From 96c254109f2b6f9279243871ca16fea8b9939bd4 Mon Sep 17 00:00:00 2001
From: Leonhardt Wille <leonhardt.wille@wire.com>
Date: Wed, 18 Feb 2026 16:03:32 +0100
Subject: [PATCH] feat(docker): use hardened images for kubectl and redis
 dependencies

related to WPB-23412
---
 charts/reaper/values.yaml                  | 6 +++---
 charts/redis-ephemeral/values.yaml         | 4 +++-
 charts/restund/values.yaml                 | 6 +++---
 hack/helm_vars/redis-ephemeral/values.yaml | 4 ++--
 4 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/charts/reaper/values.yaml b/charts/reaper/values.yaml
index fdc3fb5b46f..254196d4410 100644
--- a/charts/reaper/values.yaml
+++ b/charts/reaper/values.yaml
@@ -1,8 +1,8 @@
 image:
   # Use a kubectl image that includes a shell (sh/bash). Distroless images will fail to exec the script.
-  registry: docker.io
-  repository: bitnamilegacy/kubectl
-  tag: 1.32.4
+  registry: dhi.io
+  repository: kubectl
+  tag: 1.35.0
 podSecurityContext:
   allowPrivilegeEscalation: false
   capabilities:
diff --git a/charts/redis-ephemeral/values.yaml b/charts/redis-ephemeral/values.yaml
index aafcf440e40..1b9f091e01b 100644
--- a/charts/redis-ephemeral/values.yaml
+++ b/charts/redis-ephemeral/values.yaml
@@ -1,6 +1,8 @@
 redis-ephemeral:
   image:
-    tag: "7.4.6"
+    registry: dhi.io
+    repository: redis
+    tag: "7.4.7"
 
   haMode:
     enabled: false
diff --git a/charts/restund/values.yaml b/charts/restund/values.yaml
index e45c63670c2..ba7a12458f6 100644
--- a/charts/restund/values.yaml
+++ b/charts/restund/values.yaml
@@ -12,9 +12,9 @@ image:
 
 kubectlImage:
   # Use a kubectl image that includes a shell (sh/bash). Distroless images will fail to exec the script.
-  registry: docker.io
-  repository: bitnamilegacy/kubectl
-  tag: 1.32.4
+  registry: dhi.io
+  repository: kubectl
+  tag: 1.35.0
 
 # If you have multiple deployments of Restund running in one cluster, it is
 # important that they run on disjoint sets of nodes, you can use nodeSelector to enforce this
diff --git a/hack/helm_vars/redis-ephemeral/values.yaml b/hack/helm_vars/redis-ephemeral/values.yaml
index 996dc30e45c..87eac525dbf 100644
--- a/hack/helm_vars/redis-ephemeral/values.yaml
+++ b/hack/helm_vars/redis-ephemeral/values.yaml
@@ -1,7 +1,7 @@
 redis-ephemeral:
   image:
-    registry: public.ecr.aws
-    repository: docker/library/redis
+    registry: dhi.io
+    repository: redis
 
   redisConfig: |
     requirepass very-secure-redis-master-password