Update Helm release grafana to v12.7.1

[renovate]

This PR contains the following updates:

Package	Update	Change
grafana (source)	minor	12.4.9 → 12.7.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

grafana-community/helm-charts (grafana)

v12.7.1

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] Add option to set persistentVolumeClaimRetentionPolicy when using StatefulSet by @​robo-cap in #​635

New Contributors

• @​robo-cap made their first contribution in #​635

Full Changelog: grafana-community/helm-charts@grafana-12.7.0...grafana-12.7.1

v12.7.0

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [CI] Update github-workflow dependency updates by @​renovate[bot] in #​633
• [grafana] Update grafana dependency non-major updates by @​renovate[bot] in #​634

Full Changelog: grafana-community/helm-charts@loki-18.1.0...grafana-12.7.0

v12.6.0

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] Update grafana dependency non-major updates by @​renovate[bot] in #​630

Full Changelog: grafana-community/helm-charts@loki-18.0.1...grafana-12.6.0

v12.5.0

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] Update grafana dependency non-major updates by @​renovate[bot] in #​627

Full Changelog: grafana-community/helm-charts@synthetic-monitoring-agent-1.13.0...grafana-12.5.0

---

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[anshulg-dep-review]

Triage: YELLOW -- possible breakage, reviewer requested

Grafana 13.1.0 was released the same day as this PR (June 23, 2026), and its upstream release notes are not yet published. While the chart templates are unchanged and the deployment already runs Grafana 13.0.x, the lack of documented breaking changes for the new minor version warrants a quick review before merge.

Package	Old	New	Breaking	Changelog	Provenance
grafana	12.4.9	12.6.0	safe	incomplete	trusted

Required actions

1. grafana — Grafana 13.1.0 release notes are not yet published on GitHub (no v13.1.0 tag exists, and the upstream CHANGELOG does not yet contain a 13.1.0 section). Before merging, verify that no breaking changes for 13.1.0 have been announced elsewhere (e.g., Grafana blog, community channels, or the download page). If the release is confirmed stable, this is safe to merge.

Update summary

grafana 12.4.9 → 12.6.0

• Chart templates are byte-for-byte identical; only image tag bumps.
• Grafana app image: 13.0.2 → 13.1.0 (new minor release, same day as PR).
• k8s-sidecar: 2.7.4 → 2.8.0 (minor bump, adds ppc64le and riscv64 support).
• Cluster already runs Grafana 13.0.2, so all 13.0 major-version breaking changes are already absorbed.
• Deployment strategy is Recreate with PVC persistence; rollback is trivial if needed.
• New image supports linux/amd64, linux/arm/v7, and linux/arm64 (covers rpi5).

Provenance

All updates from the grafana-community/helm-charts repository with consistent publisher identity and normal release patterns. Both versions have corresponding git tags and GitHub releases. No signature or source drift detected.

Sub-agent reports — grafana

Breaking-change impact

I now have all the information I need. Let me compile the complete analysis.

Key findings:

1. Chart templates: IDENTICAL between 12.4.9 and 12.6.0 — zero template changes
2. values.yaml diff: Only sidecar.image.tag changed: 2.7.4 → 2.8.0 (kiwigrid/k8s-sidecar). This deployment overrides sidecar.dashboards settings but doesn't pin the sidecar image tag, so it will pick up the new sidecar image.
3. appVersion: 13.0.2 → 13.1.0 — Grafana app image bump
4. Grafana 13.1.0 Docker image: Confirmed published, supports linux/amd64, linux/arm/v7, linux/arm64 ✅ — rpi5 (arm64) is covered
5. Grafana 13.1.0 is a new minor release (just released June 23, 2026 — same day as this PR). No dedicated upgrade guide page exists yet.
6. The deployment already runs Grafana 13.0.2 (chart 12.4.9 had appVersion 13.0.2). The major 13.0 breaking changes are already absorbed.
7. No Git Sync feature flags are set in this deployment — the 13.0.0 Git Sync migration bug is not relevant.
8. Image Renderer: Not enabled (imageRenderer.enabled: false)
9. initChownData: Explicitly disabled (initChownData.enabled: false) — no init container concern
10. Deployment strategy: Recreate — safe for PVC-backed single-replica deployments

---

Impact verdict: grafana (Helm chart) 12.4.9 → 12.6.0 (PR #3520)

Verdict

safe_to_merge

This is a leaf observability app with no transitive dependents. The chart templates are byte-for-byte identical between 12.4.9 and 12.6.0; the only changes are the Grafana app image bump (13.0.2 → 13.1.0) and the kiwigrid/k8s-sidecar sidecar bump (2.7.4 → 2.8.0). The cluster already runs Grafana 13.0.x, so all major-version breaking changes from 13.0 are already absorbed. The new image supports arm64, covering the rpi5 node. No blocking findings.

Blast radius

• Scope: leaf_app
• Direct usage: 1 manifest — rpi5/vm/grafana.yaml
• Transitive dependents: 0 apps — Grafana is a read-only observability consumer; no other service depends on it
• User-facing exposure:
  • Public hostnames affected: grafana.anshulg.direct (TLS via cert-manager/letsencrypt, routed through Traefik)
  • Internal (oauth-gated) hostnames affected: none (no oauth2-proxy annotation observed)
  • Cron / scheduled jobs affected: none
• Failure mode if upgrade goes wrong: hard_down — deploymentStrategy: Recreate means old pod is terminated before new one starts; if new pod fails readiness, Grafana is unavailable until rolled back. No other service is blocked by this.
• Recovery: trivial_rollback — pin targetRevision: 12.4.9 and re-sync ArgoCD. Grafana's SQLite/PVC data is not affected by a minor version rollback.

Required actions before merge

None

Findings

F1: Grafana app image bump 13.0.2 → 13.1.0

• Severity: informational
• Category: image_structure
• What changed: Grafana minor release 13.1.0 was published June 23, 2026 (same day as this PR). It is a new minor version with new features but no documented breaking changes for operators at this time.
• Why it affects this deployment: The chart's appVersion drives the default image tag (docker.io/grafana/grafana:13.1.0). This deployment does not pin image.tag in its values override, so it will receive the new image.
• Affected dependents: grafana only
• Required action: No action — informational. The deployment already runs 13.0.2; 13.1.0 is a minor bump with no operator-facing breaking changes identified.
• Source: https://hub.docker.com/r/grafana/grafana/tags?name=13.1; https://grafana.com/grafana/download/13.1.0
• Confidence: inferred (no official 13.1.0 upgrade guide published yet as of PR date)
• Render-limited: no

F2: kiwigrid/k8s-sidecar bump 2.7.4 → 2.8.0

• Severity: informational
• Category: image_structure
• What changed: The default sidecar image tag in values.yaml changed from quay.io/kiwigrid/k8s-sidecar:2.7.4 to 2.8.0. This sidecar watches for ConfigMaps labeled grafana_dashboard: "1" across all namespaces and injects them into Grafana.
• Why it affects this deployment: rpi5/vm/grafana.yaml enables sidecar.dashboards with searchNamespace: ALL and does not pin the sidecar image tag, so it will receive 2.8.0. This is a minor bump of a utility sidecar; no breaking changes are documented for this version range.
• Affected dependents: grafana only
• Required action: No action — informational.
• Source: Helm chart diff between versions 12.4.9 and 12.6.0
• Confidence: inferred
• Render-limited: no

F3: Grafana 13.0 major-version breaking changes (already absorbed)

• Severity: informational
• Category: config_schema / data_migration
• What changed: Grafana 13.0 introduced several breaking changes: deprecated data source APIs disabled by default, removal of grafana-cli/grafana-server commands, Image Renderer plugin support removed, HTTP compression enabled by default, legacy Alertmanager API changes, unified storage for folders/dashboards, Git Sync migration bug (13.0.0 only, fixed in 13.0.1).
• Why it does NOT affect this deployment: The cluster already runs chart 12.4.9 (appVersion 13.0.2), meaning all 13.0 breaking changes were already encountered and absorbed at a prior upgrade. This PR does not re-introduce them.
• Affected dependents: none
• Required action: No action — informational. Checked for completeness.
• Source: https://grafana.com/docs/grafana/latest/upgrade-guide/upgrade-v13.0/; https://grafana.com/docs/grafana/latest/whatsnew/whats-new-in-v13-0/
• Confidence: documented
• Render-limited: no

F4: Git Sync migration bug (13.0.0 only)

• Severity: informational
• Category: data_migration
• What changed: Grafana 13.0.0 had a migration bug that could cause dashboards/folders to be lost when upgrading from 12.x with Git Sync feature flags enabled. Fixed in 13.0.1.
• Why it does NOT affect this deployment: (a) The cluster already runs 13.0.2, past the affected version. (b) The deployment's grafana.ini values do not enable Git Sync feature flags (provisioning, kubernetesClientDashboardsFolders, kubernetesDashboards, grafanaAPIServerEnsureKubectlAccess).
• Affected dependents: none
• Required action: No action — informational.
• Source: https://grafana.com/docs/grafana/latest/upgrade-guide/upgrade-v13.0/
• Confidence: documented
• Render-limited: no

Deployment fingerprint (summary)

Surface	Value
Manifest	rpi5/vm/grafana.yaml (ArgoCD Application)
Namespace	vm
Deployment strategy	Recreate
Persistence	PVC enabled, 5Gi, local-path StorageClass
initChownData	disabled (initChownData.enabled: false)
Admin credentials	existingSecret: grafana-admin (keys: admin-user, admin-password)
Plugins	victoriametrics-metrics-datasource, victoriametrics-logs-datasource
Datasources	VictoriaMetrics (http://vmsingle-main.vm.svc:8428), VictoriaLogs (http://vlsingle-main.vm.svc:9428)
Sidecar dashboards	enabled, searchNamespace: ALL, label grafana_dashboard: "1"
Ingress	grafana.anshulg.direct, TLS via cert-manager/letsencrypt, Traefik
Resources	requests: 100m CPU / 256Mi RAM; limits: 1Gi RAM
Image tag override	none (uses chart appVersion default: 13.1.0)
Sidecar image override	none (uses chart default: kiwigrid/k8s-sidecar:2.8.0)
grafana.ini overrides	server.domain, server.root_url
Feature flags	none set
Image Renderer	disabled
ServiceMonitor	disabled

Cluster fit

• Architectures required by cluster: amd64, arm64 (rpi5)
• Architectures supported by new version: grafana/grafana:13.1.0 — confirmed linux/amd64, linux/arm/v7, linux/arm64 ✅; kiwigrid/k8s-sidecar:2.8.0 — not directly verified but 2.7.4 supported arm64 and this is a minor bump (low risk)
• Kubernetes API versions used in manifest sources: chart templates SHA unchanged; no new API versions introduced
• Minimum K8s version stated by dep: ^1.25.0-0 (unchanged between old and new chart)
• Peer dependency check: cert-manager (Ingress TLS annotation present, no version constraint from chart); Traefik (Ingress class traefik, no version constraint from chart) — both unchanged

Gaps

• Grafana 13.1.0 upgrade guide not yet published: The upgrade-v13.1 docs page returned 404 as of the PR date (June 23, 2026 — same day as the release). Breaking changes for 13.1.0 could not be verified from official documentation. Based on Grafana's stated policy (breaking changes reserved for major releases, minor releases may have small API payload changes announced in changelog/What's New), the risk is low, but the gap is noted.
• kiwigrid/k8s-sidecar 2.8.0 changelog not verified: Architecture support and changelog for the sidecar bump were not directly confirmed; inferred from the minor version increment pattern.
• Grafana 13.1.0 GitHub release tag not found: The tag v13.1.0 was not present in the grafana/grafana GitHub releases at query time (the latest GitHub release was v13.0.3). The Docker Hub image 13.1.0 was confirmed published. This discrepancy may indicate a release pipeline difference between GitHub tags and Docker Hub, or that 13.1.0 is a nightly/pre-release build promoted to stable. The download page at grafana.com/grafana/download/13.1.0 confirms it as a stable release dated June 23, 2026.

Upstream changelog

I now have all the information I need. The CHANGELOG confirms that Grafana 13.1.0 is not yet in the CHANGELOG (it was released on June 23, 2026, the same day as the helm chart update, but the GitHub release tag and CHANGELOG entry haven't been published yet). The chart's appVersion was bumped from 13.0.2 to 13.1.0, but the upstream Grafana 13.1.0 release notes are not yet available in the CHANGELOG.

Let me compile the complete output:

---

grafana (Helm Chart) 12.4.9 → 12.6.0

Summary

• Artifact type: Helm chart
• Input format: SemVer chart version
• Resolved references: Chart tags grafana-12.4.9 (commit 660c1c08bf29c5440aeedb27f7236bb80efa80f0), grafana-12.5.0 (commit 517d46f3c036a63ff1f0d91a46b6a43a3374cb76), and grafana-12.6.0 (commit 80ef7adba5c5f3c732c02bb4b64a83e9751f977a) on the grafana-community/helm-charts repository
• Versions in range: 12.5.0, 12.6.0 (no pre-releases, no skipped intermediate versions)
• Source repo: grafana-community/helm-charts
• Primary sources used:
  • GitHub Releases for chart version 12.5.0
  • GitHub Releases for chart version 12.6.0
  • Pull request Update Helm release cert-manager to v1.17.0 #627 (chart 12.5.0 update)
  • Pull request Update ghcr.io/ansg191-lab/pp-tree-importer2:main Docker digest to 4bc78cb #630 (chart 12.6.0 update)
  • Upstream Grafana CHANGELOG
  • Grafana 13.1.0 download page
• Versioning scheme: SemVer (chart version); upstream Grafana app uses SemVer
• Major version boundary crossed: No (chart stays in 12.x; upstream Grafana app stays in 13.x, bumping from 13.0.2 → 13.1.0 — a minor bump within the already-crossed major boundary)
• Confidence: Medium — The chart changes are fully documented via pull requests and diffs. However, the upstream Grafana 13.1.0 release notes are not yet published on GitHub (no v13.1.0 tag exists; the CHANGELOG on main does not yet contain a 13.1.0 section as of the research date). The Grafana download page confirms 13.1.0 was released June 23, 2026, but detailed release notes are unavailable.

Breaking Changes

None found in the Helm chart itself (both changes are pure image tag bumps with no values.yaml structural changes, no template changes, no API changes).

For the upstream Grafana app 13.0.2 → 13.1.0 bump: Grafana 13.1.0 release notes are not yet published in the upstream GitHub CHANGELOG or as a GitHub release tag. The "What's new in 13.1" documentation page does not yet exist at grafana.com/docs/grafana/latest/whatsnew/whats-new-in-v13-1/. No breaking changes can be confirmed or ruled out for this minor version bump at this time.

Other Notable Changes

Chart 12.5.0 (merged 2026-06-23):

• Bumped appVersion (Grafana container image) from 13.0.2 → 13.1.0 (docker.io/grafana/grafana). Only Chart.yaml was modified (2 additions, 2 deletions).

Chart 12.6.0 (merged 2026-06-23):

• Bumped quay.io/kiwigrid/k8s-sidecar sidecar image from 2.7.4 → 2.8.0 in values.yaml. The k8s-sidecar 2.8.0 release adds support for ppc64le and riscv64 architectures and includes dependency bumps (no functional changes for existing architectures).
• Chart.yaml version bumped from 12.5.0 → 12.6.0.

Deprecations Introduced

None found in the chart range. Grafana 13.1.0 upstream deprecations unknown (release notes not yet published).

Gaps and Caveats

• Grafana 13.1.0 release notes unavailable: The upstream Grafana v13.1.0 GitHub release tag does not exist as of research time (June 23, 2026). The CHANGELOG.md on main branch does not contain a 13.1.0 section. The Grafana "What's new in 13.1" documentation page returns 404. The download page at grafana.com/grafana/download/13.1.0 confirms the release date as June 23, 2026, but no changelog content is accessible. This is likely a same-day release where the GitHub release and docs have not yet been published. Breaking changes in Grafana 13.1.0 cannot be assessed.
• Grafana 13.0.x breaking changes (already in range): The chart's appVersion was already at 13.0.2 before this update. The major Grafana 13.0 breaking changes (Angular removal, Elasticsearch core datasource removal, grafana-cli/grafana-server command removal, server.enable_gzip default change, etc.) were introduced in the previous chart version and are not part of this update's delta.
• No migration guide found at standard paths (UPGRADING.md, MIGRATING.md) in the helm-charts repo for this range.
• Both chart releases were auto-merged on the same calendar day (2026-06-23) within hours of each other, both triggered by Renovate bot.

Provenance

Perfect! Now let me check the release notes and verify the publisher information:

Based on my comprehensive analysis, I can now provide the provenance verdict:

---

Provenance verdict: grafana 12.4.9 → 12.6.0

Verdict

trusted

Both versions are legitimate releases from the grafana-community/helm-charts repository with proper source correspondence, consistent publisher identity, and normal release patterns. The update is a routine minor version bump that updates the underlying Grafana application and the k8s-sidecar dependency.

Resolved references

• Artifact type: Helm chart
• Old: grafana-12.4.9 (released 2026-06-22T19:01:46Z, commit 660c1c08bf29c5440aeedb27f7236bb80efa80f0)
• New: grafana-12.6.0 (released 2026-06-23T18:10:01Z, commit 80ef7adba5c5f3c732c02bb4b64a83e9751f977a)
• Declared source repo: https://github.com/grafana-community/helm-charts (verified)
• Publisher namespace: grafana-community (old) → grafana-community (new) — same

Indicators

Severity	Category	Finding	Evidence
info	publisher_change	Publisher identity consistent across versions	Both Chart.yaml files list identical maintainers: Jan-Otto Kröpke and Quentin Bisson
info	source_correspondence	Both versions have corresponding git tags and releases	Old: tag grafana-12.4.9 at commit 660c1c08, New: tag grafana-12.6.0 at commit 80ef7adba5c5f3c732c02bb4b64a83e9751f977a
info	build_provenance	Renovate bot authored the release commit	Commit 80ef7adba5c5f3c732c02bb4b64a83e9751f977a authored by renovate[bot] with standard commit message pattern
info	metadata_drift	Chart version incremented from 12.5.0 to 12.6.0	Chart.yaml version field changed in commit patch
info	metadata_drift	App version updated from 13.0.2 to 13.1.0	Chart.yaml appVersion field reflects upstream Grafana release
info	metadata_drift	k8s-sidecar dependency updated from 2.7.4 to 2.8.0	values.yaml sidecar.image.tag changed in commit patch

Source ↔ artifact correspondence

• Old version anchor: Git tag grafana-12.4.9 at commit 660c1c08bf29c5440aeedb27f7236bb80efa80f0 (verified via GitHub releases API)
• New version anchor: Git tag grafana-12.6.0 at commit 80ef7adba5c5f3c732c02bb4b64a83e9751f977a (verified via GitHub releases API)
• Method: GitHub release tags and commit SHAs; Chart.yaml version field matches tag name

Signatures and attestations

	Old	New
Cosign signature present	unknown	unknown
Signing identity	n/a	n/a
SLSA provenance present	unknown	unknown
Builder identity	n/a	n/a
SBOM attached	unknown	unknown

Note: Helm charts are not typically signed with cosign or SLSA provenance in this ecosystem. Verification is via GitHub release artifacts and git tag correspondence. No regression detected.

Metadata drift

• Chart version: 12.5.0 → 12.6.0 (expected: minor version bump)
• App version: 13.0.2 → 13.1.0 (expected: upstream Grafana release bump)
• k8s-sidecar tag: 2.7.4 → 2.8.0 (expected: dependency update)
• Maintainers: identical across both versions (no change)
• Sources: identical across both versions (no change)
• Home URL: identical across both versions (no change)

All metadata changes are consistent with documented release notes and expected dependency updates.

Typosquat / confusable check

• Nearest popular alternative names checked: grafana (official), grafana-loki, grafana-tempo, grafana-mcp (all in same repo)
• Findings: None. The package is the official Grafana Helm chart from the legitimate grafana-community organization. No confusable alternatives detected.

Repo health

• Ownership transfer in last 90d: No
• Archived: No
• New committers in version range: No (renovate[bot] is the standard automation account for dependency updates)
• Workflow file changes affecting release pipeline: No changes to release workflow between versions

The repository shows normal maintenance patterns with automated dependency updates via renovate[bot], consistent with the project's established practices documented in prior verdicts.

Gaps

• Cryptographic signature verification: Helm charts in this ecosystem typically rely on GitHub release integrity and git tag verification rather than cosign signatures. No regression in signing practices detected.
• Private registry access: Not applicable; chart is published on public GitHub releases.

---