Merge branch 'renovate/ironbank' into 'main'

Update Ironbank

See merge request !16

CHANGELOG.md

@@ -2,6 +2,16 @@
 
 Format: [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 
+---
+
+## [37.27.0-bb.0] - 2023-11-14
+### Changed
+- Bumped Redis chart dependency to `18.0.4-bb.0`
+- Bumped Gluon chart dependency to `0.4.4`
+- Updated redis to `7.2.2`
+- Updated redis-exporter to `v1.55.0``
+- Updated renovate to `37.27.0`
+
 ## [34.120.0-bb.3] - 2023-10-30
 ### Changed
 - Removed an upstream annotation from being managed by our renovate

README.md

 # renovate
 
-![Version: 34.120.0-bb.3](https://img.shields.io/badge/Version-34.120.0--bb.3-informational?style=flat-square) ![AppVersion: 34.120.0](https://img.shields.io/badge/AppVersion-34.120.0-informational?style=flat-square)
+![Version: 37.27.0-bb.0](https://img.shields.io/badge/Version-37.27.0--bb.0-informational?style=flat-square) ![AppVersion: 37.27.0](https://img.shields.io/badge/AppVersion-37.27.0-informational?style=flat-square)
 
 Universal dependency update tool that fits into your workflows.
 
@@ -40,6 +40,7 @@ helm install renovate chart/
 | nameOverride | string | `""` | Override the name of the chart |
 | fullnameOverride | string | `""` | Override the fully qualified app name |
 | cronjob.schedule | string | `"0 1 * * *"` | Schedules the job to run using cron notation |
+| cronjob.timeZone | string | `""` | You can specify a time zone for a CronJob by setting timeZone to the name of a valid time zone. (starting with k8s 1.27) <https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones> |
 | cronjob.suspend | bool | `false` | If it is set to true, all subsequent executions are suspended. This setting does not apply to already started executions. |
 | cronjob.annotations | object | `{}` | Annotations to set on the cronjob |
 | cronjob.labels | object | `{}` | Labels to set on the cronjob |
@@ -53,10 +54,12 @@ helm install renovate chart/
 | cronjob.startingDeadlineSeconds | string | `""` | Deadline to start the job, skips execution if job misses it's configured deadline |
 | cronjob.initContainers | list | `[]` | Additional initContainers that can be executed before renovate |
 | cronjob.preCommand | string | `""` | Prepend shell commands before renovate runs |
+| cronjob.postCommand | string | `""` | Append shell commands after renovate runs |
 | pod.annotations | object | `{}` | Annotations to set on the pod |
 | pod.labels | object | `{}` | Labels to set on the pod |
-| image.repository | string | `"registry1.dso.mil/ironbank/container-hardening-tools/renovate/renovate"` | Repository to pull renovate image from |
-| image.tag | string | `"34.120.0"` | Renovate image tag to pull |
+| image.registry | string | `"registry1.dso.mil"` | Repository to pull renovate image from |
+| image.repository | string | `"ironbank/container-hardening-tools/renovate/renovate"` |  |
+| image.tag | string | `"37.27.0"` | Renovate image tag to pull |
 | image.pullPolicy | string | `"IfNotPresent"` | "IfNotPresent" to pull the image if no image with the specified tag exists on the node, "Always" to always pull the image or "Never" to try and use pre-pulled images |
 | imagePullSecrets | list | `[{"name":"private-registry"}]` | Secret to use to pull the image from the repository |
 | renovate.existingConfigFile | string | `""` | Custom exiting global renovate config |
@@ -75,15 +78,10 @@ helm install renovate chart/
 | ssh_config.existingSecret | string | `""` | Name of the existing secret containing a valid .ssh configuration |
 | secrets | object | `{}` | Environment variables that should be referenced from a k8s secret, cannot be used when existingSecret is set |
 | existingSecret | string | `""` | k8s secret to reference environment variables from. Overrides secrets if set |
-| dind.enabled | bool | `false` | dind is non-functional in BB as it requires a privileged non-hardened container, changing this value does nothing |
-| dind.slim.enabled | bool | `true` | Do not add `-slim` suffix to image tag when using dind |
-| dind.image.repository | string | `"docker"` | Repository to pull dind image from |
-| dind.image.tag | string | `"20.10.23-dind"` | dind image tag to pull |
-| dind.image.pullPolicy | string | `"IfNotPresent"` | "IfNotPresent" to pull the image if no image with the specified tag exists on the node, "Always" to always pull the image or "Never" to try and use pre-pulled images |
-| dind.securityContext | object | `{"privileged":true}` | DinD Container-level security-context. Privileged is needed for DinD, it will not work without! |
 | extraConfigmaps | list | `[]` | Additional configmaps. A generated configMap name is: "renovate.fullname" + "extra" + name(below) e.g. renovate-netrc-config |
 | extraVolumes | list | `[]` | Additional volumes to the pod |
 | extraVolumeMounts | list | `[]` | Additional volumeMounts to the container |
+| extraContainers | list | `[]` | Additional containers to the pod |
 | serviceAccount.create | bool | `false` | Specifies whether a service account should be created |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
 | serviceAccount.name | string | `""` | The name of the service account to use If not set and create is true, a name is generated using the fullname template |

chart/Chart.lock

 dependencies:
 - name: redis
   repository: oci://registry1.dso.mil/bigbang
-  version: 17.10.2-bb.0
+  version: 18.0.4-bb.0
 - name: gluon
   repository: oci://registry1.dso.mil/bigbang
-  version: 0.4.0
-digest: sha256:dfc8baf065850367406ae59e8fb50e28d80602be15246c7de40b9c15d40f55f3
-generated: "2023-05-23T13:51:59.654826-05:00"
+  version: 0.4.4
+digest: sha256:b9fb502e56e3a8a8c299c00e650079bcd571c40e1d589922f7ab148de10840f9
+generated: "2023-11-09T11:02:15.559669-06:00"

chart/Chart.yaml

 apiVersion: v2
-appVersion: '34.120.0'
+appVersion: '37.27.0'
 description: Universal dependency update tool that fits into your workflows.
 name: renovate
-version: '34.120.0-bb.3'
+version: '37.27.0-bb.0'
 icon: https://docs.renovatebot.com/assets/images/logo.png
 home: https://github.com/renovatebot/renovate
 keywords:
@@ -23,28 +23,30 @@ maintainers:
     email: rhys@arkins.net
 annotations:
   bigbang.dev/applicationVersions: |
-    - Renovate: 34.120.0
+    - Renovate: 37.27.0
   helm.sh/images: |
     - name: renovate
-      image: registry1.dso.mil/ironbank/container-hardening-tools/renovate/renovate:34.120.0
+      image: registry1.dso.mil/ironbank/container-hardening-tools/renovate/renovate:37.27.0
     - name: redis
-      image: registry1.dso.mil/ironbank/bitnami/redis:7.0.11
+      image: registry1.dso.mil/ironbank/bitnami/redis:7.2.2
       condition: redis.enabled
     - name: exporter
-      image: registry1.dso.mil/ironbank/bitnami/analytics/redis-exporter:v1.50.0
+      image: registry1.dso.mil/ironbank/bitnami/analytics/redis-exporter:v1.55.0
       condition: redis.enabled
   artifacthub.io/license: AGPL-3.0-only
   artifacthub.io/images: |
     - name: renovate
-      image: renovate/renovate:34.120.0
+      image: ghcr.io/renovatebot/renovate:37.27.0
+      platforms:
+        - linux/amd64
   artifacthub.io/links: |
     - name: docs
       url: https://docs.renovatebot.com
 dependencies:
   - name: redis
     repository:  "oci://registry1.dso.mil/bigbang"
-    version: 17.10.2-bb.0
+    version: 18.0.4-bb.0
     condition: redis.enabled
   - name: gluon
-    version: "0.4.0"
+    version: "0.4.4"
     repository: "oci://registry1.dso.mil/bigbang"

chart/Kptfile

@@ -5,7 +5,7 @@ metadata:
 upstream:
   type: git
   git:
-    commit: 77c1901f381aa346e1e7805d278fce17ab16887e
+    commit: 95b66745005d3c7bc3422dc84ab13a23aeb9d54d
     repo: https://github.com/renovatebot/helm-charts
     directory: charts/renovate
-    ref: renovate-34.120.0
+    ref: renovate-37.27.0

chart/README.md

 # renovate
 
-![Version: 34.120.0](https://img.shields.io/badge/Version-34.120.0-informational?style=flat-square) ![AppVersion: 34.120.0](https://img.shields.io/badge/AppVersion-34.120.0-informational?style=flat-square)
+![Version: 37.27.0](https://img.shields.io/badge/Version-37.27.0-informational?style=flat-square) ![AppVersion: 37.27.0](https://img.shields.io/badge/AppVersion-37.27.0-informational?style=flat-square)
 
 Universal dependency update tool that fits into your workflows.
 
@@ -50,17 +50,13 @@ The following table lists the configurable parameters of the chart and the defau
 | cronjob.jobRestartPolicy | string | `"Never"` | Set to Never to restart the job when the pod fails or to OnFailure to restart when a container fails |
 | cronjob.labels | object | `{}` | Labels to set on the cronjob |
 | cronjob.preCommand | string | `""` | Prepend shell commands before renovate runs |
+| cronjob.postCommand | string | `""` | Append shell commands after renovate runs |
 | cronjob.schedule | string | `"0 1 * * *"` | Schedules the job to run using cron notation |
 | cronjob.startingDeadlineSeconds | string | `""` | Deadline to start the job, skips execution if job misses it's configured deadline |
 | cronjob.successfulJobsHistoryLimit | string | `""` | Amount of completed jobs to keep in history |
 | cronjob.suspend | bool | `false` | If it is set to true, all subsequent executions are suspended. This setting does not apply to already started executions. |
+| cronJob.timeZone | string | `""` | You can specify a time zone for a CronJob by setting timeZone to the name of a valid time zone. (starting with k8s 1.27) <https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones> |
 | cronjob.ttlSecondsAfterFinished | string | `"""` | Time to keep the job after it finished before automatically deleting it |
-| dind.enabled | bool | `false` | Enable dind sidecar usage? |
-| dind.image.pullPolicy | string | `"IfNotPresent"` | "IfNotPresent" to pull the image if no image with the specified tag exists on the node, "Always" to always pull the image or "Never" to try and use pre-pulled images |
-| dind.image.repository | string | `"docker"` | Repository to pull dind image from |
-| dind.image.tag | string | `"20.10.23-dind"` | dind image tag to pull |
-| dind.securityContext | object | `{"privileged":true}` | DinD Container-level security-context. Privileged is needed for DinD, it will not work without! |
-| dind.slim.enabled | bool | `true` | Do not add `-slim` suffix to image tag when using dind |
 | env | object | `{}` | Environment variables to set on the renovate container |
 | envFrom | list | `[]` | Environment variables to add from existing secrets/configmaps. Uses the keys as variable name |
 | envList | list | `[]` | Additional env. Helpful too if you want to use anything other than a `value` source. |
@@ -68,12 +64,14 @@ The following table lists the configurable parameters of the chart and the defau
 | extraConfigmaps | list | `[]` | Additional configmaps. A generated configMap name is: "renovate.fullname" + "extra" + name(below) e.g. renovate-netrc-config |
 | extraVolumeMounts | list | `[]` | Additional volumeMounts to the container |
 | extraVolumes | list | `[]` | Additional volumes to the pod |
+| extraContainers | list | `[]` | Additional containers to the pod |
 | fullnameOverride | string | `""` | Override the fully qualified app name |
 | global.commonLabels | object | `{}` | Additional labels to be set on all renovate resources |
 | hostAliases | list | `[]` | Override hostname resolution |
 | image.pullPolicy | string | `"IfNotPresent"` | "IfNotPresent" to pull the image if no image with the specified tag exists on the node, "Always" to always pull the image or "Never" to try and use pre-pulled images |
-| image.repository | string | `"renovate/renovate"` | Repository to pull renovate image from |
-| image.tag | string | `"34.108.3"` | Renovate image tag to pull |
+| image.registry | string | `"ghcr.io"` | Registry to pull image from |
+| image.repository | string | `"renovatebot/renovate"` | Image name to pull |
+| image.tag | string | `"37.27.0"` | Renovate image tag to pull |
 | imagePullSecrets | object | `{}` | Secret to use to pull the image from the repository |
 | nameOverride | string | `""` | Override the name of the chart |
 | nodeSelector | object | `{}` | Select the node using labels to specify where the cronjob pod should run on |
@@ -123,13 +121,22 @@ Allows you to reference values using `"{{ .Values.someValue }}"` in your config
 escape your config entries containing `{{` (i.e. `"key": "{{depName}}"`) in the
 value by wrapping it like: `"key": "{{ "{{depName}}" }}"`.
 
-## Docker in Docker configuration
+## Renovate full image
 
-When `dind.enabled` is set to `true`, a Docker in Docker container will run as a sidecar to supply a Docker daemon to the RenovateBot container. This allows the configuration `binarySource` to be set to `docker`, which is the default configuration in the slim Docker images.
-
-The slim suffix will be added to the tag if not present. To disable this behaviour, set `dind.slim.enabled` to `false`.
+This chart is using the slim renovate image by default.
+If you want to use the full renovate image, set the `image.tag` to `full`.
+If you like to use a specific major version, set the `image.tag` to `36-full`.
 
 ## Redis
 
 Please check out [bitnami redis](https://artifacthub.io/packages/helm/bitnami/redis) chart for additional redis configuration.
 
+## Upgrading
+
+A major chart version change can indicate that there is an incompatible breaking change needing maual actions.
+
+### To v16
+
+- The `slim` options was removed, the `latest` tag now points to the slim renovate docker image.
+- The `dind` option was removed. The `slim` renovate version uses `binarySource=install`, so no need for complex Docker in Docker setup.
+- The renovate image is now pulled from `ghcr.io/renovatebot/renovate` by default.

chart/README.md.gotmpl

@@ -56,12 +56,21 @@ Allows you to reference values using `"{{ .Values.someValue }}"` in your config
 escape your config entries containing `{{` (i.e. `"key": "{{depName}}"`) in the
 value by wrapping it like: `"key": "{{ "{{depName}}" }}"`.
 
-## Docker in Docker configuration
+## Renovate full image
 
-When `dind.enabled` is set to `true`, a Docker in Docker container will run as a sidecar to supply a Docker daemon to the RenovateBot container. This allows the configuration `binarySource` to be set to `docker`, which is the default configuration in the slim Docker images.
-
-The slim suffix will be added to the tag if not present. To disable this behaviour, set `dind.slim.enabled` to `false`.
+This chart is using the slim renovate image by default.
+If you want to use the full renovate image, set the `image.tag` to `full`.
+If you like to use a specific major version, set the `image.tag` to `36-full`.
 
 ## Redis
 
 Please checkout [bitnami redis](https://artifacthub.io/packages/helm/bitnami/redis) chart for additional redis configuration.
+
+## Upgrading
+
+A major chart version change can indicate that there is an incompatible breaking change needing maual actions.
+
+### To v16
+
+- The `slim` options was removed, the `latest` tag now points to the slim renovate docker image.
+- The `dind` option was removed. The `slim` renovate version uses `binarySource=install`, so no need for complex Docker in Docker setup.

chart/templates/NOTES.txt

-A {{ template "renovate.name" . }} CronJob will run with schedule {{ .Values.cronjob.schedule }}.
\ No newline at end of file
+A {{ template "renovate.name" . }} CronJob will run with schedule {{ .Values.cronjob.schedule }}.

chart/templates/_helpers.tpl

@@ -87,17 +87,6 @@ Define ssh config secret
 {{- end -}}
 {{- end -}}
 
-{{/*
-Force slim image if dind is enabled and slim is not disabled
-*/}}
-{{- define "renovate.imageTag" -}}
-{{- if and .Values.dind.enabled .Values.dind.slim.enabled (not (eq .Values.image.tag "slim")) (not (regexMatch "^.*-slim$" .Values.image.tag)) -}}
-{{- .Values.image.tag }}-slim
-{{- else -}}
-{{- .Values.image.tag }}
-{{- end -}}
-{{- end -}} 
-
 {{/*
 Create a default fully qualified Redis™ name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).

chart/templates/cronjob.yaml

@@ -21,6 +21,9 @@ metadata:
 {{- end }}
 spec:
   schedule: "{{ .Values.cronjob.schedule }}"
+  {{- with .Values.cronjob.timeZone }}
+  timeZone: {{ . }}
+  {{- end }}
   {{- with .Values.cronjob.suspend }}
   suspend: {{ . }}
   {{- end }}
@@ -84,22 +87,21 @@ spec:
                   curl -fsI -X POST http://localhost:15020/quitquitquit;
                   exit $x;
               {{ end }}
-              image: "{{ .Values.image.repository }}:{{ include "renovate.imageTag" . }}"
+              image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
               imagePullPolicy: {{ .Values.image.pullPolicy }}
-              {{- if or .Values.dind.enabled .Values.cronjob.preCommand}}
+              {{- if or .Values.cronjob.preCommand .Values.cronjob.postCommand}}
               command: ["/bin/bash", "-c"]
               args:
                 - |
-                {{- if .Values.dind.enabled }}
-                  trap "touch /tmp/main-terminated" EXIT
-                  while true; do if [[ -f "/tmp/dind-started" ]]; then break; fi; sleep 1; done
-                {{- end }}
                 {{- if .Values.cronjob.preCommand }}
                   {{- .Values.cronjob.preCommand | nindent 18 }}
                 {{- end }}
                   renovate
+                {{- if .Values.cronjob.postCommand }}
+                  {{- .Values.cronjob.postCommand | nindent 18 }}
+                {{- end }}
               {{- end }}
-              {{- if or .Values.renovate.config .Values.ssh_config.enabled .Values.dind.enabled .Values.extraVolumes }}
+              {{- if or .Values.renovate.config .Values.ssh_config.enabled .Values.extraVolumes }}
               volumeMounts:
               {{- if .Values.renovate.config }}
               - name: config-volume
@@ -119,10 +121,6 @@ spec:
               - name: {{ include "renovate.fullname" . }}-cache
                 mountPath: /tmp/renovate
               {{- end }}
-              {{- if .Values.dind.enabled }}
-              - name: {{ .Chart.Name }}-tmp-volume
-                mountPath: /tmp
-              {{- end }}
               env:
                 {{- if .Values.renovate.existingConfigFile }}
                 - name: RENOVATE_CONFIG_FILE
@@ -139,14 +137,6 @@ spec:
                 - name: {{ $k | quote }}
                   value: {{ $v | quote }}
                 {{- end }}
-                {{- if .Values.dind.enabled }}
-                - name: DOCKER_HOST
-                  value: 127.0.0.1:2376
-                - name: DOCKER_CERT_PATH
-                  value: "/tmp/certs/client"
-                - name: DOCKER_TLS_VERIFY
-                  value: "true"
-                {{- end }}
                 {{- with .Values.envList }}
                   {{- toYaml . | nindent 16 }}
                 {{- end }}
@@ -166,31 +156,9 @@ spec:
               resources:
                 {{- toYaml . | nindent 16 }}
             {{- end }}
-            {{- if .Values.dind.enabled }}
-            - name: {{ .Chart.Name }}-dind
-              image: "{{ .Values.dind.image.repository }}:{{ .Values.dind.image.tag }}"
-              imagePullPolicy: {{ .Values.dind.image.pullPolicy }}
-              command: ["/bin/sh", "-c"]
-              args:
-                - |
-                  dockerd-entrypoint.sh &
-                  CHILD_PID=$!
-                  while ! (pgrep containerd); do sleep 1; done
-                  touch /tmp/dind-started
-                  (while true; do if [[ -f "/tmp/main-terminated" ]]; then kill $CHILD_PID; fi; sleep 1; done) &
-                  wait $CHILD_PID
-                  if [[ -f "/tmp/main-terminated" ]]; then exit 0; fi
-              env:
-                - name: DOCKER_TLS_CERTDIR
-                  value: "/tmp/certs"
-            {{- with .Values.dind.securityContext }}
-              securityContext:
-                {{- toYaml . | nindent 16 }}
-            {{- end }}
-              volumeMounts:
-                - name: {{ .Chart.Name }}-tmp-volume
-                  mountPath: /tmp
-            {{- end }}
+          {{- with .Values.extraContainers }}
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
           volumes:
             {{- if .Values.renovate.config }}
               {{- if .Values.renovate.configIsSecret }}

chart/values.yaml

@@ -10,6 +10,8 @@ fullnameOverride: ''
 cronjob:
   # -- Schedules the job to run using cron notation
   schedule: '0 1 * * *'  # At 01:00 every day
+  # -- You can specify a time zone for a CronJob by setting timeZone to the name of a valid time zone. (starting with k8s 1.27) <https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones>
+  timeZone: ''  # see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for valid names
   # -- If it is set to true, all subsequent executions are suspended. This setting does not apply to already started executions.
   suspend: false
   # -- Annotations to set on the cronjob
@@ -44,6 +46,12 @@ cronjob:
   #   echo hello
   #   echo world
 
+  # -- Append shell commands after renovate runs
+  postCommand: ''
+  # postCommand: |
+  #   echo hello
+  #   echo world
+
 pod:
   # -- Annotations to set on the pod
   annotations: {}
@@ -52,9 +60,10 @@ pod:
 
 image:
   # -- Repository to pull renovate image from
-  repository: registry1.dso.mil/ironbank/container-hardening-tools/renovate/renovate
+  registry: registry1.dso.mil
+  repository: ironbank/container-hardening-tools/renovate/renovate
   # -- Renovate image tag to pull
-  tag: 34.120.0
+  tag: 37.27.0
   # -- "IfNotPresent" to pull the image if no image with the specified tag exists on the node, "Always" to always pull the image or "Never" to try and use pre-pulled images
   pullPolicy: IfNotPresent
 
@@ -119,24 +128,6 @@ secrets: {}
 # -- k8s secret to reference environment variables from. Overrides secrets if set
 existingSecret: ''
 
-dind:
-  # -- dind is non-functional in BB as it requires a privileged non-hardened container, changing this value does nothing
-  enabled: false
-  slim:
-    # -- Do not add `-slim` suffix to image tag when using dind
-    enabled: true
-  image:
-    # -- Repository to pull dind image from
-    repository: docker
-    # -- dind image tag to pull
-    tag: 20.10.23-dind
-    # -- "IfNotPresent" to pull the image if no image with the specified tag exists on the node, "Always" to always pull the image or "Never" to try and use pre-pulled images
-    pullPolicy: IfNotPresent
-
-  # -- DinD Container-level security-context. Privileged is needed for DinD, it will not work without!
-  securityContext:
-    privileged: true
-
 # -- Additional configmaps. A generated configMap name is: "renovate.fullname" + "extra" + name(below) e.g. renovate-netrc-config
 extraConfigmaps: []
 # extraConfigmaps:
@@ -166,6 +157,23 @@ extraVolumeMounts: []
 #     mountPath: /home/ubuntu/.netrc
 #     subPath: .netrc
 
+# -- Additional containers to the pod
+extraContainers: []
+# extraContainers:
+#   - name: vault-agent
+#     image: vault:1.6.2
+#     args:
+#     - agent
+#     - -config
+#     - /vault/config/config.hcl
+#     env:
+#     - name: VAULT_ADDR
+#       value: https://vault:8200
+#     - name: VAULT_SKIP_VERIFY
+#       value: "false"
+#     - name: VAULT_CACERT
+#       value: /vault/tls/ca.crt
+
 serviceAccount:
   # -- Specifies whether a service account should be created
   create: false

docs/DEVELOPMENT_MAINTENANCE.md

@@ -16,7 +16,8 @@ kpt pkg update chart/@renovate-${chart.version} --strategy alpha-git-patch
 - set registry1 image and imagepullsecret
 ```yaml
 image:
-  repository: registry1.dso.mil/ironbank/container-hardening-tools/renovate/renovate
+  registry: registry1.dso.mil
+  repository: ironbank/container-hardening-tools/renovate/renovate
   tag: 34.120.0
   pullPolicy: IfNotPresent
 
@@ -59,6 +60,28 @@ networkPolicies:
 - Add directory for network policies
 - Add peer-authentication resource
 
+### chart/templates/cronjob.yaml
+- Merge this in
+    ```yaml
+    spec:
+      jobTemplate:
+        spec:
+          template:
+            spec:
+              containers:
+                - name: {{ .Chart.Name }}
+                  {{ if .Values.istio.enabled }}
+                  command: ["/bin/sh"]
+                  args:
+                    - -c
+                    - >- 
+                      docker-entrypoint.sh;
+                      x=$(echo $?);
+                      curl -fsI -X POST http://localhost:15020/quitquitquit;
+                      exit $x;
+                  {{ end }}
+    ```
+
 # Testing new Renovate Version
 Identify a repository with a valid `renovate.json` to execute renovate against.