renovate bot

helm/renovate-bot/templates/application.yaml

@@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: renovate-bot
+spec:
+  project: default
+  source:
+    repoURL: https://git.example.com/agentguard-ci.git
+    targetRevision: main
+    path: helm/renovate-bot
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

helm/renovate-bot/templates/clusterrole.yaml

@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: renovate-bot
+rules:
+  - apiGroups: [""]
+    resources: ["secrets", "configmaps"]
+    verbs: ["get", "list", "watch"]

helm/renovate-bot/templates/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: renovate-bot
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: renovate-bot
+subjects:
+  - kind: ServiceAccount
+    name: renovate-bot
+    namespace: default

helm/renovate-bot/templates/configmap.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: renovate-bot-config
+data:
+  renovate.json: |
+    {
+      "extends": ["github>my-org/my-repo//renovate-preset"],
+      "onboarding": false,
+      "platform": "github",
+      "repositories": {{ toJson .Values.repositories }}
+    }

helm/renovate-bot/templates/cronjob.yaml

@@ -0,0 +1,40 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: renovate-bot
+spec:
+  schedule: {{ .Values.schedule | quote }}
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          serviceAccountName: renovate-bot
+          restartPolicy: Never
+          containers:
+            - name: renovate
+              image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+              imagePullPolicy: {{ .Values.image.pullPolicy }}
+              env:
+                - name: RENOVATE_CONFIG_FILE
+                  value: /etc/renovate/renovate.json
+                - name: RENOVATE_REPOSITORIES
+                  value: {{ join "," .Values.repositories | quote }}
+                - name: GITHUB_TOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      name: renovate-bot
+                      key: github-token
+                - name: GITLAB_TOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      name: renovate-bot
+                      key: gitlab-token
+              args:
+                - renovate
+              volumeMounts:
+                - name: config
+                  mountPath: /etc/renovate
+          volumes:
+            - name: config
+              configMap:
+                name: renovate-bot-config

helm/renovate-bot/templates/serviceaccount.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: renovate-bot
+  annotations:
+    secrets.infisical.com/auto-reload: "true"