feat!: FINALLY deploy Renovate

This commit is contained in:
JJGadgets
2023-11-24 05:33:37 +08:00
parent a4c064e6ab
commit db85210a48
12 changed files with 262 additions and 5 deletions


@@ -0,0 +1,2 @@
{}
// TODO: set auto merge for apps in kube/deploy/apps folder
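Review bot: The empty `{}` config lacks the `"$schema": "https://docs.renovatebot.com/renovate-schema.json"` line that every other .renovate file in this commit carries, so editor/schema validation will not catch a malformed rule when the TODO is implemented. Adding the schema key now keeps the file consistent with its siblings at zero cost. The TODO could also carry a date like the one in the HelmRelease (`# TODO: 2023-11-24: ...`) so it is clear how long it has been open.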


@@ -0,0 +1,16 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"commitMessageTopic": "{{depName}}",
"commitMessageExtra": "to {{newVersion}}",
"commitMessageSuffix": "",
"packageRules": [
{
"matchDatasources": ["helm"],
"commitMessageTopic": "chart {{depName}}"
},
{
"matchDatasources": ["docker"],
"commitMessageTopic": "image {{depName}}"
}
]
}
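Review bot: `"commitMessageExtra": "to {{newVersion}}"` replaces Renovate's default extra, which falls back to the short digest when there is no version; for digest-only updates `newVersion` is normally empty, so the commit message would end in a bare `to `. The semanticCommits file in this same commit has an explicit `digest` rule for docker, so such updates are expected. A conditional such as `"commitMessageExtra": "to {{#if newVersion}}{{newVersion}}{{else}}{{newDigestShort}}{{/if}}"` keeps the wording for version bumps and still names the digest; worth confirming against the rendered messages of the first digest PR.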

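--- a/.renovate/groups.json5
+++ b/.renovate/groups.json5
@@ -0,0 +1,16 @@
+{
+"$schema": "https://docs.renovatebot.com/renovate-schema.json",
+"packageRules": [
+{
+"description": "Flux Group",
+"groupName": "Flux",
+"matchPackagePatterns": ["flux"],
+"matchDatasources": ["docker", "github-tags"],
+"versioning": "semver",
+"group": {
+"commitMessageTopic": "{{{groupName}}} group"
+},
+"separateMinorPatch": true
+}
+]
+}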
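Review bot: `"matchPackagePatterns": ["flux"]` is an unanchored regex, so it matches any docker or github-tags dependency whose name merely contains "flux" (an `influxdb` image, for example) and would pull it into the Flux group with `semver` versioning and `separateMinorPatch` applied. If the Flux components are all published under the fluxcd org, `"matchPackagePatterns": ["fluxcd"]` narrows the match with no loss; an anchored pattern on the full registry path would be tighter still, depending on how the depNames appear in this repo. A short `description` mentioning the intended match would help the next person reading the rule.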

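--- a/.renovate/labels.json5
+++ b/.renovate/labels.json5
@@ -0,0 +1,33 @@
+{
+"$schema": "https://docs.renovatebot.com/renovate-schema.json",
+"packageRules": [
+{
+"matchUpdateTypes": ["major"],
+"labels": ["type/major"]
+},
+{
+"matchUpdateTypes": ["minor"],
+"labels": ["type/minor"]
+},
+{
+"matchUpdateTypes": ["patch"],
+"labels": ["type/patch"]
+},
+{
+"matchDatasources": ["docker"],
+"addLabels": ["renovate/container"]
+},
+{
+"matchDatasources": ["helm"],
+"addLabels": ["renovate/helm"]
+},
+{
+"matchDatasources": ["github-releases", "github-tags"],
+"addLabels": ["renovate/github-release"]
+},
+{
+"matchManagers": ["github-actions"],
+"addLabels": ["renovate/github-action"]
+}
+]
+}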
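Review bot: The `type/*` rules cover only major, minor and patch, so digest updates — which the semanticCommits file in this commit explicitly handles for docker — get a `renovate/container` label but no `type/*` label, making them harder to filter in the PR list. A fourth rule like `{"matchUpdateTypes": ["digest"], "labels": ["type/digest"]}` would close the gap. Using `labels` for the type rules and `addLabels` for the datasource rules is intentional and reads fine, but a one-line comment saying so would save the next reader from wondering whether they conflict.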


@@ -0,0 +1,79 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"packageRules": [
{
"matchDatasources": ["docker"],
"matchUpdateTypes": ["major"],
"commitMessagePrefix": "feat(container)!: "
},
{
"matchDatasources": ["docker"],
"matchUpdateTypes": ["minor"],
"semanticCommitType": "feat",
"semanticCommitScope": "container"
},
{
"matchDatasources": ["docker"],
"matchUpdateTypes": ["patch"],
"semanticCommitType": "fix",
"semanticCommitScope": "container"
},
{
"matchDatasources": ["docker"],
"matchUpdateTypes": ["digest"],
"semanticCommitType": "chore",
"semanticCommitScope": "container"
},
{
"matchDatasources": ["helm"],
"matchUpdateTypes": ["major"],
"commitMessagePrefix": "feat(helm)!: "
},
{
"matchDatasources": ["helm"],
"matchUpdateTypes": ["minor"],
"semanticCommitType": "feat",
"semanticCommitScope": "helm"
},
{
"matchDatasources": ["helm"],
"matchUpdateTypes": ["patch"],
"semanticCommitType": "fix",
"semanticCommitScope": "helm"
},
{
"matchDatasources": ["github-releases", "github-tags"],
"matchUpdateTypes": ["major"],
"commitMessagePrefix": "feat(github-release)!: "
},
{
"matchDatasources": ["github-releases", "github-tags"],
"matchUpdateTypes": ["minor"],
"semanticCommitType": "feat",
"semanticCommitScope": "github-release"
},
{
"matchDatasources": ["github-releases", "github-tags"],
"matchUpdateTypes": ["patch"],
"semanticCommitType": "fix",
"semanticCommitScope": "github-release"
},
{
"matchManagers": ["github-actions"],
"matchUpdateTypes": ["major"],
"commitMessagePrefix": "feat(github-action)!: "
},
{
"matchManagers": ["github-actions"],
"matchUpdateTypes": ["minor"],
"semanticCommitType": "feat",
"semanticCommitScope": "github-action"
},
{
"matchManagers": ["github-actions"],
"matchUpdateTypes": ["patch"],
"semanticCommitType": "fix",
"semanticCommitScope": "github-action"
}
]
}
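Review bot: The docker rules include a `digest` update type (the `chore(container)` rule), but the github-actions rules stop at patch, so digest bumps of SHA-pinned actions fall through to Renovate's default commit format and break the otherwise uniform `type(scope)` scheme. A matching rule, `{"matchManagers": ["github-actions"], "matchUpdateTypes": ["digest"], "semanticCommitType": "chore", "semanticCommitScope": "github-action"}`, keeps the four families parallel. Whether any actions in this repo are actually digest-pinned is not visible here, so this only matters if they are.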


@@ -53,6 +53,8 @@ SECRET_LITESTREAM_R2_AGE_PUBKEY=ENC[AES256_GCM,data:iuhbkyUGkhTeYWpnTBYpmig3GcMf
SECRET_GRAFANA_OIDC_ID=ENC[AES256_GCM,data:SN3VRQ9yqkSyENOyphwilukguOb9j4yDFAEw+eKnYQRUEtKXZQ3WYQ==,iv:d0fAQZTYT21JWwPIxN+omovxxZxMcUptgsc24AnDHkE=,tag:acj6i/Adt7SvmZBbHPs2hQ==,type:str]
SECRET_GRAFANA_OIDC_SECRET=ENC[AES256_GCM,data:g1slCCYzItuKAarADs7FqoyvbjCm89Ms/eYOvNLSWOcI3K+IyiTQQJCRA+7XDybSGZdDSEdT7rvgSAxYFkDl1M7PhvAXhYmj9FGYQPeP6jUODWc3NT0Ch+p3gc38FvFdfBEPIvpXQnhehGc0TCiqCDmeS4QJUGV0j7BRT768CSQ=,iv:+M3ozpf+2G/w7coF8LbhgM4b9SfTVtuL+lzpzoyEa3Q=,tag:1yH5tSvJlSQWszBjZRPDxg==,type:str]
SECRET_GRAFANA_OIDC_URL_SIGNOUT=ENC[AES256_GCM,data:srqHdaeL7hqtTI9sbwu8dIw1uLG5CEJ69DhwmvG7jjnBwfwaZ32jWl36EDRXkyy/GImuP9zV0IFx2KW74JM=,iv:2VxPgqjtaKtdGEVZLLX1bl/SwSENF+bb+fwY65mwN/E=,tag:uJhcSuFKXTbuMdEh7ZiOZA==,type:str]
SECRET_RENOVATE_TOKEN_GITHUB=ENC[AES256_GCM,data:0AYzHhYg7Mz1QjOXzTkFb0B6P2oh70vanF/8Dt+1KcrYdxJIbsgwrg==,iv:dvbQZurZ1z2y+X01DqkDwKrY/0LWETXt9toPVg4E0hE=,tag:c/+NJn8OfYv3NVeEQJB8aA==,type:str]
SECRET_RENOVATE_GITHUB_COM_TOKEN=ENC[AES256_GCM,data:474bqFTdlVjUgs0cs8FJeF5dvgFsOMXFa7Uq2G7DEYiGGBcxpTdzhPYi7j92SEP4/1VII8hc7sws51PZ5mrosKuvmgCibysc5lOLzKhwc1H6XT5k8bP94KgT+K0I,iv:olq3UCZhSmfWTVqy/KUgERS4qTtbg2kQLOOWSi1yAqc=,tag:nO7VH08bL+NcRo8cez4cnA==,type:str]
SECRET_GTS_OIDC_ISSUER=ENC[AES256_GCM,data:gxmtaBfHW0zVy1NhhFiotX28ubZ4yPm4sDHd7saFDoKvk89yiG7Jggr3ZnUk382BuL0+ABQh,iv:DXj+asZEemXXT2XrGZ5bFu8CAFNli8IIt5q7xC6YiaA=,tag:FXWUO3AmUZ4IYaiyD5sZZQ==,type:str]
SECRET_GTS_OIDC_CLIENT_ID=ENC[AES256_GCM,data:4z9tVTkc2OXIq/lDEXmHJZnN1SiMAl7NfOLJq9wLpdrwPSdbx61QxA==,iv:wyutHo0Gw/jL93kf4xyy/JNn+tyTuicWBLAIyz6+J8I=,tag:e4gfFhY66NVr/kjOolg5Dw==,type:str]
SECRET_GTS_OIDC_CLIENT_SECRET=ENC[AES256_GCM,data:Zzak+jXxJvupbm3pO81+elm2EV6hdt7o2T1lneN0+dIZqjchFF8ljPAtY28J7aLgCFUS1KclputyzMqA5f2gCxBleH2TfEFtRkrCI9fBjGkWGC2o9RsJ9mTJwrxu9kdezQJtBYC3sP1SlrThjKPZVC+TOV076J7rIn7qvQYE+5g=,iv:IiQA0Vt1xmQFoVlealmgizGXbB74xJCnkIoc1EwPHoI=,tag:XcXE69tVkCNQcM+m/Pr78Q==,type:str]
@@ -155,12 +157,12 @@ SECRET_NEXTCLOUD_PASSWORDSALT=ENC[AES256_GCM,data:/JNV+qe9uIbWd7sr6RN4J8Yx2Q/ta4
SECRET_NEXTCLOUD_SECRET=ENC[AES256_GCM,data:EUYQDlwFh5I4NYkjxAVKETXYcOnFTv0JkHaMFxnWMBvDsKg9KFwU9ngyoKXORBML,iv:cNEjj5jH44wBJ6Ot1HVWNYeNcbZGSZOxS5uFrNF/jOU=,tag:A9NnS2a5lFu6XxBN3eTZLw==,type:str]
SECRET_NEXTCLOUD_ADMIN_USER=ENC[AES256_GCM,data:DPuZCJk8zKjZW+IM7ujaLg==,iv:aNM9RWMpuy3LSriNnojABFIcxCgl3H0Zk/Sm67ZWBOs=,tag:mcQEwj49Di4R+Wm/tnJqLw==,type:str]
SECRET_NEXTCLOUD_ADMIN_PASSWORD=ENC[AES256_GCM,data:PsdeZgQ5hlCMcx5OFxbXyL4N8wlHFGwPE09LrVCSSgqbXrpTDAAkyFE7TAxuyLn8jvwhZtQOP+GpIpCpBjxmHmGHRlncNdRJXcWuMgQoby+BmemMhxgDbmKbZbU9hB8blf89XpRqhmvfY4N6xp9Oaj88z4epRy2lH/DRDk8GXRncZxqwNNcu1BzI25Wzhou9gMtpxq62tSalJ3PdmnQALPCxaVXVhEwrwdIoOzVXto+kXSzeRY/RAVq/JTq/aUAeS7quTHMc7k70CHZMyRfXIC/CQXt9ZD6ToDQMrw==,iv:aHyVv2oAAWt3Ti4+9pgGy7mCL63gBl0G7gmv4trYOHM=,tag:w32Jy68K/v4hKqdql5ZAAg==,type:str]
sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z
sops_lastmodified=2023-11-23T21:23:28Z
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdANDTQwVjZ/Ad3iqBe0LL2sGCrEvrl6W6VaMjFgJCUkzYw\nwASmi9Y/OqREXtEItA1rKZDTM38LuMfcU4vAeEV0SNWlW5CQquN8UpLwMATrBdXr\n0lwBcvIZFLbbnfqFAdJ1EzbRWvHuh+yn5DBMH+odm3ZLaJqiiV9EaWhfl2rdIOr4\nPJQf6Ev1hueWmc9H45a8nvwH8sOl9MH9hl3TW7o9JOOhGmZ4BBVaSJW6f0UiZw==\n=iSQg\n-----END PGP MESSAGE-----\n
sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z
sops_mac=ENC[AES256_GCM,data:IQJyrkNz3lF1K7tj4O98aNfDKXDw5sIL4F5RaIHUqamWEWuRZKdiUAyxONJQMfjwKa9zcCvhCLklKxWaEQL37rk/mBRS6M0uSvY8XlG/mQ0lZBklVMLHeHdvLTxFGYH+K3mRi8NYoSzk+I8cTofimFdRscg0J5z1hCuL99tCm7k=,iv:h7pzmvIWJPhZA3fWRrwSlpDj27dvOj21WMOqAaw2Mbc=,tag:Ns87+W+t94FIO2PSB0XR9g==,type:str]
sops_version=3.7.3
sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxalh5ckhGWGxFTmFqSDQv\ndXlPOUlyYVNkWHA5VGN2TERvaWtWMHlJdFRNCnQ1NlJldEgxb2E0VEdVSDVpbHp5\nZEpTMEQ5dWU0Q2ZWTFBOZFp5Ti95ejQKLS0tIDF0c3VlazRzVWtVQ1JXT3hyTWNN\nWXpUSUNydGY4V04xZ2dTSzlvWmNOTGsKQ3rimeB7zqB4dYMp1pR1AOltXk+GhGsb\ns0jDxr/SiPUaiYoVCY4fqu9geXNRDGlPh3T2Lhs9Siif4Vnc8qTQBw==\n-----END AGE ENCRYPTED FILE-----\n
sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
sops_unencrypted_suffix=_unencrypted
sops_lastmodified=2023-11-03T05:36:07Z
sops_version=3.7.3
sops_mac=ENC[AES256_GCM,data:5RykGkZ15FNdDFbojRhMRdupsTCZyfU0pM9C9REWwqXzbLuuJ+b+CGtSjCKU3DPMHp6jSEl7LYImEZsB8yXCHtLjxLcCrMeofueO0gNTmkrIioDccY3bE9AiWs74PcDJ1HJ1NEETyn8Xt9PcpThQ4xcziKLqHtDj4wYFTqNWRgE=,iv:upHh7y1g18AZLXC0AUNOmJhbGFuFiqeTrmoye9iaMlY=,tag:Cb7cPRgiS+r2mQKJlQgedw==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxalh5ckhGWGxFTmFqSDQv\ndXlPOUlyYVNkWHA5VGN2TERvaWtWMHlJdFRNCnQ1NlJldEgxb2E0VEdVSDVpbHp5\nZEpTMEQ5dWU0Q2ZWTFBOZFp5Ti95ejQKLS0tIDF0c3VlazRzVWtVQ1JXT3hyTWNN\nWXpUSUNydGY4V04xZ2dTSzlvWmNOTGsKQ3rimeB7zqB4dYMp1pR1AOltXk+GhGsb\ns0jDxr/SiPUaiYoVCY4fqu9geXNRDGlPh3T2Lhs9Siif4Vnc8qTQBw==\n-----END AGE ENCRYPTED FILE-----\n


@@ -39,6 +39,7 @@ resources:
- ../../../deploy/core/hardware/intel-device-plugins/
- ../../../deploy/core/flux-system/
- ../../../deploy/apps/tetragon/
- ../../../deploy/apps/renovate/
# - ../../../deploy/apps/kubevirt/
- ../../../deploy/apps/default/
- ../../../deploy/apps/whoogle/


@@ -0,0 +1,76 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app renovate
namespace: *app
spec:
chart:
spec:
chart: app-template
version: 2.0.3
sourceRef:
name: bjw-s
kind: HelmRepository
namespace: flux-system
values:
controllers:
main:
# type: cronjob
type: "deployment" # TODO: 2023-11-24: trying out Renovate constantly restarting once it's finished
replicas: 1
# cronjob:
# concurrencyPolicy: Forbid
# schedule: "@hourly"
pod:
labels:
egress.home.arpa/world: "allow"
containers:
main:
image:
repository: "ghcr.io/renovatebot/renovate"
tag: "37.66.0"
args: ["JJGadgets/Biohazard"] # TODO: use only on main home-prod GitOps repo first
env:
TZ: "${CONFIG_TZ}"
LOG_LEVEL: "debug"
RENOVATE_PLATFORM: "github"
RENOVATE_AUTODISCOVER: "true"
RENOVATE_AUTODISCOVER_FILTER: "JJGadgets/Biohazard"
RENOVATE_GIT_AUTHOR: "367320+tinfoild[bot]@users.noreply.github.com"
envFrom:
- secretRef:
name: "renovate-secrets"
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
resources:
requests:
cpu: 10m
memory: 128Mi
limits:
memory: 6000Mi
persistence:
tmp:
enabled: true
type: emptyDir
medium: Memory
globalMounts:
- path: "/tmp"
readOnly: false
dnsConfig:
options:
- name: ndots
value: "1"
defaultPodOptions:
restartPolicy: "Always"
automountServiceAccountToken: false
securityContext:
runAsUser: &uid ${APP_UID_RENOVATE}
runAsGroup: *uid
fsGroup: *uid
runAsNonRoot: false
seccompProfile: {type: "RuntimeDefault"}
fsGroupChangePolicy: Always
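Review bot: `runAsNonRoot: false` on the last lines of the pod securityContext switches off the kubelet's check that the container does not start as UID 0, even though `runAsUser`, `runAsGroup` and `fsGroup` are all pinned to `${APP_UID_RENOVATE}`; if that variable substitutes to a non-zero UID, `runAsNonRoot: true` costs nothing and rejects any future image or override that would run as root. The rest of the hardening (`readOnlyRootFilesystem: true`, `drop: ["ALL"]`, `automountServiceAccountToken: false`, RuntimeDefault seccomp) is consistent, so this one flag stands out. `LOG_LEVEL: "debug"` is presumably for the trial noted in the TODO; Renovate redacts known tokens in its logs, but debug output is verbose about repositories and API calls, so it is worth dropping to `info` once the deployment settles. `args: ["JJGadgets/Biohazard"]` duplicates `RENOVATE_AUTODISCOVER_FILTER`, so one of the two can go.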


@@ -0,0 +1,12 @@
---
apiVersion: v1
kind: Secret
metadata:
name: "renovate-secrets"
namespace: "renovate"
type: Opaque
stringData:
# repo read-only PAT for accessing GitHub.com repos without rate limits
GITHUB_COM_TOKEN: "${SECRET_RENOVATE_GITHUB_COM_TOKEN}"
# actual token of the Git user/bot to be used for Renovate to use for committing and PRs
RENOVATE_TOKEN: "${SECRET_RENOVATE_TOKEN_GITHUB}"
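Review bot: The comment on `RENOVATE_TOKEN` is garbled ("to be used for Renovate to use for committing and PRs") and does not say which of the two tokens needs write scope; suggested wording: `# token of the Git user/bot identity Renovate commits and opens PRs as (needs repo write scope)`. The `GITHUB_COM_TOKEN` comment could likewise state that read-only is sufficient and that it exists only to lift the unauthenticated rate limit, which is what the current text implies. Both values are Flux substitutions from the sops-encrypted env in this commit, so nothing sensitive lands in Git here.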


@@ -0,0 +1,9 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: renovate-app
namespace: flux-system
spec:
path: ./kube/deploy/apps/renovate/app
dependsOn: []
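Review bot: The Flux Kustomization spec here has only `path` and an empty `dependsOn`; the kustomize.toolkit.fluxcd.io/v1 CRD requires `interval` and `sourceRef` and most setups also want `prune`, so unless a parent kustomization patches those fields in (a pattern this repo may well use, given the other ks.yaml files are not visible) the object will be rejected at apply time. If the fields are patched in elsewhere, a one-line comment such as `# interval/sourceRef/prune are patched in by the parent kustomization` would spare the next reader the same question. `dependsOn: []` is harmless but can simply be omitted.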


@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ns.yaml
- ks.yaml


@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: renovate