From 0e8524b84a0c8252e228a9b53ad392b766de6346 Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic
Date: Tue, 14 Apr 2026 12:05:14 +0200
Subject: [PATCH] renovate

---
 README.md | 2 ++
 docs/REFERENCE.md | 49 +++++++++++++++++++++++++++++-
 infra/renovate.yaml | 42 ++++++++++++++++++++++++++
 infra/values/renovate-values.yaml | 28 ++++++++++++++++++
 secrets/renovate-env-sealed.yaml | 19 ++++++++++++
 5 files changed, 138 insertions(+), 2 deletions(-)
 create mode 100644 infra/renovate.yaml
 create mode 100644 infra/values/renovate-values.yaml
 create mode 100644 secrets/renovate-env-sealed.yaml

diff --git a/README.md b/README.md
index 585d9fa..1dea06c 100644
--- a/README.md
+++ b/README.md
@@ -95,6 +95,7 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 │ ├── fluent-bit.yaml
 │ ├── trivy.yaml
 │ ├── sealedsecrets.yaml
+│ ├── renovate.yaml
 │ └── values/ # Helm value overrides
 │
 ├── apps/ # Business Applications
@@ -335,6 +336,7 @@ kubectl patch application myapp -n argocd \
 | **Tempo** | Distributed tracing | `monitoring` | 1 |
 | **Fluent-Bit** | Log shipping | `monitoring` | DaemonSet |
 | **OpenCost** | Cost monitoring | `monitoring` | 1 |
+| **Renovate** | Dependency updates | `renovate` | CronJob |
 | **Trivy** | Vulnerability scanning | `trivy-system` | 1 |
 
 **Full specs**: [Technical Reference - Infrastructure Components](docs/REFERENCE.md#infrastructure-components)
diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md
index fed299c..222d042 100644
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -90,6 +90,7 @@ launchpad/
 │ ├── gitea-actions.yaml
 │ ├── sealedsecrets.yaml
 │ ├── secrets.yaml
+│ ├── renovate.yaml
 │ └── values/
 │ ├── argocd-values.yaml
 │ ├── prometheus-values.yaml
@@ -98,7 +99,8 @@ launchpad/
 │ ├── tempo-values.yaml
 │ ├── gitea-values.yaml
 │ ├── gitea-actions-values.yaml
-│ └── fluent-bit-values.yaml
+│ ├── fluent-bit-values.yaml
+│ └── renovate-values.yaml
 │
 ├── apps/ # Business applications
 │ ├── mcp10x.yaml
@@ -867,6 +869,48 @@ dind:
 - Gitea admin panel (`/admin/runners`) — runners show as Online
 - Create test workflow in `.gitea/workflows/test.yml` — job executes
 
+### Renovate
+
+**Chart**: `renovate` (OCI: `ghcr.io/renovatebot/charts`)
+**Version**: 46.109.0 (app v43.113.0)
+**Namespace**: `renovate`
+**Sync Wave**: 2
+
+**Purpose**: Automated dependency update bot. Runs as a CronJob that scans Gitea repositories for outdated dependencies and creates pull requests with updates.
+
+**Configuration**:
+```yaml
+# infra/renovate.yaml + infra/values/renovate-values.yaml
+cronjob:
+ schedule: "@hourly"
+ concurrencyPolicy: Forbid
+
+renovate:
+ config:
+ platform: gitea
+ endpoint: https://git.forteapps.net
+ autodiscover: true
+ gitAuthor: "Renovate Bot "
+
+resources:
+ requests: { cpu: 250m, memory: 512Mi }
+ limits: { cpu: "1", memory: 1Gi }
+```
+
+**Secrets**: `renovate-env` (SealedSecret in `secrets` namespace, cloned by Kyverno) containing:
+- `RENOVATE_TOKEN` — Gitea PAT with repo write + issue write permissions
+- `RENOVATE_GITHUB_COM_TOKEN` — GitHub PAT (public_repo read-only) for changelog fetching
+
+**Setup Steps**:
+1. Fill in `private/renovate-env.yaml` with tokens
+2. Seal: `kubeseal --format yaml < private/renovate-env.yaml > secrets/renovate-env-sealed.yaml`
+3. Commit and push — ArgoCD deploys the CronJob, Kyverno clones the secret
+
+**Verification**:
+- `kubectl get cronjob -n renovate` — CronJob exists
+- `kubectl create job --from=cronjob/renovate renovate-test -n renovate` — manual trigger
+- `kubectl logs -n renovate job/renovate-test` — check logs
+
 ---
 
 ## Kyverno Policies
@@ -1472,6 +1516,7 @@ team: platform
 | **Fluent-Bit** | 2.1.0+ | Latest |
 | **Gitea** | 1.25.4 | 12.5.0 |
 | **Gitea Act Runner** | Latest | Latest |
+| **Renovate** | v43.113.0 | 46.109.0 |
 | **PostgreSQL** | 16-alpine | N/A |
 | **Trivy** | Latest | Latest |
 
@@ -1483,6 +1528,6 @@ team: platform
 
 ---
 
-**Last Updated**: 2026-04-08
+**Last Updated**: 2026-04-14
 **Maintained By**: Platform Team
 **Version**: 1.0.0
diff --git a/infra/renovate.yaml b/infra/renovate.yaml
new file mode 100644
index 0000000..bc1d34e
--- /dev/null
+++ b/infra/renovate.yaml
@@ -0,0 +1,42 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: renovate
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "2"
+ labels:
+ app.kubernetes.io/name: renovate
+ app.kubernetes.io/part-of: platform
+ app.kubernetes.io/managed-by: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+
+ sources:
+ - repoURL: ghcr.io/renovatebot/charts
+ chart: renovate
+ targetRevision: "46.109.0"
+ helm:
+ releaseName: renovate
+ valueFiles:
+ - $values/infra/values/renovate-values.yaml
+
+ - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+ targetRevision: HEAD
+ ref: values
+
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: renovate
+
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: false
+ syncOptions:
+ - CreateNamespace=true
+ - Validate=true
+ - ServerSideApply=true
diff --git a/infra/values/renovate-values.yaml b/infra/values/renovate-values.yaml
new file mode 100644
index 0000000..0feb572
--- /dev/null
+++ b/infra/values/renovate-values.yaml
@@ -0,0 +1,28 @@
+cronjob:
+ schedule: "@hourly"
+ concurrencyPolicy: Forbid
+
+renovate:
+ config: |
+ {
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "platform": "gitea",
+ "endpoint": "https://git.forteapps.net",
+ "autodiscover": true,
+ "gitAuthor": "Renovate Bot "
+ }
+
+envFrom:
+- secretRef:
+ name: renovate-env
+
+env:
+ LOG_LEVEL: debug
+
+resources:
+ requests:
+ cpu: 250m
+ memory: 512Mi
+ limits:
+ cpu: "1"
+ memory: 1Gi
diff --git a/secrets/renovate-env-sealed.yaml b/secrets/renovate-env-sealed.yaml
new file mode 100644
index 0000000..b03051b
--- /dev/null
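Review bot: The CronJob this Application deploys reads the `renovate-env` Secret from the `renovate` namespace, but that Secret is not managed by this Application — per docs/REFERENCE.md it is cloned there by Kyverno from the SealedSecret in `secrets` — so ArgoCD will show the app Healthy while the job pods fail to start whenever the clone has not happened or the clone policy changes. Nothing in infra/renovate.yaml records that dependency; a comment on the values source entry such as `# Runtime dependency: Secret renovate-env is cloned into this namespace by Kyverno (secrets/renovate-env-sealed.yaml), not managed by this Application` keeps it visible where the app is defined. Whether sync wave "2" actually orders this after the Kyverno and sealed-secrets applications cannot be told from this diff and is worth confirming before relying on it.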
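Review bot: `LOG_LEVEL: debug` is committed as the steady-state setting for a job whose environment carries two write-capable tokens via `envFrom`, and the README in this same diff shows Fluent-Bit shipping pod logs cluster-wide; Renovate's debug output is far more verbose than a routine run needs, so switching to `LOG_LEVEL: info` once the first run is verified limits the volume and detail that reaches the log store. `"autodiscover": true` with no filter means the bot onboards and opens pull requests in every repository the PAT can see, including any repository granted to that account later; bounding it with `"autodiscoverFilter": ["Forte/*"]` (the organisation visible in the Application's repoURL) keeps the scope explicit. The `gitAuthor` value appears to end in a trailing space with no address — Renovate expects the `Name <email>` form, so if the address was lost in the committed file rather than in rendering, that line needs fixing.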
+++ b/secrets/renovate-env-sealed.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: renovate-env
+ namespace: secrets
+spec:
+ encryptedData:
+ RENOVATE_GITHUB_COM_TOKEN: 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
+ RENOVATE_TOKEN: AgBZX1CBmvBz+1bDFfkfjK3c3UISoCHPGfJxCs3GboH+uBAo+foZP59JzlLIxY7qcMnPtesMVcQlVe3MXnSdPy9R/fkYrLLAmbKi8wpGgmZx/+pHu5ZTcZ8wRgszNCamLjB23Sk+xObNbeECo6PTDVSCSvpgUy4UVH7yVdFP/iFZjMDyd8GZyW/jf7kroQlliRSFm9eNupUC4BE2Qr3O5pkY0k48KXJIeTtoTuI525NUUSHmkoq8xKX7mA/Qe8HA7hLIBZy3iZvwUm9QdyrbsxQbLHip0EEG/44PyTQ5q9y4ufpLpbbkpMBqDbLlUCrZZmYP2anzrrXtqAx81tpjwBTOV+3ko+WwiZJhEouG22Y7EfDs56g8Zue7FBGqS6HdIRh5oet7LhKLUo8ZfXYIS+qMfNwKV1aOobUQ75U4rH73iOAexeHtLZBnCETCYK+iK7ea6nHNyJhvStpquWb0m/05MZBBJw/hG1/ShOm2+2v99qNXLG+bKE2NXX56JMr0S5eVlPRUq7gHgmzxQtoWWCV7Tz2R5ej/3c2QniD4Cz8Rxsej3FLQwZInICM5AS5u03jQTehzy+wLZ8TJJW9VApc6Z/lkfJixPOKzD+B6/NBEq5PuAatINtqj9Lzh/OzcbHV9qUj1Q+8Wydny6afYdjqrcx0+N15WPMI5tMglMpsggYd26MQ2aAaIa/vY/O4aRAIepmbFlzy6LwsGxd1ZfkeSP3nGc25zEbt7H9tOLA5nwuq9kCRl5vb0
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ allowedToBeCloned: "true"
+ name: renovate-env
+ namespace: secrets
+ type: Opaque
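Review bot: The `allowedToBeCloned: "true"` label on the template is the only thing that controls where this Gitea PAT (repo + issue write, per docs/REFERENCE.md) gets copied, and neither the target namespace nor the token's scope is recorded in the file itself; the Kyverno clone policy is not in this diff, so presumably it lands in `renovate`, but any namespace that policy matches in future receives the same write-capable token. A header comment such as `# Cloned by Kyverno (label allowedToBeCloned) into the renovate namespace for the Renovate CronJob; RENOVATE_TOKEN is a Gitea PAT with repo+issue write — re-seal with kubeseal on rotation` makes the blast radius and the rotation path visible where the secret lives. Because `RENOVATE_TOKEN` must push branches to every autodiscovered repository, a dedicated bot account rather than a personal token is the least-privilege choice; the diff does not show which was used, so worth noting in that comment too.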