diff --git a/argocd/manifests/alloy-k8s/daemonset.yaml b/argocd/manifests/alloy-k8s/daemonset.yaml
index 89cb930..98d69dc 100644
--- a/argocd/manifests/alloy-k8s/daemonset.yaml
+++ b/argocd/manifests/alloy-k8s/daemonset.yaml
@@ -19,7 +19,7 @@ spec:
 fsGroup: 473 # alloy user group
 containers:
 - name: alloy
- image: grafana/alloy
+ image: grafana/alloy:kustomized
 args:
 - run
 - --server.http.listen-addr=0.0.0.0:12345
diff --git a/argocd/manifests/alloy-ringtail/daemonset.yaml b/argocd/manifests/alloy-ringtail/daemonset.yaml
index a8d060a..6f723b8 100644
--- a/argocd/manifests/alloy-ringtail/daemonset.yaml
+++ b/argocd/manifests/alloy-ringtail/daemonset.yaml
@@ -19,7 +19,7 @@ spec:
 fsGroup: 473 # alloy user group
 containers:
 - name: alloy
- image: grafana/alloy
+ image: grafana/alloy:kustomized
 args:
 - run
 - --server.http.listen-addr=0.0.0.0:12345
diff --git a/argocd/manifests/alloy-tracing-ringtail/daemonset.yaml b/argocd/manifests/alloy-tracing-ringtail/daemonset.yaml
index 93c7d3e..75cfea7 100644
--- a/argocd/manifests/alloy-tracing-ringtail/daemonset.yaml
+++ b/argocd/manifests/alloy-tracing-ringtail/daemonset.yaml
@@ -18,7 +18,7 @@ spec:
 hostPID: true
 containers:
 - name: alloy
- image: grafana/alloy
+ image: grafana/alloy:kustomized
 args:
 - run
 - --server.http.listen-addr=0.0.0.0:12346
diff --git a/argocd/manifests/authentik/deployment-redis.yaml b/argocd/manifests/authentik/deployment-redis.yaml
index e70ac98..8ee822e 100644
--- a/argocd/manifests/authentik/deployment-redis.yaml
+++ b/argocd/manifests/authentik/deployment-redis.yaml
@@ -18,7 +18,7 @@ spec:
 spec:
 containers:
 - name: redis
- image: docker.io/library/redis
+ image: docker.io/library/redis:kustomized
 ports:
 - name: redis
 containerPort: 6379
diff --git a/argocd/manifests/authentik/deployment-server.yaml b/argocd/manifests/authentik/deployment-server.yaml
index c3fdb52..cef8ceb 100644
--- a/argocd/manifests/authentik/deployment-server.yaml
+++ b/argocd/manifests/authentik/deployment-server.yaml
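Review bot: Nothing in this change verifies that every `:kustomized` placeholder is actually rewritten, starting with `image: grafana/alloy:kustomized` in alloy-k8s/daemonset.yaml and repeated in every other image hunk of this commit. If an `images:` entry is missing or its `name` does not match, the workload will try to pull a tag literally called `kustomized`; on the self-hosted registry that presumably fails closed, but on public repositories such as `grafana/alloy`, `docker` or `ghcr.io/0x2142/frigate-notify` the content of that tag is whatever the upstream publisher pushes. A CI step that renders each app with `kustomize build` and fails when the output still contains `:kustomized` would catch this before ArgoCD syncs it. The kustomization files that hold the real tags are mostly not part of this diff, so whether each one already carries a matching entry cannot be confirmed here.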
@@ -18,7 +18,7 @@ spec:
 spec:
 containers:
 - name: server
- image: registry.ops.eblu.me/blumeops/authentik
+ image: registry.ops.eblu.me/blumeops/authentik:kustomized
 args: ["server"]
 ports:
 - name: http
diff --git a/argocd/manifests/authentik/deployment-worker.yaml b/argocd/manifests/authentik/deployment-worker.yaml
index 11d9e44..2b341bf 100644
--- a/argocd/manifests/authentik/deployment-worker.yaml
+++ b/argocd/manifests/authentik/deployment-worker.yaml
@@ -18,7 +18,7 @@ spec:
 spec:
 containers:
 - name: worker
- image: registry.ops.eblu.me/blumeops/authentik
+ image: registry.ops.eblu.me/blumeops/authentik:kustomized
 args: ["worker"]
 env:
 - name: AUTHENTIK_SECRET_KEY
diff --git a/argocd/manifests/cv/deployment.yaml b/argocd/manifests/cv/deployment.yaml
index 2e929b4..cda0bfe 100644
--- a/argocd/manifests/cv/deployment.yaml
+++ b/argocd/manifests/cv/deployment.yaml
@@ -21,7 +21,7 @@ spec:
 spec:
 containers:
 - name: cv
- image: registry.ops.eblu.me/blumeops/cv
+ image: registry.ops.eblu.me/blumeops/cv:kustomized
 ports:
 - containerPort: 80
 name: http
diff --git a/argocd/manifests/devpi/statefulset.yaml b/argocd/manifests/devpi/statefulset.yaml
index 7bb5db0..bd383d9 100644
--- a/argocd/manifests/devpi/statefulset.yaml
+++ b/argocd/manifests/devpi/statefulset.yaml
@@ -18,7 +18,7 @@ spec:
 fsGroup: 1000
 containers:
 - name: devpi
- image: registry.ops.eblu.me/blumeops/devpi
+ image: registry.ops.eblu.me/blumeops/devpi:kustomized
 env:
 - name: DEVPI_ROOT_PASSWORD
 valueFrom:
diff --git a/argocd/manifests/docs/deployment.yaml b/argocd/manifests/docs/deployment.yaml
index 322aee8..96e1a67 100644
--- a/argocd/manifests/docs/deployment.yaml
+++ b/argocd/manifests/docs/deployment.yaml
@@ -21,7 +21,7 @@ spec:
 spec:
 containers:
 - name: docs
- image: registry.ops.eblu.me/blumeops/quartz
+ image: registry.ops.eblu.me/blumeops/quartz:kustomized
 ports:
 - containerPort: 80
 name: http
diff --git a/argocd/manifests/forgejo-runner/deployment.yaml b/argocd/manifests/forgejo-runner/deployment.yaml
index 7e36c07..3923f66 100644
--- a/argocd/manifests/forgejo-runner/deployment.yaml
+++ b/argocd/manifests/forgejo-runner/deployment.yaml
@@ -18,7 +18,7 @@ spec:
 containers:
 # Forgejo runner daemon
 - name: runner
- image: code.forgejo.org/forgejo/runner
+ image: code.forgejo.org/forgejo/runner:kustomized
 env:
 - name: TZ
 value: America/Los_Angeles
@@ -68,7 +68,7 @@ spec:
 # Docker-in-Docker sidecar
 - name: dind
- image: docker
+ image: docker:kustomized
 securityContext:
 privileged: true
 env:
diff --git a/argocd/manifests/frigate/deployment-notify.yaml b/argocd/manifests/frigate/deployment-notify.yaml
index a6e1361..740d104 100644
--- a/argocd/manifests/frigate/deployment-notify.yaml
+++ b/argocd/manifests/frigate/deployment-notify.yaml
@@ -16,7 +16,7 @@ spec:
 spec:
 containers:
 - name: frigate-notify
- image: ghcr.io/0x2142/frigate-notify
+ image: ghcr.io/0x2142/frigate-notify:kustomized
 env:
 - name: TZ
 value: America/Los_Angeles
diff --git a/argocd/manifests/frigate/deployment.yaml b/argocd/manifests/frigate/deployment.yaml
index 14a799c..ba69a5b 100644
--- a/argocd/manifests/frigate/deployment.yaml
+++ b/argocd/manifests/frigate/deployment.yaml
@@ -19,7 +19,7 @@ spec:
 runtimeClassName: nvidia
 initContainers:
 - name: copy-config
- image: busybox
+ image: busybox:kustomized
 command: ["cp", "/config-ro/config.yml", "/config/config.yml"]
 volumeMounts:
 - name: config-ro
@@ -28,7 +28,7 @@ spec:
 mountPath: /config
 containers:
 - name: frigate
- image: ghcr.io/blakeblackshear/frigate
+ image: ghcr.io/blakeblackshear/frigate:kustomized
 ports:
 - containerPort: 5000
 name: http
diff --git a/argocd/manifests/grafana/deployment.yaml b/argocd/manifests/grafana/deployment.yaml
index 7a734f9..e352e92 100644
--- a/argocd/manifests/grafana/deployment.yaml
+++ b/argocd/manifests/grafana/deployment.yaml
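Review bot: The `dind` hunk in forgejo-runner/deployment.yaml keeps an unqualified short name (`image: docker:kustomized`) on a container whose context lines show `privileged: true`, and the `copy-config` hunk in frigate/deployment.yaml does the same with `busybox`. Which registry a short name resolves to depends on the node's container-runtime configuration, whereas grafana/deployment.yaml in this same commit already spells out `docker.io/library/busybox`. I would write `image: docker.io/library/docker:kustomized` and `image: docker.io/library/busybox:kustomized`, changing the `name:` of the matching `images:` entries in the same commit so the override still applies. For the privileged sidecar it is also worth pinning with `digest:` instead of `newTag:` in its kustomization, since a tag can be re-pointed upstream. Both container definitions continue outside their hunks.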
@@ -32,7 +32,7 @@ spec:
 runAsUser: 472
 initContainers:
 - name: init-chown-data
- image: docker.io/library/busybox
+ image: docker.io/library/busybox:kustomized
 imagePullPolicy: IfNotPresent
 command: ["chown", "-R", "472:472", "/var/lib/grafana"]
 securityContext:
@@ -48,7 +48,7 @@ spec:
 containers:
 # Dashboard sidecar - watches ConfigMaps with grafana_dashboard=1
 - name: grafana-sc-dashboard
- image: registry.ops.eblu.me/blumeops/grafana-sidecar
+ image: registry.ops.eblu.me/blumeops/grafana-sidecar:kustomized
 imagePullPolicy: IfNotPresent
 env:
 - name: METHOD
@@ -88,7 +88,7 @@ spec:
 mountPath: /tmp/dashboards
 # Grafana
 - name: grafana
- image: registry.ops.eblu.me/blumeops/grafana
+ image: registry.ops.eblu.me/blumeops/grafana:kustomized
 imagePullPolicy: IfNotPresent
 env:
 - name: POD_IP
diff --git a/argocd/manifests/homepage/deployment.yaml b/argocd/manifests/homepage/deployment.yaml
index 203e06d..7f66c41 100644
--- a/argocd/manifests/homepage/deployment.yaml
+++ b/argocd/manifests/homepage/deployment.yaml
@@ -20,7 +20,7 @@ spec:
 fsGroup: 1000
 containers:
 - name: homepage
- image: registry.ops.eblu.me/blumeops/homepage
+ image: registry.ops.eblu.me/blumeops/homepage:kustomized
 securityContext:
 runAsNonRoot: true
 allowPrivilegeEscalation: false
diff --git a/argocd/manifests/kiwix/cronjob-zim-watcher.yaml b/argocd/manifests/kiwix/cronjob-zim-watcher.yaml
index e6fc7ac..2373343 100644
--- a/argocd/manifests/kiwix/cronjob-zim-watcher.yaml
+++ b/argocd/manifests/kiwix/cronjob-zim-watcher.yaml
@@ -15,7 +15,7 @@ spec:
 serviceAccountName: zim-watcher
 containers:
 - name: watcher
- image: registry.ops.eblu.me/blumeops/kubectl
+ image: registry.ops.eblu.me/blumeops/kubectl:kustomized
 command: ["/bin/bash", "-c"]
 args:
 - |
diff --git a/argocd/manifests/kiwix/deployment.yaml b/argocd/manifests/kiwix/deployment.yaml
index 28065bd..01532a2 100644
--- a/argocd/manifests/kiwix/deployment.yaml
+++ b/argocd/manifests/kiwix/deployment.yaml
@@ -20,7 +20,7 @@ spec:
 containers:
 # Main kiwix-serve container
 - name: kiwix-serve
- image: registry.ops.eblu.me/blumeops/kiwix-serve
+ image: registry.ops.eblu.me/blumeops/kiwix-serve:kustomized
 args:
 - "/bin/sh"
 - "-c"
@@ -53,7 +53,7 @@ spec:
 # Sidecar: Syncs declarative ZIM torrents to transmission
 - name: torrent-sync
- image: registry.ops.eblu.me/blumeops/transmission
+ image: registry.ops.eblu.me/blumeops/transmission:kustomized
 command: ["/bin/bash", "-c"]
 args:
 - |
diff --git a/argocd/manifests/kube-state-metrics-ringtail/deployment.yaml b/argocd/manifests/kube-state-metrics-ringtail/deployment.yaml
index cba8cac..ae34339 100644
--- a/argocd/manifests/kube-state-metrics-ringtail/deployment.yaml
+++ b/argocd/manifests/kube-state-metrics-ringtail/deployment.yaml
@@ -18,7 +18,7 @@ spec:
 serviceAccountName: kube-state-metrics
 containers:
 - name: kube-state-metrics
- image: registry.k8s.io/kube-state-metrics/kube-state-metrics
+ image: registry.k8s.io/kube-state-metrics/kube-state-metrics:kustomized
 ports:
 - containerPort: 8080
 name: http-metrics
diff --git a/argocd/manifests/kube-state-metrics/deployment.yaml b/argocd/manifests/kube-state-metrics/deployment.yaml
index cba8cac..ae34339 100644
--- a/argocd/manifests/kube-state-metrics/deployment.yaml
+++ b/argocd/manifests/kube-state-metrics/deployment.yaml
@@ -18,7 +18,7 @@ spec:
 serviceAccountName: kube-state-metrics
 containers:
 - name: kube-state-metrics
- image: registry.k8s.io/kube-state-metrics/kube-state-metrics
+ image: registry.k8s.io/kube-state-metrics/kube-state-metrics:kustomized
 ports:
 - containerPort: 8080
 name: http-metrics
diff --git a/argocd/manifests/loki/statefulset.yaml b/argocd/manifests/loki/statefulset.yaml
index 5683eab..eb4fe3b 100644
--- a/argocd/manifests/loki/statefulset.yaml
+++ b/argocd/manifests/loki/statefulset.yaml
@@ -20,7 +20,7 @@ spec:
 runAsUser: 10001
 containers:
 - name: loki
- image: grafana/loki
+ image: grafana/loki:kustomized
 args:
 - -config.file=/etc/loki/loki-config.yaml
 ports:
diff --git a/argocd/manifests/miniflux/deployment.yaml b/argocd/manifests/miniflux/deployment.yaml
index e139de3..b5b3239 100644
--- a/argocd/manifests/miniflux/deployment.yaml
+++ b/argocd/manifests/miniflux/deployment.yaml
@@ -15,7 +15,7 @@ spec:
 spec:
 containers:
 - name: miniflux
- image: registry.ops.eblu.me/blumeops/miniflux
+ image: registry.ops.eblu.me/blumeops/miniflux:kustomized
 ports:
 - containerPort: 8080
 env:
diff --git a/argocd/manifests/mosquitto/deployment.yaml b/argocd/manifests/mosquitto/deployment.yaml
index b58d926..3c8b8fa 100644
--- a/argocd/manifests/mosquitto/deployment.yaml
+++ b/argocd/manifests/mosquitto/deployment.yaml
@@ -16,7 +16,7 @@ spec:
 spec:
 containers:
 - name: mosquitto
- image: eclipse-mosquitto
+ image: eclipse-mosquitto:kustomized
 ports:
 - containerPort: 1883
 name: mqtt
diff --git a/argocd/manifests/navidrome/deployment.yaml b/argocd/manifests/navidrome/deployment.yaml
index 5da3948..6074d28 100644
--- a/argocd/manifests/navidrome/deployment.yaml
+++ b/argocd/manifests/navidrome/deployment.yaml
@@ -20,7 +20,7 @@ spec:
 fsGroup: 1000
 containers:
 - name: navidrome
- image: registry.ops.eblu.me/blumeops/navidrome
+ image: registry.ops.eblu.me/blumeops/navidrome:kustomized
 securityContext:
 runAsNonRoot: true
 allowPrivilegeEscalation: false
diff --git a/argocd/manifests/ntfy/deployment.yaml b/argocd/manifests/ntfy/deployment.yaml
index 2a58604..3bbb172 100644
--- a/argocd/manifests/ntfy/deployment.yaml
+++ b/argocd/manifests/ntfy/deployment.yaml
@@ -16,7 +16,7 @@ spec:
 spec:
 containers:
 - name: ntfy
- image: registry.ops.eblu.me/blumeops/ntfy
+ image: registry.ops.eblu.me/blumeops/ntfy:kustomized
 args: ["serve", "--config", "/etc/ntfy/server.yml"]
 ports:
 - containerPort: 80
diff --git a/argocd/manifests/nvidia-device-plugin/daemonset.yaml b/argocd/manifests/nvidia-device-plugin/daemonset.yaml
index b484959..04431f3 100644
--- a/argocd/manifests/nvidia-device-plugin/daemonset.yaml
+++ b/argocd/manifests/nvidia-device-plugin/daemonset.yaml
@@ -22,7 +22,7 @@ spec:
 priorityClassName: system-node-critical
 containers:
 - name: nvidia-device-plugin
- image: nvcr.io/nvidia/k8s-device-plugin
+ image: nvcr.io/nvidia/k8s-device-plugin:kustomized
 args:
 - --device-id-strategy=index
 - --config-file=/config/config.yaml
diff --git a/argocd/manifests/ollama/deployment.yaml b/argocd/manifests/ollama/deployment.yaml
index de74329..65f17c6 100644
--- a/argocd/manifests/ollama/deployment.yaml
+++ b/argocd/manifests/ollama/deployment.yaml
@@ -19,7 +19,7 @@ spec:
 runtimeClassName: nvidia
 containers:
 - name: ollama
- image: ollama/ollama
+ image: ollama/ollama:kustomized
 ports:
 - containerPort: 11434
 name: http
@@ -56,7 +56,7 @@ spec:
 initialDelaySeconds: 10
 periodSeconds: 10
 - name: model-sync
- image: ollama/ollama
+ image: ollama/ollama:kustomized
 command: ["/bin/bash", "/scripts/sync-models.sh"]
 env:
 - name: MODEL_LIST
diff --git a/argocd/manifests/prometheus/statefulset.yaml b/argocd/manifests/prometheus/statefulset.yaml
index 24953e0..c549368 100644
--- a/argocd/manifests/prometheus/statefulset.yaml
+++ b/argocd/manifests/prometheus/statefulset.yaml
@@ -20,7 +20,7 @@ spec:
 runAsUser: 65534
 containers:
 - name: prometheus
- image: registry.ops.eblu.me/blumeops/prometheus
+ image: registry.ops.eblu.me/blumeops/prometheus:kustomized
 args:
 - --config.file=/etc/prometheus/prometheus.yml
 - --storage.tsdb.path=/prometheus
diff --git a/argocd/manifests/tailscale-operator-base/kustomization.yaml b/argocd/manifests/tailscale-operator-base/kustomization.yaml
index 82ff89e..54750fa 100644
--- a/argocd/manifests/tailscale-operator-base/kustomization.yaml
+++ b/argocd/manifests/tailscale-operator-base/kustomization.yaml
@@ -9,6 +9,10 @@ resources:
 - proxyclass.yaml
 - dnsconfig.yaml
+# NOTE: also update proxyclass.yaml when changing the Tailscale version.
+# The kustomize images transformer only processes standard k8s container specs
+# (Deployments, StatefulSets, etc.), not CRD fields like ProxyClass, so
+# proxyclass.yaml tags must be updated manually.
 images:
 - name: docker.io/tailscale/k8s-operator
 newTag: v1.94.2
diff --git a/argocd/manifests/tailscale-operator-base/operator.yaml b/argocd/manifests/tailscale-operator-base/operator.yaml
index adfa1c2..644bf9a 100644
--- a/argocd/manifests/tailscale-operator-base/operator.yaml
+++ b/argocd/manifests/tailscale-operator-base/operator.yaml
@@ -5362,7 +5362,7 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.uid
- image: docker.io/tailscale/k8s-operator
+ image: docker.io/tailscale/k8s-operator:kustomized
 imagePullPolicy: Always
 name: operator
 volumeMounts:
diff --git a/argocd/manifests/tailscale-operator-base/proxyclass.yaml b/argocd/manifests/tailscale-operator-base/proxyclass.yaml
index f5d99ef..aff896d 100644
--- a/argocd/manifests/tailscale-operator-base/proxyclass.yaml
+++ b/argocd/manifests/tailscale-operator-base/proxyclass.yaml
@@ -18,6 +18,7 @@ spec:
 statefulSet:
 pod:
 tailscaleContainer:
+ # NOTE: keep in sync with kustomization.yaml (CRD fields aren't processed by kustomize images)
 image: docker.io/tailscale/tailscale:v1.94.2
 tailscaleInitContainer:
 image: docker.io/tailscale/tailscale:v1.94.2
diff --git a/argocd/manifests/tempo/statefulset.yaml b/argocd/manifests/tempo/statefulset.yaml
index 7975347..f871ebc 100644
--- a/argocd/manifests/tempo/statefulset.yaml
+++ b/argocd/manifests/tempo/statefulset.yaml
@@ -20,7 +20,7 @@ spec:
 runAsUser: 10001
 containers:
 - name: tempo
- image: grafana/tempo
+ image: grafana/tempo:kustomized
 args:
 - -config.file=/etc/tempo/tempo.yaml
 ports:
diff --git a/argocd/manifests/teslamate/deployment.yaml b/argocd/manifests/teslamate/deployment.yaml
index c590185..a2f7aca 100644
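Review bot: The comment added above `images:` in tailscale-operator-base/kustomization.yaml makes the ProxyClass tags a manual step, which leaves `docker.io/tailscale/tailscale:v1.94.2` free to drift from the operator's `newTag` with nothing to flag it. Kustomize can be taught about extra image fields through a `configurations:` file whose `images:` fieldSpecs name the ProxyClass paths (`spec/statefulSet/pod/tailscaleContainer/image` and the init-container equivalent), or a CI check can compare the two files; either removes the reliance on someone reading the note. If it stays manual, the comment added in the proxyclass.yaml hunk sits only above `tailscaleContainer` while `tailscaleInitContainer` carries the same tag, so I would word it `# NOTE: keep both image tags below in sync with kustomization.yaml`. Only the first entry of the `images:` list is visible in this hunk, so whether `docker.io/tailscale/tailscale` already has an entry cannot be told from here.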
--- a/argocd/manifests/teslamate/deployment.yaml
+++ b/argocd/manifests/teslamate/deployment.yaml
@@ -15,7 +15,7 @@ spec:
 spec:
 containers:
 - name: teslamate
- image: registry.ops.eblu.me/blumeops/teslamate
+ image: registry.ops.eblu.me/blumeops/teslamate:kustomized
 ports:
 - containerPort: 4000
 env:
diff --git a/argocd/manifests/torrent/deployment.yaml b/argocd/manifests/torrent/deployment.yaml
index df715a8..c109861 100644
--- a/argocd/manifests/torrent/deployment.yaml
+++ b/argocd/manifests/torrent/deployment.yaml
@@ -16,7 +16,7 @@ spec:
 spec:
 containers:
 - name: transmission
- image: registry.ops.eblu.me/blumeops/transmission
+ image: registry.ops.eblu.me/blumeops/transmission:kustomized
 env:
 - name: PUID
 value: "1000"
@@ -56,7 +56,7 @@ spec:
 initialDelaySeconds: 10
 periodSeconds: 10
 - name: transmission-exporter
- image: registry.ops.eblu.me/blumeops/transmission-exporter
+ image: registry.ops.eblu.me/blumeops/transmission-exporter:kustomized
 env:
 - name: TRANSMISSION_ADDR
 value: "http://localhost:9091"
diff --git a/docs/changelog.d/+kustomized-image-tags.infra.md b/docs/changelog.d/+kustomized-image-tags.infra.md
new file mode 100644
index 0000000..28e00e0
--- /dev/null
+++ b/docs/changelog.d/+kustomized-image-tags.infra.md
@@ -0,0 +1 @@
+Add `:kustomized` sentinel tag to all manifest image references overridden by kustomize, making it clear the real tag lives in kustomization.yaml.
diff --git a/service-versions.yaml b/service-versions.yaml
index f8befdf..cc4d491 100644
--- a/service-versions.yaml
+++ b/service-versions.yaml
@@ -201,7 +201,7 @@ services:
 - name: devpi
 type: argocd
- last-reviewed: null
+ last-reviewed: 2026-03-06
 current-version: "6.19.1"
 upstream-source: https://github.com/devpi/devpi/releases