C1: alloy v1.16.0 — bump kustomization tags

Both container images published manually (CI on indri couldn't complete
due to host RAM pressure — 7.2 GB in macOS memory compressor causing
~10–100x slowdown on memory-touching work, see separate ticket thread):

  - registry.ops.eblu.me/blumeops/alloy:v1.16.0-26a3ab5
    (dagger build, run locally on gilbert via container.py)
  - registry.ops.eblu.me/blumeops/alloy:v1.16.0-26a3ab5-nix
    (nix build, run on ringtail's nix-container-builder)

Both images built from the alloy-v1.16.0 branch tip 26a3ab5b. After
PR squash-merge, follow up with a C0 to rebuild from the main SHA and
bump tags to a [main]-marked variant per the squash-merge convention.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

argocd/manifests/alloy-k8s/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 
 images:
   - name: registry.ops.eblu.me/blumeops/alloy
-    newTag: v1.14.0-fd0bebb
+    newTag: v1.16.0-26a3ab5
 
 configMapGenerator:
   - name: alloy-config

argocd/manifests/alloy-ringtail/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 
 images:
   - name: registry.ops.eblu.me/blumeops/alloy
-    newTag: v1.14.0-fd0bebb-nix
+    newTag: v1.16.0-26a3ab5-nix
 
 configMapGenerator:
   - name: alloy-config

argocd/manifests/alloy-tracing-ringtail/kustomization.yaml

@@ -9,7 +9,7 @@ resources:
 
 images:
   - name: registry.ops.eblu.me/blumeops/alloy
-    newTag: v1.14.0-fd0bebb-nix
+    newTag: v1.16.0-26a3ab5-nix
 
 configMapGenerator:
   - name: alloy-tracing-config

containers/alloy/Dockerfile

@@ -1,68 +0,0 @@
-# Grafana Alloy telemetry collector
-# Three-stage build: Web UI (Node), server (Go), runtime (Alpine)
-
-ARG CONTAINER_APP_VERSION=1.14.0
-ARG ALLOY_VERSION=v${CONTAINER_APP_VERSION}
-ARG ALLOY_COMMIT=626a738319812d58ebc25ca6d71651f4925b8b18
-
-FROM node:22-alpine AS ui-build
-
-ARG ALLOY_COMMIT
-RUN apk add --no-cache git
-
-RUN mkdir /app && cd /app \
-    && git init \
-    && git remote add origin https://forge.ops.eblu.me/mirrors/alloy.git \
-    && git fetch --depth 1 origin ${ALLOY_COMMIT} \
-    && git checkout FETCH_HEAD
-
-WORKDIR /app/internal/web/ui
-RUN npm ci
-RUN npx tsc -b && npx vite build
-
-FROM golang:1.25-alpine3.22 AS build
-
-ARG ALLOY_VERSION
-ARG ALLOY_COMMIT
-RUN apk add --no-cache build-base git
-
-RUN mkdir /app && cd /app \
-    && git init \
-    && git remote add origin https://forge.ops.eblu.me/mirrors/alloy.git \
-    && git fetch --depth 1 origin ${ALLOY_COMMIT} \
-    && git checkout FETCH_HEAD
-
-WORKDIR /app
-
-# Copy pre-built web UI assets
-COPY --from=ui-build /app/internal/web/ui/dist /app/internal/web/ui/dist
-
-ENV CGO_ENABLED=1
-
-# promtail_journal_enabled omitted: requires systemd headers (libsystemd-dev)
-# and our k8s deployments read pod logs from the filesystem, not journald
-RUN RELEASE_BUILD=1 VERSION=${ALLOY_VERSION} \
-    GO_TAGS="netgo embedalloyui" \
-    SKIP_UI_BUILD=1 \
-    make alloy
-
-FROM alpine:3.22
-
-ARG CONTAINER_APP_VERSION
-LABEL org.opencontainers.image.title="Alloy"
-LABEL org.opencontainers.image.description="Grafana Alloy is an OpenTelemetry Collector distribution"
-LABEL org.opencontainers.image.version="${CONTAINER_APP_VERSION}"
-LABEL org.opencontainers.image.source="https://forge.eblu.me/eblume/blumeops"
-LABEL org.opencontainers.image.vendor="blumeops"
-
-RUN apk --no-cache add ca-certificates tzdata \
-    && addgroup -g 473 alloy \
-    && adduser -D -u 473 -G alloy alloy \
-    && mkdir -p /var/lib/alloy/data \
-    && chown -R alloy:alloy /var/lib/alloy
-
-COPY --from=build --chown=473:473 /app/build/alloy /bin/alloy
-
-ENTRYPOINT ["/bin/alloy"]
-ENV ALLOY_DEPLOY_MODE=docker
-CMD ["run", "/etc/alloy/config.alloy", "--storage.path=/var/lib/alloy/data"]

containers/alloy/container.py

@@ -0,0 +1,95 @@
+"""Grafana Alloy — telemetry collector, native Dagger build.
+
+Three-stage build: Node (UI), Go (server via upstream Makefile with embedded
+UI assets), Alpine (runtime). Source cloned from forge mirror.
+
+Notes:
+  - Builds via `make alloy` rather than plain `go build` so version stamping,
+    release flags, and the netgo+embedalloyui tags match upstream releases.
+  - promtail_journal_enabled is intentionally omitted: it requires
+    libsystemd-dev and our k8s deployments read pod logs from the filesystem,
+    not journald.
+  - Uses golang:alpine3.23 (currently Go 1.26.2 — matches alloy v1.16.0's
+    go.mod toolchain requirement and the go_build helper's image choice).
+"""
+
+import dagger
+from dagger import dag
+
+from blumeops.containers import (
+    alpine_runtime,
+    clone_from_forge,
+    node_build,
+    oci_labels,
+)
+
+VERSION = "v1.16.0"
+
+
+async def build(src: dagger.Directory) -> dagger.Container:
+    source = clone_from_forge("alloy", VERSION)
+
+    # Stage 1: Build the web UI (tsc + vite, not the package.json default).
+    ui = node_build(
+        source,
+        "internal/web/ui",
+        build_cmd=["sh", "-c", "npx tsc -b && npx vite build"],
+    )
+
+    # Stage 2: Build alloy via the upstream Makefile with embedded UI assets.
+    builder = (
+        dag.container()
+        .from_("golang:alpine3.23")
+        .with_exec(["apk", "add", "--no-cache", "build-base", "git", "make"])
+        .with_directory("/app", source)
+        .with_directory(
+            "/app/internal/web/ui/dist",
+            ui.directory("/app/internal/web/ui/dist"),
+        )
+        .with_workdir("/app")
+        .with_env_variable("CGO_ENABLED", "1")
+        .with_env_variable("RELEASE_BUILD", "1")
+        .with_env_variable("VERSION", VERSION)
+        .with_env_variable("GO_TAGS", "netgo embedalloyui")
+        .with_env_variable("SKIP_UI_BUILD", "1")
+        .with_exec(["make", "alloy"])
+    )
+
+    # Stage 3: Runtime as uid/gid 473 alloy.
+    runtime = alpine_runtime(
+        extra_apk=["ca-certificates", "tzdata"],
+        uid=473,
+        gid=473,
+        username="alloy",
+    )
+    runtime = oci_labels(
+        runtime,
+        title="Alloy",
+        description="Grafana Alloy is an OpenTelemetry Collector distribution",
+        version=VERSION,
+    )
+    return (
+        runtime.with_file(
+            "/bin/alloy",
+            builder.file("/app/build/alloy"),
+            permissions=0o555,
+        )
+        .with_exec(
+            [
+                "sh",
+                "-c",
+                "mkdir -p /var/lib/alloy/data && chown -R alloy:alloy /var/lib/alloy",
+            ]
+        )
+        .with_env_variable("ALLOY_DEPLOY_MODE", "docker")
+        .with_exposed_port(12345)
+        .with_user("alloy")
+        .with_entrypoint(["/bin/alloy"])
+        .with_default_args(
+            args=[
+                "run",
+                "/etc/alloy/config.alloy",
+                "--storage.path=/var/lib/alloy/data",
+            ]
+        )
+    )

containers/alloy/default.nix

@@ -1,24 +1,24 @@
 # Nix-built Grafana Alloy telemetry collector
-# Builds v1.14.0 from forge mirror with embedded web UI
+# Builds v1.16.0 from forge mirror with embedded web UI
 # Uses stdenv + make (not buildGoModule) due to multi-module workspace
 # with local replace directives (collector/ -> ../, ../syntax, ../extension)
 # Built with dockerTools.buildLayeredImage for efficient layer caching
 { pkgs ? import <nixpkgs> { } }:
 
 let
-  version = "1.14.0";
+  version = "1.16.0";
 
   src = pkgs.fetchgit {
     url = "https://forge.ops.eblu.me/mirrors/alloy.git";
     rev = "v${version}";
-    hash = "sha256-gxNz4XDE8XSl6LsP3k8DERqDdMLcmbWKfXZGGyRULkg=";
+    hash = "sha256-q5R2noxBZ3OPyZqmB+bx3iJKWFxC2WIprcgh9RwjLzk=";
   };
 
   ui = pkgs.buildNpmPackage {
     inherit version;
     pname = "alloy-ui";
     src = "${src}/internal/web/ui";
-    npmDepsHash = "sha256-GT0yisPn+3FCtWL3he0i5zPMlaWNparQDefU69G4Yis=";
+    npmDepsHash = "sha256-vResNUT4auDsK9ngnJYfMUUOYr/ikPhrvakqCjGq2Q8=";
 
     buildPhase = ''
       runHook preBuild
@@ -40,11 +40,12 @@ let
     pname = "alloy-go-modules";
     inherit src version;
 
-    nativeBuildInputs = with pkgs; [ go git cacert ];
+    nativeBuildInputs = with pkgs; [ go_1_26 git cacert ];
 
     buildPhase = ''
       export GOPATH=$TMPDIR/go
       export GOFLAGS=-modcacherw
+      export GOTOOLCHAIN=local
       # Download modules for all three go.mod files
       go mod download
       cd syntax && go mod download && cd ..
@@ -56,7 +57,7 @@ let
     '';
 
     outputHashMode = "recursive";
-    outputHash = "sha256-rD7zqomSVv4d8NaC7jXXgihuQvK8guaAN0KrsBRWMVQ=";
+    outputHash = "sha256-9/v85HyDInJB+9qHauKVuDol6Yf5mkXfMWgCr7RdRTk=";
     outputHashAlgo = "sha256";
   };
 
@@ -65,7 +66,7 @@ let
     pname = "alloy";
 
     nativeBuildInputs = with pkgs; [
-      go
+      go_1_26
       git
       gnumake
       cacert
@@ -77,6 +78,7 @@ let
       export HOME=$TMPDIR
       export GOPATH=$TMPDIR/go
       export GOFLAGS=-modcacherw
+      export GOTOOLCHAIN=local
 
       # Populate module cache from pre-fetched modules
       mkdir -p $GOPATH/pkg

docs/changelog.d/alloy-v1.16.0.infra.md

@@ -0,0 +1,5 @@
+Upgrade Grafana Alloy v1.14.0 → v1.16.0 across all four service deployments
+(alloy-k8s, alloy-ringtail, alloy-tracing-ringtail on k8s; alloy native on
+indri). Pulls in stable database observability (v1.15) and the OTel Collector
+v0.147.0 bump. Container build also migrated from Dockerfile to native Dagger
+`container.py` per the build-container-image migration playbook.

service-versions.yaml

@@ -72,22 +72,22 @@ services:
 
   - name: alloy-tracing-ringtail
     type: argocd
-    last-reviewed: 2026-03-13
-    current-version: "v1.14.0"
+    last-reviewed: 2026-04-30
+    current-version: "v1.16.0"
     upstream-source: https://github.com/grafana/alloy/releases
     notes: Privileged DaemonSet with Beyla eBPF for HTTP tracing on ringtail
 
   - name: alloy-ringtail
     type: argocd
-    last-reviewed: 2026-03-13
-    current-version: "v1.14.0"
+    last-reviewed: 2026-04-30
+    current-version: "v1.16.0"
     upstream-source: https://github.com/grafana/alloy/releases
     notes: DaemonSet on ringtail for host metrics and pod logs
 
   - name: alloy-k8s
     type: argocd
-    last-reviewed: 2026-03-13
-    current-version: "v1.14.0"
+    last-reviewed: 2026-04-30
+    current-version: "v1.16.0"
     upstream-source: https://github.com/grafana/alloy/releases
 
   - name: tailscale-operator
@@ -338,8 +338,8 @@ services:
 
   - name: alloy
     type: ansible
-    last-reviewed: 2026-03-13
-    current-version: "v1.14.0"
+    last-reviewed: 2026-04-30
+    current-version: "v1.16.0"
     upstream-source: https://github.com/grafana/alloy/releases
     notes: Built from source on indri