UNCLASSIFIED - NO CUI

Add renovate package to core

Package Merge Request

Package Changes

Adds Renovate as a core package in the Big Bang umbrella chart. Previously, Renovate was only deployable via the generic packages: wrapper. This promotes it to a first-class core package with dedicated templates, values, schema validation, and full Big Bang integration.

Changes

  • chart/values.yaml: Added renovate: section at root level (core, not addon) with enabled: false by default, sourcing from product/maintained/renovate.git at tag 46.31.6-bb.1
  • chart/values.schema.json: Added renovate to the required array and defined property schema inheriting from basePackage
  • chart/templates/renovate/: Created 7 template files following the standard core package pattern:
    • namespace.yaml — renovate namespace with core component label and conditional Istio injection
    • helmrelease.yaml — with dependsOn: istio, gatekeeper, kyverno-policies, monitoring, gitlab
    • gitrepository.yaml — standard git repository source
    • values.yaml — bigbang.defaults.renovate helper with Istio, network policies, monitoring integration
    • imagepullsecret.yaml — private registry support
    • git-credentials.yaml — git auth credentials
    • _bb-common-migrations.tpl — kubeAPI egress network policy migration
  • tests/disable-core-values.yaml: Added renovate: enabled: false entry

Design Decisions

  • enabled: false by default: Unlike most core packages, Renovate requires user-specific configuration (platform, token, repositories) to function. Deploying without config would create a failing CronJob.
  • Own namespace (renovate): Renovate doesn't belong to an existing functional grouping (logging, monitoring, security).
  • GitLab dependency: Renovate operates against a GitLab instance, so dependsOn includes gitlab when enabled.
  • Minimal defaults: Renovate is a CronJob-based tool — no Istio ingress routes, SSO, object storage, or complex ServiceMonitors needed. Network policies focus on egress to git registries.

Package MR

N/A — This is an umbrella chart change only.

For Issue

Closes big-bang/product/maintained/renovate#76

Upgrade Notices

  • Renovate is disabled by default (renovate.enabled: false), so existing deployments are unaffected.
  • To enable, set renovate.enabled: true and provide platform configuration via renovate.values.
  • Requires GitLab addon to be enabled (addons.gitlab.enabled: true) for the dependency chain.

Supporting Evidence

Deployed Renovate as a core package (not addon, not packages: wrapper) to a k3d dev cluster with GitLab. Imported the customer template repo into the test GitLab with BB pinned to 3.20.0 and podinfo pinned to 6.7.1-bb.3. Configured Renovate to autodiscover and triggered scans.

Dependency Dashboard — 2 Dependencies Detected

Renovate detected both BB 3.20.0 in k8s/base/kustomization.yaml and podinfo 6.7.1-bb.3 in k8s/dev/values.yaml. The dashboard shows both open update MRs:

[Image: gitlab-dependency-dashboard]

MR !3 (merged) — BB Version Update (3.20.0 → 3.21.0)

Renovate created MR !3 (merged) to bump Big Bang from 3.20.0 to 3.21.0 (minor update) in k8s/base/kustomization.yaml, updating the ?ref= tag:

[Image: gitlab-bb-mr-overview]

[Image: gitlab-bb-mr-diff]

MR !2 (closed) — Podinfo Package Update (6.7.1-bb.3 → 6.11.1-bb.0)

Renovate created MR !2 (closed) to bump podinfo from 6.7.1-bb.3 to 6.11.1-bb.0 (minor update) in k8s/dev/values.yaml, updating the pinned package tag:

[Image: gitlab-podinfo-mr-overview]

[Image: gitlab-podinfo-mr-diff]

Cluster Deployment — 19/19 HelmReleases Ready

All HelmReleases healthy, Renovate deployed as core package at renovate@46.31.6-bb.1 with Istio, network policies, and full BB integration:

[Image: renovate-core-e2e-evidence]

Renovate Tag + Scan Verification

HelmRelease at renovate@46.31.6-bb.1, GitRepository with stored artifact, CronJob on schedule with completed pod, and Renovate logs showing successful dependency extraction (fileCount: 2, depCount: 2):

[Image: renovate-tag-evidence-v2]

Edited by Matt Vasquez
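
The preconditions listed under Upgrade Notices and Design Decisions can be checked before an override file is merged. The following is an added example, not part of this merge request or the Big Bang chart: the value paths renovate.enabled, renovate.values and addons.gitlab.enabled come from the description above, while the keys inside renovate.values and the rule that any key containing "token" is a secret are assumptions of the sketch.

```python
# Pre-flight check for a plaintext Big Bang override file that enables Renovate.
# Added illustration, not chart code. Keys under renovate.values are hypothetical,
# and treating any key containing "token" as a secret is an assumption.

def _get(values, path, default=None):
    """Walk a dotted path through nested dicts, returning default on a miss."""
    node = values
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def _inline_tokens(node, prefix="renovate.values"):
    """Yield dotted paths of non-empty strings stored under token-like keys."""
    if isinstance(node, dict):
        for key, child in node.items():
            path = f"{prefix}.{key}"
            if "token" in str(key).lower() and isinstance(child, str) and child:
                yield path
            else:
                yield from _inline_tokens(child, path)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from _inline_tokens(child, f"{prefix}[{i}]")

def check_renovate_overrides(values):
    """Return findings for one parsed values file (empty list means no issue)."""
    if _get(values, "renovate.enabled", False) is not True:
        return []  # disabled by default, so nothing is deployed
    findings = []
    if _get(values, "addons.gitlab.enabled", False) is not True:
        findings.append("addons.gitlab.enabled must be true for the dependency chain")
    pkg_values = _get(values, "renovate.values") or {}
    if not pkg_values:
        findings.append("renovate.values is empty: the CronJob would fail without platform config")
    findings.extend(f"{p} holds a literal secret; keep it out of plaintext values"
                    for p in _inline_tokens(pkg_values))
    return findings

# Constructed sample override (not taken from the merge request).
SAMPLE = {
    "renovate": {"enabled": True,
                 "values": {"renovate": {"platform": "gitlab", "token": "PLACEHOLDER-NOT-A-REAL-TOKEN"}}},
    "addons": {"gitlab": {"enabled": False}},
}
```

Run it over the parsed contents of each unencrypted values file in the deployment repository; for SAMPLE it reports the missing GitLab dependency and the inline token.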
