updates for the chart

9fd58f55 · Andrew Shoell · 4156cf83 · 9fd58f55 · 9fd58f55 · 9fd58f55
Unverified Commit 9fd58f55 authored 1 year ago by Andrew Shoell
--- a/chart/Chart.lock
+++ b/chart/Chart.lock
 dependencies:
 - name: redis
  repository: oci://registry1.dso.mil/bigbang
-  version: 17.10.2-bb.0
+  version: 18.0.4-bb.0
 - name: gluon
  repository: oci://registry1.dso.mil/bigbang
-  version: 0.4.0
-digest: sha256:dfc8baf065850367406ae59e8fb50e28d80602be15246c7de40b9c15d40f55f3
-generated: "2023-05-23T13:51:59.654826-05:00"
+  version: 0.4.1
+digest: sha256:f2fe83910c080540ea175c7059ee9b8d51dbf0a324df8f11a8e0b46ea227ec5d
+generated: "2023-10-19T12:56:49.749136508-06:00"
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: '37.27.0'
 description: Universal dependency update tool that fits into your workflows.
 name: renovate
-version: '34.120.0-bb.2'
+version: '37.27.0-bb.0'
 icon: https://docs.renovatebot.com/assets/images/logo.png
 home: https://github.com/renovatebot/renovate
 keywords:
@@ -36,7 +36,9 @@ annotations:
  artifacthub.io/license: AGPL-3.0-only
  artifacthub.io/images: |
    - name: renovate
-      image: renovate/renovate:34.120.0
+      image: ghcr.io/renovatebot/renovate:37.27.0
+      platforms:
+        - linux/amd64
  artifacthub.io/links: |
    - name: docs
      url: https://docs.renovatebot.com

--- a/chart/Kptfile
+++ b/chart/Kptfile
@@ -5,7 +5,7 @@ metadata:
 upstream:
  type: git
  git:
-    commit: 77c1901f381aa346e1e7805d278fce17ab16887e
+    commit: 95b66745005d3c7bc3422dc84ab13a23aeb9d54d
    repo: https://github.com/renovatebot/helm-charts
    directory: charts/renovate
-    ref: renovate-34.120.0
+    ref: renovate-37.27.0
--- a/chart/README.md
+++ b/chart/README.md
 # renovate

-![Version: 34.120.0](https://img.shields.io/badge/Version-34.120.0-informational?style=flat-square) ![AppVersion: 34.120.0](https://img.shields.io/badge/AppVersion-34.120.0-informational?style=flat-square)
+![Version: 37.27.0](https://img.shields.io/badge/Version-37.27.0-informational?style=flat-square) ![AppVersion: 37.27.0](https://img.shields.io/badge/AppVersion-37.27.0-informational?style=flat-square)

 Universal dependency update tool that fits into your workflows.

@@ -50,17 +50,13 @@ The following table lists the configurable parameters of the chart and the defau
 | cronjob.jobRestartPolicy | string | `"Never"` | Set to Never to restart the job when the pod fails or to OnFailure to restart when a container fails |
 | cronjob.labels | object | `{}` | Labels to set on the cronjob |
 | cronjob.preCommand | string | `""` | Prepend shell commands before renovate runs |
+| cronjob.postCommand | string | `""` | Append shell commands after renovate runs |
 | cronjob.schedule | string | `"0 1 * * *"` | Schedules the job to run using cron notation |
 | cronjob.startingDeadlineSeconds | string | `""` | Deadline to start the job, skips execution if job misses it's configured deadline |
 | cronjob.successfulJobsHistoryLimit | string | `""` | Amount of completed jobs to keep in history |
 | cronjob.suspend | bool | `false` | If it is set to true, all subsequent executions are suspended. This setting does not apply to already started executions. |
+| cronJob.timeZone | string | `""` | You can specify a time zone for a CronJob by setting timeZone to the name of a valid time zone. (starting with k8s 1.27) <https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones> |
 | cronjob.ttlSecondsAfterFinished | string | `"""` | Time to keep the job after it finished before automatically deleting it |
-| dind.enabled | bool | `false` | Enable dind sidecar usage? |
-| dind.image.pullPolicy | string | `"IfNotPresent"` | "IfNotPresent" to pull the image if no image with the specified tag exists on the node, "Always" to always pull the image or "Never" to try and use pre-pulled images |
-| dind.image.repository | string | `"docker"` | Repository to pull dind image from |
-| dind.image.tag | string | `"20.10.23-dind"` | dind image tag to pull |
-| dind.securityContext | object | `{"privileged":true}` | DinD Container-level security-context. Privileged is needed for DinD, it will not work without! |
-| dind.slim.enabled | bool | `true` | Do not add `-slim` suffix to image tag when using dind |
 | env | object | `{}` | Environment variables to set on the renovate container |
 | envFrom | list | `[]` | Environment variables to add from existing secrets/configmaps. Uses the keys as variable name |
 | envList | list | `[]` | Additional env. Helpful too if you want to use anything other than a `value` source. |
@@ -68,12 +64,14 @@ The following table lists the configurable parameters of the chart and the defau
 | extraConfigmaps | list | `[]` | Additional configmaps. A generated configMap name is: "renovate.fullname" + "extra" + name(below) e.g. renovate-netrc-config |
 | extraVolumeMounts | list | `[]` | Additional volumeMounts to the container |
 | extraVolumes | list | `[]` | Additional volumes to the pod |
+| extraContainers | list | `[]` | Additional containers to the pod |
 | fullnameOverride | string | `""` | Override the fully qualified app name |
 | global.commonLabels | object | `{}` | Additional labels to be set on all renovate resources |
 | hostAliases | list | `[]` | Override hostname resolution |
 | image.pullPolicy | string | `"IfNotPresent"` | "IfNotPresent" to pull the image if no image with the specified tag exists on the node, "Always" to always pull the image or "Never" to try and use pre-pulled images |
-| image.repository | string | `"renovate/renovate"` | Repository to pull renovate image from |
-| image.tag | string | `"34.108.3"` | Renovate image tag to pull |
+| image.registry | string | `"ghcr.io"` | Registry to pull image from |
+| image.repository | string | `"renovatebot/renovate"` | Image name to pull |
+| image.tag | string | `"37.27.0"` | Renovate image tag to pull |
 | imagePullSecrets | object | `{}` | Secret to use to pull the image from the repository |
 | nameOverride | string | `""` | Override the name of the chart |
 | nodeSelector | object | `{}` | Select the node using labels to specify where the cronjob pod should run on |
@@ -123,13 +121,22 @@ Allows you to reference values using `"{{ .Values.someValue }}"` in your config
 escape your config entries containing `{{` (i.e. `"key": "{{depName}}"`) in the
 value by wrapping it like: `"key": "{{ "{{depName}}" }}"`.

-## Docker in Docker configuration
+## Renovate full image

-When `dind.enabled` is set to `true`, a Docker in Docker container will run as a sidecar to supply a Docker daemon to the RenovateBot container. This allows the configuration `binarySource` to be set to `docker`, which is the default configuration in the slim Docker images.
-
-The slim suffix will be added to the tag if not present. To disable this behaviour, set `dind.slim.enabled` to `false`.
+This chart is using the slim renovate image by default.
+If you want to use the full renovate image, set the `image.tag` to `full`.
+If you like to use a specific major version, set the `image.tag` to `36-full`.

 ## Redis

 Please check out [bitnami redis](https://artifacthub.io/packages/helm/bitnami/redis) chart for additional redis configuration.

+## Upgrading
+
+A major chart version change can indicate that there is an incompatible breaking change needing maual actions.
+
+### To v16
+
+- The `slim` options was removed, the `latest` tag now points to the slim renovate docker image.
+- The `dind` option was removed. The `slim` renovate version uses `binarySource=install`, so no need for complex Docker in Docker setup.
+- The renovate image is now pulled from `ghcr.io/renovatebot/renovate` by default.
--- a/chart/README.md.gotmpl
+++ b/chart/README.md.gotmpl
@@ -56,12 +56,21 @@ Allows you to reference values using `"{{ .Values.someValue }}"` in your config
 escape your config entries containing `{{` (i.e. `"key": "{{depName}}"`) in the
 value by wrapping it like: `"key": "{{ "{{depName}}" }}"`.

-## Docker in Docker configuration
+## Renovate full image

-When `dind.enabled` is set to `true`, a Docker in Docker container will run as a sidecar to supply a Docker daemon to the RenovateBot container. This allows the configuration `binarySource` to be set to `docker`, which is the default configuration in the slim Docker images.
-
-The slim suffix will be added to the tag if not present. To disable this behaviour, set `dind.slim.enabled` to `false`.
+This chart is using the slim renovate image by default.
+If you want to use the full renovate image, set the `image.tag` to `full`.
+If you like to use a specific major version, set the `image.tag` to `36-full`.

 ## Redis

 Please checkout [bitnami redis](https://artifacthub.io/packages/helm/bitnami/redis) chart for additional redis configuration.
+
+## Upgrading
+
+A major chart version change can indicate that there is an incompatible breaking change needing maual actions.
+
+### To v16
+
+- The `slim` options was removed, the `latest` tag now points to the slim renovate docker image.
+- The `dind` option was removed. The `slim` renovate version uses `binarySource=install`, so no need for complex Docker in Docker setup.
--- a/chart/charts/gluon-0.4.0.tgz
+++ b/chart/charts/gluon-0.4.0.tgz
--- a/chart/charts/gluon-0.4.1.tgz
+++ b/chart/charts/gluon-0.4.1.tgz
--- a/chart/charts/redis-17.10.2-bb.0.tgz
+++ b/chart/charts/redis-17.10.2-bb.0.tgz
--- a/chart/charts/redis-18.0.4-bb.0.tgz
+++ b/chart/charts/redis-18.0.4-bb.0.tgz
--- a/chart/templates/NOTES.txt
+++ b/chart/templates/NOTES.txt
-A {{ template "renovate.name" . }} CronJob will run with schedule {{ .Values.cronjob.schedule }}.
\ No newline at end of file
+A {{ template "renovate.name" . }} CronJob will run with schedule {{ .Values.cronjob.schedule }}.
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -87,17 +87,6 @@ Define ssh config secret
 {{- end -}}
 {{- end -}}

-{{/*
-Force slim image if dind is enabled and slim is not disabled
-*/}}
-{{- define "renovate.imageTag" -}}
-{{- if and .Values.dind.enabled .Values.dind.slim.enabled (not (eq .Values.image.tag "slim")) (not (regexMatch "^.*-slim$" .Values.image.tag)) -}}
-{{- .Values.image.tag }}-slim
-{{- else -}}
-{{- .Values.image.tag }}
-{{- end -}}
-{{- end -}} 
-
 {{/*
 Create a default fully qualified Redis&trade; name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).

--- a/chart/templates/cronjob.yaml
+++ b/chart/templates/cronjob.yaml
@@ -21,6 +21,9 @@ metadata:
 {{- end }}
 spec:
  schedule: "{{ .Values.cronjob.schedule }}"
+  {{- with .Values.cronjob.timeZone }}
+  timeZone: {{ . }}
+  {{- end }}
  {{- with .Values.cronjob.suspend }}
  suspend: {{ . }}
  {{- end }}
@@ -74,32 +77,21 @@ spec:
          {{- end }}
          containers:
            - name: {{ .Chart.Name }}
-              {{ if .Values.istio.enabled }}
-              command: ["/bin/sh"]
-              args:
-                - -c
-                - >- 
-                  docker-entrypoint.sh;
-                  x=$(echo $?);
-                  curl -fsI -X POST http://localhost:15020/quitquitquit;
-                  exit $x;
-              {{ end }}
-              image: "{{ .Values.image.repository }}:{{ include "renovate.imageTag" . }}"
+              image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
              imagePullPolicy: {{ .Values.image.pullPolicy }}
-              {{- if or .Values.dind.enabled .Values.cronjob.preCommand}}
+              {{- if or .Values.cronjob.preCommand .Values.cronjob.postCommand}}
              command: ["/bin/bash", "-c"]
              args:
                - |
-                {{- if .Values.dind.enabled }}
-                  trap "touch /tmp/main-terminated" EXIT
-                  while true; do if [[ -f "/tmp/dind-started" ]]; then break; fi; sleep 1; done
-                {{- end }}
                {{- if .Values.cronjob.preCommand }}
                  {{- .Values.cronjob.preCommand | nindent 18 }}
                {{- end }}
                  renovate
+                {{- if .Values.cronjob.postCommand }}
+                  {{- .Values.cronjob.postCommand | nindent 18 }}
+                {{- end }}
              {{- end }}
-              {{- if or .Values.renovate.config .Values.ssh_config.enabled .Values.dind.enabled .Values.extraVolumes }}
+              {{- if or .Values.renovate.config .Values.ssh_config.enabled .Values.extraVolumes }}
              volumeMounts:
              {{- if .Values.renovate.config }}
              - name: config-volume
@@ -119,10 +111,6 @@ spec:
              - name: {{ include "renovate.fullname" . }}-cache
                mountPath: /tmp/renovate
              {{- end }}
-              {{- if .Values.dind.enabled }}
-              - name: {{ .Chart.Name }}-tmp-volume
-                mountPath: /tmp
-              {{- end }}
              env:
                {{- if .Values.renovate.existingConfigFile }}
                - name: RENOVATE_CONFIG_FILE
@@ -139,14 +127,6 @@ spec:
                - name: {{ $k | quote }}
                  value: {{ $v | quote }}
                {{- end }}
-                {{- if .Values.dind.enabled }}
-                - name: DOCKER_HOST
-                  value: 127.0.0.1:2376
-                - name: DOCKER_CERT_PATH
-                  value: "/tmp/certs/client"
-                - name: DOCKER_TLS_VERIFY
-                  value: "true"
-                {{- end }}
                {{- with .Values.envList }}
                  {{- toYaml . | nindent 16 }}
                {{- end }}
@@ -166,31 +146,9 @@ spec:
              resources:
                {{- toYaml . | nindent 16 }}
            {{- end }}
-            {{- if .Values.dind.enabled }}
-            - name: {{ .Chart.Name }}-dind
-              image: "{{ .Values.dind.image.repository }}:{{ .Values.dind.image.tag }}"
-              imagePullPolicy: {{ .Values.dind.image.pullPolicy }}
-              command: ["/bin/sh", "-c"]
-              args:
-                - |
-                  dockerd-entrypoint.sh &
-                  CHILD_PID=$!
-                  while ! (pgrep containerd); do sleep 1; done
-                  touch /tmp/dind-started
-                  (while true; do if [[ -f "/tmp/main-terminated" ]]; then kill $CHILD_PID; fi; sleep 1; done) &
-                  wait $CHILD_PID
-                  if [[ -f "/tmp/main-terminated" ]]; then exit 0; fi
-              env:
-                - name: DOCKER_TLS_CERTDIR
-                  value: "/tmp/certs"
-            {{- with .Values.dind.securityContext }}
-              securityContext:
-                {{- toYaml . | nindent 16 }}
-            {{- end }}
-              volumeMounts:
-                - name: {{ .Chart.Name }}-tmp-volume
-                  mountPath: /tmp
-            {{- end }}
+          {{- with .Values.extraContainers }}
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
          volumes:
            {{- if .Values.renovate.config }}
              {{- if .Values.renovate.configIsSecret }}

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -10,6 +10,8 @@ fullnameOverride: ''
 cronjob:
  # -- Schedules the job to run using cron notation
  schedule: '0 1 * * *'  # At 01:00 every day
+  # -- You can specify a time zone for a CronJob by setting timeZone to the name of a valid time zone. (starting with k8s 1.27) <https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones>
+  timeZone: ''  # see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for valid names
  # -- If it is set to true, all subsequent executions are suspended. This setting does not apply to already started executions.
  suspend: false
  # -- Annotations to set on the cronjob
@@ -44,6 +46,12 @@ cronjob:
  #   echo hello
  #   echo world

+  # -- Append shell commands after renovate runs
+  postCommand: ''
+  # postCommand: |
+  #   echo hello
+  #   echo world
+
 pod:
  # -- Annotations to set on the pod
  annotations: {}
@@ -54,7 +62,7 @@ image:
  # -- Repository to pull renovate image from
  repository: registry1.dso.mil/ironbank/container-hardening-tools/renovate/renovate
  # -- Renovate image tag to pull
-  tag: 34.120.0
+  tag: 37.27.0
  # -- "IfNotPresent" to pull the image if no image with the specified tag exists on the node, "Always" to always pull the image or "Never" to try and use pre-pulled images
  pullPolicy: IfNotPresent

@@ -119,24 +127,6 @@ secrets: {}
 # -- k8s secret to reference environment variables from. Overrides secrets if set
 existingSecret: ''

-dind:
-  # -- dind is non-functional in BB as it requires a privileged non-hardened container, changing this value does nothing
-  enabled: false
-  slim:
-    # -- Do not add `-slim` suffix to image tag when using dind
-    enabled: true
-  image:
-    # -- Repository to pull dind image from
-    repository: docker
-    # -- dind image tag to pull
-    tag: 20.10.23-dind
-    # -- "IfNotPresent" to pull the image if no image with the specified tag exists on the node, "Always" to always pull the image or "Never" to try and use pre-pulled images
-    pullPolicy: IfNotPresent
-
-  # -- DinD Container-level security-context. Privileged is needed for DinD, it will not work without!
-  securityContext:
-    privileged: true
-
 # -- Additional configmaps. A generated configMap name is: "renovate.fullname" + "extra" + name(below) e.g. renovate-netrc-config
 extraConfigmaps: []
 # extraConfigmaps:
@@ -166,6 +156,23 @@ extraVolumeMounts: []
 #     mountPath: /home/ubuntu/.netrc
 #     subPath: .netrc

+# -- Additional containers to the pod
+extraContainers: []
+# extraContainers:
+#   - name: vault-agent
+#     image: vault:1.6.2
+#     args:
+#     - agent
+#     - -config
+#     - /vault/config/config.hcl
+#     env:
+#     - name: VAULT_ADDR
+#       value: https://vault:8200
+#     - name: VAULT_SKIP_VERIFY
+#       value: "false"
+#     - name: VAULT_CACERT
+#       value: /vault/tls/ca.crt
+
 serviceAccount:
  # -- Specifies whether a service account should be created
  create: false