diff --git a/.github/actions/renovate-readiness/README.md b/.github/actions/renovate-readiness/README.md index c4ea90fb4a..38941a1c50 100644 --- a/.github/actions/renovate-readiness/README.md +++ b/.github/actions/renovate-readiness/README.md @@ -33,7 +33,7 @@ The action performs the following steps: - It compares the extracted data using the `compareImagesAndCharts.ts` script. - Based on the comparison, it applies appropriate labels to the PR: - `waiting on ironbank`: If a registry1 image is behind - - `waiting on rapidfort`: If a rapidfort image is behind + - `waiting on unicorn`: If a Unicorn image is behind - `helm-chart-only`: If a PR only contains a helm chart update - `needs-review`: If PR is NOT waiting on image updates - `major-helm-update`: If the PR contains a major chart version bump @@ -72,7 +72,7 @@ The TypeScript scripts are thoroughly tested using Jest: - **compareImagesAndCharts.test.ts**: Tests the comparison of images and charts, including: - Helm chart updates (both regular and major) - Image updates (including major updates) - - Waiting conditions for Ironbank and Rapidfort images + - Waiting conditions for Ironbank and Unicorn images - Missing or empty extract files - Invalid version formats diff --git a/.github/actions/renovate-readiness/action.yaml b/.github/actions/renovate-readiness/action.yaml index 503e9aceda..bcc52cb461 100644 --- a/.github/actions/renovate-readiness/action.yaml +++ b/.github/actions/renovate-readiness/action.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial name: renovate-readiness 
@@ -229,7 +229,7 @@ runs:
 echo "labels=$LABELS" >> $GITHUB_OUTPUT
 # Check if waiting on labels are present, or this is a helm chart update only
- if [[ "$LABELS" == *"waiting on ironbank"* ]] || [[ "$LABELS" == *"waiting on rapidfort"* ]] || [[ "$LABELS" == *"helm-chart-only"* ]]; then
+ if [[ "$LABELS" == *"waiting on ironbank"* ]] || [[ "$LABELS" == *"waiting on unicorn"* ]] || [[ "$LABELS" == *"helm-chart-only"* ]]; then
 echo "waiting=true" >> $GITHUB_OUTPUT
 else
 echo "waiting=false" >> $GITHUB_OUTPUT
@@ -251,7 +251,7 @@ runs:
 echo "Current labels: $CURRENT_LABELS"
 # Define the managed labels we care about
- MANAGED_LABELS=("waiting on upstream" "waiting on ironbank" "waiting on unicorn" "waiting on rapidfort" "needs-review" "helm-chart-only" "major-helm-update" "major-image-update")
+ MANAGED_LABELS=("waiting on upstream" "waiting on ironbank" "waiting on unicorn" "needs-review" "helm-chart-only" "major-helm-update" "major-image-update")
 # Remove labels that are currently on the PR but not in the new set
 for LABEL in "${MANAGED_LABELS[@]}"; do
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
index b1674a64eb..08888a0e48 100644
--- a/.github/actions/setup/action.yaml
+++ b/.github/actions/setup/action.yaml
@@ -17,12 +17,8 @@ inputs:
 description: "IRON_BANK_ROBOT_PASSWORD"
 required: false
 default: ''
- rapidfortUsername:
- description: "RAPIDFORT_USERNAME"
- required: false
- default: ''
- rapidfortPassword:
- description: "RAPIDFORT_PASSWORD"
+ chainguardIdentity:
+ description: "ID for Chainguard Identity"
 required: false
 default: ''
 installUv:
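Review bot: Dropping `"waiting on rapidfort"` from MANAGED_LABELS in the @@ -251 hunk means the cleanup loop right below it (`for LABEL in "${MANAGED_LABELS[@]}"; do`) will never remove that label from PRs that already carry it, so Renovate PRs labelled before this change keep a stale label that nothing reconciles. Keeping the old name in the array for a transition period, `MANAGED_LABELS=("waiting on upstream" "waiting on ironbank" "waiting on unicorn" "waiting on rapidfort" "needs-review" "helm-chart-only" "major-helm-update" "major-image-update")`, lets the existing loop strip it, after which it can be dropped; alternatively the label can be deleted from the repository by hand. The `run:` script this array lives in starts and ends outside the hunk, so I cannot confirm nothing else in it references the old name.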
@@ -69,10 +65,8 @@ runs:
 echo "MARU_AUTH=\"{\"raw.githubusercontent.com\": \"${{ inputs.ghToken }}\"}\"" >> "$GITHUB_ENV"
 shell: bash
- - name: Rapidfort Login
- if: ${{ inputs.rapidfortUsername != '' && inputs.rapidfortPassword != '' }}
- shell: bash
- env:
- RAPIDFORT_USERNAME: ${{ inputs.rapidfortUsername }}
- RAPIDFORT_PASSWORD: ${{ inputs.rapidfortPassword }}
- run: echo "${{ env.RAPIDFORT_PASSWORD }}" | uds zarf tools registry login -u "${{ env.RAPIDFORT_USERNAME }}" --password-stdin quay.io
+ - name: Chainguard Login
+ if: ${{ inputs.chainguardIdentity != '' }}
+ uses: chainguard-dev/setup-chainctl@2cddd35a2f120d9973e58094dc6878c93cf58c28 # v0.5.1
+ with:
+ identity: ${{ inputs.chainguardIdentity }}
diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh
index 9a00a29f29..fb84ea41b5 100644
--- a/.github/test-infra/aws/rke2/scripts/user_data.sh
+++ b/.github/test-infra/aws/rke2/scripts/user_data.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Copyright 2024 Defense Unicorns
+# Copyright 2024-2026 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 info() {
@@ -63,6 +63,17 @@ rm -rf ./yq
 pre_userdata
+# Allow CNI plugins and their bundled libraries to be opened/executed by fapolicyd.
+# fapolicyd starts before cloud-init runs this script, so we must recompile rules and restart.
+# Guard: fapolicyd is RHEL-specific; skip on distros where it is absent or disabled.
+if command -v fagenrules >/dev/null 2>&1; then
+ mkdir -p /etc/fapolicyd/rules.d
+ cat > /etc/fapolicyd/rules.d/20-cni-allow.rules << 'EOF'
+allow perm=any all : dir=/opt/cni/bin/
+EOF
+ fagenrules && systemctl restart fapolicyd
+fi
 # If no bootstrap IP is provided then start RKE2 as single node/bootstrap
 if [[ "${BOOTSTRAP_IP}" == "" ]]; then
 bootstrap_ip=$(ip route get $(ip route show 0.0.0.0/0 | grep -oP 'via \K\S+') | grep -oP 'src \K\S+')
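Review bot: The new Chainguard Login step assumes an identity through `chainguard-dev/setup-chainctl`, which authenticates with a GitHub OIDC token and therefore needs `id-token: write` in the calling job's `permissions`; none of the workflow hunks in this commit that now pass `chainguardIdentity` (private-pki-test, publish, pull-request-conditionals, test-aks, test-eks, test-k3d-ha, test-rke2, test) show their permissions block, so whether it is granted cannot be confirmed from the diff. The removed step did an explicit `uds zarf tools registry login` against quay.io, whereas the replacement appears to rely on the action configuring registry credentials for cgr.dev on its own; that expectation is worth recording beside the step, e.g. `# setup-chainctl assumes the identity via GitHub OIDC (job needs id-token: write) and is expected to configure cgr.dev credentials for the later image pulls`. Pinning the action to a full SHA with the `# v0.5.1` comment is the right practice; the `steps:` list this step belongs to starts outside the hunk.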
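Review bot: The guard comment in the @@ -63 hunk says the block is skipped where fapolicyd is "absent or disabled", but `command -v fagenrules` only covers absence: on a host where the package is installed and the service deliberately stopped, `systemctl restart fapolicyd` starts it and switches enforcement on mid-bootstrap. `fagenrules && systemctl try-restart fapolicyd` restarts only an already-running service and makes the code match the comment. Separately, `allow perm=any all : dir=/opt/cni/bin/` trusts every subject for every file under that directory, while the prerequisites.mdx text added in this same commit names the specific need as the `libcrypto.so.3` written into `/opt/cni/bin/.cgr/`; scoping the rule to the paths actually required, or adding those files to the fapolicyd trust database, keeps the exception as narrow as the problem. The identical rule is duplicated in docs/getting-started/production/prerequisites.mdx, so whatever is decided here should be mirrored there.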
diff --git a/.github/workflows/private-pki-test.yaml b/.github/workflows/private-pki-test.yaml
index 1328b8ea80..ff329ec27c 100644
--- a/.github/workflows/private-pki-test.yaml
+++ b/.github/workflows/private-pki-test.yaml
@@ -52,8 +52,7 @@ jobs:
 ghToken: ${{ secrets.GITHUB_TOKEN }}
 registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
 registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
- rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
- rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+ chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
 installK3d: 'true'
 - name: Run UDS Core Private PKI Test
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index e7a33e0c9d..256232a21c 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -41,8 +41,7 @@ jobs:
 ghToken: ${{ secrets.GITHUB_TOKEN }}
 registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
 registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
- rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
- rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+ chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
 installK3d: 'true'
 - name: (Snapshot) Get snapshot version using git commit short sha and date
@@ -123,8 +122,7 @@ jobs:
 ghToken: ${{ secrets.GITHUB_TOKEN }}
 registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
 registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
- rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
- rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+ chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
 installK3d: 'true'
 - name: Test and Publish Core Package Layer
diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml
index b565c13a4b..df3eafc8b5 100644
--- a/.github/workflows/pull-request-conditionals.yaml
+++ b/.github/workflows/pull-request-conditionals.yaml
@@ -146,8 +146,7 @@ jobs:
 ghToken: ${{ secrets.GITHUB_TOKEN }}
 registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
 registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
- rapidfortUsername: ${{ secrets.RAPIDFORT_USERNAME }}
- rapidfortPassword: ${{ secrets.RAPIDFORT_PASSWORD }}
+ chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }}
 - name: Check multi-arch images
 uses: ./.github/actions/check-multiarch
diff --git a/.github/workflows/test-aks.yaml b/.github/workflows/test-aks.yaml
index a8b8fe5646..c30d68c402 100644
--- a/.github/workflows/test-aks.yaml
+++ b/.github/workflows/test-aks.yaml
@@ -69,8 +69,7 @@ jobs:
 ghToken: ${{ secrets.GITHUB_TOKEN }}
 registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
 registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
- rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
- rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+ chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
 - name: Setup Tofu
 uses: opentofu/setup-opentofu@fc711fa910b93cba0f3fbecaafc9f42fd0c411cb # v2.0.0
diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml
index 434ebe404a..2fd6ef4002 100644
--- a/.github/workflows/test-eks.yaml
+++ b/.github/workflows/test-eks.yaml
@@ -66,8 +66,7 @@ jobs:
 ghToken: ${{ secrets.GITHUB_TOKEN }}
 registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
 registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
- rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
- rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+ chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
 - name: Setup Tofu
 uses: opentofu/setup-opentofu@fc711fa910b93cba0f3fbecaafc9f42fd0c411cb # v2.0.0
diff --git a/.github/workflows/test-k3d-ha.yaml b/.github/workflows/test-k3d-ha.yaml
index 1a682eab16..1b732a31b2 100644
--- a/.github/workflows/test-k3d-ha.yaml
+++ b/.github/workflows/test-k3d-ha.yaml
@@ -52,8 +52,7 @@ jobs:
 ghToken: ${{ secrets.GITHUB_TOKEN }}
 registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
 registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
- rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
- rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+ chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
 installK3d: 'true'
 - name: Run UDS Core Install HA Test
diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml
index 2502a94a6d..164c19c4cf 100644
--- a/.github/workflows/test-rke2.yaml
+++ b/.github/workflows/test-rke2.yaml
@@ -70,8 +70,7 @@ jobs:
 ghToken: ${{ secrets.GITHUB_TOKEN }}
 registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
 registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
- rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
- rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+ chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
 - name: Setup Tofu
 uses: opentofu/setup-opentofu@fc711fa910b93cba0f3fbecaafc9f42fd0c411cb # v2.0.0
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index a7c4176e5e..a87a802a05 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -44,7 +44,7 @@ jobs:
 test:
 # Use the 8 core runner for full-core or 4 core runner (with larger disk) for func layers tests
 runs-on: "${{ inputs.package == 'all' && 'uds-ubuntu-big-boy-8-core' || 'uds-ubuntu-big-boy-4-core'}}"
- # Increase the timeout for longer upgrades - temporarily increased to 60 for longer upgrade from cgr -> rf
+ # Increase the timeout for longer upgrades
 timeout-minutes: ${{ inputs.test_type == 'upgrade' && 60 || 30 }}
 name: Test
 env:
@@ -60,8 +60,7 @@ jobs:
 ghToken: ${{ secrets.GITHUB_TOKEN }}
 registry1Username: ${{ (inputs.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
 registry1Password: ${{ (inputs.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
- rapidfortUsername: ${{ (inputs.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
- rapidfortPassword: ${{ (inputs.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+ chainguardIdentity: ${{ (inputs.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
 installK3d: 'true'
 - name: Test a single layer package
diff --git a/docs/getting-started/production/prerequisites.mdx b/docs/getting-started/production/prerequisites.mdx
index 3b63935f06..e43874b974 100644
--- a/docs/getting-started/production/prerequisites.mdx
+++ b/docs/getting-started/production/prerequisites.mdx
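Review bot: The @@ -44 hunk removes the "temporarily increased to 60 for longer upgrade from cgr -> rf" justification but keeps `timeout-minutes: ${{ inputs.test_type == 'upgrade' && 60 || 30 }}`, so a value that was introduced as temporary becomes permanent with no record of why. Either lower the upgrade budget again if the reverse migration no longer needs it, or keep the reason next to the value, e.g. `# Upgrade tests get 60 minutes to cover the rf -> cgr image migration; revisit once the upgrade path no longer crosses it`. The job definition continues outside the hunk.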
@@ -101,6 +101,18 @@ done
 See [Istio's platform requirements](https://istio.io/latest/docs/ops/deployment/platform-requirements/) for the full upstream list.
+> [!NOTE]
+> **Unicorn flavor on RHEL 9 with fapolicyd:** The unicorn flavor uses FIPS-compliant CNI images that write `libcrypto.so.3` into `/opt/cni/bin/.cgr/` at runtime. If fapolicyd is running in enforcing mode, it will block access to this file because it is not RPM-managed, preventing istio-cni from starting. Add the following rule to allow access, then recompile and restart fapolicyd:
+>
+> ```bash
+> mkdir -p /etc/fapolicyd/rules.d
+> cat > /etc/fapolicyd/rules.d/20-cni-allow.rules << 'EOF'
+> allow perm=any all : dir=/opt/cni/bin/
+> EOF
+> fagenrules
+> systemctl restart fapolicyd
+> ```
+
 ## Falco requirements
 UDS Core uses [Falco](https://falco.org/)'s [Modern eBPF Probe](https://falco.org/docs/concepts/event-sources/kernel/#modern-ebpf-probe), which has the following requirements:
diff --git a/scripts/check-multiarch.sh b/scripts/check-multiarch.sh
index ab59ccad53..4a2f242f6a 100755
--- a/scripts/check-multiarch.sh
+++ b/scripts/check-multiarch.sh
@@ -38,10 +38,12 @@ trap "rm -f $TEMP_IMAGES $TEMP_MISSING" EXIT
 echo "Scanning $SRC_DIR for unicorn and registry1 images..."
-# Extract all quay.io/rfcurated/ (unicorn) and registry1.dso.mil/ironbank/ (registry1) images
-find "$SRC_DIR" -name "zarf.yaml" -type f -exec grep -hE "quay.io/rfcurated/|registry1.dso.mil/ironbank/" {} \; | \
+# Extract all cgr.dev/defenseunicorns.com/ (unicorn) and registry1.dso.mil/ironbank/ (registry1) images
+find "$SRC_DIR" -name "zarf.yaml" -type f -exec grep -hE "cgr.dev/defenseunicorns.com/|registry1.dso.mil/ironbank/" {} \; | \
 sed 's/^[[:space:]]*-[[:space:]]*//' | \
+ sed 's/#.*//' | \
 sed 's/"//g' | \
+ sed 's/[[:space:]]*$//' | \
 sort -u > "$TEMP_IMAGES"
 TOTAL=$(wc -l < "$TEMP_IMAGES")
diff --git a/scripts/renovate/README.md b/scripts/renovate/README.md
index da1a1bb7ff..9c4b25beca 100644
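Review bot: Style: the pipeline in the check-multiarch.sh @@ -38 hunk now spawns four separate `sed` processes where one invocation with `-e` expressions does the same work in a single pass and reads as one transformation: `sed -e 's/^[[:space:]]*-[[:space:]]*//' -e 's/#.*//' -e 's/"//g' -e 's/[[:space:]]*$//' | \`. The `grep -hE "cgr.dev/defenseunicorns.com/|registry1.dso.mil/ironbank/"` pattern leaves its dots unescaped, so they match any character; that is harmless for real image references but `cgr\.dev/defenseunicorns\.com/` states the intent exactly. The new `sed 's/#.*//'` truncates at the first `#`, which is fine because OCI references cannot contain one, though a one-line comment saying so would save the next reader the check.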
--- a/scripts/renovate/README.md +++ b/scripts/renovate/README.md @@ -44,7 +44,7 @@ This script will: The scripts can apply the following labels to PRs: - `waiting on ironbank`: If a registry1 image is behind -- `waiting on rapidfort`: If a rapidfort image is behind +- `waiting on unicorn`: If a Unicorn image is behind - `helm-chart-only`: If a PR only contains a helm chart update - `needs-review`: If PR is NOT waiting on image updates - `major-helm-update`: If the PR contains a major chart version bump diff --git a/scripts/renovate/compareImagesAndCharts.spec.ts b/scripts/renovate/compareImagesAndCharts.spec.ts index 98353135d2..b54102c979 100644 --- a/scripts/renovate/compareImagesAndCharts.spec.ts +++ b/scripts/renovate/compareImagesAndCharts.spec.ts @@ -1,5 +1,5 @@ /** - * Copyright 2025 Defense Unicorns + * Copyright 2025-2026 Defense Unicorns * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial */ @@ -73,12 +73,12 @@ describe("compareImagesAndCharts", () => { "1.21.6": [ "docker.io/library/nginx:1.21.6", "registry1.dso.mil/ironbank/nginx:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", ], "8.12.1": [ "docker.io/curlimages/curl:8.12.1", "registry1.dso.mil/ironbank/curl:8.12.1", - "quay.io/rfcurated/curl:8.12.1-jammy-scratch-fips-rfcurated", + "cgr.dev/defenseunicorns.com/curl-fips:8.12.1", ], }; } @@ -87,12 +87,12 @@ describe("compareImagesAndCharts", () => { "1.25.3": [ "docker.io/library/nginx:1.25.3", "registry1.dso.mil/ironbank/nginx:1.25.3", - "quay.io/rfcurated/nginx:1.25.3-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.25.3", ], "8.12.1": [ "docker.io/curlimages/curl:8.12.1", "registry1.dso.mil/ironbank/curl:8.12.1", - "quay.io/rfcurated/curl:8.12.1-jammy-scratch-fips-rfcurated", + "cgr.dev/defenseunicorns.com/curl-fips:8.12.1", ], }; } 
@@ -145,12 +145,12 @@ describe("compareImagesAndCharts", () => { "1.21.6": [ "docker.io/library/nginx:1.21.6", "registry1.dso.mil/ironbank/nginx:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", ], "8.12.1": [ "docker.io/curlimages/curl:8.12.1", "registry1.dso.mil/ironbank/curl:8.12.1", - "quay.io/rfcurated/curl:8.12.1-jammy-scratch-fips-rfcurated", + "cgr.dev/defenseunicorns.com/curl-fips:8.12.1", ], }; } @@ -159,12 +159,12 @@ describe("compareImagesAndCharts", () => { "2.0.0": [ "docker.io/library/nginx:2.0.0", "registry1.dso.mil/ironbank/nginx:2.0.0", - "quay.io/rfcurated/nginx:2.0.0-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:2.0.0", ], "8.12.1": [ "docker.io/curlimages/curl:8.12.1", "registry1.dso.mil/ironbank/curl:8.12.1", - "quay.io/rfcurated/curl:8.12.1-jammy-scratch-fips-rfcurated", + "cgr.dev/defenseunicorns.com/curl-fips:8.12.1", ], }; } @@ -217,7 +217,7 @@ describe("compareImagesAndCharts", () => { "1.21.6": [ "docker.io/library/nginx:1.21.6", "registry1.dso.mil/ironbank/nginx:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", ], }; } @@ -226,7 +226,7 @@ describe("compareImagesAndCharts", () => { "1.21.6": [ "docker.io/library/nginx:1.21.6", "registry1.dso.mil/ironbank/nginx:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", ], }; } @@ -280,7 +280,7 @@ describe("compareImagesAndCharts", () => { "1.21.6": [ "docker.io/library/nginx:1.21.6", "registry1.dso.mil/ironbank/nginx:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", ], }; } 
@@ -289,7 +289,7 @@ describe("compareImagesAndCharts", () => { "1.21.6": [ "docker.io/library/nginx:1.21.6", "registry1.dso.mil/ironbank/nginx:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", ], }; } @@ -342,7 +342,7 @@ describe("compareImagesAndCharts", () => { "1.21.6": [ "docker.io/library/nginx:1.21.6", "registry1.dso.mil/ironbank/nginx:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", ], }; } @@ -350,7 +350,7 @@ describe("compareImagesAndCharts", () => { return { "1.25.3": [ "docker.io/library/nginx:1.25.3", - "quay.io/rfcurated/nginx:1.25.3-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.25.3", ], "1.22.6": ["registry1.dso.mil/ironbank/nginx:1.22.6"], }; @@ -406,8 +406,8 @@ describe("compareImagesAndCharts", () => { "docker.io/library/curl:1.25.3", "registry1.dso.mil/ironbank/nginx:1.21.6", "registry1.dso.mil/ironbank/curl:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", - "quay.io/rfcurated/curl:1.21.6-jammy-scratch-fips-rfcurated", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", + "cgr.dev/defenseunicorns.com/curl-fips:1.21.6", ], }; } @@ -417,8 +417,8 @@ describe("compareImagesAndCharts", () => { "1.21.6": [ "registry1.dso.mil/ironbank/nginx:1.21.6", "registry1.dso.mil/ironbank/curl:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", - "quay.io/rfcurated/curl:1.21.6-jammy-scratch-fips-rfcurated", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", + "cgr.dev/defenseunicorns.com/curl-fips:1.21.6", ], }; } 
@@ -428,7 +428,7 @@ describe("compareImagesAndCharts", () => { const result = await compareImagesAndCharts("old", "new"); expect(result.labels).toContain("waiting on ironbank"); - expect(result.labels).toContain("waiting on rapidfort"); + expect(result.labels).toContain("waiting on unicorn"); // Check for multiple Ironbank messages expect(result.changes).toContain( @@ -438,16 +438,16 @@ describe("compareImagesAndCharts", () => { "Waiting on Ironbank to update registry1.dso.mil/ironbank/curl to version 1.25.3", ); - // Check for multiple Rapidfort messages + // Check for multiple Unicorn messages expect(result.changes).toContain( - "Waiting on Rapidfort to update quay.io/rfcurated/nginx to version 1.25.3", + "Waiting on Unicorn to update cgr.dev/defenseunicorns.com/nginx-fips to version 1.25.3", ); expect(result.changes).toContain( - "Waiting on Rapidfort to update quay.io/rfcurated/curl to version 1.25.3", + "Waiting on Unicorn to update cgr.dev/defenseunicorns.com/curl-fips to version 1.25.3", ); }); - it("should detect waiting on rapidfort", async () => { + it("should detect waiting on unicorn", async () => { // Mock fs.readFileSync to return different content based on the file path (fs.readFileSync as Mock).mockImplementation(filePath => { if (filePath === "old/charts.yaml") { @@ -485,14 +485,14 @@ describe("compareImagesAndCharts", () => { "1.21.6": [ "docker.io/library/nginx:1.21.6", "registry1.dso.mil/ironbank/nginx:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", ], }; } if (content === "images-new") { return { "1.25.3": ["docker.io/library/nginx:1.25.3", "registry1.dso.mil/ironbank/nginx:1.25.3"], - "1.21.6": ["quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened"], + "1.21.6": ["cgr.dev/defenseunicorns.com/nginx-fips:1.21.6"], }; } return {}; 
@@ -500,9 +500,9 @@ describe("compareImagesAndCharts", () => { const result = await compareImagesAndCharts("old", "new"); - expect(result.labels).toEqual(["waiting on rapidfort"]); + expect(result.labels).toEqual(["waiting on unicorn"]); expect(result.changes).toContain( - "Waiting on Rapidfort to update quay.io/rfcurated/nginx to version 1.25.3", + "Waiting on Unicorn to update cgr.dev/defenseunicorns.com/nginx-fips to version 1.25.3", ); }); @@ -544,12 +544,12 @@ describe("compareImagesAndCharts", () => { "1.21.6": [ "docker.io/library/nginx:1.21.6", "registry1.dso.mil/ironbank/nginx:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", ], "8.12.1": [ "docker.io/curlimages/curl:8.12.1", "registry1.dso.mil/ironbank/curl:8.12.1", - "quay.io/rfcurated/curl:8.12.1-jammy-scratch-fips-rfcurated", + "cgr.dev/defenseunicorns.com/curl-fips:8.12.1", ], }; } @@ -557,11 +557,11 @@ describe("compareImagesAndCharts", () => { return { "1.25.3": ["docker.io/library/nginx:1.25.3"], "1.22.6": ["registry1.dso.mil/ironbank/nginx:1.22.6"], - "1.21.6": ["quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened"], + "1.21.6": ["cgr.dev/defenseunicorns.com/nginx-fips:1.21.6"], "8.12.1": [ "docker.io/curlimages/curl:8.12.1", "registry1.dso.mil/ironbank/curl:8.12.1", - "quay.io/rfcurated/curl:8.12.1-jammy-scratch-fips-rfcurated", + "cgr.dev/defenseunicorns.com/curl-fips:8.12.1", ], }; } 
@@ -570,12 +570,12 @@ describe("compareImagesAndCharts", () => { const result = await compareImagesAndCharts("old", "new"); - expect(result.labels).toEqual(["waiting on ironbank", "waiting on rapidfort"]); + expect(result.labels).toEqual(["waiting on ironbank", "waiting on unicorn"]); expect(result.changes).toContain( "Waiting on Ironbank to update registry1.dso.mil/ironbank/nginx to version 1.25.3", ); expect(result.changes).toContain( - "Waiting on Rapidfort to update quay.io/rfcurated/nginx to version 1.25.3", + "Waiting on Unicorn to update cgr.dev/defenseunicorns.com/nginx-fips to version 1.25.3", ); }); 
@@ -895,82 +895,82 @@ describe("compareImagesAndCharts", () => { expect(result.changes).toContain("Major helm chart update detected for grafana"); expect(result.changes).toContain("PR contains only helm chart updates"); }); -}); -it("should detect wait for loki (regression test)", async () => { - // Mock fs.readFileSync to return different content based on the file path - (fs.readFileSync as Mock).mockImplementation(filePath => { - if (filePath === "old/charts.yaml") { - return "charts-old"; - } - if (filePath === "new/charts.yaml") { - return "charts-new"; - } - if (filePath === "old/images.yaml") { - return "images-old"; - } - if (filePath === "new/images.yaml") { - return "images-new"; - } - return ""; - }); + it("should detect wait for loki (regression test)", async () => { + // Mock fs.readFileSync to return different content based on the file path + (fs.readFileSync as Mock).mockImplementation(filePath => { + if (filePath === "old/charts.yaml") { + return "charts-old"; + } + if (filePath === "new/charts.yaml") { + return "charts-new"; + } + if (filePath === "old/images.yaml") { + return "images-old"; + } + if (filePath === "new/images.yaml") { + return "images-new"; + } + return ""; + }); - // Mock fs.existsSync to return true for all files - (fs.existsSync as Mock).mockReturnValue(true); - - // Mock yaml.parse to return different content based on the input - (yaml.parse as Mock).mockImplementation(content => { - if (content === "charts-old") { - return { - "https://grafana.github.io/helm-charts/loki": "6.29.0", - }; - } - if (content === "charts-new") { - return { - "https://grafana.github.io/helm-charts/loki": "6.29.0", - }; - } - if (content === "images-old") { - return { - "3.4.3": [ - "docker.io/grafana/loki:3.4.3", - "registry1.dso.mil/ironbank/opensource/grafana/loki:3.4.3", - "quay.io/rfcurated/grafana/loki:3.4.3-jammy-fips-rfcurated-rfhardened", - ], - "1.6.38": [ - "docker.io/memcached:1.6.38-alpine", - 
"registry1.dso.mil/ironbank/opensource/memcached/memcached:1.6.38", - "quay.io/rfcurated/memcached:1.6.38-jammy-fips-rfcurated-rfhardened", - ], - "1.27": ["docker.io/nginxinc/nginx-unprivileged:1.27-alpine"], - "1.26.3": ["registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.26.3"], - "1.27.5": ["quay.io/rfcurated/nginx:1.27.5-slim-jammy-fips-rfcurated-rfhardened"], - }; - } - if (content === "images-new") { - return { - "1.27": ["docker.io/nginxinc/nginx-unprivileged:1.27-alpine"], - "3.4.3": ["quay.io/rfcurated/grafana/loki:3.4.3-jammy-fips-rfcurated-rfhardened"], - "1.6.38": [ - "docker.io/memcached:1.6.38-alpine", - "registry1.dso.mil/ironbank/opensource/memcached/memcached:1.6.38", - "quay.io/rfcurated/memcached:1.6.38-jammy-fips-rfcurated-rfhardened", - ], - "1.26.3": ["registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.26.3"], - "1.27.5": ["quay.io/rfcurated/nginx:1.27.5-slim-jammy-fips-rfcurated-rfhardened"], - "3.5.0": [ - "docker.io/grafana/loki:3.5.0", - "registry1.dso.mil/ironbank/opensource/grafana/loki:3.5.0", - ], - }; - } - return {}; - }); + // Mock fs.existsSync to return true for all files + (fs.existsSync as Mock).mockReturnValue(true); + + // Mock yaml.parse to return different content based on the input + (yaml.parse as Mock).mockImplementation(content => { + if (content === "charts-old") { + return { + "https://grafana.github.io/helm-charts/loki": "6.29.0", + }; + } + if (content === "charts-new") { + return { + "https://grafana.github.io/helm-charts/loki": "6.29.0", + }; + } + if (content === "images-old") { + return { + "3.4.3": [ + "docker.io/grafana/loki:3.4.3", + "registry1.dso.mil/ironbank/opensource/grafana/loki:3.4.3", + "cgr.dev/defenseunicorns.com/loki-fips:3.4.3", + ], + "1.6.38": [ + "docker.io/memcached:1.6.38-alpine", + "registry1.dso.mil/ironbank/opensource/memcached/memcached:1.6.38", + "cgr.dev/defenseunicorns.com/memcached-fips:1.6.38", + ], + "1.27": ["docker.io/nginxinc/nginx-unprivileged:1.27-alpine"], + 
"1.26.3": ["registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.26.3"], + "1.27.5": ["cgr.dev/defenseunicorns.com/nginx-fips:1.27.5"], + }; + } + if (content === "images-new") { + return { + "1.27": ["docker.io/nginxinc/nginx-unprivileged:1.27-alpine"], + "3.4.3": ["cgr.dev/defenseunicorns.com/loki-fips:3.4.3"], + "1.6.38": [ + "docker.io/memcached:1.6.38-alpine", + "registry1.dso.mil/ironbank/opensource/memcached/memcached:1.6.38", + "cgr.dev/defenseunicorns.com/memcached-fips:1.6.38", + ], + "1.26.3": ["registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.26.3"], + "1.27.5": ["cgr.dev/defenseunicorns.com/nginx-fips:1.27.5"], + "3.5.0": [ + "docker.io/grafana/loki:3.5.0", + "registry1.dso.mil/ironbank/opensource/grafana/loki:3.5.0", + ], + }; + } + return {}; + }); - const result = await compareImagesAndCharts("old", "new"); + const result = await compareImagesAndCharts("old", "new"); - expect(result.labels).toEqual(["waiting on rapidfort"]); - expect(result.changes).toContain( - "Waiting on Rapidfort to update quay.io/rfcurated/grafana/loki to version 3.5.0", - ); + expect(result.labels).toEqual(["waiting on unicorn"]); + expect(result.changes).toContain( + "Waiting on Unicorn to update cgr.dev/defenseunicorns.com/loki-fips to version 3.5.0", + ); + }); }); diff --git a/scripts/renovate/compareImagesAndCharts.ts b/scripts/renovate/compareImagesAndCharts.ts index e821194bcb..d67ebb1509 100644 --- a/scripts/renovate/compareImagesAndCharts.ts +++ b/scripts/renovate/compareImagesAndCharts.ts @@ -1,5 +1,5 @@ /** - * Copyright 2025 Defense Unicorns + * Copyright 2025-2026 Defense Unicorns * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial */ 
@@ -52,7 +52,7 @@ export async function compareImagesAndCharts( // If no waiting labels were added, add needs-review if ( !result.labels.includes("waiting on ironbank") && - !result.labels.includes("waiting on rapidfort") && + !result.labels.includes("waiting on unicorn") && !result.labels.includes("helm-chart-only") ) { result.labels.push("needs-review"); @@ -257,14 +257,12 @@ function compareImages( result.changes.push( `Waiting on Ironbank to update ${imgName} to version ${newVersion}`, ); - } else if (missingImg.startsWith("quay.io/rfcurated")) { + } else if (missingImg.startsWith("cgr.dev/defenseunicorns.com")) { // Only add the label once, but add a message for each missing image - if (!result.labels.includes("waiting on rapidfort")) { - result.labels.push("waiting on rapidfort"); + if (!result.labels.includes("waiting on unicorn")) { + result.labels.push("waiting on unicorn"); } - result.changes.push( - `Waiting on Rapidfort to update ${imgName} to version ${newVersion}`, - ); + result.changes.push(`Waiting on Unicorn to update ${imgName} to version ${newVersion}`); } } diff --git a/scripts/renovate/getImagesAndCharts.spec.ts b/scripts/renovate/getImagesAndCharts.spec.ts index 468a229c5b..effdad08ea 100644 --- a/scripts/renovate/getImagesAndCharts.spec.ts +++ b/scripts/renovate/getImagesAndCharts.spec.ts @@ -1,5 +1,5 @@ /** - * Copyright 2025 Defense Unicorns + * Copyright 2025-2026 Defense Unicorns * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial */ 
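Review bot: `missingImg.startsWith("cgr.dev/defenseunicorns.com")` in the @@ -257 hunk has no trailing slash, so any repository whose path merely begins with that string would also be classified as a Unicorn image; scripts/check-multiarch.sh in this same commit greps for `cgr.dev/defenseunicorns.com/` with the slash, and the two should agree: `} else if (missingImg.startsWith("cgr.dev/defenseunicorns.com/")) {`. With the `quay.io/rfcurated` branch gone, a leftover rfcurated image that falls behind now matches neither branch and ends up with `needs-review` via the @@ -52 check rather than a waiting label; that may be the intended migration behaviour, but it deserves a one-line comment above the `else if`. compareImages starts and ends outside the hunk.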
@@ -114,10 +114,10 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - quay.io/rfcurated/grafana:11.5.3-jammy-scratch-fips-rfcurated - - quay.io/rfcurated/busybox:1.37.0-glibc-rf.1-rfcurated - - quay.io/rfcurated/curl:8.12.1-jammy-scratch-fips-rfcurated - - quay.io/rfcurated/k8s-sidecar:1.30.3-jammy-scratch-fips-rfcurated-rfhardened + - cgr.dev/defenseunicorns.com/grafana-fips:11.5.3 + - cgr.dev/defenseunicorns.com/busybox:1.37.0 + - cgr.dev/defenseunicorns.com/curl-fips:8.12.1 + - cgr.dev/defenseunicorns.com/k8s-sidecar-fips:1.30.3 `; } if (filePath === "test-dir/common/zarf.yaml") { @@ -193,18 +193,15 @@ components: ], "8.12.1": [ "docker.io/curlimages/curl:8.12.1", - "quay.io/rfcurated/curl:8.12.1-jammy-scratch-fips-rfcurated", - ], - "1.37.0": [ - "docker.io/library/busybox:1.37.0", - "quay.io/rfcurated/busybox:1.37.0-glibc-rf.1-rfcurated", + "cgr.dev/defenseunicorns.com/curl-fips:8.12.1", ], + "1.37.0": ["docker.io/library/busybox:1.37.0", "cgr.dev/defenseunicorns.com/busybox:1.37.0"], "1.30.3": [ "ghcr.io/kiwigrid/k8s-sidecar:1.30.3", "registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.30.3", - "quay.io/rfcurated/k8s-sidecar:1.30.3-jammy-scratch-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/k8s-sidecar-fips:1.30.3", ], - "11.5.3": ["quay.io/rfcurated/grafana:11.5.3-jammy-scratch-fips-rfcurated"], + "11.5.3": ["cgr.dev/defenseunicorns.com/grafana-fips:11.5.3"], "9.5": ["registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.5"], }); }); @@ -241,8 +238,8 @@ components: only: flavor: unicorn images: - - quay.io/rfcurated/nginx:1.25.3-slim-jammy-fips-rfcurated-rfhardened - - quay.io/rfcurated/postgres:15.4.0-slim-jammy-fips-rfcurated-rfhardened + - cgr.dev/defenseunicorns.com/nginx-fips:1.25.3 + - cgr.dev/defenseunicorns.com/postgresql-fips:15.4.0 `; } if (filePath === "test-dir/common/zarf.yaml") { 
@@ -274,12 +271,12 @@ metadata: "1.25.3": [ "docker.io/library/nginx:1.25.3", "registry1.dso.mil/ironbank/opensource/nginx/nginx:1.25.3", - "quay.io/rfcurated/nginx:1.25.3-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.25.3", ], "15.4.0": [ "docker.io/library/postgres:15.4.0", "registry1.dso.mil/ironbank/opensource/postgres/postgresql:15.4.0", - "quay.io/rfcurated/postgres:15.4.0-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/postgresql-fips:15.4.0", ], }); }); @@ -356,7 +353,7 @@ components: - name: component1 images: - registry1.dso.mil/ironbank/postgres:15.2.0 - - quay.io/rfcurated/postgres:15.2.0-slim-jammy-fips-rfcurated-rfhardened + - cgr.dev/defenseunicorns.com/postgresql-fips:15.2.0 - docker.io/library/postgres:15.2.0-beta.2 `; } @@ -388,7 +385,7 @@ metadata: expect(images).toEqual({ "15.2.0": [ "registry1.dso.mil/ironbank/postgres:15.2.0", - "quay.io/rfcurated/postgres:15.2.0-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/postgresql-fips:15.2.0", "docker.io/library/postgres:15.2.0-beta.2", ], }); diff --git a/src/authservice/values/unicorn-values.yaml b/src/authservice/values/unicorn-values.yaml index 1e9915a0a0..8658b73d24 100644 --- a/src/authservice/values/unicorn-values.yaml +++ b/src/authservice/values/unicorn-values.yaml @@ -1,6 +1,6 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial image: - repository: quay.io/rfcurated/istio-ecosystem/authservice - tag: "1.1.5-jammy-scratch-fips-rfcurated" + repository: cgr.dev/defenseunicorns.com/authservice-fips + tag: "1.1.5" diff --git a/src/authservice/zarf.yaml b/src/authservice/zarf.yaml index 2b4b00124a..506790d9de 100644 --- a/src/authservice/zarf.yaml +++ b/src/authservice/zarf.yaml 
@@ -1,4 +1,4 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial kind: ZarfPackageConfig @@ -47,4 +47,4 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - quay.io/rfcurated/istio-ecosystem/authservice:1.1.5-jammy-scratch-fips-rfcurated + - cgr.dev/defenseunicorns.com/authservice-fips:1.1.5 diff --git a/src/falco/values/unicorn-values.yaml b/src/falco/values/unicorn-values.yaml index f14f4747bc..62dab9084e 100644 --- a/src/falco/values/unicorn-values.yaml +++ b/src/falco/values/unicorn-values.yaml @@ -1,15 +1,15 @@ -# Copyright 2025 Defense Unicorns +# Copyright 2025-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial image: - registry: quay.io - repository: rfcurated/falcosecurity/falco - tag: 0.43.1-jammy-scratch-fips-rfcurated + registry: cgr.dev + repository: defenseunicorns.com/falco-fips + tag: 0.43.1 pullPolicy: IfNotPresent falcosidekick: image: - registry: quay.io - repository: rfcurated/falcosecurity/falcosidekick - tag: 2.33.0-jammy-scratch-fips-rfcurated + registry: cgr.dev + repository: defenseunicorns.com/falcosidekick-fips + tag: 2.33.0 pullPolicy: IfNotPresent diff --git a/src/falco/zarf.yaml b/src/falco/zarf.yaml index 50c186d0bb..d265c7781d 100644 --- a/src/falco/zarf.yaml +++ b/src/falco/zarf.yaml @@ -1,4 +1,4 @@ -# Copyright 2025 Defense Unicorns +# Copyright 2025-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial kind: ZarfPackageConfig @@ -53,5 +53,5 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - quay.io/rfcurated/falcosecurity/falco:0.43.1-jammy-scratch-fips-rfcurated - - quay.io/rfcurated/falcosecurity/falcosidekick:2.33.0-jammy-scratch-fips-rfcurated + - cgr.dev/defenseunicorns.com/falco-fips:0.43.1 + - cgr.dev/defenseunicorns.com/falcosidekick-fips:2.33.0 
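Review bot: The falco unicorn values now carry bare numeric tags (`tag: 0.43.1`, `tag: 2.33.0`) where the previous values had an alphabetic suffix that guaranteed a string; a future bump to a two-component tag such as `1.3` or `1.30` would be parsed as a YAML float (`1.30` becomes `1.3`) before Helm ever sees it. The authservice, keycloak and metrics-server values in this same change quote their tags (`tag: "1.1.5"`, `tag: "26.6.1"`, `tag: "0.8.1"`), so the unquoted form here is also inconsistent within the PR. Quoting them, `tag: "0.43.1"` and `tag: "2.33.0"`, removes the trap; the same applies to the grafana, loki, prometheus-stack, vector and velero unicorn values hunks below.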
diff --git a/src/grafana/values/unicorn-values.yaml b/src/grafana/values/unicorn-values.yaml index 0693d45947..dfa755297f 100644 --- a/src/grafana/values/unicorn-values.yaml +++ b/src/grafana/values/unicorn-values.yaml @@ -1,24 +1,24 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial image: - registry: quay.io - repository: rfcurated/grafana - tag: 12.4.2-jammy-scratch-fips-rfcurated + registry: cgr.dev + repository: defenseunicorns.com/grafana-fips + tag: 12.4.2 initChownData: image: - registry: quay.io - repository: rfcurated/busybox - tag: 1.37.0-musl-rf.1-fips-rfcurated + registry: cgr.dev + repository: defenseunicorns.com/busybox-fips + tag: 1.37.0 downloadDashboardsImage: - registry: quay.io - repository: rfcurated/curl - tag: 8.19.0-jammy-scratch-fips-rfcurated + registry: cgr.dev + repository: defenseunicorns.com/curl-fips + tag: 8.19.0 sidecar: image: - registry: quay.io - repository: rfcurated/kiwigrid/k8s-sidecar - tag: 2.5.0-jammy-scratch-fips-rfcurated-rfhardened + registry: cgr.dev + repository: defenseunicorns.com/k8s-sidecar-fips + tag: 2.7.1 diff --git a/src/grafana/zarf.yaml b/src/grafana/zarf.yaml index f39b67424a..b39ed9788b 100644 --- a/src/grafana/zarf.yaml +++ b/src/grafana/zarf.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial kind: ZarfPackageConfig 
@@ -62,7 +62,7 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - quay.io/rfcurated/grafana:12.4.2-jammy-scratch-fips-rfcurated - - quay.io/rfcurated/busybox:1.37.0-musl-rf.1-fips-rfcurated - - quay.io/rfcurated/curl:8.19.0-jammy-scratch-fips-rfcurated - - quay.io/rfcurated/kiwigrid/k8s-sidecar:2.5.0-jammy-scratch-fips-rfcurated-rfhardened + - cgr.dev/defenseunicorns.com/grafana-fips:12.4.2 + - cgr.dev/defenseunicorns.com/busybox-fips:1.37.0 + - cgr.dev/defenseunicorns.com/curl-fips:8.19.0 + - cgr.dev/defenseunicorns.com/k8s-sidecar-fips:2.7.1 diff --git a/src/istio/values/unicorn/cni.yaml b/src/istio/values/unicorn/cni.yaml index 57427116f1..b958093f95 100644 --- a/src/istio/values/unicorn/cni.yaml +++ b/src/istio/values/unicorn/cni.yaml @@ -1,5 +1,5 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial cni: - image: quay.io/rfcurated/istio/install-cni:1.29.2-jammy-fips-rfcurated-rfhardened + image: cgr.dev/defenseunicorns.com/istio-install-cni-fips:1.29.2 diff --git a/src/istio/values/unicorn/istiod.yaml b/src/istio/values/unicorn/istiod.yaml index b7b7a7d27f..8676ae84a3 100644 --- a/src/istio/values/unicorn/istiod.yaml +++ b/src/istio/values/unicorn/istiod.yaml 
@@ -1,12 +1,12 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial pilot: - image: "quay.io/rfcurated/istio/pilot:1.29.2-jammy-fips-rfcurated-rfhardened" + image: "cgr.dev/defenseunicorns.com/istio-pilot-fips:1.29.2" global: proxy_init: - # renovate: image=quay.io/rfcurated/istio/proxyv2 - image: "###ZARF_REGISTRY###/rfcurated/istio/proxyv2:1.29.2-jammy-fips-rfcurated-rfhardened" + # renovate: image=cgr.dev/defenseunicorns.com/istio-proxy-fips + image: "###ZARF_REGISTRY###/defenseunicorns.com/istio-proxy-fips:1.29.2" proxy: - # renovate: image=quay.io/rfcurated/istio/proxyv2 - image: "###ZARF_REGISTRY###/rfcurated/istio/proxyv2:1.29.2-jammy-fips-rfcurated-rfhardened" + # renovate: image=cgr.dev/defenseunicorns.com/istio-proxy-fips + image: "###ZARF_REGISTRY###/defenseunicorns.com/istio-proxy-fips:1.29.2" diff --git a/src/istio/values/unicorn/ztunnel.yaml b/src/istio/values/unicorn/ztunnel.yaml index 9c615d29e1..5f33ba135e 100644 --- a/src/istio/values/unicorn/ztunnel.yaml +++ b/src/istio/values/unicorn/ztunnel.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial -image: quay.io/rfcurated/istio/ztunnel:1.29.2-jammy-scratch-fips-rfcurated +image: cgr.dev/defenseunicorns.com/ztunnel-fips:1.29.2 diff --git a/src/istio/zarf.yaml b/src/istio/zarf.yaml index 5b902ec32d..2c9bda66f3 100644 --- a/src/istio/zarf.yaml +++ b/src/istio/zarf.yaml 
@@ -82,10 +82,10 @@ components: - "values/unicorn/ztunnel.yaml" # @lulaStart b4367e52-bef0-4463-a906-e5af6b4aa015 images: - - quay.io/rfcurated/istio/pilot:1.29.2-jammy-fips-rfcurated-rfhardened - - quay.io/rfcurated/istio/proxyv2:1.29.2-jammy-fips-rfcurated-rfhardened - - quay.io/rfcurated/istio/install-cni:1.29.2-jammy-fips-rfcurated-rfhardened - - quay.io/rfcurated/istio/ztunnel:1.29.2-jammy-scratch-fips-rfcurated + - cgr.dev/defenseunicorns.com/istio-pilot-fips:1.29.2 + - cgr.dev/defenseunicorns.com/istio-proxy-fips:1.29.2 + - cgr.dev/defenseunicorns.com/istio-install-cni-fips:1.29.2 + - cgr.dev/defenseunicorns.com/ztunnel-fips:1.29.2 # @lulaEnd b4367e52-bef0-4463-a906-e5af6b4aa015 - name: gateway-api-crds diff --git a/src/keycloak/chart/templates/configmap-fips-jce-security.yaml b/src/keycloak/chart/templates/configmap-fips-jce-security.yaml new file mode 100644 index 0000000000..41b47b6efc --- /dev/null +++ b/src/keycloak/chart/templates/configmap-fips-jce-security.yaml @@ -0,0 +1,15 @@ +# Copyright 2024-2026 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +{{- if contains "cgr.dev" .Values.image.repository }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "keycloak.fullname" . }}-fips-jce-security + namespace: {{ .Release.Namespace }} + labels: + {{- include "keycloak.labels" . | nindent 4 }} +data: + fips-sunjce.security: | + security.provider.99=SunJCE +{{- end }} diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml index 6df6c3c869..9bee4d7598 100644 --- a/src/keycloak/chart/templates/statefulset.yaml +++ b/src/keycloak/chart/templates/statefulset.yaml 
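Review bot: The new configmap-fips-jce-security.yaml appends `security.provider.99=SunJCE` to the JDK provider list without recording why, and SunJCE is not a FIPS-validated module, so any algorithm the image's FIPS providers do not register would presumably fall through to it at that lowest priority. A comment above the `data` key naming which Keycloak operation needs the fallback, and noting that the single `=` in the companion `-Djava.security.properties=` flag overlays the image's java.security rather than replacing it, would let the next reviewer judge whether the override is still required after an image bump. The `contains "cgr.dev" .Values.image.repository` guard is a substring match, so a mirror path that happens to contain `cgr.dev` anywhere would also enable the override; `hasPrefix "cgr.dev/" .Values.image.repository` states the intent more precisely.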
@@ -185,13 +185,19 @@ spec: - secretRef: name: {{ include "keycloak.fullname" . }}-realm-env env: + {{- if and (contains "cgr.dev" .Values.image.repository) .Values.env }} + {{- range .Values.env }} + {{- if eq .name "JAVA_OPTS_APPEND" }} + {{- fail "cgr.dev image detected with JAVA_OPTS_APPEND in .Values.env; the chart injects JAVA_OPTS_APPEND to load the FIPS JCE security override" }} + {{- end }} + {{- end }} + {{- end }} {{- if .Values.env }} {{- tpl (toYaml .Values.env) . | nindent 12 }} {{- end }} - {{- if or (contains "rfcurated" .Values.image.repository) (contains "rfcurated" (toString .Values.image.tag)) }} - # Ensure javaagent is disabled (only for rfcurated unicorn flavor) - - name: JDK_JAVA_OPTIONS - value: "--add-exports=java.base/sun.security.internal.spec=ALL-UNNAMED --add-exports=java.base/sun.security.provider=ALL-UNNAMED" + {{- if contains "cgr.dev" .Values.image.repository }} + - name: JAVA_OPTS_APPEND + value: "-Djava.security.properties=/opt/keycloak/data/fips-sunjce.security" {{- end }} # Common configuration - name: UDS_DOMAIN @@ -394,6 +400,12 @@ spec: {{- with .Values.extraVolumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} + {{- if contains "cgr.dev" .Values.image.repository }} + - name: fips-jce-security + mountPath: /opt/keycloak/data/fips-sunjce.security + subPath: fips-sunjce.security + readOnly: true + {{- end }} enableServiceLinks: {{ .Values.enableServiceLinks }} restartPolicy: {{ .Values.restartPolicy }} {{- with .Values.nodeSelector }} @@ -483,6 +495,11 @@ spec: {{- end }} {{- end }} {{- end }} + {{- if contains "cgr.dev" .Values.image.repository }} + - name: fips-jce-security + configMap: + name: {{ include "keycloak.fullname" . }}-fips-jce-security + {{- end }} {{- with .Values.extraVolumes }} {{- toYaml . | nindent 8 }} {{- end }} diff --git a/src/keycloak/chart/tests/kc_fips_jce_security_test.yaml b/src/keycloak/chart/tests/kc_fips_jce_security_test.yaml new file mode 100644 index 0000000000..3b666a2713 --- /dev/null 
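Review bot: The condition `contains "cgr.dev" .Values.image.repository` is written out three times in this file (env at @@ -185, volumeMounts at @@ -394, volumes at @@ -483) and once more in configmap-fips-jce-security.yaml, so the four copies can drift the next time the discriminator changes, as the removed `rfcurated` check that also inspected `.Values.image.tag` shows. A named template alongside `keycloak.fullname`, e.g. `{{- define "keycloak.fipsJceOverride" -}}{{ contains "cgr.dev" .Values.image.repository }}{{- end }}` used as `{{- if eq (include "keycloak.fipsJceOverride" .) "true" }}` at each site, keeps them in lock-step. The `subPath` mount is the right way to drop a single file into `/opt/keycloak/data`, but a ConfigMap mounted via subPath is not updated in running pods until they restart; a one-line comment on the volumeMount saying so would save a confusing debugging session. The StatefulSet spec continues outside these hunks.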
+++ b/src/keycloak/chart/tests/kc_fips_jce_security_test.yaml 
@@ -0,0 +1,100 @@ +# Copyright 2024-2026 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json + +suite: Keycloak - FIPS JCE security override +templates: + - statefulset.yaml + - configmap-fips-jce-security.yaml + +tests: + - it: should NOT render the fips-jce-security configmap when image.repository does not contain cgr.dev + set: + image: + repository: quay.io/keycloak/keycloak + template: configmap-fips-jce-security.yaml + asserts: + - hasDocuments: + count: 0 + + - it: should render the fips-jce-security configmap when image.repository contains cgr.dev + set: + image: + repository: cgr.dev/defenseunicorns.com/keycloak-fips + template: configmap-fips-jce-security.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + + - it: should include SunJCE provider in configmap data when image.repository contains cgr.dev + set: + image: + repository: cgr.dev/defenseunicorns.com/keycloak-fips + template: configmap-fips-jce-security.yaml + asserts: + - matchRegex: + path: data["fips-sunjce.security"] + pattern: "security\\.provider\\.99=SunJCE" + + - it: should NOT inject JAVA_OPTS_APPEND when image.repository does not contain cgr.dev + set: + image: + repository: quay.io/keycloak/keycloak + template: statefulset.yaml + asserts: + - notContains: + path: spec.template.spec.containers[0].env + content: + name: JAVA_OPTS_APPEND + + - it: should inject JAVA_OPTS_APPEND with correct path when image.repository contains cgr.dev + set: + image: + repository: cgr.dev/defenseunicorns.com/keycloak-fips + template: statefulset.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: JAVA_OPTS_APPEND + value: "-Djava.security.properties=/opt/keycloak/data/fips-sunjce.security" + + - it: should NOT add fips-jce-security volumeMount when image.repository 
does not contain cgr.dev + set: + image: + repository: quay.io/keycloak/keycloak + template: statefulset.yaml + asserts: + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: fips-jce-security + + - it: should add fips-jce-security volumeMount when image.repository contains cgr.dev + set: + image: + repository: cgr.dev/defenseunicorns.com/keycloak-fips + template: statefulset.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: fips-jce-security + mountPath: /opt/keycloak/data/fips-sunjce.security + subPath: fips-sunjce.security + readOnly: true + + - it: should fail render when image.repository contains cgr.dev and env contains JAVA_OPTS_APPEND + set: + image: + repository: cgr.dev/defenseunicorns.com/keycloak-fips + env: + - name: JAVA_OPTS_APPEND + value: "-Xmx512m" + template: statefulset.yaml + asserts: + - failedTemplate: + errorMessage: "cgr.dev image detected with JAVA_OPTS_APPEND in .Values.env; the chart injects JAVA_OPTS_APPEND to load the FIPS JCE security override" diff --git a/src/keycloak/chart/tests/kc_rfcurated_java_opts_test.yaml b/src/keycloak/chart/tests/kc_rfcurated_java_opts_test.yaml deleted file mode 100644 index a4c490f796..0000000000 --- a/src/keycloak/chart/tests/kc_rfcurated_java_opts_test.yaml +++ /dev/null 
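Review bot: The new suite asserts the env entry and the volumeMount but never the pod `volumes` entry the statefulset adds under the same condition, so a typo in the `-fips-jce-security` ConfigMap reference there would still pass every test. A case with `- contains: {path: spec.template.spec.volumes, content: {name: fips-jce-security}, any: true}` for the cgr.dev repository, and its `notContains` twin for `quay.io/keycloak/keycloak`, closes that gap. The `failedTemplate` case pins the full error string, which is fine, but it will break on any wording tweak to the `fail` call; matching a stable fragment such as `JAVA_OPTS_APPEND in .Values.env` is less brittle.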
@@ -1,47 +0,0 @@ -# Copyright 2025 Defense Unicorns -# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - -# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json - -suite: Keycloak - Unicorn JDK_JAVA_OPTIONS env injection -templates: - - statefulset.yaml - -tests: - - it: should render JDK_JAVA_OPTIONS when image.repository contains "rfcurated" - set: - image: - repository: quay.io/rfcurated/keycloak - tag: "26.4.2" - template: statefulset.yaml - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: JDK_JAVA_OPTIONS - value: "--add-exports=java.base/sun.security.internal.spec=ALL-UNNAMED --add-exports=java.base/sun.security.provider=ALL-UNNAMED" - - - it: should render JDK_JAVA_OPTIONS when image.tag contains "rfcurated" - set: - image: - repository: quay.io/keycloak/keycloak - tag: "26.4.2-jammy-fips-rfcurated" - template: statefulset.yaml - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: JDK_JAVA_OPTIONS - value: "--add-exports=java.base/sun.security.internal.spec=ALL-UNNAMED --add-exports=java.base/sun.security.provider=ALL-UNNAMED" - - - it: should NOT render JDK_JAVA_OPTIONS when image is not rfcurated - set: - image: - repository: quay.io/keycloak/keycloak - tag: "26.6.1" - template: statefulset.yaml - asserts: - - notContains: - path: spec.template.spec.containers[0].env - content: - name: JDK_JAVA_OPTIONS diff --git a/src/keycloak/values/unicorn-values.yaml b/src/keycloak/values/unicorn-values.yaml index 61432699d8..9ead810e4b 100644 --- a/src/keycloak/values/unicorn-values.yaml +++ b/src/keycloak/values/unicorn-values.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial podSecurityContext: 
@@ -11,8 +11,8 @@ securityContext: drop: - ALL image: - repository: quay.io/rfcurated/keycloak - tag: "26.6.1-jammy-fips-rfcurated" + repository: cgr.dev/defenseunicorns.com/keycloak-fips + tag: "26.6.1" migrations: deleteGeneratedTrustStore: true diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml index 7c0b9f1dba..5338fc80aa 100644 --- a/src/keycloak/zarf.yaml +++ b/src/keycloak/zarf.yaml @@ -59,5 +59,5 @@ components: valuesFiles: - "values/unicorn-values.yaml" images: - - quay.io/rfcurated/keycloak:26.6.1-jammy-fips-rfcurated + - cgr.dev/defenseunicorns.com/keycloak-fips:26.6.1 - ghcr.io/defenseunicorns/uds/identity-config:0.27.0 diff --git a/src/loki/values/unicorn-values.yaml b/src/loki/values/unicorn-values.yaml index 2bfc28feff..f7f6235d05 100644 --- a/src/loki/values/unicorn-values.yaml +++ b/src/loki/values/unicorn-values.yaml @@ -1,21 +1,21 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial loki: image: - registry: quay.io - repository: rfcurated/grafana/loki - tag: 3.7.1-jammy-fips-rfcurated-rfhardened + registry: cgr.dev/defenseunicorns.com + repository: loki-fips + tag: 3.7.1 gateway: image: - registry: quay.io - repository: rfcurated/nginx - tag: 1.29.7-slim-jammy-fips-rfcurated-rfhardened + registry: cgr.dev/defenseunicorns.com + repository: nginx-fips + tag: 1.29.8 memcached: image: - repository: quay.io/rfcurated/memcached - tag: 1.6.41-jammy-fips-rfcurated-rfhardened + repository: cgr.dev/defenseunicorns.com/memcached-fips + tag: 1.6.41 sidecar: image: - repository: quay.io/rfcurated/kiwigrid/k8s-sidecar - tag: 2.5.0-jammy-scratch-fips-rfcurated-rfhardened + repository: cgr.dev/defenseunicorns.com/k8s-sidecar-fips + tag: 2.7.1 diff --git a/src/loki/zarf.yaml b/src/loki/zarf.yaml index 2c807bf23c..d94420e0d3 100644 --- a/src/loki/zarf.yaml +++ b/src/loki/zarf.yaml 
@@ -1,4 +1,4 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial kind: ZarfPackageConfig @@ -49,7 +49,7 @@ components: - name: loki required: true - description: "Install Loki using Rapidfort images" + description: "Install Loki using Chainguard images" only: flavor: "unicorn" import: @@ -59,7 +59,7 @@ components: valuesFiles: - ./values/unicorn-values.yaml images: - - quay.io/rfcurated/grafana/loki:3.7.1-jammy-fips-rfcurated-rfhardened - - quay.io/rfcurated/nginx:1.29.7-slim-jammy-fips-rfcurated-rfhardened - - quay.io/rfcurated/memcached:1.6.41-jammy-fips-rfcurated-rfhardened - - quay.io/rfcurated/kiwigrid/k8s-sidecar:2.5.0-jammy-scratch-fips-rfcurated-rfhardened + - cgr.dev/defenseunicorns.com/loki-fips:3.7.1 + - cgr.dev/defenseunicorns.com/nginx-fips:1.29.8 + - cgr.dev/defenseunicorns.com/memcached-fips:1.6.41 + - cgr.dev/defenseunicorns.com/k8s-sidecar-fips:2.7.1 diff --git a/src/metrics-server/values/unicorn-values.yaml b/src/metrics-server/values/unicorn-values.yaml index d3b071ba70..b76cb0b7e6 100644 --- a/src/metrics-server/values/unicorn-values.yaml +++ b/src/metrics-server/values/unicorn-values.yaml @@ -1,6 +1,6 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial image: - repository: quay.io/rfcurated/metrics-server - tag: "0.8.1-jammy-scratch-fips-rfcurated-rfhardened" + repository: cgr.dev/defenseunicorns.com/metrics-server-fips + tag: "0.8.1" diff --git a/src/metrics-server/zarf.yaml b/src/metrics-server/zarf.yaml index 4f58c7054c..2aae40530d 100644 --- a/src/metrics-server/zarf.yaml +++ b/src/metrics-server/zarf.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial kind: ZarfPackageConfig 
@@ -45,4 +45,4 @@ components: valuesFiles: - "values/unicorn-values.yaml" images: - - quay.io/rfcurated/metrics-server:0.8.1-jammy-scratch-fips-rfcurated-rfhardened + - cgr.dev/defenseunicorns.com/metrics-server-fips:0.8.1 diff --git a/src/pepr/policies/common.spec.ts b/src/pepr/policies/common.spec.ts index f7695c810e..36ebc50f6a 100644 --- a/src/pepr/policies/common.spec.ts +++ b/src/pepr/policies/common.spec.ts @@ -1,5 +1,5 @@ /** - * Copyright 2025 Defense Unicorns + * Copyright 2025-2026 Defense Unicorns * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial */ @@ -132,7 +132,7 @@ describe("validateIstioImage", () => { // Test each flavor with its canonical registry it("should return true for unicorn flavor image with correct registry", () => { - expect(validateIstioImage("quay.io/rfcurated/istio/proxyv2:1.16.0")).toBe(true); + expect(validateIstioImage("cgr.dev/defenseunicorns.com/istio-proxy-fips:1.16.0")).toBe(true); }); it("should return true for upstream flavor image with correct registry", () => { @@ -153,8 +153,10 @@ describe("validateIstioImage", () => { // Test with different tags and digests it("should handle images with tags and digests", () => { - expect(validateIstioImage("quay.io/rfcurated/istio/proxyv2:latest")).toBe(true); - expect(validateIstioImage("quay.io/rfcurated/istio/proxyv2@sha256:abc123")).toBe(true); + expect(validateIstioImage("cgr.dev/defenseunicorns.com/istio-proxy-fips:latest")).toBe(true); + expect(validateIstioImage("cgr.dev/defenseunicorns.com/istio-proxy-fips@sha256:abc123")).toBe( + true, + ); }); // Test negative cases diff --git a/src/pepr/policies/common.ts b/src/pepr/policies/common.ts index 3a9af00ec7..3744ac9092 100644 --- a/src/pepr/policies/common.ts +++ b/src/pepr/policies/common.ts @@ -1,5 +1,5 @@ /** - * Copyright 2024 Defense Unicorns + * Copyright 2024-2026 Defense Unicorns * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial */ 
@@ -40,8 +40,8 @@ const ISTIO_IMAGE_FLAVOR_CONFIGS = { repository: "ironbank/tetrate/istio/proxyv2", }, unicorn: { - registry: "quay.io", - repository: "rfcurated/istio/proxyv2", + registry: "cgr.dev", + repository: "defenseunicorns.com/istio-proxy-fips", }, } as const; diff --git a/src/prometheus-stack/values/unicorn/blackbox-exporter.yaml b/src/prometheus-stack/values/unicorn/blackbox-exporter.yaml index 670364fc26..dc1b824882 100644 --- a/src/prometheus-stack/values/unicorn/blackbox-exporter.yaml +++ b/src/prometheus-stack/values/unicorn/blackbox-exporter.yaml @@ -1,14 +1,13 @@ # Copyright 2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial -# Image configuration for unicorn flavor image: - registry: quay.io - repository: rfcurated/prometheus/blackbox-exporter - tag: 0.28.0-jammy-scratch-fips-rfcurated-rfhardened + registry: cgr.dev + repository: defenseunicorns.com/prometheus-blackbox-exporter-fips + tag: 0.28.0 configReloader: image: - registry: quay.io - repository: rfcurated/prometheus-operator/prometheus-config-reloader - tag: 0.91.0-jammy-scratch-fips-rfcurated + registry: cgr.dev + repository: defenseunicorns.com/prometheus-config-reloader-fips + tag: 0.91.0 diff --git a/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml b/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml index fd0099fea1..fe03ccce92 100644 --- a/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml +++ b/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml 
@@ -4,14 +4,14 @@ alertmanager: alertmanagerSpec: image: - registry: quay.io - repository: rfcurated/prometheus/alertmanager - tag: 0.32.1-jammy-fips-rfcurated-rfhardened + registry: cgr.dev + repository: defenseunicorns.com/prometheus-alertmanager-fips + tag: 0.32.1 kube-state-metrics: image: - registry: quay.io - repository: rfcurated/kube-state-metrics - tag: 2.18.0-jammy-scratch-fips-rfcurated-rfhardened + registry: cgr.dev + repository: defenseunicorns.com/kube-state-metrics-fips + tag: 2.18.0 securityContext: enabled: true fsGroup: 65532 @@ -21,14 +21,14 @@ kube-state-metrics: prometheus: prometheusSpec: image: - registry: quay.io - repository: rfcurated/prometheus - tag: 3.11.3-jammy-fips-rfcurated-rfhardened + registry: cgr.dev + repository: defenseunicorns.com/prometheus-fips + tag: 3.11.3 prometheus-node-exporter: image: - registry: quay.io - repository: rfcurated/prometheus/node-exporter - tag: 1.11.1-jammy-scratch-fips-rfcurated + registry: cgr.dev + repository: defenseunicorns.com/prometheus-node-exporter-fips + tag: 1.11.1 distroless: false prometheusOperator: admissionWebhooks: 
@@ -39,19 +39,20 @@ prometheusOperator: patch: enabled: true image: - registry: quay.io - repository: rfcurated/ingress-nginx/kube-webhook-certgen - tag: 1.6.9-jammy-fips-rfcurated-rfhardened + registry: cgr.dev + repository: defenseunicorns.com/kube-webhook-certgen-fips + # Chainguard provides kube-webhook-certgen from their ingress-nginx package, which follows a different versioning scheme than upstream's ingress-nginx/kube-webhook-certgen + tag: 1.15.2 securityContext: runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 image: - registry: quay.io - repository: rfcurated/prometheus-operator - tag: 0.91.0-jammy-scratch-fips-rfcurated + registry: cgr.dev + repository: defenseunicorns.com/prometheus-operator-fips + tag: 0.91.0 prometheusConfigReloader: image: - registry: quay.io - repository: rfcurated/prometheus-operator/prometheus-config-reloader - tag: 0.91.0-jammy-scratch-fips-rfcurated + registry: cgr.dev + repository: defenseunicorns.com/prometheus-config-reloader-fips + tag: 0.91.0 diff --git a/src/prometheus-stack/zarf.yaml b/src/prometheus-stack/zarf.yaml index f586d4e943..0364128267 100644 --- a/src/prometheus-stack/zarf.yaml +++ b/src/prometheus-stack/zarf.yaml 
@@ -72,13 +72,13 @@ components: valuesFiles: - "values/unicorn/kube-prometheus-stack.yaml" images: - - "quay.io/rfcurated/prometheus/node-exporter:1.11.1-jammy-scratch-fips-rfcurated" - - "quay.io/rfcurated/prometheus-operator:0.91.0-jammy-scratch-fips-rfcurated" - - "quay.io/rfcurated/kube-state-metrics:2.18.0-jammy-scratch-fips-rfcurated-rfhardened" - - "quay.io/rfcurated/prometheus/alertmanager:0.32.1-jammy-fips-rfcurated-rfhardened" - - "quay.io/rfcurated/prometheus-operator/prometheus-config-reloader:0.91.0-jammy-scratch-fips-rfcurated" - - "quay.io/rfcurated/prometheus:3.11.3-jammy-fips-rfcurated-rfhardened" - - "quay.io/rfcurated/ingress-nginx/kube-webhook-certgen:1.6.9-jammy-fips-rfcurated-rfhardened" + - "cgr.dev/defenseunicorns.com/prometheus-node-exporter-fips:1.11.1" + - "cgr.dev/defenseunicorns.com/prometheus-operator-fips:0.91.0" + - "cgr.dev/defenseunicorns.com/kube-state-metrics-fips:2.18.0" + - "cgr.dev/defenseunicorns.com/prometheus-alertmanager-fips:0.32.1" + - "cgr.dev/defenseunicorns.com/prometheus-config-reloader-fips:0.91.0" + - "cgr.dev/defenseunicorns.com/prometheus-fips:3.11.3" + - "cgr.dev/defenseunicorns.com/kube-webhook-certgen-fips:1.15.2" # Chainguard provides kube-webhook-certgen from their ingress-nginx package, which follows a different versioning scheme than upstream's ingress-nginx/kube-webhook-certgen - name: prometheus-blackbox-exporter required: true @@ -122,5 +122,5 @@ components: valuesFiles: - "values/unicorn/blackbox-exporter.yaml" images: - - "quay.io/rfcurated/prometheus/blackbox-exporter:0.28.0-jammy-scratch-fips-rfcurated-rfhardened" - - "quay.io/rfcurated/prometheus-operator/prometheus-config-reloader:0.91.0-jammy-scratch-fips-rfcurated" + - "cgr.dev/defenseunicorns.com/prometheus-blackbox-exporter-fips:0.28.0" + - "cgr.dev/defenseunicorns.com/prometheus-config-reloader-fips:0.91.0" diff --git a/src/vector/values/unicorn-values.yaml b/src/vector/values/unicorn-values.yaml index e795afe4c1..23d9111720 100644 
--- a/src/vector/values/unicorn-values.yaml +++ b/src/vector/values/unicorn-values.yaml @@ -1,6 +1,6 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial image: - repository: quay.io/rfcurated/vector - tag: 0.55.0-jammy-fips-rfcurated-rfhardened + repository: cgr.dev/defenseunicorns.com/vector-fips + tag: 0.55.0 diff --git a/src/vector/zarf.yaml b/src/vector/zarf.yaml index 158f869baa..cafc131a23 100644 --- a/src/vector/zarf.yaml +++ b/src/vector/zarf.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial kind: ZarfPackageConfig @@ -52,4 +52,4 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - quay.io/rfcurated/vector:0.55.0-jammy-fips-rfcurated-rfhardened + - cgr.dev/defenseunicorns.com/vector-fips:0.55.0 diff --git a/src/velero/values/unicorn-values.yaml b/src/velero/values/unicorn-values.yaml index 72e258a7f7..178ad350d9 100644 --- a/src/velero/values/unicorn-values.yaml +++ b/src/velero/values/unicorn-values.yaml 
@@ -1,19 +1,19 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial image: - repository: quay.io/rfcurated/velero/velero - tag: 1.18.0-noble-scratch-fips-rfcurated + repository: cgr.dev/defenseunicorns.com/velero-fips + tag: 1.18.0 initContainers: - name: velero-plugin-for-aws - image: quay.io/rfcurated/velero/velero-plugin-for-aws:1.14.0-noble-scratch-fips-rfcurated + image: cgr.dev/defenseunicorns.com/velero-plugin-for-aws-fips:1.14.0 imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /target name: plugins - name: velero-plugin-for-azure - image: quay.io/rfcurated/velero/velero-plugin-for-microsoft-azure:1.14.0-noble-scratch-fips-rfcurated + image: cgr.dev/defenseunicorns.com/velero-plugin-for-microsoft-azure-fips:1.14.0 imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /target diff --git a/src/velero/zarf.yaml b/src/velero/zarf.yaml index ecf17b592b..6fdbb3af5f 100644 --- a/src/velero/zarf.yaml +++ b/src/velero/zarf.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial kind: ZarfPackageConfig @@ -51,6 +51,6 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - quay.io/rfcurated/velero/velero:1.18.0-noble-scratch-fips-rfcurated - - quay.io/rfcurated/velero/velero-plugin-for-aws:1.14.0-noble-scratch-fips-rfcurated - - quay.io/rfcurated/velero/velero-plugin-for-microsoft-azure:1.14.0-noble-scratch-fips-rfcurated + - cgr.dev/defenseunicorns.com/velero-fips:1.18.0 + - cgr.dev/defenseunicorns.com/velero-plugin-for-aws-fips:1.14.0 + - cgr.dev/defenseunicorns.com/velero-plugin-for-microsoft-azure-fips:1.14.0 diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 47a7141657..b176e3d7c7 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml 
@@ -126,7 +126,7 @@ tasks: # Download latest release bundle curl -sSL https://raw.githubusercontent.com/defenseunicorns/uds-core/v${LATEST_CORE_TAG}/bundles/k3d-standard/uds-bundle.yaml -o tmp/core-shim/uds-bundle.yaml - # Update the bundle with the latest version using yq + # Update the bundle: pin core to the latest release OCI ref ./uds zarf tools yq e -i " del(.packages[] | select(.name == \"core\").path) | .packages[] |= (select(.name == \"core\") |