global:
  # -- Additional labels to be set on all renovate resources
  commonLabels: {}

# -- Override the name of the chart
nameOverride: ''
# -- Override the fully qualified app name
fullnameOverride: ''

cronjob:
  # -- Schedules the job to run using cron notation
  schedule: '0 1 * * *'  # At 01:00 every day
  # -- You can specify a time zone for a CronJob by setting timeZone to the name of a valid time zone. (starting with k8s 1.27) <https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones>
  timeZone: ''  # see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for valid names
  # -- If it is set to true, all subsequent executions are suspended. This setting does not apply to already started executions.
  suspend: false
  # -- Annotations to set on the cronjob
  annotations: {}
  # -- Labels to set on the cronjob
  labels: {}
  # -- "Allow" to allow concurrent runs, "Forbid" to skip new runs if a previous run is still running or "Replace" to replace the previous run
  concurrencyPolicy: ''
  # -- "Number of successful completions required to mark the job as complete"
  completions: ''
  # -- "Whether the jobs should be NonIndexed or Indexed"
  completionMode: ''
  # -- Amount of failed jobs to keep in history
  failedJobsHistoryLimit: ''
  # -- Amount of completed jobs to keep in history
  successfulJobsHistoryLimit: ''
  # -- Set to Never to restart the job when the pod fails or to OnFailure to restart when a container fails
  jobRestartPolicy: Never
  # -- Time to keep the job after it finished before automatically deleting it
  ttlSecondsAfterFinished: ''
  # -- Deadline for the job to finish
  activeDeadlineSeconds: ''
  # -- Number of times to retry running the pod before considering the job as being failed
  jobBackoffLimit: ''
  # -- Deadline to start the job; execution is skipped if the job misses its configured deadline
  startingDeadlineSeconds: ''
  # -- Additional initContainers that can be executed before renovate
  initContainers: []
  # initContainers:
  # - name: INIT_CONTAINER_NAME
  #   image: INIT_CONTAINER_IMAGE
  # -- Number of pods to run in parallel
  parallelism: ''
  # -- Custom command to run in the container
  commandOverride: []
  # -- Custom arguments to run in the container
  argsOverride: []
  # -- Prepend shell commands before renovate runs
  preCommand: ''
  # preCommand: |
  #   echo hello
  #   echo world
  # -- Append shell commands after renovate runs
  postCommand: ''
  # postCommand: |
  #   echo hello
  #   echo world

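# NOTE(review): in this listing the two keys below sit directly under `cronjob`,
# where they repeat its `annotations` and `labels` keys (most parsers silently
# keep the last value). Their comments describe pod metadata, so they are nested
# under `pod` here - confirm the key name against the chart templates.
pod:
  # -- Annotations to set on the pod
  annotations: {}
  # -- Labels to set on the pod
  labels: {}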

image:
  # -- Repository to pull renovate image from
  registry: registry1.dso.mil
  repository: ironbank/container-hardening-tools/renovate/renovate
  # -- Renovate image tag to pull
  tag: 39.88.0
  # -- "IfNotPresent" to pull the image if no image with the specified tag exists on the node, "Always" to always pull the image or "Never" to try and use pre-pulled images
  pullPolicy: IfNotPresent
  # -- Set `true` to use the full image. See https://docs.renovatebot.com/getting-started/running/#the-full-image
  useFull: false
# -- Secret to use to pull the image from the repository
imagePullSecrets:
  - name: private-registry

renovate:
  # -- Custom existing global renovate config
  existingConfigFile: ''
  # -- Inline global renovate config.json
  config: '{}'
  # See https://docs.renovatebot.com/self-hosted-configuration
  # The "token" entry in the sample below is a placeholder. A real token written
  # inline is stored together with the rest of these values; it can instead be
  # passed as an environment variable (Renovate reads RENOVATE_TOKEN) through
  # the `secrets` or `existingSecret` values of this file.
  # NOTE(review): "autodiscover" is a quoted string in this sample while
  # "dryRun" and "printConfig" are bare booleans - confirm the intended type.
  # config: |
  #   {
  #     "platform": "gitlab",
  #     "endpoint": "https://gitlab.example.com/api/v4",
  #     "token": "your-gitlab-renovate-user-token",
  #     "autodiscover": "false",
  #     "dryRun": true,
  #     "printConfig": true,
  #     "repositories": ["username/repo", "orgname/repo"]
  #   }

  # -- Use the Helm tpl function on your configuration. See README for how to use this value
  configEnableHelmTpl: false

  # -- Use this to create the renovate-config as a secret instead of a configmap
  # Keep this true whenever the inline config carries a token or other
  # credential: a ConfigMap is readable by anyone allowed to read ConfigMaps in
  # the namespace and is not covered by Secret-specific controls.
  configIsSecret: true

  # -- Renovate Container-level security-context
  securityContext:
    # NOTE(review): only the user, group and non-root flag are pinned here.
    # allowPrivilegeEscalation, capabilities, readOnlyRootFilesystem and
    # seccompProfile are not set, so they fall back to runtime/cluster defaults.
    # Add them here if the cluster's admission policy expects them (assumes the
    # template passes this map through unchanged - confirm).
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true

  # -- Options related to persistence
  persistence:
    cache:
      # -- Allow the cache to persist between runs
      enabled: false
      # -- Storage class of the cache PVC
      storageClass: ""
      # -- Storage size of the cache PVC
      storageSize: "512Mi"
      # -- Existing volume, enables binding the pvc to an existing volume
      volumeName: ""

ssh_config:
  # -- Whether to enable the use and creation of a secret containing .ssh files
  enabled: false

  # Provide .ssh config file contents
  # -- Contents of the id_rsa file
  id_rsa: ''
  # -- Contents of the id_rsa_pub file
  id_rsa_pub: ''
  # -- Contents of the config file
  config: ''

  # Or provide the name of an existing secret to be read instead. Prefer this where possible: a private key set in id_rsa is stored wherever these values are kept.
  # -- Name of the existing secret containing a valid .ssh configuration
  existingSecret: ''

# -- Environment variables that should be referenced from a k8s secret, cannot be used when existingSecret is set
secrets: {}
# -- k8s secret to reference environment variables from. Overrides secrets if set
existingSecret: ''

# -- Additional configmaps. A generated configMap name is: "renovate.fullname" + "extra" + name(below) e.g. renovate-netrc-config
extraConfigmaps: []
# The .netrc sample below places a password in a ConfigMap, which Kubernetes
# handles as ordinary configuration data rather than as a Secret. For real
# credentials, keep the file in a Secret and mount that instead (presumably via
# extraVolumes/extraVolumeMounts - confirm the chart accepts a secret volume).
# NOTE(review): the example name in the description above has no "extra" part,
# while the extraVolumes sample in this file references
# renovate-extra-netrc-config - confirm which form the template generates.
# extraConfigmaps:
#   - name: netrc-config
#     data:
#       .netrc: |-
#         machine gitlab.example.com
#         login gitlab-ci-token
#         password some-pass
#   - name: yet-another-config
#     data:
#       ya-config.yaml: |-
#         "key"="value"
#         "key1"="value1"

# -- Additional volumes to the pod
extraVolumes: []
# extraVolumes:
#   - name: netrc-config
#     configMap:
#       name: renovate-extra-netrc-config

# -- Additional volumeMounts to the container
extraVolumeMounts: []
# extraVolumeMounts:
#   - name: netrc-config
#     mountPath: /home/ubuntu/.netrc
#     subPath: .netrc

# -- Additional containers to the pod
extraContainers: []
# extraContainers:
#   - name: vault-agent
#     image: vault:1.6.2
#     args:
#     - agent
#     - -config
#     - /vault/config/config.hcl
#     env:
#     - name: VAULT_ADDR
#       value: https://vault:8200
#     - name: VAULT_SKIP_VERIFY
#       value: "false"
#     - name: VAULT_CACERT
#       value: /vault/tls/ca.crt

serviceAccount:
  # -- Specifies whether a service account should be created
  create: false
  # -- Annotations to add to the service account
  annotations: {}
  # -- The name of the service account to use
  # If not set and create is true, a name is generated using the fullname template
  name: ''

# -- Specify resource limits and requests for the renovate container
resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #  cpu: 100m
  #  memory: 128Mi
  # requests:
  #  cpu: 100m
  #  memory: 128Mi

# -- Environment variables to add from existing secrets/configmaps. Uses the keys as variable name
envFrom: []
# envFrom:
#   - secretRef:
#       name: env-secrets
#   - configMapRef:
#       name: env-configmap
# -- Environment variables to set on the renovate container
env: {}
# env:
#   VARIABLE_NAME: "value"
# -- Additional env. Helpful too if you want to use anything other than a `value` source.
envList: []
# envList:
#   - name: POD_NAME
#     valueFrom:
#       fieldRef:
#         fieldPath: metadata.name

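# NOTE(review): the parent key line is not visible in this listing, which leaves
# the indented keys below without a mapping to belong to. `redis` is assumed
# from the subchart named in the comments - confirm against the chart's
# dependency name or alias.
redis:
  # Configuration for a Redis subchart. Additional documentation at
  # https://github.com/bitnami/charts/tree/master/bitnami/redis

  # -- Enable the Redis subchart?
  enabled: false

  # -- Override the prefix of the redisHost
  nameOverride: ''

  # -- Disable replication by default
  architecture: standalone

  auth:
    # -- Don't require a password by default
    # With auth disabled, any workload that can reach the Redis service can read
    # and write the cache. When enabling the subchart, turn auth on or restrict
    # access to the service with a NetworkPolicy.
    enabled: false

  # -- Override Kubernetes version for redis chart
  kubeVersion: ''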

# -- Override hostname resolution
hostAliases: []
# See: https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/
# hostAliases:
#   - ip: "your-ip"
#     hostnames:
#       - "your-hostname"

# -- Pod-level security-context
securityContext:
  runAsUser: 1001
  runAsGroup: 1001
  fsGroup: 1001
  fsGroupChangePolicy: "OnRootMismatch"
  runAsNonRoot: true

# -- Select the node using labels to specify where the cronjob pod should run on
nodeSelector: {}
# See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
# renovate: true

# -- Configure the pod(Anti)Affinity and/or node(Anti)Affinity
affinity: {}
# See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/

# -- Configure which node taints the pod should tolerate
tolerations: []
# See: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
# -- Big Bang Values
domain: bigbang.dev
istio:
  enabled: false
  hardened:
    enabled: false
    customAuthorizationPolicies: []
    # - name: "allow-nothing"
    #   enabled: true
    #   spec: {}
  mtls:
    # -- STRICT = Allow only mutual TLS traffic,
    # PERMISSIVE = Allow both plain text and mutual TLS traffic.
    # PERMISSIVE is required for any action that redeploys pods, because STRICT interferes with initContainers.
    # The mode can be changed to STRICT after all initContainers have finished, but STRICT will interfere with upgrades/pod deployments that have initContainers.
    mode: PERMISSIVE
  renovate:
    enabled: true
    gateways:
    - istio-system/public

networkPolicies:
  enabled: false
  ingressLabels: 
    app: istio-ingressgateway
    istio: ingressgateway
  # -- IP range of target deployment
  renovateTargetIpRange: ""
  # Additional network policies
  # ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  additionalPolicies: []