defenseunicorns · chance-coleman · May 20, 2026 · May 5, 2026 · May 5, 2026 · May 5, 2026
@@ -23,7 +23,7 @@ The action performs the following steps:
      The action applies specific labels based on which versions are out of sync:
      - `waiting on upstream`: If package.json version is behind both/either image versions (indicates a Pepr release issue)
      - `waiting on ironbank`: If Ironbank image is behind package.json
-     - `waiting on unicorn`: If Unicorn image is behind package.json
+     - `waiting on chainguard`: If Chainguard image is behind package.json
      - Multiple `waiting on` labels can be applied if multiple images are behind
    - **Support Dependencies**: For support dependency updates, the action adds the `needs-review` label and sets `should_process` to `false` to prevent excessive IAC runs.
 
@@ -33,7 +33,7 @@ The action performs the following steps:
    - It compares the extracted data using the `compareImagesAndCharts.ts` script.
    - Based on the comparison, it applies appropriate labels to the PR:
      - `waiting on ironbank`: If a registry1 image is behind
-     - `waiting on rapidfort`: If a rapidfort image is behind
+     - `waiting on chainguard`: If a Chainguard image is behind
      - `helm-chart-only`: If a PR only contains a helm chart update
      - `needs-review`: If PR is NOT waiting on image updates
      - `major-helm-update`: If the PR contains a major chart version bump

@@ -1,4 +1,4 @@
-# Copyright 2024 Defense Unicorns
+# Copyright 2024-2026 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 name: renovate-readiness
@@ -120,7 +120,7 @@ runs:
             echo "Upstream package.json is behind image versions - possible Pepr release issue"
             gh pr edit ${{ github.event.pull_request.number }} --add-label "waiting on upstream"
             gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on ironbank" || true
-            gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on unicorn" || true
+            gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on chainguard" || true
           else
             gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on upstream" || true
 
@@ -131,9 +131,9 @@ runs:
             fi
 
             if [[ "$UNICORN_MISMATCH" == "true" ]]; then
-              gh pr edit ${{ github.event.pull_request.number }} --add-label "waiting on unicorn"
+              gh pr edit ${{ github.event.pull_request.number }} --add-label "waiting on chainguard"
             else
-              gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on unicorn" || true
+              gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on chainguard" || true
             fi
           fi
 
@@ -142,7 +142,7 @@ runs:
           echo "All Pepr versions are in sync. Ready for review."
           gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on upstream" || true
           gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on ironbank" || true
-          gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on unicorn" || true
+          gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on chainguard" || true
           gh pr edit ${{ github.event.pull_request.number }} --add-label "needs-review"
         fi
 
@@ -229,7 +229,7 @@ runs:
         echo "labels=$LABELS" >> $GITHUB_OUTPUT
 
         # Check if waiting on labels are present, or this is a helm chart update only
-        if [[ "$LABELS" == *"waiting on ironbank"* ]] || [[ "$LABELS" == *"waiting on rapidfort"* ]] || [[ "$LABELS" == *"helm-chart-only"* ]]; then
+        if [[ "$LABELS" == *"waiting on ironbank"* ]] || [[ "$LABELS" == *"waiting on chainguard"* ]] || [[ "$LABELS" == *"helm-chart-only"* ]]; then
           echo "waiting=true" >> $GITHUB_OUTPUT
         else
           echo "waiting=false" >> $GITHUB_OUTPUT
@@ -251,7 +251,7 @@ runs:
           echo "Current labels: $CURRENT_LABELS"
 
           # Define the managed labels we care about
-          MANAGED_LABELS=("waiting on upstream" "waiting on ironbank" "waiting on unicorn" "waiting on rapidfort" "needs-review" "helm-chart-only" "major-helm-update" "major-image-update")
+          MANAGED_LABELS=("waiting on upstream" "waiting on ironbank" "waiting on chainguard" "needs-review" "helm-chart-only" "major-helm-update" "major-image-update")
 
           # Remove labels that are currently on the PR but not in the new set
           for LABEL in "${MANAGED_LABELS[@]}"; do

@@ -17,12 +17,8 @@ inputs:
     description: "IRON_BANK_ROBOT_PASSWORD"
     required: false
     default: ''
-  rapidfortUsername:
-    description: "RAPIDFORT_USERNAME"
-    required: false
-    default: ''
-  rapidfortPassword:
-    description: "RAPIDFORT_PASSWORD"
+  chainguardIdentity:
+    description: "ID for Chainguard Identity"
     required: false
     default: ''
   installUv:
@@ -69,10 +65,8 @@ runs:
         echo "MARU_AUTH=\"{\"raw.githubusercontent.com\": \"${{ inputs.ghToken }}\"}\"" >> "$GITHUB_ENV"
       shell: bash
 
-    - name: Rapidfort Login
-      if: ${{ inputs.rapidfortUsername != '' && inputs.rapidfortPassword != '' }}
-      shell: bash
-      env:
-        RAPIDFORT_USERNAME: ${{ inputs.rapidfortUsername }}
-        RAPIDFORT_PASSWORD: ${{ inputs.rapidfortPassword }}
-      run: echo "${{ env.RAPIDFORT_PASSWORD }}" | uds zarf tools registry login -u "${{ env.RAPIDFORT_USERNAME }}" --password-stdin quay.io
+    - name: Chainguard Login
+      if: ${{ inputs.chainguardIdentity != '' }}
+      uses: chainguard-dev/setup-chainctl@2cddd35a2f120d9973e58094dc6878c93cf58c28 # v0.5.1
+      with:
+        identity: ${{ inputs.chainguardIdentity }}
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Copyright 2024 Defense Unicorns
+# Copyright 2024-2026 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 info() {
@@ -63,6 +63,17 @@ rm -rf ./yq
 
 pre_userdata
 
+# Allow CNI plugins and their bundled libraries to be opened/executed by fapolicyd.
+# fapolicyd starts before cloud-init runs this script, so we must recompile rules and restart.
+# Guard: fapolicyd is RHEL-specific; skip on distros where it is absent or disabled.
+if command -v fagenrules >/dev/null 2>&1; then
+  mkdir -p /etc/fapolicyd/rules.d
+  cat > /etc/fapolicyd/rules.d/20-cni-allow.rules << 'EOF'
+allow perm=any all : dir=/opt/cni/bin/
+EOF
+  fagenrules && systemctl restart fapolicyd
+fi
+
 # If no bootstrap IP is provided then start RKE2 as single node/bootstrap
 if [[ "${BOOTSTRAP_IP}" == "" ]]; then
     bootstrap_ip=$(ip route get $(ip route show 0.0.0.0/0 | grep -oP 'via \K\S+') | grep -oP 'src \K\S+')

@@ -52,8 +52,7 @@ jobs:
           ghToken: ${{ secrets.GITHUB_TOKEN }}
           registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
           registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
-          rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
-          rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+          chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
           installK3d: 'true'
 
       - name: Run UDS Core Private PKI Test

@@ -41,8 +41,7 @@ jobs:
           ghToken: ${{ secrets.GITHUB_TOKEN }}
           registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
           registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
-          rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
-          rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+          chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
           installK3d: 'true'
 
       - name: (Snapshot) Get snapshot version using git commit short sha and date
@@ -123,8 +122,7 @@ jobs:
           ghToken: ${{ secrets.GITHUB_TOKEN }}
           registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
           registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
-          rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
-          rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+          chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
           installK3d: 'true'
 
       - name: Test and Publish Core Package Layer

@@ -146,8 +146,7 @@ jobs:
           ghToken: ${{ secrets.GITHUB_TOKEN }}
           registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
           registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
-          rapidfortUsername: ${{ secrets.RAPIDFORT_USERNAME }}
-          rapidfortPassword: ${{ secrets.RAPIDFORT_PASSWORD }}
+          chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }}
 
       - name: Check multi-arch images
         uses: ./.github/actions/check-multiarch

@@ -69,8 +69,7 @@ jobs:
           ghToken: ${{ secrets.GITHUB_TOKEN }}
           registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
           registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
-          rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
-          rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+          chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
 
       - name: Setup Tofu
         uses: opentofu/setup-opentofu@fc711fa910b93cba0f3fbecaafc9f42fd0c411cb # v2.0.0

@@ -66,8 +66,7 @@ jobs:
           ghToken: ${{ secrets.GITHUB_TOKEN }}
           registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
           registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
-          rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
-          rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+          chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
 
       - name: Setup Tofu
         uses: opentofu/setup-opentofu@fc711fa910b93cba0f3fbecaafc9f42fd0c411cb # v2.0.0

@@ -52,8 +52,7 @@ jobs:
           ghToken: ${{ secrets.GITHUB_TOKEN }}
           registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
           registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
-          rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
-          rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+          chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
           installK3d: 'true'
 
       - name: Run UDS Core Install HA Test

@@ -70,8 +70,7 @@ jobs:
           ghToken: ${{ secrets.GITHUB_TOKEN }}
           registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
           registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
-          rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
-          rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+          chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
 
       - name: Setup Tofu
         uses: opentofu/setup-opentofu@fc711fa910b93cba0f3fbecaafc9f42fd0c411cb # v2.0.0

@@ -44,7 +44,7 @@ jobs:
   test:
     # Use the 8 core runner for full-core or 4 core runner (with larger disk) for func layers tests
     runs-on: "${{ inputs.package == 'all' && 'uds-ubuntu-big-boy-8-core' || 'uds-ubuntu-big-boy-4-core'}}"
-    # Increase the timeout for longer upgrades - temporarily increased to 60 for longer upgrade from cgr -> rf
+    # Increase the timeout for longer upgrades
     timeout-minutes: ${{ inputs.test_type == 'upgrade' && 60 || 30 }}
     name: Test
     env:
@@ -60,8 +60,7 @@ jobs:
           ghToken: ${{ secrets.GITHUB_TOKEN }}
           registry1Username: ${{ (inputs.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
           registry1Password: ${{ (inputs.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
-          rapidfortUsername: ${{ (inputs.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
-          rapidfortPassword: ${{ (inputs.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+          chainguardIdentity: ${{ (inputs.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
           installK3d: 'true'
 
       - name: Test a single layer package

diff --git a/docs/dev/unicorn-registry-auth.md b/docs/dev/unicorn-registry-auth.md
@@ -0,0 +1,39 @@
+# Unicorn registry authentication
+
+The `unicorn` flavor images are hosted on `cgr.dev/defenseunicorns.com`, a private Chainguard organization. Working with the unicorn flavor locally requires authentication to pull images from this registry.
+
+Use `chainctl` as a Docker credential helper. This approach exchanges short-lived OIDC tokens at pull time and requires no stored credentials. Do not create a static pull token for local development: tokens expire, require manual rotation, and expand your credential surface.
+
+## Prerequisites
+
+You must have `chainctl` installed and be a member of the `defenseunicorns.com` Chainguard organization. Install `chainctl` using the method appropriate for your OS from the [Chainguard documentation](https://edu.chainguard.dev/chainguard/administration/iam-organizations/how-to-install-chainctl/). Then log in:
+
+```bash
+chainctl auth login
+```
+
+## Configure the credential helper
+
+Register `chainctl` as the credential helper for `cgr.dev`:
+
+```bash
+chainctl auth configure-docker
+```
+
+This adds a `cgr.dev` entry to your `~/.docker/config.json` credential helper map. Any Docker-compatible tool that reads this config (Docker, Zarf, `crane`, `uds`) will automatically call `chainctl` for authentication when accessing `cgr.dev`.
+
+Verify access by pulling a unicorn image:
+
+```bash
+docker pull cgr.dev/defenseunicorns.com/keycloak-fips:26.6.1
+```
+
+## How it works
+
+When a tool needs credentials for `cgr.dev`, Docker calls `chainctl` as a subprocess to get a short-lived token backed by your SSO session. No password is stored. Your access is determined by your Chainguard organization membership, not by a credential you manage.
+
+## Troubleshooting
+
+**`unauthorized` or `403` error when pulling:** Run `chainctl auth login` to refresh your session, then retry.
+
+**`chainctl: command not found`:** Install `chainctl` and ensure it is on your `PATH`.
@@ -101,6 +101,18 @@ done
 
 See [Istio's platform requirements](https://istio.io/latest/docs/ops/deployment/platform-requirements/) for the full upstream list.
 
+> [!NOTE]
+> **Unicorn flavor on RHEL 9 with fapolicyd:** The unicorn flavor uses FIPS-compliant CNI images that write `libcrypto.so.3` into `/opt/cni/bin/.cgr/` at runtime. If fapolicyd is running in enforcing mode, it will block access to this file because it is not RPM-managed, preventing istio-cni from starting. Add the following rule to allow access, then recompile and restart fapolicyd:
+>
+> ```bash
+> mkdir -p /etc/fapolicyd/rules.d
+> cat > /etc/fapolicyd/rules.d/20-cni-allow.rules << 'EOF'
+> allow perm=any all : dir=/opt/cni/bin/
+> EOF
+> fagenrules
+> systemctl restart fapolicyd
+> ```
+
 ## Falco requirements
 
 UDS Core uses [Falco](https://falco.org/)'s [Modern eBPF Probe](https://falco.org/docs/concepts/event-sources/kernel/#modern-ebpf-probe), which has the following requirements:

@@ -38,10 +38,12 @@ trap "rm -f $TEMP_IMAGES $TEMP_MISSING" EXIT
 
 echo "Scanning $SRC_DIR for unicorn and registry1 images..."
 
-# Extract all quay.io/rfcurated/ (unicorn) and registry1.dso.mil/ironbank/ (registry1) images
-find "$SRC_DIR" -name "zarf.yaml" -type f -exec grep -hE "quay.io/rfcurated/|registry1.dso.mil/ironbank/" {} \; | \
+# Extract all cgr.dev/defenseunicorns.com/ (unicorn) and registry1.dso.mil/ironbank/ (registry1) images
+find "$SRC_DIR" -name "zarf.yaml" -type f -exec grep -hE "cgr.dev/defenseunicorns.com/|registry1.dso.mil/ironbank/" {} \; | \
     sed 's/^[[:space:]]*-[[:space:]]*//' | \
+    sed 's/#.*//' | \
     sed 's/"//g' | \
+    sed 's/[[:space:]]*$//' | \
     sort -u > "$TEMP_IMAGES"
 
 TOTAL=$(wc -l < "$TEMP_IMAGES")

@@ -44,7 +44,7 @@ This script will:
 The scripts can apply the following labels to PRs:
 
 - `waiting on ironbank`: If a registry1 image is behind
-- `waiting on rapidfort`: If a rapidfort image is behind
+- `waiting on chainguard`: If a Chainguard image is behind
 - `helm-chart-only`: If a PR only contains a helm chart update
 - `needs-review`: If PR is NOT waiting on image updates
 - `major-helm-update`: If the PR contains a major chart version bump