c308c0a85e
Two coordinated changes — open PR only, do NOT merge until dry-run passes.
1) admin-system/renovate.yaml: flip packageRules from Tier 1 allowlist to
default-allow with safety gates. Adds prHourlyLimit=8 + prConcurrentLimit=8
to throttle the first wave. New rules (7 total, order-sensitive):
- "*" : 3-day stability gate (minimumReleaseAge)
- minor/patch : automerge via platformAutomerge
- major : dependencyDashboardApproval (manual gate)
- k3s-bundled (3 images) : disabled (ride k3s upgrades)
- critical-core (6 imgs) : automerge=false (Viktor merges manually)
    gitea/gitea, ghcr.io/goauthentik/{server,ldap,proxy},
    ghcr.io/cloudnative-pg/cloudnative-pg, quay.io/argoproj/argocd
    - ArgoCD + authentik /ldap and /proxy are no-ops (not pinned in repo)
- termix : versioning=loose, extractVersion for "release-X.Y.Z"
- wanderer-db + -web : groupName=wanderer (one PR, prevents file race)
enabledManagers unchanged ([kubernetes, helm-values]) — keeps Helmfile-
managed infra invisible.
2) argocd-apps/homelab.yaml: codify per-app auto-sync intent in git
(currently lives only on live CRs via UI — DR risk).
- 35 existing bare-AUTO apps: add `automated: {enabled: true}` (matches live).
- jarr, version-checker: add `automated: {enabled: true, prune: true,
    selfHeal: true}` (flipping MANUAL -> AUTO so Renovate merges deploy).
- Untouched: admin-tools, authentik, cnpg-operator, root-apps (already
    have strict automated in git); monitoring, infrastructure, felhom,
    gitea, pihole, database-system (explicitly kept MANUAL per Viktor).
NOTE: root-apps does NOT enforce syncPolicy.automated drift between git
and live, so jarr + version-checker will also need a one-off kubectl
patch after merge to actually become AUTO live. Done in go-live step.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
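Added example, not part of this commit or the repo it touches: a small drift check for the situation the NOTE above describes, where root-apps does not reconcile `syncPolicy.automated` between git and the live Application CRs. It takes already-parsed Application specs (the git side from argocd-apps/homelab.yaml, the live side from `kubectl get application -o json`; both are constructed inline here, and the app name `example-app` is a placeholder), normalizes Argo CD's `automated` semantics (a bare `automated: {}` means auto-sync on with prune/selfHeal off; `enabled: false` means manual), reports per-app differences, and builds the merge patch body that brings a live CR in line with git. Function names are this example's own.

```python
"""Drift check between git-declared and live Argo CD syncPolicy.automated.

Standalone example: specs are plain dicts, so it runs without a cluster.
"""
import json
from typing import Any, Dict, List, Optional, Tuple

AutoPolicy = Optional[Dict[str, bool]]  # None => MANUAL, else prune/selfHeal flags


def normalize_automated(spec: Dict[str, Any]) -> AutoPolicy:
    """Reduce spec.syncPolicy.automated to a comparable form.

    Argo CD treats a bare `automated: {}` as auto-sync enabled with prune and
    selfHeal off; `automated.enabled: false` turns auto-sync off entirely.
    """
    automated = (spec.get("syncPolicy") or {}).get("automated")
    if automated is None or automated.get("enabled", True) is False:
        return None
    return {
        "prune": bool(automated.get("prune", False)),
        "selfHeal": bool(automated.get("selfHeal", False)),
    }


def sync_policy_drift(
    git_apps: Dict[str, Dict[str, Any]], live_apps: Dict[str, Dict[str, Any]]
) -> List[Tuple[str, str, Any, Any]]:
    """Return (app, field, git_value, live_value) for every mismatch.

    field is "mode" when one side is MANUAL and the other AUTO, "presence"
    when an app exists on only one side, otherwise the differing option.
    """
    findings: List[Tuple[str, str, Any, Any]] = []
    for name in sorted(set(git_apps) | set(live_apps)):
        if name not in live_apps:
            findings.append((name, "presence", "git", None))
            continue
        if name not in git_apps:
            findings.append((name, "presence", None, "live"))
            continue
        git_pol = normalize_automated(git_apps[name])
        live_pol = normalize_automated(live_apps[name])
        if (git_pol is None) != (live_pol is None):
            findings.append((name, "mode",
                             "AUTO" if git_pol else "MANUAL",
                             "AUTO" if live_pol else "MANUAL"))
        elif git_pol is not None:
            for key in ("prune", "selfHeal"):
                if git_pol[key] != live_pol[key]:
                    findings.append((name, key, git_pol[key], live_pol[key]))
    return findings


def automated_merge_patch(git_spec: Dict[str, Any]) -> str:
    """JSON merge-patch body that copies git's automated block to the live CR.

    Intended for `kubectl -n argocd patch application <name> --type merge -p`.
    """
    policy = normalize_automated(git_spec)
    automated: Any = None if policy is None else {"enabled": True, **policy}
    return json.dumps({"spec": {"syncPolicy": {"automated": automated}}}, sort_keys=True)


# Constructed sample data: "example-app" stands in for one of the bare-AUTO apps.
GIT_APPS = {
    "example-app": {"syncPolicy": {"automated": {"enabled": True}}},
    "jarr": {"syncPolicy": {"automated": {"enabled": True, "prune": True, "selfHeal": True}}},
    "version-checker": {"syncPolicy": {"automated": {"enabled": True, "prune": True, "selfHeal": True}}},
    "gitea": {"syncPolicy": {"syncOptions": ["CreateNamespace=true"]}},
}
LIVE_APPS = {
    "example-app": {"syncPolicy": {"automated": {}}},      # bare automated == AUTO
    "jarr": {"syncPolicy": {}},                            # still MANUAL live
    "version-checker": {"syncPolicy": {}},                 # still MANUAL live
    "gitea": {"syncPolicy": {}},                           # MANUAL on both sides
}


def go_live_report() -> List[Tuple[str, str, Any, Any]]:
    """Drift findings for the sample data; apps listed with mode drift need the patch."""
    return sync_policy_drift(GIT_APPS, LIVE_APPS)


if __name__ == "__main__":
    for app, field, g, l in go_live_report():
        print(f"{app}: {field} git={g} live={l}")
        if field == "mode" and g == "AUTO":
            print("  patch:", automated_merge_patch(GIT_APPS[app]))
```

Run against real data by replacing the two dicts with the parsed `spec` of each Application from the git manifest and from `kubectl get application -n argocd -o json`; any "mode" finding with git=AUTO is exactly the one-off patch the NOTE refers to.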