From b3747f6c959fa1eb39d28b92f3cb728ea3c69d0c Mon Sep 17 00:00:00 2001 
From: Erich Blume Date: Fri, 13 Feb 2026 17:16:37 -0800 Subject: [PATCH] Tier 1 version bumps (#186) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary Audit and upgrade of all deployed images, helm charts, and custom container Dockerfiles to latest stable versions. This PR covers Tier 1 (low-risk minor/patch bumps only). ### Upstream images | Image | Old | New | |-------|-----|-----| | kube-state-metrics | v2.13.0 | v2.18.0 | | prometheus | v3.2.1 | v3.9.1 | | loki | 3.3.2 | 3.6.5 | | alloy | v1.5.1 | v1.13.1 | | tailscale (proxy + operator) | v1.92.5 | v1.94.1 | | navidrome | :latest | v0.60.3 (pinned) | ### Helm charts | Chart | Old | New | |-------|-----|-----| | CloudNativePG | v0.27.0 | v0.27.1 | | 1Password Connect | 2.2.1 | 2.3.0 | ### Custom containers (Dockerfiles updated, images not yet tagged) | Container | Changes | New tag | |-----------|---------|---------| | miniflux | 2.2.16→2.2.17 (security), alpine 3.22 | v1.1.0 | | kubectl | v1.34.1→v1.34.4, alpine 3.22 | v1.1.0 | | kiwix-serve | alpine 3.22 | v1.1.0 | | nettest | alpine 3.22 | v0.14.0 | | transmission | alpine 3.22, pkg 4.0.6-r4 | v1.1.0 | All custom containers verified with local `dagger call build`. ### Deferred to Tier 2 (separate PRs) - Forgejo runner 6→12 (major version scheme change) - Docker DinD 27→29 - Grafana chart 8→11 (repo migration) - External Secrets 1→2 (breaking changes) - Python 3.12→3.13, Elixir 1.18→1.19, Node 22→24 - Transmission 4.0.6→4.1.0 (not in Alpine yet) ## Deployment After merge: 1. Tag custom containers: `mise run container-tag-and-release ` for each 2. Wait for CI builds to complete 3. 
`argocd app sync apps` then sync individual apps, or let ArgoCD auto-detect Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/186 --- argocd/apps/1password-connect.yaml | 2 +- argocd/apps/cloudnative-pg.yaml | 2 +- argocd/manifests/alloy-k8s/daemonset.yaml | 2 +- argocd/manifests/kiwix/cronjob-zim-watcher.yaml | 2 +- argocd/manifests/kiwix/deployment.yaml | 4 ++-- argocd/manifests/kube-state-metrics/deployment.yaml | 2 +- argocd/manifests/loki/statefulset.yaml | 2 +- argocd/manifests/miniflux/deployment.yaml | 2 +- argocd/manifests/navidrome/deployment.yaml | 2 +- argocd/manifests/prometheus/statefulset.yaml | 2 +- argocd/manifests/tailscale-operator/operator.yaml | 2 +- argocd/manifests/tailscale-operator/proxyclass.yaml | 4 ++-- argocd/manifests/torrent/deployment.yaml | 2 +- containers/kiwix-serve/Dockerfile | 2 +- containers/kubectl/Dockerfile | 6 +++--- containers/miniflux/Dockerfile | 6 +++--- containers/nettest/Dockerfile | 2 +- containers/transmission/Dockerfile | 4 ++-- docs/changelog.d/feature-tier1-version-bumps.infra.md | 1 + 19 files changed, 26 insertions(+), 25 deletions(-) create mode 100644 docs/changelog.d/feature-tier1-version-bumps.infra.md diff --git a/argocd/apps/1password-connect.yaml b/argocd/apps/1password-connect.yaml index 89263da..972a467 100644 --- a/argocd/apps/1password-connect.yaml +++ b/argocd/apps/1password-connect.yaml @@ -21,7 +21,7 @@ spec: project: default sources: - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/connect-helm-charts.git - targetRevision: connect-2.2.1 + targetRevision: connect-2.3.0 path: charts/connect helm: releaseName: onepassword-connect diff --git a/argocd/apps/cloudnative-pg.yaml b/argocd/apps/cloudnative-pg.yaml index 73c3bf0..273bdc3 100644 --- a/argocd/apps/cloudnative-pg.yaml +++ b/argocd/apps/cloudnative-pg.yaml 
@@ -12,7 +12,7 @@ spec: sources: # Helm chart from forge mirror (SSH via egress) - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/cloudnative-pg-charts.git - targetRevision: cloudnative-pg-v0.27.0 + targetRevision: cloudnative-pg-v0.27.1 path: charts/cloudnative-pg helm: releaseName: cloudnative-pg diff --git a/argocd/manifests/alloy-k8s/daemonset.yaml b/argocd/manifests/alloy-k8s/daemonset.yaml index 95f780b..b78633a 100644 --- a/argocd/manifests/alloy-k8s/daemonset.yaml +++ b/argocd/manifests/alloy-k8s/daemonset.yaml @@ -19,7 +19,7 @@ spec: fsGroup: 473 # alloy user group containers: - name: alloy - image: grafana/alloy:v1.5.1 + image: grafana/alloy:v1.13.1 args: - run - --server.http.listen-addr=0.0.0.0:12345 diff --git a/argocd/manifests/kiwix/cronjob-zim-watcher.yaml b/argocd/manifests/kiwix/cronjob-zim-watcher.yaml index 5de0990..50d6883 100644 --- a/argocd/manifests/kiwix/cronjob-zim-watcher.yaml +++ b/argocd/manifests/kiwix/cronjob-zim-watcher.yaml @@ -15,7 +15,7 @@ spec: serviceAccountName: zim-watcher containers: - name: watcher - image: registry.ops.eblu.me/blumeops/kubectl:v1.0.0 + image: registry.ops.eblu.me/blumeops/kubectl:v1.1.0 command: ["/bin/bash", "-c"] args: - | diff --git a/argocd/manifests/kiwix/deployment.yaml b/argocd/manifests/kiwix/deployment.yaml index bf45625..8dbb4d4 100644 --- a/argocd/manifests/kiwix/deployment.yaml +++ b/argocd/manifests/kiwix/deployment.yaml @@ -20,7 +20,7 @@ spec: containers: # Main kiwix-serve container - name: kiwix-serve - image: registry.ops.eblu.me/blumeops/kiwix-serve:v1.0.0 + image: registry.ops.eblu.me/blumeops/kiwix-serve:v1.1.0 args: - "/bin/sh" - "-c" @@ -53,7 +53,7 @@ spec: # Sidecar: Syncs declarative ZIM torrents to transmission - name: torrent-sync - image: registry.ops.eblu.me/blumeops/transmission:v1.0.1 + image: registry.ops.eblu.me/blumeops/transmission:v1.1.0 command: ["/bin/bash", "-c"] args: - | 
diff --git a/argocd/manifests/kube-state-metrics/deployment.yaml b/argocd/manifests/kube-state-metrics/deployment.yaml index 69d3bd2..2ba12ba 100644 --- a/argocd/manifests/kube-state-metrics/deployment.yaml +++ b/argocd/manifests/kube-state-metrics/deployment.yaml @@ -18,7 +18,7 @@ spec: serviceAccountName: kube-state-metrics containers: - name: kube-state-metrics - image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.13.0 + image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.18.0 ports: - containerPort: 8080 name: http-metrics diff --git a/argocd/manifests/loki/statefulset.yaml b/argocd/manifests/loki/statefulset.yaml index 18067b4..d3a75a7 100644 --- a/argocd/manifests/loki/statefulset.yaml +++ b/argocd/manifests/loki/statefulset.yaml @@ -20,7 +20,7 @@ spec: runAsUser: 10001 containers: - name: loki - image: grafana/loki:3.3.2 + image: grafana/loki:3.6.5 args: - -config.file=/etc/loki/loki-config.yaml ports: diff --git a/argocd/manifests/miniflux/deployment.yaml b/argocd/manifests/miniflux/deployment.yaml index f5324ac..ed64246 100644 --- a/argocd/manifests/miniflux/deployment.yaml +++ b/argocd/manifests/miniflux/deployment.yaml @@ -15,7 +15,7 @@ spec: spec: containers: - name: miniflux - image: registry.ops.eblu.me/blumeops/miniflux:v1.0.0 + image: registry.ops.eblu.me/blumeops/miniflux:v1.1.0 ports: - containerPort: 8080 env: diff --git a/argocd/manifests/navidrome/deployment.yaml b/argocd/manifests/navidrome/deployment.yaml index e30cc99..591caa6 100644 --- a/argocd/manifests/navidrome/deployment.yaml +++ b/argocd/manifests/navidrome/deployment.yaml @@ -16,7 +16,7 @@ spec: spec: containers: - name: navidrome - image: deluan/navidrome:latest + image: deluan/navidrome:v0.60.3 ports: - containerPort: 4533 name: http diff --git a/argocd/manifests/prometheus/statefulset.yaml b/argocd/manifests/prometheus/statefulset.yaml index 651451f..9cad55d 100644 --- a/argocd/manifests/prometheus/statefulset.yaml 
+++ b/argocd/manifests/prometheus/statefulset.yaml @@ -20,7 +20,7 @@ spec: runAsUser: 65534 containers: - name: prometheus - image: prom/prometheus:v3.2.1 + image: prom/prometheus:v3.9.1 args: - --config.file=/etc/prometheus/prometheus.yml - --storage.tsdb.path=/prometheus diff --git a/argocd/manifests/tailscale-operator/operator.yaml b/argocd/manifests/tailscale-operator/operator.yaml index 78a84ee..203b8d6 100644 --- a/argocd/manifests/tailscale-operator/operator.yaml +++ b/argocd/manifests/tailscale-operator/operator.yaml @@ -5362,7 +5362,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.uid - image: docker.io/tailscale/k8s-operator:v1.92.5 + image: docker.io/tailscale/k8s-operator:v1.94.1 imagePullPolicy: Always name: operator volumeMounts: diff --git a/argocd/manifests/tailscale-operator/proxyclass.yaml b/argocd/manifests/tailscale-operator/proxyclass.yaml index 3e4e2b4..2591b39 100644 --- a/argocd/manifests/tailscale-operator/proxyclass.yaml +++ b/argocd/manifests/tailscale-operator/proxyclass.yaml @@ -18,6 +18,6 @@ spec: statefulSet: pod: tailscaleContainer: - image: docker.io/tailscale/tailscale:v1.92.5 + image: docker.io/tailscale/tailscale:v1.94.1 tailscaleInitContainer: - image: docker.io/tailscale/tailscale:v1.92.5 + image: docker.io/tailscale/tailscale:v1.94.1 diff --git a/argocd/manifests/torrent/deployment.yaml b/argocd/manifests/torrent/deployment.yaml index 5eafce8..9a2bc1d 100644 --- a/argocd/manifests/torrent/deployment.yaml +++ b/argocd/manifests/torrent/deployment.yaml @@ -16,7 +16,7 @@ spec: spec: containers: - name: transmission - image: registry.ops.eblu.me/blumeops/transmission:v1.0.1 + image: registry.ops.eblu.me/blumeops/transmission:v1.1.0 env: - name: PUID value: "1000" diff --git a/containers/kiwix-serve/Dockerfile b/containers/kiwix-serve/Dockerfile index 37255a4..5bedee4 100644 --- a/containers/kiwix-serve/Dockerfile +++ b/containers/kiwix-serve/Dockerfile 
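Review bot: In argocd/manifests/tailscale-operator/operator.yaml the operator image is referenced by tag only, and the context line right after it sets `imagePullPolicy: Always`, so every pod restart re-resolves `v1.94.1` against Docker Hub and runs whatever the tag points to then. For a component that presumably holds tailnet credentials I would pin the digest next to the tag, `image: docker.io/tailscale/k8s-operator:v1.94.1@sha256:<digest of the audited image>`, which also makes the audit in the description reproducible. The other upstream images bumped in this patch (alloy, kube-state-metrics, loki, navidrome, prometheus, and the two tailscale images in proxyclass.yaml) are tag-only as well, though their pull policy is not visible in these hunks. The enclosing container spec starts and ends outside the hunk.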
@@ -1,7 +1,7 @@ # kiwix-serve container # Downloads pre-built binary from kiwix mirror -FROM alpine:3.21 +FROM alpine:3.22 ARG TARGETPLATFORM ARG KIWIX_VERSION=3.8.1 diff --git a/containers/kubectl/Dockerfile b/containers/kubectl/Dockerfile index 31a2536..7203520 100644 --- a/containers/kubectl/Dockerfile +++ b/containers/kubectl/Dockerfile @@ -1,10 +1,10 @@ # Minimal kubectl container # Multi-arch build: downloads correct binary for target platform -FROM alpine:3.21 AS downloader +FROM alpine:3.22 AS downloader ARG TARGETARCH -ARG KUBECTL_VERSION=v1.34.1 +ARG KUBECTL_VERSION=v1.34.4 RUN apk add --no-cache curl && \ # Detect architecture - use TARGETARCH if set, otherwise detect from uname @@ -22,7 +22,7 @@ RUN apk add --no-cache curl && \ curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" && \ chmod +x kubectl -FROM alpine:3.21 +FROM alpine:3.22 COPY --from=downloader /kubectl /usr/local/bin/kubectl diff --git a/containers/miniflux/Dockerfile b/containers/miniflux/Dockerfile index eecee4d..ba5c3c4 100644 --- a/containers/miniflux/Dockerfile +++ b/containers/miniflux/Dockerfile @@ -1,9 +1,9 @@ # Miniflux RSS feed reader # Based on upstream packaging/docker/alpine/Dockerfile -ARG MINIFLUX_VERSION=2.2.16 +ARG MINIFLUX_VERSION=2.2.17 -FROM golang:alpine3.21 AS build +FROM golang:alpine3.22 AS build ARG MINIFLUX_VERSION RUN apk add --no-cache build-base git make @@ -15,7 +15,7 @@ RUN git clone --depth 1 --branch ${MINIFLUX_VERSION} \ WORKDIR /go/src/app RUN make miniflux -FROM alpine:3.21 +FROM alpine:3.22 LABEL org.opencontainers.image.title=Miniflux LABEL org.opencontainers.image.description="Miniflux is a minimalist and opinionated feed reader" diff --git a/containers/nettest/Dockerfile b/containers/nettest/Dockerfile index 1e18861..576bfe5 100644 --- a/containers/nettest/Dockerfile +++ b/containers/nettest/Dockerfile 
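Review bot: In containers/kubectl/Dockerfile the binary fetched by `curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl"` is made executable and copied into the final stage without an integrity check, so the bump to v1.34.4 trusts whatever that URL returns at build time. I would record an expected digest beside the version, `ARG KUBECTL_SHA256=<sha256 of the v1.34.4 binary>`, and verify it before the `chmod`: `echo "${KUBECTL_SHA256}  kubectl" | sha256sum -c - && \`. A multi-arch build needs one digest per `ARCH`. Comparing against the `kubectl.sha256` file published beside the binary is a weaker fallback, because it comes from the same origin. The RUN instruction spans both hunks of this file and its middle lines are not shown.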
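Review bot: The build stage in containers/miniflux/Dockerfile uses `FROM golang:alpine3.22 AS build`, which fixes the Alpine release but not the Go release, so the toolchain and standard library compiled into miniflux change whenever that tag moves. Since the description calls 2.2.17 a security update, I would pin the compiler too, `FROM golang:<go-version>-alpine3.22 AS build`, so that rebuilding image tag v1.1.0 yields the same binary. The `git clone --depth 1 --branch ${MINIFLUX_VERSION}` visible in the second hunk's header likewise resolves a tag name, not a commit. Checking the cloned HEAD against the release commit's hash would close that gap; the rest of that RUN is outside the hunk.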
@@ -4,7 +4,7 @@ # - Docker on indri (during CI build) # - Minikube pods (manual testing) -FROM alpine:3.21 +FROM alpine:3.22 RUN apk add --no-cache \ curl \ diff --git a/containers/transmission/Dockerfile b/containers/transmission/Dockerfile index b17a59e..42b9ecc 100644 --- a/containers/transmission/Dockerfile +++ b/containers/transmission/Dockerfile @@ -1,9 +1,9 @@ # Transmission BitTorrent daemon # Simpler alternative to linuxserver image -FROM alpine:3.21 +FROM alpine:3.22 -ARG TRANSMISSION_VERSION=4.0.6-r0 +ARG TRANSMISSION_VERSION=4.0.6-r4 RUN apk add --no-cache \ transmission-daemon=${TRANSMISSION_VERSION} \ diff --git a/docs/changelog.d/feature-tier1-version-bumps.infra.md b/docs/changelog.d/feature-tier1-version-bumps.infra.md new file mode 100644 index 0000000..ca21952 --- /dev/null +++ b/docs/changelog.d/feature-tier1-version-bumps.infra.md @@ -0,0 +1 @@ +Tier 1 version bumps: upstream images (prometheus, loki, alloy, kube-state-metrics, tailscale, navidrome), helm charts (CloudNativePG, 1Password Connect), and custom containers (miniflux, kubectl, kiwix-serve, nettest, transmission) updated to latest stable versions with Alpine 3.22 base.