Tier 1 version bumps (#186)

## Summary

Audit and upgrade of all deployed images, helm charts, and custom container Dockerfiles to latest stable versions. This PR covers Tier 1 (low-risk minor/patch bumps only).

### Upstream images
| Image | Old | New |
|-------|-----|-----|
| kube-state-metrics | v2.13.0 | v2.18.0 |
| prometheus | v3.2.1 | v3.9.1 |
| loki | 3.3.2 | 3.6.5 |
| alloy | v1.5.1 | v1.13.1 |
| tailscale (proxy + operator) | v1.92.5 | v1.94.1 |
| navidrome | :latest | v0.60.3 (pinned) |

### Helm charts
| Chart | Old | New |
|-------|-----|-----|
| CloudNativePG | v0.27.0 | v0.27.1 |
| 1Password Connect | 2.2.1 | 2.3.0 |

### Custom containers (Dockerfiles updated, images not yet tagged)
| Container | Changes | New tag |
|-----------|---------|---------|
| miniflux | 2.2.16→2.2.17 (security), alpine 3.22 | v1.1.0 |
| kubectl | v1.34.1→v1.34.4, alpine 3.22 | v1.1.0 |
| kiwix-serve | alpine 3.22 | v1.1.0 |
| nettest | alpine 3.22 | v0.14.0 |
| transmission | alpine 3.22, pkg 4.0.6-r4 | v1.1.0 |

All custom containers verified with local `dagger call build`.

### Deferred to Tier 2 (separate PRs)
- Forgejo runner 6→12 (major version scheme change)
- Docker DinD 27→29
- Grafana chart 8→11 (repo migration)
- External Secrets 1→2 (breaking changes)
- Python 3.12→3.13, Elixir 1.18→1.19, Node 22→24
- Transmission 4.0.6→4.1.0 (not in Alpine yet)

## Deployment

After merge:
1. Tag custom containers: `mise run container-tag-and-release <name> <version>` for each
2. Wait for CI builds to complete
3. `argocd app sync apps` then sync individual apps, or let ArgoCD auto-detect

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/186
Erich Blume 2026-02-13 17:16:37 -08:00
commit b3747f6c95
19 changed files with 26 additions and 25 deletions

View file

@ -21,7 +21,7 @@ spec:
project: default project: default
sources: sources:
- repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/connect-helm-charts.git - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/connect-helm-charts.git
targetRevision: connect-2.2.1 targetRevision: connect-2.3.0
path: charts/connect path: charts/connect
helm: helm:
releaseName: onepassword-connect releaseName: onepassword-connect
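
Review bot: `targetRevision: connect-2.3.0` is a git tag on the forge mirror, and a tag can be moved after this review. For the 1Password Connect chart in particular, consider setting targetRevision to the commit SHA that connect-2.3.0 points to, with the tag name kept in a comment, so the chart content ArgoCD syncs is exactly what was reviewed.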

View file

@ -12,7 +12,7 @@ spec:
sources: sources:
# Helm chart from forge mirror (SSH via egress) # Helm chart from forge mirror (SSH via egress)
- repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/cloudnative-pg-charts.git - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/cloudnative-pg-charts.git
targetRevision: cloudnative-pg-v0.27.0 targetRevision: cloudnative-pg-v0.27.1
path: charts/cloudnative-pg path: charts/cloudnative-pg
helm: helm:
releaseName: cloudnative-pg releaseName: cloudnative-pg

View file

@ -19,7 +19,7 @@ spec:
fsGroup: 473 # alloy user group fsGroup: 473 # alloy user group
containers: containers:
- name: alloy - name: alloy
image: grafana/alloy:v1.5.1 image: grafana/alloy:v1.13.1
args: args:
- run - run
- --server.http.listen-addr=0.0.0.0:12345 - --server.http.listen-addr=0.0.0.0:12345
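
Review bot: grafana/alloy v1.5.1 to v1.13.1 spans eight minor releases, which is a wide step for a change described as low-risk minor/patch bumps. Before syncing, check the release notes in between for changes to the `run` arguments and config syntax this Deployment relies on, and confirm after rollout that logs and metrics are still being shipped.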

View file

@ -15,7 +15,7 @@ spec:
serviceAccountName: zim-watcher serviceAccountName: zim-watcher
containers: containers:
- name: watcher - name: watcher
image: registry.ops.eblu.me/blumeops/kubectl:v1.0.0 image: registry.ops.eblu.me/blumeops/kubectl:v1.1.0
command: ["/bin/bash", "-c"] command: ["/bin/bash", "-c"]
args: args:
- | - |
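
Review bot: the image tag moves to registry.ops.eblu.me/blumeops/kubectl:v1.1.0 here, but the description says the custom images are not yet tagged and that tagging happens after merge. If ArgoCD auto-detects this change before the CI build has published v1.1.0, the pod will fail to pull. Either tag and build first, or hold the sync until the CI builds in the deployment steps have finished; the same applies to the other registry.ops.eblu.me images bumped in this commit.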

View file

@ -20,7 +20,7 @@ spec:
containers: containers:
# Main kiwix-serve container # Main kiwix-serve container
- name: kiwix-serve - name: kiwix-serve
image: registry.ops.eblu.me/blumeops/kiwix-serve:v1.0.0 image: registry.ops.eblu.me/blumeops/kiwix-serve:v1.1.0
args: args:
- "/bin/sh" - "/bin/sh"
- "-c" - "-c"
@ -53,7 +53,7 @@ spec:
# Sidecar: Syncs declarative ZIM torrents to transmission # Sidecar: Syncs declarative ZIM torrents to transmission
- name: torrent-sync - name: torrent-sync
image: registry.ops.eblu.me/blumeops/transmission:v1.0.1 image: registry.ops.eblu.me/blumeops/transmission:v1.1.0
command: ["/bin/bash", "-c"] command: ["/bin/bash", "-c"]
args: args:
- | - |

View file

@ -18,7 +18,7 @@ spec:
serviceAccountName: kube-state-metrics serviceAccountName: kube-state-metrics
containers: containers:
- name: kube-state-metrics - name: kube-state-metrics
image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.13.0 image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.18.0
ports: ports:
- containerPort: 8080 - containerPort: 8080
name: http-metrics name: http-metrics

View file

@ -20,7 +20,7 @@ spec:
runAsUser: 10001 runAsUser: 10001
containers: containers:
- name: loki - name: loki
image: grafana/loki:3.3.2 image: grafana/loki:3.6.5
args: args:
- -config.file=/etc/loki/loki-config.yaml - -config.file=/etc/loki/loki-config.yaml
ports: ports:

View file

@ -15,7 +15,7 @@ spec:
spec: spec:
containers: containers:
- name: miniflux - name: miniflux
image: registry.ops.eblu.me/blumeops/miniflux:v1.0.0 image: registry.ops.eblu.me/blumeops/miniflux:v1.1.0
ports: ports:
- containerPort: 8080 - containerPort: 8080
env: env:

View file

@ -16,7 +16,7 @@ spec:
spec: spec:
containers: containers:
- name: navidrome - name: navidrome
image: deluan/navidrome:latest image: deluan/navidrome:v0.60.3
ports: ports:
- containerPort: 4533 - containerPort: 4533
name: http name: http
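
Review bot: because the old reference was `deluan/navidrome:latest`, the manifest does not say which version is actually running, so v0.60.3 could be an upgrade or a downgrade relative to the live pod. Check the running pod's image ID before syncing and record it in the PR, so the rollback target is known.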

View file

@ -20,7 +20,7 @@ spec:
runAsUser: 65534 runAsUser: 65534
containers: containers:
- name: prometheus - name: prometheus
image: prom/prometheus:v3.2.1 image: prom/prometheus:v3.9.1
args: args:
- --config.file=/etc/prometheus/prometheus.yml - --config.file=/etc/prometheus/prometheus.yml
- --storage.tsdb.path=/prometheus - --storage.tsdb.path=/prometheus
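
Review bot: prom/prometheus goes from v3.2.1 to v3.9.1 on a pod that keeps its data under `--storage.tsdb.path=/prometheus`. Confirm from the release notes that v3.2.1 can still read that directory after v3.9.1 has written to it, or snapshot the volume before syncing, so that a rollback of this line is actually possible.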

View file

@ -5362,7 +5362,7 @@ spec:
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.uid fieldPath: metadata.uid
image: docker.io/tailscale/k8s-operator:v1.92.5 image: docker.io/tailscale/k8s-operator:v1.94.1
imagePullPolicy: Always imagePullPolicy: Always
name: operator name: operator
volumeMounts: volumeMounts:
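
Review bot: `imagePullPolicy: Always` together with the tag reference docker.io/tailscale/k8s-operator:v1.94.1 means every operator restart resolves the tag against Docker Hub again. Appending the image digest to the reference (v1.94.1@sha256:<digest>) would make restarts pull the same bytes that were tested, which matters for a component that manages the cluster's network proxies.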

View file

@ -18,6 +18,6 @@ spec:
statefulSet: statefulSet:
pod: pod:
tailscaleContainer: tailscaleContainer:
image: docker.io/tailscale/tailscale:v1.92.5 image: docker.io/tailscale/tailscale:v1.94.1
tailscaleInitContainer: tailscaleInitContainer:
image: docker.io/tailscale/tailscale:v1.92.5 image: docker.io/tailscale/tailscale:v1.94.1

View file

@ -16,7 +16,7 @@ spec:
spec: spec:
containers: containers:
- name: transmission - name: transmission
image: registry.ops.eblu.me/blumeops/transmission:v1.0.1 image: registry.ops.eblu.me/blumeops/transmission:v1.1.0
env: env:
- name: PUID - name: PUID
value: "1000" value: "1000"

View file

@ -1,7 +1,7 @@
# kiwix-serve container # kiwix-serve container
# Downloads pre-built binary from kiwix mirror # Downloads pre-built binary from kiwix mirror
FROM alpine:3.21 FROM alpine:3.22
ARG TARGETPLATFORM ARG TARGETPLATFORM
ARG KIWIX_VERSION=3.8.1 ARG KIWIX_VERSION=3.8.1

View file

@ -1,10 +1,10 @@
# Minimal kubectl container # Minimal kubectl container
# Multi-arch build: downloads correct binary for target platform # Multi-arch build: downloads correct binary for target platform
FROM alpine:3.21 AS downloader FROM alpine:3.22 AS downloader
ARG TARGETARCH ARG TARGETARCH
ARG KUBECTL_VERSION=v1.34.1 ARG KUBECTL_VERSION=v1.34.4
RUN apk add --no-cache curl && \ RUN apk add --no-cache curl && \
# Detect architecture - use TARGETARCH if set, otherwise detect from uname # Detect architecture - use TARGETARCH if set, otherwise detect from uname
@ -22,7 +22,7 @@ RUN apk add --no-cache curl && \
curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" && \ curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" && \
chmod +x kubectl chmod +x kubectl
FROM alpine:3.21 FROM alpine:3.22
COPY --from=downloader /kubectl /usr/local/bin/kubectl COPY --from=downloader /kubectl /usr/local/bin/kubectl
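
Review bot: in the downloader stage the kubectl binary is fetched with `curl -LO` and goes straight to `chmod +x kubectl` with no integrity check. dl.k8s.io publishes a kubectl.sha256 file next to each binary; download it in the same RUN and verify with sha256sum -c before the chmod, so a corrupted or substituted download fails the build. Adding curl's -f flag would also make an HTTP error fail the step instead of saving the error page as kubectl.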

View file

@ -1,9 +1,9 @@
# Miniflux RSS feed reader # Miniflux RSS feed reader
# Based on upstream packaging/docker/alpine/Dockerfile # Based on upstream packaging/docker/alpine/Dockerfile
ARG MINIFLUX_VERSION=2.2.16 ARG MINIFLUX_VERSION=2.2.17
FROM golang:alpine3.21 AS build FROM golang:alpine3.22 AS build
ARG MINIFLUX_VERSION ARG MINIFLUX_VERSION
RUN apk add --no-cache build-base git make RUN apk add --no-cache build-base git make
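
Review bot: `FROM golang:alpine3.22 AS build` pins the Alpine release but not the Go version, so the toolchain that compiles the 2.2.17 security release is whatever that tag resolves to on build day. Pin the Go version in the tag (golang:<version>-alpine3.22) so rebuilds are reproducible and a compiler change shows up as a reviewed diff.
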
@ -15,7 +15,7 @@ RUN git clone --depth 1 --branch ${MINIFLUX_VERSION} \
WORKDIR /go/src/app WORKDIR /go/src/app
RUN make miniflux RUN make miniflux
FROM alpine:3.21 FROM alpine:3.22
LABEL org.opencontainers.image.title=Miniflux LABEL org.opencontainers.image.title=Miniflux
LABEL org.opencontainers.image.description="Miniflux is a minimalist and opinionated feed reader" LABEL org.opencontainers.image.description="Miniflux is a minimalist and opinionated feed reader"

View file

@ -4,7 +4,7 @@
# - Docker on indri (during CI build) # - Docker on indri (during CI build)
# - Minikube pods (manual testing) # - Minikube pods (manual testing)
FROM alpine:3.21 FROM alpine:3.22
RUN apk add --no-cache \ RUN apk add --no-cache \
curl \ curl \

View file

@ -1,9 +1,9 @@
# Transmission BitTorrent daemon # Transmission BitTorrent daemon
# Simpler alternative to linuxserver image # Simpler alternative to linuxserver image
FROM alpine:3.21 FROM alpine:3.22
ARG TRANSMISSION_VERSION=4.0.6-r0 ARG TRANSMISSION_VERSION=4.0.6-r4
RUN apk add --no-cache \ RUN apk add --no-cache \
transmission-daemon=${TRANSMISSION_VERSION} \ transmission-daemon=${TRANSMISSION_VERSION} \
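
Review bot: `ARG TRANSMISSION_VERSION=4.0.6-r4` is an exact apk revision installed on top of a floating alpine:3.22 base. The move from -r0 to -r4 in this same change shows the revision is tied to the Alpine release, so this build will need another edit whenever the package is rebuilt in the repository. Add a comment next to the ARG saying where to look up the current revision, or a CI check that fails with a clear message when the pinned revision is no longer available.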

View file

@ -0,0 +1 @@
Tier 1 version bumps: upstream images (prometheus, loki, alloy, kube-state-metrics, tailscale, navidrome), helm charts (CloudNativePG, 1Password Connect), and custom containers (miniflux, kubectl, kiwix-serve, nettest, transmission) updated to latest stable versions with Alpine 3.22 base.