chore(deps): migrate unicorn flavor images from RapidFort to Chainguard by chance-coleman · Pull Request #2650 · defenseunicorns/uds-core

chance-coleman · 2026-05-05T21:45:47Z

Description

Migrates the unicorn flavor from RapidFort to Chainguard FIPS images across all components.

Keycloak FIPS JCE configuration

Chainguard's Keycloak image requires an explicit JCE security provider override to enable FIPS mode, unlike the RapidFort image which handled this internally. A new ConfigMap is injected as a volume mount and JAVA_OPTS_APPEND is set to load the override file at startup. The old JDK_JAVA_OPTIONS injection for rfcurated images is removed.

CI authentication

Replaced RapidFort username/password credentials with a Chainguard federated identity (chainguardIdentity) using the chainguard-dev/setup-chainctl action across all workflows.

fapolicyd on RHEL 9

Chainguard's CNI image writes libcrypto.so.3 into /opt/cni/bin/.cgr/ at runtime. On RHEL 9 with fapolicyd in enforcing mode this blocks CNI startup. Added a prerequisite note with the required fapolicyd rule and the RKE2 user data script now configures this automatically.

Pepr image policy

Updated the validateIstioImage policy to recognize cgr.dev/defenseunicorns.com/istio-proxy-fips as the valid unicorn proxy registry/repository.

Renovate and label cleanup

Updated the renovate-readiness action and scripts to use waiting on unicorn instead of waiting on rapidfort. Updated the multi-arch check script to scan cgr.dev/defenseunicorns.com images and fixed comment stripping to prevent inline YAML comments from being passed as image names to crane.

Related Issue

Fixes Core-522

Type of change

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Other (security config, docs update, etc)

Checklist before merging

Test, docs, adr added or updated as needed
Contributor Guide followed

…rd FIPS

github-actions

Lula Compliance Overview

Please review the changes to ensure they meet compliance standards.

Reviewed Changes

Lula reviewed 30 files changed that affect compliance.

File	Lines Changed
`src/istio/zarf.yaml`	`83–89`

UUID: b4367e52-bef0-4463-a906-e5af6b4aa015
sha256: de7137d1e9a0f098d4034d79b85965f28dd02bb04423894d226550d93928f179

_{Tip: Customize your compliance reviews with Lula.}

Superseded by a new Lula compliance review.

github-actions

Lula Compliance Overview

Please review the changes to ensure they meet compliance standards.

Reviewed Changes

Lula reviewed 30 files changed that affect compliance.

File	Lines Changed
`src/istio/zarf.yaml`	`83–89`

UUID: b4367e52-bef0-4463-a906-e5af6b4aa015
sha256: de7137d1e9a0f098d4034d79b85965f28dd02bb04423894d226550d93928f179

_{Tip: Customize your compliance reviews with Lula.}

Superseded by a new Lula compliance review.

github-actions

Lula Compliance Overview

Please review the changes to ensure they meet compliance standards.

Reviewed Changes

Lula reviewed 30 files changed that affect compliance.

File	Lines Changed
`src/istio/zarf.yaml`	`83–89`

UUID: b4367e52-bef0-4463-a906-e5af6b4aa015
sha256: de7137d1e9a0f098d4034d79b85965f28dd02bb04423894d226550d93928f179

_{Tip: Customize your compliance reviews with Lula.}

mjnagel

Few initial comments, looking good overall.

…decar images, switch keycloak JCE toggle to repo-conditional, update chainctl auth commands, and rewrite unicorn flavor docs

Superseded by a new Lula compliance review.

github-actions

Lula Compliance Overview

Please review the changes to ensure they meet compliance standards.

Reviewed Changes

Lula reviewed 30 files changed that affect compliance.

File	Lines Changed
`src/istio/zarf.yaml`	`83–89`

UUID: b4367e52-bef0-4463-a906-e5af6b4aa015
sha256: de7137d1e9a0f098d4034d79b85965f28dd02bb04423894d226550d93928f179

_{Tip: Customize your compliance reviews with Lula.}

Superseded by a new Lula compliance review.

github-actions

Lula Compliance Overview

Please review the changes to ensure they meet compliance standards.

Reviewed Changes

Lula reviewed 30 files changed that affect compliance.

File	Lines Changed
`src/istio/zarf.yaml`	`83–89`

UUID: b4367e52-bef0-4463-a906-e5af6b4aa015
sha256: de7137d1e9a0f098d4034d79b85965f28dd02bb04423894d226550d93928f179

_{Tip: Customize your compliance reviews with Lula.}

Superseded by a new Lula compliance review.

github-actions

Lula Compliance Overview

Please review the changes to ensure they meet compliance standards.

Reviewed Changes

Lula reviewed 30 files changed that affect compliance.

File	Lines Changed
`src/istio/zarf.yaml`	`83–89`

UUID: b4367e52-bef0-4463-a906-e5af6b4aa015
sha256: de7137d1e9a0f098d4034d79b85965f28dd02bb04423894d226550d93928f179

_{Tip: Customize your compliance reviews with Lula.}

Superseded by a new Lula compliance review.

github-actions

Lula Compliance Overview

Please review the changes to ensure they meet compliance standards.

Reviewed Changes

Lula reviewed 30 files changed that affect compliance.

File	Lines Changed
`src/istio/zarf.yaml`	`83–89`

UUID: b4367e52-bef0-4463-a906-e5af6b4aa015
sha256: de7137d1e9a0f098d4034d79b85965f28dd02bb04423894d226550d93928f179

_{Tip: Customize your compliance reviews with Lula.}

Superseded by a new Lula compliance review.

github-actions

Lula Compliance Overview

Please review the changes to ensure they meet compliance standards.

Reviewed Changes

Lula reviewed 30 files changed that affect compliance.

File	Lines Changed
`src/istio/zarf.yaml`	`83–89`

UUID: b4367e52-bef0-4463-a906-e5af6b4aa015
sha256: 2c85e11f4c29d548a9b3868a6247a6d99c05ae72e2562d4dad4582c9d2eda74e

_{Tip: Customize your compliance reviews with Lula.}

Superseded by a new Lula compliance review.

github-actions

Lula Compliance Overview

Please review the changes to ensure they meet compliance standards.

Reviewed Changes

Lula reviewed 30 files changed that affect compliance.

File	Lines Changed
`src/istio/zarf.yaml`	`83–89`

UUID: b4367e52-bef0-4463-a906-e5af6b4aa015
sha256: 2c85e11f4c29d548a9b3868a6247a6d99c05ae72e2562d4dad4582c9d2eda74e

_{Tip: Customize your compliance reviews with Lula.}

Superseded by a new Lula compliance review.

github-actions

Lula Compliance Overview

Please review the changes to ensure they meet compliance standards.

Reviewed Changes

Lula reviewed 30 files changed that affect compliance.

File	Lines Changed
`src/istio/zarf.yaml`	`83–89`

UUID: b4367e52-bef0-4463-a906-e5af6b4aa015
sha256: 2c85e11f4c29d548a9b3868a6247a6d99c05ae72e2562d4dad4582c9d2eda74e

_{Tip: Customize your compliance reviews with Lula.}

Superseded by a new Lula compliance review.

github-actions

Lula Compliance Overview

Please review the changes to ensure they meet compliance standards.

Reviewed Changes

Lula reviewed 30 files changed that affect compliance.

File	Lines Changed
`src/istio/zarf.yaml`	`83–89`

UUID: b4367e52-bef0-4463-a906-e5af6b4aa015
sha256: 2c85e11f4c29d548a9b3868a6247a6d99c05ae72e2562d4dad4582c9d2eda74e

_{Tip: Customize your compliance reviews with Lula.}

Superseded by a new Lula compliance review.

github-actions

Lula Compliance Overview

Please review the changes to ensure they meet compliance standards.

Reviewed Changes

Lula reviewed 30 files changed that affect compliance.

File	Lines Changed
`src/istio/zarf.yaml`	`83–89`

UUID: b4367e52-bef0-4463-a906-e5af6b4aa015
sha256: 2c85e11f4c29d548a9b3868a6247a6d99c05ae72e2562d4dad4582c9d2eda74e

_{Tip: Customize your compliance reviews with Lula.}

chance-coleman · 2026-05-18T22:09:07Z

@greptileai review this PR please

greptile-apps · 2026-05-18T22:15:36Z

Greptile Summary

This PR migrates the unicorn flavor images across all UDS Core components from RapidFort (quay.io/rfcurated/*) to Chainguard FIPS images (cgr.dev/defenseunicorns.com/*), updating CI authentication, Renovate tooling, and Pepr image policy accordingly.

Keycloak FIPS JCE: Adds a ConfigMap-backed fips-sunjce.security file mounted via subPath into /opt/keycloak/data/ and injects JAVA_OPTS_APPEND to load it at startup; a Helm fail guard prevents user-supplied JAVA_OPTS_APPEND from conflicting.
CI auth: Replaces RapidFort username/password with Chainguard federated identity (chainguard-dev/setup-chainctl) pinned to a commit SHA across all workflow files.
RHEL 9 / fapolicyd: Adds an fapolicyd allow-rule for /opt/cni/bin/ in both user_data.sh and the prerequisite docs to permit Chainguard CNI's runtime-written libcrypto.so.3.

Confidence Score: 5/5

Safe to merge — the migration is mechanical and well-tested; the new Keycloak FIPS JCE mechanism is covered by dedicated Helm unit tests and a fail-guard prevents the most likely misconfiguration.

All changed components follow the same substitution pattern (registry/repository swap + copyright year bump). The only non-trivial logic addition is the Keycloak FIPS JCE path, which is gated by the same contains "cgr.dev" predicate used in all three new Helm blocks, has an explicit fail guard, and is covered end-to-end by new helm-unittest cases. The Pepr policy change is backed by updated unit tests. The fapolicyd rule is guarded and documented consistently between user_data.sh and the prerequisites page.

No files require special attention.

Important Files Changed

Filename	Overview
src/keycloak/chart/templates/statefulset.yaml	Adds conditional JAVA_OPTS_APPEND env var, fips-jce-security volumeMount (subPath into the data directory), and corresponding volume block; includes a Helm fail guard for conflicting user env vars.
src/keycloak/chart/templates/configmap-fips-jce-security.yaml	New ConfigMap rendering a minimal fips-sunjce.security file; correctly gated on contains "cgr.dev" .Values.image.repository.
src/keycloak/chart/tests/kc_fips_jce_security_test.yaml	New Helm unit test suite covering ConfigMap presence/absence, JAVA_OPTS_APPEND injection, volumeMount, and the fail guard for conflicting env vars.
src/pepr/policies/common.ts	Updated ISTIO_IMAGE_FLAVOR_CONFIGS unicorn entry from RapidFort to cgr.dev/defenseunicorns.com/istio-proxy-fips; validateIstioImage logic unchanged and tests pass.
scripts/check-multiarch.sh	Switched from quay.io/rfcurated to cgr.dev/defenseunicorns.com; added sed comment-stripping stage to prevent inline YAML comments from being passed as image names to crane.
.github/actions/setup/action.yaml	Replaces RapidFort username/password inputs with a chainguardIdentity input wired to chainguard-dev/setup-chainctl pinned at a commit SHA; conditionally executed only when identity is non-empty.
.github/test-infra/aws/rke2/scripts/user_data.sh	Adds a guarded fapolicyd rule allowing all subjects to access /opt/cni/bin/ at runtime; guard correctly checks for fagenrules availability before running.
docs/getting-started/production/prerequisites.mdx	Adds unicorn-flavor fapolicyd prerequisite note with the allow rule for /opt/cni/bin/; note is scoped to RHEL 9 + enforcing mode.

_{Reviews (2): Last reviewed commit: "distroless promstack node exporter" | Re-trigger Greptile}

joelmccoy

LGTM!

Not applicable at this point in time

🤖 I have created a release *beep* *boop* --- ## [1.5.0](v1.4.0...v1.5.0) (2026-05-26) ### Bug Fixes * avoid virtual threads in Keycloak ([#2686](#2686)) ([e07ddb2](e07ddb2)) * broken grafana tests ([#2696](#2696)) ([202c8ac](202c8ac)) * **eks:** stabilize UDP NetworkPolicy e2e coverage ([#2666](#2666)) ([3d45af4](3d45af4)) ### Miscellaneous * add 1.5.0 release notes ([#2700](#2700)) ([197dc46](197dc46)) * **ci:** add test to verify loki able to flush to s3 ([#2673](#2673)) ([4783ffb](4783ffb)) * **deps:** migrate unicorn flavor images from RapidFort to Chainguard ([#2650](#2650)) ([b0d4c87](b0d4c87)) * **deps:** update grafana ([#2584](#2584)) ([f07a6a7](f07a6a7)) * **deps:** update grafana to v2.7.3 ([#2691](#2691)) ([0aaf351](0aaf351)) * **deps:** update iac support dependencies to v2.0.1 ([#2677](#2677)) ([40cf6a6](40cf6a6)) * **deps:** update iac-support-deps ([#2670](#2670)) ([ab1b90d](ab1b90d)) * **deps:** update loki ([#2586](#2586)) ([396bb53](396bb53)) * **deps:** update loki to v2.7.3 ([#2690](#2690)) ([6b773ed](6b773ed)) * **deps:** update prometheus-stack ([#2644](#2644)) ([1bfbfaf](1bfbfaf)) * **deps:** update prometheus-stack ([#2684](#2684)) ([1fae685](1fae685)) * **deps:** update prometheus-stack ([#2687](#2687)) ([ceab924](ceab924)) * **deps:** update support-deps ([#2683](#2683)) ([f725d10](f725d10)) * **deps:** update support-deps ([#2689](#2689)) ([83622c3](83622c3)) * **deps:** update velero ([#2678](#2678)) ([70f0106](70f0106)) * **docs:** add legacy upgrade notes and local demo deploy warning ([#2667](#2667)) ([ded7c08](ded7c08)) * updating cert bundle ([#2675](#2675)) ([7da8b6c](7da8b6c)) ### Documentation * add time-sync prereqs callout in docs ([#2679](#2679)) ([3d45a2c](3d45a2c)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

chore(deps): migrate unicorn flavor images from RapidFort to Chaingua…

81d185a

…rd FIPS

chance-coleman self-assigned this May 5, 2026

Merge branch 'main' into chance/core-522

db4a549

github-actions Bot previously requested changes May 5, 2026

View reviewed changes

fix: broken link and multiarch

985c7a4

github-actions Bot previously requested changes May 5, 2026

View reviewed changes

chance-coleman added 2 commits May 6, 2026 06:16

temp: use latest k3d version for 1.35 instead of 1.34

65d3195

Merge remote-tracking branch 'origin/main' into chance/core-522

8b570b6

github-actions Bot previously requested changes May 6, 2026

View reviewed changes

mjnagel reviewed May 6, 2026

View reviewed changes

chance-coleman commented May 6, 2026

View reviewed changes

Comment thread tasks/deploy.yaml Outdated

pr feedback: rename chainguard labels to unicorn, bump loki/vector/si…

e13c28a

…decar images, switch keycloak JCE toggle to repo-conditional, update chainctl auth commands, and rewrite unicorn flavor docs

github-actions Bot previously requested changes May 6, 2026

View reviewed changes

Merge branch 'main' into chance/core-522

0aaef91

github-actions Bot previously requested changes May 6, 2026

View reviewed changes

chance-coleman and others added 2 commits May 11, 2026 07:38

cgr version updates

432b8a9

Merge branch 'main' into chance/core-522

acbc464

github-actions Bot previously requested changes May 11, 2026

View reviewed changes

fix lint

8a8cc93

github-actions Bot previously requested changes May 11, 2026

View reviewed changes

bump istio images for new fixes

2f3fa49

github-actions Bot previously requested changes May 18, 2026

View reviewed changes

Merge branch 'main' into chance/core-522

7d12b1a

github-actions Bot previously requested changes May 18, 2026

View reviewed changes

Merge branch 'main' into chance/core-522

1eca831

github-actions Bot previously requested changes May 18, 2026

View reviewed changes

cleanup and update promstack versions

ca65b3b

github-actions Bot previously requested changes May 18, 2026

View reviewed changes

distroless promstack node exporter

8208d9e

github-actions Bot previously requested changes May 18, 2026

View reviewed changes

greptile-apps Bot reviewed May 18, 2026

View reviewed changes

Comment thread src/keycloak/chart/templates/statefulset.yaml

chance-coleman marked this pull request as ready for review May 19, 2026 01:33

chance-coleman requested a review from a team as a code owner May 19, 2026 01:33

joelmccoy approved these changes May 19, 2026

View reviewed changes

Comment thread src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml

chance-coleman merged commit b0d4c87 into main May 20, 2026
81 of 87 checks passed

chance-coleman deleted the chance/core-522 branch May 20, 2026 16:48

github-actions Bot mentioned this pull request May 19, 2026

chore(main): release 1.5.0 #2671

Merged

Uh oh!

Conversation

chance-coleman commented May 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Keycloak FIPS JCE configuration

CI authentication

fapolicyd on RHEL 9

Pepr image policy

Renovate and label cleanup

Related Issue

Type of change

Checklist before merging

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

Lula Compliance Overview

Reviewed Changes

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

Lula Compliance Overview

Reviewed Changes

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

Lula Compliance Overview

Reviewed Changes

Uh oh!

mjnagel left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

Lula Compliance Overview

Reviewed Changes

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

Lula Compliance Overview

Reviewed Changes

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

Lula Compliance Overview

Reviewed Changes

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

Lula Compliance Overview

Reviewed Changes

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

Lula Compliance Overview

Reviewed Changes

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

Lula Compliance Overview

Reviewed Changes

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

Lula Compliance Overview

Reviewed Changes

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

Lula Compliance Overview

chance-coleman commented May 5, 2026 •

edited

Loading

greptile-apps Bot commented May 18, 2026 •

edited

Loading