diff --git a/CHANGELOG.md b/CHANGELOG.md index 78c0d12..c2953cc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,21 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). +## [v1.15.3] - 2026-04-05 + +### Infrastructure + +- Build Tempo container from source via forge mirror; bump 2.10.1 → 2.10.3 +- Pin NixOS service versions (forgejo-runner, snowflake, k3s) via `nixpkgs-services` overlay in ringtail flake, preventing silent upgrades from `nix flake update`. Add k3s and minikube to service-versions.yaml tracking. Fix stale nix-container-builder version (was 12.6.4, actually running 12.7.2). +- Migrate Immich from Helm chart to kustomize manifests and upgrade from v2.5.6 to v2.6.3 +- Upgrade Grafana from 12.3.3 to 12.4.2 — patches 7 CVEs including an unauthenticated DoS (CVE-2026-27880). + +### Documentation + +- First compensating control review: verified `single-user-cluster` still in effect. Added aspirational how-to card for PCI DSS evidence collection. +- Prowler `--registry` fix merged upstream (PR #10470); initContainer workaround documented as pending release. + + ## [v1.15.2] - 2026-03-30 ### Features diff --git a/argocd/manifests/docs/deployment.yaml b/argocd/manifests/docs/deployment.yaml index 3224a23..82140db 100644 --- a/argocd/manifests/docs/deployment.yaml +++ b/argocd/manifests/docs/deployment.yaml @@ -30,7 +30,7 @@ spec: name: http env: - name: DOCS_RELEASE_URL - value: "https://forge.eblu.me/eblume/blumeops/releases/download/v1.15.2/docs-v1.15.2.tar.gz" + value: "https://forge.eblu.me/eblume/blumeops/releases/download/v1.15.3/docs-v1.15.3.tar.gz" resources: requests: memory: "64Mi" diff --git a/docs/changelog.d/+prowler-registry-fix-upstream.doc.md b/docs/changelog.d/+prowler-registry-fix-upstream.doc.md deleted file mode 100644 index 360e460..0000000 --- a/docs/changelog.d/+prowler-registry-fix-upstream.doc.md +++ /dev/null 
@@ -1 +0,0 @@ -Prowler `--registry` fix merged upstream (PR #10470); initContainer workaround documented as pending release. diff --git a/docs/changelog.d/+review-single-user-cluster.doc.md b/docs/changelog.d/+review-single-user-cluster.doc.md deleted file mode 100644 index eddd1d4..0000000 --- a/docs/changelog.d/+review-single-user-cluster.doc.md +++ /dev/null @@ -1 +0,0 @@ -First compensating control review: verified `single-user-cluster` still in effect. Added aspirational how-to card for PCI DSS evidence collection. diff --git a/docs/changelog.d/immich-kustomize-v2.6.3.infra.md b/docs/changelog.d/immich-kustomize-v2.6.3.infra.md deleted file mode 100644 index 4d42094..0000000 --- a/docs/changelog.d/immich-kustomize-v2.6.3.infra.md +++ /dev/null @@ -1 +0,0 @@ -Migrate Immich from Helm chart to kustomize manifests and upgrade from v2.5.6 to v2.6.3 diff --git a/docs/changelog.d/local-tempo-container.infra.md b/docs/changelog.d/local-tempo-container.infra.md deleted file mode 100644 index 3771c24..0000000 --- a/docs/changelog.d/local-tempo-container.infra.md +++ /dev/null @@ -1 +0,0 @@ -Build Tempo container from source via forge mirror; bump 2.10.1 → 2.10.3 diff --git a/docs/changelog.d/pin-nixos-service-versions.infra.md b/docs/changelog.d/pin-nixos-service-versions.infra.md deleted file mode 100644 index 92bc07c..0000000 --- a/docs/changelog.d/pin-nixos-service-versions.infra.md +++ /dev/null @@ -1 +0,0 @@ -Pin NixOS service versions (forgejo-runner, snowflake, k3s) via `nixpkgs-services` overlay in ringtail flake, preventing silent upgrades from `nix flake update`. Add k3s and minikube to service-versions.yaml tracking. Fix stale nix-container-builder version (was 12.6.4, actually running 12.7.2). diff --git a/docs/changelog.d/upgrade-grafana-12.4.2.infra.md b/docs/changelog.d/upgrade-grafana-12.4.2.infra.md deleted file mode 100644 index 11bba26..0000000 --- a/docs/changelog.d/upgrade-grafana-12.4.2.infra.md +++ /dev/null 
@@ -1 +0,0 @@ -Upgrade Grafana from 12.3.3 to 12.4.2 — patches 7 CVEs including an unauthenticated DoS (CVE-2026-27880).
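Review bot: In the CHANGELOG.md hunk, the Grafana entry says the upgrade "patches 7 CVEs" but names only CVE-2026-27880, so the other six cannot be checked against this release later. List the remaining identifiers or link the upstream advisory for 12.4.2 in the entry. The Nix pinning bullet in the same hunk also packs three separate changes into one line (the `nixpkgs-services` overlay pin, adding k3s and minikube to service-versions.yaml, and the nix-container-builder correction from 12.6.4 to 12.7.2); splitting them would make the version-tracking fix easier to find, since a tracked version that had drifted from what was actually running is the kind of item an auditor will look for.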
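Review bot: In the argocd/manifests/docs/deployment.yaml hunk, the `DOCS_RELEASE_URL` value tells the container where to fetch `docs-v1.15.3.tar.gz` but the lines shown carry no expected digest, so the pod will unpack whatever the forge serves at that path. If the image's entrypoint can take one, add a SHA-256 for the tarball next to the URL and verify it before extraction. The version string also appears twice in the value (release tag and file name), which means a bump that edits only one of them yields a broken download; deriving both from a single value would remove that failure mode.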