admin
24be0b45fd
Replaces the security-flagged `minimumReleaseAge: 0` bypass with a proper datasource swap. Why: ghcr.io OCI manifests for ghcr.io/lukegus/termix don't expose a release timestamp, so Renovate's default `timestamp-required` mode holds updates indefinitely. The previous fix (zeroing the gate) was flagged as a supply-chain control regression -- correctly, since it weakens the stability protection for that package. Cleaner fix: point Renovate's version lookup at the upstream GitHub Releases (Termix-SSH/Termix per the OCI source label) where timestamps ARE published. The 3-day gate then works for termix the same way it works for other packages with intact timestamps. Renovate still updates the same image -- the manager extracts ghcr.io/lukegus/termix from termix.yaml and writes the new tag back; only the version-source lookup is redirected. The ghcr.io registry hosts every release-X.Y.Z tag (verified release-2.3.2 present), so the writeback target stays valid. Major bumps (1.x -> 2.x) continue to queue for dashboard approval via the global major rule. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
191 lines
7.0 KiB
YAML
191 lines
7.0 KiB
YAML
# ============================================
|
|
# Renovate Bot - Self-hosted dependency updater
|
|
# ============================================
|
|
# https://docs.renovatebot.com
|
|
# Image: renovate/renovate (plain tag = minimal image, "formerly slim";
|
|
# -slim suffix was retired after v37.440.x, so we pin the plain tag)
|
|
#
|
|
# PILOT SCOPE (intentionally narrow):
|
|
# Runs weekly (Sun 04:00 Europe/Budapest) as a CronJob and opens
|
|
# dependency-update PRs against admin/homelab-manifests on Gitea.
|
|
# Only the `kubernetes` and `helm-values` managers are enabled, and a
|
|
# default-deny packageRule limits updates to exactly four pilot images:
|
|
# - ghcr.io/thomiceli/opengist
|
|
# - louislam/uptime-kuma
|
|
# - f0rc3/gokapi
|
|
# - docker.io/calcom/cal.com
|
|
# minor/patch -> PR with Gitea native auto-merge; major -> waits for
|
|
# manual approval via a checkbox on the Dependency Dashboard issue.
|
|
#
|
|
# Stateless & ephemeral: no Service, Ingress, or PVC. Writable /tmp is an
|
|
# emptyDir (root FS is read-only); Renovate uses it for git clones + cache.
|
|
#
|
|
# Secrets (created manually, NOT in git) come from Secret `renovate-secrets`:
|
|
# - RENOVATE_TOKEN (Gitea PAT)
|
|
# - RENOVATE_GITHUB_COM_TOKEN (GitHub PAT, for release notes)
|
|
# ============================================
|
|
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: renovate-config
|
|
namespace: admin-system
|
|
labels:
|
|
app.kubernetes.io/instance: renovate
|
|
app.kubernetes.io/name: renovate
|
|
data:
|
|
config.json: |
|
|
{
|
|
"platform": "gitea",
|
|
"endpoint": "https://gitea.dooplex.hu/api/v1",
|
|
"gitAuthor": "Renovate Bot <renovate@dooplex.hu>",
|
|
"repositories": ["admin/homelab-manifests"],
|
|
"onboarding": false,
|
|
"requireConfig": "optional",
|
|
"dependencyDashboard": true,
|
|
"dependencyDashboardTitle": "Renovate Dependency Dashboard",
|
|
"prHourlyLimit": 8,
|
|
"prConcurrentLimit": 8,
|
|
"enabledManagers": ["kubernetes", "helm-values"],
|
|
"kubernetes": {
|
|
"managerFilePatterns": ["/.+\\.ya?ml$/"]
|
|
},
|
|
"packageRules": [
|
|
{
|
|
"description": "All apps: 3-day stability gate before any PR opens",
|
|
"matchPackageNames": ["*"],
|
|
"minimumReleaseAge": "3 days"
|
|
},
|
|
{
|
|
"description": "Auto-merge minor/patch after the stability window",
|
|
"matchUpdateTypes": ["minor", "patch"],
|
|
"automerge": true,
|
|
"automergeType": "pr",
|
|
"platformAutomerge": true
|
|
},
|
|
{
|
|
"description": "Major bumps wait for dashboard approval (catches breaking/schema migrations)",
|
|
"matchUpdateTypes": ["major"],
|
|
"automerge": false,
|
|
"dependencyDashboardApproval": true
|
|
},
|
|
{
|
|
"description": "k3s-bundled components: never touch, they ride k3s upgrades",
|
|
"matchPackageNames": [
|
|
"rancher/local-path-provisioner",
|
|
"rancher/mirrored-coredns/coredns",
|
|
"rancher/mirrored-metrics-server"
|
|
],
|
|
"enabled": false
|
|
},
|
|
{
|
|
"description": "Critical core: PR opens with changelog but Viktor merges manually (deploy pipeline + SSO + DB operator). Some entries are no-ops if the image isn't pinned in this repo (ArgoCD bootstrap, authentik outpost images inherit chart defaults).",
|
|
"matchPackageNames": [
|
|
"gitea/gitea",
|
|
"quay.io/argoproj/argocd",
|
|
"ghcr.io/goauthentik/server",
|
|
"ghcr.io/goauthentik/ldap",
|
|
"ghcr.io/goauthentik/proxy",
|
|
"ghcr.io/cloudnative-pg/cloudnative-pg"
|
|
],
|
|
"automerge": false
|
|
},
|
|
{
|
|
"description": "termix: use github-releases as datasource (ghcr.io OCI manifest for this image lacks the release timestamp Renovate needs for the stability gate; GitHub Releases at Termix-SSH/Termix expose proper timestamps so the 3-day gate works as intended). regex versioning parses the release-X.Y.Z prefix. Renovate still writes the new tag to the same ghcr.io/lukegus/termix image (the registry hosts every release).",
|
|
"matchPackageNames": ["ghcr.io/lukegus/termix"],
|
|
"datasource": "github-releases",
|
|
"packageName": "Termix-SSH/Termix",
|
|
"versioning": "regex:^release-(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)$"
|
|
},
|
|
{
|
|
"description": "wanderer: db + web update together in one PR",
|
|
"matchPackageNames": ["flomp/wanderer-db", "flomp/wanderer-web"],
|
|
"groupName": "wanderer"
|
|
}
|
|
],
|
|
"labels": ["renovate"]
|
|
}
|
|
---
|
|
apiVersion: batch/v1
|
|
kind: CronJob
|
|
metadata:
|
|
name: renovate
|
|
namespace: admin-system
|
|
labels:
|
|
app.kubernetes.io/instance: renovate
|
|
app.kubernetes.io/name: renovate
|
|
app.kubernetes.io/version: "43.197.0"
|
|
spec:
|
|
schedule: "0 4 * * 0"
|
|
timeZone: "Europe/Budapest"
|
|
concurrencyPolicy: Forbid
|
|
successfulJobsHistoryLimit: 3
|
|
failedJobsHistoryLimit: 3
|
|
startingDeadlineSeconds: 600
|
|
jobTemplate:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/instance: renovate
|
|
app.kubernetes.io/name: renovate
|
|
app.kubernetes.io/version: "43.197.0"
|
|
spec:
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/instance: renovate
|
|
app.kubernetes.io/name: renovate
|
|
app.kubernetes.io/version: "43.197.0"
|
|
annotations:
|
|
# Renovate uses plain X.Y.Z semver tags (no -slim suffix anymore)
|
|
match-regex.version-checker.io/renovate: '^\d+\.\d+\.\d+$'
|
|
spec:
|
|
enableServiceLinks: false
|
|
restartPolicy: OnFailure
|
|
containers:
|
|
- name: renovate
|
|
image: renovate/renovate:43.197.0
|
|
imagePullPolicy: IfNotPresent
|
|
envFrom:
|
|
- secretRef:
|
|
name: renovate-secrets
|
|
env:
|
|
- name: TZ
|
|
value: Europe/Budapest
|
|
- name: LOG_LEVEL
|
|
value: info
|
|
- name: RENOVATE_CONFIG_FILE
|
|
value: /config/config.json
|
|
# Renovate needs a writable tmp for git clones + cache;
|
|
# root FS is read-only so point it at the emptyDir below.
|
|
- name: TMPDIR
|
|
value: /tmp
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 256Mi
|
|
limits:
|
|
cpu: 2000m
|
|
memory: 2Gi
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 12021
|
|
runAsGroup: 0
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
volumeMounts:
|
|
- name: config
|
|
mountPath: /config
|
|
readOnly: true
|
|
- name: tmp
|
|
mountPath: /tmp
|
|
volumes:
|
|
- name: config
|
|
configMap:
|
|
name: renovate-config
|
|
- name: tmp
|
|
emptyDir:
|
|
sizeLimit: 2Gi
|