From 81d185af5425f2246518227ee57d1871de6b0c7f Mon Sep 17 00:00:00 2001 
From: UnicornChance Date: Tue, 5 May 2026 14:43:08 -0700 Subject: [PATCH 1/9] chore(deps): migrate unicorn flavor images from RapidFort to Chainguard FIPS --- .github/actions/renovate-readiness/README.md | 4 +- .../actions/renovate-readiness/action.yaml | 14 +- .github/actions/setup/action.yaml | 20 +- .../test-infra/aws/rke2/scripts/user_data.sh | 13 +- .github/workflows/private-pki-test.yaml | 3 +- .github/workflows/publish.yaml | 6 +- .../workflows/pull-request-conditionals.yaml | 3 +- .github/workflows/test-aks.yaml | 3 +- .github/workflows/test-eks.yaml | 3 +- .github/workflows/test-k3d-ha.yaml | 3 +- .github/workflows/test-rke2.yaml | 3 +- .github/workflows/test.yaml | 5 +- docs/concepts/platform/flavors.mdx | 4 + docs/dev/unicorn-registry-auth.md | 39 ++++ .../production/prerequisites.mdx | 12 + scripts/check-multiarch.sh | 4 +- scripts/renovate/README.md | 2 +- .../renovate/compareImagesAndCharts.spec.ts | 216 +++++++++--------- scripts/renovate/compareImagesAndCharts.ts | 12 +- scripts/renovate/getImagesAndCharts.spec.ts | 33 ++- src/authservice/values/unicorn-values.yaml | 6 +- src/authservice/zarf.yaml | 4 +- src/falco/values/unicorn-values.yaml | 14 +- src/falco/zarf.yaml | 6 +- src/grafana/values/unicorn-values.yaml | 26 +-- src/grafana/zarf.yaml | 10 +- src/istio/values/unicorn/cni.yaml | 4 +- src/istio/values/unicorn/istiod.yaml | 12 +- src/istio/values/unicorn/ztunnel.yaml | 4 +- src/istio/zarf.yaml | 8 +- .../configmap-fips-jce-security.yaml | 15 ++ src/keycloak/chart/templates/statefulset.yaml | 25 +- .../tests/kc_fips_jce_security_test.yaml | 100 ++++++++ .../tests/kc_rfcurated_java_opts_test.yaml | 47 ---- src/keycloak/chart/values.schema.json | 5 + src/keycloak/chart/values.yaml | 7 + src/keycloak/values/unicorn-values.yaml | 7 +- src/keycloak/zarf.yaml | 4 +- src/loki/values/unicorn-values.yaml | 25 +- src/loki/zarf.yaml | 12 +- src/metrics-server/values/unicorn-values.yaml | 6 +- src/metrics-server/zarf.yaml | 4 +- 
src/pepr/policies/common.spec.ts | 10 +- src/pepr/policies/common.ts | 6 +- .../values/unicorn/blackbox-exporter.yaml | 13 +- .../values/unicorn/kube-prometheus-stack.yaml | 47 ++-- src/prometheus-stack/zarf.yaml | 18 +- src/vector/values/unicorn-values.yaml | 6 +- src/vector/zarf.yaml | 4 +- src/velero/values/unicorn-values.yaml | 10 +- src/velero/zarf.yaml | 8 +- 51 files changed, 514 insertions(+), 361 deletions(-) create mode 100644 docs/dev/unicorn-registry-auth.md create mode 100644 src/keycloak/chart/templates/configmap-fips-jce-security.yaml create mode 100644 src/keycloak/chart/tests/kc_fips_jce_security_test.yaml delete mode 100644 src/keycloak/chart/tests/kc_rfcurated_java_opts_test.yaml diff --git a/.github/actions/renovate-readiness/README.md b/.github/actions/renovate-readiness/README.md index c4ea90fb4a..13566e02e2 100644 --- a/.github/actions/renovate-readiness/README.md +++ b/.github/actions/renovate-readiness/README.md @@ -23,7 +23,7 @@ The action performs the following steps: The action applies specific labels based on which versions are out of sync: - `waiting on upstream`: If package.json version is behind both/either image versions (indicates a Pepr release issue) - `waiting on ironbank`: If Ironbank image is behind package.json - - `waiting on unicorn`: If Unicorn image is behind package.json + - `waiting on chainguard`: If Chainguard image is behind package.json - Multiple `waiting on` labels can be applied if multiple images are behind - **Support Dependencies**: For support dependency updates, the action adds the `needs-review` label and sets `should_process` to `false` to prevent excessive IAC runs. 
@@ -33,7 +33,7 @@ The action performs the following steps: - It compares the extracted data using the `compareImagesAndCharts.ts` script. - Based on the comparison, it applies appropriate labels to the PR: - `waiting on ironbank`: If a registry1 image is behind - - `waiting on rapidfort`: If a rapidfort image is behind + - `waiting on chainguard`: If a Chainguard image is behind - `helm-chart-only`: If a PR only contains a helm chart update - `needs-review`: If PR is NOT waiting on image updates - `major-helm-update`: If the PR contains a major chart version bump diff --git a/.github/actions/renovate-readiness/action.yaml b/.github/actions/renovate-readiness/action.yaml index 503e9aceda..f80d40e7e0 100644 --- a/.github/actions/renovate-readiness/action.yaml +++ b/.github/actions/renovate-readiness/action.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial name: renovate-readiness @@ -120,7 +120,7 @@ runs: echo "Upstream package.json is behind image versions - possible Pepr release issue" gh pr edit ${{ github.event.pull_request.number }} --add-label "waiting on upstream" gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on ironbank" || true - gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on unicorn" || true + gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on chainguard" || true else gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on upstream" || true 
@@ -131,9 +131,9 @@ runs: fi if [[ "$UNICORN_MISMATCH" == "true" ]]; then - gh pr edit ${{ github.event.pull_request.number }} --add-label "waiting on unicorn" + gh pr edit ${{ github.event.pull_request.number }} --add-label "waiting on chainguard" else - gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on unicorn" || true + gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on chainguard" || true fi fi @@ -142,7 +142,7 @@ runs: echo "All Pepr versions are in sync. Ready for review." gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on upstream" || true gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on ironbank" || true - gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on unicorn" || true + gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on chainguard" || true gh pr edit ${{ github.event.pull_request.number }} --add-label "needs-review" fi @@ -229,7 +229,7 @@ runs: echo "labels=$LABELS" >> $GITHUB_OUTPUT # Check if waiting on labels are present, or this is a helm chart update only - if [[ "$LABELS" == *"waiting on ironbank"* ]] || [[ "$LABELS" == *"waiting on rapidfort"* ]] || [[ "$LABELS" == *"helm-chart-only"* ]]; then + if [[ "$LABELS" == *"waiting on ironbank"* ]] || [[ "$LABELS" == *"waiting on chainguard"* ]] || [[ "$LABELS" == *"helm-chart-only"* ]]; then echo "waiting=true" >> $GITHUB_OUTPUT else echo "waiting=false" >> $GITHUB_OUTPUT 
@@ -251,7 +251,7 @@ runs: echo "Current labels: $CURRENT_LABELS" # Define the managed labels we care about - MANAGED_LABELS=("waiting on upstream" "waiting on ironbank" "waiting on unicorn" "waiting on rapidfort" "needs-review" "helm-chart-only" "major-helm-update" "major-image-update") + MANAGED_LABELS=("waiting on upstream" "waiting on ironbank" "waiting on chainguard" "needs-review" "helm-chart-only" "major-helm-update" "major-image-update") # Remove labels that are currently on the PR but not in the new set for LABEL in "${MANAGED_LABELS[@]}"; do diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index b1674a64eb..08888a0e48 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml @@ -17,12 +17,8 @@ inputs: description: "IRON_BANK_ROBOT_PASSWORD" required: false default: '' - rapidfortUsername: - description: "RAPIDFORT_USERNAME" - required: false - default: '' - rapidfortPassword: - description: "RAPIDFORT_PASSWORD" + chainguardIdentity: + description: "ID for Chainguard Identity" required: false default: '' installUv: @@ -69,10 +65,8 @@ runs: echo "MARU_AUTH=\"{\"raw.githubusercontent.com\": \"${{ inputs.ghToken }}\"}\"" >> "$GITHUB_ENV" shell: bash - - name: Rapidfort Login - if: ${{ inputs.rapidfortUsername != '' && inputs.rapidfortPassword != '' }} - shell: bash - env: - RAPIDFORT_USERNAME: ${{ inputs.rapidfortUsername }} - RAPIDFORT_PASSWORD: ${{ inputs.rapidfortPassword }} - run: echo "${{ env.RAPIDFORT_PASSWORD }}" | uds zarf tools registry login -u "${{ env.RAPIDFORT_USERNAME }}" --password-stdin quay.io + - name: Chainguard Login + if: ${{ inputs.chainguardIdentity != '' }} + uses: chainguard-dev/setup-chainctl@2cddd35a2f120d9973e58094dc6878c93cf58c28 # v0.5.1 + with: + identity: ${{ inputs.chainguardIdentity }} diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index 14a9b806df..c22620db62 100644 
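Review bot: Dropping `waiting on unicorn` and `waiting on rapidfort` from `MANAGED_LABELS` means the cleanup loop introduced on the next line (`for LABEL in "${MANAGED_LABELS[@]}"`) can no longer strip those legacy labels from PRs that already carry them, so an open renovate PR may keep a stale `waiting on rapidfort` next to the new `waiting on chainguard`. Keeping the retired names in the array for one release cycle, e.g. `MANAGED_LABELS=("waiting on upstream" "waiting on ironbank" "waiting on chainguard" "waiting on unicorn" "waiting on rapidfort" "needs-review" "helm-chart-only" "major-helm-update" "major-image-update")`, lets the existing loop do the removal; a one-off label cleanup would work as well. The loop body runs past the end of the hunk, so its exact removal semantics are inferred from the comment on the line above it.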
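Review bot: The new `Chainguard Login` step has `chainguard-dev/setup-chainctl` assume `inputs.chainguardIdentity`, which as far as I know is done with the runner's GitHub OIDC token and therefore only succeeds when the calling job grants `id-token: write`; none of the workflow hunks in this patch (private-pki-test, publish, pull-request-conditionals, test-aks, test-eks, test-k3d-ha, test-rke2, test) touch a `permissions:` block, so either the callers already have it outside these hunks or the login will fail at runtime. A comment on the step would make the contract visible, e.g. `# Requires the calling job to grant permissions: id-token: write (OIDC assume of the Chainguard identity)`. The removed step also did an explicit `registry login`; please confirm that setup-chainctl installs the Docker credential helper for `cgr.dev` on its own, otherwise a `chainctl auth configure-docker` step is needed before Zarf pulls the unicorn images.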
--- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial info() { @@ -63,6 +63,17 @@ rm -rf ./yq pre_userdata +# Allow CNI plugins and their bundled libraries to be opened/executed by fapolicyd. +# fapolicyd starts before cloud-init runs this script, so we must recompile rules and restart. +# Guard: fapolicyd is RHEL-specific; skip on distros where it is absent or disabled. +if command -v fagenrules >/dev/null 2>&1; then + mkdir -p /etc/fapolicyd/rules.d + cat > /etc/fapolicyd/rules.d/20-cni-allow.rules << 'EOF' +allow perm=any all : dir=/opt/cni/bin/ +EOF + fagenrules && systemctl restart fapolicyd +fi + # If no bootstrap IP is provided then start RKE2 as single node/bootstrap if [[ "${BOOTSTRAP_IP}" == "" ]]; then bootstrap_ip=$(ip route get $(ip route show 0.0.0.0/0 | grep -oP 'via \K\S+') | grep -oP 'src \K\S+') diff --git a/.github/workflows/private-pki-test.yaml b/.github/workflows/private-pki-test.yaml index 1328b8ea80..ff329ec27c 100644 --- a/.github/workflows/private-pki-test.yaml +++ b/.github/workflows/private-pki-test.yaml @@ -52,8 +52,7 @@ jobs: ghToken: ${{ secrets.GITHUB_TOKEN }} registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }} registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }} - rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }} - rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }} + chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }} installK3d: 'true' - name: Run UDS Core Private PKI Test 
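Review bot: The guard on the new fapolicyd block only checks that `fagenrules` exists, while its comment promises to skip when fapolicyd is "absent or disabled"; on a host where the package is installed but the service is disabled, `systemctl restart fapolicyd` will start it, which changes the node's enforcement state rather than leaving it alone. Gate on the service state too: `if command -v fagenrules >/dev/null 2>&1 && systemctl is-active --quiet fapolicyd; then`. The rule `allow perm=any all : dir=/opt/cni/bin/` is also wider than the need described in this patch's docs (the FIPS CNI image writing `libcrypto.so.3` under `/opt/cni/bin/.cgr/`); consider narrowing the permission and subject where the target release's rule grammar allows it, and record in the script comment why a directory-wide allow was chosen. The surrounding `pre_userdata` flow continues outside the hunk.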
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index e7a33e0c9d..256232a21c 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -41,8 +41,7 @@ jobs: ghToken: ${{ secrets.GITHUB_TOKEN }} registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }} registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }} - rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }} - rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }} + chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }} installK3d: 'true' - name: (Snapshot) Get snapshot version using git commit short sha and date @@ -123,8 +122,7 @@ jobs: ghToken: ${{ secrets.GITHUB_TOKEN }} registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }} registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }} - rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }} - rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }} + chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }} installK3d: 'true' - name: Test and Publish Core Package Layer diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index b565c13a4b..df3eafc8b5 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml 
@@ -146,8 +146,7 @@ jobs: ghToken: ${{ secrets.GITHUB_TOKEN }} registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} - rapidfortUsername: ${{ secrets.RAPIDFORT_USERNAME }} - rapidfortPassword: ${{ secrets.RAPIDFORT_PASSWORD }} + chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} - name: Check multi-arch images uses: ./.github/actions/check-multiarch diff --git a/.github/workflows/test-aks.yaml b/.github/workflows/test-aks.yaml index f66c001bc8..96f6f35c66 100644 --- a/.github/workflows/test-aks.yaml +++ b/.github/workflows/test-aks.yaml @@ -69,8 +69,7 @@ jobs: ghToken: ${{ secrets.GITHUB_TOKEN }} registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }} registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }} - rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }} - rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }} + chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }} - name: Setup Tofu uses: opentofu/setup-opentofu@fc711fa910b93cba0f3fbecaafc9f42fd0c411cb # v2.0.0 diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index a369db4ce2..57f05b0004 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
@@ -66,8 +66,7 @@ jobs: ghToken: ${{ secrets.GITHUB_TOKEN }} registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }} registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }} - rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }} - rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }} + chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }} - name: Setup Tofu uses: opentofu/setup-opentofu@fc711fa910b93cba0f3fbecaafc9f42fd0c411cb # v2.0.0 diff --git a/.github/workflows/test-k3d-ha.yaml b/.github/workflows/test-k3d-ha.yaml index 483b315098..15a3144012 100644 --- a/.github/workflows/test-k3d-ha.yaml +++ b/.github/workflows/test-k3d-ha.yaml @@ -52,8 +52,7 @@ jobs: ghToken: ${{ secrets.GITHUB_TOKEN }} registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }} registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }} - rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }} - rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }} + chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }} installK3d: 'true' - name: Run UDS Core Install HA Test diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml index 061de0b8e7..0fef4e68ff 100644 --- a/.github/workflows/test-rke2.yaml +++ b/.github/workflows/test-rke2.yaml 
@@ -70,8 +70,7 @@ jobs: ghToken: ${{ secrets.GITHUB_TOKEN }} registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }} registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }} - rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }} - rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }} + chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }} - name: Setup Tofu uses: opentofu/setup-opentofu@fc711fa910b93cba0f3fbecaafc9f42fd0c411cb # v2.0.0 diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index a7c4176e5e..a87a802a05 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -44,7 +44,7 @@ jobs: test: # Use the 8 core runner for full-core or 4 core runner (with larger disk) for func layers tests runs-on: "${{ inputs.package == 'all' && 'uds-ubuntu-big-boy-8-core' || 'uds-ubuntu-big-boy-4-core'}}" - # Increase the timeout for longer upgrades - temporarily increased to 60 for longer upgrade from cgr -> rf + # Increase the timeout for longer upgrades timeout-minutes: ${{ inputs.test_type == 'upgrade' && 60 || 30 }} name: Test env: @@ -60,8 +60,7 @@ jobs: ghToken: ${{ secrets.GITHUB_TOKEN }} registry1Username: ${{ (inputs.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }} registry1Password: ${{ (inputs.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }} - rapidfortUsername: ${{ (inputs.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }} - rapidfortPassword: ${{ (inputs.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }} + chainguardIdentity: ${{ (inputs.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }} installK3d: 'true' - name: Test a single layer package diff --git a/docs/concepts/platform/flavors.mdx b/docs/concepts/platform/flavors.mdx index ea21986581..132928746a 100644 
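Review bot: The rewritten comment above `timeout-minutes` drops the reason the upgrade budget was raised to 60 ("temporarily increased ... cgr -> rf") while the value stays at 60, so the temporary bump becomes permanent with no record of why. If 60 minutes is now the intended steady-state budget, say so on the line; if it is still temporary for the reverse rf -> cgr migration this patch performs, keep a marker such as `# Increase the timeout for longer upgrades - 60 while the rf -> cgr image migration is in flight; revisit after release`.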
--- a/docs/concepts/platform/flavors.mdx +++ b/docs/concepts/platform/flavors.mdx @@ -24,6 +24,10 @@ UDS Core is published in multiple **flavors**. A flavor determines the container > [!TIP] > **Compare CVE counts:** You can view current CVE counts for the `upstream` and `registry1` flavors on the [UDS Registry Core Package](https://registry.defenseunicorns.com/repo/public/core/versions). The `unicorn` flavor undergoes additional patching and curation by Defense Unicorns, resulting in significantly fewer CVEs. [Contact Defense Unicorns](https://www.defenseunicorns.com/contact) to learn more. +## Authenticating with the unicorn registry + +The `unicorn` flavor container images are hosted on `cgr.dev/defenseunicorns.com`. Pulling these images locally requires authentication via `chainctl`, the Chainguard CLI, configured as a Docker credential helper. See [Unicorn registry authentication](/dev/unicorn-registry-auth/) for setup instructions. + ## Flavors and bundles You select a flavor when building a UDS Bundle. All Core packages within a bundle should use the **same flavor** to ensure image consistency. diff --git a/docs/dev/unicorn-registry-auth.md b/docs/dev/unicorn-registry-auth.md new file mode 100644 index 0000000000..eb64a93311 --- /dev/null +++ b/docs/dev/unicorn-registry-auth.md 
@@ -0,0 +1,39 @@ +# Unicorn registry authentication + +The `unicorn` flavor images are hosted on `cgr.dev/defenseunicorns.com`, a private Chainguard organization. Working with the unicorn flavor locally requires authentication to pull images from this registry. + +Use `chainctl` as a Docker credential helper. This approach exchanges short-lived OIDC tokens at pull time and requires no stored credentials. Do not create a static pull token for local development: tokens expire, require manual rotation, and expand your credential surface. + +## Prerequisites + +You must have `chainctl` installed and be a member of the `defenseunicorns.com` Chainguard organization. Install `chainctl` using the method appropriate for your OS from the [Chainguard documentation](https://edu.chainguard.dev/chainguard/administration/iam-organizations/how-to-install-chainctl/). Then log in: + +```bash +chainctl auth login +``` + +## Configure the credential helper + +Register `chainctl` as the credential helper for `cgr.dev`: + +```bash +chainctl auth configure-docker +``` + +This adds a `cgr.dev` entry to your `~/.docker/config.json` credential helper map. Any Docker-compatible tool that reads this config (Docker, Zarf, `crane`, `uds`) will automatically call `chainctl` for authentication when accessing `cgr.dev`. + +Verify access by pulling a unicorn image: + +```bash +docker pull cgr.dev/defenseunicorns.com/keycloak-fips:26.6.1 +``` + +## How it works + +When a tool needs credentials for `cgr.dev`, Docker calls `chainctl` as a subprocess to get a short-lived token backed by your SSO session. No password is stored. Your access is determined by your Chainguard organization membership, not by a credential you manage. + +## Troubleshooting + +**`unauthorized` or `403` error when pulling:** Run `chainctl auth login` to refresh your session, then retry. + +**`chainctl: command not found`:** Install `chainctl` and ensure it is on your `PATH`. 
diff --git a/docs/getting-started/production/prerequisites.mdx b/docs/getting-started/production/prerequisites.mdx index 3b63935f06..e43874b974 100644 --- a/docs/getting-started/production/prerequisites.mdx +++ b/docs/getting-started/production/prerequisites.mdx @@ -101,6 +101,18 @@ done See [Istio's platform requirements](https://istio.io/latest/docs/ops/deployment/platform-requirements/) for the full upstream list. +> [!NOTE] +> **Unicorn flavor on RHEL 9 with fapolicyd:** The unicorn flavor uses FIPS-compliant CNI images that write `libcrypto.so.3` into `/opt/cni/bin/.cgr/` at runtime. If fapolicyd is running in enforcing mode, it will block access to this file because it is not RPM-managed, preventing istio-cni from starting. Add the following rule to allow access, then recompile and restart fapolicyd: +> +> ```bash +> mkdir -p /etc/fapolicyd/rules.d +> cat > /etc/fapolicyd/rules.d/20-cni-allow.rules << 'EOF' +> allow perm=any all : dir=/opt/cni/bin/ +> EOF +> fagenrules +> systemctl restart fapolicyd +> ``` + ## Falco requirements UDS Core uses [Falco](https://falco.org/)'s [Modern eBPF Probe](https://falco.org/docs/concepts/event-sources/kernel/#modern-ebpf-probe), which has the following requirements: diff --git a/scripts/check-multiarch.sh b/scripts/check-multiarch.sh index ab59ccad53..7fdb94d019 100755 --- a/scripts/check-multiarch.sh +++ b/scripts/check-multiarch.sh 
@@ -38,8 +38,8 @@ trap "rm -f $TEMP_IMAGES $TEMP_MISSING" EXIT echo "Scanning $SRC_DIR for unicorn and registry1 images..." -# Extract all quay.io/rfcurated/ (unicorn) and registry1.dso.mil/ironbank/ (registry1) images -find "$SRC_DIR" -name "zarf.yaml" -type f -exec grep -hE "quay.io/rfcurated/|registry1.dso.mil/ironbank/" {} \; | \ +# Extract all cgr.dev/defenseunicorns.com/ (unicorn) and registry1.dso.mil/ironbank/ (registry1) images +find "$SRC_DIR" -name "zarf.yaml" -type f -exec grep -hE "cgr.dev/defenseunicorns.com/|registry1.dso.mil/ironbank/" {} \; | \ sed 's/^[[:space:]]*-[[:space:]]*//' | \ sed 's/"//g' | \ sort -u > "$TEMP_IMAGES" diff --git a/scripts/renovate/README.md b/scripts/renovate/README.md index da1a1bb7ff..932b367bb6 100644 --- a/scripts/renovate/README.md +++ b/scripts/renovate/README.md @@ -44,7 +44,7 @@ This script will: The scripts can apply the following labels to PRs: - `waiting on ironbank`: If a registry1 image is behind -- `waiting on rapidfort`: If a rapidfort image is behind +- `waiting on chainguard`: If a Chainguard image is behind - `helm-chart-only`: If a PR only contains a helm chart update - `needs-review`: If PR is NOT waiting on image updates - `major-helm-update`: If the PR contains a major chart version bump diff --git a/scripts/renovate/compareImagesAndCharts.spec.ts b/scripts/renovate/compareImagesAndCharts.spec.ts index 98353135d2..0cc03dca2c 100644 --- a/scripts/renovate/compareImagesAndCharts.spec.ts +++ b/scripts/renovate/compareImagesAndCharts.spec.ts @@ -1,5 +1,5 @@ /** - * Copyright 2025 Defense Unicorns + * Copyright 2025-2026 Defense Unicorns * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial */ 
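Review bot: The updated `grep -hE` pattern keeps the registry hosts as unescaped regexes, so each `.` matches any character; for a curated set of `zarf.yaml` files this is mostly harmless, but a similarly named host would be silently included in the multi-arch check. Escape the dots: `grep -hE "cgr\.dev/defenseunicorns\.com/|registry1\.dso\.mil/ironbank/"`. The same unescaped form existed before this change, so this is a follow-up rather than a regression introduced here.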
@@ -73,12 +73,12 @@ describe("compareImagesAndCharts", () => { "1.21.6": [ "docker.io/library/nginx:1.21.6", "registry1.dso.mil/ironbank/nginx:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", ], "8.12.1": [ "docker.io/curlimages/curl:8.12.1", "registry1.dso.mil/ironbank/curl:8.12.1", - "quay.io/rfcurated/curl:8.12.1-jammy-scratch-fips-rfcurated", + "cgr.dev/defenseunicorns.com/curl-fips:8.12.1", ], }; } @@ -87,12 +87,12 @@ describe("compareImagesAndCharts", () => { "1.25.3": [ "docker.io/library/nginx:1.25.3", "registry1.dso.mil/ironbank/nginx:1.25.3", - "quay.io/rfcurated/nginx:1.25.3-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.25.3", ], "8.12.1": [ "docker.io/curlimages/curl:8.12.1", "registry1.dso.mil/ironbank/curl:8.12.1", - "quay.io/rfcurated/curl:8.12.1-jammy-scratch-fips-rfcurated", + "cgr.dev/defenseunicorns.com/curl-fips:8.12.1", ], }; } @@ -145,12 +145,12 @@ describe("compareImagesAndCharts", () => { "1.21.6": [ "docker.io/library/nginx:1.21.6", "registry1.dso.mil/ironbank/nginx:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", ], "8.12.1": [ "docker.io/curlimages/curl:8.12.1", "registry1.dso.mil/ironbank/curl:8.12.1", - "quay.io/rfcurated/curl:8.12.1-jammy-scratch-fips-rfcurated", + "cgr.dev/defenseunicorns.com/curl-fips:8.12.1", ], }; } @@ -159,12 +159,12 @@ describe("compareImagesAndCharts", () => { "2.0.0": [ "docker.io/library/nginx:2.0.0", "registry1.dso.mil/ironbank/nginx:2.0.0", - "quay.io/rfcurated/nginx:2.0.0-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:2.0.0", ], "8.12.1": [ "docker.io/curlimages/curl:8.12.1", "registry1.dso.mil/ironbank/curl:8.12.1", - "quay.io/rfcurated/curl:8.12.1-jammy-scratch-fips-rfcurated", + "cgr.dev/defenseunicorns.com/curl-fips:8.12.1", ], }; } 
@@ -217,7 +217,7 @@ describe("compareImagesAndCharts", () => { "1.21.6": [ "docker.io/library/nginx:1.21.6", "registry1.dso.mil/ironbank/nginx:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", ], }; } @@ -226,7 +226,7 @@ describe("compareImagesAndCharts", () => { "1.21.6": [ "docker.io/library/nginx:1.21.6", "registry1.dso.mil/ironbank/nginx:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", ], }; } @@ -280,7 +280,7 @@ describe("compareImagesAndCharts", () => { "1.21.6": [ "docker.io/library/nginx:1.21.6", "registry1.dso.mil/ironbank/nginx:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", ], }; } @@ -289,7 +289,7 @@ describe("compareImagesAndCharts", () => { "1.21.6": [ "docker.io/library/nginx:1.21.6", "registry1.dso.mil/ironbank/nginx:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", ], }; } @@ -342,7 +342,7 @@ describe("compareImagesAndCharts", () => { "1.21.6": [ "docker.io/library/nginx:1.21.6", "registry1.dso.mil/ironbank/nginx:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", ], }; } @@ -350,7 +350,7 @@ describe("compareImagesAndCharts", () => { return { "1.25.3": [ "docker.io/library/nginx:1.25.3", - "quay.io/rfcurated/nginx:1.25.3-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.25.3", ], "1.22.6": ["registry1.dso.mil/ironbank/nginx:1.22.6"], }; 
@@ -406,8 +406,8 @@ describe("compareImagesAndCharts", () => { "docker.io/library/curl:1.25.3", "registry1.dso.mil/ironbank/nginx:1.21.6", "registry1.dso.mil/ironbank/curl:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", - "quay.io/rfcurated/curl:1.21.6-jammy-scratch-fips-rfcurated", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", + "cgr.dev/defenseunicorns.com/curl-fips:1.21.6", ], }; } @@ -417,8 +417,8 @@ describe("compareImagesAndCharts", () => { "1.21.6": [ "registry1.dso.mil/ironbank/nginx:1.21.6", "registry1.dso.mil/ironbank/curl:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", - "quay.io/rfcurated/curl:1.21.6-jammy-scratch-fips-rfcurated", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", + "cgr.dev/defenseunicorns.com/curl-fips:1.21.6", ], }; } @@ -428,7 +428,7 @@ describe("compareImagesAndCharts", () => { const result = await compareImagesAndCharts("old", "new"); expect(result.labels).toContain("waiting on ironbank"); - expect(result.labels).toContain("waiting on rapidfort"); + expect(result.labels).toContain("waiting on chainguard"); // Check for multiple Ironbank messages expect(result.changes).toContain( 
@@ -438,16 +438,16 @@ describe("compareImagesAndCharts", () => { "Waiting on Ironbank to update registry1.dso.mil/ironbank/curl to version 1.25.3", ); - // Check for multiple Rapidfort messages + // Check for multiple Chainguard messages expect(result.changes).toContain( - "Waiting on Rapidfort to update quay.io/rfcurated/nginx to version 1.25.3", + "Waiting on Chainguard to update cgr.dev/defenseunicorns.com/nginx-fips to version 1.25.3", ); expect(result.changes).toContain( - "Waiting on Rapidfort to update quay.io/rfcurated/curl to version 1.25.3", + "Waiting on Chainguard to update cgr.dev/defenseunicorns.com/curl-fips to version 1.25.3", ); }); - it("should detect waiting on rapidfort", async () => { + it("should detect waiting on chainguard", async () => { // Mock fs.readFileSync to return different content based on the file path (fs.readFileSync as Mock).mockImplementation(filePath => { if (filePath === "old/charts.yaml") { @@ -485,14 +485,14 @@ describe("compareImagesAndCharts", () => { "1.21.6": [ "docker.io/library/nginx:1.21.6", "registry1.dso.mil/ironbank/nginx:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", ], }; } if (content === "images-new") { return { "1.25.3": ["docker.io/library/nginx:1.25.3", "registry1.dso.mil/ironbank/nginx:1.25.3"], - "1.21.6": ["quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened"], + "1.21.6": ["cgr.dev/defenseunicorns.com/nginx-fips:1.21.6"], }; } return {}; @@ -500,9 +500,9 @@ describe("compareImagesAndCharts", () => { const result = await compareImagesAndCharts("old", "new"); - expect(result.labels).toEqual(["waiting on rapidfort"]); + expect(result.labels).toEqual(["waiting on chainguard"]); expect(result.changes).toContain( - "Waiting on Rapidfort to update quay.io/rfcurated/nginx to version 1.25.3", + "Waiting on Chainguard to update cgr.dev/defenseunicorns.com/nginx-fips to version 1.25.3", ); }); 
@@ -544,12 +544,12 @@ describe("compareImagesAndCharts", () => { "1.21.6": [ "docker.io/library/nginx:1.21.6", "registry1.dso.mil/ironbank/nginx:1.21.6", - "quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.21.6", ], "8.12.1": [ "docker.io/curlimages/curl:8.12.1", "registry1.dso.mil/ironbank/curl:8.12.1", - "quay.io/rfcurated/curl:8.12.1-jammy-scratch-fips-rfcurated", + "cgr.dev/defenseunicorns.com/curl-fips:8.12.1", ], }; } @@ -557,11 +557,11 @@ describe("compareImagesAndCharts", () => { return { "1.25.3": ["docker.io/library/nginx:1.25.3"], "1.22.6": ["registry1.dso.mil/ironbank/nginx:1.22.6"], - "1.21.6": ["quay.io/rfcurated/nginx:1.21.6-slim-jammy-fips-rfcurated-rfhardened"], + "1.21.6": ["cgr.dev/defenseunicorns.com/nginx-fips:1.21.6"], "8.12.1": [ "docker.io/curlimages/curl:8.12.1", "registry1.dso.mil/ironbank/curl:8.12.1", - "quay.io/rfcurated/curl:8.12.1-jammy-scratch-fips-rfcurated", + "cgr.dev/defenseunicorns.com/curl-fips:8.12.1", ], }; } @@ -570,12 +570,12 @@ describe("compareImagesAndCharts", () => { const result = await compareImagesAndCharts("old", "new"); - expect(result.labels).toEqual(["waiting on ironbank", "waiting on rapidfort"]); + expect(result.labels).toEqual(["waiting on ironbank", "waiting on chainguard"]); expect(result.changes).toContain( "Waiting on Ironbank to update registry1.dso.mil/ironbank/nginx to version 1.25.3", ); expect(result.changes).toContain( - "Waiting on Rapidfort to update quay.io/rfcurated/nginx to version 1.25.3", + "Waiting on Chainguard to update cgr.dev/defenseunicorns.com/nginx-fips to version 1.25.3", ); }); 
@@ -895,82 +895,82 @@ describe("compareImagesAndCharts", () => { expect(result.changes).toContain("Major helm chart update detected for grafana"); expect(result.changes).toContain("PR contains only helm chart updates"); }); -}); -it("should detect wait for loki (regression test)", async () => { - // Mock fs.readFileSync to return different content based on the file path - (fs.readFileSync as Mock).mockImplementation(filePath => { - if (filePath === "old/charts.yaml") { - return "charts-old"; - } - if (filePath === "new/charts.yaml") { - return "charts-new"; - } - if (filePath === "old/images.yaml") { - return "images-old"; - } - if (filePath === "new/images.yaml") { - return "images-new"; - } - return ""; - }); + it("should detect wait for loki (regression test)", async () => { + // Mock fs.readFileSync to return different content based on the file path + (fs.readFileSync as Mock).mockImplementation(filePath => { + if (filePath === "old/charts.yaml") { + return "charts-old"; + } + if (filePath === "new/charts.yaml") { + return "charts-new"; + } + if (filePath === "old/images.yaml") { + return "images-old"; + } + if (filePath === "new/images.yaml") { + return "images-new"; + } + return ""; + }); - // Mock fs.existsSync to return true for all files - (fs.existsSync as Mock).mockReturnValue(true); - - // Mock yaml.parse to return different content based on the input - (yaml.parse as Mock).mockImplementation(content => { - if (content === "charts-old") { - return { - "https://grafana.github.io/helm-charts/loki": "6.29.0", - }; - } - if (content === "charts-new") { - return { - "https://grafana.github.io/helm-charts/loki": "6.29.0", - }; - } - if (content === "images-old") { - return { - "3.4.3": [ - "docker.io/grafana/loki:3.4.3", - "registry1.dso.mil/ironbank/opensource/grafana/loki:3.4.3", - "quay.io/rfcurated/grafana/loki:3.4.3-jammy-fips-rfcurated-rfhardened", - ], - "1.6.38": [ - "docker.io/memcached:1.6.38-alpine", - 
"registry1.dso.mil/ironbank/opensource/memcached/memcached:1.6.38", - "quay.io/rfcurated/memcached:1.6.38-jammy-fips-rfcurated-rfhardened", - ], - "1.27": ["docker.io/nginxinc/nginx-unprivileged:1.27-alpine"], - "1.26.3": ["registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.26.3"], - "1.27.5": ["quay.io/rfcurated/nginx:1.27.5-slim-jammy-fips-rfcurated-rfhardened"], - }; - } - if (content === "images-new") { - return { - "1.27": ["docker.io/nginxinc/nginx-unprivileged:1.27-alpine"], - "3.4.3": ["quay.io/rfcurated/grafana/loki:3.4.3-jammy-fips-rfcurated-rfhardened"], - "1.6.38": [ - "docker.io/memcached:1.6.38-alpine", - "registry1.dso.mil/ironbank/opensource/memcached/memcached:1.6.38", - "quay.io/rfcurated/memcached:1.6.38-jammy-fips-rfcurated-rfhardened", - ], - "1.26.3": ["registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.26.3"], - "1.27.5": ["quay.io/rfcurated/nginx:1.27.5-slim-jammy-fips-rfcurated-rfhardened"], - "3.5.0": [ - "docker.io/grafana/loki:3.5.0", - "registry1.dso.mil/ironbank/opensource/grafana/loki:3.5.0", - ], - }; - } - return {}; - }); + // Mock fs.existsSync to return true for all files + (fs.existsSync as Mock).mockReturnValue(true); + + // Mock yaml.parse to return different content based on the input + (yaml.parse as Mock).mockImplementation(content => { + if (content === "charts-old") { + return { + "https://grafana.github.io/helm-charts/loki": "6.29.0", + }; + } + if (content === "charts-new") { + return { + "https://grafana.github.io/helm-charts/loki": "6.29.0", + }; + } + if (content === "images-old") { + return { + "3.4.3": [ + "docker.io/grafana/loki:3.4.3", + "registry1.dso.mil/ironbank/opensource/grafana/loki:3.4.3", + "cgr.dev/defenseunicorns.com/loki-fips:3.4.3", + ], + "1.6.38": [ + "docker.io/memcached:1.6.38-alpine", + "registry1.dso.mil/ironbank/opensource/memcached/memcached:1.6.38", + "cgr.dev/defenseunicorns.com/memcached-fips:1.6.38", + ], + "1.27": ["docker.io/nginxinc/nginx-unprivileged:1.27-alpine"], + 
"1.26.3": ["registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.26.3"], + "1.27.5": ["cgr.dev/defenseunicorns.com/nginx-fips:1.27.5"], + }; + } + if (content === "images-new") { + return { + "1.27": ["docker.io/nginxinc/nginx-unprivileged:1.27-alpine"], + "3.4.3": ["cgr.dev/defenseunicorns.com/loki-fips:3.4.3"], + "1.6.38": [ + "docker.io/memcached:1.6.38-alpine", + "registry1.dso.mil/ironbank/opensource/memcached/memcached:1.6.38", + "cgr.dev/defenseunicorns.com/memcached-fips:1.6.38", + ], + "1.26.3": ["registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.26.3"], + "1.27.5": ["cgr.dev/defenseunicorns.com/nginx-fips:1.27.5"], + "3.5.0": [ + "docker.io/grafana/loki:3.5.0", + "registry1.dso.mil/ironbank/opensource/grafana/loki:3.5.0", + ], + }; + } + return {}; + }); - const result = await compareImagesAndCharts("old", "new"); + const result = await compareImagesAndCharts("old", "new"); - expect(result.labels).toEqual(["waiting on rapidfort"]); - expect(result.changes).toContain( - "Waiting on Rapidfort to update quay.io/rfcurated/grafana/loki to version 3.5.0", - ); + expect(result.labels).toEqual(["waiting on chainguard"]); + expect(result.changes).toContain( + "Waiting on Chainguard to update cgr.dev/defenseunicorns.com/loki-fips to version 3.5.0", + ); + }); }); diff --git a/scripts/renovate/compareImagesAndCharts.ts b/scripts/renovate/compareImagesAndCharts.ts index e821194bcb..6c4bc593c2 100644 --- a/scripts/renovate/compareImagesAndCharts.ts +++ b/scripts/renovate/compareImagesAndCharts.ts @@ -1,5 +1,5 @@ /** - * Copyright 2025 Defense Unicorns + * Copyright 2025-2026 Defense Unicorns * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial */ 
@@ -52,7 +52,7 @@ export async function compareImagesAndCharts( // If no waiting labels were added, add needs-review if ( !result.labels.includes("waiting on ironbank") && - !result.labels.includes("waiting on rapidfort") && + !result.labels.includes("waiting on chainguard") && !result.labels.includes("helm-chart-only") ) { result.labels.push("needs-review"); @@ -257,13 +257,13 @@ function compareImages( result.changes.push( `Waiting on Ironbank to update ${imgName} to version ${newVersion}`, ); - } else if (missingImg.startsWith("quay.io/rfcurated")) { + } else if (missingImg.startsWith("cgr.dev/defenseunicorns.com")) { // Only add the label once, but add a message for each missing image - if (!result.labels.includes("waiting on rapidfort")) { - result.labels.push("waiting on rapidfort"); + if (!result.labels.includes("waiting on chainguard")) { + result.labels.push("waiting on chainguard"); } result.changes.push( - `Waiting on Rapidfort to update ${imgName} to version ${newVersion}`, + `Waiting on Chainguard to update ${imgName} to version ${newVersion}`, ); } } diff --git a/scripts/renovate/getImagesAndCharts.spec.ts b/scripts/renovate/getImagesAndCharts.spec.ts index 468a229c5b..effdad08ea 100644 --- a/scripts/renovate/getImagesAndCharts.spec.ts +++ b/scripts/renovate/getImagesAndCharts.spec.ts @@ -1,5 +1,5 @@ /** - * Copyright 2025 Defense Unicorns + * Copyright 2025-2026 Defense Unicorns * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial */ 
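Review bot: The new `missingImg.startsWith("cgr.dev/defenseunicorns.com")` test has no trailing slash, so any reference whose path merely begins with that string (a different organisation whose name extends it, or a typo'd registry) is also classified as a Chainguard image and gets the "waiting on chainguard" label. `missingImg.startsWith("cgr.dev/defenseunicorns.com/")` pins the match to the organisation path and costs nothing. compareImages continues outside the hunk.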
@@ -114,10 +114,10 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - quay.io/rfcurated/grafana:11.5.3-jammy-scratch-fips-rfcurated - - quay.io/rfcurated/busybox:1.37.0-glibc-rf.1-rfcurated - - quay.io/rfcurated/curl:8.12.1-jammy-scratch-fips-rfcurated - - quay.io/rfcurated/k8s-sidecar:1.30.3-jammy-scratch-fips-rfcurated-rfhardened + - cgr.dev/defenseunicorns.com/grafana-fips:11.5.3 + - cgr.dev/defenseunicorns.com/busybox:1.37.0 + - cgr.dev/defenseunicorns.com/curl-fips:8.12.1 + - cgr.dev/defenseunicorns.com/k8s-sidecar-fips:1.30.3 `; } if (filePath === "test-dir/common/zarf.yaml") { @@ -193,18 +193,15 @@ components: ], "8.12.1": [ "docker.io/curlimages/curl:8.12.1", - "quay.io/rfcurated/curl:8.12.1-jammy-scratch-fips-rfcurated", - ], - "1.37.0": [ - "docker.io/library/busybox:1.37.0", - "quay.io/rfcurated/busybox:1.37.0-glibc-rf.1-rfcurated", + "cgr.dev/defenseunicorns.com/curl-fips:8.12.1", ], + "1.37.0": ["docker.io/library/busybox:1.37.0", "cgr.dev/defenseunicorns.com/busybox:1.37.0"], "1.30.3": [ "ghcr.io/kiwigrid/k8s-sidecar:1.30.3", "registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.30.3", - "quay.io/rfcurated/k8s-sidecar:1.30.3-jammy-scratch-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/k8s-sidecar-fips:1.30.3", ], - "11.5.3": ["quay.io/rfcurated/grafana:11.5.3-jammy-scratch-fips-rfcurated"], + "11.5.3": ["cgr.dev/defenseunicorns.com/grafana-fips:11.5.3"], "9.5": ["registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.5"], }); }); @@ -241,8 +238,8 @@ components: only: flavor: unicorn images: - - quay.io/rfcurated/nginx:1.25.3-slim-jammy-fips-rfcurated-rfhardened - - quay.io/rfcurated/postgres:15.4.0-slim-jammy-fips-rfcurated-rfhardened + - cgr.dev/defenseunicorns.com/nginx-fips:1.25.3 + - cgr.dev/defenseunicorns.com/postgresql-fips:15.4.0 `; } if (filePath === "test-dir/common/zarf.yaml") { 
@@ -274,12 +271,12 @@ metadata: "1.25.3": [ "docker.io/library/nginx:1.25.3", "registry1.dso.mil/ironbank/opensource/nginx/nginx:1.25.3", - "quay.io/rfcurated/nginx:1.25.3-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/nginx-fips:1.25.3", ], "15.4.0": [ "docker.io/library/postgres:15.4.0", "registry1.dso.mil/ironbank/opensource/postgres/postgresql:15.4.0", - "quay.io/rfcurated/postgres:15.4.0-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/postgresql-fips:15.4.0", ], }); }); @@ -356,7 +353,7 @@ components: - name: component1 images: - registry1.dso.mil/ironbank/postgres:15.2.0 - - quay.io/rfcurated/postgres:15.2.0-slim-jammy-fips-rfcurated-rfhardened + - cgr.dev/defenseunicorns.com/postgresql-fips:15.2.0 - docker.io/library/postgres:15.2.0-beta.2 `; } @@ -388,7 +385,7 @@ metadata: expect(images).toEqual({ "15.2.0": [ "registry1.dso.mil/ironbank/postgres:15.2.0", - "quay.io/rfcurated/postgres:15.2.0-slim-jammy-fips-rfcurated-rfhardened", + "cgr.dev/defenseunicorns.com/postgresql-fips:15.2.0", "docker.io/library/postgres:15.2.0-beta.2", ], }); diff --git a/src/authservice/values/unicorn-values.yaml b/src/authservice/values/unicorn-values.yaml index 1e9915a0a0..8658b73d24 100644 --- a/src/authservice/values/unicorn-values.yaml +++ b/src/authservice/values/unicorn-values.yaml @@ -1,6 +1,6 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial image: - repository: quay.io/rfcurated/istio-ecosystem/authservice - tag: "1.1.5-jammy-scratch-fips-rfcurated" + repository: cgr.dev/defenseunicorns.com/authservice-fips + tag: "1.1.5" diff --git a/src/authservice/zarf.yaml b/src/authservice/zarf.yaml index 2b4b00124a..506790d9de 100644 --- a/src/authservice/zarf.yaml +++ b/src/authservice/zarf.yaml 
@@ -1,4 +1,4 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial kind: ZarfPackageConfig @@ -47,4 +47,4 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - quay.io/rfcurated/istio-ecosystem/authservice:1.1.5-jammy-scratch-fips-rfcurated + - cgr.dev/defenseunicorns.com/authservice-fips:1.1.5 diff --git a/src/falco/values/unicorn-values.yaml b/src/falco/values/unicorn-values.yaml index f14f4747bc..62dab9084e 100644 --- a/src/falco/values/unicorn-values.yaml +++ b/src/falco/values/unicorn-values.yaml @@ -1,15 +1,15 @@ -# Copyright 2025 Defense Unicorns +# Copyright 2025-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial image: - registry: quay.io - repository: rfcurated/falcosecurity/falco - tag: 0.43.1-jammy-scratch-fips-rfcurated + registry: cgr.dev + repository: defenseunicorns.com/falco-fips + tag: 0.43.1 pullPolicy: IfNotPresent falcosidekick: image: - registry: quay.io - repository: rfcurated/falcosecurity/falcosidekick - tag: 2.33.0-jammy-scratch-fips-rfcurated + registry: cgr.dev + repository: defenseunicorns.com/falcosidekick-fips + tag: 2.33.0 pullPolicy: IfNotPresent diff --git a/src/falco/zarf.yaml b/src/falco/zarf.yaml index 50c186d0bb..d265c7781d 100644 --- a/src/falco/zarf.yaml +++ b/src/falco/zarf.yaml @@ -1,4 +1,4 @@ -# Copyright 2025 Defense Unicorns +# Copyright 2025-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial kind: ZarfPackageConfig @@ -53,5 +53,5 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - quay.io/rfcurated/falcosecurity/falco:0.43.1-jammy-scratch-fips-rfcurated - - quay.io/rfcurated/falcosecurity/falcosidekick:2.33.0-jammy-scratch-fips-rfcurated + - cgr.dev/defenseunicorns.com/falco-fips:0.43.1 + - cgr.dev/defenseunicorns.com/falcosidekick-fips:2.33.0 
diff --git a/src/grafana/values/unicorn-values.yaml b/src/grafana/values/unicorn-values.yaml index 0693d45947..54571ef630 100644 --- a/src/grafana/values/unicorn-values.yaml +++ b/src/grafana/values/unicorn-values.yaml @@ -1,24 +1,24 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial image: - registry: quay.io - repository: rfcurated/grafana - tag: 12.4.2-jammy-scratch-fips-rfcurated + registry: cgr.dev + repository: defenseunicorns.com/grafana-fips + tag: 12.4.2 initChownData: image: - registry: quay.io - repository: rfcurated/busybox - tag: 1.37.0-musl-rf.1-fips-rfcurated + registry: cgr.dev + repository: defenseunicorns.com/busybox-fips + tag: 1.37.0 downloadDashboardsImage: - registry: quay.io - repository: rfcurated/curl - tag: 8.19.0-jammy-scratch-fips-rfcurated + registry: cgr.dev + repository: defenseunicorns.com/curl-fips + tag: 8.19.0 sidecar: image: - registry: quay.io - repository: rfcurated/kiwigrid/k8s-sidecar - tag: 2.5.0-jammy-scratch-fips-rfcurated-rfhardened + registry: cgr.dev + repository: defenseunicorns.com/k8s-sidecar-fips + tag: 2.5.1 diff --git a/src/grafana/zarf.yaml b/src/grafana/zarf.yaml index f39b67424a..d8a2bab882 100644 --- a/src/grafana/zarf.yaml +++ b/src/grafana/zarf.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial kind: ZarfPackageConfig 
@@ -62,7 +62,7 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - quay.io/rfcurated/grafana:12.4.2-jammy-scratch-fips-rfcurated - - quay.io/rfcurated/busybox:1.37.0-musl-rf.1-fips-rfcurated - - quay.io/rfcurated/curl:8.19.0-jammy-scratch-fips-rfcurated - - quay.io/rfcurated/kiwigrid/k8s-sidecar:2.5.0-jammy-scratch-fips-rfcurated-rfhardened + - cgr.dev/defenseunicorns.com/grafana-fips:12.4.2 + - cgr.dev/defenseunicorns.com/busybox-fips:1.37.0 + - cgr.dev/defenseunicorns.com/curl-fips:8.19.0 + - cgr.dev/defenseunicorns.com/k8s-sidecar-fips:2.5.1 diff --git a/src/istio/values/unicorn/cni.yaml b/src/istio/values/unicorn/cni.yaml index 57427116f1..f2f40c2d1e 100644 --- a/src/istio/values/unicorn/cni.yaml +++ b/src/istio/values/unicorn/cni.yaml @@ -1,5 +1,5 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial cni: - image: quay.io/rfcurated/istio/install-cni:1.29.2-jammy-fips-rfcurated-rfhardened + image: cgr.dev/defenseunicorns.com/istio-install-cni-fips:1.29.1 diff --git a/src/istio/values/unicorn/istiod.yaml b/src/istio/values/unicorn/istiod.yaml index b7b7a7d27f..38961a7684 100644 --- a/src/istio/values/unicorn/istiod.yaml +++ b/src/istio/values/unicorn/istiod.yaml 
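Review bot: The istio install-cni image steps back from 1.29.2 to 1.29.1 on the new side of this hunk, and the same downgrade appears in istiod.yaml, ztunnel.yaml and the istio zarf.yaml image list, without the kind of NOTE the loki files carry to explain why the exact version is unavailable. A version moving backwards inside a registry-migration commit is easy to mistake for a typo, so record it next to the tag, e.g. `image: cgr.dev/defenseunicorns.com/istio-install-cni-fips:1.29.1 # NOTE: 1.29.2 not available at cgr.dev/defenseunicorns.com; using 1.29.1`, and do the same for the grafana k8s-sidecar bump from 2.5.0 to 2.5.1 in the hunk above. Whether the 1.29.2 release contained fixes this mesh deployment relies on is not stated on the page and should be confirmed before merge.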
@@ -1,12 +1,12 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial pilot: - image: "quay.io/rfcurated/istio/pilot:1.29.2-jammy-fips-rfcurated-rfhardened" + image: "cgr.dev/defenseunicorns.com/istio-pilot-fips:1.29.1" global: proxy_init: - # renovate: image=quay.io/rfcurated/istio/proxyv2 - image: "###ZARF_REGISTRY###/rfcurated/istio/proxyv2:1.29.2-jammy-fips-rfcurated-rfhardened" + # renovate: image=cgr.dev/defenseunicorns.com/istio-proxy-fips + image: "###ZARF_REGISTRY###/defenseunicorns.com/istio-proxy-fips:1.29.1" proxy: - # renovate: image=quay.io/rfcurated/istio/proxyv2 - image: "###ZARF_REGISTRY###/rfcurated/istio/proxyv2:1.29.2-jammy-fips-rfcurated-rfhardened" + # renovate: image=cgr.dev/defenseunicorns.com/istio-proxy-fips + image: "###ZARF_REGISTRY###/defenseunicorns.com/istio-proxy-fips:1.29.1" diff --git a/src/istio/values/unicorn/ztunnel.yaml b/src/istio/values/unicorn/ztunnel.yaml index 9c615d29e1..f6c8f93936 100644 --- a/src/istio/values/unicorn/ztunnel.yaml +++ b/src/istio/values/unicorn/ztunnel.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial -image: quay.io/rfcurated/istio/ztunnel:1.29.2-jammy-scratch-fips-rfcurated +image: cgr.dev/defenseunicorns.com/ztunnel-fips:1.29.1 diff --git a/src/istio/zarf.yaml b/src/istio/zarf.yaml index 5b902ec32d..0efd689e37 100644 --- a/src/istio/zarf.yaml +++ b/src/istio/zarf.yaml 
@@ -82,10 +82,10 @@ components: - "values/unicorn/ztunnel.yaml" # @lulaStart b4367e52-bef0-4463-a906-e5af6b4aa015 images: - - quay.io/rfcurated/istio/pilot:1.29.2-jammy-fips-rfcurated-rfhardened - - quay.io/rfcurated/istio/proxyv2:1.29.2-jammy-fips-rfcurated-rfhardened - - quay.io/rfcurated/istio/install-cni:1.29.2-jammy-fips-rfcurated-rfhardened - - quay.io/rfcurated/istio/ztunnel:1.29.2-jammy-scratch-fips-rfcurated + - cgr.dev/defenseunicorns.com/istio-pilot-fips:1.29.1 + - cgr.dev/defenseunicorns.com/istio-proxy-fips:1.29.1 + - cgr.dev/defenseunicorns.com/istio-install-cni-fips:1.29.1 + - cgr.dev/defenseunicorns.com/ztunnel-fips:1.29.1 # @lulaEnd b4367e52-bef0-4463-a906-e5af6b4aa015 - name: gateway-api-crds diff --git a/src/keycloak/chart/templates/configmap-fips-jce-security.yaml b/src/keycloak/chart/templates/configmap-fips-jce-security.yaml new file mode 100644 index 0000000000..4462c4bf33 --- /dev/null +++ b/src/keycloak/chart/templates/configmap-fips-jce-security.yaml @@ -0,0 +1,15 @@ +# Copyright 2024-2026 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +{{- if .Values.migrations.writeFipsJceSecurity }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "keycloak.fullname" . }}-fips-jce-security + namespace: {{ .Release.Namespace }} + labels: + {{- include "keycloak.labels" . | nindent 4 }} +data: + fips-sunjce.security: | + security.provider.99=SunJCE +{{- end }} diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml index e40b2c5a08..085a1af2c5 100644 --- a/src/keycloak/chart/templates/statefulset.yaml +++ b/src/keycloak/chart/templates/statefulset.yaml 
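Review bot: `security.provider.99=SunJCE` in the new ConfigMap registers SunJCE at the lowest priority, so it only answers for algorithms the earlier (FIPS) providers do not implement; that is exactly what the PKCS12 truststore path needs, but it also means any other algorithm BC FIPS refuses now falls back to a non-FIPS implementation instead of failing, and the data block should say so, e.g. `# slot 99 keeps SunJCE last: BC FIPS is consulted first, SunJCE only fills gaps (HmacPBESHA256 for PKCS12)`. If the image's java.security already assigns a provider to slot 99 this key overrides it rather than appending, so the slot number should be checked against the cgr.dev keycloak-fips image. The override file is only honoured when that java.security has `security.overridePropertiesFile=true`; presumably it does, but a one-line comment recording that this was verified would save the next maintainer the check.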
@@ -133,13 +133,19 @@ spec:
 - secretRef:
 name: {{ include "keycloak.fullname" . }}-realm-env
 env:
+ {{- if and .Values.migrations.writeFipsJceSecurity .Values.env }}
+ {{- range .Values.env }}
+ {{- if eq .name "JAVA_OPTS_APPEND" }}
+ {{- fail "migrations.writeFipsJceSecurity=true conflicts with JAVA_OPTS_APPEND in .Values.env; the chart injects JAVA_OPTS_APPEND to load the FIPS JCE security override" }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
 {{- if .Values.env }}
 {{- tpl (toYaml .Values.env) . | nindent 12 }}
 {{- end }}
- {{- if or (contains "rfcurated" .Values.image.repository) (contains "rfcurated" (toString .Values.image.tag)) }}
- # Ensure javaagent is disabled (only for rfcurated unicorn flavor)
- - name: JDK_JAVA_OPTIONS
- value: "--add-exports=java.base/sun.security.internal.spec=ALL-UNNAMED --add-exports=java.base/sun.security.provider=ALL-UNNAMED"
+ {{- if .Values.migrations.writeFipsJceSecurity }}
+ - name: JAVA_OPTS_APPEND
+ value: "-Djava.security.properties=/opt/keycloak/data/fips-sunjce.security"
 {{- end }}
 # Common configuration
 - name: UDS_DOMAIN
@@ -338,6 +344,12 @@ spec:
 {{- with .Values.extraVolumeMounts }}
 {{- toYaml . | nindent 12 }}
 {{- end }}
+ {{- if .Values.migrations.writeFipsJceSecurity }}
+ - name: fips-jce-security
+ mountPath: /opt/keycloak/data/fips-sunjce.security
+ subPath: fips-sunjce.security
+ readOnly: true
+ {{- end }}
 enableServiceLinks: {{ .Values.enableServiceLinks }}
 restartPolicy: {{ .Values.restartPolicy }}
 {{- with .Values.nodeSelector }}
@@ -427,6 +439,11 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+ {{- if .Values.migrations.writeFipsJceSecurity }}
+ - name: fips-jce-security
+ configMap:
+ name: {{ include "keycloak.fullname" . }}-fips-jce-security
+ {{- end }}
 {{- with .Values.extraVolumes }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
diff --git a/src/keycloak/chart/tests/kc_fips_jce_security_test.yaml b/src/keycloak/chart/tests/kc_fips_jce_security_test.yaml
new file mode 100644
index 0000000000..86b867d3c9
--- /dev/null
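Review bot: The single `=` in `-Djava.security.properties=/opt/keycloak/data/fips-sunjce.security` is the load-bearing detail of this hunk and deserves a comment, because `==` would make the mounted file replace the image's whole java.security, FIPS provider list included, instead of layering one key on top; suggested: `# single '=' layers the file over java.security; '==' would replace it and drop the FIPS providers`. The `fail` guard only inspects `.Values.env`, while the `-realm-env` secretRef just above it can also carry a JAVA_OPTS_APPEND; because explicit `env` entries take precedence over `envFrom`, a value supplied that way is silently overridden rather than rejected, which is worth stating in the guard's comment or the values.yaml description. The `subPath` mount means later edits to the ConfigMap are not propagated into running pods, which is acceptable for a static one-line override but should be noted next to `subPath: fips-sunjce.security`. The container spec continues outside the hunk.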
+++ b/src/keycloak/chart/tests/kc_fips_jce_security_test.yaml 
@@ -0,0 +1,100 @@ +# Copyright 2024-2026 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json + +suite: Keycloak - FIPS JCE security override +templates: + - statefulset.yaml + - configmap-fips-jce-security.yaml + +tests: + - it: should NOT render the fips-jce-security configmap when writeFipsJceSecurity is false + set: + migrations: + writeFipsJceSecurity: false + template: configmap-fips-jce-security.yaml + asserts: + - hasDocuments: + count: 0 + + - it: should render the fips-jce-security configmap when writeFipsJceSecurity is true + set: + migrations: + writeFipsJceSecurity: true + template: configmap-fips-jce-security.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + + - it: should include SunJCE provider in configmap data when writeFipsJceSecurity is true + set: + migrations: + writeFipsJceSecurity: true + template: configmap-fips-jce-security.yaml + asserts: + - matchRegex: + path: data["fips-sunjce.security"] + pattern: "security\\.provider\\.99=SunJCE" + + - it: should NOT inject JAVA_OPTS_APPEND when writeFipsJceSecurity is false + set: + migrations: + writeFipsJceSecurity: false + template: statefulset.yaml + asserts: + - notContains: + path: spec.template.spec.containers[0].env + content: + name: JAVA_OPTS_APPEND + + - it: should inject JAVA_OPTS_APPEND with correct path when writeFipsJceSecurity is true + set: + migrations: + writeFipsJceSecurity: true + template: statefulset.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: JAVA_OPTS_APPEND + value: "-Djava.security.properties=/opt/keycloak/data/fips-sunjce.security" + + - it: should NOT add fips-jce-security volumeMount when writeFipsJceSecurity is false + set: + migrations: + writeFipsJceSecurity: false + template: statefulset.yaml + asserts: + - 
notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: fips-jce-security + + - it: should add fips-jce-security volumeMount when writeFipsJceSecurity is true + set: + migrations: + writeFipsJceSecurity: true + template: statefulset.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: fips-jce-security + mountPath: /opt/keycloak/data/fips-sunjce.security + subPath: fips-sunjce.security + readOnly: true + + - it: should fail render when writeFipsJceSecurity=true and env contains JAVA_OPTS_APPEND + set: + migrations: + writeFipsJceSecurity: true + env: + - name: JAVA_OPTS_APPEND + value: "-Xmx512m" + template: statefulset.yaml + asserts: + - failedTemplate: + errorMessage: "migrations.writeFipsJceSecurity=true conflicts with JAVA_OPTS_APPEND in .Values.env; the chart injects JAVA_OPTS_APPEND to load the FIPS JCE security override" diff --git a/src/keycloak/chart/tests/kc_rfcurated_java_opts_test.yaml b/src/keycloak/chart/tests/kc_rfcurated_java_opts_test.yaml deleted file mode 100644 index 9135776ce4..0000000000 --- a/src/keycloak/chart/tests/kc_rfcurated_java_opts_test.yaml +++ /dev/null 
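Review bot: The new suite asserts the env entry and the container volumeMount but never checks that the `fips-jce-security` volume itself is rendered under `spec.template.spec.volumes` (the third hunk of statefulset.yaml), so a typo in the volume name or in the ConfigMap reference would pass every test here and surface only when the pod fails to start. Two additional cases, one per flag value, close the gap; the `any: true` form is used so the generated ConfigMap name does not have to be spelled out.
```yaml
  - it: should add fips-jce-security volume when writeFipsJceSecurity is true
    set:
      migrations:
        writeFipsJceSecurity: true
    template: statefulset.yaml
    asserts:
      - contains:
          path: spec.template.spec.volumes
          content:
            name: fips-jce-security
          any: true

  - it: should NOT add fips-jce-security volume when writeFipsJceSecurity is false
    set:
      migrations:
        writeFipsJceSecurity: false
    template: statefulset.yaml
    asserts:
      - notContains:
          path: spec.template.spec.volumes
          content:
            name: fips-jce-security
          any: true
```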
@@ -1,47 +0,0 @@ -# Copyright 2025 Defense Unicorns -# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - -# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json - -suite: Keycloak - Unicorn JDK_JAVA_OPTIONS env injection -templates: - - statefulset.yaml - -tests: - - it: should render JDK_JAVA_OPTIONS when image.repository contains "rfcurated" - set: - image: - repository: quay.io/rfcurated/keycloak - tag: "26.4.2" - template: statefulset.yaml - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: JDK_JAVA_OPTIONS - value: "--add-exports=java.base/sun.security.internal.spec=ALL-UNNAMED --add-exports=java.base/sun.security.provider=ALL-UNNAMED" - - - it: should render JDK_JAVA_OPTIONS when image.tag contains "rfcurated" - set: - image: - repository: quay.io/keycloak/keycloak - tag: "26.4.2-jammy-fips-rfcurated" - template: statefulset.yaml - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: JDK_JAVA_OPTIONS - value: "--add-exports=java.base/sun.security.internal.spec=ALL-UNNAMED --add-exports=java.base/sun.security.provider=ALL-UNNAMED" - - - it: should NOT render JDK_JAVA_OPTIONS when image is not rfcurated - set: - image: - repository: quay.io/keycloak/keycloak - tag: "26.5.7" - template: statefulset.yaml - asserts: - - notContains: - path: spec.template.spec.containers[0].env - content: - name: JDK_JAVA_OPTIONS diff --git a/src/keycloak/chart/values.schema.json b/src/keycloak/chart/values.schema.json index 596f4a4bd3..b6760dd68d 100644 --- a/src/keycloak/chart/values.schema.json +++ b/src/keycloak/chart/values.schema.json 
@@ -649,6 +649,11 @@ "properties": { "deleteGeneratedTrustStore": { "type": "boolean" + }, + "writeFipsJceSecurity": { + "type": "boolean", + "default": false, + "description": "Mounts a JVM security properties override that adds SunJCE as provider.99. Required for cgr.dev keycloak-fips images, which omit SunJCE from java.security, causing PKCS12 truststore creation to fail with HmacPBESHA256 not available. Remove once Chainguard ships keycloak-fips with SunJCE included." } } }, diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index 558f60cc06..95ce4cb692 100644 --- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml @@ -415,6 +415,13 @@ env: [] migrations: # Deletes the generated truststore to enable recreating it by Keycloak deleteGeneratedTrustStore: false + # Mounts a JVM security properties override that adds SunJCE as provider.99. + # Required for cgr.dev keycloak-fips images, which omit SunJCE from java.security, + # causing Keycloak's hardcoded PKCS12 truststore creation to fail with + # "Algorithm HmacPBESHA256 not available". BC FIPS remains the primary provider. + # Remove this flag and configmap-fips-jce-security.yaml once Chainguard ships + # keycloak-fips with SunJCE included in java.security. + writeFipsJceSecurity: false # Third-party integration settings, such as L7 Load Balancer support thirdPartyIntegration: diff --git a/src/keycloak/values/unicorn-values.yaml b/src/keycloak/values/unicorn-values.yaml index 8968b18ec1..fac34ce6db 100644 --- a/src/keycloak/values/unicorn-values.yaml +++ b/src/keycloak/values/unicorn-values.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial podSecurityContext: 
@@ -11,8 +11,9 @@ securityContext: drop: - ALL image: - repository: quay.io/rfcurated/keycloak - tag: "26.5.7-jammy-fips-rfcurated" + repository: cgr.dev/defenseunicorns.com/keycloak-fips + tag: "26.6.1" migrations: deleteGeneratedTrustStore: true + writeFipsJceSecurity: true diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml index 8718d86baf..e7ee68160b 100644 --- a/src/keycloak/zarf.yaml +++ b/src/keycloak/zarf.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial # @lulaStart 4147b6a6-3339-4d5d-b10a-f16502b52206 @@ -59,5 +59,5 @@ components: valuesFiles: - "values/unicorn-values.yaml" images: - - quay.io/rfcurated/keycloak:26.5.7-jammy-fips-rfcurated + - cgr.dev/defenseunicorns.com/keycloak-fips:26.6.1 - ghcr.io/defenseunicorns/uds/identity-config:0.26.1 diff --git a/src/loki/values/unicorn-values.yaml b/src/loki/values/unicorn-values.yaml index 2bfc28feff..49cbf36ceb 100644 --- a/src/loki/values/unicorn-values.yaml +++ b/src/loki/values/unicorn-values.yaml 
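Review bot: The Keycloak tag moves from 26.5.7 to 26.6.1 in the same hunk that switches registries, so an image-source migration and a Keycloak minor upgrade land together and a regression in either will be hard to attribute; if the cgr.dev image is not published at 26.5.7 a NOTE like the loki files carry would make that explicit. `deleteGeneratedTrustStore: true` is kept and `writeFipsJceSecurity: true` is added beneath it, and the two presumably depend on each other (the regenerated PKCS12 truststore is what needs SunJCE); a one-line comment tying them together, `# writeFipsJceSecurity is required for the truststore regeneration above on cgr.dev keycloak-fips images`, would stop someone turning one off without the other.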
@@ -1,21 +1,24 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial loki: image: - registry: quay.io - repository: rfcurated/grafana/loki - tag: 3.7.1-jammy-fips-rfcurated-rfhardened + registry: cgr.dev/defenseunicorns.com + repository: loki-fips + # NOTE: exact version 3.7.1 not available at cgr.dev/defenseunicorns.com; using 3.6.10 + tag: 3.6.10 gateway: image: - registry: quay.io - repository: rfcurated/nginx - tag: 1.29.7-slim-jammy-fips-rfcurated-rfhardened + registry: cgr.dev/defenseunicorns.com + repository: nginx-fips + # NOTE: exact version 1.29.7 not available at cgr.dev/defenseunicorns.com; using 1.29.8 + tag: 1.29.8 memcached: image: - repository: quay.io/rfcurated/memcached - tag: 1.6.41-jammy-fips-rfcurated-rfhardened + repository: cgr.dev/defenseunicorns.com/memcached-fips + tag: 1.6.41 sidecar: image: - repository: quay.io/rfcurated/kiwigrid/k8s-sidecar - tag: 2.5.0-jammy-scratch-fips-rfcurated-rfhardened + repository: cgr.dev/defenseunicorns.com/k8s-sidecar-fips + # NOTE: exact version 2.5.0 not available at cgr.dev/defenseunicorns.com; using 2.5.1 + tag: 2.5.1 diff --git a/src/loki/zarf.yaml b/src/loki/zarf.yaml index 2c807bf23c..d6e6388fc9 100644 --- a/src/loki/zarf.yaml +++ b/src/loki/zarf.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial kind: ZarfPackageConfig @@ -49,7 +49,7 @@ components: - name: loki required: true - description: "Install Loki using Rapidfort images" + description: "Install Loki using Chainguard images" only: flavor: "unicorn" import: 
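Review bot: `registry: cgr.dev/defenseunicorns.com` with `repository: loki-fips` (and the same split for the gateway) divides the image reference differently from every other file in this commit, where falco, grafana and blackbox-exporter use `registry: cgr.dev` and keep `defenseunicorns.com/<name>` in `repository`. If Renovate or the compare script keys on the repository value, the loki and gateway entries will presumably not be recognised as `cgr.dev/defenseunicorns.com` images; `registry: cgr.dev` / `repository: defenseunicorns.com/loki-fips` keeps one convention, assuming the chart concatenates the two with a slash as the others do. The loki tag also steps back from 3.7.1 to 3.6.10, which the NOTE records; whether the storage schema and config keys in use remain compatible with 3.6.10 is not stated and should be confirmed before rollout.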
@@ -59,7 +59,7 @@ components: valuesFiles: - ./values/unicorn-values.yaml images: - - quay.io/rfcurated/grafana/loki:3.7.1-jammy-fips-rfcurated-rfhardened - - quay.io/rfcurated/nginx:1.29.7-slim-jammy-fips-rfcurated-rfhardened - - quay.io/rfcurated/memcached:1.6.41-jammy-fips-rfcurated-rfhardened - - quay.io/rfcurated/kiwigrid/k8s-sidecar:2.5.0-jammy-scratch-fips-rfcurated-rfhardened + - cgr.dev/defenseunicorns.com/loki-fips:3.6.10 # NOTE: exact version 3.7.1 not available at cgr.dev/defenseunicorns.com; using 3.6.10 + - cgr.dev/defenseunicorns.com/nginx-fips:1.29.8 # NOTE: exact version 1.29.7 not available at cgr.dev/defenseunicorns.com; using 1.29.8 + - cgr.dev/defenseunicorns.com/memcached-fips:1.6.41 + - cgr.dev/defenseunicorns.com/k8s-sidecar-fips:2.5.1 # NOTE: exact version 2.5.0 not available at cgr.dev/defenseunicorns.com; using 2.5.1 diff --git a/src/metrics-server/values/unicorn-values.yaml b/src/metrics-server/values/unicorn-values.yaml index d3b071ba70..b76cb0b7e6 100644 --- a/src/metrics-server/values/unicorn-values.yaml +++ b/src/metrics-server/values/unicorn-values.yaml @@ -1,6 +1,6 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial image: - repository: quay.io/rfcurated/metrics-server - tag: "0.8.1-jammy-scratch-fips-rfcurated-rfhardened" + repository: cgr.dev/defenseunicorns.com/metrics-server-fips + tag: "0.8.1" diff --git a/src/metrics-server/zarf.yaml b/src/metrics-server/zarf.yaml index 4f58c7054c..2aae40530d 100644 --- a/src/metrics-server/zarf.yaml +++ b/src/metrics-server/zarf.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial kind: ZarfPackageConfig 
@@ -45,4 +45,4 @@ components:
 valuesFiles:
 - "values/unicorn-values.yaml"
 images: 
- - quay.io/rfcurated/metrics-server:0.8.1-jammy-scratch-fips-rfcurated-rfhardened 
+ - cgr.dev/defenseunicorns.com/metrics-server-fips:0.8.1 
diff --git a/src/pepr/policies/common.spec.ts b/src/pepr/policies/common.spec.ts 
index f7695c810e..36ebc50f6a 100644 
--- a/src/pepr/policies/common.spec.ts 
+++ b/src/pepr/policies/common.spec.ts 
@@ -1,5 +1,5 @@
 /** 
- * Copyright 2025 Defense Unicorns 
+ * Copyright 2025-2026 Defense Unicorns
 * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 */ 
@@ -132,7 +132,7 @@ describe("validateIstioImage", () => {

 // Test each flavor with its canonical registry
 it("should return true for unicorn flavor image with correct registry", () => { 
- expect(validateIstioImage("quay.io/rfcurated/istio/proxyv2:1.16.0")).toBe(true); 
+ expect(validateIstioImage("cgr.dev/defenseunicorns.com/istio-proxy-fips:1.16.0")).toBe(true);
 });

 it("should return true for upstream flavor image with correct registry", () => { 
@@ -153,8 +153,10 @@ describe("validateIstioImage", () => {

 // Test with different tags and digests
 it("should handle images with tags and digests", () => { 
- expect(validateIstioImage("quay.io/rfcurated/istio/proxyv2:latest")).toBe(true); 
- expect(validateIstioImage("quay.io/rfcurated/istio/proxyv2@sha256:abc123")).toBe(true); 
+ expect(validateIstioImage("cgr.dev/defenseunicorns.com/istio-proxy-fips:latest")).toBe(true); 
+ expect(validateIstioImage("cgr.dev/defenseunicorns.com/istio-proxy-fips@sha256:abc123")).toBe( 
+ true, 
+ );
 });

 // Test negative cases 
diff --git a/src/pepr/policies/common.ts b/src/pepr/policies/common.ts 
index 3a9af00ec7..3744ac9092 100644 
--- a/src/pepr/policies/common.ts 
+++ b/src/pepr/policies/common.ts 
@@ -1,5 +1,5 @@
 /** 
- * Copyright 2024 Defense Unicorns 
+ * Copyright 2024-2026 Defense Unicorns
 * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 */ 
@@ -40,8 +40,8 @@ const ISTIO_IMAGE_FLAVOR_CONFIGS = {
 repository: "ironbank/tetrate/istio/proxyv2",
 },
 unicorn: { 
- registry: "quay.io", 
- repository: "rfcurated/istio/proxyv2", 
+ registry: "cgr.dev", 
+ repository: "defenseunicorns.com/istio-proxy-fips",
 },
 } as const; 

diff --git a/src/prometheus-stack/values/unicorn/blackbox-exporter.yaml b/src/prometheus-stack/values/unicorn/blackbox-exporter.yaml 
index 616e2332fd..455fc63780 100644 
--- a/src/prometheus-stack/values/unicorn/blackbox-exporter.yaml 
+++ b/src/prometheus-stack/values/unicorn/blackbox-exporter.yaml 
@@ -1,14 +1,13 @@
 # Copyright 2026 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

-# Image configuration for unicorn flavor
 image: 
- registry: quay.io 
- repository: rfcurated/prometheus/blackbox-exporter 
- tag: 0.28.0-jammy-scratch-fips-rfcurated-rfhardened 
+ registry: cgr.dev 
+ repository: defenseunicorns.com/prometheus-blackbox-exporter-fips 
+ tag: 0.28.0
 configReloader:
 image: 
- registry: quay.io 
- repository: rfcurated/prometheus-operator/prometheus-config-reloader 
- tag: 0.90.1-jammy-scratch-fips-rfcurated 
+ registry: cgr.dev 
+ repository: defenseunicorns.com/prometheus-config-reloader-fips 
+ tag: 0.90.1 
diff --git a/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml b/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml 
index 13ec95408c..b5436b6939 100644 
--- a/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml 
+++ b/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml 
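Review bot: With the unicorn flavor now on a shared registry, the org path `defenseunicorns.com/` carried in `repository` is what distinguishes the curated image from any other tenant on `cgr.dev`, so the comparison inside `validateIstioImage` (outside this hunk) has to anchor on the full repository path and not on the registry alone. The common.spec.ts hunk only adds positive cases for this registry; a negative case for another org path, such as `expect(validateIstioImage("cgr.dev/<other-org>/istio-proxy-fips:1.16.0")).toBe(false);` (placeholder org), would pin that boundary. A short comment on the `unicorn` entry, e.g. `// org path is part of the repository; the registry alone is shared with other tenants`, would keep the next maintainer from folding it back into `registry`. The `ISTIO_IMAGE_FLAVOR_CONFIGS` literal starts before this hunk.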
@@ -1,17 +1,18 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial alertmanager: alertmanagerSpec: image: - registry: quay.io - repository: rfcurated/prometheus/alertmanager - tag: 0.32.1-jammy-fips-rfcurated-rfhardened + registry: cgr.dev + repository: defenseunicorns.com/prometheus-alertmanager-fips + # NOTE: exact version 0.32.1 not available at cgr.dev/defenseunicorns.com; using 0.31.1 + tag: 0.31.1 kube-state-metrics: image: - registry: quay.io - repository: rfcurated/kube-state-metrics - tag: 2.18.0-jammy-scratch-fips-rfcurated-rfhardened + registry: cgr.dev + repository: defenseunicorns.com/kube-state-metrics-fips + tag: 2.18.0 securityContext: enabled: true fsGroup: 65532 @@ -21,14 +22,14 @@ kube-state-metrics: prometheus: prometheusSpec: image: - registry: quay.io - repository: rfcurated/prometheus - tag: 3.11.3-jammy-fips-rfcurated-rfhardened + registry: cgr.dev + repository: defenseunicorns.com/prometheus-fips + tag: 3.11.3 prometheus-node-exporter: image: - registry: quay.io - repository: rfcurated/prometheus/node-exporter - tag: 1.11.1-jammy-scratch-fips-rfcurated + registry: cgr.dev + repository: defenseunicorns.com/prometheus-node-exporter-fips + tag: 1.11.1 prometheusOperator: admissionWebhooks: containerSecurityContext: 
@@ -38,19 +39,21 @@ prometheusOperator: patch: enabled: true image: - registry: quay.io - repository: rfcurated/ingress-nginx/kube-webhook-certgen - tag: 1.6.9-jammy-fips-rfcurated-rfhardened + registry: cgr.dev + repository: defenseunicorns.com/kube-webhook-certgen-fips + # NOTE: exact version 1.6.9 not available at cgr.dev/defenseunicorns.com; using 1.15.2 (major jump) + # NOTE: upstream ingress-nginx/kube-webhook-certgen is deprecated; successor jkroepke/kube-webhook-certgen not yet in Chainguard + tag: 1.15.2 securityContext: runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 image: - registry: quay.io - repository: rfcurated/prometheus-operator - tag: 0.90.1-jammy-scratch-fips-rfcurated + registry: cgr.dev + repository: defenseunicorns.com/prometheus-operator-fips + tag: 0.90.1 prometheusConfigReloader: image: - registry: quay.io - repository: rfcurated/prometheus-operator/prometheus-config-reloader - tag: 0.90.1-jammy-scratch-fips-rfcurated + registry: cgr.dev + repository: defenseunicorns.com/prometheus-config-reloader-fips + tag: 0.90.1 diff --git a/src/prometheus-stack/zarf.yaml b/src/prometheus-stack/zarf.yaml index 709ae0a738..9a7fad08b6 100644 --- a/src/prometheus-stack/zarf.yaml +++ b/src/prometheus-stack/zarf.yaml 
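Review bot: The kube-webhook-certgen image under `admissionWebhooks.patch` jumps from 1.6.9 to 1.15.2 with only an availability note; this patch job presumably issues the TLS material and CA bundle for the prometheus-operator admission webhook, so a major-version change deserves explicit confirmation that the chart's job arguments are accepted by 1.15.x, since a failed patch job leaves the webhook unverifiable. The second NOTE says the upstream image is deprecated, so record where the 1.15.2 lineage comes from and the condition for replacing it, e.g. `# NOTE: revisit when a Chainguard build of the successor image is available; verify patch-job args on each bump`. The prometheus-stack zarf.yaml hunk repeats the same inline note and should stay in sync with whatever wording is chosen here.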
@@ -72,13 +72,13 @@ components:
 valuesFiles:
 - "values/unicorn/kube-prometheus-stack.yaml"
 images: 
- - "quay.io/rfcurated/prometheus/node-exporter:1.11.1-jammy-scratch-fips-rfcurated" 
- - "quay.io/rfcurated/prometheus-operator:0.90.1-jammy-scratch-fips-rfcurated" 
- - "quay.io/rfcurated/kube-state-metrics:2.18.0-jammy-scratch-fips-rfcurated-rfhardened" 
- - "quay.io/rfcurated/prometheus/alertmanager:0.32.1-jammy-fips-rfcurated-rfhardened" 
- - "quay.io/rfcurated/prometheus-operator/prometheus-config-reloader:0.90.1-jammy-scratch-fips-rfcurated" 
- - "quay.io/rfcurated/prometheus:3.11.3-jammy-fips-rfcurated-rfhardened" 
- - "quay.io/rfcurated/ingress-nginx/kube-webhook-certgen:1.6.9-jammy-fips-rfcurated-rfhardened" 
+ - "cgr.dev/defenseunicorns.com/prometheus-node-exporter-fips:1.11.1" 
+ - "cgr.dev/defenseunicorns.com/prometheus-operator-fips:0.90.1" 
+ - "cgr.dev/defenseunicorns.com/kube-state-metrics-fips:2.18.0" 
+ - "cgr.dev/defenseunicorns.com/prometheus-alertmanager-fips:0.31.1" # NOTE: exact version 0.32.1 not available at cgr.dev/defenseunicorns.com; using 0.31.1 
+ - "cgr.dev/defenseunicorns.com/prometheus-config-reloader-fips:0.90.1" 
+ - "cgr.dev/defenseunicorns.com/prometheus-fips:3.11.3" 
+ - "cgr.dev/defenseunicorns.com/kube-webhook-certgen-fips:1.15.2" # NOTE: exact version 1.6.9 not available; using 1.15.2 (major jump); upstream ingress-nginx/kube-webhook-certgen deprecated

 - name: prometheus-blackbox-exporter
 required: true 
@@ -122,5 +122,5 @@ components:
 valuesFiles:
 - "values/unicorn/blackbox-exporter.yaml"
 images: 
- - "quay.io/rfcurated/prometheus/blackbox-exporter:0.28.0-jammy-scratch-fips-rfcurated-rfhardened" 
- - "quay.io/rfcurated/prometheus-operator/prometheus-config-reloader:0.90.1-jammy-scratch-fips-rfcurated" 
+ - "cgr.dev/defenseunicorns.com/prometheus-blackbox-exporter-fips:0.28.0" 
+ - "cgr.dev/defenseunicorns.com/prometheus-config-reloader-fips:0.90.1" 
diff --git a/src/vector/values/unicorn-values.yaml b/src/vector/values/unicorn-values.yaml index 6d262327c0..c8ad4124e4 100644 --- a/src/vector/values/unicorn-values.yaml +++ b/src/vector/values/unicorn-values.yaml @@ -1,6 +1,6 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial image: - repository: quay.io/rfcurated/vector - tag: 0.54.0-jammy-fips-rfcurated-rfhardened + repository: cgr.dev/defenseunicorns.com/vector-fips + tag: 0.54.0 diff --git a/src/vector/zarf.yaml b/src/vector/zarf.yaml index 2883f214f8..7e8c10e068 100644 --- a/src/vector/zarf.yaml +++ b/src/vector/zarf.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial kind: ZarfPackageConfig @@ -52,4 +52,4 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - quay.io/rfcurated/vector:0.54.0-jammy-fips-rfcurated-rfhardened + - cgr.dev/defenseunicorns.com/vector-fips:0.54.0 diff --git a/src/velero/values/unicorn-values.yaml b/src/velero/values/unicorn-values.yaml index 72e258a7f7..178ad350d9 100644 --- a/src/velero/values/unicorn-values.yaml +++ b/src/velero/values/unicorn-values.yaml 
@@ -1,19 +1,19 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial image: - repository: quay.io/rfcurated/velero/velero - tag: 1.18.0-noble-scratch-fips-rfcurated + repository: cgr.dev/defenseunicorns.com/velero-fips + tag: 1.18.0 initContainers: - name: velero-plugin-for-aws - image: quay.io/rfcurated/velero/velero-plugin-for-aws:1.14.0-noble-scratch-fips-rfcurated + image: cgr.dev/defenseunicorns.com/velero-plugin-for-aws-fips:1.14.0 imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /target name: plugins - name: velero-plugin-for-azure - image: quay.io/rfcurated/velero/velero-plugin-for-microsoft-azure:1.14.0-noble-scratch-fips-rfcurated + image: cgr.dev/defenseunicorns.com/velero-plugin-for-microsoft-azure-fips:1.14.0 imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /target diff --git a/src/velero/zarf.yaml b/src/velero/zarf.yaml index ecf17b592b..6fdbb3af5f 100644 --- a/src/velero/zarf.yaml +++ b/src/velero/zarf.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial kind: ZarfPackageConfig @@ -51,6 +51,6 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - quay.io/rfcurated/velero/velero:1.18.0-noble-scratch-fips-rfcurated - - quay.io/rfcurated/velero/velero-plugin-for-aws:1.14.0-noble-scratch-fips-rfcurated - - quay.io/rfcurated/velero/velero-plugin-for-microsoft-azure:1.14.0-noble-scratch-fips-rfcurated + - cgr.dev/defenseunicorns.com/velero-fips:1.18.0 + - cgr.dev/defenseunicorns.com/velero-plugin-for-aws-fips:1.14.0 + - cgr.dev/defenseunicorns.com/velero-plugin-for-microsoft-azure-fips:1.14.0 From 985c7a4465ae57ee1045f091be7e2636eca2e822 Mon Sep 17 00:00:00 2001 
From: UnicornChance Date: Tue, 5 May 2026 15:07:24 -0700 Subject: [PATCH 2/9] fix: broken link and multiarch --- docs/concepts/platform/flavors.mdx | 4 ---- scripts/check-multiarch.sh | 2 ++ 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/concepts/platform/flavors.mdx b/docs/concepts/platform/flavors.mdx index 132928746a..ea21986581 100644 --- a/docs/concepts/platform/flavors.mdx +++ b/docs/concepts/platform/flavors.mdx @@ -24,10 +24,6 @@ UDS Core is published in multiple **flavors**. A flavor determines the container > [!TIP] > **Compare CVE counts:** You can view current CVE counts for the `upstream` and `registry1` flavors on the [UDS Registry Core Package](https://registry.defenseunicorns.com/repo/public/core/versions). The `unicorn` flavor undergoes additional patching and curation by Defense Unicorns, resulting in significantly fewer CVEs. [Contact Defense Unicorns](https://www.defenseunicorns.com/contact) to learn more. -## Authenticating with the unicorn registry - -The `unicorn` flavor container images are hosted on `cgr.dev/defenseunicorns.com`. Pulling these images locally requires authentication via `chainctl`, the Chainguard CLI, configured as a Docker credential helper. See [Unicorn registry authentication](/dev/unicorn-registry-auth/) for setup instructions. - ## Flavors and bundles You select a flavor when building a UDS Bundle. All Core packages within a bundle should use the **same flavor** to ensure image consistency. diff --git a/scripts/check-multiarch.sh b/scripts/check-multiarch.sh index 7fdb94d019..4a2f242f6a 100755 --- a/scripts/check-multiarch.sh +++ b/scripts/check-multiarch.sh 
@@ -41,7 +41,9 @@ echo "Scanning $SRC_DIR for unicorn and registry1 images..." # Extract all cgr.dev/defenseunicorns.com/ (unicorn) and registry1.dso.mil/ironbank/ (registry1) images find "$SRC_DIR" -name "zarf.yaml" -type f -exec grep -hE "cgr.dev/defenseunicorns.com/|registry1.dso.mil/ironbank/" {} \; | \ sed 's/^[[:space:]]*-[[:space:]]*//' | \ + sed 's/#.*//' | \ sed 's/"//g' | \ + sed 's/[[:space:]]*$//' | \ sort -u > "$TEMP_IMAGES" TOTAL=$(wc -l < "$TEMP_IMAGES") From 65d31957b9fbb52e8364869c160f0948a6f620cf Mon Sep 17 00:00:00 2001 From: UnicornChance Date: Wed, 6 May 2026 06:16:10 -0700 Subject: [PATCH 3/9] temp: use latest k3d version for 1.35 instead of 1.34 --- tasks/deploy.yaml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 71890bce75..ebb9622e6c 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -126,11 +126,16 @@ tasks: # Download latest release bundle curl -sSL https://raw.githubusercontent.com/defenseunicorns/uds-core/v${LATEST_CORE_TAG}/bundles/k3d-standard/uds-bundle.yaml -o tmp/core-shim/uds-bundle.yaml - # Update the bundle with the latest version using yq + # Read k3d ref from local bundle so the cluster matches the current branch's expected node OS + UDS_K3D_REF=$(./uds zarf tools yq '.packages[] | select(.name == "uds-k3d-dev") | .ref' bundles/k3d-standard/uds-bundle.yaml) + + # Update the bundle: pin core to the latest release OCI ref, and k3d to the current branch's version ./uds zarf tools yq e -i " del(.packages[] | select(.name == \"core\").path) | .packages[] |= (select(.name == \"core\") | - .repository = \"${TARGET_REPO}/core\" | .ref = \"${LATEST_VERSION}\")" \ + .repository = \"${TARGET_REPO}/core\" | .ref = \"${LATEST_VERSION}\") | + .packages[] |= (select(.name == \"uds-k3d-dev\") | + .ref = \"${UDS_K3D_REF}\")" \ tmp/core-shim/uds-bundle.yaml # Create and deploy the bundle From e13c28ac1f086e23e51fe54521d06decdbc8fde0 Mon Sep 17 00:00:00 2001 
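Review bot: The new `sed 's/#.*//'` also reduces a fully commented-out image line (`# - cgr.dev/...`, if any zarf.yaml carries one) to whitespace, which the following trailing-whitespace strip turns into an empty line that survives `sort -u` and is counted by `wc -l` into `TOTAL`. Add `sed '/^[[:space:]]*$/d' | \` after the trailing-whitespace strip so the count and any later loop only see real image references. Only the extraction pipeline is visible here; the consumers of `$TEMP_IMAGES` run outside the hunk.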
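Review bot: `UDS_K3D_REF` is read with yq and interpolated straight into the second yq expression with no check; if the `uds-k3d-dev` package is absent from the local bundle or renamed, the variable is empty and the shim bundle is silently rewritten with `.ref = ""`, which is harder to diagnose than failing fast. Add `[[ -n "$UDS_K3D_REF" ]] || { echo "uds-k3d-dev ref not found in bundles/k3d-standard/uds-bundle.yaml"; exit 1; }` directly after the assignment. The task's `run` script starts and ends outside the hunk, so whether `set -e` applies is not visible here.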
From: UnicornChance Date: Wed, 6 May 2026 14:36:24 -0700 Subject: [PATCH 4/9] pr feedback: rename chainguard labels to unicorn, bump loki/vector/sidecar images, switch keycloak JCE toggle to repo-conditional, update chainctl auth commands, and rewrite unicorn flavor docs --- .github/actions/renovate-readiness/README.md | 6 +-- .../actions/renovate-readiness/action.yaml | 19 ++----- docs/dev/unicorn-registry-auth.md | 39 --------------- scripts/renovate/README.md | 2 +- .../renovate/compareImagesAndCharts.spec.ts | 22 ++++---- scripts/renovate/compareImagesAndCharts.ts | 10 ++-- src/grafana/values/unicorn-values.yaml | 2 +- src/grafana/zarf.yaml | 2 +- .../configmap-fips-jce-security.yaml | 2 +- src/keycloak/chart/templates/statefulset.yaml | 10 ++-- .../tests/kc_fips_jce_security_test.yaml | 50 +++++++++---------- src/keycloak/chart/values.schema.json | 5 -- src/keycloak/chart/values.yaml | 7 --- src/keycloak/values/unicorn-values.yaml | 1 - src/loki/values/unicorn-values.yaml | 7 +-- src/loki/zarf.yaml | 6 +-- .../values/unicorn/kube-prometheus-stack.yaml | 3 +- src/prometheus-stack/zarf.yaml | 2 +- src/vector/values/unicorn-values.yaml | 2 +- src/vector/zarf.yaml | 2 +- 20 files changed, 66 insertions(+), 133 deletions(-) delete mode 100644 docs/dev/unicorn-registry-auth.md diff --git a/.github/actions/renovate-readiness/README.md b/.github/actions/renovate-readiness/README.md index 13566e02e2..e38a9afe1d 100644 --- a/.github/actions/renovate-readiness/README.md +++ b/.github/actions/renovate-readiness/README.md 
@@ -23,7 +23,7 @@ The action performs the following steps: The action applies specific labels based on which versions are out of sync: - `waiting on upstream`: If package.json version is behind both/either image versions (indicates a Pepr release issue) - `waiting on ironbank`: If Ironbank image is behind package.json - - `waiting on chainguard`: If Chainguard image is behind package.json + - `waiting on unicorn`: If Unicorn image is behind package.json - Multiple `waiting on` labels can be applied if multiple images are behind - **Support Dependencies**: For support dependency updates, the action adds the `needs-review` label and sets `should_process` to `false` to prevent excessive IAC runs. @@ -33,7 +33,7 @@ The action performs the following steps: - It compares the extracted data using the `compareImagesAndCharts.ts` script. - Based on the comparison, it applies appropriate labels to the PR: - `waiting on ironbank`: If a registry1 image is behind - - `waiting on chainguard`: If a Chainguard image is behind + - `waiting on unicorn`: If a Unicorn image is behind - `helm-chart-only`: If a PR only contains a helm chart update - `needs-review`: If PR is NOT waiting on image updates - `major-helm-update`: If the PR contains a major chart version bump @@ -72,7 +72,7 @@ The TypeScript scripts are thoroughly tested using Jest: - **compareImagesAndCharts.test.ts**: Tests the comparison of images and charts, including: - Helm chart updates (both regular and major) - Image updates (including major updates) - - Waiting conditions for Ironbank and Rapidfort images + - Waiting conditions for Ironbank and Unicorn images - Missing or empty extract files - Invalid version formats diff --git a/.github/actions/renovate-readiness/action.yaml b/.github/actions/renovate-readiness/action.yaml index f80d40e7e0..31b01f8624 100644 --- a/.github/actions/renovate-readiness/action.yaml +++ b/.github/actions/renovate-readiness/action.yaml 
@@ -120,7 +120,7 @@ runs: echo "Upstream package.json is behind image versions - possible Pepr release issue" gh pr edit ${{ github.event.pull_request.number }} --add-label "waiting on upstream" gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on ironbank" || true - gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on chainguard" || true + gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on unicorn" || true else gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on upstream" || true @@ -131,18 +131,9 @@ runs: fi if [[ "$UNICORN_MISMATCH" == "true" ]]; then - gh pr edit ${{ github.event.pull_request.number }} --add-label "waiting on chainguard" + gh pr edit ${{ github.event.pull_request.number }} --add-label "waiting on unicorn" else - gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on chainguard" || true - fi - fi - - exit 1 - else - echo "All Pepr versions are in sync. Ready for review." - gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on upstream" || true - gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on ironbank" || true - gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on chainguard" || true + gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on unicorn" || true gh pr edit ${{ github.event.pull_request.number }} --add-label "needs-review" fi 
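Review bot: Beyond the label rename, the second hunk drops the `exit 1` and the `else` branch that handled the all-in-sync case, so `needs-review` is now added whenever `UNICORN_MISMATCH` is false — including right after the preceding branch added `waiting on ironbank` — and the step no longer fails on a mismatch; if I read the collapsed hunk correctly, that contradicts the README's definition of `needs-review` as "NOT waiting on image updates". If only the rename was intended, restore the removed structural lines; if the restructure is intentional, the commit message and the renovate-readiness README should say so. The enclosing `run:` script begins and ends outside the hunk.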
@@ -229,7 +220,7 @@ runs: echo "labels=$LABELS" >> $GITHUB_OUTPUT # Check if waiting on labels are present, or this is a helm chart update only - if [[ "$LABELS" == *"waiting on ironbank"* ]] || [[ "$LABELS" == *"waiting on chainguard"* ]] || [[ "$LABELS" == *"helm-chart-only"* ]]; then + if [[ "$LABELS" == *"waiting on ironbank"* ]] || [[ "$LABELS" == *"waiting on unicorn"* ]] || [[ "$LABELS" == *"helm-chart-only"* ]]; then echo "waiting=true" >> $GITHUB_OUTPUT else echo "waiting=false" >> $GITHUB_OUTPUT @@ -251,7 +242,7 @@ runs: echo "Current labels: $CURRENT_LABELS" # Define the managed labels we care about - MANAGED_LABELS=("waiting on upstream" "waiting on ironbank" "waiting on chainguard" "needs-review" "helm-chart-only" "major-helm-update" "major-image-update") + MANAGED_LABELS=("waiting on upstream" "waiting on ironbank" "waiting on unicorn" "needs-review" "helm-chart-only" "major-helm-update" "major-image-update") # Remove labels that are currently on the PR but not in the new set for LABEL in "${MANAGED_LABELS[@]}"; do diff --git a/docs/dev/unicorn-registry-auth.md b/docs/dev/unicorn-registry-auth.md deleted file mode 100644 index eb64a93311..0000000000 --- a/docs/dev/unicorn-registry-auth.md +++ /dev/null 
@@ -1,39 +0,0 @@ -# Unicorn registry authentication - -The `unicorn` flavor images are hosted on `cgr.dev/defenseunicorns.com`, a private Chainguard organization. Working with the unicorn flavor locally requires authentication to pull images from this registry. - -Use `chainctl` as a Docker credential helper. This approach exchanges short-lived OIDC tokens at pull time and requires no stored credentials. Do not create a static pull token for local development: tokens expire, require manual rotation, and expand your credential surface. - -## Prerequisites - -You must have `chainctl` installed and be a member of the `defenseunicorns.com` Chainguard organization. Install `chainctl` using the method appropriate for your OS from the [Chainguard documentation](https://edu.chainguard.dev/chainguard/administration/iam-organizations/how-to-install-chainctl/). Then log in: - -```bash -chainctl auth login -``` - -## Configure the credential helper - -Register `chainctl` as the credential helper for `cgr.dev`: - -```bash -chainctl auth configure-docker -``` - -This adds a `cgr.dev` entry to your `~/.docker/config.json` credential helper map. Any Docker-compatible tool that reads this config (Docker, Zarf, `crane`, `uds`) will automatically call `chainctl` for authentication when accessing `cgr.dev`. - -Verify access by pulling a unicorn image: - -```bash -docker pull cgr.dev/defenseunicorns.com/keycloak-fips:26.6.1 -``` - -## How it works - -When a tool needs credentials for `cgr.dev`, Docker calls `chainctl` as a subprocess to get a short-lived token backed by your SSO session. No password is stored. Your access is determined by your Chainguard organization membership, not by a credential you manage. - -## Troubleshooting - -**`unauthorized` or `403` error when pulling:** Run `chainctl auth login` to refresh your session, then retry. - -**`chainctl: command not found`:** Install `chainctl` and ensure it is on your `PATH`. 
diff --git a/scripts/renovate/README.md b/scripts/renovate/README.md index 932b367bb6..9c4b25beca 100644 --- a/scripts/renovate/README.md +++ b/scripts/renovate/README.md @@ -44,7 +44,7 @@ This script will: The scripts can apply the following labels to PRs: - `waiting on ironbank`: If a registry1 image is behind -- `waiting on chainguard`: If a Chainguard image is behind +- `waiting on unicorn`: If a Unicorn image is behind - `helm-chart-only`: If a PR only contains a helm chart update - `needs-review`: If PR is NOT waiting on image updates - `major-helm-update`: If the PR contains a major chart version bump diff --git a/scripts/renovate/compareImagesAndCharts.spec.ts b/scripts/renovate/compareImagesAndCharts.spec.ts index 0cc03dca2c..b54102c979 100644 --- a/scripts/renovate/compareImagesAndCharts.spec.ts +++ b/scripts/renovate/compareImagesAndCharts.spec.ts @@ -428,7 +428,7 @@ describe("compareImagesAndCharts", () => { const result = await compareImagesAndCharts("old", "new"); expect(result.labels).toContain("waiting on ironbank"); - expect(result.labels).toContain("waiting on chainguard"); + expect(result.labels).toContain("waiting on unicorn"); // Check for multiple Ironbank messages expect(result.changes).toContain( 
@@ -438,16 +438,16 @@ describe("compareImagesAndCharts", () => { "Waiting on Ironbank to update registry1.dso.mil/ironbank/curl to version 1.25.3", ); - // Check for multiple Chainguard messages + // Check for multiple Unicorn messages expect(result.changes).toContain( - "Waiting on Chainguard to update cgr.dev/defenseunicorns.com/nginx-fips to version 1.25.3", + "Waiting on Unicorn to update cgr.dev/defenseunicorns.com/nginx-fips to version 1.25.3", ); expect(result.changes).toContain( - "Waiting on Chainguard to update cgr.dev/defenseunicorns.com/curl-fips to version 1.25.3", + "Waiting on Unicorn to update cgr.dev/defenseunicorns.com/curl-fips to version 1.25.3", ); }); - it("should detect waiting on chainguard", async () => { + it("should detect waiting on unicorn", async () => { // Mock fs.readFileSync to return different content based on the file path (fs.readFileSync as Mock).mockImplementation(filePath => { if (filePath === "old/charts.yaml") { @@ -500,9 +500,9 @@ describe("compareImagesAndCharts", () => { const result = await compareImagesAndCharts("old", "new"); - expect(result.labels).toEqual(["waiting on chainguard"]); + expect(result.labels).toEqual(["waiting on unicorn"]); expect(result.changes).toContain( - "Waiting on Chainguard to update cgr.dev/defenseunicorns.com/nginx-fips to version 1.25.3", + "Waiting on Unicorn to update cgr.dev/defenseunicorns.com/nginx-fips to version 1.25.3", ); }); 
@@ -570,12 +570,12 @@ describe("compareImagesAndCharts", () => { const result = await compareImagesAndCharts("old", "new"); - expect(result.labels).toEqual(["waiting on ironbank", "waiting on chainguard"]); + expect(result.labels).toEqual(["waiting on ironbank", "waiting on unicorn"]); expect(result.changes).toContain( "Waiting on Ironbank to update registry1.dso.mil/ironbank/nginx to version 1.25.3", ); expect(result.changes).toContain( - "Waiting on Chainguard to update cgr.dev/defenseunicorns.com/nginx-fips to version 1.25.3", + "Waiting on Unicorn to update cgr.dev/defenseunicorns.com/nginx-fips to version 1.25.3", ); }); @@ -968,9 +968,9 @@ describe("compareImagesAndCharts", () => { const result = await compareImagesAndCharts("old", "new"); - expect(result.labels).toEqual(["waiting on chainguard"]); + expect(result.labels).toEqual(["waiting on unicorn"]); expect(result.changes).toContain( - "Waiting on Chainguard to update cgr.dev/defenseunicorns.com/loki-fips to version 3.5.0", + "Waiting on Unicorn to update cgr.dev/defenseunicorns.com/loki-fips to version 3.5.0", ); }); }); diff --git a/scripts/renovate/compareImagesAndCharts.ts b/scripts/renovate/compareImagesAndCharts.ts index 6c4bc593c2..d67ebb1509 100644 --- a/scripts/renovate/compareImagesAndCharts.ts +++ b/scripts/renovate/compareImagesAndCharts.ts @@ -52,7 +52,7 @@ export async function compareImagesAndCharts( // If no waiting labels were added, add needs-review if ( !result.labels.includes("waiting on ironbank") && - !result.labels.includes("waiting on chainguard") && + !result.labels.includes("waiting on unicorn") && !result.labels.includes("helm-chart-only") ) { result.labels.push("needs-review"); 
@@ -259,12 +259,10 @@ function compareImages(
 );
 } else if (missingImg.startsWith("cgr.dev/defenseunicorns.com")) {
 // Only add the label once, but add a message for each missing image 
- if (!result.labels.includes("waiting on chainguard")) { 
- result.labels.push("waiting on chainguard"); 
+ if (!result.labels.includes("waiting on unicorn")) { 
+ result.labels.push("waiting on unicorn");
 } 
- result.changes.push( 
- `Waiting on Chainguard to update ${imgName} to version ${newVersion}`, 
- ); 
+ result.changes.push(`Waiting on Unicorn to update ${imgName} to version ${newVersion}`);
 }
 } 

diff --git a/src/grafana/values/unicorn-values.yaml b/src/grafana/values/unicorn-values.yaml 
index 54571ef630..dfa755297f 100644 
--- a/src/grafana/values/unicorn-values.yaml 
+++ b/src/grafana/values/unicorn-values.yaml 
@@ -21,4 +21,4 @@ sidecar:
 image:
 registry: cgr.dev
 repository: defenseunicorns.com/k8s-sidecar-fips 
- tag: 2.5.1 
+ tag: 2.7.1 
diff --git a/src/grafana/zarf.yaml b/src/grafana/zarf.yaml 
index d8a2bab882..b39ed9788b 100644 
--- a/src/grafana/zarf.yaml 
+++ b/src/grafana/zarf.yaml 
@@ -65,4 +65,4 @@ components:
 - cgr.dev/defenseunicorns.com/grafana-fips:12.4.2
 - cgr.dev/defenseunicorns.com/busybox-fips:1.37.0
 - cgr.dev/defenseunicorns.com/curl-fips:8.19.0 
- - cgr.dev/defenseunicorns.com/k8s-sidecar-fips:2.5.1 
+ - cgr.dev/defenseunicorns.com/k8s-sidecar-fips:2.7.1 
diff --git a/src/keycloak/chart/templates/configmap-fips-jce-security.yaml b/src/keycloak/chart/templates/configmap-fips-jce-security.yaml 
index 4462c4bf33..41b47b6efc 100644 
--- a/src/keycloak/chart/templates/configmap-fips-jce-security.yaml 
+++ b/src/keycloak/chart/templates/configmap-fips-jce-security.yaml 
@@ -1,7 +1,7 @@
 # Copyright 2024-2026 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

-{{- if .Values.migrations.writeFipsJceSecurity }} 
+{{- if contains "cgr.dev" .Values.image.repository }}
 apiVersion: v1
 kind: ConfigMap
 metadata: 
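Review bot: The FIPS JCE override now switches on `contains "cgr.dev" .Values.image.repository` instead of an explicit value, so any image hosted on cgr.dev — not only keycloak-fips — gets SunJCE appended as `security.provider.99` and `JAVA_OPTS_APPEND` injected, with no way for an operator to opt out; the same substring test is repeated four times in the statefulset.yaml hunks. The rationale that lived in the values.schema.json description (SunJCE omitted from java.security, PKCS12 truststore creation failing, remove once Chainguard ships it) is deleted in the same commit, so that context should move into this template as a comment above the `if` stating why the override exists, what triggers it, and the condition for removing it. Consider narrowing the match to the keycloak-fips repository path, or factoring the condition into a named template helper so the four call sites cannot drift.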
diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml index f353e4e9d3..9bee4d7598 100644 --- a/src/keycloak/chart/templates/statefulset.yaml +++ b/src/keycloak/chart/templates/statefulset.yaml @@ -185,17 +185,17 @@ spec: - secretRef: name: {{ include "keycloak.fullname" . }}-realm-env env: - {{- if and .Values.migrations.writeFipsJceSecurity .Values.env }} + {{- if and (contains "cgr.dev" .Values.image.repository) .Values.env }} {{- range .Values.env }} {{- if eq .name "JAVA_OPTS_APPEND" }} - {{- fail "migrations.writeFipsJceSecurity=true conflicts with JAVA_OPTS_APPEND in .Values.env; the chart injects JAVA_OPTS_APPEND to load the FIPS JCE security override" }} + {{- fail "cgr.dev image detected with JAVA_OPTS_APPEND in .Values.env; the chart injects JAVA_OPTS_APPEND to load the FIPS JCE security override" }} {{- end }} {{- end }} {{- end }} {{- if .Values.env }} {{- tpl (toYaml .Values.env) . | nindent 12 }} {{- end }} - {{- if .Values.migrations.writeFipsJceSecurity }} + {{- if contains "cgr.dev" .Values.image.repository }} - name: JAVA_OPTS_APPEND value: "-Djava.security.properties=/opt/keycloak/data/fips-sunjce.security" {{- end }} @@ -400,7 +400,7 @@ spec: {{- with .Values.extraVolumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} - {{- if .Values.migrations.writeFipsJceSecurity }} + {{- if contains "cgr.dev" .Values.image.repository }} - name: fips-jce-security mountPath: /opt/keycloak/data/fips-sunjce.security subPath: fips-sunjce.security @@ -495,7 +495,7 @@ spec: {{- end }} {{- end }} {{- end }} - {{- if .Values.migrations.writeFipsJceSecurity }} + {{- if contains "cgr.dev" .Values.image.repository }} - name: fips-jce-security configMap: name: {{ include "keycloak.fullname" . }}-fips-jce-security diff --git a/src/keycloak/chart/tests/kc_fips_jce_security_test.yaml b/src/keycloak/chart/tests/kc_fips_jce_security_test.yaml index 86b867d3c9..3b666a2713 100644 
--- a/src/keycloak/chart/tests/kc_fips_jce_security_test.yaml +++ b/src/keycloak/chart/tests/kc_fips_jce_security_test.yaml @@ -9,19 +9,19 @@ templates: - configmap-fips-jce-security.yaml tests: - - it: should NOT render the fips-jce-security configmap when writeFipsJceSecurity is false + - it: should NOT render the fips-jce-security configmap when image.repository does not contain cgr.dev set: - migrations: - writeFipsJceSecurity: false + image: + repository: quay.io/keycloak/keycloak template: configmap-fips-jce-security.yaml asserts: - hasDocuments: count: 0 - - it: should render the fips-jce-security configmap when writeFipsJceSecurity is true + - it: should render the fips-jce-security configmap when image.repository contains cgr.dev set: - migrations: - writeFipsJceSecurity: true + image: + repository: cgr.dev/defenseunicorns.com/keycloak-fips template: configmap-fips-jce-security.yaml asserts: - hasDocuments: @@ -29,20 +29,20 @@ tests: - isKind: of: ConfigMap - - it: should include SunJCE provider in configmap data when writeFipsJceSecurity is true + - it: should include SunJCE provider in configmap data when image.repository contains cgr.dev set: - migrations: - writeFipsJceSecurity: true + image: + repository: cgr.dev/defenseunicorns.com/keycloak-fips template: configmap-fips-jce-security.yaml asserts: - matchRegex: path: data["fips-sunjce.security"] pattern: "security\\.provider\\.99=SunJCE" - - it: should NOT inject JAVA_OPTS_APPEND when writeFipsJceSecurity is false + - it: should NOT inject JAVA_OPTS_APPEND when image.repository does not contain cgr.dev set: - migrations: - writeFipsJceSecurity: false + image: + repository: quay.io/keycloak/keycloak template: statefulset.yaml asserts: - notContains: 
@@ -50,10 +50,10 @@ tests: content: name: JAVA_OPTS_APPEND - - it: should inject JAVA_OPTS_APPEND with correct path when writeFipsJceSecurity is true + - it: should inject JAVA_OPTS_APPEND with correct path when image.repository contains cgr.dev set: - migrations: - writeFipsJceSecurity: true + image: + repository: cgr.dev/defenseunicorns.com/keycloak-fips template: statefulset.yaml asserts: - contains: @@ -62,10 +62,10 @@ tests: name: JAVA_OPTS_APPEND value: "-Djava.security.properties=/opt/keycloak/data/fips-sunjce.security" - - it: should NOT add fips-jce-security volumeMount when writeFipsJceSecurity is false + - it: should NOT add fips-jce-security volumeMount when image.repository does not contain cgr.dev set: - migrations: - writeFipsJceSecurity: false + image: + repository: quay.io/keycloak/keycloak template: statefulset.yaml asserts: - notContains: @@ -73,10 +73,10 @@ tests: content: name: fips-jce-security - - it: should add fips-jce-security volumeMount when writeFipsJceSecurity is true + - it: should add fips-jce-security volumeMount when image.repository contains cgr.dev set: - migrations: - writeFipsJceSecurity: true + image: + repository: cgr.dev/defenseunicorns.com/keycloak-fips template: statefulset.yaml asserts: - contains: 
@@ -87,14 +87,14 @@ tests: subPath: fips-sunjce.security readOnly: true - - it: should fail render when writeFipsJceSecurity=true and env contains JAVA_OPTS_APPEND + - it: should fail render when image.repository contains cgr.dev and env contains JAVA_OPTS_APPEND set: - migrations: - writeFipsJceSecurity: true + image: + repository: cgr.dev/defenseunicorns.com/keycloak-fips env: - name: JAVA_OPTS_APPEND value: "-Xmx512m" template: statefulset.yaml asserts: - failedTemplate: - errorMessage: "migrations.writeFipsJceSecurity=true conflicts with JAVA_OPTS_APPEND in .Values.env; the chart injects JAVA_OPTS_APPEND to load the FIPS JCE security override" + errorMessage: "cgr.dev image detected with JAVA_OPTS_APPEND in .Values.env; the chart injects JAVA_OPTS_APPEND to load the FIPS JCE security override" diff --git a/src/keycloak/chart/values.schema.json b/src/keycloak/chart/values.schema.json index 0fc11b7923..bebaef1fa7 100644 --- a/src/keycloak/chart/values.schema.json +++ b/src/keycloak/chart/values.schema.json @@ -650,11 +650,6 @@ "deleteGeneratedTrustStore": { "type": "boolean" }, - "writeFipsJceSecurity": { - "type": "boolean", - "default": false, - "description": "Mounts a JVM security properties override that adds SunJCE as provider.99. Required for cgr.dev keycloak-fips images, which omit SunJCE from java.security, causing PKCS12 truststore creation to fail with HmacPBESHA256 not available. Remove once Chainguard ships keycloak-fips with SunJCE included." - }, "upgradePermissions": { "type": "boolean" } diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index 70f0f78490..e486923ffd 100644 --- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml 
@@ -415,13 +415,6 @@ env: [] migrations: # Deletes the generated truststore to enable recreating it by Keycloak deleteGeneratedTrustStore: false - # Mounts a JVM security properties override that adds SunJCE as provider.99. - # Required for cgr.dev keycloak-fips images, which omit SunJCE from java.security, - # causing Keycloak's hardcoded PKCS12 truststore creation to fail with - # "Algorithm HmacPBESHA256 not available". BC FIPS remains the primary provider. - # Remove this flag and configmap-fips-jce-security.yaml once Chainguard ships - # keycloak-fips with SunJCE included in java.security. - writeFipsJceSecurity: false # Runs a privileged init container during `helm upgrade` to chown persistent volumes upgradePermissions: false diff --git a/src/keycloak/values/unicorn-values.yaml b/src/keycloak/values/unicorn-values.yaml index fac34ce6db..9ead810e4b 100644 --- a/src/keycloak/values/unicorn-values.yaml +++ b/src/keycloak/values/unicorn-values.yaml @@ -16,4 +16,3 @@ image: migrations: deleteGeneratedTrustStore: true - writeFipsJceSecurity: true diff --git a/src/loki/values/unicorn-values.yaml b/src/loki/values/unicorn-values.yaml index 49cbf36ceb..f7f6235d05 100644 --- a/src/loki/values/unicorn-values.yaml +++ b/src/loki/values/unicorn-values.yaml @@ -5,13 +5,11 @@ loki: image: registry: cgr.dev/defenseunicorns.com repository: loki-fips - # NOTE: exact version 3.7.1 not available at cgr.dev/defenseunicorns.com; using 3.6.10 - tag: 3.6.10 + tag: 3.7.1 gateway: image: registry: cgr.dev/defenseunicorns.com repository: nginx-fips - # NOTE: exact version 1.29.7 not available at cgr.dev/defenseunicorns.com; using 1.29.8 tag: 1.29.8 memcached: image: @@ -20,5 +18,4 @@ memcached: sidecar: image: repository: cgr.dev/defenseunicorns.com/k8s-sidecar-fips - # NOTE: exact version 2.5.0 not available at cgr.dev/defenseunicorns.com; using 2.5.1 - tag: 2.5.1 + tag: 2.7.1 diff --git a/src/loki/zarf.yaml b/src/loki/zarf.yaml index d6e6388fc9..d94420e0d3 100644 
--- a/src/loki/zarf.yaml +++ b/src/loki/zarf.yaml @@ -59,7 +59,7 @@ components: valuesFiles: - ./values/unicorn-values.yaml images: - - cgr.dev/defenseunicorns.com/loki-fips:3.6.10 # NOTE: exact version 3.7.1 not available at cgr.dev/defenseunicorns.com; using 3.6.10 - - cgr.dev/defenseunicorns.com/nginx-fips:1.29.8 # NOTE: exact version 1.29.7 not available at cgr.dev/defenseunicorns.com; using 1.29.8 + - cgr.dev/defenseunicorns.com/loki-fips:3.7.1 + - cgr.dev/defenseunicorns.com/nginx-fips:1.29.8 - cgr.dev/defenseunicorns.com/memcached-fips:1.6.41 - - cgr.dev/defenseunicorns.com/k8s-sidecar-fips:2.5.1 # NOTE: exact version 2.5.0 not available at cgr.dev/defenseunicorns.com; using 2.5.1 + - cgr.dev/defenseunicorns.com/k8s-sidecar-fips:2.7.1 diff --git a/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml b/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml index b5436b6939..e2eb2779b2 100644 --- a/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml +++ b/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml @@ -41,8 +41,7 @@ prometheusOperator: image: registry: cgr.dev repository: defenseunicorns.com/kube-webhook-certgen-fips - # NOTE: exact version 1.6.9 not available at cgr.dev/defenseunicorns.com; using 1.15.2 (major jump) - # NOTE: upstream ingress-nginx/kube-webhook-certgen is deprecated; successor jkroepke/kube-webhook-certgen not yet in Chainguard + # Chainguard provides kube-webhook-certgen from their ingress-nginx package, which follows a different versioning scheme than upstream's ingress-nginx/kube-webhook-certgen tag: 1.15.2 securityContext: runAsGroup: 65532 diff --git a/src/prometheus-stack/zarf.yaml b/src/prometheus-stack/zarf.yaml index 9a7fad08b6..8f7b973184 100644 --- a/src/prometheus-stack/zarf.yaml +++ b/src/prometheus-stack/zarf.yaml 
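Review bot: The rewritten comment on `kube-webhook-certgen-fips` drops the statement that upstream ingress-nginx/kube-webhook-certgen is deprecated and that its successor is not yet available from Chainguard; that is the supply-chain fact a reviewer of this pin needs most, and the same rewrite recurs on the `kube-webhook-certgen-fips:1.15.2` line in `src/prometheus-stack/zarf.yaml` on the next line of this page. Keep both facts together, e.g. `# Chainguard builds kube-webhook-certgen from its ingress-nginx package (versioning differs from upstream); upstream ingress-nginx/kube-webhook-certgen is deprecated and its successor is not yet in Chainguard`.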
@@ -78,7 +78,7 @@ components: - "cgr.dev/defenseunicorns.com/prometheus-alertmanager-fips:0.31.1" # NOTE: exact version 0.32.1 not available at cgr.dev/defenseunicorns.com; using 0.31.1 - "cgr.dev/defenseunicorns.com/prometheus-config-reloader-fips:0.90.1" - "cgr.dev/defenseunicorns.com/prometheus-fips:3.11.3" - - "cgr.dev/defenseunicorns.com/kube-webhook-certgen-fips:1.15.2" # NOTE: exact version 1.6.9 not available; using 1.15.2 (major jump); upstream ingress-nginx/kube-webhook-certgen deprecated + - "cgr.dev/defenseunicorns.com/kube-webhook-certgen-fips:1.15.2" # Chainguard provides kube-webhook-certgen from their ingress-nginx package, which follows a different versioning scheme than upstream's ingress-nginx/kube-webhook-certgen - name: prometheus-blackbox-exporter required: true diff --git a/src/vector/values/unicorn-values.yaml b/src/vector/values/unicorn-values.yaml index c8ad4124e4..23d9111720 100644 --- a/src/vector/values/unicorn-values.yaml +++ b/src/vector/values/unicorn-values.yaml @@ -3,4 +3,4 @@ image: repository: cgr.dev/defenseunicorns.com/vector-fips - tag: 0.54.0 + tag: 0.55.0 diff --git a/src/vector/zarf.yaml b/src/vector/zarf.yaml index 9ea3c2b0a0..cafc131a23 100644 --- a/src/vector/zarf.yaml +++ b/src/vector/zarf.yaml @@ -52,4 +52,4 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - cgr.dev/defenseunicorns.com/vector-fips:0.54.0 + - cgr.dev/defenseunicorns.com/vector-fips:0.55.0 From 432b8a916089d90e92a231a686d6c40cd6379fe1 Mon Sep 17 00:00:00 2001 From: UnicornChance Date: Mon, 11 May 2026 07:38:53 -0700 Subject: [PATCH 5/9] cgr version updates --- src/keycloak/chart/values.yaml | 2 +- src/keycloak/values/registry1-values.yaml | 2 +- src/keycloak/zarf.yaml | 6 +++--- .../values/unicorn/kube-prometheus-stack.yaml | 3 +-- src/prometheus-stack/zarf.yaml | 2 +- 5 files changed, 7 insertions(+), 8 deletions(-) diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index e486923ffd..be092c456d 100644 
--- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml @@ -10,7 +10,7 @@ image: pullPolicy: IfNotPresent # renovate: datasource=github-tags depName=defenseunicorns/uds-identity-config versioning=semver -configImage: ghcr.io/defenseunicorns/uds/identity-config:0.26.1 +configImage: ghcr.io/defenseunicorns/uds/identity-config:0.27.0 # The public domain name of the Keycloak server domain: "###ZARF_VAR_DOMAIN###" diff --git a/src/keycloak/values/registry1-values.yaml b/src/keycloak/values/registry1-values.yaml index 39c0afbe5a..821be872b5 100644 --- a/src/keycloak/values/registry1-values.yaml +++ b/src/keycloak/values/registry1-values.yaml @@ -13,7 +13,7 @@ securityContext: capabilities: drop: - ALL -configImage: registry1.dso.mil/ironbank/opensource/defenseunicorns/uds/uds-identity-config:0.26.1 +configImage: registry1.dso.mil/ironbank/opensource/defenseunicorns/uds/uds-identity-config:0.27.0 migrations: deleteGeneratedTrustStore: true diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml index 11d6a294b2..5338fc80aa 100644 --- a/src/keycloak/zarf.yaml +++ b/src/keycloak/zarf.yaml @@ -32,7 +32,7 @@ components: - "values/upstream-values.yaml" images: - quay.io/keycloak/keycloak:26.6.1 - - ghcr.io/defenseunicorns/uds/identity-config:0.26.1 + - ghcr.io/defenseunicorns/uds/identity-config:0.27.0 - name: keycloak required: true @@ -46,7 +46,7 @@ components: - "values/registry1-values.yaml" images: - registry1.dso.mil/ironbank/opensource/keycloak/keycloak-fips:26.6.1-fips - - registry1.dso.mil/ironbank/opensource/defenseunicorns/uds/uds-identity-config:0.26.1 + - registry1.dso.mil/ironbank/opensource/defenseunicorns/uds/uds-identity-config:0.27.0 - name: keycloak required: true @@ -60,4 +60,4 @@ components: - "values/unicorn-values.yaml" images: - cgr.dev/defenseunicorns.com/keycloak-fips:26.6.1 - - ghcr.io/defenseunicorns/uds/identity-config:0.26.1 + - ghcr.io/defenseunicorns/uds/identity-config:0.27.0 
diff --git a/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml b/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml index e2eb2779b2..07f7868494 100644 --- a/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml +++ b/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml @@ -6,8 +6,7 @@ alertmanager: image: registry: cgr.dev repository: defenseunicorns.com/prometheus-alertmanager-fips - # NOTE: exact version 0.32.1 not available at cgr.dev/defenseunicorns.com; using 0.31.1 - tag: 0.31.1 + tag: 0.32.1 kube-state-metrics: image: registry: cgr.dev diff --git a/src/prometheus-stack/zarf.yaml b/src/prometheus-stack/zarf.yaml index 8f7b973184..b6df2227f2 100644 --- a/src/prometheus-stack/zarf.yaml +++ b/src/prometheus-stack/zarf.yaml @@ -75,7 +75,7 @@ components: - "cgr.dev/defenseunicorns.com/prometheus-node-exporter-fips:1.11.1" - "cgr.dev/defenseunicorns.com/prometheus-operator-fips:0.90.1" - "cgr.dev/defenseunicorns.com/kube-state-metrics-fips:2.18.0" - - "cgr.dev/defenseunicorns.com/prometheus-alertmanager-fips:0.31.1" # NOTE: exact version 0.32.1 not available at cgr.dev/defenseunicorns.com; using 0.31.1 + - "cgr.dev/defenseunicorns.com/prometheus-alertmanager-fips:0.32.1" - "cgr.dev/defenseunicorns.com/prometheus-config-reloader-fips:0.90.1" - "cgr.dev/defenseunicorns.com/prometheus-fips:3.11.3" - "cgr.dev/defenseunicorns.com/kube-webhook-certgen-fips:1.15.2" # Chainguard provides kube-webhook-certgen from their ingress-nginx package, which follows a different versioning scheme than upstream's ingress-nginx/kube-webhook-certgen From 8a8cc932cbec1ddc803336e536f1ff6063f2354e Mon Sep 17 00:00:00 2001 From: UnicornChance Date: Mon, 11 May 2026 08:06:33 -0700 Subject: [PATCH 6/9] fix lint --- src/keycloak/zarf.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml index c0ff18fcc7..5338fc80aa 100644 --- a/src/keycloak/zarf.yaml +++ b/src/keycloak/zarf.yaml 
@@ -59,9 +59,5 @@ components: valuesFiles: - "values/unicorn-values.yaml" images: -<<<<<<< chance/core-522 - cgr.dev/defenseunicorns.com/keycloak-fips:26.6.1 -======= - - quay.io/rfcurated/keycloak:26.6.1-jammy-fips-rfcurated ->>>>>>> main - ghcr.io/defenseunicorns/uds/identity-config:0.27.0 From 2f3fa497b0bd2122d7a59ead369ffdd262d7fc31 Mon Sep 17 00:00:00 2001 From: UnicornChance Date: Mon, 18 May 2026 11:17:17 -0700 Subject: [PATCH 7/9] bump istio images for new fixes --- src/istio/values/unicorn/cni.yaml | 2 +- src/istio/values/unicorn/istiod.yaml | 6 +++--- src/istio/values/unicorn/ztunnel.yaml | 2 +- src/istio/zarf.yaml | 8 ++++---- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/istio/values/unicorn/cni.yaml b/src/istio/values/unicorn/cni.yaml index f2f40c2d1e..b958093f95 100644 --- a/src/istio/values/unicorn/cni.yaml +++ b/src/istio/values/unicorn/cni.yaml @@ -2,4 +2,4 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial cni: - image: cgr.dev/defenseunicorns.com/istio-install-cni-fips:1.29.1 + image: cgr.dev/defenseunicorns.com/istio-install-cni-fips:1.29.2 diff --git a/src/istio/values/unicorn/istiod.yaml b/src/istio/values/unicorn/istiod.yaml index 38961a7684..8676ae84a3 100644 --- a/src/istio/values/unicorn/istiod.yaml +++ b/src/istio/values/unicorn/istiod.yaml 
@@ -2,11 +2,11 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial pilot: - image: "cgr.dev/defenseunicorns.com/istio-pilot-fips:1.29.1" + image: "cgr.dev/defenseunicorns.com/istio-pilot-fips:1.29.2" global: proxy_init: # renovate: image=cgr.dev/defenseunicorns.com/istio-proxy-fips - image: "###ZARF_REGISTRY###/defenseunicorns.com/istio-proxy-fips:1.29.1" + image: "###ZARF_REGISTRY###/defenseunicorns.com/istio-proxy-fips:1.29.2" proxy: # renovate: image=cgr.dev/defenseunicorns.com/istio-proxy-fips - image: "###ZARF_REGISTRY###/defenseunicorns.com/istio-proxy-fips:1.29.1" + image: "###ZARF_REGISTRY###/defenseunicorns.com/istio-proxy-fips:1.29.2" diff --git a/src/istio/values/unicorn/ztunnel.yaml b/src/istio/values/unicorn/ztunnel.yaml index f6c8f93936..5f33ba135e 100644 --- a/src/istio/values/unicorn/ztunnel.yaml +++ b/src/istio/values/unicorn/ztunnel.yaml @@ -1,4 +1,4 @@ # Copyright 2024-2026 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial -image: cgr.dev/defenseunicorns.com/ztunnel-fips:1.29.1 +image: cgr.dev/defenseunicorns.com/ztunnel-fips:1.29.2 diff --git a/src/istio/zarf.yaml b/src/istio/zarf.yaml index 0efd689e37..2c9bda66f3 100644 --- a/src/istio/zarf.yaml +++ b/src/istio/zarf.yaml @@ -82,10 +82,10 @@ components: - "values/unicorn/ztunnel.yaml" # @lulaStart b4367e52-bef0-4463-a906-e5af6b4aa015 images: - - cgr.dev/defenseunicorns.com/istio-pilot-fips:1.29.1 - - cgr.dev/defenseunicorns.com/istio-proxy-fips:1.29.1 - - cgr.dev/defenseunicorns.com/istio-install-cni-fips:1.29.1 - - cgr.dev/defenseunicorns.com/ztunnel-fips:1.29.1 + - cgr.dev/defenseunicorns.com/istio-pilot-fips:1.29.2 + - cgr.dev/defenseunicorns.com/istio-proxy-fips:1.29.2 + - cgr.dev/defenseunicorns.com/istio-install-cni-fips:1.29.2 + - cgr.dev/defenseunicorns.com/ztunnel-fips:1.29.2 # @lulaEnd b4367e52-bef0-4463-a906-e5af6b4aa015 - name: gateway-api-crds 
From ca65b3ba89fa4558968421e65a389da24dcdde11 Mon Sep 17 00:00:00 2001 From: UnicornChance Date: Mon, 18 May 2026 13:09:25 -0700 Subject: [PATCH 8/9] cleanup and update promstack versions --- .github/actions/renovate-readiness/README.md | 6 +++--- .github/actions/renovate-readiness/action.yaml | 11 ++++++++++- .../values/unicorn/blackbox-exporter.yaml | 2 +- .../values/unicorn/kube-prometheus-stack.yaml | 4 ++-- src/prometheus-stack/zarf.yaml | 6 +++--- tasks/deploy.yaml | 9 ++------- 6 files changed, 21 insertions(+), 17 deletions(-) diff --git a/.github/actions/renovate-readiness/README.md b/.github/actions/renovate-readiness/README.md index e38a9afe1d..38941a1c50 100644 --- a/.github/actions/renovate-readiness/README.md +++ b/.github/actions/renovate-readiness/README.md @@ -23,7 +23,7 @@ The action performs the following steps: The action applies specific labels based on which versions are out of sync: - `waiting on upstream`: If package.json version is behind both/either image versions (indicates a Pepr release issue) - `waiting on ironbank`: If Ironbank image is behind package.json - - `waiting on unicorn`: If Unicorn image is behind package.json + - `waiting on unicorn`: If Unicorn image is behind package.json - Multiple `waiting on` labels can be applied if multiple images are behind - **Support Dependencies**: For support dependency updates, the action adds the `needs-review` label and sets `should_process` to `false` to prevent excessive IAC runs. 
@@ -33,7 +33,7 @@ The action performs the following steps: - It compares the extracted data using the `compareImagesAndCharts.ts` script. - Based on the comparison, it applies appropriate labels to the PR: - `waiting on ironbank`: If a registry1 image is behind - - `waiting on unicorn`: If a Unicorn image is behind + - `waiting on unicorn`: If a Unicorn image is behind - `helm-chart-only`: If a PR only contains a helm chart update - `needs-review`: If PR is NOT waiting on image updates - `major-helm-update`: If the PR contains a major chart version bump @@ -72,7 +72,7 @@ The TypeScript scripts are thoroughly tested using Jest: - **compareImagesAndCharts.test.ts**: Tests the comparison of images and charts, including: - Helm chart updates (both regular and major) - Image updates (including major updates) - - Waiting conditions for Ironbank and Unicorn images + - Waiting conditions for Ironbank and Unicorn images - Missing or empty extract files - Invalid version formats diff --git a/.github/actions/renovate-readiness/action.yaml b/.github/actions/renovate-readiness/action.yaml index 31b01f8624..bcc52cb461 100644 --- a/.github/actions/renovate-readiness/action.yaml +++ b/.github/actions/renovate-readiness/action.yaml @@ -134,6 +134,15 @@ runs: gh pr edit ${{ github.event.pull_request.number }} --add-label "waiting on unicorn" else gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on unicorn" || true + fi + fi + + exit 1 + else + echo "All Pepr versions are in sync. Ready for review." + gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on upstream" || true + gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on ironbank" || true + gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on unicorn" || true gh pr edit ${{ github.event.pull_request.number }} --add-label "needs-review" fi 
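Review bot: The new in-sync branch clears all three `waiting on` labels before adding `needs-review`, but the waiting branch above it (whose start is outside this hunk) does not visibly remove a stale `needs-review` label before the added `exit 1`, so a PR that was once in sync and then regresses keeps both kinds of label. Unless that removal already happens earlier in the step, add `gh pr edit ${{ github.event.pull_request.number }} --remove-label "needs-review" || true` next to the `exit 1`. The `--add-label "needs-review"` call is also the only `gh pr edit` in this block without `|| true`; if a failed add is meant to fail the step, a short comment saying so would stop someone from "fixing" the asymmetry.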
@@ -220,7 +229,7 @@ runs: echo "labels=$LABELS" >> $GITHUB_OUTPUT # Check if waiting on labels are present, or this is a helm chart update only - if [[ "$LABELS" == *"waiting on ironbank"* ]] || [[ "$LABELS" == *"waiting on unicorn"* ]] || [[ "$LABELS" == *"helm-chart-only"* ]]; then + if [[ "$LABELS" == *"waiting on ironbank"* ]] || [[ "$LABELS" == *"waiting on unicorn"* ]] || [[ "$LABELS" == *"helm-chart-only"* ]]; then echo "waiting=true" >> $GITHUB_OUTPUT else echo "waiting=false" >> $GITHUB_OUTPUT diff --git a/src/prometheus-stack/values/unicorn/blackbox-exporter.yaml b/src/prometheus-stack/values/unicorn/blackbox-exporter.yaml index 455fc63780..dc1b824882 100644 --- a/src/prometheus-stack/values/unicorn/blackbox-exporter.yaml +++ b/src/prometheus-stack/values/unicorn/blackbox-exporter.yaml @@ -10,4 +10,4 @@ configReloader: image: registry: cgr.dev repository: defenseunicorns.com/prometheus-config-reloader-fips - tag: 0.90.1 + tag: 0.91.0 diff --git a/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml b/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml index 07f7868494..8a328520f5 100644 --- a/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml +++ b/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml @@ -49,9 +49,9 @@ prometheusOperator: image: registry: cgr.dev repository: defenseunicorns.com/prometheus-operator-fips - tag: 0.90.1 + tag: 0.91.0 prometheusConfigReloader: image: registry: cgr.dev repository: defenseunicorns.com/prometheus-config-reloader-fips - tag: 0.90.1 + tag: 0.91.0 diff --git a/src/prometheus-stack/zarf.yaml b/src/prometheus-stack/zarf.yaml index 2202de302f..0364128267 100644 --- a/src/prometheus-stack/zarf.yaml +++ b/src/prometheus-stack/zarf.yaml 
@@ -73,10 +73,10 @@ components: - "values/unicorn/kube-prometheus-stack.yaml" images: - "cgr.dev/defenseunicorns.com/prometheus-node-exporter-fips:1.11.1" - - "cgr.dev/defenseunicorns.com/prometheus-operator-fips:0.90.1" + - "cgr.dev/defenseunicorns.com/prometheus-operator-fips:0.91.0" - "cgr.dev/defenseunicorns.com/kube-state-metrics-fips:2.18.0" - "cgr.dev/defenseunicorns.com/prometheus-alertmanager-fips:0.32.1" - - "cgr.dev/defenseunicorns.com/prometheus-config-reloader-fips:0.90.1" + - "cgr.dev/defenseunicorns.com/prometheus-config-reloader-fips:0.91.0" - "cgr.dev/defenseunicorns.com/prometheus-fips:3.11.3" - "cgr.dev/defenseunicorns.com/kube-webhook-certgen-fips:1.15.2" # Chainguard provides kube-webhook-certgen from their ingress-nginx package, which follows a different versioning scheme than upstream's ingress-nginx/kube-webhook-certgen @@ -123,4 +123,4 @@ components: - "values/unicorn/blackbox-exporter.yaml" images: - "cgr.dev/defenseunicorns.com/prometheus-blackbox-exporter-fips:0.28.0" - - "cgr.dev/defenseunicorns.com/prometheus-config-reloader-fips:0.90.1" + - "cgr.dev/defenseunicorns.com/prometheus-config-reloader-fips:0.91.0" diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 72a95ef978..b176e3d7c7 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml 
@@ -126,16 +126,11 @@ tasks: # Download latest release bundle curl -sSL https://raw.githubusercontent.com/defenseunicorns/uds-core/v${LATEST_CORE_TAG}/bundles/k3d-standard/uds-bundle.yaml -o tmp/core-shim/uds-bundle.yaml - # Read k3d ref from local bundle so the cluster matches the current branch's expected node OS - UDS_K3D_REF=$(./uds zarf tools yq '.packages[] | select(.name == "uds-k3d-dev") | .ref' bundles/k3d-standard/uds-bundle.yaml) - - # Update the bundle: pin core to the latest release OCI ref, and k3d to the current branch's version + # Update the bundle: pin core to the latest release OCI ref ./uds zarf tools yq e -i " del(.packages[] | select(.name == \"core\").path) | .packages[] |= (select(.name == \"core\") | - .repository = \"${TARGET_REPO}/core\" | .ref = \"${LATEST_VERSION}\") | - .packages[] |= (select(.name == \"uds-k3d-dev\") | - .ref = \"${UDS_K3D_REF}\")" \ + .repository = \"${TARGET_REPO}/core\" | .ref = \"${LATEST_VERSION}\")" \ tmp/core-shim/uds-bundle.yaml # Create and deploy the bundle From 8208d9e9963bea4447e741d67093cfe5cb7a65da Mon Sep 17 00:00:00 2001 From: UnicornChance Date: Mon, 18 May 2026 13:50:42 -0700 Subject: [PATCH 9/9] distroless promstack node exporter --- src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml b/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml index 8a328520f5..fe03ccce92 100644 --- a/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml +++ b/src/prometheus-stack/values/unicorn/kube-prometheus-stack.yaml @@ -29,6 +29,7 @@ prometheus-node-exporter: registry: cgr.dev repository: defenseunicorns.com/prometheus-node-exporter-fips tag: 1.11.1 + distroless: false prometheusOperator: admissionWebhooks: containerSecurityContext:
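Review bot: Dropping the `uds-k3d-dev` ref pin removes the reason the deleted comment gave (keeping the cluster on the branch's expected node OS) without recording why the release bundle's k3d ref is now acceptable, and the commit title ("cleanup and update promstack versions") does not explain it either. Extend the surviving comment, e.g. `# Update the bundle: pin core to the latest release OCI ref; the k3d ref pinned in that release bundle is used as-is because <reason — fill in>`, or point at the change that made the pin unnecessary. The task's script block starts outside this hunk.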
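Review bot: The added `distroless: false` reads as the opposite of the commit title "distroless promstack node exporter", and nothing on the line says what the prometheus-node-exporter chart changes for the Chainguard `prometheus-node-exporter-fips:1.11.1` image when this flag is false, so a reader cannot tell whether the value or the title is the one to trust. A comment above the key naming the chart behaviour being selected, e.g. `# <what the chart does with distroless=false for this image — confirm against the chart's values.yaml>`, would make the intent checkable; the enclosing `prometheus-node-exporter:` block starts outside the hunk.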