renovate

2026-04-14 12:05:14 +02:00
parent 58ccc9fd2e
commit 0e8524b84a
5 changed files with 138 additions and 2 deletions
--- a/README.md
+++ b/README.md
@@ -95,6 +95,7 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 │   ├── fluent-bit.yaml
 │   ├── trivy.yaml
 │   ├── sealedsecrets.yaml
+│   ├── renovate.yaml
 │   └── values/                # Helm value overrides
 │
 ├── apps/                      # Business Applications
@@ -335,6 +336,7 @@ kubectl patch application myapp -n argocd \
 | **Tempo** | Distributed tracing | `monitoring` | 1 |
 | **Fluent-Bit** | Log shipping | `monitoring` | DaemonSet |
 | **OpenCost** | Cost monitoring | `monitoring` | 1 |
+| **Renovate** | Dependency updates | `renovate` | CronJob |
 | **Trivy** | Vulnerability scanning | `trivy-system` | 1 |

 **Full specs**: [Technical Reference - Infrastructure Components](docs/REFERENCE.md#infrastructure-components)
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -90,6 +90,7 @@ launchpad/
 │   ├── gitea-actions.yaml
 │   ├── sealedsecrets.yaml
 │   ├── secrets.yaml
+│   ├── renovate.yaml
 │   └── values/
 │       ├── argocd-values.yaml
 │       ├── prometheus-values.yaml
@@ -98,7 +99,8 @@ launchpad/
 │       ├── tempo-values.yaml
 │       ├── gitea-values.yaml
 │       ├── gitea-actions-values.yaml
-│       └── fluent-bit-values.yaml
+│       ├── fluent-bit-values.yaml
+│       └── renovate-values.yaml
 │
 ├── apps/                          # Business applications
 │   ├── mcp10x.yaml
@@ -867,6 +869,48 @@ dind:
 - Gitea admin panel (`/admin/runners`) — runners show as Online
 - Create test workflow in `.gitea/workflows/test.yml` — job executes

+### Renovate
+
+**Chart**: `renovate` (OCI: `ghcr.io/renovatebot/charts`)
+**Version**: 46.109.0 (app v43.113.0)
+**Namespace**: `renovate`
+**Sync Wave**: 2
+
+**Purpose**: Automated dependency update bot. Runs as a CronJob that scans Gitea repositories for outdated dependencies and creates pull requests with updates.
+
+**Configuration**:
+```yaml
+# infra/renovate.yaml + infra/values/renovate-values.yaml
+cronjob:
+  schedule: "@hourly"
+  concurrencyPolicy: Forbid
+
+renovate:
+  config:
+    platform: gitea
+    endpoint: https://git.forteapps.net
+    autodiscover: true
+    gitAuthor: "Renovate Bot <renovate@forteapps.net>"
+
+resources:
+  requests: { cpu: 250m, memory: 512Mi }
+  limits: { cpu: "1", memory: 1Gi }
+```
+
+**Secrets**: `renovate-env` (SealedSecret in `secrets` namespace, cloned by Kyverno) containing:
+- `RENOVATE_TOKEN` — Gitea PAT with repo write + issue write permissions
+- `RENOVATE_GITHUB_COM_TOKEN` — GitHub PAT (public_repo read-only) for changelog fetching
+
+**Setup Steps**:
+1. Fill in `private/renovate-env.yaml` with tokens
+2. Seal: `kubeseal --format yaml < private/renovate-env.yaml > secrets/renovate-env-sealed.yaml`
+3. Commit and push — ArgoCD deploys the CronJob, Kyverno clones the secret
+
+**Verification**:
+- `kubectl get cronjob -n renovate` — CronJob exists
+- `kubectl create job --from=cronjob/renovate renovate-test -n renovate` — manual trigger
+- `kubectl logs -n renovate job/renovate-test` — check logs
+
 ---

 ## Kyverno Policies
@@ -1472,6 +1516,7 @@ team: platform
 | **Fluent-Bit** | 2.1.0+ | Latest |
 | **Gitea** | 1.25.4 | 12.5.0 |
 | **Gitea Act Runner** | Latest | Latest |
+| **Renovate** | v43.113.0 | 46.109.0 |
 | **PostgreSQL** | 16-alpine | N/A |
 | **Trivy** | Latest | Latest |

@@ -1483,6 +1528,6 @@ team: platform

 ---

-**Last Updated**: 2026-04-08
+**Last Updated**: 2026-04-14
 **Maintained By**: Platform Team
 **Version**: 1.0.0
--- a/infra/renovate.yaml
+++ b/infra/renovate.yaml
@@ -0,0 +1,42 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: renovate
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "2"
+  labels:
+    app.kubernetes.io/name: renovate
+    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: ghcr.io/renovatebot/charts
+    chart: renovate
+    targetRevision: "46.109.0"
+    helm:
+      releaseName: renovate
+      valueFiles:
+      - $values/infra/values/renovate-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: renovate
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
--- a/infra/values/renovate-values.yaml
+++ b/infra/values/renovate-values.yaml
@@ -0,0 +1,28 @@
+cronjob:
+  schedule: "@hourly"
+  concurrencyPolicy: Forbid
+
+renovate:
+  config: |
+    {
+      "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+      "platform": "gitea",
+      "endpoint": "https://git.forteapps.net",
+      "autodiscover": true,
+      "gitAuthor": "Renovate Bot <renovate@forteapps.net>"
+    }
+
+envFrom:
+- secretRef:
+    name: renovate-env
+
+env:
+  LOG_LEVEL: debug
+
+resources:
+  requests:
+    cpu: 250m
+    memory: 512Mi
+  limits:
+    cpu: "1"
+    memory: 1Gi
--- a/secrets/renovate-env-sealed.yaml
+++ b/secrets/renovate-env-sealed.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: renovate-env
+  namespace: secrets
+spec:
+  encryptedData:
+    RENOVATE_GITHUB_COM_TOKEN: AgBpci12KEAs8A5ujnMyoE5/0V5r8EU0MKBrd/465FUIv4n80veSEvpD10k3oA9I6Cyieb0O4uKIE3efx2FdtqnB3sDu8Zb+++hNahxCTN2CPHkr1ULBf/8oD8HpHh1+ajQNX3O5CcZ0mYumyQzGNg30RcvTo0gSq4d/TFFdRDMJSi5w/J7EZWE/Zanl8g6q+ShVSNPSwLoe6mfZkL65nlL057wlWiVEkgu82rTHB27ssRGptnyM32dYNg0i7Z1+jMqqK6pIMRth13HhxCNITtBKa9wjg30rnyNdHZ6O+++jB2vP4c6mRuF/mIUVPr6SCkHqYthqgJQRj1VTVn07jSgWkKxe3g/tBtUglq8nItoRAiXH9AuhDG6Y6UxG6YFC3KCO5/Hjp6pHVMsbZWBLzmUGlHvDR9nNtDeQGndt/R+LHSA6hlxE7lzrip87x9pD2dSgoBbDwOOb19D99+88rkeTiRYg8Z8UUJ2ty+UjcyLb8RgseuBQEKrYM1nV/QzykEVaD5CtUeMTR4yrULDgPWuOznYm+nbj4KN6cfeRIQ9qcRjdlv9qEyVQZHMBjE971cBDbnacrknB8oZhCzUdVvNKxSfer+D4jTP1DQwd/ePHBsT1epdypfwi63kArqIUIx8HcU0uy29jUYr4FIoI9O+WcSiZ9YxRlCrXzIGEHBe57pXzcCsejQnymztZzXUiUItRjIxLxIdXMReYyMgUFlPLr0n70JallREfpBSR71kZdEC4yu1R6g7gcdI7AX1WvuRm2EYNtF4oP2IlOUMGZsU7LsR6oucSLSKPGEB/qSS1YUu5hm6q5C3mLQMu2hk=
+    RENOVATE_TOKEN: AgBZX1CBmvBz+1bDFfkfjK3c3UISoCHPGfJxCs3GboH+uBAo+foZP59JzlLIxY7qcMnPtesMVcQlVe3MXnSdPy9R/fkYrLLAmbKi8wpGgmZx/+pHu5ZTcZ8wRgszNCamLjB23Sk+xObNbeECo6PTDVSCSvpgUy4UVH7yVdFP/iFZjMDyd8GZyW/jf7kroQlliRSFm9eNupUC4BE2Qr3O5pkY0k48KXJIeTtoTuI525NUUSHmkoq8xKX7mA/Qe8HA7hLIBZy3iZvwUm9QdyrbsxQbLHip0EEG/44PyTQ5q9y4ufpLpbbkpMBqDbLlUCrZZmYP2anzrrXtqAx81tpjwBTOV+3ko+WwiZJhEouG22Y7EfDs56g8Zue7FBGqS6HdIRh5oet7LhKLUo8ZfXYIS+qMfNwKV1aOobUQ75U4rH73iOAexeHtLZBnCETCYK+iK7ea6nHNyJhvStpquWb0m/05MZBBJw/hG1/ShOm2+2v99qNXLG+bKE2NXX56JMr0S5eVlPRUq7gHgmzxQtoWWCV7Tz2R5ej/3c2QniD4Cz8Rxsej3FLQwZInICM5AS5u03jQTehzy+wLZ8TJJW9VApc6Z/lkfJixPOKzD+B6/NBEq5PuAatINtqj9Lzh/OzcbHV9qUj1Q+8Wydny6afYdjqrcx0+N15WPMI5tMglMpsggYd26MQ2aAaIa/vY/O4aRAIepmbFlzy6LwsGxd1ZfkeSP3nGc25zEbt7H9tOLA5nwuq9kCRl5vb0
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        allowedToBeCloned: "true"
+      name: renovate-env
+      namespace: secrets
+    type: Opaque