eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions

Upgrade Grafana 12.3.3 → 12.4.2 (#322)
All checks were successful
Build Container / detect (push) Successful in 2s
Details
Build Container / build-dockerfile (grafana) (push) Successful in 7s
Details

Browse source 
## Summary

- Bumps Grafana from 12.3.3 to 12.4.2
- Patches 7 CVEs, notably CVE-2026-27880 (unauthenticated OOM DoS, CVSS 7.5) and CVE-2026-27879 (authenticated OOM via resample queries)
- No config changes required — reviewed alerting, datasources, OIDC, and feature toggles against 12.4.x breaking changes

## Breaking changes reviewed

| Change | Impact |
|--------|--------|
| Alerting: pending period applies to NoData/Error | Net positive — reduces noise from transient blips |
| Default notification uses empty receiver | No impact — we explicitly set `ntfy-infra` |
| Removed feature toggles (4) | No impact — none configured |
| OAuth ID token signature validation | Low risk — verify OIDC login post-deploy |
| OpsGenie deprecated | No impact — using webhook |

## Test plan

- [ ] Container build completes at forge
- [ ] Update kustomization.yaml with new image tag
- [ ] `argocd app set grafana --revision upgrade/grafana-12.4.2 && argocd app sync grafana`
- [ ] Verify Grafana UI loads at grafana.ops.eblu.me
- [ ] Verify OIDC login via Authentik
- [ ] Verify dashboards and datasources load
- [ ] Check alerting rules are intact

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #322
This commit is contained in:
Erich Blume 2026-04-02 11:33:19 -07:00
commit b1e2811077
4 changed files with 5 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

2
argocd/manifests/grafana/kustomization.yaml
View file

@ -18,7 +18,7 @@ images:
- name: registry.ops.eblu.me/blumeops/grafana-sidecar - name: registry.ops.eblu.me/blumeops/grafana-sidecar
newTag: v1.28.0-613f05d newTag: v1.28.0-613f05d
- name: registry.ops.eblu.me/blumeops/grafana - name: registry.ops.eblu.me/blumeops/grafana
newTag: v12.3.3-613f05d newTag: v12.4.2-4c54774
configMapGenerator: configMapGenerator:
- name: grafana - name: grafana

2
containers/grafana/Dockerfile
View file

@ -1,4 +1,4 @@
ARG CONTAINER_APP_VERSION=12.3.3 ARG CONTAINER_APP_VERSION=12.4.2
FROM alpine:3.22 FROM alpine:3.22

1
docs/changelog.d/upgrade-grafana-12.4.2.infra.md Normal file
View file

@ -0,0 +1 @@
Upgrade Grafana from 12.3.3 to 12.4.2 — patches 7 CVEs including an unauthenticated DoS (CVE-2026-27880).

4
service-versions.yaml
View file

@ -97,8 +97,8 @@ services:
- name: grafana - name: grafana
type: argocd type: argocd
last-reviewed: 2026-02-23 last-reviewed: 2026-04-02
current-version: "12.3.3" current-version: "12.4.2"
upstream-source: https://github.com/grafana/grafana/releases upstream-source: https://github.com/grafana/grafana/releases
notes: Home-built container from Alpine; upgraded from Helm to Kustomize notes: Home-built container from Alpine; upgraded from Helm to Kustomize