chore: Update manifests after change

2026-05-03 00:44:49 +00:00
parent 3ddc7529c1
commit c177565a34
24 changed files with 554 additions and 134 deletions
--- a/clusters/cl01tl/manifests/loki/ClusterRole-loki-clusterrole.yaml
+++ b/clusters/cl01tl/manifests/loki/ClusterRole-loki-clusterrole.yaml
@@ -2,10 +2,10 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  labels:
-    helm.sh/chart: loki-6.55.0
+    helm.sh/chart: loki-13.5.0
    app.kubernetes.io/name: loki
    app.kubernetes.io/instance: loki
-    app.kubernetes.io/version: "3.6.7"
+    app.kubernetes.io/version: "3.7.1"
  name: loki-clusterrole
 rules:
  - apiGroups: [""]
--- a/clusters/cl01tl/manifests/loki/ClusterRoleBinding-loki-clusterrolebinding.yaml
+++ b/clusters/cl01tl/manifests/loki/ClusterRoleBinding-loki-clusterrolebinding.yaml
@@ -3,10 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: loki-clusterrolebinding
  labels:
-    helm.sh/chart: loki-6.55.0
+    helm.sh/chart: loki-13.5.0
    app.kubernetes.io/name: loki
    app.kubernetes.io/instance: loki
-    app.kubernetes.io/version: "3.6.7"
+    app.kubernetes.io/version: "3.7.1"
 subjects:
  - kind: ServiceAccount
    name: loki
--- a/clusters/cl01tl/manifests/loki/ConfigMap-loki-gateway.yaml
+++ b/clusters/cl01tl/manifests/loki/ConfigMap-loki-gateway.yaml
--- a/clusters/cl01tl/manifests/loki/ConfigMap-loki-runtime.yaml
+++ b/clusters/cl01tl/manifests/loki/ConfigMap-loki-runtime.yaml
@@ -4,10 +4,10 @@ metadata:
  name: loki-runtime
  namespace: loki
  labels:
-    helm.sh/chart: loki-6.55.0
+    helm.sh/chart: loki-13.5.0
    app.kubernetes.io/name: loki
    app.kubernetes.io/instance: loki
-    app.kubernetes.io/version: "3.6.7"
+    app.kubernetes.io/version: "3.7.1"
 data:
  runtime-config.yaml: |
    {}
--- a/clusters/cl01tl/manifests/loki/ConfigMap-loki.yaml
+++ b/clusters/cl01tl/manifests/loki/ConfigMap-loki.yaml
@@ -4,10 +4,10 @@ metadata:
  name: loki
  namespace: loki
  labels:
-    helm.sh/chart: loki-6.55.0
+    helm.sh/chart: loki-13.5.0
    app.kubernetes.io/name: loki
    app.kubernetes.io/instance: loki
-    app.kubernetes.io/version: "3.6.7"
+    app.kubernetes.io/version: "3.7.1"
 data:
  config.yaml: |2

@@ -57,6 +57,9 @@ data:
      scheduler_address: ""
    index_gateway:
      mode: simple
+    ingester:
+      wal:
+        flush_on_shutdown: true
    ingester_client:
      pool_config:
        remote_timeout: 10s
@@ -74,8 +77,16 @@ data:
      split_queries_by_interval: 15m
      volume_enabled: true
    memberlist:
+      abort_if_cluster_join_fails: true
+      advertise_addr: ${HASH_RING_INSTANCE_ADDR}
+      advertise_port: 7946
+      bind_port: 7946
      join_members:
      - loki-memberlist.loki.svc.cluster.local
+      max_join_backoff: 1m
+      max_join_retries: 10
+      min_join_backoff: 1s
+      rejoin_interval: 90s
    pattern_ingester:
      enabled: false
    query_range:
@@ -109,10 +120,18 @@ data:
        schema: v13
        store: boltdb-shipper
    server:
+      graceful_shutdown_timeout: 5s
      grpc_listen_port: 9095
+      grpc_server_max_concurrent_streams: 1000
+      grpc_server_max_recv_msg_size: 104857600
+      grpc_server_max_send_msg_size: 104857600
+      grpc_server_min_time_between_pings: 10s
+      grpc_server_ping_without_stream_allowed: true
      http_listen_port: 3100
-      http_server_read_timeout: 600s
-      http_server_write_timeout: 600s
+      http_server_idle_timeout: 30s
+      http_server_read_timeout: 10m0s
+      http_server_write_timeout: 10m0s
+      log_level: info
    storage_config:
      bloom_shipper:
        working_directory: /var/loki/data/bloomshipper
--- a/clusters/cl01tl/manifests/loki/DaemonSet-loki-canary.yaml
+++ b/clusters/cl01tl/manifests/loki/DaemonSet-loki-canary.yaml
@@ -4,10 +4,10 @@ metadata:
  name: loki-canary
  namespace: loki
  labels:
-    helm.sh/chart: loki-6.55.0
+    helm.sh/chart: loki-13.5.0
    app.kubernetes.io/name: loki
    app.kubernetes.io/instance: loki
-    app.kubernetes.io/version: "3.6.7"
+    app.kubernetes.io/version: "3.7.1"
    app.kubernetes.io/component: canary
 spec:
  selector:
@@ -21,34 +21,39 @@ spec:
    type: RollingUpdate
  template:
    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: "canary"
      labels:
+        helm.sh/chart: loki-13.5.0
        app.kubernetes.io/name: loki
        app.kubernetes.io/instance: loki
+        app.kubernetes.io/version: "3.7.1"
        app.kubernetes.io/component: canary
    spec:
      serviceAccountName: loki-canary
+      enableServiceLinks: true
+      automountServiceAccountToken: false
      securityContext:
        fsGroup: 10001
        fsGroupChangePolicy: OnRootMismatch
        runAsGroup: 10001
        runAsNonRoot: true
        runAsUser: 10001
+        seccompProfile:
+          type: RuntimeDefault
+      terminationGracePeriodSeconds: 30
+      volumes:
+        - name: temp
+          emptyDir: {}
      containers:
-        - name: loki-canary
-          image: docker.io/grafana/loki-canary:3.6.7
+        - name: canary
+          image: docker.io/grafana/loki-canary:3.7.1
          imagePullPolicy: IfNotPresent
          args:
            - -addr=loki-gateway.loki.svc.cluster.local.:80
            - -labelname=pod
            - -labelvalue=$(POD_NAME)
            - -push=true
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-                - ALL
-            readOnlyRootFilesystem: true
-          volumeMounts:
          ports:
            - name: http-metrics
              containerPort: 3500
@@ -58,10 +63,32 @@ spec:
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
+            - name: GOGC
+              value: "80"
+            - name: HASH_RING_INSTANCE_ADDR
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            seccompProfile:
+              type: RuntimeDefault
+          livenessProbe:
+            httpGet:
+              path: /metrics
+              port: http-metrics
+            initialDelaySeconds: 15
+            timeoutSeconds: 1
          readinessProbe:
            httpGet:
              path: /metrics
              port: http-metrics
            initialDelaySeconds: 15
            timeoutSeconds: 1
-      volumes:
+          volumeMounts:
+            - name: temp
+              mountPath: /tmp
--- a/clusters/cl01tl/manifests/loki/Deployment-loki-gateway.yaml
+++ b/clusters/cl01tl/manifests/loki/Deployment-loki-gateway.yaml
@@ -4,10 +4,10 @@ metadata:
  name: loki-gateway
  namespace: loki
  labels:
-    helm.sh/chart: loki-6.55.0
+    helm.sh/chart: loki-13.5.0
    app.kubernetes.io/name: loki
    app.kubernetes.io/instance: loki
-    app.kubernetes.io/version: "3.6.7"
+    app.kubernetes.io/version: "3.7.1"
    app.kubernetes.io/component: gateway
 spec:
  replicas: 1
@@ -22,32 +22,35 @@ spec:
  template:
    metadata:
      annotations:
-        checksum/config: d76bd0b627b1549dddc6ce5304d9322ebdeb13e5b813234d8067357925630015
+        checksum/config: 7f59b16a0121fadc14a504ba3bc07ec5d397a0093def094ae56ba0c10f467dbb
      labels:
        app.kubernetes.io/name: loki
        app.kubernetes.io/instance: loki
        app.kubernetes.io/component: gateway
    spec:
-      serviceAccountName: loki
+      serviceAccountName: loki-gateway
+      automountServiceAccountToken: false
      enableServiceLinks: true
      securityContext:
        fsGroup: 101
        runAsGroup: 101
        runAsNonRoot: true
        runAsUser: 101
+        seccompProfile:
+          type: RuntimeDefault
      terminationGracePeriodSeconds: 30
      containers:
        - name: nginx
-          image: docker.io/nginxinc/nginx-unprivileged:1.29-alpine
+          image: docker.io/nginxinc/nginx-unprivileged:1.30-alpine
          imagePullPolicy: IfNotPresent
          ports:
-            - name: http-metrics
+            - name: http
              containerPort: 8080
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /
-              port: http-metrics
+              port: http
            initialDelaySeconds: 15
            timeoutSeconds: 1
          securityContext:
@@ -56,6 +59,8 @@ spec:
              drop:
                - ALL
            readOnlyRootFilesystem: true
+            seccompProfile:
+              type: RuntimeDefault
          volumeMounts:
            - name: config
              mountPath: /etc/nginx
@@ -67,6 +72,54 @@ spec:
            requests:
              cpu: 10m
              memory: 20Mi
+        - name: exporter
+          image: ghcr.io/jkroepke/access-log-exporter:0.3.11
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 4040
+              name: http-metrics
+            - containerPort: 8514
+              name: syslog
+          args:
+            - --nginx.scrape-url
+            - http://127.0.0.1:8080/stub_status
+            - --preset
+            - loki
+          resources:
+            limits: {}
+            requests: {}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 65532
+            runAsNonRoot: true
+            runAsUser: 65532
+            seccompProfile:
+              type: RuntimeDefault
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /health
+              port: http-metrics
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: 3
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /health
+              port: http-metrics
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            timeoutSeconds: 5
+          volumeMounts:
+            - name: config
+              mountPath: /config.yaml
+              subPath: access-log-exporter.yaml
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
--- a/clusters/cl01tl/manifests/loki/HTTPRoute-loki-gateway.yaml
+++ b/clusters/cl01tl/manifests/loki/HTTPRoute-loki-gateway.yaml
@@ -0,0 +1,30 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: loki-gateway
+  namespace: loki
+  labels:
+    helm.sh/chart: loki-13.5.0
+    app.kubernetes.io/name: loki
+    app.kubernetes.io/instance: loki
+    app.kubernetes.io/version: "3.7.1"
+    app.kubernetes.io/component: gateway
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - loki.alexlebens.net
+  rules:
+    - backendRefs:
+        - group: ""
+          kind: Service
+          name: loki-gateway
+          port: 80
+          weight: 1
+      matches:
+        - path:
+            type: PathPrefix
+            value: /
--- a/clusters/cl01tl/manifests/loki/Pod-loki-helm-test.yaml
+++ b/clusters/cl01tl/manifests/loki/Pod-loki-helm-test.yaml
@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: "loki-helm-test"
-  namespace: loki
-  labels:
-    helm.sh/chart: loki-6.55.0
-    app.kubernetes.io/name: loki
-    app.kubernetes.io/instance: loki
-    app.kubernetes.io/version: "3.6.7"
-    app.kubernetes.io/component: helm-test
-  annotations:
-    "helm.sh/hook": test
-spec:
-  containers:
-    - name: loki-helm-test
-      image: docker.io/grafana/loki-helm-test:latest
-      env:
-        - name: CANARY_SERVICE_ADDRESS
-          value: "http://loki-canary.loki.svc.cluster.local:3500/metrics"
-        - name: CANARY_PROMETHEUS_ADDRESS
-          value: ""
-        - name: CANARY_TEST_TIMEOUT
-          value: "1m"
-      args:
-        - -test.v
-  restartPolicy: Never
--- a/clusters/cl01tl/manifests/loki/Service-loki-canary.yaml
+++ b/clusters/cl01tl/manifests/loki/Service-loki-canary.yaml
@@ -4,10 +4,10 @@ metadata:
  name: loki-canary
  namespace: loki
  labels:
-    helm.sh/chart: loki-6.55.0
+    helm.sh/chart: loki-13.5.0
    app.kubernetes.io/name: loki
    app.kubernetes.io/instance: loki
-    app.kubernetes.io/version: "3.6.7"
+    app.kubernetes.io/version: "3.7.1"
    app.kubernetes.io/component: canary
  annotations:
 spec:
--- a/clusters/cl01tl/manifests/loki/Service-loki-chunks-cache.yaml
+++ b/clusters/cl01tl/manifests/loki/Service-loki-chunks-cache.yaml
@@ -3,10 +3,10 @@ kind: Service
 metadata:
  name: loki-chunks-cache
  labels:
-    helm.sh/chart: loki-6.55.0
+    helm.sh/chart: loki-13.5.0
    app.kubernetes.io/name: loki
    app.kubernetes.io/instance: loki
-    app.kubernetes.io/version: "3.6.7"
+    app.kubernetes.io/version: "3.7.1"
    app.kubernetes.io/component: "memcached-chunks-cache"
  annotations: {}
  namespace: "loki"
--- a/clusters/cl01tl/manifests/loki/Service-loki-gateway-exporter.yaml
+++ b/clusters/cl01tl/manifests/loki/Service-loki-gateway-exporter.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: loki-gateway-exporter
+  namespace: loki
+  labels:
+    helm.sh/chart: loki-13.5.0
+    app.kubernetes.io/name: loki
+    app.kubernetes.io/instance: loki
+    app.kubernetes.io/version: "3.7.1"
+    app.kubernetes.io/component: gateway
+  annotations:
+spec:
+  type: ClusterIP
+  ports:
+    - name: http-metrics
+      port: 4040
+      targetPort: http-metrics
+      protocol: TCP
+  selector:
+    app.kubernetes.io/name: loki
+    app.kubernetes.io/instance: loki
+    app.kubernetes.io/component: gateway
--- a/clusters/cl01tl/manifests/loki/Service-loki-gateway.yaml
+++ b/clusters/cl01tl/manifests/loki/Service-loki-gateway.yaml
@@ -4,19 +4,19 @@ metadata:
  name: loki-gateway
  namespace: loki
  labels:
-    helm.sh/chart: loki-6.55.0
+    helm.sh/chart: loki-13.5.0
    app.kubernetes.io/name: loki
    app.kubernetes.io/instance: loki
-    app.kubernetes.io/version: "3.6.7"
+    app.kubernetes.io/version: "3.7.1"
    app.kubernetes.io/component: gateway
    prometheus.io/service-monitor: "false"
  annotations:
 spec:
  type: ClusterIP
  ports:
-    - name: http-metrics
+    - name: http
      port: 80
-      targetPort: http-metrics
+      targetPort: http
      protocol: TCP
  selector:
    app.kubernetes.io/name: loki
--- a/clusters/cl01tl/manifests/loki/Service-loki-headless.yaml
+++ b/clusters/cl01tl/manifests/loki/Service-loki-headless.yaml
@@ -1,23 +1,35 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: loki-headless
+  name: "loki-headless"
  namespace: loki
  labels:
-    helm.sh/chart: loki-6.55.0
+    helm.sh/chart: loki-13.5.0
    app.kubernetes.io/name: loki
    app.kubernetes.io/instance: loki
-    app.kubernetes.io/version: "3.6.7"
-    variant: headless
+    app.kubernetes.io/version: "3.7.1"
+    app.kubernetes.io/component: "single-binary"
    prometheus.io/service-monitor: "false"
+    variant: headless
  annotations:
 spec:
  clusterIP: None
+  type: ClusterIP
+  publishNotReadyAddresses: true
  ports:
    - name: http-metrics
      port: 3100
      targetPort: http-metrics
      protocol: TCP
+    - name: grpc
+      port: 9095
+      targetPort: grpc
+      protocol: TCP
+    - name: grpclb
+      port: 9096
+      targetPort: grpc
+      protocol: TCP
  selector:
    app.kubernetes.io/name: loki
    app.kubernetes.io/instance: loki
+    app.kubernetes.io/component: "single-binary"
--- a/clusters/cl01tl/manifests/loki/Service-loki-memberlist.yaml
+++ b/clusters/cl01tl/manifests/loki/Service-loki-memberlist.yaml
@@ -4,10 +4,10 @@ metadata:
  name: loki-memberlist
  namespace: loki
  labels:
-    helm.sh/chart: loki-6.55.0
+    helm.sh/chart: loki-13.5.0
    app.kubernetes.io/name: loki
    app.kubernetes.io/instance: loki
-    app.kubernetes.io/version: "3.6.7"
+    app.kubernetes.io/version: "3.7.1"
  annotations:
 spec:
  type: ClusterIP
--- a/clusters/cl01tl/manifests/loki/Service-loki-results-cache.yaml
+++ b/clusters/cl01tl/manifests/loki/Service-loki-results-cache.yaml
@@ -3,10 +3,10 @@ kind: Service
 metadata:
  name: loki-results-cache
  labels:
-    helm.sh/chart: loki-6.55.0
+    helm.sh/chart: loki-13.5.0
    app.kubernetes.io/name: loki
    app.kubernetes.io/instance: loki
-    app.kubernetes.io/version: "3.6.7"
+    app.kubernetes.io/version: "3.7.1"
    app.kubernetes.io/component: "memcached-results-cache"
  annotations: {}
  namespace: "loki"
--- a/clusters/cl01tl/manifests/loki/Service-loki.yaml
+++ b/clusters/cl01tl/manifests/loki/Service-loki.yaml
@@ -1,16 +1,18 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: loki
-  namespace: loki
+  name: "loki"
+  namespace: "loki"
  labels:
-    helm.sh/chart: loki-6.55.0
+    helm.sh/chart: loki-13.5.0
    app.kubernetes.io/name: loki
    app.kubernetes.io/instance: loki
-    app.kubernetes.io/version: "3.6.7"
+    app.kubernetes.io/version: "3.7.1"
+    app.kubernetes.io/component: "single-binary"
  annotations:
 spec:
  type: ClusterIP
+  publishNotReadyAddresses: true
  ports:
    - name: http-metrics
      port: 3100
@@ -20,7 +22,11 @@ spec:
      port: 9095
      targetPort: grpc
      protocol: TCP
+    - name: grpclb
+      port: 9096
+      targetPort: grpc
+      protocol: TCP
  selector:
    app.kubernetes.io/name: loki
    app.kubernetes.io/instance: loki
-    app.kubernetes.io/component: single-binary
+    app.kubernetes.io/component: "single-binary"
--- a/clusters/cl01tl/manifests/loki/ServiceAccount-loki-canary.yaml
+++ b/clusters/cl01tl/manifests/loki/ServiceAccount-loki-canary.yaml
@@ -4,9 +4,9 @@ metadata:
  name: loki-canary
  namespace: loki
  labels:
-    helm.sh/chart: loki-6.55.0
+    helm.sh/chart: loki-13.5.0
    app.kubernetes.io/name: loki
    app.kubernetes.io/instance: loki
-    app.kubernetes.io/version: "3.6.7"
+    app.kubernetes.io/version: "3.7.1"
    app.kubernetes.io/component: canary
-automountServiceAccountToken: true
+automountServiceAccountToken: false
--- a/clusters/cl01tl/manifests/loki/ServiceAccount-loki-gateway.yaml
+++ b/clusters/cl01tl/manifests/loki/ServiceAccount-loki-gateway.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: loki-gateway
+  namespace: loki
+  labels:
+    helm.sh/chart: loki-13.5.0
+    app.kubernetes.io/name: loki
+    app.kubernetes.io/instance: loki
+    app.kubernetes.io/version: "3.7.1"
+    app.kubernetes.io/component: gateway
+automountServiceAccountToken: false
--- a/clusters/cl01tl/manifests/loki/ServiceAccount-loki-memcached.yaml
+++ b/clusters/cl01tl/manifests/loki/ServiceAccount-loki-memcached.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: loki-memcached
+  namespace: loki
+  labels:
+    helm.sh/chart: loki-13.5.0
+    app.kubernetes.io/name: loki
+    app.kubernetes.io/instance: loki
+    app.kubernetes.io/version: "3.7.1"
+    app.kubernetes.io/component: memcached
+automountServiceAccountToken: false
--- a/clusters/cl01tl/manifests/loki/ServiceAccount-loki.yaml
+++ b/clusters/cl01tl/manifests/loki/ServiceAccount-loki.yaml
@@ -4,8 +4,8 @@ metadata:
  name: loki
  namespace: loki
  labels:
-    helm.sh/chart: loki-6.55.0
+    helm.sh/chart: loki-13.5.0
    app.kubernetes.io/name: loki
    app.kubernetes.io/instance: loki
-    app.kubernetes.io/version: "3.6.7"
+    app.kubernetes.io/version: "3.7.1"
 automountServiceAccountToken: true
--- a/clusters/cl01tl/manifests/loki/StatefulSet-loki-chunks-cache.yaml
+++ b/clusters/cl01tl/manifests/loki/StatefulSet-loki-chunks-cache.yaml
@@ -3,10 +3,10 @@ kind: StatefulSet
 metadata:
  name: loki-chunks-cache
  labels:
-    helm.sh/chart: loki-6.55.0
+    helm.sh/chart: loki-13.5.0
    app.kubernetes.io/name: loki
    app.kubernetes.io/instance: loki
-    app.kubernetes.io/version: "3.6.7"
+    app.kubernetes.io/version: "3.7.1"
    app.kubernetes.io/component: "memcached-chunks-cache"
    name: "memcached-chunks-cache"
  annotations: {}
@@ -32,12 +32,14 @@ spec:
        name: "memcached-chunks-cache"
      annotations:
    spec:
-      serviceAccountName: loki
+      serviceAccountName: loki-memcached
      securityContext:
        fsGroup: 11211
        runAsGroup: 11211
        runAsNonRoot: true
        runAsUser: 11211
+        seccompProfile:
+          type: RuntimeDefault
      initContainers: []
      nodeSelector: {}
      affinity: {}
@@ -46,7 +48,7 @@ spec:
      terminationGracePeriodSeconds: 60
      containers:
        - name: memcached
-          image: memcached:1.6.39-alpine
+          image: memcached:1.6.41-alpine
          imagePullPolicy: IfNotPresent
          resources:
            limits:
@@ -72,6 +74,9 @@ spec:
              drop:
                - ALL
            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
          readinessProbe:
            failureThreshold: 6
            initialDelaySeconds: 5
@@ -87,7 +92,7 @@ spec:
              port: client
            timeoutSeconds: 5
        - name: exporter
-          image: prom/memcached-exporter:v0.15.4
+          image: prom/memcached-exporter:v0.16.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 9150
@@ -104,6 +109,9 @@ spec:
              drop:
                - ALL
            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
          readinessProbe:
            failureThreshold: 3
            httpGet:
--- a/clusters/cl01tl/manifests/loki/StatefulSet-loki-results-cache.yaml
+++ b/clusters/cl01tl/manifests/loki/StatefulSet-loki-results-cache.yaml
@@ -3,10 +3,10 @@ kind: StatefulSet
 metadata:
  name: loki-results-cache
  labels:
-    helm.sh/chart: loki-6.55.0
+    helm.sh/chart: loki-13.5.0
    app.kubernetes.io/name: loki
    app.kubernetes.io/instance: loki
-    app.kubernetes.io/version: "3.6.7"
+    app.kubernetes.io/version: "3.7.1"
    app.kubernetes.io/component: "memcached-results-cache"
    name: "memcached-results-cache"
  annotations: {}
@@ -32,12 +32,14 @@ spec:
        name: "memcached-results-cache"
      annotations:
    spec:
-      serviceAccountName: loki
+      serviceAccountName: loki-memcached
      securityContext:
        fsGroup: 11211
        runAsGroup: 11211
        runAsNonRoot: true
        runAsUser: 11211
+        seccompProfile:
+          type: RuntimeDefault
      initContainers: []
      nodeSelector: {}
      affinity: {}
@@ -46,7 +48,7 @@ spec:
      terminationGracePeriodSeconds: 60
      containers:
        - name: memcached
-          image: memcached:1.6.39-alpine
+          image: memcached:1.6.41-alpine
          imagePullPolicy: IfNotPresent
          resources:
            limits:
@@ -72,6 +74,9 @@ spec:
              drop:
                - ALL
            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
          readinessProbe:
            failureThreshold: 6
            initialDelaySeconds: 5
@@ -87,7 +92,7 @@ spec:
              port: client
            timeoutSeconds: 5
        - name: exporter
-          image: prom/memcached-exporter:v0.15.4
+          image: prom/memcached-exporter:v0.16.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 9150
@@ -104,6 +109,9 @@ spec:
              drop:
                - ALL
            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
          readinessProbe:
            failureThreshold: 3
            httpGet:
--- a/clusters/cl01tl/manifests/loki/StatefulSet-loki.yaml
+++ b/clusters/cl01tl/manifests/loki/StatefulSet-loki.yaml
@@ -4,10 +4,10 @@ metadata:
  name: loki
  namespace: loki
  labels:
-    helm.sh/chart: loki-6.55.0
+    helm.sh/chart: loki-13.5.0
    app.kubernetes.io/name: loki
    app.kubernetes.io/instance: loki
-    app.kubernetes.io/version: "3.6.7"
+    app.kubernetes.io/version: "3.7.1"
    app.kubernetes.io/component: single-binary
    app.kubernetes.io/part-of: memberlist
 spec:
@@ -29,31 +29,61 @@ spec:
  template:
    metadata:
      annotations:
-        checksum/config: 9cded33d7ba292eb76711b451f5ecd9bade13c7fb5ffb5622229f5706f8f90dd
-        storage/size: "150Gi"
+        checksum/config: 19e0049d8578b5fadd19fbcef19075cf8df1c30f6a3e6fc48aeeeaae41e30e27
+        storage/size: 150Gi
        kubectl.kubernetes.io/default-container: "loki"
      labels:
+        helm.sh/chart: loki-13.5.0
        app.kubernetes.io/name: loki
        app.kubernetes.io/instance: loki
+        app.kubernetes.io/version: "3.7.1"
        app.kubernetes.io/component: single-binary
        app.kubernetes.io/part-of: memberlist
    spec:
      serviceAccountName: loki
-      automountServiceAccountToken: true
      enableServiceLinks: true
+      automountServiceAccountToken: true
      securityContext:
        fsGroup: 10001
        fsGroupChangePolicy: OnRootMismatch
        runAsGroup: 10001
        runAsNonRoot: true
        runAsUser: 10001
+        seccompProfile:
+          type: RuntimeDefault
      terminationGracePeriodSeconds: 30
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchLabels:
+                  app.kubernetes.io/component: single-binary
+                  app.kubernetes.io/instance: 'loki'
+                  app.kubernetes.io/name: 'loki'
+              topologyKey: kubernetes.io/hostname
+      volumes:
+        - name: temp
+          emptyDir: {}
+        - name: config
+          configMap:
+            name: loki
+            items:
+              - key: "config.yaml"
+                path: "config.yaml"
+        - name: runtime-config
+          configMap:
+            name: loki-runtime
+        - name: sc-rules-volume
+          emptyDir: {}
+        - name: sc-rules-temp
+          emptyDir: {}
      containers:
        - name: loki
-          image: docker.io/grafana/loki:3.6.7
+          image: docker.io/grafana/loki:3.7.1
          imagePullPolicy: IfNotPresent
          args:
            - -config.file=/etc/loki/config/config.yaml
+            - -config.expand-env=true
            - -target=all
          ports:
            - name: http-metrics
@@ -65,12 +95,29 @@ spec:
            - name: http-memberlist
              containerPort: 7946
              protocol: TCP
+          env:
+            - name: GOGC
+              value: "80"
+            - name: HASH_RING_INSTANCE_ADDR
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
+            seccompProfile:
+              type: RuntimeDefault
+          livenessProbe:
+            failureThreshold: 10
+            httpGet:
+              path: /loki/api/v1/status/buildinfo
+              port: http-metrics
+            periodSeconds: 30
+            successThreshold: 1
+            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
@@ -81,14 +128,14 @@ spec:
            successThreshold: 1
            timeoutSeconds: 1
          volumeMounts:
-            - name: tmp
-              mountPath: /tmp
            - name: config
              mountPath: /etc/loki/config
            - name: runtime-config
              mountPath: /etc/loki/runtime-config
            - name: storage
              mountPath: /var/loki
+            - name: temp
+              mountPath: /tmp
            - name: sc-rules-volume
              mountPath: "/rules"
          resources:
@@ -96,8 +143,38 @@ spec:
              cpu: 100m
              memory: 800Mi
        - name: loki-sc-rules
-          image: docker.io/kiwigrid/k8s-sidecar:2.5.0
+          image: docker.io/kiwigrid/k8s-sidecar:2.7.1
          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http-sidecar
+              containerPort: 8080
+              protocol: TCP
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            seccompProfile:
+              type: RuntimeDefault
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz
+              port: http-sidecar
+            initialDelaySeconds: 30
+            periodSeconds: 30
+            successThreshold: 1
+            timeoutSeconds: 1
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz
+              port: http-sidecar
+            initialDelaySeconds: 3
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
          env:
            - name: METHOD
              value: WATCH
@@ -113,40 +190,13 @@ spec:
              value: "60"
            - name: LOG_LEVEL
              value: "INFO"
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-                - ALL
-            readOnlyRootFilesystem: true
+            - name: HEALTH_PORT
+              value: "8080"
          volumeMounts:
-            - name: tmp
+            - name: sc-rules-temp
              mountPath: /tmp
            - name: sc-rules-volume
              mountPath: "/rules"
-      affinity:
-        podAntiAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            - labelSelector:
-                matchLabels:
-                  app.kubernetes.io/component: single-binary
-                  app.kubernetes.io/instance: 'loki'
-                  app.kubernetes.io/name: 'loki'
-              topologyKey: kubernetes.io/hostname
-      volumes:
-        - name: tmp
-          emptyDir: {}
-        - name: config
-          configMap:
-            name: loki
-            items:
-              - key: "config.yaml"
-                path: "config.yaml"
-        - name: runtime-config
-          configMap:
-            name: loki-runtime
-        - name: sc-rules-volume
-          emptyDir: {}
  volumeClaimTemplates:
    - apiVersion: v1
      kind: PersistentVolumeClaim