Update NATS to vuln free image

ddelnano · ddelnano · commit 03fbf2884fe2 · 2026-02-19T21:44:35.000-08:00
Signed-off-by: Dom Del Nano &lt;ddelnano@gmail.com&gt;
diff --git a/k8s/cloud_deps/base/nats/statefulset.yaml b/k8s/cloud_deps/base/nats/statefulset.yaml
@@ -158,7 +158,7 @@ spec:
       containers:
       - name: pl-nats
         # yamllint disable-line rule:line-length
-        image: ghcr.io/pixie-io/nats:2.9.25-scratch-pl1@sha256:ac7228464fbc7154e91c9a00cba85b5da1df9a3ded6c784cdd6009cece85a1e3
+        image: ghcr.io/pixie-io/nats:2.9.25-scratch-pl2@sha256:7b988768facb8b0c3f55a1da3cb4f4097d3fc817047d7651b78ac6f56818f1ed
         ports:
         - containerPort: 4222
           name: client
diff --git a/k8s/vizier_deps/base/nats/nats_statefulset.yaml b/k8s/vizier_deps/base/nats/nats_statefulset.yaml
@@ -111,7 +111,7 @@ spec:
       containers:
       - name: pl-nats
         # yamllint disable-line rule:line-length
-        image: ghcr.io/pixie-io/nats:2.9.25-scratch-pl1@sha256:ac7228464fbc7154e91c9a00cba85b5da1df9a3ded6c784cdd6009cece85a1e3
+        image: ghcr.io/pixie-io/nats:2.9.25-scratch-pl2@sha256:7b988768facb8b0c3f55a1da3cb4f4097d3fc817047d7651b78ac6f56818f1ed
         ports:
         - containerPort: 4222
           name: client
diff --git a/tools/docker/Makefile b/tools/docker/Makefile
@@ -116,7 +116,7 @@ LINUX_HEADERS_GS_PATH := gs://pixie-dev-public/linux-headers/$(LINUX_HEADERS_REV
 
 ## NATS image parameters.
 NATS_IMAGE_VERSION := 2.9.25
-NATS_IMAGE_REV := pl1
+NATS_IMAGE_REV := pl2
 nats_image_tag := "ghcr.io/pixie-io/nats:$(NATS_IMAGE_VERSION)-scratch-$(NATS_IMAGE_REV)"
 
 ## Ory image parameters.
diff --git a/tools/docker/nats_image/Dockerfile b/tools/docker/nats_image/Dockerfile
@@ -14,7 +14,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-FROM --platform=$BUILDPLATFORM golang:1.24-alpine@sha256:c8c5f95d64aa79b6547f3b626eb84b16a7ce18a139e3e9ca19a8c078b85ba80d AS build
+FROM --platform=$BUILDPLATFORM golang:1.24-alpine@sha256:8bee1901f1e530bfb4a7850aa7a479d17ae3a18beb6e09064ed54cfd245b7191 AS build
 
 ARG TARGETOS TARGETARCH
 ARG NATS_VERSION
@@ -37,7 +37,7 @@ ARG CGO_ENABLED=0
 RUN go mod download
 # TODO(ddelnano): Remove once NATS server is updated to have
 # vulnerability free upstream deps
-RUN go get golang.org/x/crypto@v0.35.0
+RUN go get golang.org/x/crypto@v0.45.0
 RUN go get github.com/nats-io/nkeys@v0.4.6
 RUN go build -trimpath -ldflags "-X github.com/nats-io/nats-server/v2/server.gitCommit=$(git rev-parse --short HEAD)" -o ./nats-server
 
