Erich Blume
b1e2811077
## Summary - Bumps Grafana from 12.3.3 to 12.4.2 - Patches 7 CVEs, notably CVE-2026-27880 (unauthenticated OOM DoS, CVSS 7.5) and CVE-2026-27879 (authenticated OOM via resample queries) - No config changes required — reviewed alerting, datasources, OIDC, and feature toggles against 12.4.x breaking changes ## Breaking changes reviewed | Change | Impact | |--------|--------| | Alerting: pending period applies to NoData/Error | Net positive — reduces noise from transient blips | | Default notification uses empty receiver | No impact — we explicitly set `ntfy-infra` | | Removed feature toggles (4) | No impact — none configured | | OAuth ID token signature validation | Low risk — verify OIDC login post-deploy | | OpsGenie deprecated | No impact — using webhook | ## Test plan - [ ] Container build completes at forge - [ ] Update kustomization.yaml with new image tag - [ ] `argocd app set grafana --revision upgrade/grafana-12.4.2 && argocd app sync grafana` - [ ] Verify Grafana UI loads at grafana.ops.eblu.me - [ ] Verify OIDC login via Authentik - [ ] Verify dashboards and datasources load - [ ] Check alerting rules are intact 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: #322 |
||
|---|---|---|
| .. | ||
| alerting.yaml | ||
| datasources.yaml | ||
| deployment.yaml | ||
| grafana.ini | ||
| kustomization.yaml | ||
| provider.yaml | ||
| pvc.yaml | ||
| rbac.yaml | ||
| service.yaml | ||
| serviceaccount.yaml | ||