Upgrade Grafana 12.3.3 → 12.4.2 #322

Merged
eblume merged 2 commits from upgrade/grafana-12.4.2 into main 2026-04-02 11:33:20 -07:00
Owner

Summary

  • Bumps Grafana from 12.3.3 to 12.4.2
  • Patches 7 CVEs, notably CVE-2026-27880 (unauthenticated OOM DoS, CVSS 7.5) and CVE-2026-27879 (authenticated OOM via resample queries)
  • No config changes required — reviewed alerting, datasources, OIDC, and feature toggles against 12.4.x breaking changes

Breaking changes reviewed

| Change | Impact |
|--------|--------|
| Alerting: pending period applies to NoData/Error | Net positive — reduces noise from transient blips |
| Default notification uses empty receiver | No impact — we explicitly set `ntfy-infra` |
| Removed feature toggles (4) | No impact — none configured |
| OAuth ID token signature validation | Low risk — verify OIDC login post-deploy |
| OpsGenie deprecated | No impact — using webhook |

Test plan

  • Container build completes at forge
  • Update kustomization.yaml with new image tag
  • argocd app set grafana --revision upgrade/grafana-12.4.2 && argocd app sync grafana
  • Verify Grafana UI loads at grafana.ops.eblu.me
  • Verify OIDC login via Authentik
  • Verify dashboards and datasources load
  • Check alerting rules are intact

🤖 Generated with Claude Code

Patches 7 CVEs including CVE-2026-27880 (unauthenticated OOM DoS, CVSS 7.5).
No config changes needed — alerting pending period behavior change is a net
improvement for our NoData/Error rules.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
eblume merged commit b1e2811077 into main 2026-04-02 11:33:20 -07:00
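
A post-deploy check for the "Verify Grafana UI loads" step of the test plan, added here as an example and not part of this PR or the blumeops repo: it evaluates the JSON body returned by Grafana's `/api/health` endpoint and confirms the running version is at least the patched 12.4.2 and the database reports ok. The function names are hypothetical and the sample bodies are constructed.

```python
import json
import re

MIN_PATCHED = (12, 4, 2)  # upgrade target named in this PR


def parse_version(text):
    """Return (major, minor, patch); build suffixes such as '+security-01' are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def check_health(body, minimum=MIN_PATCHED):
    """Evaluate an /api/health response body. Returns (ok, problems)."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return False, ["body is not JSON (proxy error page or login redirect?)"]
    if not isinstance(doc, dict):
        return False, ["unexpected JSON shape"]
    problems = []
    if doc.get("database") != "ok":
        problems.append(f"database status is {doc.get('database')!r}")
    version = doc.get("version")
    if not isinstance(version, str):
        # An absent version counts as "unverified", never as "patched".
        problems.append("version not reported; cannot confirm patch level")
    else:
        try:
            running = parse_version(version)
        except ValueError as exc:
            problems.append(str(exc))
        else:
            # Tuple comparison is numeric, so 12.10.0 sorts above 12.4.2.
            if running < minimum:
                want = ".".join(map(str, minimum))
                problems.append(f"running {version}, below patched {want}")
    return not problems, problems


if __name__ == "__main__":
    # Constructed sample bodies, not captured from the real instance.
    samples = [
        '{"commit": "0000000", "database": "ok", "version": "12.4.2"}',
        '{"commit": "0000000", "database": "ok", "version": "12.3.3"}',
        "<html><body>502 Bad Gateway</body></html>",
    ]
    for body in samples:
        print(check_health(body))
```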
Reference
eblume/blumeops!322