Merge branch 'renovate-dash' into 'master'

Renovate dash SKIP UPGRADE

See merge request platform-one/big-bang/apps/sandbox/renovate!10

.gitignore

+overlay.yaml
\ No newline at end of file

CHANGELOG.md

+# Changelog
+
+Format: [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
+
+## [32.71.3-bb.0] - 2022-06-09
+
+- Initial renovate release
\ No newline at end of file

CODEOWNERS

-* @michaelmcleroy @runyontr
+* @runyontr @jmcclintock @brandt.w.keller @gedd.johnson @matt.strong @anthonywendt @gavin.scallon @chinenyeanumudu @darcy.cleaver @rothandrew2 @michaelmcleroy
\ No newline at end of file

README.md

-# Renovate
+# renovate
 
+![Version: 32.38.0-bb.0](https://img.shields.io/badge/Version-32.38.0--bb.0-informational?style=flat-square) ![AppVersion: 32.38.0](https://img.shields.io/badge/AppVersion-32.38.0-informational?style=flat-square)
+
+Universal dependency update tool that fits into your workflows.
+
+## Upstream References
+* <https://github.com/renovatebot/renovate>
+
+* <https://github.com/renovatebot/renovate>
+* <https://github.com/renovatebot/helm-charts>
+
+## Learn More
+* [Application Overview](docs/overview.md)
+* [Other Documentation](docs/)
+
+## Pre-Requisites
+
+* Kubernetes Cluster deployed
+* Kubernetes config installed in `~/.kube/config`
+* Helm installed
+
+Install Helm
+
+https://helm.sh/docs/intro/install/
+
+## Deployment
+
+* Clone down the repository
+* cd into directory
+```bash
+helm install renovate chart/
+```
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| cronjob.schedule | string | `"0 1 * * *"` |  |
+| cronjob.suspend | bool | `false` | If it is set to true, all subsequent executions are suspended. This setting does not apply to already started executions. |
+| cronjob.annotations | object | `{}` |  |
+| cronjob.labels | object | `{}` |  |
+| cronjob.concurrencyPolicy | string | `""` |  |
+| cronjob.failedJobsHistoryLimit | string | `""` |  |
+| cronjob.successfulJobsHistoryLimit | string | `""` |  |
+| cronjob.jobRestartPolicy | string | `"Never"` |  |
+| cronjob.jobBackoffLimit | string | `""` |  |
+| cronjob.startingDeadlineSeconds | string | `""` |  |
+| pod.annotations | object | `{}` |  |
+| pod.labels | object | `{}` |  |
+| image.repository | string | `"registry1.dso.mil/ironbank/container-hardening-tools/renovate/renovate"` |  |
+| image.tag | string | `"32.38.0"` |  |
+| image.pullPolicy | string | `"IfNotPresent"` |  |
+| imagePullSecrets[0].name | string | `"private-registry"` |  |
+| renovate.existingConfigFile | string | `""` | Custom exiting global renovate config |
+| renovate.config | string | `""` | Inline global renovate config.json |
+| ssh_config.enabled | bool | `false` |  |
+| ssh_config.id_rsa | string | `""` |  |
+| ssh_config.id_rsa_pub | string | `""` |  |
+| ssh_config.config | string | `""` |  |
+| ssh_config.existingSecret | string | `""` |  |
+| secrets | object | `{}` |  |
+| existingSecret | string | `""` |  |
+| dind.enabled | bool | `false` | dind is non-functional in BB as it requires a privileged non-hardened container, changing this value does nothing |
+| extraConfigmaps | list | `[]` | Additional configmaps. A generated configMap name is: "renovate.fullname" + "extra" + name(below) e.g. renovate-netrc-config |
+| extraVolumes | list | `[]` | Additional volumes to the pod |
+| extraVolumeMounts | list | `[]` | Additional volumeMounts to the container |
+| serviceAccount.create | bool | `false` |  |
+| serviceAccount.annotations | object | `{}` |  |
+| serviceAccount.name | string | `""` |  |
+| resources | object | `{}` |  |
+| envFrom | list | `[]` |  |
+| env | object | `{}` |  |
+| redis.enabled | bool | `false` | Enable the Redis subchart? |
+| redis.architecture | string | `"standalone"` | Disable replication by default |
+| redis.auth.enabled | bool | `false` | Don't require a password by default |
+| redis.kubeVersion | string | `""` | Override Kubernetes version for redis chart |
+| apiVersionOverrides.cronjob | string | `""` | String to override apiVersion of cronjob rendered by this helm chart |
+| domain | string | `"bigbang.dev"` | Big Bang Values |
+| istio.enabled | bool | `false` |  |
+| istio.mtls.mode | string | `"PERMISSIVE"` | STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic PERMISSIVE is required for any action which redeploys pods because STRICT interferes with initContainers Can be changed to STRICT after all initContainers have finished but will interfere with upgrades/pod deployments that have initContainers |
+| istio.renovate.enabled | bool | `true` |  |
+| istio.renovate.gateways[0] | string | `"istio-system/public"` |  |
+| networkPolicies.enabled | bool | `false` |  |
+| networkPolicies.ingressLabels.app | string | `"istio-ingressgateway"` |  |
+| networkPolicies.ingressLabels.istio | string | `"ingressgateway"` |  |
+| networkPolicies.renovateTargetIpRange | string | `""` | IP range of target deployment |
+
+## Contributing
+
+Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in contributing.

bigbang/Chart.yaml

+apiVersion: v2
+name: bigbang-renovate
+description: BigBang compatible Helm chart for Renovate
+type: application
+version: 0.1.0
+appVersion: 1.0.0

bigbang/README.md

+# Big Bang compatible Helm chart
+
+This helm chart deploys the application using the same methods and values as Big Bang.
+
+## Prerequisites
+
+- Kubernetes cluster matching [Big Bang's Prerequisites](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/tree/master/docs/guides/prerequisites)
+- [FluxCD](https://fluxcd.io/) running in the cluster
+- The [Big Bang git repository](https://repo1.dso.mil/platform-one/big-bang/bigbang) cloned into `~/bigbang`
+- [Helm](https://helm.sh/docs/intro/install/)
+
+## Usage
+
+### Installation
+
+1. Install Big Bang
+
+```helm upgrade -i -n bigbang --create-namespace -f ~/bigbang/chart/values.yaml -f bigbang/values.yaml bigbang ~/bigbang/chart```
+
+2. Install this chart
+
+```helm upgrade -i -n bigbang --create-namespace -f ~/bigbang/chart/values.yaml -f bigbang/values.yaml bigbang-renovate bigbang```
+
+### Removal
+
+```helm delete -n bigbang bigbang-renovate```
+

bigbang/templates/_helpers.tpl

+{{- define "imagePullSecret" }}
+  {{- if .Values.registryCredentials -}}
+    {{- $credType := typeOf .Values.registryCredentials -}}
+          {{- /* If we have a list, embed that here directly. This allows for complex configuration from configmap, downward API, etc. */ -}}
+    {{- if eq $credType "[]interface {}" -}}
+    {{- include "multipleCreds" . | b64enc }}
+    {{- else if eq $credType "map[string]interface {}" }}
+      {{- /* If we have a map, treat those as key-value pairs. */ -}}
+      {{- if and .Values.registryCredentials.username .Values.registryCredentials.password }}
+      {{- with .Values.registryCredentials }}
+      {{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" .registry .username .password .email (printf "%s:%s" .username .password | b64enc) | b64enc }}
+      {{- end }}
+      {{- end }}
+    {{- end -}}
+  {{- end }}
+{{- end }}
+
+{{- define "multipleCreds" -}}
+{
+  "auths": {
+    {{- range $i, $m := .Values.registryCredentials }}
+    {{- /* Only create entry if resulting entry is valid */}}
+    {{- if and $m.registry $m.username $m.password }}
+    {{- if $i }},{{ end }}
+    "{{ $m.registry }}": {
+      "username": "{{ $m.username }}",
+      "password": "{{ $m.password }}",
+      "email": "{{ $m.email | default "" }}",
+      "auth": "{{ printf "%s:%s" $m.username $m.password | b64enc }}"
+    }
+    {{- end }}
+    {{- end }}
+  }
+}
+{{- end }}
+
+{{/*
+Build the appropriate spec.ref.{} given git branch, commit values
+*/}}
+{{- define "validRef" -}}
+{{- if .commit -}}
+{{- if not .branch -}}
+{{- fail "A valid branch is required when a commit is specified!" -}}
+{{- end -}}
+branch: {{ .branch | quote }}
+commit: {{ .commit }}
+{{- else if .semver -}}
+semver: {{ .semver | quote }}
+{{- else if .tag -}}
+tag: {{ .tag }}
+{{- else -}}
+branch: {{ .branch | quote }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Build the appropriate git credentials secret for private git repositories
+*/}}
+{{- define "gitCreds" -}}
+{{- if .Values.git.existingSecret -}}
+secretRef:
+  name: {{ .Values.git.existingSecret }}
+{{- else if coalesce .Values.git.credentials.username .Values.git.credentials.password .Values.git.credentials.caFile .Values.git.credentials.privateKey .Values.git.credentials.publicKey .Values.git.credentials.knownHosts "" -}}
+{{- /* Input validation happens in git-credentials.yaml template */ -}}
+secretRef:
+  name: {{ $.Release.Name }}-git-credentials
+{{- end -}}
+{{- end -}}
+
+{{/*
+Build common set of file extensions to include/exclude
+*/}}
+{{- define "gitIgnore" -}}
+  ignore: |
+    # exclude file extensions
+    /**/*.md
+    /**/*.txt
+    /**/*.sh
+    !/chart/tests/scripts/*.sh
+{{- end -}}
+
+{{/*
+Common labels for all objects
+*/}}
+{{- define "commonLabels" -}}
+app.kubernetes.io/instance: "{{ .Release.Name }}"
+app.kubernetes.io/version: "{{ .Chart.Version }}"
+app.kubernetes.io/part-of: "bigbang"
+app.kubernetes.io/managed-by: "flux"
+{{- end -}}
+
+{{- define "values-secret" -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .root.Release.Name }}-{{ .name }}-values
+  namespace: {{ .root.Release.Namespace }}
+type: generic
+stringData:
+  common: |
+  defaults: {{- toYaml .defaults | nindent 4 }}
+  overlays: |
+    {{- toYaml .package.values | nindent 4 }}
+{{- end -}}
+
+{{/* 
+bigbang.addValueIfSet can be used to nil check parameters before adding them to the values.
+  Expects a list with the following params:
+    * [0] - (string) <yaml_key_to_add>
+    * [1] - (interface{}) <value_to_check>
+  
+  No output is generated if <value> is undefined, however, explicitly set empty values 
+  (i.e. `username=""`) will be passed along. All string fields will be quoted.
+
+  Example command: 
+  - `{{ (list "name" .username) | include "bigbang.addValueIfSet" }}`
+    * When `username: Aniken`
+      -> `name: "Aniken"`
+    * When `username: ""`
+      -> `name: ""`
+    * When username is not defined
+      -> no output 
+*/}}
+{{- define "bigbang.addValueIfSet" -}}
+  {{- $key := (index . 0) }}
+  {{- $value := (index . 1) }}
+  {{- /*If the value is explicitly set (even if it's empty)*/}}
+  {{- if not (kindIs "invalid" $value) }}
+    {{- /*Handle strings*/}}
+    {{- if kindIs "string" $value }}
+      {{- printf "\n%s" $key }}: {{ $value | quote }} 
+    {{- /*Hanldle slices*/}}
+    {{- else if kindIs "slice" $value }}
+      {{- printf "\n%s" $key }}:    
+        {{- range $value }}
+          {{- if kindIs "string" . }}
+            {{- printf "\n  - %s" (. | quote) }}
+          {{- else }} 
+            {{- printf "\n  - %v" . }}
+          {{- end }}
+        {{- end }}
+    {{- /*Handle other types (no quotes)*/}}
+    {{- else }}
+      {{- printf "\n%s" $key }}: {{ $value }} 
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
+{{/*
+Annotation for Istio version
+*/}}
+{{- define "istioAnnotation" -}}
+{{- if .Values.istio.git.semver -}}
+bigbang.dev/istioVersion: {{ .Values.istio.git.semver | trimSuffix (regexFind "-bb.*" .Values.istio.git.semver) }}
+{{- else if .Values.istio.git.tag -}}
+bigbang.dev/istioVersion: {{ .Values.istio.git.tag | trimSuffix (regexFind "-bb.*" .Values.istio.git.tag) }}
+{{- else if .Values.istio.git.branch -}}
+bigbang.dev/istioVersion: {{ .Values.istio.git.branch }}
+{{- end -}}
+{{- end -}}

bigbang/templates/renovate/gitrepository.yaml

+{{- $pkg := "renovate" }}
+{{- if (get .Values $pkg).enabled }}
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: {{ $pkg }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ $pkg }}
+    {{- include "commonLabels" . | nindent 4}}
+spec:
+  interval: {{ .Values.flux.interval }}
+  url: {{ (get .Values $pkg).git.repo }}
+  ref:
+    {{- include "validRef" (get .Values $pkg).git | nindent 4 }}
+  {{ include "gitIgnore" . }}
+  {{- include "gitCreds" . | nindent 2 }}
+{{- end }}

bigbang/templates/renovate/helmrelease.yaml

+{{- $pkg := "renovate" }}
+{{- $fluxSettings := merge (get .Values $pkg).flux .Values.flux -}}
+{{- if (get .Values $pkg).enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: {{ $pkg }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ $pkg }}
+    {{- include "commonLabels" . | nindent 4}}
+spec:
+  {{- if or (.Values.istio.enabled) (.Values.gatekeeper.enabled) (.Values.clusterAuditor.enabled) }}
+  dependsOn:
+    {{- if .Values.istio.enabled }}
+    - name: istio
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
+    {{- if .Values.gatekeeper.enabled }}
+    - name: gatekeeper
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
+    {{- if .Values.clusterAuditor.enabled }}
+    - name: cluster-auditor
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
+  {{- end }}
+  targetNamespace: {{ $pkg }}
+  chart:
+    spec:
+      chart: {{ (get .Values $pkg).git.path }}
+      interval: 5m
+      sourceRef:
+        kind: GitRepository
+        name: {{ $pkg }}
+        namespace: {{ .Release.Namespace }}
+
+  {{- toYaml $fluxSettings | nindent 2 }}
+
+  {{- if (get .Values $pkg).postRenderers }}
+  postRenderers:
+  {{ toYaml (get .Values $pkg).postRenderers | nindent 4 }}
+  {{- end }}
+  valuesFrom:
+    - name: {{ .Release.Name }}-{{ $pkg }}-values
+      kind: Secret
+      valuesKey: "common"
+    - name: {{ .Release.Name }}-{{ $pkg }}-values
+      kind: Secret
+      valuesKey: "defaults"
+    - name: {{ .Release.Name }}-{{ $pkg }}-values
+      kind: Secret
+      valuesKey: "overlays"
+{{- end }}

bigbang/templates/renovate/imagepullsecret.yaml

+{{- $pkg := "renovate" }}
+{{- if (get .Values $pkg).enabled }}
+{{- if ( include "imagePullSecret" . ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: private-registry
+  namespace: {{ $pkg }}
+  labels:
+    app.kubernetes.io/name: {{ $pkg }}
+    {{- include "commonLabels" . | nindent 4}}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
+{{- end }}

bigbang/templates/renovate/namespace.yaml

+{{- $pkg := "renovate" }}
+{{- if (get .Values $pkg).enabled }}
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ $pkg }}
+  labels:
+    {{- if .Values.istio.enabled }}
+    istio-injection: "enabled"
+    {{- end }}
+    app.kubernetes.io/name: {{ $pkg }}
+    {{- include "commonLabels" . | nindent 4}}
+{{- end }}

bigbang/templates/renovate/values.yaml

+{{- $pkg := "renovate" }}
+{{- define "bigbang.defaults.renovate" -}}
+# hostname is deprecated and replaced with domain. But if hostname exists then use it.
+domain: {{ default .Values.domain .Values.hostname }}
+istio:
+  enabled: {{ .Values.istio.enabled }}
+  renovate:
+    gateways:
+    - istio-system/{{ default "public" .Values.renovate.ingress.gateway }}
+
+networkPolicies:
+  enabled: {{ .Values.networkPolicies.enabled }}
+  ingressLabels:
+    {{- $gateway := default "public" .Values.renovate.ingress.gateway }}
+    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
+    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
+  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+{{- end }}
+
+{{- /* Create secret */ -}}
+{{- if (get .Values $pkg).enabled }}
+{{- include "values-secret" (dict "root" $ "package" (get .Values $pkg) "name" $pkg "defaults" (include (printf "bigbang.defaults.%s" $pkg) .)) }}
+{{- end }}

bigbang/values.yaml

+renovate:
+  enabled: true
+
+  git:
+    repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/renovate
+    branch: main
+    path: chart
+
+  flux: {}
+
+  ingress:
+    gateway: ""
+
+# Big Bang 
+domain: bigbang.dev
+
+networkPolicies:
+  enabled: true
+
+istiooperator:
+  enabled: true
+
+istio:
+  enabled: true
+
+gatekeeper:
+  enabled: true
+
+clusterAuditor:
+  enabled: true
+
+eckoperator:
+  enabled: false
+
+logging:
+  enabled: false
+
+fluentbit:
+  enabled: false
+
+# -- This is because integration job in bbci is broken and clusterAuditor fails without monitoring enabled
+monitoring:
+  enabled: true
+
+jaeger:
+  enabled: false
+
+kiali:
+  enabled: false
+
+twistlock:
+  enabled: false
+
+promtail:
+  enabled: false
\ No newline at end of file

chart/.helmignore

+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
+ci/
+README.md.gotmpl

chart/Chart.lock

+dependencies:
+- name: redis
+  repository: file://deps/redis
+  version: 16.9.2-bb.0
+digest: sha256:5bc0be4aa74148551cec5556e12a42f81ccf5ab9d3aea0ff2d616c4c511539f8
+generated: "2022-06-09T15:54:24.194470134-05:00"

chart/Chart.yaml

+apiVersion: v2
+appVersion: '32.38.0'
+description: Universal dependency update tool that fits into your workflows.
+name: renovate
+version: '32.38.0-bb.0'
+icon: https://docs.renovatebot.com/assets/images/logo.png
+home: https://github.com/renovatebot/renovate
+keywords:
+  - automated
+  - dependencies
+  - dependency
+  - management
+  - update
+sources:
+  - https://github.com/renovatebot/renovate
+  - https://github.com/renovatebot/helm-charts
+maintainers:
+  - name: JamieMagee
+    email: jamie.magee@gmail.com
+  - name: viceice
+    email: michael.kriese@visualon.de
+  - name: rarkins
+    email: rhys@arkins.net
+annotations:
+  artifacthub.io/license: AGPL-3.0-only
+  artifacthub.io/images: |
+    - name: renovate
+      image: renovate/renovate:32.38.0
+  artifacthub.io/links: |
+    - name: docs
+      url: https://docs.renovatebot.com
+dependencies:
+  - name: redis
+    repository: file://deps/redis
+    version: 16.9.2-bb.0
+    condition: redis.enabled

chart/Kptfile

+apiVersion: kpt.dev/v1alpha1
+kind: Kptfile
+metadata:
+  name: renovate
+upstream:
+  type: git
+  git:
+    commit: 25e5fc95267f20ada51d0a8f458221e2d43f9405
+    repo: https://github.com/renovatebot/helm-charts
+    directory: charts/renovate
+    ref: renovate-32.38.0