UNCLASSIFIED - NO CUI

Unverified commit 9fd58f55, authored by Andrew Shoell

updates for the chart

parent 4156cf83
1 merge request: !16 Update Ironbank
This commit is part of merge request !16.
dependencies:
- name: redis
repository: oci://registry1.dso.mil/bigbang
version: 17.10.2-bb.0
version: 18.0.4-bb.0
- name: gluon
repository: oci://registry1.dso.mil/bigbang
version: 0.4.0
digest: sha256:dfc8baf065850367406ae59e8fb50e28d80602be15246c7de40b9c15d40f55f3
generated: "2023-05-23T13:51:59.654826-05:00"
version: 0.4.1
digest: sha256:f2fe83910c080540ea175c7059ee9b8d51dbf0a324df8f11a8e0b46ea227ec5d
generated: "2023-10-19T12:56:49.749136508-06:00"
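Review bot: the redis entry in this lock data moves from `17.10.2-bb.0` to `18.0.4-bb.0`, a major-version jump of a stateful dependency, and the commit message ("updates for the chart") does not mention it. Please confirm that the redis values this chart passes through still apply to the 18.x subchart, and call the bump out in the changelog or upgrade notes. The new `digest` and `generated` fields should come from `helm dependency update`, not a hand edit.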
......@@ -2,7 +2,7 @@ apiVersion: v2
appVersion: '37.27.0'
description: Universal dependency update tool that fits into your workflows.
name: renovate
version: '34.120.0-bb.2'
version: '37.27.0-bb.0'
icon: https://docs.renovatebot.com/assets/images/logo.png
home: https://github.com/renovatebot/renovate
keywords:
......@@ -36,7 +36,9 @@ annotations:
artifacthub.io/license: AGPL-3.0-only
artifacthub.io/images: |
- name: renovate
image: renovate/renovate:34.120.0
image: ghcr.io/renovatebot/renovate:37.27.0
platforms:
- linux/amd64
artifacthub.io/links: |
- name: docs
url: https://docs.renovatebot.com
......
......@@ -5,7 +5,7 @@ metadata:
upstream:
type: git
git:
commit: 77c1901f381aa346e1e7805d278fce17ab16887e
commit: 95b66745005d3c7bc3422dc84ab13a23aeb9d54d
repo: https://github.com/renovatebot/helm-charts
directory: charts/renovate
ref: renovate-34.120.0
ref: renovate-37.27.0
# renovate
![Version: 34.120.0](https://img.shields.io/badge/Version-34.120.0-informational?style=flat-square) ![AppVersion: 34.120.0](https://img.shields.io/badge/AppVersion-34.120.0-informational?style=flat-square)
![Version: 37.27.0](https://img.shields.io/badge/Version-37.27.0-informational?style=flat-square) ![AppVersion: 37.27.0](https://img.shields.io/badge/AppVersion-37.27.0-informational?style=flat-square)
Universal dependency update tool that fits into your workflows.
......@@ -50,17 +50,13 @@ The following table lists the configurable parameters of the chart and the defau
| cronjob.jobRestartPolicy | string | `"Never"` | Set to Never to restart the job when the pod fails or to OnFailure to restart when a container fails |
| cronjob.labels | object | `{}` | Labels to set on the cronjob |
| cronjob.preCommand | string | `""` | Prepend shell commands before renovate runs |
| cronjob.postCommand | string | `""` | Append shell commands after renovate runs |
| cronjob.schedule | string | `"0 1 * * *"` | Schedules the job to run using cron notation |
| cronjob.startingDeadlineSeconds | string | `""` | Deadline to start the job, skips execution if job misses it's configured deadline |
| cronjob.successfulJobsHistoryLimit | string | `""` | Amount of completed jobs to keep in history |
| cronjob.suspend | bool | `false` | If it is set to true, all subsequent executions are suspended. This setting does not apply to already started executions. |
| cronJob.timeZone | string | `""` | You can specify a time zone for a CronJob by setting timeZone to the name of a valid time zone. (starting with k8s 1.27) <https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones> |
| cronjob.ttlSecondsAfterFinished | string | `"""` | Time to keep the job after it finished before automatically deleting it |
| dind.enabled | bool | `false` | Enable dind sidecar usage? |
| dind.image.pullPolicy | string | `"IfNotPresent"` | "IfNotPresent" to pull the image if no image with the specified tag exists on the node, "Always" to always pull the image or "Never" to try and use pre-pulled images |
| dind.image.repository | string | `"docker"` | Repository to pull dind image from |
| dind.image.tag | string | `"20.10.23-dind"` | dind image tag to pull |
| dind.securityContext | object | `{"privileged":true}` | DinD Container-level security-context. Privileged is needed for DinD, it will not work without! |
| dind.slim.enabled | bool | `true` | Do not add `-slim` suffix to image tag when using dind |
| env | object | `{}` | Environment variables to set on the renovate container |
| envFrom | list | `[]` | Environment variables to add from existing secrets/configmaps. Uses the keys as variable name |
| envList | list | `[]` | Additional env. Helpful too if you want to use anything other than a `value` source. |
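Review bot: the new `cronJob.timeZone` row is spelled with a capital `J`, while every other row in this table uses `cronjob.` and the template added in this commit reads `.Values.cronjob.timeZone`. Helm value keys are case-sensitive, so a user who copies the documented key sets a value the CronJob never sees; rename the row to `cronjob.timeZone`. While here, the `cronjob.ttlSecondsAfterFinished` default is rendered with three double quotes instead of two.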
......@@ -68,12 +64,14 @@ The following table lists the configurable parameters of the chart and the defau
| extraConfigmaps | list | `[]` | Additional configmaps. A generated configMap name is: "renovate.fullname" + "extra" + name(below) e.g. renovate-netrc-config |
| extraVolumeMounts | list | `[]` | Additional volumeMounts to the container |
| extraVolumes | list | `[]` | Additional volumes to the pod |
| extraContainers | list | `[]` | Additional containers to the pod |
| fullnameOverride | string | `""` | Override the fully qualified app name |
| global.commonLabels | object | `{}` | Additional labels to be set on all renovate resources |
| hostAliases | list | `[]` | Override hostname resolution |
| image.pullPolicy | string | `"IfNotPresent"` | "IfNotPresent" to pull the image if no image with the specified tag exists on the node, "Always" to always pull the image or "Never" to try and use pre-pulled images |
| image.repository | string | `"renovate/renovate"` | Repository to pull renovate image from |
| image.tag | string | `"34.108.3"` | Renovate image tag to pull |
| image.registry | string | `"ghcr.io"` | Registry to pull image from |
| image.repository | string | `"renovatebot/renovate"` | Image name to pull |
| image.tag | string | `"37.27.0"` | Renovate image tag to pull |
| imagePullSecrets | object | `{}` | Secret to use to pull the image from the repository |
| nameOverride | string | `""` | Override the name of the chart |
| nodeSelector | object | `{}` | Select the node using labels to specify where the cronjob pod should run on |
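Review bot: the `image.registry` and `image.repository` rows document defaults of `ghcr.io` and `renovatebot/renovate`, but the values.yaml in this same commit keeps `repository: registry1.dso.mil/ironbank/container-hardening-tools/renovate/renovate`. Regenerate the table from this package's own values so operators do not conclude that the chart pulls from ghcr.io by default.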
......@@ -123,13 +121,22 @@ Allows you to reference values using `"{{ .Values.someValue }}"` in your config
escape your config entries containing `{{` (i.e. `"key": "{{depName}}"`) in the
value by wrapping it like: `"key": "{{ "{{depName}}" }}"`.
## Docker in Docker configuration
## Renovate full image
When `dind.enabled` is set to `true`, a Docker in Docker container will run as a sidecar to supply a Docker daemon to the RenovateBot container. This allows the configuration `binarySource` to be set to `docker`, which is the default configuration in the slim Docker images.
The slim suffix will be added to the tag if not present. To disable this behaviour, set `dind.slim.enabled` to `false`.
This chart is using the slim renovate image by default.
If you want to use the full renovate image, set the `image.tag` to `full`.
If you like to use a specific major version, set the `image.tag` to `36-full`.
## Redis
Please check out [bitnami redis](https://artifacthub.io/packages/helm/bitnami/redis) chart for additional redis configuration.
## Upgrading
A major chart version change can indicate that there is an incompatible breaking change needing maual actions.
### To v16
- The `slim` options was removed, the `latest` tag now points to the slim renovate docker image.
- The `dind` option was removed. The `slim` renovate version uses `binarySource=install`, so no need for complex Docker in Docker setup.
- The renovate image is now pulled from `ghcr.io/renovatebot/renovate` by default.
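Review bot: the "Renovate full image" text tells users to set `image.tag` to `full` or `36-full`, which are floating tags; combined with the documented `image.pullPolicy` default of `IfNotPresent`, different nodes can run different image contents under the same tag. Suggest recommending a fully versioned `-full` tag (or a digest) and noting whether those tags exist in the registry this package actually pulls from. Also fix the typo "maual" in the Upgrading paragraph.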
......@@ -56,12 +56,21 @@ Allows you to reference values using `"{{ .Values.someValue }}"` in your config
escape your config entries containing `{{` (i.e. `"key": "{{depName}}"`) in the
value by wrapping it like: `"key": "{{ "{{depName}}" }}"`.
## Docker in Docker configuration
## Renovate full image
When `dind.enabled` is set to `true`, a Docker in Docker container will run as a sidecar to supply a Docker daemon to the RenovateBot container. This allows the configuration `binarySource` to be set to `docker`, which is the default configuration in the slim Docker images.
The slim suffix will be added to the tag if not present. To disable this behaviour, set `dind.slim.enabled` to `false`.
This chart is using the slim renovate image by default.
If you want to use the full renovate image, set the `image.tag` to `full`.
If you like to use a specific major version, set the `image.tag` to `36-full`.
## Redis
Please checkout [bitnami redis](https://artifacthub.io/packages/helm/bitnami/redis) chart for additional redis configuration.
## Upgrading
A major chart version change can indicate that there is an incompatible breaking change needing maual actions.
### To v16
- The `slim` options was removed, the `latest` tag now points to the slim renovate docker image.
- The `dind` option was removed. The `slim` renovate version uses `binarySource=install`, so no need for complex Docker in Docker setup.
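Review bot: this copy of the "To v16" list ends at the `dind` bullet, while the preceding copy of the same section has a third bullet ("The renovate image is now pulled from `ghcr.io/renovatebot/renovate` by default"). If one of these files is generated from the other, the extra bullet will be lost or reintroduced on the next regeneration; make the two lists identical. The "maual" typo is repeated here as well.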
File deleted
File added
File deleted
File added
A {{ template "renovate.name" . }} CronJob will run with schedule {{ .Values.cronjob.schedule }}.
\ No newline at end of file
A {{ template "renovate.name" . }} CronJob will run with schedule {{ .Values.cronjob.schedule }}.
......@@ -87,17 +87,6 @@ Define ssh config secret
{{- end -}}
{{- end -}}
{{/*
Force slim image if dind is enabled and slim is not disabled
*/}}
{{- define "renovate.imageTag" -}}
{{- if and .Values.dind.enabled .Values.dind.slim.enabled (not (eq .Values.image.tag "slim")) (not (regexMatch "^.*-slim$" .Values.image.tag)) -}}
{{- .Values.image.tag }}-slim
{{- else -}}
{{- .Values.image.tag }}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified Redis&trade; name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
......
......@@ -21,6 +21,9 @@ metadata:
{{- end }}
spec:
schedule: "{{ .Values.cronjob.schedule }}"
{{- with .Values.cronjob.timeZone }}
timeZone: {{ . }}
{{- end }}
{{- with .Values.cronjob.suspend }}
suspend: {{ . }}
{{- end }}
......@@ -74,32 +77,21 @@ spec:
{{- end }}
containers:
- name: {{ .Chart.Name }}
{{ if .Values.istio.enabled }}
command: ["/bin/sh"]
args:
- -c
- >-
docker-entrypoint.sh;
x=$(echo $?);
curl -fsI -X POST http://localhost:15020/quitquitquit;
exit $x;
{{ end }}
image: "{{ .Values.image.repository }}:{{ include "renovate.imageTag" . }}"
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if or .Values.dind.enabled .Values.cronjob.preCommand}}
{{- if or .Values.cronjob.preCommand .Values.cronjob.postCommand}}
command: ["/bin/bash", "-c"]
args:
- |
{{- if .Values.dind.enabled }}
trap "touch /tmp/main-terminated" EXIT
while true; do if [[ -f "/tmp/dind-started" ]]; then break; fi; sleep 1; done
{{- end }}
{{- if .Values.cronjob.preCommand }}
{{- .Values.cronjob.preCommand | nindent 18 }}
{{- end }}
renovate
{{- if .Values.cronjob.postCommand }}
{{- .Values.cronjob.postCommand | nindent 18 }}
{{- end }}
{{- end }}
{{- if or .Values.renovate.config .Values.ssh_config.enabled .Values.dind.enabled .Values.extraVolumes }}
{{- if or .Values.renovate.config .Values.ssh_config.enabled .Values.extraVolumes }}
volumeMounts:
{{- if .Values.renovate.config }}
- name: config-volume
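Review bot: in the `args` script, `renovate` is no longer the last command once `cronjob.postCommand` is set, so the container exits with the status of the last `postCommand` line and a failed renovate run can be recorded as a successful Job. The `istio.enabled` block in this hunk saved the status (`x=$(echo $?)` then `exit $x`) before calling `quitquitquit`; the combined script should do the same by capturing `$?` right after `renovate` and exiting with it after the post commands. If the Istio block is being dropped, the README should state that sidecar shutdown now has to be done through `postCommand`, otherwise pods with an injected sidecar will not complete.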
......@@ -119,10 +111,6 @@ spec:
- name: {{ include "renovate.fullname" . }}-cache
mountPath: /tmp/renovate
{{- end }}
{{- if .Values.dind.enabled }}
- name: {{ .Chart.Name }}-tmp-volume
mountPath: /tmp
{{- end }}
env:
{{- if .Values.renovate.existingConfigFile }}
- name: RENOVATE_CONFIG_FILE
......@@ -139,14 +127,6 @@ spec:
- name: {{ $k | quote }}
value: {{ $v | quote }}
{{- end }}
{{- if .Values.dind.enabled }}
- name: DOCKER_HOST
value: 127.0.0.1:2376
- name: DOCKER_CERT_PATH
value: "/tmp/certs/client"
- name: DOCKER_TLS_VERIFY
value: "true"
{{- end }}
{{- with .Values.envList }}
{{- toYaml . | nindent 16 }}
{{- end }}
......@@ -166,31 +146,9 @@ spec:
resources:
{{- toYaml . | nindent 16 }}
{{- end }}
{{- if .Values.dind.enabled }}
- name: {{ .Chart.Name }}-dind
image: "{{ .Values.dind.image.repository }}:{{ .Values.dind.image.tag }}"
imagePullPolicy: {{ .Values.dind.image.pullPolicy }}
command: ["/bin/sh", "-c"]
args:
- |
dockerd-entrypoint.sh &
CHILD_PID=$!
while ! (pgrep containerd); do sleep 1; done
touch /tmp/dind-started
(while true; do if [[ -f "/tmp/main-terminated" ]]; then kill $CHILD_PID; fi; sleep 1; done) &
wait $CHILD_PID
if [[ -f "/tmp/main-terminated" ]]; then exit 0; fi
env:
- name: DOCKER_TLS_CERTDIR
value: "/tmp/certs"
{{- with .Values.dind.securityContext }}
securityContext:
{{- toYaml . | nindent 16 }}
{{- end }}
volumeMounts:
- name: {{ .Chart.Name }}-tmp-volume
mountPath: /tmp
{{- end }}
{{- with .Values.extraContainers }}
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
volumes:
{{- if .Values.renovate.config }}
{{- if .Values.renovate.configIsSecret }}
......
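Review bot: `extraContainers` are appended to a CronJob pod with no shutdown coordination, so a long-running sidecar such as the `vault-agent` example in values.yaml keeps the pod running after `renovate` exits and the Job never completes. The dind container in this hunk handled that with the `/tmp/main-terminated` file; the parameter description should state that extra containers must exit on their own or be stopped from `postCommand`. Because the list is passed through `tpl`, also document that entries are evaluated as templates, and that each container needs its own `securityContext` and `resources`, since nothing is inherited from the main container.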
......@@ -10,6 +10,8 @@ fullnameOverride: ''
cronjob:
# -- Schedules the job to run using cron notation
schedule: '0 1 * * *' # At 01:00 every day
# -- You can specify a time zone for a CronJob by setting timeZone to the name of a valid time zone. (starting with k8s 1.27) <https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones>
timeZone: '' # see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for valid names
# -- If it is set to true, all subsequent executions are suspended. This setting does not apply to already started executions.
suspend: false
# -- Annotations to set on the cronjob
......@@ -44,6 +46,12 @@ cronjob:
# echo hello
# echo world
# -- Append shell commands after renovate runs
postCommand: ''
# postCommand: |
# echo hello
# echo world
pod:
# -- Annotations to set on the pod
annotations: {}
......@@ -54,7 +62,7 @@ image:
# -- Repository to pull renovate image from
repository: registry1.dso.mil/ironbank/container-hardening-tools/renovate/renovate
# -- Renovate image tag to pull
tag: 34.120.0
tag: 37.27.0
# -- "IfNotPresent" to pull the image if no image with the specified tag exists on the node, "Always" to always pull the image or "Never" to try and use pre-pulled images
pullPolicy: IfNotPresent
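Review bot: `repository` here still contains the registry host (`registry1.dso.mil/ironbank/...`), but the CronJob template in this commit now renders `{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}`, and no `image.registry` key appears in the lines shown. Unless `registry` is defined outside this hunk, the image reference renders with an empty registry segment and a leading `/`, and the pull fails. Add `registry: registry1.dso.mil` and shorten `repository` to `ironbank/container-hardening-tools/renovate/renovate`. Pinning the `37.27.0` tag together with a digest would also make the pulled image reproducible.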
......@@ -119,24 +127,6 @@ secrets: {}
# -- k8s secret to reference environment variables from. Overrides secrets if set
existingSecret: ''
dind:
# -- dind is non-functional in BB as it requires a privileged non-hardened container, changing this value does nothing
enabled: false
slim:
# -- Do not add `-slim` suffix to image tag when using dind
enabled: true
image:
# -- Repository to pull dind image from
repository: docker
# -- dind image tag to pull
tag: 20.10.23-dind
# -- "IfNotPresent" to pull the image if no image with the specified tag exists on the node, "Always" to always pull the image or "Never" to try and use pre-pulled images
pullPolicy: IfNotPresent
# -- DinD Container-level security-context. Privileged is needed for DinD, it will not work without!
securityContext:
privileged: true
# -- Additional configmaps. A generated configMap name is: "renovate.fullname" + "extra" + name(below) e.g. renovate-netrc-config
extraConfigmaps: []
# extraConfigmaps:
......@@ -166,6 +156,23 @@ extraVolumeMounts: []
# mountPath: /home/ubuntu/.netrc
# subPath: .netrc
# -- Additional containers to the pod
extraContainers: []
# extraContainers:
# - name: vault-agent
# image: vault:1.6.2
# args:
# - agent
# - -config
# - /vault/config/config.hcl
# env:
# - name: VAULT_ADDR
# value: https://vault:8200
# - name: VAULT_SKIP_VERIFY
# value: "false"
# - name: VAULT_CACERT
# value: /vault/tls/ca.crt
serviceAccount:
# -- Specifies whether a service account should be created
create: false
......
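Review bot: the commented `extraContainers` example uses `image: vault:1.6.2`, a bare name that resolves to the container runtime's default public registry, while this chart's own image comes from `registry1.dso.mil/ironbank/...`. Examples tend to be uncommented verbatim, so point this one at a fully qualified image in the registry this package expects, pinned to a tag or digest that is known to exist there.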