From e12c7b43e4d022f5da71b1c0d190a20fcfc2de1a Mon Sep 17 00:00:00 2001 
From: Viktor Barzin
Date: Sun, 19 Apr 2026 10:26:31 +0000
Subject: [PATCH] [mailserver] Pin dovecot_exporter to SHA + add Diun [ci skip]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Context

`viktorbarzin/dovecot_exporter:latest` was consumed with `IfNotPresent` pull, which means whichever node landed the pod kept whatever digest was cached from an earlier pull. A SHA-level pin is the reproducibility baseline this repo uses for every other home-built image (`headscale`, `excalidraw`, `linkwarden`).

## This change

- Pins `dovecot-exporter` container image to `viktorbarzin/dovecot_exporter@sha256:1114224c...` — the digest the pod is actually running today (captured from live `imageID`).
- Enables Diun tag watching on the mailserver Deployment (`diun.enable=true`, `diun.include_tags=^latest$`) so new `:latest` digests trigger a notification rather than silently landing on the next `IfNotPresent` miss.

Deviation from task spec (code-cno): the task asked for an 8-char SHA *tag*, but Docker Hub only publishes `:latest` for this image — a SHA tag doesn't exist. Used the digest-pin pattern already established at `stacks/headscale/modules/headscale/main.tf:204` instead; Diun watches the `:latest` tag for drift, which is the equivalent notification.

## What is NOT in this change

- Volume-mount ordering drift on `kubernetes_deployment.mailserver` (pre-existing; tolerated by Waves 1+2).
- Splitting the metrics port into its own Service (code-izl).
## Test Plan ### Automated ``` $ kubectl get pod -n mailserver -l app=mailserver \ -o jsonpath='{.items[0].spec.containers[*].image}' docker.io/mailserver/docker-mailserver:15.0.0 \ viktorbarzin/dovecot_exporter@sha256:1114224c9bf0261ca8e9949a6b42d3c5a2c923d34ca4593f6b62f034daf14fc5 $ kubectl get deployment -n mailserver mailserver \ -o jsonpath='{.spec.template.metadata.annotations}' {"diun.enable":"true","diun.include_tags":"^latest$"} $ kubectl rollout status deployment/mailserver -n mailserver deployment "mailserver" successfully rolled out ``` ### Manual Verification 1. Push a new `:latest` digest to the exporter image (or wait for one). 2. Check Diun notifier output: a tag event for `^latest$` should fire. 3. `kubectl describe deployment/mailserver -n mailserver` shows the digest pin unchanged until someone rebumps it. ## Reproduce locally 1. `kubectl -n mailserver get pod -l app=mailserver -o yaml | \ grep -A1 dovecot_exporter` 2. Expected: `image: viktorbarzin/dovecot_exporter@sha256:1114224c...`. Closes: code-cno Co-Authored-By: Claude Opus 4.7 (1M context) --- stacks/mailserver/modules/mailserver/main.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/stacks/mailserver/modules/mailserver/main.tf b/stacks/mailserver/modules/mailserver/main.tf index 43e7d5d2..02076682 100644 --- a/stacks/mailserver/modules/mailserver/main.tf +++ b/stacks/mailserver/modules/mailserver/main.tf @@ -230,7 +230,8 @@ resource "kubernetes_deployment" "mailserver" { template { metadata { annotations = { - # "diun.enable" = "true" + "diun.enable" = "true" + "diun.include_tags" = "^latest$" } labels = { "app" = "mailserver" 
@@ -433,7 +434,7 @@ resource "kubernetes_deployment" "mailserver" { container { name = "dovecot-exporter" - image = "viktorbarzin/dovecot_exporter:latest" + image = "viktorbarzin/dovecot_exporter@sha256:1114224c9bf0261ca8e9949a6b42d3c5a2c923d34ca4593f6b62f034daf14fc5" command = [ "/dovecot_exporter/exporter", "--dovecot.socket-path=/var/run/dovecot/stats-reader"
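Review bot: in the `annotations` hunk at line 230, the two Diun keys sit on the pod template metadata, so they apply to every container in the pod, including `docker.io/mailserver/docker-mailserver:15.0.0`, not only the exporter. Also, `diun.include_tags` is documented to take effect only together with `diun.watch_repo`, which this hunk does not set, and the exporter is now referenced by digest rather than by `:latest`; confirm in the Diun logs that a `^latest$` watch for `viktorbarzin/dovecot_exporter` is actually registered, or add `"diun.watch_repo" = "true"` so the regex has something to filter. The manual verification step in the message (a tag event firing on the next `:latest` push) is the right check for this.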
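Review bot: the `image` line at 436 swaps a tag for a bare 64-hex digest and nothing in the file records where that digest came from. Since the message says it was captured from a live `imageID` (whatever one node had cached, not a verified build of the current `:latest`), add a comment above the line with the source tag, the capture date and the command used to re-resolve it, e.g. `# viktorbarzin/dovecot_exporter:latest resolved 2026-04-19; bump with: crane digest viktorbarzin/dovecot_exporter:latest`, so the next bump is not a guess. The digest pin does make the existing `IfNotPresent` policy safe, because a digest cannot move, but the pull policy is outside this hunk.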
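The commit message's verification steps compare the declared image reference with the `imageID` the running pod reports. As an added example, not code from the patch or the repository it modifies, the following Python audit classifies each container in a Deployment's pod template as digest-pinned, tag-only or floating `:latest`, and flags drift between a declared digest and the digest a pod actually runs. The Deployment and Pod documents are constructed sample data shaped like `kubectl get ... -o json` output; the exporter digest is the one in the patch, and the other digests are labelled placeholders.

```python
"""Audit a Kubernetes Deployment's image references for digest pins.

Added example, not part of the patch or the repository it modifies.
Input documents are constructed to look like `kubectl get deploy/pod -o json`.
"""
import re

_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Digest from the patch (what the exporter pod actually runs).
EXPORTER_DIGEST = "sha256:1114224c9bf0261ca8e9949a6b42d3c5a2c923d34ca4593f6b62f034daf14fc5"
# Constructed placeholders standing in for other cached builds.
STALE_DIGEST = "sha256:" + "0" * 64
MAILSERVER_DIGEST = "sha256:" + "f" * 64


def parse_image_ref(ref):
    """Split 'name[:tag][@sha256:...]' into parts, treating a registry port correctly."""
    name, _, digest = ref.partition("@")
    if digest and not _DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest in image reference: {ref}")
    tag = None
    colon = name.rfind(":")
    if colon > name.rfind("/"):          # a colon after the last '/' is a tag, not a port
        name, tag = name[:colon], name[colon + 1:]
    return {"name": name, "tag": tag, "digest": digest or None}


def classify(ref):
    """'pinned' if a digest is present, else 'floating-latest' or 'tag-only'."""
    parsed = parse_image_ref(ref)
    if parsed["digest"]:
        return "pinned"
    if parsed["tag"] in (None, "latest"):   # moves silently on the next IfNotPresent miss
        return "floating-latest"
    return "tag-only"                        # mutable, but at least versioned


def audit_deployment(deployment):
    """Map container name -> classification for every container in the pod template."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    return {c["name"]: classify(c["image"]) for c in containers}


def running_digests(pod):
    """Map container name -> digest reported in status.containerStatuses[].imageID."""
    out = {}
    for status in pod["status"]["containerStatuses"]:
        _, _, digest = status["imageID"].partition("@")   # "repo/name@sha256:..." on containerd
        out[status["name"]] = digest or None
    return out


def drift(deployment, pod):
    """Containers whose declared digest differs from the digest the pod is running."""
    running = running_digests(pod)
    mismatched = {}
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        declared = parse_image_ref(c["image"])["digest"]
        actual = running.get(c["name"])
        if declared and actual and declared != actual:
            mismatched[c["name"]] = {"declared": declared, "running": actual}
    return mismatched


def _deployment(exporter_image):
    """Constructed Deployment with the two containers the patch's pod shows."""
    return {"spec": {"template": {"spec": {"containers": [
        {"name": "mailserver", "image": "docker.io/mailserver/docker-mailserver:15.0.0"},
        {"name": "dovecot-exporter", "image": exporter_image},
    ]}}}}


def _pod(exporter_digest):
    """Constructed Pod status as the kubelet would report it."""
    return {"status": {"containerStatuses": [
        {"name": "mailserver",
         "imageID": "docker.io/mailserver/docker-mailserver@" + MAILSERVER_DIGEST},
        {"name": "dovecot-exporter",
         "imageID": "docker.io/viktorbarzin/dovecot_exporter@" + exporter_digest},
    ]}}


BEFORE = _deployment("viktorbarzin/dovecot_exporter:latest")
AFTER = _deployment("viktorbarzin/dovecot_exporter@" + EXPORTER_DIGEST)
POD_OK = _pod(EXPORTER_DIGEST)      # node pulled the pinned digest
POD_STALE = _pod(STALE_DIGEST)      # node still running an older cached build

if __name__ == "__main__":
    for label, dep in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_deployment(dep))
    print("drift (ok pod):   ", drift(AFTER, POD_OK))
    print("drift (stale pod):", drift(AFTER, POD_STALE))
```

Feeding real cluster output in is a matter of replacing the constructed dictionaries with `json.load` of `kubectl get deployment ... -o json` and `kubectl get pod ... -o json`; the `mailserver` container shows up as `tag-only` either way, which is the expected result since this patch pins only the exporter.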