refactor: renovate update

- remove matchStrings and use build managers - add renovate groups and automerge - add dummy-check as renovate need at least on status check for automerge - extend renovate.json5 from projects - change secret resolution strategy from sops to AWS SSM injection on talos configs
timtorChen · Mar 16, 2024 · 24662ac · 24662ac
1 parent 4afbc06
commit 24662ac
Show file tree

Hide file tree

Showing 43 changed files with 308 additions and 366 deletions.
diff --git a/.github/workflows/dummy-check.yaml b/.github/workflows/dummy-check.yaml
@@ -0,0 +1,11 @@
+---
+name: dummy-check
+"on":
+  pull_request:
+    branches: ["main"]
+
+jobs:
+  echo:
+    runs-on: "ubuntu-latest"
+    steps:
+      - run: echo "dummy-check"
diff --git a/.github/workflows/cron-renovate.yaml → .github/workflows/renovate.yaml b/.github/workflows/cron-renovate.yaml → .github/workflows/renovate.yaml
@@ -1,9 +1,13 @@
 ---
-name: cron-renovate
+name: renovate
 "on":
+  workflow_dispatch:
   push:
     branches:
       - "main"
+    paths:
+      - "renovate.json5"
+      - "**/renovate.json5"
   schedule:
     - cron: "0 0 * * *" # every 08:00 UTC+8
 jobs:

diff --git a/amethyst/Taskfile.yaml b/amethyst/Taskfile.yaml
@@ -170,31 +170,43 @@ tasks:
   talos:apply:
     silent: true
     dir: talos
+    env: &talos-env
+      SECRET_ENV:
+        sh: |
+          export AWS_PROFILE=sso-admin@aws-homelab
+          aws ssm get-parameters --with-decryption \
+          --names /amethyst/talos-machine /amethyst/talos-cluster |\
+          jq -r '.Parameters[].Value | fromjson | to_entries[] | "\(.key)=\(.value)"'
     cmds:
       - |
         NODE={{.NODE}}
         [ -z "$NODE" ] && echo -n "Apply node: " && read NODE
         export IP="$(yq 'head_comment' "${NODE}.yaml" | yq '.ip')"
         [ -z "$IP" ] && exit 1
+
         export TYPE="$(yq '.machine.type' "${NODE}.yaml")"
-        export TYPE_CONFIG="$(sops -d "${TYPE}.sops.yaml")"
-        export CONFIG="$(yq '. *= env(TYPE_CONFIG)' "${NODE}.yaml")"
+        export CONFIG="$(yq ea '. as $item ireduce ({}; . * $item)' "${TYPE}.yaml" "${NODE}.yaml")"
+        export $SECRET_ENV
+        export CONFIG="$(echo "$CONFIG" | envsubst)"
         talosctl apply-config -f <(echo -n "$CONFIG") -n "$IP" {{.CLI_ARGS}}
 
   talos:upgrade:
     silent: true
     dir: talos
     prompt: The upgrade process will cause a reboot... continue?
+    env: *talos-env
     cmds:
       - |
         NODE={{.NODE}}
         [ -z "$NODE" ] && echo -n "Upgrade node: " && read NODE
         export IP="$(yq 'head_comment' "${NODE}.yaml" | yq '.ip')"
         [ -z "$IP" ] && exit 1
+
         export TYPE="$(yq '.machine.type' "${NODE}.yaml")"
-        export IMAGE="$(yq '.machine.install.image' "${TYPE}.sops.yaml")"
-        export TYPE_CONFIG="$(sops -d "${TYPE}.sops.yaml")"
-        export CONFIG="$(yq '. *= env(TYPE_CONFIG)' "${NODE}.yaml")"
+        export IMAGE="$(yq '.machine.install.image' "${TYPE}.yaml")"
+        export CONFIG="$(yq ea '. as $item ireduce ({}; . * $item)' "${TYPE}.yaml" "${NODE}.yaml")"
+        export $SECRET_ENV
+        export CONFIG="$(echo "$CONFIG" | envsubst)"
 
         echo "> Apply configuration"
         talosctl apply-config -f <(echo -n "$CONFIG") -n "$IP"

diff --git a/amethyst/kubernetes/archive/wego/wego.yaml b/amethyst/kubernetes/archive/wego/wego.yaml
@@ -21,7 +21,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: wego
-      # renovate: packageName=ghcr.io/weaveworks/charts/weave-gitops
       chart: weave-gitops
       version: 4.0.36
   interval: 1h

diff --git a/amethyst/kubernetes/aws-identity-webhook/aws-identity-webhook.yaml b/amethyst/kubernetes/aws-identity-webhook/aws-identity-webhook.yaml
@@ -19,7 +19,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: jkroepke
-      # renovate: registryUrl=https://jkroepke.github.io/helm-charts/
       chart: amazon-eks-pod-identity-webhook
       version: 2.1.3
   interval: 1h

diff --git a/amethyst/kubernetes/cert-manager/cert-manager.yaml b/amethyst/kubernetes/cert-manager/cert-manager.yaml
@@ -19,7 +19,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: cert-manager
-      # renovate: registryUrl=https://charts.jetstack.io
       chart: cert-manager
       version: v1.12.2
   install:

diff --git a/amethyst/kubernetes/cloudflared/cloudflared.yaml b/amethyst/kubernetes/cloudflared/cloudflared.yaml
@@ -19,7 +19,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: bjw-s
-      # renovate: registryUrl=https://bjw-s.github.io/helm-charts
       chart: app-template
       version: 1.5.1
   interval: 1h
@@ -31,7 +30,6 @@ spec:
       rollingUpdate:
         unavailable: 1
     image:
-      # renovate:
       repository: cloudflare/cloudflared
       tag: 2024.2.1
     args:

diff --git a/amethyst/kubernetes/cnpg/cnpg.yaml b/amethyst/kubernetes/cnpg/cnpg.yaml
@@ -21,7 +21,6 @@ spec:
         kind: HelmRepository
         namespace: cnpg
         name: cnpg
-      # renovate: registryUrl=https://cloudnative-pg.github.io/charts
       chart: cloudnative-pg
       version: 0.18.1
   install:

diff --git a/amethyst/kubernetes/flux-system/flux2.yaml b/amethyst/kubernetes/flux-system/flux2.yaml
@@ -9,7 +9,6 @@ spec:
   interval: 1m
   url: https://github.com/fluxcd/flux2
   ref:
-    # renovate: github-repo=fluxcd/flux2
     tag: v2.2.3
   ignore: |
     /*

diff --git a/amethyst/kubernetes/grafana/app/grafana.yaml b/amethyst/kubernetes/grafana/app/grafana.yaml
@@ -20,7 +20,6 @@ spec:
         kind: HelmRepository
         namespace: grafana
         name: grafana
-      # renovate: registryUrl=https://grafana.github.io/helm-charts
       chart: grafana
       version: 7.3.7
   interval: 1h

diff --git a/amethyst/kubernetes/ingress-nginx/ingress-nginx.yaml b/amethyst/kubernetes/ingress-nginx/ingress-nginx.yaml
@@ -19,7 +19,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: ingress-nginx
-      # renovate: registryUrl=https://kubernetes.github.io/ingress-nginx
       chart: ingress-nginx
       version: 4.7.0
   interval: 1h

diff --git a/amethyst/kubernetes/kube-system/metrics-server.yaml b/amethyst/kubernetes/kube-system/metrics-server.yaml
@@ -19,7 +19,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: metrics-server
-      # renovate: registryUrl=https://kubernetes-sigs.github.io/metrics-server/
       chart: metrics-server
       version: 3.12.0
   interval: 1h

diff --git a/amethyst/kubernetes/kube-system/secrets-store-csi-driver-provider-aws.yaml b/amethyst/kubernetes/kube-system/secrets-store-csi-driver-provider-aws.yaml
@@ -19,7 +19,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: aws-secrets-manager
-      # renovate: registryUrl=https://aws.github.io/secrets-store-csi-driver-provider-aws
       chart: secrets-store-csi-driver-provider-aws
       version: 0.3.6
   interval: 1h

diff --git a/amethyst/kubernetes/kube-system/secrets-store-csi-driver.yaml b/amethyst/kubernetes/kube-system/secrets-store-csi-driver.yaml
@@ -19,7 +19,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: secrets-store-csi-driver
-      # renovate: registryUrl=https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
       chart: secrets-store-csi-driver
       version: 1.4.2
   install:

diff --git a/amethyst/kubernetes/kube-system/snapshot-controller.yaml b/amethyst/kubernetes/kube-system/snapshot-controller.yaml
@@ -10,8 +10,7 @@ spec:
   interval: 5m
   url: https://github.com/kubernetes-csi/external-snapshotter
   ref:
-    # renovate: github-repo=kubernetes-csi/external-snapshotter
-    tag: v6.2.2
+    tag: v6.3.3
   ignore: |
     /*
     # include the crd folder
@@ -39,8 +38,7 @@ spec:
   interval: 5m
   url: https://github.com/kubernetes-csi/external-snapshotter
   ref:
-    # renovate: github-repo=kubernetes-csi/external-snapshotter
-    tag: v6.2.2
+    tag: v6.3.3
   ignore: |
     /*
     # include the manifest folder

diff --git a/amethyst/kubernetes/kyverno/kyverno.yaml b/amethyst/kubernetes/kyverno/kyverno.yaml
@@ -21,7 +21,6 @@ spec:
         kind: HelmRepository
         name: kyverno
       version: 3.0.1
-      # renovate: registryUrl=https://kyverno.github.io/kyverno
       chart: kyverno
   install:
     crds: CreateReplace

diff --git a/amethyst/kubernetes/loki/loki.yaml b/amethyst/kubernetes/loki/loki.yaml
@@ -19,7 +19,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: grafana
-      # renovate: registryUrl=https://grafana.github.io/helm-charts
       chart: loki
       version: 5.26.0
   interval: 1h

diff --git a/amethyst/kubernetes/metallb-system/metallb.yaml b/amethyst/kubernetes/metallb-system/metallb.yaml
@@ -21,7 +21,6 @@ spec:
         kind: HelmRepository
         name: metallb
       version: 0.13.10
-      # renovate: registryUrl=https://metallb.github.io/metallb
       chart: metallb
   interval: 1h
   maxHistory: 1

diff --git a/amethyst/kubernetes/mimir/mimir.yaml b/amethyst/kubernetes/mimir/mimir.yaml
@@ -19,7 +19,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: grafana
-      # renovate: registryUrl=https://grafana.github.io/helm-charts
       chart: mimir-distributed
       version: 5.0.0
   interval: 1h

diff --git a/amethyst/kubernetes/mydata/immich/app/immich.yaml b/amethyst/kubernetes/mydata/immich/app/immich.yaml
@@ -19,7 +19,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: bjw-s
-      # renovate: registryUrl=https://bjw-s.github.io/helm-charts
       chart: app-template
       version: 1.5.1
   interval: 1h
@@ -28,7 +27,6 @@ spec:
     controller:
       strategy: RollingUpdate
     image:
-      # renovate:
       repository: ghcr.io/immich-app/immich-server
       tag: v1.98.2
     command: ["./start.sh", "immich"]
@@ -118,7 +116,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: bjw-s
-      # renovate: registryUrl=https://bjw-s.github.io/helm-charts
       chart: app-template
       version: 1.5.1
   interval: 1h
@@ -127,7 +124,6 @@ spec:
     controller:
       strategy: RollingUpdate
     image:
-      # renovate:
       repository: ghcr.io/immich-app/immich-server
       tag: v1.98.2
     command: ["./start.sh", "microservices"]
@@ -214,14 +210,12 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: bjw-s
-      # renovate: registryUrl=https://bjw-s.github.io/helm-charts
       chart: app-template
       version: 1.5.1
   interval: 1h
   maxHistory: 1
   values:
     image:
-      # renovate:
       repository: ghcr.io/immich-app/immich-machine-learning
       tag: v1.98.2
     env:

diff --git a/amethyst/kubernetes/mydata/immich/deps/immich-dragonfly.yaml b/amethyst/kubernetes/mydata/immich/deps/immich-dragonfly.yaml
@@ -10,7 +10,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: bjw-s
-      # renovate: registryUrl=https://bjw-s.github.io/helm-charts
       chart: app-template
       version: 1.5.1
   interval: 1h
@@ -20,7 +19,6 @@ spec:
       type: statefulset
       replicas: 1
     image:
-      # renovate:
       repository: ghcr.io/dragonflydb/dragonfly
       tag: v1.6.2
     args:

diff --git a/amethyst/kubernetes/mydata/navidrome/navidrome.yaml b/amethyst/kubernetes/mydata/navidrome/navidrome.yaml
@@ -11,14 +11,12 @@ spec:
         kind: HelmRepository
         namespace: mydata
         name: bjw-s
-      # renovate: registryUrl=https://bjw-s.github.io/helm-charts
       chart: app-template
       version: 1.5.1
   interval: 1h
   maxHistory: 1
   values:
     image:
-      # renovate:
       repository: deluan/navidrome
       tag: 0.51.1
 

diff --git a/amethyst/kubernetes/mydata/nextcloud/app/nextcloud.yaml b/amethyst/kubernetes/mydata/nextcloud/app/nextcloud.yaml
@@ -10,7 +10,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: bjw-s
-      # renovate: registryUrl=https://bjw-s.github.io/helm-charts
       chart: app-template
       version: 1.5.1
   interval: 1h
@@ -22,7 +21,6 @@ spec:
       rollingUpdate:
         unavailable: 1
     image:
-      # renovate:
       repository: nextcloud
       tag: 28.0.3-apache
     serviceAccount:

diff --git a/amethyst/kubernetes/mydata/nextcloud/deps/nextcloud-dragonfly.yaml b/amethyst/kubernetes/mydata/nextcloud/deps/nextcloud-dragonfly.yaml
@@ -10,7 +10,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: bjw-s
-      # renovate: registryUrl=https://bjw-s.github.io/helm-charts
       chart: app-template
       version: 1.5.1
   interval: 1h
@@ -19,7 +18,6 @@ spec:
       type: statefulset
       replicas: 1
     image:
-      # renovate:
       repository: ghcr.io/dragonflydb/dragonfly
       tag: v1.6.2
     args:

diff --git a/amethyst/kubernetes/node-exporter/node-exporter.yaml b/amethyst/kubernetes/node-exporter/node-exporter.yaml
@@ -19,7 +19,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: prometheus-community
-      # renovate: registryUrl=https://prometheus-community.github.io/helm-charts
       chart: prometheus-node-exporter
       version: 4.31.0
   interval: 1h

diff --git a/amethyst/kubernetes/prometheus/kube-prometheus-stack.yaml b/amethyst/kubernetes/prometheus/kube-prometheus-stack.yaml
@@ -19,7 +19,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: prometheus-community
-      # renovate: registryUrl=https://prometheus-community.github.io/helm-charts
       chart: kube-prometheus-stack
       version: 48.2.1
   install:

diff --git a/amethyst/kubernetes/promtail/promtail.yaml b/amethyst/kubernetes/promtail/promtail.yaml
@@ -19,7 +19,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: grafana
-      # renovate: registryUrl=https://grafana.github.io/helm-charts
       chart: promtail
       version: 6.15.5
   interval: 1h

diff --git a/amethyst/kubernetes/reloader/reloader.yaml b/amethyst/kubernetes/reloader/reloader.yaml
@@ -19,7 +19,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: stakater
-      # renovate: registryUrl=https://stakater.github.io/stakater-charts
       chart: reloader
       version: 1.0.67
   interval: 1h

diff --git a/amethyst/kubernetes/rook-ceph/rook-ceph.yaml b/amethyst/kubernetes/rook-ceph/rook-ceph.yaml
@@ -20,7 +20,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: rook-ceph
-      # renovate: registryUrl=https://charts.rook.io/release
       chart: rook-ceph
       version: v1.11.8
   install:

diff --git a/amethyst/kubernetes/smart-exporter/smart-exporter.yaml b/amethyst/kubernetes/smart-exporter/smart-exporter.yaml
@@ -19,7 +19,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: bjw-s
-      # renovate: registryUrl=https://bjw-s.github.io/helm-charts
       chart: app-template
       version: 1.5.1
   interval: 1h
@@ -28,7 +27,6 @@ spec:
     controller:
       type: daemonset
     image:
-      # renovate:
       repository: matusnovak/prometheus-smartctl
       tag: v2.3.0
     env:

diff --git a/amethyst/kubernetes/snapscheduler/snapscheduler.yaml b/amethyst/kubernetes/snapscheduler/snapscheduler.yaml
@@ -20,7 +20,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: backube
-      # renovate: registryUrl=https://backube.github.io/helm-charts/
       chart: snapscheduler
       version: 3.2.0
   install: