C2: Upgrade Grafana to 12.x with Nix container and Kustomize (#260)

## Summary Mikado chain to upgrade Grafana from 11.4.0 (Helm chart) to 12.x with: - Home-built Nix container image (`forge.ops.eblu.me/eblume/grafana`) - Kustomize manifests replacing the Helm chart - Single-source ArgoCD app ## Chain Goal: `upgrade-grafana` Leaves: `build-grafana-container`, `kustomize-grafana-deployment` Track with: `mise run docs-mikado upgrade-grafana` ## Test plan - [ ] Container builds successfully via Nix - [ ] Container pushed to registry - [ ] Kustomize manifests produce equivalent resources to current Helm - [ ] Pod runs, UI loads, OIDC works, datasources healthy - [ ] `mise run services-check` passes Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/260
2026-02-23 18:07:18 -08:00 · 2026-02-23 18:07:18 -08:00 · d05d2fbaff
commit d05d2fbaff
parent 9b419abf24
15 changed files with 510 additions and 208 deletions
--- a/containers/grafana/Dockerfile
+++ b/containers/grafana/Dockerfile
@ -0,0 +1,65 @@
+ARG CONTAINER_APP_VERSION=12.3.3
+
+FROM alpine:3.22
+
+ARG TARGETPLATFORM
+ARG CONTAINER_APP_VERSION
+ARG GRAFANA_VERSION=${CONTAINER_APP_VERSION}
+
+RUN set -e && \
+    apk --no-cache add dumb-init curl && \
+    # Detect architecture
+    if [ -n "$TARGETPLATFORM" ]; then \
+        echo "TARGETPLATFORM: $TARGETPLATFORM"; \
+        case "$TARGETPLATFORM" in \
+            linux/arm64*) ARCH="arm64" ;; \
+            linux/amd64*) ARCH="amd64" ;; \
+            *) ARCH="" ;; \
+        esac; \
+    else \
+        echo "TARGETPLATFORM not set, detecting from uname..."; \
+        UNAME_ARCH=$(uname -m); \
+        echo "uname -m: $UNAME_ARCH"; \
+        case "$UNAME_ARCH" in \
+            aarch64|arm64) ARCH="arm64" ;; \
+            x86_64) ARCH="amd64" ;; \
+            *) ARCH="" ;; \
+        esac; \
+    fi && \
+    if [ -z "$ARCH" ]; then \
+        echo "ERROR: Unsupported architecture"; \
+        exit 1; \
+    fi && \
+    url="https://dl.grafana.com/oss/release/grafana-${GRAFANA_VERSION}.linux-${ARCH}.tar.gz" && \
+    echo "URL: $url" && \
+    curl -fSL "$url" | tar -xz -C /tmp && \
+    mv /tmp/grafana-${GRAFANA_VERSION} /usr/share/grafana && \
+    apk del curl
+
+# Standard Grafana paths
+RUN mkdir -p /etc/grafana /var/lib/grafana /var/log/grafana && \
+    cp /usr/share/grafana/conf/defaults.ini /etc/grafana/grafana.ini && \
+    cp /usr/share/grafana/conf/defaults.ini /etc/grafana/defaults.ini
+
+# UID 472 matches official Grafana image for PVC compatibility
+RUN adduser -D -u 472 -h /usr/share/grafana grafana && \
+    chown -R grafana:grafana /usr/share/grafana /etc/grafana /var/lib/grafana /var/log/grafana
+
+ENV PATH="/usr/share/grafana/bin:$PATH"
+
+USER grafana
+WORKDIR /usr/share/grafana
+EXPOSE 3000
+
+LABEL org.opencontainers.image.title="Grafana"
+LABEL org.opencontainers.image.description="Grafana OSS observability platform"
+LABEL org.opencontainers.image.source="https://github.com/grafana/grafana"
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["grafana", "server", \
+     "--homepath=/usr/share/grafana", \
+     "--config=/etc/grafana/grafana.ini", \
+     "cfg:default.paths.data=/var/lib/grafana", \
+     "cfg:default.paths.logs=/var/log/grafana", \
+     "cfg:default.paths.plugins=/var/lib/grafana/plugins", \
+     "cfg:default.paths.provisioning=/etc/grafana/provisioning"]