blumeops

Author	SHA1	Message	Date
Erich Blume	b1e2811077	Upgrade Grafana 12.3.3 → 12.4.2 (#322 ) All checks were successful Build Container / detect (push) Successful in 2s Details Build Container / build-dockerfile (grafana) (push) Successful in 7s Details ## Summary - Bumps Grafana from 12.3.3 to 12.4.2 - Patches 7 CVEs, notably CVE-2026-27880 (unauthenticated OOM DoS, CVSS 7.5) and CVE-2026-27879 (authenticated OOM via resample queries) - No config changes required — reviewed alerting, datasources, OIDC, and feature toggles against 12.4.x breaking changes ## Breaking changes reviewed \| Change \| Impact \| \|--------\|--------\| \| Alerting: pending period applies to NoData/Error \| Net positive — reduces noise from transient blips \| \| Default notification uses empty receiver \| No impact — we explicitly set `ntfy-infra` \| \| Removed feature toggles (4) \| No impact — none configured \| \| OAuth ID token signature validation \| Low risk — verify OIDC login post-deploy \| \| OpsGenie deprecated \| No impact — using webhook \| ## Test plan - [ ] Container build completes at forge - [ ] Update kustomization.yaml with new image tag - [ ] `argocd app set grafana --revision upgrade/grafana-12.4.2 && argocd app sync grafana` - [ ] Verify Grafana UI loads at grafana.ops.eblu.me - [ ] Verify OIDC login via Authentik - [ ] Verify dashboards and datasources load - [ ] Check alerting rules are intact 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: #322	2026-04-02 11:33:19 -07:00
Erich Blume	613f05dfde	Add consistent OCI labels to all container Dockerfiles All checks were successful Build Container (Nix) / build (miniflux) (push) Successful in 2s Details Build Container (Nix) / build (navidrome) (push) Successful in 2s Details Build Container / build (devpi) (push) Successful in 41s Details Build Container (Nix) / build (nettest) (push) Successful in 15s Details Build Container / build (grafana-sidecar) (push) Successful in 1m27s Details Build Container / build (grafana) (push) Successful in 3m23s Details Build Container (Nix) / build (ntfy) (push) Successful in 3m19s Details Build Container (Nix) / build (prometheus) (push) Successful in 1s Details Build Container (Nix) / build (quartz) (push) Successful in 1s Details Build Container (Nix) / build (runner-job-image) (push) Successful in 1s Details Build Container (Nix) / build (teslamate) (push) Successful in 2s Details Build Container (Nix) / build (transmission) (push) Successful in 2s Details Build Container (Nix) / build (transmission-exporter) (push) Successful in 1s Details Build Container (Nix) / build (unpoller) (push) Successful in 1s Details Build Container / build (kiwix-serve) (push) Successful in 1m17s Details Build Container / build (kubectl) (push) Successful in 41s Details Build Container / build (homepage) (push) Successful in 8m21s Details Build Container / build (mealie) (push) Successful in 1m1s Details Build Container / build (loki) (push) Successful in 8m21s Details Build Container / build (miniflux) (push) Successful in 2m24s Details Build Container / build (nettest) (push) Successful in 14s Details Build Container / build (ntfy) (push) Successful in 8m33s Details Build Container / build (prometheus) (push) Successful in 37s Details Build Container / build (quartz) (push) Successful in 19s Details Build Container / build (navidrome) (push) Successful in 10m36s Details Build Container / build (runner-job-image) (push) Successful in 3m18s Details Build Container / build (transmission) (push) Successful in 20s Details Build Container / build (transmission-exporter) (push) Successful in 21s Details Build Container / build (unpoller) (push) Successful in 11s Details Build Container / build (teslamate) (push) Successful in 4m42s Details Every container now carries title, description, version, source, and vendor labels per the OCI image spec. Version is derived from the existing CONTAINER_APP_VERSION ARG at build time. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-18 20:42:00 -07:00
Erich Blume	d05d2fbaff	C2: Upgrade Grafana to 12.x with Nix container and Kustomize (#260 ) All checks were successful Build Container (Nix) / detect (push) Successful in 2s Details Build Container / detect (push) Successful in 1s Details Build Container (Nix) / build (grafana) (push) Successful in 2s Details Build Container / build (grafana) (push) Successful in 7s Details ## Summary Mikado chain to upgrade Grafana from 11.4.0 (Helm chart) to 12.x with: - Home-built Nix container image (`forge.ops.eblu.me/eblume/grafana`) - Kustomize manifests replacing the Helm chart - Single-source ArgoCD app ## Chain Goal: `upgrade-grafana` Leaves: `build-grafana-container`, `kustomize-grafana-deployment` Track with: `mise run docs-mikado upgrade-grafana` ## Test plan - [ ] Container builds successfully via Nix - [ ] Container pushed to registry - [ ] Kustomize manifests produce equivalent resources to current Helm - [ ] Pod runs, UI loads, OIDC works, datasources healthy - [ ] `mise run services-check` passes Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/260	2026-02-23 18:07:18 -08:00

3 commits