Add :kustomized sentinel tag to manifest images, review devpi

Bare image references in manifests were ambiguous — unclear whether the
tag was intentionally omitted or managed by kustomize. Add :kustomized
sentinel to all 37 image refs overridden by kustomize images transformer.
Add sync notes for tailscale-operator proxyclass (CRD fields not processed
by kustomize). Mark devpi reviewed (6.19.1 is current).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Erich Blume 2026-03-06 08:15:06 -08:00
commit 6e8d11c6bb
34 changed files with 44 additions and 38 deletions


@ -19,7 +19,7 @@ spec:
fsGroup: 473 # alloy user group
containers:
- name: alloy
image: grafana/alloy
image: grafana/alloy:kustomized
args:
- run
- --server.http.listen-addr=0.0.0.0:12345
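Review bot: The `:kustomized` sentinel on `grafana/alloy:kustomized` only disappears if the `images:` entry in kustomization.yaml spells the name exactly as written here (`grafana/alloy`, not `docker.io/grafana/alloy`); on a mismatch the literal tag reaches the cluster. That fails closed with ImagePullBackOff instead of silently pulling `:latest`, which is the right failure mode, but it is only discovered at sync time. A cheap pre-merge guard would be `kustomize build . | grep -n ':kustomized' && exit 1` run in CI so an unmatched sentinel is rejected before ArgoCD applies it. The Deployment spec this container belongs to starts outside the hunk.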


@ -19,7 +19,7 @@ spec:
fsGroup: 473 # alloy user group
containers:
- name: alloy
image: grafana/alloy
image: grafana/alloy:kustomized
args:
- run
- --server.http.listen-addr=0.0.0.0:12345


@ -18,7 +18,7 @@ spec:
hostPID: true
containers:
- name: alloy
image: grafana/alloy
image: grafana/alloy:kustomized
args:
- run
- --server.http.listen-addr=0.0.0.0:12346


@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: redis
image: docker.io/library/redis
image: docker.io/library/redis:kustomized
ports:
- name: redis
containerPort: 6379


@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: server
image: registry.ops.eblu.me/blumeops/authentik
image: registry.ops.eblu.me/blumeops/authentik:kustomized
args: ["server"]
ports:
- name: http


@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: worker
image: registry.ops.eblu.me/blumeops/authentik
image: registry.ops.eblu.me/blumeops/authentik:kustomized
args: ["worker"]
env:
- name: AUTHENTIK_SECRET_KEY


@ -21,7 +21,7 @@ spec:
spec:
containers:
- name: cv
image: registry.ops.eblu.me/blumeops/cv
image: registry.ops.eblu.me/blumeops/cv:kustomized
ports:
- containerPort: 80
name: http


@ -18,7 +18,7 @@ spec:
fsGroup: 1000
containers:
- name: devpi
image: registry.ops.eblu.me/blumeops/devpi
image: registry.ops.eblu.me/blumeops/devpi:kustomized
env:
- name: DEVPI_ROOT_PASSWORD
valueFrom:


@ -21,7 +21,7 @@ spec:
spec:
containers:
- name: docs
image: registry.ops.eblu.me/blumeops/quartz
image: registry.ops.eblu.me/blumeops/quartz:kustomized
ports:
- containerPort: 80
name: http


@ -18,7 +18,7 @@ spec:
containers:
# Forgejo runner daemon
- name: runner
image: code.forgejo.org/forgejo/runner
image: code.forgejo.org/forgejo/runner:kustomized
env:
- name: TZ
value: America/Los_Angeles
@ -68,7 +68,7 @@ spec:
# Docker-in-Docker sidecar
- name: dind
image: docker
image: docker:kustomized
securityContext:
privileged: true
env:
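Review bot: `docker:kustomized` on the dind sidecar is a bare Docker Hub short name, unlike the fully qualified `docker.io/library/...` form this commit uses elsewhere; the images transformer matches the name string verbatim, so the kustomization entry must also be spelled `docker`, and which registry `docker` resolves to is left to the container runtime. Because this container runs with `privileged: true`, an image that slips through unmatched or unpinned has host-level reach, so this is the one place a `digest:` on the kustomization images entry is most worth the upkeep. Consider `image: docker.io/library/docker:kustomized` with a matching `name: docker.io/library/docker` entry. The pod spec starts outside the hunk.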


@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: frigate-notify
image: ghcr.io/0x2142/frigate-notify
image: ghcr.io/0x2142/frigate-notify:kustomized
env:
- name: TZ
value: America/Los_Angeles


@ -19,7 +19,7 @@ spec:
runtimeClassName: nvidia
initContainers:
- name: copy-config
image: busybox
image: busybox:kustomized
command: ["cp", "/config-ro/config.yml", "/config/config.yml"]
volumeMounts:
- name: config-ro
@ -28,7 +28,7 @@ spec:
mountPath: /config
containers:
- name: frigate
image: ghcr.io/blakeblackshear/frigate
image: ghcr.io/blakeblackshear/frigate:kustomized
ports:
- containerPort: 5000
name: http
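Review bot: `busybox:kustomized` on the `copy-config` init container uses the bare short name while the grafana manifest in this same commit writes `docker.io/library/busybox:kustomized`; since the kustomize images transformer keys on the literal name, these need two separate `images:` entries and can drift to different busybox tags or digests. Normalizing this one to `image: docker.io/library/busybox:kustomized` lets a single entry cover both and removes the dependence on the runtime's default-registry resolution. Whether the kustomization currently carries both spellings is not visible here.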


@ -32,7 +32,7 @@ spec:
runAsUser: 472
initContainers:
- name: init-chown-data
image: docker.io/library/busybox
image: docker.io/library/busybox:kustomized
imagePullPolicy: IfNotPresent
command: ["chown", "-R", "472:472", "/var/lib/grafana"]
securityContext:
@ -48,7 +48,7 @@ spec:
containers:
# Dashboard sidecar - watches ConfigMaps with grafana_dashboard=1
- name: grafana-sc-dashboard
image: registry.ops.eblu.me/blumeops/grafana-sidecar
image: registry.ops.eblu.me/blumeops/grafana-sidecar:kustomized
imagePullPolicy: IfNotPresent
env:
- name: METHOD
@ -88,7 +88,7 @@ spec:
mountPath: /tmp/dashboards
# Grafana
- name: grafana
image: registry.ops.eblu.me/blumeops/grafana
image: registry.ops.eblu.me/blumeops/grafana:kustomized
imagePullPolicy: IfNotPresent
env:
- name: POD_IP


@ -20,7 +20,7 @@ spec:
fsGroup: 1000
containers:
- name: homepage
image: registry.ops.eblu.me/blumeops/homepage
image: registry.ops.eblu.me/blumeops/homepage:kustomized
securityContext:
runAsNonRoot: true
allowPrivilegeEscalation: false


@ -15,7 +15,7 @@ spec:
serviceAccountName: zim-watcher
containers:
- name: watcher
image: registry.ops.eblu.me/blumeops/kubectl
image: registry.ops.eblu.me/blumeops/kubectl:kustomized
command: ["/bin/bash", "-c"]
args:
- |


@ -20,7 +20,7 @@ spec:
containers:
# Main kiwix-serve container
- name: kiwix-serve
image: registry.ops.eblu.me/blumeops/kiwix-serve
image: registry.ops.eblu.me/blumeops/kiwix-serve:kustomized
args:
- "/bin/sh"
- "-c"
@ -53,7 +53,7 @@ spec:
# Sidecar: Syncs declarative ZIM torrents to transmission
- name: torrent-sync
image: registry.ops.eblu.me/blumeops/transmission
image: registry.ops.eblu.me/blumeops/transmission:kustomized
command: ["/bin/bash", "-c"]
args:
- |


@ -18,7 +18,7 @@ spec:
serviceAccountName: kube-state-metrics
containers:
- name: kube-state-metrics
image: registry.k8s.io/kube-state-metrics/kube-state-metrics
image: registry.k8s.io/kube-state-metrics/kube-state-metrics:kustomized
ports:
- containerPort: 8080
name: http-metrics


@ -18,7 +18,7 @@ spec:
serviceAccountName: kube-state-metrics
containers:
- name: kube-state-metrics
image: registry.k8s.io/kube-state-metrics/kube-state-metrics
image: registry.k8s.io/kube-state-metrics/kube-state-metrics:kustomized
ports:
- containerPort: 8080
name: http-metrics


@ -20,7 +20,7 @@ spec:
runAsUser: 10001
containers:
- name: loki
image: grafana/loki
image: grafana/loki:kustomized
args:
- -config.file=/etc/loki/loki-config.yaml
ports:


@ -15,7 +15,7 @@ spec:
spec:
containers:
- name: miniflux
image: registry.ops.eblu.me/blumeops/miniflux
image: registry.ops.eblu.me/blumeops/miniflux:kustomized
ports:
- containerPort: 8080
env:


@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: mosquitto
image: eclipse-mosquitto
image: eclipse-mosquitto:kustomized
ports:
- containerPort: 1883
name: mqtt


@ -20,7 +20,7 @@ spec:
fsGroup: 1000
containers:
- name: navidrome
image: registry.ops.eblu.me/blumeops/navidrome
image: registry.ops.eblu.me/blumeops/navidrome:kustomized
securityContext:
runAsNonRoot: true
allowPrivilegeEscalation: false


@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: ntfy
image: registry.ops.eblu.me/blumeops/ntfy
image: registry.ops.eblu.me/blumeops/ntfy:kustomized
args: ["serve", "--config", "/etc/ntfy/server.yml"]
ports:
- containerPort: 80


@ -22,7 +22,7 @@ spec:
priorityClassName: system-node-critical
containers:
- name: nvidia-device-plugin
image: nvcr.io/nvidia/k8s-device-plugin
image: nvcr.io/nvidia/k8s-device-plugin:kustomized
args:
- --device-id-strategy=index
- --config-file=/config/config.yaml


@ -19,7 +19,7 @@ spec:
runtimeClassName: nvidia
containers:
- name: ollama
image: ollama/ollama
image: ollama/ollama:kustomized
ports:
- containerPort: 11434
name: http
@ -56,7 +56,7 @@ spec:
initialDelaySeconds: 10
periodSeconds: 10
- name: model-sync
image: ollama/ollama
image: ollama/ollama:kustomized
command: ["/bin/bash", "/scripts/sync-models.sh"]
env:
- name: MODEL_LIST


@ -20,7 +20,7 @@ spec:
runAsUser: 65534
containers:
- name: prometheus
image: registry.ops.eblu.me/blumeops/prometheus
image: registry.ops.eblu.me/blumeops/prometheus:kustomized
args:
- --config.file=/etc/prometheus/prometheus.yml
- --storage.tsdb.path=/prometheus


@ -9,6 +9,10 @@ resources:
- proxyclass.yaml
- dnsconfig.yaml
# NOTE: also update proxyclass.yaml when changing the Tailscale version.
# The kustomize images transformer only processes standard k8s container specs
# (Deployments, StatefulSets, etc.), not CRD fields like ProxyClass, so
# proxyclass.yaml tags must be updated manually.
images:
- name: docker.io/tailscale/k8s-operator
newTag: v1.94.2
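Review bot: The "must be updated manually" caveat in the new comment can be engineered away rather than documented: kustomize's images transformer can be pointed at CRD fields through a transformer configuration, so a small `kustomizeconfig.yaml` declaring an `images:` field spec with `kind: ProxyClass` and paths `spec/statefulSet/pod/tailscaleContainer/image` and `spec/statefulSet/pod/tailscaleInitContainer/image`, referenced via `configurations: [kustomizeconfig.yaml]`, plus an `images:` entry for `docker.io/tailscale/tailscale` with the same `newTag`, keeps both versions in one place (verify the field-spec path form against your kustomize version). Separately, `newTag: v1.94.2` pins by mutable tag only; adding a `digest:` to the entry makes the operator image pin immutable. The `resources:` list starts outside the hunk.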


@ -5362,7 +5362,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.uid
image: docker.io/tailscale/k8s-operator
image: docker.io/tailscale/k8s-operator:kustomized
imagePullPolicy: Always
name: operator
volumeMounts:


@ -18,6 +18,7 @@ spec:
statefulSet:
pod:
tailscaleContainer:
# NOTE: keep in sync with kustomization.yaml (CRD fields aren't processed by kustomize images)
image: docker.io/tailscale/tailscale:v1.94.2
tailscaleInitContainer:
image: docker.io/tailscale/tailscale:v1.94.2
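Review bot: The new NOTE sits above only `tailscaleContainer.image`, but `tailscaleInitContainer.image` two lines below carries the same version and is equally unmanaged by kustomize, so someone bumping the first can miss the second. Move the comment up to the `pod:` level and have it name both fields, e.g. `# NOTE: both image tags below are bumped by hand alongside kustomization.yaml — kustomize's images transformer does not process ProxyClass fields`. The ProxyClass spec starts outside the hunk.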


@ -20,7 +20,7 @@ spec:
runAsUser: 10001
containers:
- name: tempo
image: grafana/tempo
image: grafana/tempo:kustomized
args:
- -config.file=/etc/tempo/tempo.yaml
ports:


@ -15,7 +15,7 @@ spec:
spec:
containers:
- name: teslamate
image: registry.ops.eblu.me/blumeops/teslamate
image: registry.ops.eblu.me/blumeops/teslamate:kustomized
ports:
- containerPort: 4000
env:


@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: transmission
image: registry.ops.eblu.me/blumeops/transmission
image: registry.ops.eblu.me/blumeops/transmission:kustomized
env:
- name: PUID
value: "1000"
@ -56,7 +56,7 @@ spec:
initialDelaySeconds: 10
periodSeconds: 10
- name: transmission-exporter
image: registry.ops.eblu.me/blumeops/transmission-exporter
image: registry.ops.eblu.me/blumeops/transmission-exporter:kustomized
env:
- name: TRANSMISSION_ADDR
value: "http://localhost:9091"


@ -0,0 +1 @@
Add `:kustomized` sentinel tag to all manifest image references overridden by kustomize, making it clear the real tag lives in kustomization.yaml.


@ -201,7 +201,7 @@ services:
- name: devpi
type: argocd
last-reviewed: null
last-reviewed: 2026-03-06
current-version: "6.19.1"
upstream-source: https://github.com/devpi/devpi/releases
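Review bot: `last-reviewed: 2026-03-06` is an unquoted ISO date, which YAML 1.1 loaders such as PyYAML turn into a date object, while `current-version` right below it is deliberately quoted as a string; if whatever consumes this services file compares or prints `last-reviewed` as text (cannot tell from here), the two fields now differ in type and a `null` → date transition may not round-trip cleanly. Quoting it as `last-reviewed: "2026-03-06"` keeps it a string under every loader. The `services:` list starts outside the hunk.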