Add :kustomized sentinel tag to manifest images, review devpi

Bare image references in manifests were ambiguous — unclear whether the tag was intentionally omitted or managed by kustomize. Add :kustomized sentinel to all 37 image refs overridden by kustomize images transformer. Add sync notes for tailscale-operator proxyclass (CRD fields not processed by kustomize). Mark devpi reviewed (6.19.1 is current). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-06 08:15:06 -08:00 · 2026-03-06 08:15:06 -08:00 · 6e8d11c6bb
commit 6e8d11c6bb
parent 2ac1a1abc2
34 changed files with 44 additions and 38 deletions
--- a/argocd/manifests/alloy-k8s/daemonset.yaml
+++ b/argocd/manifests/alloy-k8s/daemonset.yaml
@ -19,7 +19,7 @@ spec:
        fsGroup: 473  # alloy user group
      containers:
        - name: alloy
-          image: grafana/alloy
+          image: grafana/alloy:kustomized
          args:
            - run
            - --server.http.listen-addr=0.0.0.0:12345
--- a/argocd/manifests/alloy-ringtail/daemonset.yaml
+++ b/argocd/manifests/alloy-ringtail/daemonset.yaml
@ -19,7 +19,7 @@ spec:
        fsGroup: 473  # alloy user group
      containers:
        - name: alloy
-          image: grafana/alloy
+          image: grafana/alloy:kustomized
          args:
            - run
            - --server.http.listen-addr=0.0.0.0:12345
--- a/argocd/manifests/alloy-tracing-ringtail/daemonset.yaml
+++ b/argocd/manifests/alloy-tracing-ringtail/daemonset.yaml
@ -18,7 +18,7 @@ spec:
      hostPID: true
      containers:
        - name: alloy
-          image: grafana/alloy
+          image: grafana/alloy:kustomized
          args:
            - run
            - --server.http.listen-addr=0.0.0.0:12346
--- a/argocd/manifests/authentik/deployment-redis.yaml
+++ b/argocd/manifests/authentik/deployment-redis.yaml
@ -18,7 +18,7 @@ spec:
    spec:
      containers:
        - name: redis
-          image: docker.io/library/redis
+          image: docker.io/library/redis:kustomized
          ports:
            - name: redis
              containerPort: 6379
--- a/argocd/manifests/authentik/deployment-server.yaml
+++ b/argocd/manifests/authentik/deployment-server.yaml
@ -18,7 +18,7 @@ spec:
    spec:
      containers:
        - name: server
-          image: registry.ops.eblu.me/blumeops/authentik
+          image: registry.ops.eblu.me/blumeops/authentik:kustomized
          args: ["server"]
          ports:
            - name: http
--- a/argocd/manifests/authentik/deployment-worker.yaml
+++ b/argocd/manifests/authentik/deployment-worker.yaml
@ -18,7 +18,7 @@ spec:
    spec:
      containers:
        - name: worker
-          image: registry.ops.eblu.me/blumeops/authentik
+          image: registry.ops.eblu.me/blumeops/authentik:kustomized
          args: ["worker"]
          env:
            - name: AUTHENTIK_SECRET_KEY
--- a/argocd/manifests/cv/deployment.yaml
+++ b/argocd/manifests/cv/deployment.yaml
@ -21,7 +21,7 @@ spec:
    spec:
      containers:
        - name: cv
-          image: registry.ops.eblu.me/blumeops/cv
+          image: registry.ops.eblu.me/blumeops/cv:kustomized
          ports:
            - containerPort: 80
              name: http
--- a/argocd/manifests/devpi/statefulset.yaml
+++ b/argocd/manifests/devpi/statefulset.yaml
@ -18,7 +18,7 @@ spec:
        fsGroup: 1000
      containers:
        - name: devpi
-          image: registry.ops.eblu.me/blumeops/devpi
+          image: registry.ops.eblu.me/blumeops/devpi:kustomized
          env:
            - name: DEVPI_ROOT_PASSWORD
              valueFrom:
--- a/argocd/manifests/docs/deployment.yaml
+++ b/argocd/manifests/docs/deployment.yaml
@ -21,7 +21,7 @@ spec:
    spec:
      containers:
        - name: docs
-          image: registry.ops.eblu.me/blumeops/quartz
+          image: registry.ops.eblu.me/blumeops/quartz:kustomized
          ports:
            - containerPort: 80
              name: http
--- a/argocd/manifests/forgejo-runner/deployment.yaml
+++ b/argocd/manifests/forgejo-runner/deployment.yaml
@ -18,7 +18,7 @@ spec:
      containers:
        # Forgejo runner daemon
        - name: runner
-          image: code.forgejo.org/forgejo/runner
+          image: code.forgejo.org/forgejo/runner:kustomized
          env:
            - name: TZ
              value: America/Los_Angeles
@ -68,7 +68,7 @@ spec:
        # Docker-in-Docker sidecar
        - name: dind
-          image: docker
+          image: docker:kustomized
          securityContext:
            privileged: true
          env:
--- a/argocd/manifests/frigate/deployment-notify.yaml
+++ b/argocd/manifests/frigate/deployment-notify.yaml
@ -16,7 +16,7 @@ spec:
    spec:
      containers:
        - name: frigate-notify
-          image: ghcr.io/0x2142/frigate-notify
+          image: ghcr.io/0x2142/frigate-notify:kustomized
          env:
            - name: TZ
              value: America/Los_Angeles
--- a/argocd/manifests/frigate/deployment.yaml
+++ b/argocd/manifests/frigate/deployment.yaml
@ -19,7 +19,7 @@ spec:
      runtimeClassName: nvidia
      initContainers:
        - name: copy-config
-          image: busybox
+          image: busybox:kustomized
          command: ["cp", "/config-ro/config.yml", "/config/config.yml"]
          volumeMounts:
            - name: config-ro
@ -28,7 +28,7 @@ spec:
              mountPath: /config
      containers:
        - name: frigate
-          image: ghcr.io/blakeblackshear/frigate
+          image: ghcr.io/blakeblackshear/frigate:kustomized
          ports:
            - containerPort: 5000
              name: http
--- a/argocd/manifests/grafana/deployment.yaml
+++ b/argocd/manifests/grafana/deployment.yaml
@ -32,7 +32,7 @@ spec:
        runAsUser: 472
      initContainers:
        - name: init-chown-data
-          image: docker.io/library/busybox
+          image: docker.io/library/busybox:kustomized
          imagePullPolicy: IfNotPresent
          command: ["chown", "-R", "472:472", "/var/lib/grafana"]
          securityContext:
@ -48,7 +48,7 @@ spec:
      containers:
        # Dashboard sidecar - watches ConfigMaps with grafana_dashboard=1
        - name: grafana-sc-dashboard
-          image: registry.ops.eblu.me/blumeops/grafana-sidecar
+          image: registry.ops.eblu.me/blumeops/grafana-sidecar:kustomized
          imagePullPolicy: IfNotPresent
          env:
            - name: METHOD
@ -88,7 +88,7 @@ spec:
              mountPath: /tmp/dashboards
        # Grafana
        - name: grafana
-          image: registry.ops.eblu.me/blumeops/grafana
+          image: registry.ops.eblu.me/blumeops/grafana:kustomized
          imagePullPolicy: IfNotPresent
          env:
            - name: POD_IP
--- a/argocd/manifests/homepage/deployment.yaml
+++ b/argocd/manifests/homepage/deployment.yaml
@ -20,7 +20,7 @@ spec:
        fsGroup: 1000
      containers:
        - name: homepage
-          image: registry.ops.eblu.me/blumeops/homepage
+          image: registry.ops.eblu.me/blumeops/homepage:kustomized
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
--- a/argocd/manifests/kiwix/cronjob-zim-watcher.yaml
+++ b/argocd/manifests/kiwix/cronjob-zim-watcher.yaml
@ -15,7 +15,7 @@ spec:
          serviceAccountName: zim-watcher
          containers:
            - name: watcher
-              image: registry.ops.eblu.me/blumeops/kubectl
+              image: registry.ops.eblu.me/blumeops/kubectl:kustomized
              command: ["/bin/bash", "-c"]
              args:
                - |
--- a/argocd/manifests/kiwix/deployment.yaml
+++ b/argocd/manifests/kiwix/deployment.yaml
@ -20,7 +20,7 @@ spec:
      containers:
        # Main kiwix-serve container
        - name: kiwix-serve
-          image: registry.ops.eblu.me/blumeops/kiwix-serve
+          image: registry.ops.eblu.me/blumeops/kiwix-serve:kustomized
          args:
            - "/bin/sh"
            - "-c"
@ -53,7 +53,7 @@ spec:
        # Sidecar: Syncs declarative ZIM torrents to transmission
        - name: torrent-sync
-          image: registry.ops.eblu.me/blumeops/transmission
+          image: registry.ops.eblu.me/blumeops/transmission:kustomized
          command: ["/bin/bash", "-c"]
          args:
            - |
--- a/argocd/manifests/kube-state-metrics-ringtail/deployment.yaml
+++ b/argocd/manifests/kube-state-metrics-ringtail/deployment.yaml
@ -18,7 +18,7 @@ spec:
      serviceAccountName: kube-state-metrics
      containers:
        - name: kube-state-metrics
-          image: registry.k8s.io/kube-state-metrics/kube-state-metrics
+          image: registry.k8s.io/kube-state-metrics/kube-state-metrics:kustomized
          ports:
            - containerPort: 8080
              name: http-metrics
--- a/argocd/manifests/kube-state-metrics/deployment.yaml
+++ b/argocd/manifests/kube-state-metrics/deployment.yaml
@ -18,7 +18,7 @@ spec:
      serviceAccountName: kube-state-metrics
      containers:
        - name: kube-state-metrics
-          image: registry.k8s.io/kube-state-metrics/kube-state-metrics
+          image: registry.k8s.io/kube-state-metrics/kube-state-metrics:kustomized
          ports:
            - containerPort: 8080
              name: http-metrics
--- a/argocd/manifests/loki/statefulset.yaml
+++ b/argocd/manifests/loki/statefulset.yaml
@ -20,7 +20,7 @@ spec:
        runAsUser: 10001
      containers:
        - name: loki
-          image: grafana/loki
+          image: grafana/loki:kustomized
          args:
            - -config.file=/etc/loki/loki-config.yaml
          ports:
--- a/argocd/manifests/miniflux/deployment.yaml
+++ b/argocd/manifests/miniflux/deployment.yaml
@ -15,7 +15,7 @@ spec:
    spec:
      containers:
        - name: miniflux
-          image: registry.ops.eblu.me/blumeops/miniflux
+          image: registry.ops.eblu.me/blumeops/miniflux:kustomized
          ports:
            - containerPort: 8080
          env:
--- a/argocd/manifests/mosquitto/deployment.yaml
+++ b/argocd/manifests/mosquitto/deployment.yaml
@ -16,7 +16,7 @@ spec:
    spec:
      containers:
        - name: mosquitto
-          image: eclipse-mosquitto
+          image: eclipse-mosquitto:kustomized
          ports:
            - containerPort: 1883
              name: mqtt
--- a/argocd/manifests/navidrome/deployment.yaml
+++ b/argocd/manifests/navidrome/deployment.yaml
@ -20,7 +20,7 @@ spec:
        fsGroup: 1000
      containers:
        - name: navidrome
-          image: registry.ops.eblu.me/blumeops/navidrome
+          image: registry.ops.eblu.me/blumeops/navidrome:kustomized
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
--- a/argocd/manifests/ntfy/deployment.yaml
+++ b/argocd/manifests/ntfy/deployment.yaml
@ -16,7 +16,7 @@ spec:
    spec:
      containers:
        - name: ntfy
-          image: registry.ops.eblu.me/blumeops/ntfy
+          image: registry.ops.eblu.me/blumeops/ntfy:kustomized
          args: ["serve", "--config", "/etc/ntfy/server.yml"]
          ports:
            - containerPort: 80
--- a/argocd/manifests/nvidia-device-plugin/daemonset.yaml
+++ b/argocd/manifests/nvidia-device-plugin/daemonset.yaml
@ -22,7 +22,7 @@ spec:
      priorityClassName: system-node-critical
      containers:
        - name: nvidia-device-plugin
-          image: nvcr.io/nvidia/k8s-device-plugin
+          image: nvcr.io/nvidia/k8s-device-plugin:kustomized
          args:
            - --device-id-strategy=index
            - --config-file=/config/config.yaml
--- a/argocd/manifests/ollama/deployment.yaml
+++ b/argocd/manifests/ollama/deployment.yaml
@ -19,7 +19,7 @@ spec:
      runtimeClassName: nvidia
      containers:
        - name: ollama
-          image: ollama/ollama
+          image: ollama/ollama:kustomized
          ports:
            - containerPort: 11434
              name: http
@ -56,7 +56,7 @@ spec:
            initialDelaySeconds: 10
            periodSeconds: 10
        - name: model-sync
-          image: ollama/ollama
+          image: ollama/ollama:kustomized
          command: ["/bin/bash", "/scripts/sync-models.sh"]
          env:
            - name: MODEL_LIST
--- a/argocd/manifests/prometheus/statefulset.yaml
+++ b/argocd/manifests/prometheus/statefulset.yaml
@ -20,7 +20,7 @@ spec:
        runAsUser: 65534
      containers:
        - name: prometheus
-          image: registry.ops.eblu.me/blumeops/prometheus
+          image: registry.ops.eblu.me/blumeops/prometheus:kustomized
          args:
            - --config.file=/etc/prometheus/prometheus.yml
            - --storage.tsdb.path=/prometheus
--- a/argocd/manifests/tailscale-operator-base/kustomization.yaml
+++ b/argocd/manifests/tailscale-operator-base/kustomization.yaml
@ -9,6 +9,10 @@ resources:
  - proxyclass.yaml
  - dnsconfig.yaml
 # NOTE: also update proxyclass.yaml when changing the Tailscale version.
 # The kustomize images transformer only processes standard k8s container specs
 # (Deployments, StatefulSets, etc.), not CRD fields like ProxyClass, so
 # proxyclass.yaml tags must be updated manually.
 images:
  - name: docker.io/tailscale/k8s-operator
    newTag: v1.94.2
--- a/argocd/manifests/tailscale-operator-base/operator.yaml
+++ b/argocd/manifests/tailscale-operator-base/operator.yaml
@ -5362,7 +5362,7 @@ spec:
                      valueFrom:
                        fieldRef:
                            fieldPath: metadata.uid
-                  image: docker.io/tailscale/k8s-operator
+                  image: docker.io/tailscale/k8s-operator:kustomized
                  imagePullPolicy: Always
                  name: operator
                  volumeMounts:
--- a/argocd/manifests/tailscale-operator-base/proxyclass.yaml
+++ b/argocd/manifests/tailscale-operator-base/proxyclass.yaml
@ -18,6 +18,7 @@ spec:
  statefulSet:
    pod:
      tailscaleContainer:
        # NOTE: keep in sync with kustomization.yaml (CRD fields aren't processed by kustomize images)
        image: docker.io/tailscale/tailscale:v1.94.2
      tailscaleInitContainer:
        image: docker.io/tailscale/tailscale:v1.94.2
--- a/argocd/manifests/tempo/statefulset.yaml
+++ b/argocd/manifests/tempo/statefulset.yaml
@ -20,7 +20,7 @@ spec:
        runAsUser: 10001
      containers:
        - name: tempo
-          image: grafana/tempo
+          image: grafana/tempo:kustomized
          args:
            - -config.file=/etc/tempo/tempo.yaml
          ports:
--- a/argocd/manifests/teslamate/deployment.yaml
+++ b/argocd/manifests/teslamate/deployment.yaml
@ -15,7 +15,7 @@ spec:
    spec:
      containers:
        - name: teslamate
-          image: registry.ops.eblu.me/blumeops/teslamate
+          image: registry.ops.eblu.me/blumeops/teslamate:kustomized
          ports:
            - containerPort: 4000
          env:
--- a/argocd/manifests/torrent/deployment.yaml
+++ b/argocd/manifests/torrent/deployment.yaml
@ -16,7 +16,7 @@ spec:
    spec:
      containers:
        - name: transmission
-          image: registry.ops.eblu.me/blumeops/transmission
+          image: registry.ops.eblu.me/blumeops/transmission:kustomized
          env:
            - name: PUID
              value: "1000"
@ -56,7 +56,7 @@ spec:
            initialDelaySeconds: 10
            periodSeconds: 10
        - name: transmission-exporter
-          image: registry.ops.eblu.me/blumeops/transmission-exporter
+          image: registry.ops.eblu.me/blumeops/transmission-exporter:kustomized
          env:
            - name: TRANSMISSION_ADDR
              value: "http://localhost:9091"
--- a/docs/changelog.d/+kustomized-image-tags.infra.md
+++ b/docs/changelog.d/+kustomized-image-tags.infra.md
@ -0,0 +1 @@
 Add `:kustomized` sentinel tag to all manifest image references overridden by kustomize, making it clear the real tag lives in kustomization.yaml.
--- a/service-versions.yaml
+++ b/service-versions.yaml
@ -201,7 +201,7 @@ services:
  - name: devpi
    type: argocd
-    last-reviewed: null
+    last-reviewed: 2026-03-06
    current-version: "6.19.1"
    upstream-source: https://github.com/devpi/devpi/releases
		`@ -0,0 +1 @@`
							Add `:kustomized` sentinel tag to all manifest image references overridden by kustomize, making it clear the real tag lives in kustomization.yaml.