chore(deps): migrate unicorn flavor images from RapidFort to Chainguard #2650

Merged: chance-coleman merged 15 commits into main from chance/core-522 on May 20, 2026

Conversation

@chance-coleman chance-coleman commented May 5, 2026

Description

Migrates the unicorn flavor from RapidFort to Chainguard FIPS images across all components.

Keycloak FIPS JCE configuration

Chainguard's Keycloak image requires an explicit JCE security provider override to enable FIPS mode, unlike the RapidFort image which handled this internally. A new ConfigMap is injected as a volume mount and JAVA_OPTS_APPEND is set to load the override file at startup. The old JDK_JAVA_OPTIONS injection for rfcurated images is removed.

CI authentication

Replaced RapidFort username/password credentials with a Chainguard federated identity (chainguardIdentity) using the chainguard-dev/setup-chainctl action across all workflows.

fapolicyd on RHEL 9

Chainguard's CNI image writes libcrypto.so.3 into /opt/cni/bin/.cgr/ at runtime. On RHEL 9 with fapolicyd in enforcing mode this blocks CNI startup. Added a prerequisite note with the required fapolicyd rule and the RKE2 user data script now configures this automatically.

Pepr image policy

Updated the validateIstioImage policy to recognize cgr.dev/defenseunicorns.com/istio-proxy-fips as the valid unicorn proxy registry/repository.

Renovate and label cleanup

Updated the renovate-readiness action and scripts to use waiting on unicorn instead of waiting on rapidfort. Updated the multi-arch check script to scan cgr.dev/defenseunicorns.com images and fixed comment stripping to prevent inline YAML comments from being passed as image names to crane.

Related Issue

Fixes Core-522

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Checklist before merging
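The fapolicyd prerequisite described above, as an added POSIX sh example that is not the project's user_data.sh: it writes an allow rule scoped to /opt/cni/bin/ into fapolicyd's rules directory and reloads the rule set only when fagenrules is available. The fragment filename 30-cni.rules is an assumption; the rules directory is the RHEL 9 default.

```shell
# Added example, not the project's user_data.sh: write a fapolicyd rule
# fragment that permits the CNI binary directory (where the Chainguard
# CNI image drops libcrypto.so.3 under .cgr/ at runtime) and reload the
# rules only where fapolicyd's fagenrules exists. The fragment filename
# is an assumption; the rules directory is the RHEL 9 default.
set -eu

CNI_BIN_DIR="/opt/cni/bin/"
FAPOLICYD_RULES_DIR="${FAPOLICYD_RULES_DIR:-/etc/fapolicyd/rules.d}"
RULE_FRAGMENT="30-cni.rules"

# The rule: any subject may perform any operation on files under the CNI
# directory. It is scoped to that one tree rather than a global allow,
# so a review should confirm nothing else is writable there.
cni_fapolicyd_rule() {
  printf 'allow perm=any all : dir=%s\n' "$CNI_BIN_DIR"
}

# Write the fragment into the rules directory given as $1 (idempotent).
# Returns 0 only if the file afterwards contains exactly the rule.
install_cni_fapolicyd_rule() {
  rules_dir="$1"
  rule_file="$rules_dir/$RULE_FRAGMENT"
  mkdir -p "$rules_dir"
  cni_fapolicyd_rule > "$rule_file"
  chmod 0644 "$rule_file"
  [ "$(cat "$rule_file")" = "$(cni_fapolicyd_rule)" ]
}

# Recompile the rule set if fapolicyd tooling is installed; on hosts
# without fapolicyd the fragment is inert and this is a no-op.
reload_fapolicyd_rules() {
  if command -v fagenrules >/dev/null 2>&1; then
    fagenrules --load
    echo "fapolicyd rules reloaded"
  else
    echo "fagenrules not found; skipping reload"
  fi
  return 0
}

# Invoke as `sh this.sh apply` from a provisioning script; without the
# argument the file only defines the functions above.
if [ "${1:-}" = "apply" ]; then
  install_cni_fapolicyd_rule "$FAPOLICYD_RULES_DIR"
  reload_fapolicyd_rules
fi
```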

@chance-coleman chance-coleman self-assigned this May 5, 2026

@github-actions github-actions Bot left a comment


Lula Compliance Overview

Please review the changes to ensure they meet compliance standards.

Reviewed Changes

Lula reviewed 30 files changed that affect compliance.


File | Lines Changed
src/istio/zarf.yaml | 83–89

UUID: b4367e52-bef0-4463-a906-e5af6b4aa015
sha256: de7137d1e9a0f098d4034d79b85965f28dd02bb04423894d226550d93928f179



@github-actions github-actions Bot dismissed their stale review May 5, 2026 22:09

Superseded by a new Lula compliance review.


@github-actions github-actions Bot dismissed their stale review May 6, 2026 13:36

Superseded by a new Lula compliance review.


@mjnagel mjnagel left a comment


Few initial comments, looking good overall.

…decar images, switch keycloak JCE toggle to repo-conditional, update chainctl auth commands, and rewrite unicorn flavor docs
@github-actions github-actions Bot dismissed their stale review May 6, 2026 21:37

Superseded by a new Lula compliance review.


@github-actions github-actions Bot dismissed their stale review May 6, 2026 21:38

Superseded by a new Lula compliance review.


@github-actions github-actions Bot dismissed their stale review May 11, 2026 15:01

Superseded by a new Lula compliance review.


@github-actions github-actions Bot dismissed their stale review May 11, 2026 15:07

Superseded by a new Lula compliance review.


@github-actions github-actions Bot dismissed their stale review May 18, 2026 18:17

Superseded by a new Lula compliance review.

@github-actions github-actions Bot left a comment


Lula Compliance Overview

Please review the changes to ensure they meet compliance standards.

Reviewed Changes

Lula reviewed 30 files changed that affect compliance.


File | Lines Changed
src/istio/zarf.yaml | 83–89

UUID: b4367e52-bef0-4463-a906-e5af6b4aa015
sha256: 2c85e11f4c29d548a9b3868a6247a6d99c05ae72e2562d4dad4582c9d2eda74e



@github-actions github-actions Bot dismissed their stale review May 18, 2026 19:27

Superseded by a new Lula compliance review.


@github-actions github-actions Bot dismissed their stale review May 18, 2026 20:02

Superseded by a new Lula compliance review.


@github-actions github-actions Bot dismissed their stale review May 18, 2026 20:10

Superseded by a new Lula compliance review.


@github-actions github-actions Bot dismissed their stale review May 18, 2026 20:51

Superseded by a new Lula compliance review.


@chance-coleman


@greptileai review this PR please

@greptile-apps

greptile-apps Bot commented May 18, 2026


Greptile Summary

This PR migrates the unicorn flavor images across all UDS Core components from RapidFort (quay.io/rfcurated/*) to Chainguard FIPS images (cgr.dev/defenseunicorns.com/*), updating CI authentication, Renovate tooling, and Pepr image policy accordingly.

  • Keycloak FIPS JCE: Adds a ConfigMap-backed fips-sunjce.security file mounted via subPath into /opt/keycloak/data/ and injects JAVA_OPTS_APPEND to load it at startup; a Helm fail guard prevents user-supplied JAVA_OPTS_APPEND from conflicting.
  • CI auth: Replaces RapidFort username/password with Chainguard federated identity (chainguard-dev/setup-chainctl) pinned to a commit SHA across all workflow files.
  • RHEL 9 / fapolicyd: Adds an fapolicyd allow-rule for /opt/cni/bin/ in both user_data.sh and the prerequisite docs to permit Chainguard CNI's runtime-written libcrypto.so.3.

Confidence Score: 5/5

Safe to merge — the migration is mechanical and well-tested; the new Keycloak FIPS JCE mechanism is covered by dedicated Helm unit tests and a fail-guard prevents the most likely misconfiguration.

All changed components follow the same substitution pattern (registry/repository swap + copyright year bump). The only non-trivial logic addition is the Keycloak FIPS JCE path, which is gated by the same contains "cgr.dev" predicate used in all three new Helm blocks, has an explicit fail guard, and is covered end-to-end by new helm-unittest cases. The Pepr policy change is backed by updated unit tests. The fapolicyd rule is guarded and documented consistently between user_data.sh and the prerequisites page.

No files require special attention.

Important Files Changed

Filename | Overview
src/keycloak/chart/templates/statefulset.yaml | Adds conditional JAVA_OPTS_APPEND env var, fips-jce-security volumeMount (subPath into the data directory), and corresponding volume block; includes a Helm fail guard for conflicting user env vars.
src/keycloak/chart/templates/configmap-fips-jce-security.yaml | New ConfigMap rendering a minimal fips-sunjce.security file; correctly gated on contains "cgr.dev" .Values.image.repository.
src/keycloak/chart/tests/kc_fips_jce_security_test.yaml | New Helm unit test suite covering ConfigMap presence/absence, JAVA_OPTS_APPEND injection, volumeMount, and the fail guard for conflicting env vars.
src/pepr/policies/common.ts | Updated ISTIO_IMAGE_FLAVOR_CONFIGS unicorn entry from RapidFort to cgr.dev/defenseunicorns.com/istio-proxy-fips; validateIstioImage logic unchanged and tests pass.
scripts/check-multiarch.sh | Switched from quay.io/rfcurated to cgr.dev/defenseunicorns.com; added sed comment-stripping stage to prevent inline YAML comments from being passed as image names to crane.
.github/actions/setup/action.yaml | Replaces RapidFort username/password inputs with a chainguardIdentity input wired to chainguard-dev/setup-chainctl pinned at a commit SHA; conditionally executed only when identity is non-empty.
.github/test-infra/aws/rke2/scripts/user_data.sh | Adds a guarded fapolicyd rule allowing all subjects to access /opt/cni/bin/ at runtime; guard correctly checks for fagenrules availability before running.
docs/getting-started/production/prerequisites.mdx | Adds unicorn-flavor fapolicyd prerequisite note with the allow rule for /opt/cni/bin/; note is scoped to RHEL 9 + enforcing mode.

Reviews (2): Last reviewed commit: "distroless promstack node exporter"
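The comment-stripping fix Greptile describes for scripts/check-multiarch.sh, as an added POSIX sh example that is not the project's script: it pulls cgr.dev/defenseunicorns.com references out of zarf-style YAML after removing inline comments, and validates each token so a leaked comment fragment can never be handed to crane. The YAML input is constructed for this example.

```shell
# Added example, not the project's check-multiarch.sh: collect the
# cgr.dev/defenseunicorns.com image references from zarf-style YAML,
# stripping inline "# ..." comments before anything is handed to crane.
# The sample YAML below is constructed for this example.
set -eu

REGISTRY_PREFIX="cgr.dev/defenseunicorns.com"

# Constructed input covering the cases that matter: a quoted ref, a ref
# with a trailing comment, a commented-out ref, a foreign registry, and
# a comment glued to the tag with no space before the '#'.
SAMPLE_YAML='images:
  - "cgr.dev/defenseunicorns.com/istio-proxy-fips:1.24.3"
  - cgr.dev/defenseunicorns.com/keycloak-fips:26.1.0 # FIPS build
  # - cgr.dev/defenseunicorns.com/old-image:1.0.0
  - docker.io/library/nginx:1.27.0
  - cgr.dev/defenseunicorns.com/vector-fips:0.45.0#pinned'

# Remove everything from the first '#' on each line. Image references
# cannot contain '#', so this never truncates a real reference.
strip_yaml_comments() {
  sed -e 's/#.*$//'
}

# Print one reference per line for the registry prefix in $1 (default
# $REGISTRY_PREFIX), de-duplicated and sorted, reading YAML from stdin.
extract_images() {
  prefix="${1:-$REGISTRY_PREFIX}"
  escaped=$(printf '%s' "$prefix" | sed -e 's/[.]/\\./g')
  strip_yaml_comments | grep -o "$escaped/[^\"' ]*" | sort -u
}

# Reject tokens that are not syntactically image references (the class
# of value a leaked comment produces). Accepts NAME[:TAG][@sha256:HEX].
is_valid_image_ref() {
  printf '%s\n' "$1" \
    | grep -Eq '^[a-z0-9.-]+(:[0-9]+)?(/[a-z0-9._-]+)+(:[A-Za-z0-9_.-]{1,128})?(@sha256:[0-9a-f]{64})?$'
}

# Count the refs extracted from the YAML in $1 that pass validation;
# non-zero exit if any extracted token fails (a fail-fast CI check).
count_valid_images() {
  n=0
  for ref in $(printf '%s\n' "$1" | extract_images); do
    is_valid_image_ref "$ref" || { echo "invalid reference: $ref" >&2; return 1; }
    n=$((n + 1))
  done
  echo "$n"
}
```

Each validated reference is what a multi-arch check would pass to `crane manifest`; without the stripping stage the commented-out old-image line and the `vector-fips:0.45.0#pinned` token would both reach crane as image names.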

@chance-coleman chance-coleman marked this pull request as ready for review May 19, 2026 01:33
@chance-coleman chance-coleman requested a review from a team as a code owner May 19, 2026 01:33

@joelmccoy joelmccoy left a comment


LGTM!

@chance-coleman chance-coleman dismissed github-actions[bot]’s stale review May 20, 2026 16:48

Not applicable at this point in time

@chance-coleman chance-coleman merged commit b0d4c87 into main May 20, 2026
81 of 87 checks passed
@chance-coleman chance-coleman deleted the chance/core-522 branch May 20, 2026 16:48
jasonwashburn pushed a commit that referenced this pull request May 27, 2026
🤖 I have created a release *beep* *boop*
---


## [1.5.0](v1.4.0...v1.5.0) (2026-05-26)

### Bug Fixes

* avoid virtual threads in Keycloak ([#2686](#2686)) ([e07ddb2](e07ddb2))
* broken grafana tests ([#2696](#2696)) ([202c8ac](202c8ac))
* **eks:** stabilize UDP NetworkPolicy e2e coverage ([#2666](#2666)) ([3d45af4](3d45af4))

### Miscellaneous

* add 1.5.0 release notes ([#2700](#2700)) ([197dc46](197dc46))
* **ci:** add test to verify loki able to flush to s3 ([#2673](#2673)) ([4783ffb](4783ffb))
* **deps:** migrate unicorn flavor images from RapidFort to Chainguard ([#2650](#2650)) ([b0d4c87](b0d4c87))
* **deps:** update grafana ([#2584](#2584)) ([f07a6a7](f07a6a7))
* **deps:** update grafana to v2.7.3 ([#2691](#2691)) ([0aaf351](0aaf351))
* **deps:** update iac support dependencies to v2.0.1 ([#2677](#2677)) ([40cf6a6](40cf6a6))
* **deps:** update iac-support-deps ([#2670](#2670)) ([ab1b90d](ab1b90d))
* **deps:** update loki ([#2586](#2586)) ([396bb53](396bb53))
* **deps:** update loki to v2.7.3 ([#2690](#2690)) ([6b773ed](6b773ed))
* **deps:** update prometheus-stack ([#2644](#2644)) ([1bfbfaf](1bfbfaf))
* **deps:** update prometheus-stack ([#2684](#2684)) ([1fae685](1fae685))
* **deps:** update prometheus-stack ([#2687](#2687)) ([ceab924](ceab924))
* **deps:** update support-deps ([#2683](#2683)) ([f725d10](f725d10))
* **deps:** update support-deps ([#2689](#2689)) ([83622c3](83622c3))
* **deps:** update velero ([#2678](#2678)) ([70f0106](70f0106))
* **docs:** add legacy upgrade notes and local demo deploy warning ([#2667](#2667)) ([ded7c08](ded7c08))
* updating cert bundle ([#2675](#2675)) ([7da8b6c](7da8b6c))

### Documentation

* add time-sync prereqs callout in docs ([#2679](#2679)) ([3d45a2c](3d45a2c))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>