crossplane-function-environment-configs-fips

Last changed

Request a free trial

Contact our team to test out this image for free. Please also indicate any other images you would like to evaluate.

Chainguard Container for crossplane-function-environment-configs-fips

Crossplane function that manages environment-specific configurations for resources in compositions with FIPS 140-3 compliance

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:


docker pull cgr.dev/ORGANIZATION/crossplane-function-environment-configs-fips:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

The function-environment-configs-fips image is based on the Crossplane function-environment-configs project. This Chainguard Image provides a secure, minimal runtime environment with the following differences from upstream images:

Built on Wolfi rather than a traditional Linux distribution, resulting in a smaller attack surface
Runs as a non-root user (uid 65532) by default for enhanced security
Contains minimal dependencies with few-to-zero CVEs
Includes both the function binary and compatibility layer for seamless integration

Getting Started

The function-environment-configs-fips image is designed to work with Crossplane compositions for managing environment-specific configurations in FIPS-compliant environments. The image contains a Crossplane function that can be used to inject environment-specific settings into your resources while maintaining cryptographic compliance.

Basic Usage

You can run the function directly to verify it's working:


docker run --rm cgr.dev/ORGANIZATION/function-environment-configs-fips:latest --help

Using with Crossplane

Create a function definition for use in your Crossplane cluster:


cat > function-environment-configs-fips.yaml <<EOF
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
  name: function-environment-configs-fips
spec:
  package: cgr.dev/ORGANIZATION/function-environment-configs-fips:latest
EOF

Apply the function to your cluster:


kubectl apply -f function-environment-configs-fips.yaml

Integration in Compositions

Use the function in your Crossplane compositions to inject environment-specific configurations:


cat > composition-example-fips.yaml <<EOF
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: example-with-env-configs-fips
spec:
  compositeTypeRef:
    apiVersion: example.com/v1alpha1
    kind: XExample
  functions:
  - name: environment-configs-fips
    type: function
    source: Function
    ref:
      name: function-environment-configs-fips
    input:
      apiVersion: environmentconfigs.fn.crossplane.io/v1beta1
      kind: Input
      spec:
        environmentConfigs:
        - ref:
            name: dev-config
          policy:
            merge: merge
        - ref:
            name: common-config
          policy:
            merge: replace
EOF

Development with the `-dev` Variant

For debugging and development, use the -dev variant which includes additional tools:


docker run -it cgr.dev/ORGANIZATION/function-environment-configs-fips:latest-dev sh

Configuration

The function accepts configuration through its input specification. Key configuration options include:

Environment Config References

Specify which environment configs to apply:


spec:
  environmentConfigs:
  - ref:
      name: my-environment-config
    policy:
      merge: merge  # or "replace"

Merge Policies

merge: Merge environment config with existing values
replace: Replace existing values with environment config

FIPS Compliance

This image automatically uses FIPS 140-3 validated cryptographic modules. No additional configuration is required to enable FIPS mode, as it is built into the base system. This makes it suitable for environments requiring federal compliance standards such as FedRAMP.

Troubleshooting

Crossplane Version Compatibility

If you encounter errors like "incompatible Crossplane version: package is not compatible with Crossplane version (): Invalid Semantic Version", this typically occurs when:

Using latest tags: Crossplane requires semantic versioning for compatibility checks. Ensure your Crossplane deployment uses specific version tags (e.g., 2.0.2) instead of latest.
Version detection issues: If the error persists with proper version tags, you can bypass version constraints by adding ignoreCrossplaneConstraints: true to your Function specification:


apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
  name: crossplane-function-environment-configs-fips
spec:
  package: cgr.dev/ORGANIZATION/crossplane-function-environment-configs-fips:latest
  ignoreCrossplaneConstraints: true  # Add this line

Documentation and Resources

What are Chainguard Containers?

Chainguard Containers are minimal container images that are secure by default.

In many cases, the Chainguard Containers tagged as :latest contain only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager. Chainguard Containers are built with Wolfi, our Linux undistro designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

Minimal design, without unnecessary software bloat
Daily builds to ensure container images are up-to-date with available security patches
High quality build-time SBOMs attesting to the provenance of all artifacts within the image
Verifiable signatures provided by Sigstore
Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a -dev variant.

Although the -dev container image variants have similar security features as their more minimal versions, they feature additional software that is typically not necessary in production environments. We recommend using multi-stage builds to leverage the -dev variants, copying application artifacts into a final minimal container that offers a reduced attack surface that won’t allow package installations or logins.

Learn More

To better understand how to work with Chainguard Containers, please visit Chainguard Academy and Chainguard Courses.

In addition to Containers, Chainguard offers VMs and Libraries. Contact Chainguard to access additional products.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.

Licenses

Chainguard container images contain software packages that are direct or transitive dependencies. The following licenses were found in the "latest" tag of this image:

Apache-2.0
GCC-exception-3.1
GPL-3.0-or-later
LGPL-2.1-or-later
MIT
MPL-2.0

For a complete list of licenses, please refer to this Image's SBOM.

Software license agreement

Compliance

This is a FIPS validated image for FedRAMP compliance.

This image is STIG hardened and scanned against the DISA General Purpose Operating System SRG with reports available.

Learn more about STIGs Get started with STIGs

Related images

crossplane-function-environment-configs

Product

Chainguard Containers Chainguard Libraries Chainguard VMs Integrations Pricing

Solutions

FedRAMP PCI DSS Golden Images CVE Remediation Public Sector

Customers

Customer Stories Chainguard Reviews

Resources

Events & Webinars Chainguard Courses Documentation Trust Center

Company

About Us Blog Partners Newsroom Careers Legal