diff --git a/.renovate/autoMerge.json5 b/.renovate/autoMerge.json5
new file mode 100644
index 00000000..2fce0275
--- /dev/null
+++ b/.renovate/autoMerge.json5
@@ -0,0 +1,2 @@
+{}
+// TODO: set auto merge for apps in kube/deploy/apps folder
\ No newline at end of file
diff --git a/.renovate/commitMessage.json5 b/.renovate/commitMessage.json5
new file mode 100644
index 00000000..6142858c
--- /dev/null
+++ b/.renovate/commitMessage.json5
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "commitMessageTopic": "{{depName}}",
+ "commitMessageExtra": "to {{newVersion}}",
+ "commitMessageSuffix": "",
+ "packageRules": [
+ {
+ "matchDatasources": ["helm"],
+ "commitMessageTopic": "chart {{depName}}"
+ },
+ {
+ "matchDatasources": ["docker"],
+ "commitMessageTopic": "image {{depName}}"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.renovate/groups.json5 b/.renovate/groups.json5
new file mode 100644
index 00000000..98e4468d
--- /dev/null
+++ b/.renovate/groups.json5
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "packageRules": [
+ {
+ "description": "Flux Group",
+ "groupName": "Flux",
+ "matchPackagePatterns": ["flux"],
+ "matchDatasources": ["docker", "github-tags"],
+ "versioning": "semver",
+ "group": {
+ "commitMessageTopic": "{{{groupName}}} group"
+ },
+ "separateMinorPatch": true
+ }
+ ]
+}
diff --git a/.renovate/labels.json5 b/.renovate/labels.json5
new file mode 100644
index 00000000..1d8b98e6
--- /dev/null
+++ b/.renovate/labels.json5
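Review bot: `"matchPackagePatterns": ["flux"]` in the groups.json5 hunk is an unanchored regex, so any package whose name merely contains "flux" (an `influxdb` image, for example) is pulled into the Flux group and forced onto the rule's `"versioning": "semver"`. Anchoring the pattern to the actual Flux package names, along the lines of `"matchPackagePatterns": ["^fluxcd/", "^ghcr.io/fluxcd/"]` (illustrative values; check against the images and tags the cluster really references), keeps the group to what its description promises. A `"description"` naming which packages the rule is meant to catch would also help the next reader judge a stray match.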
@@ -0,0 +1,33 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "packageRules": [
+ {
+ "matchUpdateTypes": ["major"],
+ "labels": ["type/major"]
+ },
+ {
+ "matchUpdateTypes": ["minor"],
+ "labels": ["type/minor"]
+ },
+ {
+ "matchUpdateTypes": ["patch"],
+ "labels": ["type/patch"]
+ },
+ {
+ "matchDatasources": ["docker"],
+ "addLabels": ["renovate/container"]
+ },
+ {
+ "matchDatasources": ["helm"],
+ "addLabels": ["renovate/helm"]
+ },
+ {
+ "matchDatasources": ["github-releases", "github-tags"],
+ "addLabels": ["renovate/github-release"]
+ },
+ {
+ "matchManagers": ["github-actions"],
+ "addLabels": ["renovate/github-action"]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.renovate/semanticCommits.json5 b/.renovate/semanticCommits.json5
new file mode 100644
index 00000000..942c5fcb
--- /dev/null
+++ b/.renovate/semanticCommits.json5
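Review bot: The `type/*` label rules cover `major`, `minor` and `patch` only, so a `digest` update (which semanticCommits.json5 does handle separately for the docker datasource) arrives with a `renovate/container` label but no type label. A fourth rule, `{ "matchUpdateTypes": ["digest"], "labels": ["type/digest"] }` (label name constructed to match the existing scheme), keeps the two files in step. The first three rules use `labels` while the remaining four use `addLabels`; that looks deliberate (one replacing type label, then additive source labels), and since json5 allows comments a one-line `//` note saying so would stop someone "normalising" them later.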
@@ -0,0 +1,79 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "packageRules": [
+ {
+ "matchDatasources": ["docker"],
+ "matchUpdateTypes": ["major"],
+ "commitMessagePrefix": "feat(container)!: "
+ },
+ {
+ "matchDatasources": ["docker"],
+ "matchUpdateTypes": ["minor"],
+ "semanticCommitType": "feat",
+ "semanticCommitScope": "container"
+ },
+ {
+ "matchDatasources": ["docker"],
+ "matchUpdateTypes": ["patch"],
+ "semanticCommitType": "fix",
+ "semanticCommitScope": "container"
+ },
+ {
+ "matchDatasources": ["docker"],
+ "matchUpdateTypes": ["digest"],
+ "semanticCommitType": "chore",
+ "semanticCommitScope": "container"
+ },
+ {
+ "matchDatasources": ["helm"],
+ "matchUpdateTypes": ["major"],
+ "commitMessagePrefix": "feat(helm)!: "
+ },
+ {
+ "matchDatasources": ["helm"],
+ "matchUpdateTypes": ["minor"],
+ "semanticCommitType": "feat",
+ "semanticCommitScope": "helm"
+ },
+ {
+ "matchDatasources": ["helm"],
+ "matchUpdateTypes": ["patch"],
+ "semanticCommitType": "fix",
+ "semanticCommitScope": "helm"
+ },
+ {
+ "matchDatasources": ["github-releases", "github-tags"],
+ "matchUpdateTypes": ["major"],
+ "commitMessagePrefix": "feat(github-release)!: "
+ },
+ {
+ "matchDatasources": ["github-releases", "github-tags"],
+ "matchUpdateTypes": ["minor"],
+ "semanticCommitType": "feat",
+ "semanticCommitScope": "github-release"
+ },
+ {
+ "matchDatasources": ["github-releases", "github-tags"],
+ "matchUpdateTypes": ["patch"],
+ "semanticCommitType": "fix",
+ "semanticCommitScope": "github-release"
+ },
+ {
+ "matchManagers": ["github-actions"],
+ "matchUpdateTypes": ["major"],
+ "commitMessagePrefix": "feat(github-action)!: "
+ },
+ {
+ "matchManagers": ["github-actions"],
+ "matchUpdateTypes": ["minor"],
+ "semanticCommitType": "feat",
+ "semanticCommitScope": "github-action"
+ },
+ {
+ "matchManagers": ["github-actions"],
+ "matchUpdateTypes": ["patch"],
+ "semanticCommitType": "fix",
+ "semanticCommitScope": "github-action"
+ }
+ ]
+}
\ 
No newline at end of file
diff --git a/kube/clusters/biohazard/config/secrets.sops.env b/kube/clusters/biohazard/config/secrets.sops.env
index 3693d7b2..940a5aff 100644
--- a/kube/clusters/biohazard/config/secrets.sops.env
+++ b/kube/clusters/biohazard/config/secrets.sops.env
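Review bot: Only the docker datasource gets a `digest` rule in semanticCommits.json5; the `github-actions` manager has none, so if the workflows pin actions by commit SHA those updates (which Renovate files as `digest` updates) fall back to the default commit type instead of `chore(github-action)`. Mirroring the docker entry with `{ "matchManagers": ["github-actions"], "matchUpdateTypes": ["digest"], "semanticCommitType": "chore", "semanticCommitScope": "github-action" }` closes that gap, and the same question applies to the helm and github-release rules. The four `major` rules set a hard-coded `commitMessagePrefix` with a trailing space rather than `semanticCommitType`/`semanticCommitScope` like the others; if that is intentional (to get the `!` breaking-change marker), a `//` comment on the first such rule would keep a later cleanup from removing it. The hunk's `\ No newline at end of file` marker is split across the line boundary above.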
@@ -53,6 +53,8 @@ SECRET_LITESTREAM_R2_AGE_PUBKEY=ENC[AES256_GCM,data:iuhbkyUGkhTeYWpnTBYpmig3GcMf SECRET_GRAFANA_OIDC_ID=ENC[AES256_GCM,data:SN3VRQ9yqkSyENOyphwilukguOb9j4yDFAEw+eKnYQRUEtKXZQ3WYQ==,iv:d0fAQZTYT21JWwPIxN+omovxxZxMcUptgsc24AnDHkE=,tag:acj6i/Adt7SvmZBbHPs2hQ==,type:str] SECRET_GRAFANA_OIDC_SECRET=ENC[AES256_GCM,data:g1slCCYzItuKAarADs7FqoyvbjCm89Ms/eYOvNLSWOcI3K+IyiTQQJCRA+7XDybSGZdDSEdT7rvgSAxYFkDl1M7PhvAXhYmj9FGYQPeP6jUODWc3NT0Ch+p3gc38FvFdfBEPIvpXQnhehGc0TCiqCDmeS4QJUGV0j7BRT768CSQ=,iv:+M3ozpf+2G/w7coF8LbhgM4b9SfTVtuL+lzpzoyEa3Q=,tag:1yH5tSvJlSQWszBjZRPDxg==,type:str] SECRET_GRAFANA_OIDC_URL_SIGNOUT=ENC[AES256_GCM,data:srqHdaeL7hqtTI9sbwu8dIw1uLG5CEJ69DhwmvG7jjnBwfwaZ32jWl36EDRXkyy/GImuP9zV0IFx2KW74JM=,iv:2VxPgqjtaKtdGEVZLLX1bl/SwSENF+bb+fwY65mwN/E=,tag:uJhcSuFKXTbuMdEh7ZiOZA==,type:str] +SECRET_RENOVATE_TOKEN_GITHUB=ENC[AES256_GCM,data:0AYzHhYg7Mz1QjOXzTkFb0B6P2oh70vanF/8Dt+1KcrYdxJIbsgwrg==,iv:dvbQZurZ1z2y+X01DqkDwKrY/0LWETXt9toPVg4E0hE=,tag:c/+NJn8OfYv3NVeEQJB8aA==,type:str] +SECRET_RENOVATE_GITHUB_COM_TOKEN=ENC[AES256_GCM,data:474bqFTdlVjUgs0cs8FJeF5dvgFsOMXFa7Uq2G7DEYiGGBcxpTdzhPYi7j92SEP4/1VII8hc7sws51PZ5mrosKuvmgCibysc5lOLzKhwc1H6XT5k8bP94KgT+K0I,iv:olq3UCZhSmfWTVqy/KUgERS4qTtbg2kQLOOWSi1yAqc=,tag:nO7VH08bL+NcRo8cez4cnA==,type:str] SECRET_GTS_OIDC_ISSUER=ENC[AES256_GCM,data:gxmtaBfHW0zVy1NhhFiotX28ubZ4yPm4sDHd7saFDoKvk89yiG7Jggr3ZnUk382BuL0+ABQh,iv:DXj+asZEemXXT2XrGZ5bFu8CAFNli8IIt5q7xC6YiaA=,tag:FXWUO3AmUZ4IYaiyD5sZZQ==,type:str] SECRET_GTS_OIDC_CLIENT_ID=ENC[AES256_GCM,data:4z9tVTkc2OXIq/lDEXmHJZnN1SiMAl7NfOLJq9wLpdrwPSdbx61QxA==,iv:wyutHo0Gw/jL93kf4xyy/JNn+tyTuicWBLAIyz6+J8I=,tag:e4gfFhY66NVr/kjOolg5Dw==,type:str] SECRET_GTS_OIDC_CLIENT_SECRET=ENC[AES256_GCM,data:Zzak+jXxJvupbm3pO81+elm2EV6hdt7o2T1lneN0+dIZqjchFF8ljPAtY28J7aLgCFUS1KclputyzMqA5f2gCxBleH2TfEFtRkrCI9fBjGkWGC2o9RsJ9mTJwrxu9kdezQJtBYC3sP1SlrThjKPZVC+TOV076J7rIn7qvQYE+5g=,iv:IiQA0Vt1xmQFoVlealmgizGXbB74xJCnkIoc1EwPHoI=,tag:XcXE69tVkCNQcM+m/Pr78Q==,type:str] 
@@ -155,12 +157,12 @@ SECRET_NEXTCLOUD_PASSWORDSALT=ENC[AES256_GCM,data:/JNV+qe9uIbWd7sr6RN4J8Yx2Q/ta4 SECRET_NEXTCLOUD_SECRET=ENC[AES256_GCM,data:EUYQDlwFh5I4NYkjxAVKETXYcOnFTv0JkHaMFxnWMBvDsKg9KFwU9ngyoKXORBML,iv:cNEjj5jH44wBJ6Ot1HVWNYeNcbZGSZOxS5uFrNF/jOU=,tag:A9NnS2a5lFu6XxBN3eTZLw==,type:str] SECRET_NEXTCLOUD_ADMIN_USER=ENC[AES256_GCM,data:DPuZCJk8zKjZW+IM7ujaLg==,iv:aNM9RWMpuy3LSriNnojABFIcxCgl3H0Zk/Sm67ZWBOs=,tag:mcQEwj49Di4R+Wm/tnJqLw==,type:str] SECRET_NEXTCLOUD_ADMIN_PASSWORD=ENC[AES256_GCM,data:PsdeZgQ5hlCMcx5OFxbXyL4N8wlHFGwPE09LrVCSSgqbXrpTDAAkyFE7TAxuyLn8jvwhZtQOP+GpIpCpBjxmHmGHRlncNdRJXcWuMgQoby+BmemMhxgDbmKbZbU9hB8blf89XpRqhmvfY4N6xp9Oaj88z4epRy2lH/DRDk8GXRncZxqwNNcu1BzI25Wzhou9gMtpxq62tSalJ3PdmnQALPCxaVXVhEwrwdIoOzVXto+kXSzeRY/RAVq/JTq/aUAeS7quTHMc7k70CHZMyRfXIC/CQXt9ZD6ToDQMrw==,iv:aHyVv2oAAWt3Ti4+9pgGy7mCL63gBl0G7gmv4trYOHM=,tag:w32Jy68K/v4hKqdql5ZAAg==,type:str] -sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z +sops_lastmodified=2023-11-23T21:23:28Z sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdANDTQwVjZ/Ad3iqBe0LL2sGCrEvrl6W6VaMjFgJCUkzYw\nwASmi9Y/OqREXtEItA1rKZDTM38LuMfcU4vAeEV0SNWlW5CQquN8UpLwMATrBdXr\n0lwBcvIZFLbbnfqFAdJ1EzbRWvHuh+yn5DBMH+odm3ZLaJqiiV9EaWhfl2rdIOr4\nPJQf6Ev1hueWmc9H45a8nvwH8sOl9MH9hl3TW7o9JOOhGmZ4BBVaSJW6f0UiZw==\n=iSQg\n-----END PGP MESSAGE-----\n +sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z +sops_mac=ENC[AES256_GCM,data:IQJyrkNz3lF1K7tj4O98aNfDKXDw5sIL4F5RaIHUqamWEWuRZKdiUAyxONJQMfjwKa9zcCvhCLklKxWaEQL37rk/mBRS6M0uSvY8XlG/mQ0lZBklVMLHeHdvLTxFGYH+K3mRi8NYoSzk+I8cTofimFdRscg0J5z1hCuL99tCm7k=,iv:h7pzmvIWJPhZA3fWRrwSlpDj27dvOj21WMOqAaw2Mbc=,tag:Ns87+W+t94FIO2PSB0XR9g==,type:str] +sops_version=3.7.3 sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxalh5ckhGWGxFTmFqSDQv\ndXlPOUlyYVNkWHA5VGN2TERvaWtWMHlJdFRNCnQ1NlJldEgxb2E0VEdVSDVpbHp5\nZEpTMEQ5dWU0Q2ZWTFBOZFp5Ti95ejQKLS0tIDF0c3VlazRzVWtVQ1JXT3hyTWNN\nWXpUSUNydGY4V04xZ2dTSzlvWmNOTGsKQ3rimeB7zqB4dYMp1pR1AOltXk+GhGsb\ns0jDxr/SiPUaiYoVCY4fqu9geXNRDGlPh3T2Lhs9Siif4Vnc8qTQBw==\n-----END AGE ENCRYPTED FILE-----\n sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 sops_unencrypted_suffix=_unencrypted -sops_lastmodified=2023-11-03T05:36:07Z -sops_version=3.7.3 -sops_mac=ENC[AES256_GCM,data:5RykGkZ15FNdDFbojRhMRdupsTCZyfU0pM9C9REWwqXzbLuuJ+b+CGtSjCKU3DPMHp6jSEl7LYImEZsB8yXCHtLjxLcCrMeofueO0gNTmkrIioDccY3bE9AiWs74PcDJ1HJ1NEETyn8Xt9PcpThQ4xcziKLqHtDj4wYFTqNWRgE=,iv:upHh7y1g18AZLXC0AUNOmJhbGFuFiqeTrmoye9iaMlY=,tag:Cb7cPRgiS+r2mQKJlQgedw==,type:str] -sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxalh5ckhGWGxFTmFqSDQv\ndXlPOUlyYVNkWHA5VGN2TERvaWtWMHlJdFRNCnQ1NlJldEgxb2E0VEdVSDVpbHp5\nZEpTMEQ5dWU0Q2ZWTFBOZFp5Ti95ejQKLS0tIDF0c3VlazRzVWtVQ1JXT3hyTWNN\nWXpUSUNydGY4V04xZ2dTSzlvWmNOTGsKQ3rimeB7zqB4dYMp1pR1AOltXk+GhGsb\ns0jDxr/SiPUaiYoVCY4fqu9geXNRDGlPh3T2Lhs9Siif4Vnc8qTQBw==\n-----END AGE ENCRYPTED FILE-----\n diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml index eb79bebb..313593f4 100644 --- a/kube/clusters/biohazard/flux/kustomization.yaml +++ b/kube/clusters/biohazard/flux/kustomization.yaml @@ -39,6 +39,7 @@ resources: - ../../../deploy/core/hardware/intel-device-plugins/ - ../../../deploy/core/flux-system/ - ../../../deploy/apps/tetragon/ + - ../../../deploy/apps/renovate/ # - ../../../deploy/apps/kubevirt/ - ../../../deploy/apps/default/ - ../../../deploy/apps/whoogle/ diff --git a/kube/deploy/apps/renovate/app/hr.yaml b/kube/deploy/apps/renovate/app/hr.yaml new file mode 100644 index 00000000..f5e91348 --- /dev/null +++ b/kube/deploy/apps/renovate/app/hr.yaml 
@@ -0,0 +1,76 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: &app renovate
+ namespace: *app
+spec:
+ chart:
+ spec:
+ chart: app-template
+ version: 2.0.3
+ sourceRef:
+ name: bjw-s
+ kind: HelmRepository
+ namespace: flux-system
+ values:
+ controllers:
+ main:
+ # type: cronjob
+ type: "deployment" # TODO: 2023-11-24: trying out Renovate constantly restarting once it's finished
+ replicas: 1
+ # cronjob:
+ # concurrencyPolicy: Forbid
+ # schedule: "@hourly"
+ pod:
+ labels:
+ egress.home.arpa/world: "allow"
+ containers:
+ main:
+ image:
+ repository: "ghcr.io/renovatebot/renovate"
+ tag: "37.66.0"
+ args: ["JJGadgets/Biohazard"] # TODO: use only on main home-prod GitOps repo first
+ env:
+ TZ: "${CONFIG_TZ}"
+ LOG_LEVEL: "debug"
+ RENOVATE_PLATFORM: "github"
+ RENOVATE_AUTODISCOVER: "true"
+ RENOVATE_AUTODISCOVER_FILTER: "JJGadgets/Biohazard"
+ RENOVATE_GIT_AUTHOR: "367320+tinfoild[bot]@users.noreply.github.com"
+ envFrom:
+ - secretRef:
+ name: "renovate-secrets"
+ securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ requests:
+ cpu: 10m
+ memory: 128Mi
+ limits:
+ memory: 6000Mi
+ persistence:
+ tmp:
+ enabled: true
+ type: emptyDir
+ medium: Memory
+ globalMounts:
+ - path: "/tmp"
+ readOnly: false
+ dnsConfig:
+ options:
+ - name: ndots
+ value: "1"
+ defaultPodOptions:
+ restartPolicy: "Always"
+ automountServiceAccountToken: false
+ securityContext:
+ runAsUser: &uid ${APP_UID_RENOVATE}
+ runAsGroup: *uid
+ fsGroup: *uid
+ runAsNonRoot: false
+ seccompProfile: {type: "RuntimeDefault"}
+ fsGroupChangePolicy: Always
diff --git a/kube/deploy/apps/renovate/app/secrets.yaml b/kube/deploy/apps/renovate/app/secrets.yaml
new file mode 100644
index 00000000..3fa5cc9a
--- /dev/null
+++ b/kube/deploy/apps/renovate/app/secrets.yaml
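Review bot: `runAsNonRoot: false` under `defaultPodOptions.securityContext` switches off the kubelet's check that the effective UID is nonzero, even though `runAsUser` is already pinned to `${APP_UID_RENOVATE}`; unless that variable resolves to 0, `runAsNonRoot: true` costs nothing and guards against the pod ever coming up as root. Separately, the `/tmp` volume is an `emptyDir` with `medium: Memory`, and tmpfs pages are charged to the container's memory limit, so whatever Renovate writes under `/tmp` (repository clones, package caches) competes with the process for the 6000Mi limit and a large repo ends in an OOM kill rather than a disk-full error; a disk-backed `emptyDir` with a `sizeLimit` is the safer default, or at least a comment explaining why memory was chosen. `LOG_LEVEL: "debug"` on a pod that is restarted after every run (`type: "deployment"`, `restartPolicy: "Always"`, as the TODO notes) deserves its own `# temporary` comment so it is not left on indefinitely.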
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "renovate-secrets"
+ namespace: "renovate"
+type: Opaque
+stringData:
+ # repo read-only PAT for accessing GitHub.com repos without rate limits
+ GITHUB_COM_TOKEN: "${SECRET_RENOVATE_GITHUB_COM_TOKEN}"
+ # actual token of the Git user/bot to be used for Renovate to use for committing and PRs
+ RENOVATE_TOKEN: "${SECRET_RENOVATE_TOKEN_GITHUB}"
\ No newline at end of file
diff --git a/kube/deploy/apps/renovate/ks.yaml b/kube/deploy/apps/renovate/ks.yaml
new file mode 100644
index 00000000..6e815c9a
--- /dev/null
+++ b/kube/deploy/apps/renovate/ks.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: renovate-app
+ namespace: flux-system
+spec:
+ path: ./kube/deploy/apps/renovate/app
+ dependsOn: []
\ No newline at end of file
diff --git a/kube/deploy/apps/renovate/kustomization.yaml b/kube/deploy/apps/renovate/kustomization.yaml
new file mode 100644
index 00000000..5eeb2657
--- /dev/null
+++ b/kube/deploy/apps/renovate/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ns.yaml
+ - ks.yaml
diff --git a/kube/deploy/apps/renovate/ns.yaml b/kube/deploy/apps/renovate/ns.yaml
new file mode 100644
index 00000000..4d1baf06
--- /dev/null
+++ b/kube/deploy/apps/renovate/ns.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: renovate
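Review bot: The Flux Kustomization in the ks.yaml hunk declares only `path` and an empty `dependsOn`; `spec.sourceRef` and `spec.interval` are required by the `kustomize.toolkit.fluxcd.io/v1` API, and nothing in this commit supplies `postBuild.substituteFrom` for the `${SECRET_RENOVATE_*}` placeholders in secrets.yaml or `${APP_UID_RENOVATE}` in hr.yaml. Presumably a cluster-level Kustomization patches those fields into every app Kustomization (the other apps listed in the flux/kustomization.yaml hunk would have the same shape), but that is not visible here; if so, a one-line comment such as `# sourceRef/interval/postBuild are patched in by the cluster-level Kustomization` makes the dependency explicit, and if not, the Secret is applied with the literal placeholder strings and Renovate starts with an unusable token. `prune` is also unset, so removing the app later would leave its resources behind unless that is patched in as well.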