admin/homelab-manifests
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d063513869a255a8409805243ed6a935f1179fdf
homelab-manifests/admin-system/renovate.yaml
T
admin 1338bbb6ae wanderer/renovate: roll back meilisearch v1.45.2 -> v1.11.3 + gate future bumps 
Renovate PR #32 (merged 2026-06-06 09:30) bumped getmeili/meilisearch
from v1.11.3 to v1.45.2 under the default-allow + 3-day stability rule.
Meilisearch's on-disk index format is NOT forward-compatible across
that range; wanderer-meilisearch went into CrashLoopBackOff with:

  Error: Your database version (1.11.3) is incompatible with your
  current engine version (1.45.2).

The PVC still holds the v1.11.x index, so the safest immediate recovery
is reverting the image tag. Wanderer's search starts working again the
moment the pod comes up on v1.11.3.

To prevent recurrence, add a packageRule that holds ALL meilisearch
updates behind the dashboard's "Pending Approval" checkbox via
`dependencyDashboardApproval: true`. PRs won't be opened until the
user explicitly approves them on the dashboard, so the version bump
can be planned around the documented dump/restore migration path
(https://www.meilisearch.com/docs/learn/update_and_migration/updating).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-06 10:45:23 +02:00

211 lines
8.4 KiB
YAML
Raw Blame History

# ============================================
# Renovate Bot - Self-hosted dependency updater
# ============================================
# https://docs.renovatebot.com
# Image: renovate/renovate (plain tag = minimal image, "formerly slim";
# -slim suffix was retired after v37.440.x, so we pin the plain tag)
#
# PILOT SCOPE (intentionally narrow):
# Runs weekly (Sat 02:00 Europe/Budapest) as a CronJob and opens
# dependency-update PRs against admin/homelab-manifests on Gitea.
# Only the `kubernetes` and `helm-values` managers are enabled, and a
# default-deny packageRule limits updates to exactly four pilot images:
# - ghcr.io/thomiceli/opengist
# - louislam/uptime-kuma
# - f0rc3/gokapi
# - docker.io/calcom/cal.com
# minor/patch -> PR with Gitea native auto-merge; major -> waits for
# manual approval via a checkbox on the Dependency Dashboard issue.
#
# Stateless & ephemeral: no Service, Ingress, or PVC. Writable /tmp is an
# emptyDir (root FS is read-only); Renovate uses it for git clones + cache.
#
# Secrets (created manually, NOT in git) come from Secret `renovate-secrets`:
# - RENOVATE_TOKEN (Gitea PAT)
# - RENOVATE_GITHUB_COM_TOKEN (GitHub PAT, for release notes)
# ============================================
---
apiVersion: v1
kind: ConfigMap
metadata:
name: renovate-config
namespace: admin-system
labels:
app.kubernetes.io/instance: renovate
app.kubernetes.io/name: renovate
data:
config.json: |
{
"platform": "gitea",
"endpoint": "https://gitea.dooplex.hu/api/v1",
"gitAuthor": "Renovate Bot <renovate@dooplex.hu>",
"repositories": ["admin/homelab-manifests"],
"onboarding": false,
"requireConfig": "optional",
"dependencyDashboard": true,
"dependencyDashboardTitle": "Renovate Dependency Dashboard",
"prHourlyLimit": 16,
"prConcurrentLimit": 16,
"enabledManagers": ["kubernetes", "helm-values", "custom.regex"],
"kubernetes": {
"managerFilePatterns": ["/.+\\.ya?ml$/"]
},
"customManagers": [
{
"description": "termix: docker image tag is `release-X.Y.Z` but the upstream GitHub release tag_name is `release-X.Y.Z-tag` (different from the release name). regex versioning parses currentValue (no -tag); extractVersion strips the -tag suffix from candidate tag_names so they normalize to the same shape Renovate writes back to the manifest.",
"customType": "regex",
"managerFilePatterns": ["/termix-system/.+\\.ya?ml$/"],
"matchStrings": [
"image:\\s+(?<depName>ghcr\\.io/lukegus/termix):(?<currentValue>release-\\d+\\.\\d+\\.\\d+)"
],
"datasourceTemplate": "github-releases",
"packageNameTemplate": "Termix-SSH/Termix",
"versioningTemplate": "regex:^release-(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)$",
"extractVersionTemplate": "^(?<version>release-\\d+\\.\\d+\\.\\d+)"
}
],
"packageRules": [
{
"description": "All apps: 3-day stability gate before any PR opens",
"matchPackageNames": ["*"],
"minimumReleaseAge": "3 days"
},
{
"description": "Auto-merge minor/patch after the stability window",
"matchUpdateTypes": ["minor", "patch"],
"automerge": true,
"automergeType": "pr",
"platformAutomerge": true
},
{
"description": "Major bumps wait for dashboard approval (catches breaking/schema migrations)",
"matchUpdateTypes": ["major"],
"automerge": false,
"dependencyDashboardApproval": true
},
{
"description": "k3s-bundled components: never touch, they ride k3s upgrades",
"matchPackageNames": [
"rancher/local-path-provisioner",
"rancher/mirrored-coredns/coredns",
"rancher/mirrored-metrics-server"
],
"enabled": false
},
{
"description": "Critical core: PR opens with changelog but Viktor merges manually (deploy pipeline + SSO + DB operator). Some entries are no-ops if the image isn't pinned in this repo (ArgoCD bootstrap, authentik outpost images inherit chart defaults).",
"matchPackageNames": [
"gitea/gitea",
"quay.io/argoproj/argocd",
"ghcr.io/goauthentik/server",
"ghcr.io/goauthentik/ldap",
"ghcr.io/goauthentik/proxy",
"ghcr.io/cloudnative-pg/cloudnative-pg"
],
"automerge": false
},
{
"description": "wanderer: db + web update together in one PR",
"matchPackageNames": ["flomp/wanderer-db", "flomp/wanderer-web"],
"groupName": "wanderer"
},
{
"description": "meilisearch: every version bump can require an index format migration via dump/restore (see https://www.meilisearch.com/docs/learn/update_and_migration/updating). PR #32 (v1.11.3 -> v1.45.2) on 2026-06-06 broke wanderer with `Your database version (1.11.3) is incompatible with your current engine version (1.45.2)`. Hold ALL meilisearch updates behind dashboard approval so the migration is planned before the PR even opens.",
"matchPackageNames": ["getmeili/meilisearch"],
"dependencyDashboardApproval": true
},
{
"description": "termix: kubernetes manager would extract the image with versioning=docker and silently skip it (release-1.11.0 fails the docker pre-check). Disable that extraction; customManagers above does the real work via github-releases.",
"matchManagers": ["kubernetes"],
"matchPackageNames": ["ghcr.io/lukegus/termix"],
"enabled": false
}
],
"labels": ["renovate"]
}
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: renovate
namespace: admin-system
labels:
app.kubernetes.io/instance: renovate
app.kubernetes.io/name: renovate
app.kubernetes.io/version: "43.197.0"
spec:
# Sat 02:00 Europe/Budapest — leaves the full weekend for troubleshooting
# if a Renovate-merged update breaks something.
schedule: "0 2 * * 6"
timeZone: "Europe/Budapest"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 3
startingDeadlineSeconds: 600
jobTemplate:
metadata:
labels:
app.kubernetes.io/instance: renovate
app.kubernetes.io/name: renovate
app.kubernetes.io/version: "43.197.0"
spec:
template:
metadata:
labels:
app.kubernetes.io/instance: renovate
app.kubernetes.io/name: renovate
app.kubernetes.io/version: "43.197.0"
annotations:
# Renovate uses plain X.Y.Z semver tags (no -slim suffix anymore)
match-regex.version-checker.io/renovate: '^\d+\.\d+\.\d+$'
spec:
enableServiceLinks: false
restartPolicy: OnFailure
containers:
- name: renovate
image: renovate/renovate:43.209.3
imagePullPolicy: IfNotPresent
envFrom:
- secretRef:
name: renovate-secrets
env:
- name: TZ
value: Europe/Budapest
- name: LOG_LEVEL
value: info
- name: RENOVATE_CONFIG_FILE
value: /config/config.json
# Renovate needs a writable tmp for git clones + cache;
# root FS is read-only so point it at the emptyDir below.
- name: TMPDIR
value: /tmp
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 2000m
memory: 2Gi
securityContext:
runAsNonRoot: true
runAsUser: 12021
runAsGroup: 0
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
volumeMounts:
- name: config
mountPath: /config
readOnly: true
- name: tmp
mountPath: /tmp
volumes:
- name: config
configMap:
name: renovate-config
- name: tmp
emptyDir:
sizeLimit: 2Gi
Reference in New Issue View Git Blame Copy Permalink