├── .github ├── CODEOWNERS ├── ct.yaml └── workflows │ ├── lint.yml │ └── main.yml ├── helm-charts ├── mend-renovate-ce │ ├── .gitignore │ ├── templates │ │ ├── extra-configmaps.yaml │ │ ├── configmap.yaml │ │ ├── serviceaccount.yaml │ │ ├── service.yaml │ │ ├── pvc.yaml │ │ ├── ingress.yaml │ │ ├── _helpers.tpl │ │ ├── NOTES.txt │ │ └── secret.yaml │ ├── Chart.yaml │ ├── .helmignore │ ├── README.md │ └── values.yaml └── mend-renovate-ee │ ├── .gitignore │ ├── templates │ ├── extra-configmaps.yaml │ ├── server-extra-configmaps.yaml │ ├── worker-extra-configmaps.yaml │ ├── configmap.yaml │ ├── server-serviceaccount.yaml │ ├── worker-serviceaccount.yaml │ ├── server-svc.yaml │ ├── pvc.yaml │ ├── ingress.yaml │ ├── NOTES.txt │ ├── _helpers.tpl │ ├── secret.yaml │ ├── worker-deployment.yaml │ └── server-deployment.yaml │ ├── Chart.yaml │ ├── .helmignore │ └── README.md ├── examples ├── tls │ ├── tls_worker_config.json │ ├── tls_server_config.json │ └── README.md ├── env │ ├── renovate-core.env │ ├── github.env │ ├── event-notifications.env │ ├── postgres-db.env │ ├── minio.env │ ├── gitlab.env │ ├── mend-renovate.env │ ├── bitbucket-server.env │ ├── renovate-worker-config.env │ └── renovate-server-config.env ├── docker-compose │ ├── docker-compose-nginx.yml │ ├── docker-compose-minio-s3.yml │ ├── docker-compose-postgresql.yml │ ├── docker-compose-ngrok.yml │ ├── docker-compose-kafka.yml │ ├── docker-compose-renovate-community.yml │ └── docker-compose-renovate-enterprise.yml ├── conf │ └── nginx.conf ├── dockerfiles │ └── pgadmin │ │ └── Dockerfile └── README.md ├── .gitignore ├── docs ├── images │ ├── bb-log-in.png │ ├── bb-add-user.png │ ├── bb-new-token.png │ ├── bb-access-token.png │ ├── bb-admin-token.png │ ├── bb-admin-users.png │ ├── bb-create-user.png │ ├── bb-postman-sync.png │ ├── bb-renovate-bot.png │ ├── bb-manage-account.png │ ├── bb-repo-webhooks.png │ ├── bb-user-access-1.png │ ├── bb-user-access-2.png │ ├── bb-create-webhook-1.png │ ├── 
bb-create-webhook-2.png │ ├── bb-repo-permissions.png │ ├── bb-create-admin-token.png │ ├── gitlab_webhook_details.png │ └── gitlab_webhook_triggers.png ├── configure-renovate-ce-github.md ├── configure-renovate-ce-gitlab.md ├── configure-renovate-bitbucket-server.md ├── read-only-fs.md ├── installation-helm.md ├── README.md ├── migrating-to-renovate-ce.md ├── prometheus-metrics.md ├── configure-postgres-db.md ├── api.md ├── high-server-availability.md ├── advanced.md ├── api-system.md ├── events.md ├── setup-for-github.md ├── overview.md ├── api-jobs.md ├── setup-for-gitlab.md ├── tls.md └── setup-for-bitbucket-data-center.md ├── .whitesource ├── README.md ├── LICENSE └── renovate.json /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @mend/renovate-admins 2 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ce/.gitignore: -------------------------------------------------------------------------------- 1 | charts/*.tgz 2 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ee/.gitignore: -------------------------------------------------------------------------------- 1 | charts/*.tgz 2 | -------------------------------------------------------------------------------- /examples/tls/tls_worker_config.json: -------------------------------------------------------------------------------- 1 | { 2 | "ca": "file:///tls/local_ca.pem" 3 | } -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore IntelliJ project files 2 | /.idea/ 3 | *.iml 4 | 5 | .env* 6 | local* 7 | -------------------------------------------------------------------------------- /docs/images/bb-log-in.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mend/renovate-ce-ee/HEAD/docs/images/bb-log-in.png -------------------------------------------------------------------------------- /docs/images/bb-add-user.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend/renovate-ce-ee/HEAD/docs/images/bb-add-user.png -------------------------------------------------------------------------------- /docs/images/bb-new-token.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend/renovate-ce-ee/HEAD/docs/images/bb-new-token.png -------------------------------------------------------------------------------- /docs/images/bb-access-token.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend/renovate-ce-ee/HEAD/docs/images/bb-access-token.png -------------------------------------------------------------------------------- /docs/images/bb-admin-token.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend/renovate-ce-ee/HEAD/docs/images/bb-admin-token.png -------------------------------------------------------------------------------- /docs/images/bb-admin-users.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend/renovate-ce-ee/HEAD/docs/images/bb-admin-users.png -------------------------------------------------------------------------------- /docs/images/bb-create-user.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend/renovate-ce-ee/HEAD/docs/images/bb-create-user.png -------------------------------------------------------------------------------- /docs/images/bb-postman-sync.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mend/renovate-ce-ee/HEAD/docs/images/bb-postman-sync.png -------------------------------------------------------------------------------- /docs/images/bb-renovate-bot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend/renovate-ce-ee/HEAD/docs/images/bb-renovate-bot.png -------------------------------------------------------------------------------- /docs/images/bb-manage-account.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend/renovate-ce-ee/HEAD/docs/images/bb-manage-account.png -------------------------------------------------------------------------------- /docs/images/bb-repo-webhooks.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend/renovate-ce-ee/HEAD/docs/images/bb-repo-webhooks.png -------------------------------------------------------------------------------- /docs/images/bb-user-access-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend/renovate-ce-ee/HEAD/docs/images/bb-user-access-1.png -------------------------------------------------------------------------------- /docs/images/bb-user-access-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend/renovate-ce-ee/HEAD/docs/images/bb-user-access-2.png -------------------------------------------------------------------------------- /docs/images/bb-create-webhook-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend/renovate-ce-ee/HEAD/docs/images/bb-create-webhook-1.png -------------------------------------------------------------------------------- /docs/images/bb-create-webhook-2.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend/renovate-ce-ee/HEAD/docs/images/bb-create-webhook-2.png -------------------------------------------------------------------------------- /docs/images/bb-repo-permissions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend/renovate-ce-ee/HEAD/docs/images/bb-repo-permissions.png -------------------------------------------------------------------------------- /docs/images/bb-create-admin-token.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend/renovate-ce-ee/HEAD/docs/images/bb-create-admin-token.png -------------------------------------------------------------------------------- /docs/images/gitlab_webhook_details.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend/renovate-ce-ee/HEAD/docs/images/gitlab_webhook_details.png -------------------------------------------------------------------------------- /docs/images/gitlab_webhook_triggers.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mend/renovate-ce-ee/HEAD/docs/images/gitlab_webhook_triggers.png -------------------------------------------------------------------------------- /docs/configure-renovate-ce-github.md: -------------------------------------------------------------------------------- 1 | ## This page has been moved. 2 | Content is now available in the [Setup Guide for GitHub](setup-for-github.md) -------------------------------------------------------------------------------- /docs/configure-renovate-ce-gitlab.md: -------------------------------------------------------------------------------- 1 | ## This page has been moved. 
2 | Content is now available in the [Setup Guide for GitLab](setup-for-gitlab.md) -------------------------------------------------------------------------------- /.whitesource: -------------------------------------------------------------------------------- 1 | { 2 | "remediateSettings": { 3 | "workflowRules": { 4 | "enabled": false 5 | }, 6 | "enabled": false 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ce/templates/extra-configmaps.yaml: -------------------------------------------------------------------------------- 1 | {{- range .Values.extraConfigMaps }} 2 | --- 3 | {{- toYaml . | nindent 0 }} 4 | {{- end }} 5 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ee/templates/extra-configmaps.yaml: -------------------------------------------------------------------------------- 1 | {{- range .Values.extraConfigMaps }} 2 | --- 3 | {{- toYaml . | nindent 0 }} 4 | {{- end }} 5 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ee/templates/server-extra-configmaps.yaml: -------------------------------------------------------------------------------- 1 | {{- range .Values.renovateServer.extraConfigMaps }} 2 | --- 3 | {{- toYaml . | nindent 0 }} 4 | {{- end }} 5 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ee/templates/worker-extra-configmaps.yaml: -------------------------------------------------------------------------------- 1 | {{- range .Values.renovateWorker.extraConfigMaps }} 2 | --- 3 | {{- toYaml . | nindent 0 }} 4 | {{- end }} 5 | -------------------------------------------------------------------------------- /docs/configure-renovate-bitbucket-server.md: -------------------------------------------------------------------------------- 1 | ## This page has been moved. 
2 | Content is now available in the [Setup Guide for Bitbucket Data Center](setup-for-bitbucket-data-center.md) -------------------------------------------------------------------------------- /examples/tls/tls_server_config.json: -------------------------------------------------------------------------------- 1 | { 2 | "baseConfig": { 3 | "key": "file:///tls/local_server.key", 4 | "cert": "file:///tls/local_server.pem", 5 | "maxVersion": "TLSv1.3", 6 | "minVersion": "TLSv1.2" 7 | } 8 | } -------------------------------------------------------------------------------- /.github/ct.yaml: -------------------------------------------------------------------------------- 1 | # See https://github.com/helm/chart-testing/blob/main/doc/ct_lint.md 2 | target-branch: main 3 | 4 | # Turn off maintainer validation since this checks that 5 | # the maintainer names are valid GitHub usernames 6 | validate-maintainers: false 7 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ce/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: mend-renovate-ce 3 | version: 13.1.0 4 | appVersion: 13.1.0 5 | description: Mend Renovate Community Edition 6 | home: https://github.com/mend/renovate-ce-ee 7 | sources: 8 | - https://github.com/renovatebot/renovate 9 | icon: https://app.renovatebot.com/images/logo.png 10 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ee/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: mend-renovate-enterprise-edition 3 | version: 7.1.0 4 | appVersion: 13.1.0 5 | description: Mend Renovate Enterprise Edition 6 | home: https://github.com/mend/renovate-ce-ee 7 | sources: 8 | - https://github.com/renovatebot/renovate 9 | icon: https://app.renovatebot.com/images/logo.png 10 | 
-------------------------------------------------------------------------------- /examples/env/renovate-core.env: -------------------------------------------------------------------------------- 1 | # Configure Renovate Core 2 | # The core Renovate CLI functionality can be configured using environment variables (e.g. `RENOVATE_XXXXXX`) 3 | 4 | ## Example Renovate CLI Options 5 | # RENOVATE_REPOSITORY_CACHE=enabled # Repo cache is required for using some Enterprise reporting APIs. 6 | # RENOVATE_NODE_OPTIONS= # Defines `NODE_OPTIONS` for the Renovate CLI. -------------------------------------------------------------------------------- /examples/docker-compose/docker-compose-nginx.yml: -------------------------------------------------------------------------------- 1 | ## Load balancer for Renovate Server containers 2 | ## Will balance traffic sent to http://localhost:4000/ between Renovate Server instances (rnv-ee-server) 3 | ## Note! Requires 'nginx.conf' file (available in 'conf' directory). 4 | services: 5 | nginx: 6 | image: nginx:1.29.3 7 | restart: always 8 | volumes: 9 | - ../conf/nginx.conf:/etc/nginx/nginx.conf:ro 10 | ports: 11 | - "4000:4000" 12 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ce/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ee/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /examples/conf/nginx.conf: -------------------------------------------------------------------------------- 1 | # nginx.conf 2 | 3 | user nginx; 4 | 5 | events { 6 | worker_connections 1024; 7 | } 8 | 9 | http { 10 | server { 11 | listen 4000; 12 | 13 | location / { 14 | proxy_pass http://rnv-ee-server:8080; 15 | proxy_set_header Host $host; 16 | proxy_set_header X-Real-IP $remote_addr; 17 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 18 | proxy_set_header X-Forwarded-Proto $scheme; 19 | } 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ce/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ include "mend-renovate.fullname" . }}-config-js 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app.kubernetes.io/name: {{ include "mend-renovate.name" . 
}} 8 | helm.sh/chart: {{ include "mend-renovate.chart" . }} 9 | app.kubernetes.io/instance: {{ .Release.Name }} 10 | app.kubernetes.io/managed-by: {{ .Release.Service }} 11 | data: 12 | config.js: {{ .Values.renovate.config | quote }} 13 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ee/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ include "mend-renovate.fullname" . }}-config-js 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app.kubernetes.io/name: {{ include "mend-renovate.name" . }} 8 | helm.sh/chart: {{ include "mend-renovate.chart" . }} 9 | app.kubernetes.io/instance: {{ .Release.Name }} 10 | app.kubernetes.io/managed-by: {{ .Release.Service }} 11 | data: 12 | config.js: {{ .Values.renovateWorker.config | quote }} 13 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ce/README.md: -------------------------------------------------------------------------------- 1 | # Mend Renovate Installation - Helm 2 | 3 | ## Add Helm repository 4 | 5 | ```shell 6 | helm repo add mend-renovate-ce-ee https://mend.github.io/renovate-ce-ee 7 | helm repo update 8 | ``` 9 | 10 | ## Install Renovate chart 11 | 12 | ```shell 13 | helm install --generate-name --set renovate.config='\{\"token\":\"...\"\}' mend-renovate-ce-ee/mend-renovate-ce 14 | ``` 15 | 16 | See [Configuration Options](https://github.com/mend/renovate-ce-ee/blob/main/docs/configuration-options.md) for more information. 
17 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ee/README.md: -------------------------------------------------------------------------------- 1 | # Mend Renovate Installation - Helm 2 | 3 | ## Add Helm repository 4 | 5 | ```shell 6 | helm repo add mend-renovate-ce-ee https://mend.github.io/renovate-ce-ee 7 | helm repo update 8 | ``` 9 | 10 | ## Install Renovate chart 11 | 12 | ```shell 13 | helm install --generate-name --set renovateWorker.config='\{\"token\":\"...\"\}' mend-renovate-ce-ee/mend-renovate-enterprise-edition 14 | ``` 15 | 16 | See [Configuration Options](https://github.com/mend/renovate-ce-ee/blob/main/docs/configuration-options.md) for more information. 17 | -------------------------------------------------------------------------------- /examples/env/github.env: -------------------------------------------------------------------------------- 1 | # Connection details for the Renovate App on GitHub 2 | # Available at: https://github.com/settings/apps/ 3 | MEND_RNV_PLATFORM=github 4 | MEND_RNV_GITHUB_APP_ID= # App ID 5 | MEND_RNV_GITHUB_APP_KEY= # Private key 6 | MEND_RNV_WEBHOOK_SECRET= # Webhook secret (Defaults to 'renovate'; set a unique value, since the default is publicly documented) 7 | 8 | # [GitHub Enterprise Server only] 9 | # GitHub.com PAT for fetching changelogs and release notes, and GO-lang packages 10 | # GITHUB_COM_TOKEN= # A Personal Access Token for a user account on github.com. It needs only "read-only" access privileges 11 | -------------------------------------------------------------------------------- /examples/env/event-notifications.env: -------------------------------------------------------------------------------- 1 | # Event notifications to Kafka 2 | # Note: Ensure that the Kafka topic already exists 3 | 4 | MEND_RNV_KAFKA_TOPIC_NAME=mend-renovate-ee # The Kafka topic to which messages are submitted. 
Default is 'mend-renovate-ee' 5 | # MEND_RNV_KAFKA_TOPIC_CONFIG # Topic configuration for Kafka producer. 
6 | MEND_RNV_KAFKA_PRODUCER_GLOBAL_CONFIG='{"metadata.broker.list": "kafka:9093"}' # Global configuration for the Kafka producer. Expects a JSON string. 7 | # MEND_RNV_KAFKA_PRODUCER_GLOBAL_CONFIG_PATH # Path to a global producer configuration file. 8 | MEND_RNV_KAFKA_PARTITION_KEY_CANDIDATES=repository # List of keys whose values will be used as Kafka message keys. Default is 'null' 9 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ee/templates/server-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.renovateServer.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "mend-renovate.server-service-account-name" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app.kubernetes.io/name: {{ include "mend-renovate.name" . }} 9 | helm.sh/chart: {{ include "mend-renovate.chart" . }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | app.kubernetes.io/managed-by: {{ .Release.Service }} 12 | {{- with .Values.renovateServer.serviceAccount.annotations }} 13 | annotations: 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ee/templates/worker-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.renovateWorker.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "mend-renovate.worker-service-account-name" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app.kubernetes.io/name: {{ include "mend-renovate.name" . }} 9 | helm.sh/chart: {{ include "mend-renovate.chart" . 
}} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | app.kubernetes.io/managed-by: {{ .Release.Service }} 12 | {{- with .Values.renovateWorker.serviceAccount.annotations }} 13 | annotations: 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ce/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (not (eq "string" (printf "%T" .Values.serviceAccount))) .Values.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "mend-renovate.service-account-name" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app.kubernetes.io/name: {{ include "mend-renovate.name" . }} 9 | helm.sh/chart: {{ include "mend-renovate.chart" . }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | app.kubernetes.io/managed-by: {{ .Release.Service }} 12 | {{- with .Values.serviceAccount.annotations }} 13 | annotations: 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /examples/env/postgres-db.env: -------------------------------------------------------------------------------- 1 | # To configure Mend Renovate to use a PostgreSQL database, the following environment variables should be supplied to the Server containers (not required for Worker environment config). 2 | # For more information, see the [Postgres DB Configuration](../../docs/configure-postgres-db.md) documentation. 3 | 4 | MEND_RNV_DATA_HANDLER_TYPE=postgresql # Set to 'postgresql' to use a PostgreSQL database 5 | # MEND_RNV_POSTGRES_SSL_PEM_PATH= # The `.pem` file location in the container for SSL connection 6 | PGDATABASE=postgres # Name of the database instance. Eg. ‘postgres’ 7 | PGUSER=postgres # Postgres User name. Must have 'Create Schema' permission. 
8 | PGPASSWORD=password # Postgres User password (example value; change it for anything beyond local testing) 9 | PGHOST=postgres-database # Host name of the PostgreSQL instance 10 | PGPORT=5432 # Host Port for the PostgreSQL instance 11 | -------------------------------------------------------------------------------- /examples/env/minio.env: -------------------------------------------------------------------------------- 1 | ## MinIO S3 job log storage 2 | 3 | # Define connection variables 4 | # Note: Uses standard AWS environment variables to establish connection. 5 | AWS_REGION=us-east-1 # Use any valid AWS region. This value will be ignored, but is required when using MinIO. 6 | AWS_ENDPOINT_URL_S3=http://minio-s3:9000 # Set to the MinIO host and API port 7 | #AWS_ENDPOINT_URL_S3=http://host.docker.internal:9000 # Use this endpoint when MinIO is started from outside the Docker Compose 8 | AWS_ACCESS_KEY_ID=minioadmin # Set the same as MINIO_ROOT_USER 9 | AWS_SECRET_ACCESS_KEY=minioadmin # Set the same as MINIO_ROOT_PASSWORD ('minioadmin' is MinIO's well-known default; change both values for non-local use) 10 | 11 | # Define bucket/folders and path style 12 | MEND_RNV_LOG_HISTORY_S3=s3://job-logs # S3 storage location (eg. 
s3://BUCKET/dir1/dir2) Note: Ensure that the bucket exists 13 | MEND_RNV_S3_FORCE_PATH_STYLE=true # Set to 'true' when accessing local MinIO -------------------------------------------------------------------------------- /examples/docker-compose/docker-compose-minio-s3.yml: -------------------------------------------------------------------------------- 1 | ## Docker Compose file to run an instance of MinIO S3 2 | # To start a MinIO S3 container from the command line, run the following 'docker run' command: 3 | # docker run -p 9000:9000 -p 9001:9001 --name minio-s3 -v C:\tmp\minio\data:/data -e "MINIO_ROOT_USER=minioadmin" -e "MINIO_ROOT_PASSWORD=minioadmin" quay.io/minio/minio server /data --console-address ":9001" 4 | 5 | services: 6 | 7 | ## MinIO S3 - used for job log storage (example credentials below; change them for non-local use) 8 | minio: 9 | # restart: always 10 | image: quay.io/minio/minio 11 | container_name: minio-s3 12 | ports: 13 | - "9000:9000" 14 | - "9001:9001" 15 | environment: 16 | MINIO_ROOT_USER: minioadmin 17 | MINIO_ROOT_PASSWORD: minioadmin 18 | volumes: 19 | - /tmp/minio/data:/data # Unix version 20 | # - C:\tmp\minio\data:/data # Windows version 21 | command: server /data --console-address ":9001" 22 | -------------------------------------------------------------------------------- /.github/workflows/lint.yml: -------------------------------------------------------------------------------- 1 | name: Lint charts 2 | 3 | on: 4 | merge_group: 5 | pull_request: 6 | paths: 7 | - 'helm-charts/**' 8 | 9 | jobs: 10 | lint: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - name: Checkout 14 | uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 15 | with: 16 | fetch-depth: 0 17 | 18 | - name: Set up Helm 19 | uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 20 | with: 21 | version: v3.12.2 # renovate: datasource=github-releases depName=helm packageName=helm/helm 22 | 23 | - uses: 
actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 24 | with: 25 | 
python-version: "3.10" 26 | 27 | - name: Set up chart-testing 28 | uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f # v2.8.0 29 | 30 | - name: lint charts 31 | run: ct lint --config .github/ct.yaml 32 | -------------------------------------------------------------------------------- /examples/env/gitlab.env: -------------------------------------------------------------------------------- 1 | # Connection details for the Renovate Bot user account on GitLab 2 | MEND_RNV_PLATFORM=gitlab 3 | MEND_RNV_ENDPOINT= # API endpoint for your GitLab host, e.g. https://gitlab.company.com/api/v4/. Include the trailing slash. 4 | MEND_RNV_GITLAB_PAT= # Personal access token for the GitLab Renovate user account 5 | MEND_RNV_WEBHOOK_SECRET= # Webhook secret (Defaults to 'renovate'; set a unique value, since the default is publicly documented) 6 | 7 | # GitHub.com PAT for fetching changelogs and release notes, and GO-lang packages 8 | # GITHUB_COM_TOKEN= # A Personal Access Token for a user account on github.com. It needs only "read-only" access privileges 9 | 10 | # Automatic Webhook creation (Optional) 11 | # MEND_RNV_WEBHOOK_URL=http://renovate.yourcompany.com:8080/webhook # The URL of the Renovate Server plus '/webhook' 12 | # MEND_RNV_ADMIN_TOKEN= # Optional. A token used for searching/adding/removing repository webhooks. 13 | # Note: Webhooks will only be installed on repos that the account has at least `Maintainer` access to. 
14 | -------------------------------------------------------------------------------- /examples/docker-compose/docker-compose-postgresql.yml: -------------------------------------------------------------------------------- 1 | ## Docker Compose file to run an instance of PostgreSQL 2 | ## Creates a PostgreSQL DB container and a container for PGAdmin 3 | 4 | services: 5 | 6 | ## Postgres Database 7 | postgres-database: 8 | restart: always 9 | image: postgres:16.1-alpine3.17 10 | container_name: postgres-db 11 | environment: 12 | POSTGRES_USER: postgres 13 | POSTGRES_PASSWORD: password 14 | ports: 15 | - "5432:5432" 16 | 17 | ## [Optional] Postgres Web Frontend (pgAdmin) 18 | ## View the database contents via URL: http://localhost:5050/ with user/pwd as defined below 19 | ## Note! pgAdmin requires 'Dockerfile' file (available in 'dockerfiles/pgadmin' directory). 20 | pgadmin: 21 | restart: unless-stopped 22 | container_name: pgadmin 23 | build: 24 | context: ../dockerfiles/pgadmin 25 | dockerfile: Dockerfile 26 | depends_on: 27 | - postgres-database 28 | ports: 29 | - "5050:5050" 30 | environment: 31 | - PGADMIN_LISTEN_PORT=5050 32 | -------------------------------------------------------------------------------- /examples/env/mend-renovate.env: -------------------------------------------------------------------------------- 1 | # Essential environment variables for Renovate CE and EE Server and Worker 2 | 3 | ## Mend licensing config 4 | # Provide a valid license key for Renovate Community Edition or Enterprise Edition 5 | # Use this key for up to 10 repos on Community Edition: eyJsaW1pdCI6IjEwIn0=.30440220457941b71ea8eb345c729031718b692169f0ce2cf020095fd328812f4d7d5bc1022022648d1a29e71d486f89f27bdc8754dfd6df0ddda64a23155000a61a105da2a1 6 | # For a free unrestricted repo Community Edition license key register at https://www.mend.io/renovate-community/ 7 | # For an Enterprise license key. 
Get License key from Mend.io 8 | MEND_RNV_LICENSE_KEY=eyJsaW1pdCI6IjEwIn0=.30440220457941b71ea8eb345c729031718b692169f0ce2cf020095fd328812f4d7d5bc1022022648d1a29e71d486f89f27bdc8754dfd6df0ddda64a23155000a61a105da2a1 9 | MEND_RNV_ACCEPT_TOS= # Set to 'Y' to accept Terms of Service 10 | 11 | ## Server API config 12 | # API secret is required to enable APIs. Required on Server and Worker for internal communication. (Also see `MEND_RNV_ADMIN_API_ENABLED`.) The value below is an example; replace it with a long random secret. 13 | MEND_RNV_SERVER_API_SECRET=abc123 14 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ce/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "mend-renovate.fullname" . }} 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app.kubernetes.io/name: {{ include "mend-renovate.name" . }} 8 | helm.sh/chart: {{ include "mend-renovate.chart" . }} 9 | app.kubernetes.io/instance: {{ .Release.Name }} 10 | app.kubernetes.io/managed-by: {{ .Release.Service }} 11 | {{- with .Values.service.labels }} 12 | {{- toYaml . | nindent 4 }} 13 | {{- end }} 14 | {{- with .Values.service.annotations }} 15 | annotations: 16 | {{- toYaml . | nindent 4 }} 17 | {{- end }} 18 | spec: 19 | type: {{ .Values.service.type }} 20 | ports: 21 | - port: {{ .Values.service.ports.http }} 22 | targetPort: http 23 | protocol: TCP 24 | name: http 25 | - port: {{ .Values.service.ports.https }} 26 | targetPort: https 27 | protocol: TCP 28 | name: https 29 | selector: 30 | app.kubernetes.io/name: {{ include "mend-renovate.name" . 
}} 31 | app.kubernetes.io/instance: {{ .Release.Name }} 32 | -------------------------------------------------------------------------------- /examples/docker-compose/docker-compose-ngrok.yml: -------------------------------------------------------------------------------- 1 | # Run ngrok to provide a publicly accessible endpoint for the Renovate Server to receive webhooks from the repo. 2 | # Configure webhooks with url: https://<your-ngrok-domain>/webhook (the endpoint is public, so set a non-default MEND_RNV_WEBHOOK_SECRET) 3 | # For instructions, see: https://ngrok.com/docs/using-ngrok-with/docker/ 4 | # Use the ngrok service below, or run the following command (replace values as appropriate): 5 | # $ docker run --net=host -it -e NGROK_AUTHTOKEN=xyz ngrok/ngrok:latest http 80 6 | # View ngrok requests at http://localhost:4040/inspect/http 7 | 8 | services: 9 | ngrok: 10 | image: ngrok/ngrok:latest 11 | container_name: ngrok 12 | command: 13 | - "http" 14 | - "http://host.docker.internal:80" # If using multiple servers, use the port assigned to the load balancer (eg. 4000) 15 | # - "--url=your-domain.ngrok.io" # Provide your personal ngrok domain, if you have one. 16 | environment: 17 | LOG_LEVEL: debug 18 | # Get your ngrok authtoken from https://dashboard.ngrok.com/get-started/your-authtoken 19 | NGROK_AUTHTOKEN: ${NGROK_AUTHTOKEN} 20 | ports: 21 | - "4040:4040" 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ![Mend Renovate banner](https://app.renovatebot.com/images/whitesource_renovate_660_220.jpg) 2 | 3 | # Mend Renovate Community and Enterprise Editions 4 | 5 | This repository contains documentation, release notes and an issue tracker for Mend Renovate Community Edition (Renovate CE) and Mend Renovate Enterprise Edition (Renovate EE). 6 | 7 | ## Documentation 8 | 9 | Please view [the Markdown docs in this repository](https://github.com/mend/renovate-ce-ee/tree/main/docs).
10 | 11 | ## Download 12 | 13 | Mend Renovate CE/EE is distributed via GitHub's Container Registry under the [`mend` GHCR namespace](https://github.com/orgs/mend/packages?ecosystem=container). 14 | 15 | ## License 16 | 17 | Use of Mend Renovate CE/EE is bound by [Mend's Terms of Service](https://www.mend.io/terms-of-service/). 18 | You can request a license key by submitting the form at [https://www.mend.io/renovate-community/](https://www.mend.io/renovate-community/). 19 | 20 | The documentation and examples in this repository are MIT-licensed. 21 | 22 | ## Usage 23 | 24 | Please see the `docs/` and `examples/` directories within this repository. 25 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Mend Renovate is proprietary software, however the docs and examples in this repository are licensed under MIT license. 2 | 3 | Copyright 2020 Mend Ltd 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 6 | 7 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 10 | -------------------------------------------------------------------------------- /examples/env/bitbucket-server.env: -------------------------------------------------------------------------------- 1 | # Connection details for the Bitbucket Data Center Renovate bot user account 2 | # Important! Create a separate user account for the Renovate Bot user with only "Bitbucket User" access 3 | MEND_RNV_PLATFORM=bitbucket-server 4 | MEND_RNV_ENDPOINT= # API endpoint for the Bitbucket Data Center. Include the trailing slash. 5 | MEND_RNV_BITBUCKET_USER= # Renovate Bot user account (with only “Bitbucket User” access) 6 | MEND_RNV_BITBUCKET_PAT= # Bitbucket access token for the bot user `MEND_RNV_BITBUCKET_USER` 7 | MEND_RNV_WEBHOOK_SECRET=renovate # Webhook secret (Defaults to 'renovate'; set a unique, random value for real deployments) 8 | 9 | # GitHub.com PAT for fetching changelogs and release notes, and GO-lang packages 10 | # GITHUB_COM_TOKEN= # A Personal Access Token for a user account on github.com. It needs only "read-only" access privileges 11 | 12 | # Automatic Webhook creation (Optional) 13 | # MEND_RNV_WEBHOOK_URL=http://renovate.yourcompany.com:8080/webhook # The URL of the Renovate Server plus '/webhook' 14 | # MEND_RNV_ADMIN_TOKEN= # Optional. A token used for searching/add/removing repository webhooks. 15 | # Note: Webhooks will be only installed on repos that the account has at least `Maintainer` access to. 16 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ee/templates/server-svc.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "mend-renovate.fullname" .
}}-svc-server 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app.kubernetes.io/name: {{ include "mend-renovate.name" . }} 8 | helm.sh/chart: {{ include "mend-renovate.chart" . }} 9 | app.kubernetes.io/instance: {{ .Release.Name }} 10 | app.kubernetes.io/managed-by: {{ .Release.Service }} 11 | {{- with .Values.service.labels }} 12 | {{- toYaml . | nindent 4 }} 13 | {{- end }} 14 | {{- with .Values.service.annotations }} 15 | annotations: 16 | {{- toYaml . | nindent 4 }} 17 | {{- end }} 18 | spec: 19 | type: {{ .Values.service.type }} 20 | ports: 21 | - port: {{ .Values.service.ports.http }} 22 | targetPort: ee-server 23 | protocol: TCP 24 | name: http 25 | - port: {{ .Values.service.ports.https }} 26 | targetPort: ee-server-https 27 | protocol: TCP 28 | name: https 29 | selector: 30 | app.kubernetes.io/name: {{ include "mend-renovate.name" . }} 31 | app.kubernetes.io/instance: {{ .Release.Name }} 32 | app: {{ include "mend-renovate.name" . }}-server 33 | -------------------------------------------------------------------------------- /.github/workflows/main.yml: -------------------------------------------------------------------------------- 1 | name: Release Charts 2 | 3 | on: 4 | push: 5 | branches: 6 | - main 7 | workflow_dispatch: 8 | 9 | jobs: 10 | release: 11 | runs-on: ubuntu-latest 12 | permissions: 13 | contents: write 14 | steps: 15 | - name: Checkout 16 | uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 17 | with: 18 | fetch-depth: 0 19 | 20 | - name: Configure Git 21 | run: | 22 | git config user.name "$GITHUB_ACTOR" 23 | git config user.email "$GITHUB_ACTOR@users.noreply.github.com" 24 | - name: Install Helm 25 | uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 26 | with: 27 | version: v3.10.0 # renovate: datasource=github-releases depName=helm packageName=helm/helm 28 | 29 | - name: Run chart-releaser 30 | uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0 31 | with: 
32 | version: v1.4.1 # renovate: datasource=github-releases depName=chart-releaser packageName=helm/chart-releaser 33 | charts_dir: helm-charts 34 | env: 35 | CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}' 36 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ee/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.dataPersistence.enabled (not .Values.dataPersistence.existingClaim) }} 2 | kind: PersistentVolumeClaim 3 | apiVersion: v1 4 | metadata: 5 | name: {{ include "mend-renovate.fullname" . }}-data 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app.kubernetes.io/name: {{ include "mend-renovate.name" . }} 9 | helm.sh/chart: {{ include "mend-renovate.chart" . }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | app.kubernetes.io/managed-by: {{ .Release.Service }} 12 | spec: 13 | accessModes: 14 | {{- if not (empty .Values.dataPersistence.accessModes) }} 15 | {{- range .Values.dataPersistence.accessModes }} 16 | - {{ . | quote }} 17 | {{- end }} 18 | {{- else }} 19 | - {{ .Values.dataPersistence.accessMode | quote }} 20 | {{- end }} 21 | resources: 22 | requests: 23 | storage: {{ .Values.dataPersistence.size | quote }} 24 | {{- if .Values.dataPersistence.storageClass }} 25 | {{- if (eq "-" .Values.dataPersistence.storageClass) }} 26 | storageClassName: "" 27 | {{- else }} 28 | storageClassName: "{{ .Values.dataPersistence.storageClass }}" 29 | {{- end }} 30 | {{- end }} 31 | {{- end }} 32 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ce/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.cachePersistence.enabled (not .Values.cachePersistence.existingClaim) }} 2 | kind: PersistentVolumeClaim 3 | apiVersion: v1 4 | metadata: 5 | name: {{ include "mend-renovate.fullname" . 
}}-cache 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app.kubernetes.io/name: {{ include "mend-renovate.name" . }} 9 | helm.sh/chart: {{ include "mend-renovate.chart" . }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | app.kubernetes.io/managed-by: {{ .Release.Service }} 12 | spec: 13 | accessModes: 14 | {{- if not (empty .Values.cachePersistence.accessModes) }} 15 | {{- range .Values.cachePersistence.accessModes }} 16 | - {{ . | quote }} 17 | {{- end }} 18 | {{- else }} 19 | - {{ .Values.cachePersistence.accessMode | quote }} 20 | {{- end }} 21 | resources: 22 | requests: 23 | storage: {{ .Values.cachePersistence.size | quote }} 24 | {{- if .Values.cachePersistence.storageClass }} 25 | {{- if (eq "-" .Values.cachePersistence.storageClass) }} 26 | storageClassName: "" 27 | {{- else }} 28 | storageClassName: "{{ .Values.cachePersistence.storageClass }}" 29 | {{- end }} 30 | {{- end }} 31 | {{- end }} 32 | -------------------------------------------------------------------------------- /examples/docker-compose/docker-compose-kafka.yml: -------------------------------------------------------------------------------- 1 | services: 2 | kafka: 3 | image: apache/kafka-native 4 | ports: 5 | - "9092:9092" 6 | environment: 7 | # Configure listeners for both docker and host communication 8 | KAFKA_LISTENERS: CONTROLLER://localhost:9091,HOST://0.0.0.0:9092,DOCKER://0.0.0.0:9093 9 | KAFKA_ADVERTISED_LISTENERS: HOST://localhost:9092,DOCKER://kafka:9093 10 | KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: CONTROLLER:PLAINTEXT,DOCKER:PLAINTEXT,HOST:PLAINTEXT 11 | 12 | # Settings required for KRaft mode 13 | KAFKA_NODE_ID: 1 14 | KAFKA_PROCESS_ROLES: broker,controller 15 | KAFKA_CONTROLLER_LISTENER_NAMES: CONTROLLER 16 | KAFKA_CONTROLLER_QUORUM_VOTERS: 1@localhost:9091 17 | 18 | # Listener to use for broker-to-broker communication 19 | KAFKA_INTER_BROKER_LISTENER_NAME: DOCKER 20 | 21 | # Required for a single node cluster 22 | KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1 
23 | 24 | # Disable automatic topic creation 25 | KAFKA_AUTO_CREATE_TOPICS_ENABLE: "false" 26 | 27 | kafka-ui: 28 | image: ghcr.io/kafbat/kafka-ui:latest 29 | ports: 30 | - "8081:8080" 31 | environment: 32 | DYNAMIC_CONFIG_ENABLED: "true" 33 | KAFKA_CLUSTERS_0_NAME: local 34 | KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: kafka:9093 35 | depends_on: 36 | - kafka 37 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "extends": [ 3 | "config:recommended", 4 | ":pinDigestsDisabled" 5 | ], 6 | "packageRules": [{ 7 | "groupName": "Update Mend Renovate docker images", 8 | "matchPackageNames": [ 9 | "ghcr.io/mend/renovate-ce", 10 | "ghcr.io/mend/renovate-ee-server", 11 | "ghcr.io/mend/renovate-ee-worker" 12 | ], 13 | "minimumGroupSize": 3, 14 | "versioning": "docker", 15 | "automerge": true, 16 | "bumpVersions": [ 17 | { 18 | "description": "Bump the `version` for the Helm charts, in line with the version bump from the Docker image", 19 | "filePatterns": [ 20 | "helm-charts/mend-renovate-ce/Chart.yaml", 21 | "helm-charts/mend-renovate-ee/Chart.yaml" 22 | ], 23 | "matchStrings": [ 24 | "version:\\s(?[^\\s]+)" 25 | ], 26 | "bumpType": "{{updateType}}" 27 | }, 28 | { 29 | "description": "Bump the `appVersion` for the Helm charts, in line with the version bump from the Docker image", 30 | "filePatterns": [ 31 | "helm-charts/mend-renovate-ce/Chart.yaml", 32 | "helm-charts/mend-renovate-ee/Chart.yaml" 33 | ], 34 | "matchStrings": [ 35 | "appVersion:\\s(?[^\\s]+)" 36 | ], 37 | "bumpType": "{{updateType}}" 38 | } 39 | ] 40 | }], 41 | "ignorePaths": [] 42 | } 43 | -------------------------------------------------------------------------------- /docs/read-only-fs.md: -------------------------------------------------------------------------------- 1 | # Read-only File Systems 2 | 3 | Support for read-only file systems is available from version 9.0.0 4 | 5 | 
To test it, follow these steps: 6 | 7 | ## Use the official release images: 8 | * Community: `ghcr.io/mend/renovate-ce:9.0.0` 9 | * Enterprise: `ghcr.io/mend/renovate-ee-server:9.0.0` and `ghcr.io/mend/renovate-ee-worker:9.0.0` 10 | 11 | ## Run the images in read-only mode 12 | 13 | Set both the Server and Worker images to run with read-only file systems (e.g. `readOnlyRootFilesystem` in Kubernetes). 14 | 15 | ## Map read-write volumes 16 | 17 | Ensure that the EE Server has a read-write `/tmp` volume. 18 | 19 | Ensure that the EE Worker has read-write `/tmp` and `/opt/containerbase` volumes. 20 | 21 | ## Other volumes 22 | 23 | The main "risk" of a read-only FS for Renovate is that there are dozens of package managers that can be called, and those package managers can choose to write files into unexpected locations. 24 | 25 | When such cases are found, the best scenario is that the Renovate CLI can be enhanced to "coerce" managers into writing to `/tmp/renovate`, e.g. through the configuration of environment variables. 26 | However, it may also be feasible to selectively map files or folders as a stopgap solution (e.g. `/home/ubuntu/.some-manager`). 27 | 28 | ## Testing and release 29 | 30 | The measure of success is that all package managers succeed (e.g. at updating lock files) using the read-write volumes only. 31 | -------------------------------------------------------------------------------- /docs/installation-helm.md: -------------------------------------------------------------------------------- 1 | # Mend Renovate Installation 2 | 3 | ## Choice of image type 4 | 5 | Renovate CE comes with both the default image (e.g. `ghcr.io/mend/renovate-ce:6.0.0`) and a "full" image (e.g. `ghcr.io/mend/renovate-ce:6.0.0-full`). 6 | 7 | The default image is optimized for size and only contains the core Renovate functionality.
8 | It is intended for use with Renovate's `binarySource=install` capability, which dynamically selects and installs third party tools at runtime. 9 | 10 | The full image contains preinstalled third-party tools (e.g. Python, Poetry, Node.js, Gradle, etc.) so that you can run Renovate with `binarySource=global` and not require any dynamic runtime installation. 11 | 12 | Renovate On-Premises (v5 and earlier) was built with a "full" image only, so if upgrading from an earlier version you may want to use the full image for compatibility. 13 | 14 | ## Installation using Helm 15 | 16 | ### Add Helm repository 17 | 18 | ```shell 19 | helm repo add mend-renovate-ce-ee https://mend.github.io/renovate-ce-ee 20 | helm repo update 21 | ``` 22 | 23 | ### Install Renovate chart 24 | 25 | ```shell 26 | helm install --generate-name --set renovate.config='\{\"token\":\"...\"\}' mend-renovate-ce-ee/mend-renovate-ce 27 | ``` 28 | 29 | See the available [values](../helm-charts/mend-renovate-ce/values.yaml) for full configuration and review configuration guides for [GitHub](setup-for-github.md), [GitLab](setup-for-gitlab.md) or [Bitbucket](setup-for-bitbucket-data-center.md). When passing real tokens, prefer a values file (`-f`) or a pre-created secret (see `renovate.existingSecret` in the values) over `--set`, which leaves the token in shell history. 30 | 31 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ce/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingress.enabled -}} 2 | {{- $fullName := include "mend-renovate.fullname" . -}} 3 | apiVersion: networking.k8s.io/v1 4 | kind: Ingress 5 | metadata: 6 | name: {{ $fullName }} 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app.kubernetes.io/name: {{ include "mend-renovate.name" . }} 10 | helm.sh/chart: {{ include "mend-renovate.chart" . }} 11 | app.kubernetes.io/instance: {{ .Release.Name }} 12 | app.kubernetes.io/managed-by: {{ .Release.Service }} 13 | {{- with .Values.ingress.annotations }} 14 | annotations: 15 | {{- toYaml .
| nindent 4 }} 16 | {{- end }} 17 | spec: 18 | {{- if .Values.ingress.ingressClassName }} 19 | ingressClassName: {{ .Values.ingress.ingressClassName }} 20 | {{- end }} 21 | {{- if .Values.ingress.tls }} 22 | tls: 23 | {{- range .Values.ingress.tls }} 24 | - hosts: 25 | {{- range .hosts }} 26 | - {{ . | quote }} 27 | {{- end }} 28 | {{- if .secretName }} 29 | secretName: {{ .secretName | quote }} 30 | {{- end }} 31 | {{- end }} 32 | {{- end }} 33 | rules: 34 | {{- range $host, $paths := .Values.ingress.hosts }} 35 | - host: {{ $host | quote }} 36 | http: 37 | paths: 38 | {{- range $p := $paths.paths }} 39 | - path: {{ $p.path }} 40 | pathType: {{ $p.pathType }} 41 | backend: 42 | service: 43 | name: {{ $fullName }} 44 | port: 45 | {{- if $p.port }} 46 | {{ toYaml $p.port | nindent 18 }} 47 | {{- else }} 48 | name: http 49 | {{- end }} 50 | {{- end -}} 51 | {{- end }} 52 | {{- end }} 53 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ee/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingress.enabled -}} 2 | {{- $fullName := include "mend-renovate.fullname" . -}} 3 | apiVersion: networking.k8s.io/v1 4 | kind: Ingress 5 | metadata: 6 | name: {{ $fullName }} 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app.kubernetes.io/name: {{ include "mend-renovate.name" . }} 10 | helm.sh/chart: {{ include "mend-renovate.chart" . }} 11 | app.kubernetes.io/instance: {{ .Release.Name }} 12 | app.kubernetes.io/managed-by: {{ .Release.Service }} 13 | {{- with .Values.ingress.annotations }} 14 | annotations: 15 | {{- toYaml . | nindent 4 }} 16 | {{- end }} 17 | spec: 18 | {{- if .Values.ingress.ingressClassName }} 19 | ingressClassName: {{ .Values.ingress.ingressClassName }} 20 | {{- end }} 21 | {{- if .Values.ingress.tls }} 22 | tls: 23 | {{- range .Values.ingress.tls }} 24 | - hosts: 25 | {{- range .hosts }} 26 | - {{ . 
| quote }} 27 | {{- end }} 28 | {{- if .secretName }} 29 | secretName: {{ .secretName | quote }} 30 | {{- end }} 31 | {{- end }} 32 | {{- end }} 33 | rules: 34 | {{- range $host, $paths := .Values.ingress.hosts }} 35 | - host: {{ $host | quote }} 36 | http: 37 | paths: 38 | {{- range $p := $paths.paths }} 39 | - path: {{ $p.path }} 40 | pathType: {{ $p.pathType }} 41 | backend: 42 | service: 43 | name: {{ $fullName }}-svc-server 44 | port: 45 | {{- if $p.port }} 46 | {{ toYaml $p.port | nindent 18 }} 47 | {{- else }} 48 | name: http 49 | {{- end }} 50 | {{- end -}} 51 | {{- end }} 52 | {{- end }} 53 | -------------------------------------------------------------------------------- /docs/README.md: -------------------------------------------------------------------------------- 1 | # Mend Renovate Self-hosted App Documentation 2 | 3 | This repository provides documentation specific to the Mend Renovate Self-hosted Apps - Community Edition (Renovate CE) and Enterprise Edition (Renovate EE), and does not duplicate anything that is relevant and can be found in the [Renovate OSS repository](https://github.com/renovatebot/renovate). 4 | 5 | Mend Renovate Community Edition was formerly known as "Mend Renovate On-Premises". 6 | 7 | ## Supported platforms 8 | 9 | The following platforms are supported by Mend Renovate Community Edition and Enterprise Edition: 10 | - GitHub.com 11 | - GitHub Enterprise Server 12 | - GitLab Cloud 13 | - GitLab Enterprise Edition 14 | - Bitbucket Data Center 15 | 16 | ## Documentation contents 17 | 18 | 1. [Overview](./overview.md) 19 | 2. Installation ([Helm](./installation-helm.md)) 20 | 3. Getting Started 21 | - [Setup guide for GitHub](setup-for-github.md) 22 | - [Setup guide for GitLab](setup-for-gitlab.md) 23 | - [Setup guide for Bitbucket Data Center](setup-for-bitbucket-data-center.md) 24 | 4. 
Configuration 25 | - [Self-hosted App configuration options](configuration-options.md) 26 | - [Example Renovate CE Docker Compose](../examples/docker-compose/docker-compose-renovate-community.yml) 27 | - [Example Renovate EE Docker Compose](../examples/docker-compose/docker-compose-renovate-enterprise.yml) 28 | - [Configure PostgreSQL DB](configure-postgres-db.md) 29 | - [Configure TLS Communication](./tls.md) 30 | - [Configure Event Notifications](./events.md) 31 | 5. Migration ([Renovate On-Premises to Renovate Community](./migrating-to-renovate-ce.md)) 32 | 6. [APIs Documentation](./api.md) 33 | - [System APIs](api-system.md) 34 | - [Jobs APIs](api-jobs.md) 35 | - [Reporting APIs](api-reporting.md) 36 | 7. [Advanced topics](./advanced.md) 37 | -------------------------------------------------------------------------------- /examples/env/renovate-worker-config.env: -------------------------------------------------------------------------------- 1 | # Environment variables for Mend Renovate Enterprise Worker 2 | 3 | ## Mandatory Worker config 4 | 5 | MEND_RNV_SERVER_HOSTNAME=http://rnv-ee-server:8080 # The hostname of the Renovate Enterprise `server` container 6 | # MEND_RNV_SERVER_HOSTNAME=https://rnv-ee-server:8443 # Use `https` and port `8443` if using TLS to connect to the Server 7 | 8 | ## Optional Worker config 9 | 10 | # [S3 job log storage - eg. AWS/MinIO] 11 | # Note: S3 connection details are also required in the Server container. 12 | # MEND_RNV_LOG_HISTORY_S3=s3://job-logs # Persist job logs to S3 storage location. Format: s3:///dir1/dir2 (Also see `MEND_RNV_S3_FORCE_PATH_STYLE`.) 13 | # MEND_RNV_S3_FORCE_PATH_STYLE=true # Defaults to 'false'. Set to 'true' if the endpoint for your S3 storage must be used without manipulation - eg. connecting to MinIO S3. (See `MEND_RNV_LOG_HISTORY_S3`) 14 | 15 | # [TLS Communication (SSL/HTTPS)] 16 | # MEND_RNV_CLIENT_HTTPS_CONFIG={"ca":"file:///tls/local_ca.pem"} # TLS config (JSON format). 
Defines certificate authority for making HTTPS calls. 17 | # MEND_RNV_CLIENT_HTTPS_CONFIG_PATH=/tls/tls_worker_config.json # File for defining TLS certificate authority. Note: Ensure volume is set on Worker. 18 | # MEND_RNV_NODE_OPTIONS= # Define `NODE_OPTIONS` only for the `Renovate Enterprise worker`. 19 | 20 | # [Other Worker configuration] 21 | # MEND_RNV_WORKER_EXECUTION_TIMEOUT=60 # Sets the maximum execution duration of a Renovate CLI scan in minutes. Default is 60. 22 | # MEND_RNV_DISK_USAGE_WARN_THRESHOLD=70 # A numeric percentage threshold for disk storage warnings. Default is 70. 23 | # MEND_RNV_DISK_USAGE_FILTER=/dev/** # A comma-separated list of regex or glob patterns for matching device paths. Default is `/dev/**`. 24 | # MEND_RNV_SINGLE_JOB_WORKER=true # When set to 'true', a Worker machine will make exactly one attempt to fetch and run a job and then shut down. Default is 'false'. 25 | -------------------------------------------------------------------------------- /docs/migrating-to-renovate-ce.md: -------------------------------------------------------------------------------- 1 | # Migrating from Renovate On-Premises to Renovate Community Edition 2 | 3 | When migrating from Renovate On-Premises to Renovate Community Edition, you can continue to use the same Bot/User, with just a couple of modifications. 4 | 5 | ## Health Check 6 | 7 | If you are using a "health check" of the Renovate container then you should point it to `/health` in Renovate CE. 8 | 9 | ## Environment Variable Renaming 10 | 11 | Some existing environment variables have been renamed, and some new ones have been added. 12 | 13 | See the specific configuration instructions ([GitHub](setup-for-github.md), [GitLab](setup-for-gitlab.md), [Bitbucket](setup-for-bitbucket-data-center.md)) to learn more about the variables mentioned below.
14 | 15 | ### Environment Variable Key Migration 16 | 17 | | Renovate On-Premises | Renovate Community Edition | 18 | |------------------------|--| 19 | | ACCEPT_WHITESOURCE_TOS | MEND_RNV_ACCEPT_TOS | 20 | | LICENSE_KEY | MEND_RNV_LICENSE_KEY | 21 | | PORT | MEND_RNV_SERVER_PORT | 22 | | RENOVATE_PLATFORM | MEND_RNV_PLATFORM | 23 | | RENOVATE_ENDPOINT | MEND_RNV_ENDPOINT | 24 | | SCHEDULER_CRON | MEND_RNV_CRON_JOB_SCHEDULER | 25 | | WEBHOOK_SECRET | MEND_RNV_WEBHOOK_SECRET | 26 | 27 | ### Repository auto-discovery 28 | > [!WARNING] 29 | > The Renovate CLI `autodiscover` configuration option is disabled at the client level. 30 | Repository filtering should solely rely on server-side filtering using `MEND_RNV_AUTODISCOVER_FILTER`. 31 | 32 | ### Variables specific to GitHub instances 33 | | Renovate On-Premises EnvVars | Renovate Community Edition | 34 | |--|--| 35 | | GITHUB_APP_ID | MEND_RNV_GITHUB_APP_ID | 36 | | GITHUB_APP_KEY | MEND_RNV_GITHUB_APP_KEY | 37 | 38 | ### Variables specific to GitLab instances 39 | 40 | | Renovate On-Premises EnvVars | Renovate Community Edition | 41 | |--|--| 42 | | RENOVATE_TOKEN | MEND_RNV_GITLAB_PAT | 43 | -------------------------------------------------------------------------------- /examples/dockerfiles/pgadmin/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM dpage/pgadmin4:9.3 2 | 3 | # pgadmin server user attributes (example defaults; override with --build-arg, and note that build ARG values remain visible in the image history) 4 | ARG P_USER=pgadmin 5 | ARG P_DOMAIN=mend.io 6 | ARG P_PASSWORD=admin 7 | 8 | # This allows connection information to be pre-loaded into the instance of pgAdmin in the container.
9 | # https://www.pgadmin.org/docs/pgadmin4/latest/container_deployment.html#mapped-files-and-directories 10 | #{ 11 | # "Servers": { 12 | # "1": { 13 | # "Name": "Renovate-Pro", 14 | # "Group": "Servers", 15 | # "Port": 5432, 16 | # "Username": "postgres", 17 | # "Host": "postgres-database", 18 | # "SSLMode": "prefer", 19 | # "PassFile": "/pgpass", 20 | # "MaintenanceDB": "postgres" 21 | # } 22 | # } 23 | #} 24 | ARG SERVERS='{"Servers":{"1":{"Name":"Renovate-Pro","Group":"Servers","Port":5432,"Username":"postgres","Host":"postgres-database","SSLMode":"prefer","PassFile":"/pgpass","MaintenanceDB":"postgres"}}}' 25 | 26 | # remote database password file (example credentials; the value is written into an image layer, so replace it for anything beyond local testing) 27 | # https://www.postgresql.org/docs/current/libpq-pgpass.html 28 | # hostname:port:database:username:password 29 | ARG PGPASS='postgres-database:5432:postgres:postgres:password' 30 | 31 | # pgadmin home dir 32 | ARG PGADMIN_DIR=/var/lib/pgadmin/storage/${P_USER}_${P_DOMAIN} 33 | 34 | # pgadmin required environment variables 35 | ENV PGADMIN_DEFAULT_EMAIL=${P_USER}@${P_DOMAIN} 36 | ENV PGADMIN_DEFAULT_PASSWORD=${P_PASSWORD} 37 | 38 | # Create postgres password file 39 | USER ${P_USER} 40 | RUN mkdir -p ${PGADMIN_DIR} 41 | RUN echo ${PGPASS} > ${PGADMIN_DIR}/pgpass 42 | 43 | # Make the password file readable and writable by its owner only (5050:5050) 44 | # https://www.pgadmin.org/docs/pgadmin4/latest/container_deployment.html#mapped-files-and-directories 45 | USER root 46 | RUN chown -R 5050:5050 ${PGADMIN_DIR}/pgpass 47 | RUN chmod 0600 ${PGADMIN_DIR}/pgpass 48 | 49 | # Create server definitions file 50 | RUN echo ${SERVERS} > /pgadmin4/servers.json 51 | 52 | USER ${P_USER} 53 | ENTRYPOINT ["/entrypoint.sh"] 54 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ce/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart.
4 | */}} 5 | {{- define "mend-renovate.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 13 | */}} 14 | {{- define "mend-renovate.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "mend-renovate.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Expand the name of the default secret 36 | */}} 37 | {{- define "mend-renovate.secret-name" -}} 38 | {{- if .Values.renovate.existingSecret -}} 39 | {{- .Values.renovate.existingSecret -}} 40 | {{- else -}} 41 | {{- include "mend-renovate.name" . -}} 42 | {{- end -}} 43 | {{- end -}} 44 | 45 | {{/* 46 | Expand the name of the npmrc secret 47 | */}} 48 | {{- define "mend-renovate.npmrc-secret-name" -}} 49 | {{- if .Values.renovate.npmrcExistingSecret -}} 50 | {{- .Values.renovate.npmrcExistingSecret -}} 51 | {{- else -}} 52 | {{- include "mend-renovate.name" . 
}}-npmrc 53 | {{- end -}} 54 | {{- end -}} 55 | 56 | {{/* 57 | Expand the name of the service account 58 | */}} 59 | {{- define "mend-renovate.service-account-name" -}} 60 | {{- if eq "string" (printf "%T" .Values.serviceAccount) -}} 61 | {{- .Values.serviceAccount -}} 62 | {{- else if .Values.serviceAccount.create -}} 63 | {{- include "mend-renovate.name" . }}-sa 64 | {{- else -}} 65 | {{- .Values.serviceAccount.existingName -}} 66 | {{- end -}} 67 | {{- end -}} 68 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ee/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{- if not .Values.license.mendRnvAcceptTos }} 2 | ERROR: You must accept the Mend Terms of Service in order to run Mend Renovate. 3 | Please read https://mend.io/terms-of-service/ and then: 4 | 5 | helm upgrade {{ .Release.Name }} \ 6 | --set license.mendRnvAcceptTos=y renovate/mend-renovate 7 | 8 | {{- else }} 9 | 10 | 1. Get the application URL by running these commands: 11 | {{- if .Values.ingress.enabled }} 12 | {{- range $host := .Values.ingress.hosts }} 13 | {{- range $.Values.ingress.paths }} 14 | http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}{{ . }} 15 | {{- end }} 16 | {{- end }} 17 | {{- else if contains "NodePort" .Values.service.type }} 18 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "mend-renovate.fullname" . }}) 19 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 20 | echo http://$NODE_IP:$NODE_PORT 21 | {{- else if contains "LoadBalancer" .Values.service.type }} 22 | NOTE: It may take a few minutes for the LoadBalancer IP to be available. 23 | You can watch the status of by running 'kubectl get svc -w {{ include "mend-renovate.fullname" . 
}}' 24 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "mend-renovate.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') 25 | echo http://$SERVICE_IP:{{ .Values.service.ports.http }} 26 | {{- else if contains "ClusterIP" .Values.service.type }} 27 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "mend-renovate.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 28 | echo "Visit http://127.0.0.1:8080 to use your application" 29 | kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME 8080:80 30 | {{- end }} 31 | {{- end }} 32 | 33 | 2. View log output of the renovate pod by running these commands: 34 | 35 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "mend-renovate.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 36 | kubectl logs --namespace {{ .Release.Namespace }} $POD_NAME 37 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ce/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{- if not .Values.renovate.mendRnvAcceptTos }} 2 | ERROR: You must accept the Mend Terms of Service in order to run Mend Renovate. 3 | Please read https://mend.io/terms-of-service/ and then: 4 | 5 | helm upgrade {{ .Release.Name }} \ 6 | --set renovate.mendRnvAcceptTos=y renovate/mend-renovate 7 | 8 | {{- else }} 9 | 10 | 1. Get the application URL by running these commands: 11 | {{- if .Values.ingress.enabled }} 12 | {{- range $host := .Values.ingress.hosts }} 13 | {{- range $.Values.ingress.paths }} 14 | http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}{{ . 
}} 15 | {{- end }} 16 | {{- end }} 17 | {{- else if contains "NodePort" .Values.service.type }} 18 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "mend-renovate.fullname" . }}) 19 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 20 | echo http://$NODE_IP:$NODE_PORT 21 | {{- else if contains "LoadBalancer" .Values.service.type }} 22 | NOTE: It may take a few minutes for the LoadBalancer IP to be available. 23 | You can watch the status of by running 'kubectl get svc -w {{ include "mend-renovate.fullname" . }}' 24 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "mend-renovate.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') 25 | echo http://$SERVICE_IP:{{ .Values.service.ports.http }} 26 | {{- else if contains "ClusterIP" .Values.service.type }} 27 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "mend-renovate.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 28 | echo "Visit http://127.0.0.1:8080 to use your application" 29 | kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME 8080:80 30 | {{- end }} 31 | {{- end }} 32 | 33 | 2. View log output of the renovate pod by running these commands: 34 | 35 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "mend-renovate.name" . 
}},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 36 | kubectl logs --namespace {{ .Release.Namespace }} $POD_NAME 37 | -------------------------------------------------------------------------------- /docs/prometheus-metrics.md: -------------------------------------------------------------------------------- 1 | # Prometheus metrics 2 | 3 | A number of default metrics are exposed by Node.JS. 4 | 5 | Additionally, the following custom metrics are exposed: 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 21 | 24 | 27 | 49 | 50 | 51 | 54 | 57 | 60 | 82 | 83 | 84 | 87 | 90 | 93 | 95 | 96 | 97 |
MetricTypeDescriptionComments
19 | mend_renovate_queue_size 20 | 22 | gauge 23 | 25 | Current size of various queue types. 26 | 28 | Contains a number of queue types: 29 | 30 |
    31 |
  • 32 | scheduledAll 33 |
  • 34 |
  • 35 | scheduledHot 36 |
  • 37 |
  • 38 | scheduledCold 39 |
  • 40 |
  • 41 | scheduledCapped 42 |
  • 43 |
  • 44 | requested 45 |
  • 46 |
47 | 48 |
52 | mend_renovate_queue_max_wait 53 | 55 | gauge 56 | 58 | Current age in seconds of the oldest entry in each queue type. 59 | 61 | Contains a number of queue types: 62 | 63 |
    64 |
  • 65 | scheduledAll 66 |
  • 67 |
  • 68 | scheduledHot 69 |
  • 70 |
  • 71 | scheduledCold 72 |
  • 73 |
  • 74 | scheduledCapped 75 |
  • 76 |
  • 77 | requested 78 |
  • 79 |
80 | 81 |
85 | mend_renovate_job_wait_time 86 | 88 | summary 89 | 91 | Total time taken for a job from being enqueued to execution. 92 | 94 |
98 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ce/templates/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.renovate.npmrc (not .Values.renovate.npmrcExistingSecret) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "mend-renovate.npmrc-secret-name" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app.kubernetes.io/name: {{ .Release.Name }} 9 | helm.sh/chart: {{ include "mend-renovate.chart" . }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | app.kubernetes.io/managed-by: {{ .Release.Service }} 12 | data: 13 | .npmrc: {{ .Values.renovate.npmrc | b64enc | quote }} 14 | {{- end }} 15 | 16 | --- 17 | 18 | {{- if not .Values.renovate.existingSecret }} 19 | apiVersion: v1 20 | kind: Secret 21 | metadata: 22 | name: {{ include "mend-renovate.secret-name" . }} 23 | labels: 24 | app.kubernetes.io/name: {{ .Release.Name }} 25 | helm.sh/chart: {{ include "mend-renovate.chart" . 
}} 26 | app.kubernetes.io/instance: {{ .Release.Name }} 27 | app.kubernetes.io/managed-by: {{ .Release.Service }} 28 | data: 29 | {{- if .Values.renovate.mendRnvLicenseKey }} 30 | mendRnvLicenseKey: {{ .Values.renovate.mendRnvLicenseKey | b64enc | quote }} 31 | {{- end}} 32 | {{- if .Values.renovate.mendRnvGitlabPat }} 33 | mendRnvGitlabPat: {{ .Values.renovate.mendRnvGitlabPat | b64enc | quote }} 34 | {{- end}} 35 | {{- if .Values.renovate.mendRnvGithubAppId }} 36 | mendRnvGithubAppId: {{ .Values.renovate.mendRnvGithubAppId | b64enc | quote }} 37 | {{- end}} 38 | {{- if .Values.renovate.mendRnvGithubAppKey }} 39 | mendRnvGithubAppKey: {{ .Values.renovate.mendRnvGithubAppKey | b64enc | quote }} 40 | {{- end}} 41 | {{- if .Values.renovate.mendRnvBitbucketPat }} 42 | mendRnvBitbucketPat: {{ .Values.renovate.mendRnvBitbucketPat | b64enc | quote }} 43 | {{- end}} 44 | {{- if .Values.renovate.mendRnvAdminToken }} 45 | mendRnvAdminToken: {{ .Values.renovate.mendRnvAdminToken | b64enc | quote }} 46 | {{- end}} 47 | {{- if .Values.renovate.githubComToken }} 48 | githubComToken: {{ .Values.renovate.githubComToken | b64enc | quote }} 49 | {{- end}} 50 | {{- if .Values.renovate.mendRnvWebhookSecret }} 51 | mendRnvWebhookSecret: {{ .Values.renovate.mendRnvWebhookSecret | b64enc | quote }} 52 | {{- end}} 53 | {{- if .Values.renovate.pipIndexUrl }} 54 | pipIndexUrl: {{ .Values.renovate.pipIndexUrl | b64enc | quote }} 55 | {{- end}} 56 | {{- if .Values.renovate.mendRnvServerApiSecret }} 57 | mendRnvServerApiSecret: {{ .Values.renovate.mendRnvServerApiSecret | b64enc | quote }} 58 | {{- end }} 59 | {{- if .Values.postgresql.password }} 60 | pgPassword: {{ .Values.postgresql.password | b64enc | quote }} 61 | {{- end }} 62 | {{- end }} 63 | -------------------------------------------------------------------------------- /docs/configure-postgres-db.md: -------------------------------------------------------------------------------- 1 | # Postgres DB Configuration 2 | 3 | To configure 
renovate to use a PostgreSQL database, the following environment variables should be supplied to the Server containers (not required for Worker environment config). 4 | 5 | | Environment variable name | Description | 6 | |--------------------------------|---------------------------------------------------------------| 7 | | MEND_RNV_DATA_HANDLER_TYPE | Set to ‘postgresql’ to use a PostgreSQL database | 8 | | MEND_RNV_POSTGRES_SSL_PEM_PATH | The `.pem` file location in the container for SSL connection | 9 | | PGDATABASE | Name of the database instance. Eg. ‘postgres’ | 10 | | PGUSER | Postgres User name. Must have Create Schema permission. | 11 | | PGPASSWORD | Postgres User password | 12 | | PGHOST | Host name of the PostgreSQL instance | 13 | | PGPORT | Host Port for the PostgreSQL instance | 14 | 15 | **Note:** DB size is related to the number of repositories installed for Renovate. 16 | 17 | ## Example configuration 18 | 19 | Example configuration in a Docker Compose file is shown below. 20 | Swap out the values of PGXXX parameters for your own instances of the PostgreSQL database. The `PGPASSWORD: password` value is a placeholder; set a strong, unique password and supply it from an env file or secret store that is kept out of version control. 21 | 22 | ``` 23 | rnv-ee-server: 24 | restart: always 25 | image: ghcr.io/mend/renovate-ee-server 26 | depends_on: 27 | - postgres-database 28 | ports: 29 | - "8080" 30 | environment: 31 | MEND_RNV_DATA_HANDLER_TYPE: postgresql 32 | PGDATABASE: postgres 33 | PGUSER: postgres 34 | PGPASSWORD: password 35 | PGHOST: postgres-database 36 | PGPORT: 5432 37 | ``` 38 | 39 | Details of the PostgreSQL user, password, host and port must match your hosted instance of the Renovate PostgreSQL DB. 40 | This could be an externally managed PostgreSQL server, or an instance started inside your Docker Compose configuration. 41 | 42 | ## Spinning up a PostgreSQL DB container 43 | 44 | For convenience, you can spin up your own instance of a PostgreSQL DB, and an optional frontend Web UI. 
45 | 46 | ### Docker Compose example 47 | 48 | An example of using a PostgreSQL DB server container with Docker Compose is shown below. 49 | 50 | ``` 51 | postgres-database: 52 | restart: always 53 | image: postgres:16.1-alpine3.17 54 | environment: 55 | POSTGRES_USER: postgres 56 | POSTGRES_PASSWORD: password 57 | ports: 58 | - "5432:5432" 59 | ``` 60 | 61 | ### Helm Charts example 62 | 63 | An example of using PostgreSQL in Helm Charts is available in the [Helm chart example](https://github.com/mend/renovate-ce-ee/tree/main/helm-charts/mend-renovate-ee). 64 | 65 | -------------------------------------------------------------------------------- /docs/api.md: -------------------------------------------------------------------------------- 1 | # Renovate API 2 | 3 | Renovate CE/EE exposes a REST API that you can use to interact programmatically with Renovate. 4 | 5 | ## Enabling and Authentication 6 | 7 | The APIs are enabled by setting `MEND_RNV_API_ENABLED: true` (renamed from `MEND_RNV_ADMIN_API_ENABLED`). 8 | You must also configure an API secret by setting the `MEND_RNV_API_SERVER_SECRET` (renamed from `MEND_RNV_SERVER_API_SECRET`) variable. 9 | 10 | Authentication is done via the HTTP `Authorization` header, using the API secret as the password. Because the secret is sent in that header on every request, serve the API over HTTPS only. 11 | For example if the secret is `renovateapi` then you would authenticate with: 12 | 13 | ``` 14 | Authorization: Bearer renovateapi 15 | or 16 | Authorization: renovateapi 17 | ``` 18 | 19 | ## Endpoints 20 | 21 | Endpoints are divided into different sections 22 | 23 | ### Health 24 | 25 | * `GET /health` 26 | 27 | Returns 200 if API is healthy. 28 | 29 | ### Prometheus Metrics 30 | 31 | * `GET /metrics` 32 | 33 | This endpoint exposes Prometheus-compatible metrics. 34 | 35 | Controlled by `MEND_RNV_API_ENABLE_PROMETHEUS_METRICS` (backward compatible with `MEND_RNV_PROMETHEUS_METRICS_ENABLED`) 36 | 37 | Full documentation can be found in [prometheus-metrics.md](./prometheus-metrics.md). 
38 | 39 | ### System API Routes 40 | 41 | ``` 42 | GET /system/v1/status 43 | GET /system/v1/tasks/queue 44 | GET /system/v1/jobs/queue 45 | GET /system/v1/jobs/logs/:jobId 46 | POST /system/v1/jobs/add 47 | POST /system/v1/sync 48 | ``` 49 | 50 | Controlled by both: 51 | * `MEND_RNV_API_ENABLED: true` (backward compatible with `MEND_RNV_ADMIN_API_ENABLED`) 52 | * `MEND_RNV_API_ENABLE_SYSTEM: true` (backward compatible with `MEND_RNV_ADMIN_API_ENABLED`) 53 | 54 | 55 | See separate [System APIs documentation](api-system.md) for information about the System APIs. 56 | 57 | ### Jobs API Routes 58 | 59 | ``` 60 | POST /api/v1/repos/{org}/{repo}/-/jobs/run 61 | GET /api/v1/repos/{org}/{repo}/-/jobs/:jobId 62 | GET /api/v1/repos/{org}/{repo}/-/jobs 63 | ``` 64 | 65 | Controlled by both: 66 | * `MEND_RNV_API_ENABLED: true` (backward compatible with `MEND_RNV_ADMIN_API_ENABLED`) 67 | * `MEND_RNV_API_ENABLE_JOBS: true` (backward compatible with `MEND_RNV_ADMIN_API_ENABLED`) 68 | 69 | 70 | See separate [Job APIs documentation](api-jobs.md) for information about the Jobs APIs. 71 | 72 | 73 | ### Reporting APIs 74 | 75 | ``` 76 | GET /api/v1/orgs 77 | GET /api/v1/orgs/{org} 78 | GET /api/v1/orgs/{org}/-/repos 79 | 80 | GET /api/v1/repos/{org}/{repo} 81 | GET /api/v1/repos/{org}/{repo}/-/pulls 82 | GET /api/v1/repos/{org}/{repo}/-/dashboard 83 | 84 | GET /api/v1/orgs/-/libyears 85 | GET /api/v1/orgs/{org}/-/libyears 86 | GET /api/v1/repos/{org}/{repo}/-/libyears 87 | ``` 88 | 89 | Controlled by both: 90 | * `MEND_RNV_API_ENABLED: true` (backward compatible with `MEND_RNV_ADMIN_API_ENABLED`) 91 | * `MEND_RNV_API_ENABLE_REPORTING: true` (backward compatible with `MEND_RNV_REPORTING_ENABLED`) 92 | 93 | See separate [Reporting APIs documentation](api-reporting.md) for information about the Reporting APIs. 
94 | -------------------------------------------------------------------------------- /examples/docker-compose/docker-compose-renovate-community.yml: -------------------------------------------------------------------------------- 1 | version: "3.4" 2 | 3 | ## Title: Renovate CE Basic 4 | ## Description: This example Docker Compose file starts a single container for Mend Renovate Community Edition. 5 | ## Details: Creates 1 x Mend Renovate CE container that acts as Server and Worker. Uses SQLite DB in filesystem. 6 | 7 | services: 8 | renovate-ce: 9 | # Check latest version here: https://github.com/mend/renovate-ce-ee/pkgs/container/renovate-ce 10 | image: ghcr.io/mend/renovate-ce: # Replace with a specific version number 11 | ports: 12 | # Note: Set MEND_RNV_SERVER_PORT to match internal port. (Defaults to 8080) 13 | - "80:8080" # "[external]:[internal]" Receive APIs and Webhooks on external port 14 | env_file: 15 | # Import required settings for Mend Renovate Self-hosted 16 | - ../env/mend-renovate.env # Provide a license key and accept the Terms of Service 17 | # Choose an env file that matches your Git repository 18 | - ../env/github.env 19 | # - ../env/gitlab.env 20 | # - ../env/bitbucket.env 21 | # Import optional settings for Renovate CE 22 | # - ../env/renovate-server-config.env # Set 'MEND_RNV_SERVER_HOSTNAME' to match server container (ie. http://rnv-ee-server:8080) 23 | # - ../env/renovate-core.env # Set Renovate CLI configuration options. (ie. `RENOVATE_REPOSITORY_CACHE=enabled`) 24 | # Postgres DB config 25 | # - ../env/postgres-db.env # Import Postgres config if using PostgreSQL DB 26 | # MinIO S3 storage 27 | # - ../env/minio.env 28 | environment: 29 | LOG_LEVEL: debug # Defaults to 'info' 30 | # LOG_FORMAT: json # Defaults to 'pretty'. Use 'json' when importing logs to reporting tool (eg. Splunk). 31 | MEND_RNV_REQUEST_LOGGER_ENABLED: true # Set to 'true' to log all incoming API requests to DEBUG logger. Defaults to 'false'. 
32 | # API settings 33 | MEND_RNV_ADMIN_API_ENABLED: true # Enable incoming API calls. Must set `MEND_RNV_SERVER_API_SECRET` (Hint: check the mend-renovate.env file). 34 | MEND_RNV_REPORTING_ENABLED: true # Set to 'true' to enable Reporting APIs. (Set `RENOVATE_REPOSITORY_CACHE` on Worker for PR data) 35 | # If persisting Job logs or DB, set the following environment variables and enable volume mounts for /logs and /db 36 | MEND_RNV_LOG_HISTORY_DIR: /logs # Persist Renovate job logs. Enable volume mount for /logs 37 | MEND_RNV_SQLITE_FILE_PATH: /db/renovate-db.sqlite # Persist database to file. Enable volume mount for /db. 38 | # Renovate CLI configuration options 39 | RENOVATE_REPOSITORY_CACHE: # Enable repository cache to speed up subsequent jobs on a repo 40 | volumes: 41 | # Tip: Create folders in advance to avoid permission issues (ie. when Renovate CLI tries to write logs) 42 | - /tmp/renovate/job-logs:/logs # Unix version 43 | - /tmp/renovate/db:/db 44 | # - C:\tmp\renovate\job-logs:/logs # Windows version 45 | # - C:\tmp\renovate\db:/db 46 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ee/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "mend-renovate.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 
13 | */}} 14 | {{- define "mend-renovate.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "mend-renovate.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Expand the name of the license secret 36 | */}} 37 | {{- define "mend-renovate.license-secret-name" -}} 38 | {{- if .Values.license.existingSecret -}} 39 | {{- .Values.license.existingSecret -}} 40 | {{- else -}} 41 | {{- include "mend-renovate.name" . }}-license 42 | {{- end -}} 43 | {{- end -}} 44 | 45 | {{/* 46 | Expand the name of the server secret 47 | */}} 48 | {{- define "mend-renovate.server-secret-name" -}} 49 | {{- if .Values.renovateServer.existingSecret -}} 50 | {{- .Values.renovateServer.existingSecret -}} 51 | {{- else -}} 52 | {{- include "mend-renovate.name" . }}-server 53 | {{- end -}} 54 | {{- end -}} 55 | 56 | {{/* 57 | Expand the name of the worker secret 58 | */}} 59 | {{- define "mend-renovate.worker-secret-name" -}} 60 | {{- if .Values.renovateWorker.existingSecret -}} 61 | {{- .Values.renovateWorker.existingSecret -}} 62 | {{- else -}} 63 | {{- include "mend-renovate.name" . 
}}-worker 64 | {{- end -}} 65 | {{- end -}} 66 | 67 | {{/* 68 | Expand the name of the npmrc secret 69 | */}} 70 | {{- define "mend-renovate.npmrc-secret-name" -}} 71 | {{- if .Values.renovateWorker.npmrcExistingSecret -}} 72 | {{- .Values.renovateWorker.npmrcExistingSecret -}} 73 | {{- else -}} 74 | {{- include "mend-renovate.name" . }}-npmrc 75 | {{- end -}} 76 | {{- end -}} 77 | 78 | {{/* 79 | Expand the name of the server service account 80 | */}} 81 | {{- define "mend-renovate.server-service-account-name" -}} 82 | {{- if .Values.renovateServer.serviceAccount.create -}} 83 | {{- include "mend-renovate.name" . }}-server-sa 84 | {{- else -}} 85 | {{- .Values.renovateServer.serviceAccount.existingName -}} 86 | {{- end -}} 87 | {{- end -}} 88 | 89 | {{/* 90 | Expand the name of the worker service account 91 | */}} 92 | {{- define "mend-renovate.worker-service-account-name" -}} 93 | {{- if .Values.renovateWorker.serviceAccount.create -}} 94 | {{- include "mend-renovate.name" . }}-worker-sa 95 | {{- else -}} 96 | {{- .Values.renovateWorker.serviceAccount.existingName -}} 97 | {{- end -}} 98 | {{- end -}} 99 | -------------------------------------------------------------------------------- /docs/high-server-availability.md: -------------------------------------------------------------------------------- 1 | # Renovate EE High Availability Server 2 | 3 | Renovate Enterprise Edition allows scaling of Renovate Server containers, separately to the scaling of the Worker containers. Server redundancy provides high availability for the Renovate Server by reducing bottlenecks caused by large volumes of incoming Webhook and API requests. 4 | 5 | In order to allow multiple servers to access the one database, a requirement of the High Availability is that the DB be network accessible. The current implementation uses a PostgreSQL database. 
See the documentation for [PostgreSQL DB configuration](https://github.com/mend/renovate-ce-ee/blob/main/docs/configure-postgres-db.md) for further details. 6 | 7 | ## Technical Requirements 8 | 9 | ### Renovate EE feature only 10 | High Availability Server is a feature only available with Renovate Enterprise Edition. Contact Mend.io regarding licensing for [Renovate Enterprise](https://www.mend.io/renovate-enterprise/). 11 | 12 | ### Network Database - PostgreSQL 13 | With multiple Server containers requiring access to the information in the Renovate database, it is essential that the DB be available as a network database rather than residing only on a single Server container. 14 | The current implementation of the Renovate database for HA Server is PostgreSQL. When hosting Renovate EE with HA Server, a Postgres instance must be available and accessible to the Renovate Server pool. 15 | 16 | See the documentation for [PostgreSQL DB configuration](https://github.com/mend/renovate-ce-ee/blob/main/docs/configure-postgres-db.md) for further details. 17 | 18 | ## How it works 19 | **Summary: All Renovate Servers process incoming requests. The Primary server also runs cron jobs.** 20 | 21 | When multiple instances of the Renovate Server are running, all will be capable of processing incoming requests via Webhooks and API calls. 22 | One server will designate itself as the Primary server, and this server will also have the additional responsibility to run system cron jobs. (ie. App sync, Job scheduling, Log cleanup). 23 | 24 | ### Selecting the Primary Server 25 | 26 | On startup, each Renovate Server will check the database to see if a Primary server is already allocated. If not, it will allocate itself as the primary server and update the database to reflect it. 27 | Also, all Renovate Servers will perform the Primary check every 30 seconds. This provides faster failover if one of the servers goes down. 
28 | 29 | You can check the container logs to see whether a server has taken the primary role. 30 | 31 | ### Load balancing the servers 32 | 33 | Incoming Webhooks for a GitHub App can only point to one URL. In order to spread the load over multiple servers, a load balancing system must be implemented. 34 | Note: Sample Docker Compose files contain examples of including an nginx load balance in the Docker environment, which will automatically handle routing the request to the servers. 35 | 36 | # Configuration 37 | 38 | ### Enabling Renovate HA Server 39 | High Availability Server means running more than one Renovate Server container instance. This is defined by the “replicas” property in the Docker Compose file or Helm Charts. See examples below. 40 | 41 | Docker Compose example 42 | ``` 43 | … 44 | rnv-ee-server: 45 | restart: always 46 | image: ghcr.io/mend/renovate-ee-server 47 | deploy: 48 | replicas: 2 49 | … 50 | ``` 51 | 52 | Example of Helm chart configuration (in values.yaml) 53 | ``` 54 | … 55 | renovateServer: 56 | image: 57 | repository: ghcr.io/mend/renovate-ee-server 58 | tag: 6.9.1 59 | pullPolicy: IfNotPresent 60 | 61 | # Number of renovate-ee-server (for SQLite only 1 replica is allowed) 62 | replicas: 2 63 | … 64 | ``` -------------------------------------------------------------------------------- /docs/advanced.md: -------------------------------------------------------------------------------- 1 | # Mend Renovate Advanced Details 2 | 3 | ## Modules 4 | 5 | ### In-memory Database 6 | 7 | This database is used to keep track of installed repositories as well as the job queue. 8 | Naturally, it is cleared upon container restart and repopulated upon container start. 
9 | 10 | ### Scheduler 11 | 12 | For GitHub, the scheduler: 13 | 14 | - Queries the GitHub server for a list of organization or account App installations 15 | - Obtains a list of all installed repositories for each installation 16 | - Randomizes the list and adds them all to the database's job queue 17 | 18 | For GitLab, the scheduler: 19 | 20 | - Queries the GitLab server for a list of repositories that the bot account has Developer or greater access rights to 21 | - Randomizes the list and adds them all to the database's job queue 22 | 23 | It runs according to its configured `cron` schedule, which defaults to running on the hour. 24 | 25 | ### Webhook Handler 26 | 27 | The webhook handler listens for events from the VCS server and adds or updates jobs in the job queue if the criteria are met. 28 | 29 | An example criterion is if someone edits the `renovate.json` in `main` branch - this would trigger a high priority job. 30 | 31 | To ensure that one repository doesn't get queued up multiple times, the database enforces a rule that each repository can be queued at most once at a time. 32 | Therefore if the repository already exists in the job queue (e.g. due to the hourly scheduler) and then a higher priority job reason comes up, then the existing entry in the job queue will have its priority updated in order to get processed earlier. 33 | 34 | ### Worker 35 | 36 | The worker runs on an endless loop where it queries the DB for the next job (sorted by priority) and processes whatever repository it is given. 37 | If the job queue is empty, it sleeps for a second before retrying. 38 | 39 | If the Mend Renovate server receives a SIGINT (e.g. maybe you are upgrading it and want to restart it with a newer image), then the worker will attempt to finish whatever job it is currently processing before shutting down gracefully. 40 | Therefore it is recommended to supply a long timeout value (e.g. 
60+ seconds) to Docker in order to allow the worker to finish what it's working on. 41 | 42 | Here is an excerpt showing the relative priority of job types: 43 | 44 | ```json 45 | { 46 | "hourly": 10, 47 | "manual-pr-close": 20, 48 | "automerge": 30, 49 | "main-commit": 40, 50 | "renovate-config-commit": 40, 51 | "installed": 50, 52 | "repositories-added": 60, 53 | "manual-pr-merge": 70, 54 | "closed-pr-rename": 80, 55 | "pr-update": 90, 56 | "onboarding-update": 100, 57 | "dependency-dashboard": 110, 58 | "rebase-request": 120, 59 | "api-request": 130 60 | } 61 | ``` 62 | 63 | Note: For consistency, the abbreviation `pr` is used in the job queue for both GitHub and GitLab, even though GitLab uses the term "Merge Request" instead of "Pull Request". 64 | 65 | In other words, the highest priority job is when someone commits an update to the config in an onboarding PR, and the lowest priority jobs are the ones added by the scheduler. 66 | The above job types have been sorted in order of how quickly users would expect to receive feedback. 67 | Because onboarding is an interactive process, it needs the most responsiveness. 68 | 69 | ## Horizontal Scaling 70 | 71 | The current architecture of Mend Renovate CE is monolithic in order to keep things simple and maximize maintainability. 72 | Accordingly, there is a 1:1 relationship between the worker and the job queue, meaning that only one job can be processed at a time. 73 | 74 | Renovate EE is designed with Horizontal scalability in mind. It separates the components into a server/worker architecture that can scale independently on different containers/machines. 
75 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ee/templates/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.renovateWorker.npmrc (not .Values.renovateWorker.npmrcExistingSecret) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "mend-renovate.npmrc-secret-name" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app.kubernetes.io/name: {{ .Release.Name }} 9 | helm.sh/chart: {{ include "mend-renovate.chart" . }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | app.kubernetes.io/managed-by: {{ .Release.Service }} 12 | data: 13 | .npmrc: {{ .Values.renovateWorker.npmrc | b64enc | quote }} 14 | {{- end }} 15 | 16 | --- 17 | 18 | {{- if not .Values.license.existingSecret }} 19 | apiVersion: v1 20 | kind: Secret 21 | metadata: 22 | namespace: {{ .Release.Namespace }} 23 | name: {{ include "mend-renovate.license-secret-name" . }} 24 | labels: 25 | app.kubernetes.io/name: {{ .Release.Name }} 26 | helm.sh/chart: {{ include "mend-renovate.chart" . }} 27 | app.kubernetes.io/instance: {{ .Release.Name }} 28 | app.kubernetes.io/managed-by: {{ .Release.Service }} 29 | data: 30 | {{- if .Values.license.mendRnvLicenseKey }} 31 | mendRnvLicenseKey: {{ .Values.license.mendRnvLicenseKey | b64enc | quote }} 32 | {{- end}} 33 | {{- end}} 34 | 35 | --- 36 | 37 | {{- if not .Values.renovateServer.existingSecret }} 38 | apiVersion: v1 39 | kind: Secret 40 | metadata: 41 | namespace: {{ .Release.Namespace }} 42 | name: {{ include "mend-renovate.server-secret-name" . }} 43 | labels: 44 | app.kubernetes.io/name: {{ .Release.Name }} 45 | helm.sh/chart: {{ include "mend-renovate.chart" . 
}} 46 | app.kubernetes.io/instance: {{ .Release.Name }} 47 | app.kubernetes.io/managed-by: {{ .Release.Service }} 48 | data: 49 | {{- if .Values.renovateServer.mendRnvGitlabPat }} 50 | mendRnvGitlabPat: {{ .Values.renovateServer.mendRnvGitlabPat | b64enc | quote }} 51 | {{- end}} 52 | {{- if .Values.renovateServer.mendRnvGithubAppId }} 53 | mendRnvGithubAppId: {{ .Values.renovateServer.mendRnvGithubAppId | b64enc | quote }} 54 | {{- end}} 55 | {{- if .Values.renovateServer.mendRnvGithubAppKey }} 56 | mendRnvGithubAppKey: {{ .Values.renovateServer.mendRnvGithubAppKey | b64enc | quote }} 57 | {{- end}} 58 | {{- if .Values.renovateServer.mendRnvBitbucketPat }} 59 | mendRnvBitbucketPat: {{ .Values.renovateServer.mendRnvBitbucketPat | b64enc | quote }} 60 | {{- end}} 61 | {{- if .Values.renovateServer.mendRnvAdminToken }} 62 | mendRnvAdminToken: {{ .Values.renovateServer.mendRnvAdminToken | b64enc | quote }} 63 | {{- end}} 64 | {{- if .Values.renovateServer.mendRnvWebhookSecret }} 65 | mendRnvWebhookSecret: {{ .Values.renovateServer.mendRnvWebhookSecret | b64enc | quote }} 66 | {{- end}} 67 | {{- if .Values.renovateServer.mendRnvServerApiSecret }} 68 | mendRnvServerApiSecret: {{ .Values.renovateServer.mendRnvServerApiSecret | b64enc | quote }} 69 | {{- end }} 70 | {{- if .Values.postgresql.password }} 71 | pgPassword: {{ .Values.postgresql.password | b64enc | quote }} 72 | {{- end }} 73 | {{- end }} 74 | 75 | --- 76 | 77 | {{- if not .Values.renovateWorker.existingSecret }} 78 | apiVersion: v1 79 | kind: Secret 80 | metadata: 81 | namespace: {{ .Release.Namespace }} 82 | name: {{ include "mend-renovate.worker-secret-name" . }} 83 | labels: 84 | app.kubernetes.io/name: {{ .Release.Name }} 85 | helm.sh/chart: {{ include "mend-renovate.chart" . 
}} 86 | app.kubernetes.io/instance: {{ .Release.Name }} 87 | app.kubernetes.io/managed-by: {{ .Release.Service }} 88 | data: 89 | {{- if .Values.renovateWorker.githubComToken }} 90 | githubComToken: {{ .Values.renovateWorker.githubComToken | b64enc | quote }} 91 | {{- end}} 92 | {{- if .Values.renovateWorker.pipIndexUrl }} 93 | pipIndexUrl: {{ .Values.renovateWorker.pipIndexUrl | b64enc | quote }} 94 | {{- end}} 95 | {{- end }} 96 | -------------------------------------------------------------------------------- /docs/api-system.md: -------------------------------------------------------------------------------- 1 | # System APIs 2 | 3 | Enabling system APIs is done by setting both `MEND_RNV_API_ENABLED: true` and `MEND_RNV_API_ENABLE_SYSTEM: true` (both are backward compatible with `MEND_RNV_ADMIN_API_ENABLED`) 4 | 5 | ### Queue status 6 | 7 | `GET /system/v1/jobs/queue` 8 | 9 | Returns the current status of the job queue, including number of pending jobs. 10 | 11 | `GET /system/v1/tasks/queue` 12 | 13 | Returns the current status of the task queue, including number of pending tasks. 14 | Generally speaking, tasks are internal implementation details, such as syncing. 15 | As end-user you usually do not need to worry about tasks. 16 | This API is exposed primarily to help you troubleshoot if something is going wrong. 17 | 18 | ### Sync and jobs 19 | 20 | `POST /system/v1/sync` 21 | 22 | Triggers an immediate repository sync against the platform/server. 23 | Normally you don't need this endpoint. 24 | But it can be useful if you think Renovate's internal state has become out of sync: for example when a new repository is missing. 25 | 26 | `POST /system/v1/jobs/add` 27 | 28 | This endpoint allows adding a new job to the queue. 29 | The request body must contain a single repository: 30 | 31 | ```json 32 | { "repository": "some-org/some-repo" } 33 | ``` 34 | 35 | ### Status 36 | 37 | `GET /system/v1/status` 38 | 39 | Return the current status of the service since boot time. 
This information includes job history, job queue size, in-progress jobs, scheduler status, webhook status, Renovate version, and more. All timestamps in the response body are in UTC. 40 | 41 | 42 | ### Logs 43 | 44 | #### Get Job Logs by JobID 45 | 46 | API: [GET] /system/v1/jobs/logs/{jobId} 47 | 48 | **Description:** Returns the job logs for the specified JobID 49 | 50 | Note: This returns the same as [Get Job Logs by Repo](#get-job-logs-by-repo) with JobID variation, but conveniently does not require the {org}/{repo} in the API endpoint. 51 | 52 | **Example:** Fetch job logs for JobID `5a3572bf-49fe-42bb-a066-ff1146fe83d1` 53 | 54 | [GET] http://my.renovate.server.com/system/v1/jobs/logs/5a3572bf-49fe-42bb-a066-ff1146fe83d1 55 | 56 | ```json 57 | {"name":"renovate","hostname":"271939e11491","pid":21,"level":20,"logContext":"5a3572bf-49fe-42bb-a066-ff1146fe83d1","config":{},"msg":"File config","time":"2024-05-13T12:41:58.139Z","v":0} 58 | {"name":"renovate","hostname":"271939e11491","pid":21,"level":20,"logContext":"5a3572bf-49fe-42bb-a066-ff1146fe83d1","config":{},"msg":"CLI config","time":"2024-05-13T12:41:58.143Z","v":0} 59 | {"name":"renovate","hostname":"271939e11491","pid":21,"level":20,"logContext":"5a3572bf-49fe-42bb-a066-ff1146fe83d1","config":{},"msg":"Env config","time":"2024-05-13T12:41:58.152Z","v":0} 60 | {"......many rows removed......"} 61 | {"name":"renovate","hostname":"271939e11491","pid":21,"level":20,"logContext":"5a3572bf-49fe-42bb-a066-ff1146fe83d1","repository":"my-org/my-repo","hosts":[],"msg":"dns cache","time":"2024-05-13T12:42:29.346Z","v":0} 62 | {"name":"renovate","hostname":"271939e11491","pid":21,"level":30,"logContext":"5a3572bf-49fe-42bb-a066-ff1146fe83d1","repository":"my-org/my-repo","cloned":false,"durationMs":29063,"msg":"Repository finished","time":"2024-05-13T12:42:29.348Z","v":0} 63 | {"name":"renovate","hostname":"271939e11491","pid":21,"level":20,"logContext":"5a3572bf-49fe-42bb-a066-ff1146fe83d1","msg":"Checking file 
package cache for expired items","time":"2024-05-13T12:42:29.351Z","v":0} 64 | {"name":"renovate","hostname":"271939e11491","pid":21,"level":20,"logContext":"5a3572bf-49fe-42bb-a066-ff1146fe83d1","msg":"Verifying and cleaning cache: /tmp/renovate/cache/renovate/renovate-cache-v1","time":"2024-05-13T12:42:29.521Z","v":0} 65 | {"name":"renovate","hostname":"271939e11491","pid":21,"level":20,"logContext":"5a3572bf-49fe-42bb-a066-ff1146fe83d1","msg":"Deleted 0 of 29 file cached entries in 840ms","time":"2024-05-13T12:42:30.193Z","v":0} 66 | ``` -------------------------------------------------------------------------------- /examples/tls/README.md: -------------------------------------------------------------------------------- 1 | # Instructions for using TLS communication for Renovate EE with Docker Compose files 2 | 3 | ### Contents 4 | 5 | 6 | * [1. Generate local certificate keys and files](#1-generate-local-certificate-keys-and-files) 7 | * [Example certificate generation file (cert.conf)](#example-certificate-generation-file-certconf) 8 | * [Example script for generating local certificates (cert_create.sh)](#example-script-for-generating-local-certificates-cert_createsh-) 9 | * [2. Update Docker Compose configuration](#2-update-docker-compose-configuration) 10 | 11 | 12 | ## 1. Generate local certificate keys and files 13 | - Create a file `cert.conf` to hold certificate configuration. ([See example](#example-certificate-generation-file-certconf)) 14 | - Create file `cert_create.sh` and run from a command prompt with OpenSSL installed. 
([See example](#example-script-for-generating-local-certificates-cert_createsh-)) 15 | 16 | - Running the script will generate three files: 17 | - local_ca.pem 18 | - local_server.key 19 | - local_server.pem 20 | 21 | - Reference these files in the TLS configuration: 22 | - tls_server_config.json (key: local_server.key, cert: local_server.pem) 23 | - tls_worker_config.json (ca: local_ca.pem) 24 | 25 | ### Example certificate generation file (cert.conf) 26 | ``` 27 | [ local_san ] 28 | keyUsage = digitalSignature, nonRepudiation, keyEncipherment 29 | extendedKeyUsage = serverAuth 30 | subjectKeyIdentifier = hash 31 | authorityKeyIdentifier = keyid,issuer 32 | subjectAltName = @local_san_subject 33 | basicConstraints = CA:FALSE 34 | 35 | [ local_san_subject ] 36 | # Valid local addresses. Note: 127.0.0.1 and ::1 are listed below as DNS names; TLS clients that connect by IP address typically match it against IP.n entries (see the commented examples at the end), not DNS.n entries. 37 | DNS.1 = localhost 38 | DNS.2 = 127.0.0.1 39 | DNS.3 = ::1 40 | DNS.4 = test.local 41 | DNS.5 = api.localhost 42 | DNS.6 = rnv-ee-server 43 | ## Example local IPs for testing 44 | # IP.1 = 192.168.1.100 45 | # IP.2 = 192.168.1.101 46 | ``` 47 | 48 | ### Example script for generating local certificates (cert_create.sh) 49 | ```sh 50 | #!/bin/sh 51 | 52 | # inspired by https://gist.github.com/nathanielks/88e7827a653e8696021ed436481b42dc 53 | # 54 | 55 | common_name="localhost" 56 | 57 | # Step 1: Generate a 4096-bit private key for the Certificate Authority (CA) 58 | openssl genrsa -out local_ca.key 4096 59 | 60 | # Step 2: Create a self-signed CA certificate valid for 1000 days 61 | openssl req -x509 -new -nodes -key local_ca.key -days 1000 -sha256 \ 62 | -subj "/CN=$common_name" -out local_ca.pem 63 | 64 | # Step 3: Generate a 2048-bit private key for the server 65 | openssl genrsa -out local_server.key 2048 66 | 67 | # Step 4: Create a Certificate Signing Request (CSR) for the server 68 | openssl req -new -subj "/CN=$common_name" -key local_server.key -out local_server.csr 69 | 70 | # Step 5: Sign the CSR with the local CA, using extensions from cert.conf 71 | openssl x509 -req
-sha256 -CAcreateserial \ 72 | -CA local_ca.pem \ 73 | -CAkey local_ca.key \ 74 | -days 1000 \ 75 | -extfile cert.conf \ 76 | -extensions local_san \ 77 | -in local_server.csr \ 78 | -out local_server.pem 79 | 80 | # Step 6: Clean up sensitive intermediate files 81 | rm local_ca.key 82 | rm local_ca.srl 83 | rm local_server.csr 84 | chmod 600 local_server.key # Restrict server key permissions for better security 85 | ``` 86 | 87 | ## 2. Update Docker Compose configuration 88 | 89 | Update the Docker Compose examples as follows: 90 | 91 | Ensure that the `tls` directory is mounted in both the SERVER and WORKER configurations: 92 | - volumes: 93 | - `//examples/tls:/tls` # Linux version 94 | - `C:\\examples\tls:/tls` # Windows version 95 | 96 | Add/update the following environment variables: 97 | - SERVER 98 | - `MEND_RNV_SERVER_HTTPS_PORT: 8443` 99 | - `MEND_RNV_SERVER_HTTPS_CONFIG_PATH: /tls/tls_server_config.json` 100 | - WORKER 101 | - `MEND_RNV_SERVER_HOSTNAME: https://rnv-ee-server:8443` 102 | - `MEND_RNV_CLIENT_HTTPS_CONFIG_PATH: /tls/tls_worker_config.json` 103 | -------------------------------------------------------------------------------- /examples/env/renovate-server-config.env: -------------------------------------------------------------------------------- 1 | # Mend Renovate Self-hosted Application settings 2 | # For details, see [Configuration Options](https://github.com/mend/renovate-ce-ee/blob/main/docs/configuration-options.md) 3 | 4 | ## Server listener settings 5 | # MEND_RNV_SERVER_PORT=8080 # The port on which the server listens for webhooks and api requests. Defaults to 8080. Note: Must match Server internal port. 6 | # TLS Communication (HTTPS/SSL) 7 | # MEND_RNV_SERVER_HTTPS_PORT=8443 # Required for secure communication. Defaults to 8443. Note: Ensure 'MEND_RNV_SERVER_HOSTNAME' is updated (eg. https://rnv-ee-server:8443). 8 | # MEND_RNV_HTTP_SERVER_DISABLED=true # Set to 'true' to ensure that non-secure requests are rejected. 
9 | # MEND_RNV_SERVER_HTTPS_CONFIG= # TLS config (JSON format) 10 | # MEND_RNV_SERVER_HTTPS_CONFIG_PATH=/tls/tls_server_config.json # File for defining TLS config. Note: Ensure volume is set on Server. 11 | 12 | ## API settings 13 | # MEND_RNV_ADMIN_API_ENABLED=true # Enable incoming API calls. Must set `MEND_RNV_SERVER_API_SECRET` (Hint: check the mend-renovate.env file). 14 | # MEND_RNV_REQUEST_LOGGER_ENABLED=true # Set to 'true' to log all incoming API requests to DEBUG logger. Defaults to 'false'. 15 | 16 | ## Database settings 17 | # MEND_RNV_SQLITE_FILE_PATH=/db/renovate-db.sqlite # Persist database to file. Defaults to '/tmp/database.sqlite'. Enable volume mount if not using '/tmp'. 18 | 19 | ## App Sync behavior 20 | # MEND_RNV_SYNC_ON_STARTUP=false # Defaults to true. Defines if App Sync will be performed when the server starts. 21 | # MEND_RNV_SYNC_MODE=batch # [GitHub only] Defaults to 'bulk'. Options: bulk,batch. Set to 'batch' to process one org at a time. 22 | # MEND_RNV_CRON_APP_SYNC="0 0,4,8,12,16,20 * * *" # Accepts a 5-part cron schedule. Defaults to every 4 hours. Increase frequency when system hooks not available (ie. GitLab and Bitbucket Cloud) 23 | 24 | ## Job Scheduling behavior 25 | # MEND_RNV_ENQUEUE_JOBS_ON_STARTUP=disabled # Defaults to 'discovered'. Options: 'enabled','disabled','discovered' 26 | # MEND_RNV_AUTODISCOVER_FILTER=org1/*, org2/test* # Renovate will only run on these repos 27 | # MEND_RNV_CRON_JOB_SCHEDULER_ALL=off # Default Hourly for CE. Options: off,always,{cron} (ie. '0 * * * *' = every hour on the hour) 28 | 29 | ## Job log storage 30 | # [Store job logs on the filesystem] 31 | # MEND_RNV_LOG_HISTORY_DIR=/logs # Persist Renovate job logs - organized by org/rep/timestamp. Enable volume mount! 32 | # MEND_RNV_LOG_HISTORY_CLEANUP_CRON="0 0 * * *" # Optional. Specifies a 5-part cron schedule. Defaults to midnight. 33 | # MEND_RNV_LOG_HISTORY_TTL_DAYS=30 # The number of days to save log files. Defaults to 30. 
34 | # [Store job logs in S3 bucket - eg. AWS/MinIO] 35 | # Note: S3 connection details are also required in the Worker container. 36 | # MEND_RNV_LOG_HISTORY_S3=s3://job-logs # Persist job logs to S3 storage location. Format: s3:///dir1/dir2 (Also see `MEND_RNV_S3_FORCE_PATH_STYLE`.) 37 | # MEND_RNV_S3_FORCE_PATH_STYLE=true # Defaults to 'false'. Set to 'true' if the endpoint for your S3 storage must be used without manipulation - eg. connecting to MinIO S3. (See `MEND_RNV_LOG_HISTORY_S3`) 38 | 39 | ####---------------------------------------#### 40 | #### Enterprise only configuration options #### 41 | ####---------------------------------------#### 42 | 43 | # MEND_RNV_REPORTING_ENABLED=true # Defaults to 'false'. Set to 'true' to enable Reporting APIs. (Set `RENOVATE_REPOSITORY_CACHE` on Worker for PR data) 44 | 45 | # MEND_RNV_MERGE_CONFIDENCE_ENDPOINT=https://developer.mend.io/ # Defines the API endpoint used to retrieve Merge Confidence data. Defaults to https://developer.mend.io/ 46 | # MEND_RNV_MC_TOKEN=auto # The authentication token required when using Merge Confidence Workflows. Set this to 'auto' (default), or provide the value of a merge confidence API token. 47 | 48 | # MEND_RNV_VERSION_CHECK_INTERVAL=60 # Defaults to 60. Escalation period (minutes) for mismatching Server/Worker versions. 49 | 50 | # Job scheduling - Options: off,always,{cron} (ie. 
'0 * * * *' = every hour on the hour) 51 | # MEND_RNV_CRON_JOB_SCHEDULER_HOT=off # Default Hourly - Active repos [new, activated] 52 | # MEND_RNV_CRON_JOB_SCHEDULER_COLD=off # Default Daily - Semi-active repos [onboarded, onboarding, failed] 53 | # MEND_RNV_CRON_JOB_SCHEDULER_CAPPED=off # Default Weekly - Blocked repos [resource-limit, timeout] 54 | # MEND_RNV_CRON_JOB_SCHEDULER_ALL=off # Default Monthly for EE - All enabled repos [not disabled] 55 | -------------------------------------------------------------------------------- /docs/events.md: -------------------------------------------------------------------------------- 1 | # Event-driven notifications 2 | 3 | Renovate EE supports event-driven notifications via its **workers**. When enabled, Renovate CLI log messages at `INFO` 4 | level and above will be submitted to the predefined Kafka broker. 5 | 6 | ## Environment variables for configuring event notifications to Kafka 7 | 8 | The following is a list of configuration variables for configuring event notifications to Kafka. 9 | 10 | | Configuration variable | Brief description | 11 | |----------------------------------------------|---------------------------------------------------------------| 12 | | `MEND_RNV_KAFKA_TOPIC_NAME` | The Kafka topic to which messages are submitted. | 13 | | `MEND_RNV_KAFKA_TOPIC_CONFIG` | Topic configuration for Kafka producer. | 14 | | `MEND_RNV_KAFKA_PRODUCER_GLOBAL_CONFIG` | Global configuration for the Kafka producer. | 15 | | `MEND_RNV_KAFKA_PRODUCER_GLOBAL_CONFIG_PATH` | Path to a global producer configuration file. | 16 | | `MEND_RNV_KAFKA_PARTITION_KEY_CANDIDATES` | List of keys whose values will be used as Kafka message keys. | 17 | 18 | See below for detailed descriptions and examples. 19 | 20 | # Configuration details 21 | 22 | To enable event-driven notifications, either `MEND_RNV_KAFKA_PRODUCER_GLOBAL_CONFIG` or 23 | `MEND_RNV_KAFKA_PRODUCER_GLOBAL_CONFIG_PATH` must be configured.
If both are provided, the former will take precedence. 24 | Renovate EE uses the `node-rdkafka`[^1] library, which is a wrapper around `librdkafka`[^2]. 25 | 26 | All the configuration options described below should be set on the Renovate EE worker end. 27 | 28 | **`MEND_RNV_KAFKA_TOPIC_NAME`**: The Kafka topic to which messages are submitted. Default: "mend-renovate-ee". 29 | 30 | > [!IMPORTANT] 31 | > Topics need to be manually created. If the topic defined does not exist at startup, the worker will terminate. 32 | 33 | **`MEND_RNV_KAFKA_TOPIC_CONFIG`**: Optional. A Kafka producer topic configuration. Expects a JSON string representation 34 | of `node-rdkafka`' s [producer topic config interface](https://github.com/Blizzard/node-rdkafka/blob/23a403d4ee26e2b34449e10dd96f193aea78d4ed/config.d.ts#L987-L1074). 35 | 36 | **`MEND_RNV_KAFKA_PRODUCER_GLOBAL_CONFIG`**: A global configuration for the Kafka producer. Expects a JSON string 37 | representation of the `librdkafka` [global configuration properties](https://github.com/confluentinc/librdkafka/blob/6d8ce88c6a2d02881e6c93f405c4518dcec9570a/CONFIGURATION.md). 38 | 39 | Minimal configuration example: 40 | 41 | ``` 42 | MEND_RNV_KAFKA_PRODUCER_GLOBAL_CONFIG='{"metadata.broker.list": "kafka:9093"}' 43 | ``` 44 | 45 | > [!TIP] 46 | > Both `MEND_RNV_KAFKA_TOPIC_CONFIG` and `MEND_RNV_KAFKA_PRODUCER_GLOBAL_CONFIG` support dynamically loading file or 47 | > base64-based content. 48 | > To load the content of a file into a given configuration option, set its value to `file://`. 49 | > To encode data in base64 for a given configuration option, set its value to `base64://`. 50 | 51 | **`MEND_RNV_KAFKA_PRODUCER_GLOBAL_CONFIG_PATH`**: A path to a global producer configuration file. Expects a JSON 52 | representation of the `librdkafka` [global configuration properties](https://github.com/confluentinc/librdkafka/blob/6d8ce88c6a2d02881e6c93f405c4518dcec9570a/CONFIGURATION.md). 
53 | 54 | **`MEND_RNV_KAFKA_PARTITION_KEY_CANDIDATES`**: Optional. A comma-separated list of keys whose values will be used as 55 | Kafka message keys. The value of the first key found in the message will be used as the Kafka key. If none of the keys 56 | are present in the message, `null` will be used as the Kafka key. 57 | 58 | If this is not set, all messages will be submitted with a `null` Kafka key. 59 | 60 | For example, consider the following setting: 61 | 62 | `MEND_RNV_KAFKA_PARTITION_KEY_CANDIDATES= no_such_key, repository` 63 | 64 | For a message to be submitted: 65 | 66 | ```json 67 | { 68 | "level": 30, 69 | "name": "renovate", 70 | "hostname": "e323075dc9c9", 71 | "pid": 30, 72 | "repository": "org_name/repo", 73 | "logContext": "9cd9202d-372d-4662-9c70-28ae4d0a24da", 74 | "renovateVersion": "39.185.4", 75 | "time": "2025-03-19T09:14:39.847Z", 76 | "v": 0, 77 | "msg": "Repository started", 78 | "org": "org_name" 79 | } 80 | ``` 81 | 82 | the Kafka key used to submit this message will be `org_name/repo`. 83 | 84 | [^1]: https://github.com/Blizzard/node-rdkafka 85 | [^2]: https://github.com/confluentinc/librdkafka 86 | -------------------------------------------------------------------------------- /examples/README.md: -------------------------------------------------------------------------------- 1 | # Mend Renovate - Example Configuration Files 2 | 3 | To get started with Mend Renovate Community Edition or Enterprise Edition, you can use the examples provided in this repository. 4 | 5 | There are Docker Compose files created for: 6 | - Mend Renovate Community Edition 7 | - Mend Renovate Enterprise Edition 8 | 9 | See the [helm-charts](../helm-charts) folder for examples of using Helm Charts. 
10 | 11 | ## Example Docker Compose files 12 | 13 | ### Mend Renovate Community Edition 14 | 15 | | File | Description | Containers created | 16 | |---------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------| 17 | | [renovate-ce-github.yml](docker-compose/renovate-ce-github.yml) | Starts a single container for Mend Renovate Community Edition. |
  • 1 x Mend Renovate CE container
  • | 18 | | [renovate-ce-postgres.yml](docker-compose/renovate-ce-postgres.yml) | Starts a single container for Mend Renovate Community Edition.
  • Uses network accessible PostgreSQL DB


  • Requires additional files:
  • [pgAdmin Dockerfile](dockerfiles/pgadmin/Dockerfile)
  • |
  • 1 x Mend Renovate CE
  • Postgres DB
  • Postgres Web UI (pgAdmin)
  • | 19 | 20 | ### Mend Renovate Enterprise Edition 21 | 22 | | File | Description | Containers created | 23 | |-----------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| 24 | | [renovate-ee-simple.yml](docker-compose/renovate-ee-simple.yml) | Starts containers for Mend Renovate Enterprise Edition.
  • Runs a single Server with multiple Worker containers.
  • Uses internal SQLite DB. |
  • 1 x Renovate EE Server
  • 2 x Renovate EE Workers
  • | 25 | | [renovate-ee-server-ha-postgres.yml](docker-compose/renovate-ee-server-ha-postgres.yml) | Starts containers for Mend Renovate Enterprise Edition.
  • Runs with multiple Server containers.
  • Uses network accessible PostgreSQL DB
  • APIs enabled
  • Job logs written to mounted volume


  • Requires additional files:
  • [NGINX conf file](conf/nginx.conf)
  • [pgAdmin Dockerfile](dockerfiles/pgadmin/Dockerfile) |
  • 2 x Renovate EE Servers
  • 2 x Renovate EE Workers
  • NGINX load balancer (for Servers)
  • Postgres DB
  • Postgres Web UI (pgAdmin)
  • | 26 | 27 | ## Example Env files 28 | 29 | Instead of having all Server and Worker environment variables defined in the Docker Compose files, variables can be defined in separate env files and referenced from the Docker Compose file in the 'env_file' section. 30 | One primary reason to do this is to separate license keys and access tokens from the other files that are committed to source code. 31 | Another reason is to manage swapping between different running environments and targets. 32 | 33 | The [env directory](env) provides some templates for environment variables required to run Mend Renovate and connect to the supported platforms.
    34 | Check the [docs directory](../docs) for information about additional variables and options. 35 | 36 | ### Env file templates 37 | 38 | | File | Description | 39 | |-------------------|----------------------------------------------------------------------------------------------| 40 | | mend-renovate.env | Env vars associated with the Mend Renovate application. Includes License key and API secret. | 41 | | github.env | Env vars for connecting Mend Renovate to a Renovate App on GitHub | 42 | | gitlab.env | Env vars for connecting Mend Renovate to a Renovate Bot user account on GitLab | -------------------------------------------------------------------------------- /examples/docker-compose/docker-compose-renovate-enterprise.yml: -------------------------------------------------------------------------------- 1 | ## Title: Renovate Enterprise Docker Compose 2 | ## Description: This example Docker Compose file starts containers for Mend Renovate Enterprise Edition. 3 | 4 | ## Scaling Server and Worker instances after initial deployment 5 | # Note: Server instances can not scale unless using a network database (eg. Postgres) and a load balancer (eg. nginx) 6 | # To increase or decrease Server or Worker instances, run the following command (replace values as appropriate): 7 | # $ docker-compose -f .yml up --scale rnv-ee-server=3 --scale rnv-ee-worker=4 -d --no-recreate 8 | # Note: Always specify both Server and Worker scaling. Whichever is unspecified will be re-scaled to its original value. 9 | ## Receiving Webhooks 10 | # To receive webhooks, create a publicly accessible endpoint for the Renovate Server (eg. ngrok http 80) 11 | # If using multiple servers, point have the ngrok server forward traffic to the load balancer port (eg. 
ngrok http 4000) 12 | 13 | services: 14 | 15 | ## Renovate Server 16 | rnv-ee-server: 17 | # Check latest version here: https://github.com/mend/renovate-ce-ee/pkgs/container/renovate-ee-server 18 | image: ghcr.io/mend/renovate-ee-server: # Replace with a specific version number 19 | deploy: 20 | replicas: 1 # Define the number of Server containers to run 21 | # Note: For multiple Server instances, use a network database (eg. Postgres) and a load balancer (eg. nginx) 22 | # Do not assign an external port if using multiple servers (eg. ports: "8080") 23 | ports: 24 | # Set MEND_RNV_SERVER_PORT to match internal port. (Defaults to 8080) 25 | - "80:8080" # "[external]:[internal]" Receive APIs and Webhooks on external port 26 | env_file: 27 | # Import required settings for Mend Renovate Self-hosted 28 | - ../env/mend-renovate.env # Provide a license key and accept the Terms of Service 29 | # Choose an env file that matches your Git repository 30 | - ../env/github.env 31 | # - ../env/gitlab.env 32 | # - ../env/bitbucket-server.env 33 | # Import optional settings for Renovate Server 34 | # - ../env/renovate-server-config.env 35 | # Postgres DB config 36 | # - ../env/postgres-db.env # Import Postgres config if using PostgreSQL DB 37 | # MinIO S3 storage 38 | # - ../env/minio.env # Ensure the configuration is also in the Worker containers 39 | environment: 40 | LOG_LEVEL: debug # Defaults to 'info' 41 | # LOG_FORMAT: json # Defaults to 'pretty'. Use 'json' when importing logs to reporting tool (eg. Splunk). 42 | MEND_RNV_REQUEST_LOGGER_ENABLED: true # Set to 'true' to log all incoming API requests to DEBUG logger. Defaults to 'false'. 43 | # API settings 44 | MEND_RNV_ADMIN_API_ENABLED: true # Enable incoming API calls. Must set `MEND_RNV_SERVER_API_SECRET` (Hint: check the mend-renovate.env file). 45 | MEND_RNV_REPORTING_ENABLED: true # Set to 'true' to enable Reporting APIs. 
(Set `RENOVATE_REPOSITORY_CACHE` on Worker for PR data) 46 | # If persisting Job logs or DB, set the following environment variables and enable volume mounts for /logs and /db 47 | MEND_RNV_LOG_HISTORY_DIR: /logs # Persist Renovate job logs. Enable volume mount for /logs 48 | MEND_RNV_SQLITE_FILE_PATH: /db/renovate-ee.sqlite # Persist database to file. Enable volume mount for /db. 49 | volumes: 50 | # Enable volumes if persisting the application database or Renovate job logs. Also mount /logs volume on the Worker. 51 | # Tip: Create folders in advance to avoid permission issues (ie. when Renovate CLI tries to write logs) 52 | - /tmp/renovate/job-logs:/logs # Unix version 53 | - /tmp/renovate/db:/db 54 | # - C:\tmp\renovate\job-logs:/logs # Windows version 55 | # - C:\tmp\renovate\db:/db 56 | 57 | ## Renovate Worker 58 | rnv-ee-worker: 59 | # Check latest version here: https://github.com/mend/renovate-ce-ee/pkgs/container/renovate-ee-worker 60 | image: ghcr.io/mend/renovate-ee-worker: # Replace with a specific version number 61 | deploy: 62 | replicas: 2 # Define the number of Worker containers to run 63 | depends_on: 64 | - rnv-ee-server 65 | env_file: 66 | # Import required settings for Mend Renovate Self-hosted 67 | - ../env/mend-renovate.env 68 | # Choose an env file that matches your Git repository 69 | - ../env/github.env 70 | # - ../env/gitlab.env 71 | # - ../env/bitbucket-server.env 72 | # Import optional settings for Renovate Worker 73 | # - ../env/renovate-worker-config.env # Set 'MEND_RNV_SERVER_HOSTNAME' to match server container (ie. http://rnv-ee-server:8080) 74 | # - ../env/renovate-core.env # Set Renovate CLI configuration options. (ie. 
`RENOVATE_REPOSITORY_CACHE=enabled`) 75 | # MinIO S3 storage 76 | # - ../env/minio.env # Ensure the configuration is also in the Server containers 77 | # Event notifications to Kafka 78 | # - ../env/event-notifications.env 79 | environment: 80 | LOG_LEVEL: debug # Defaults to 'info' 81 | # LOG_FORMAT: json # Defaults to 'pretty'. Use 'json' when importing logs to reporting tool (eg. Splunk). 82 | # Server hostname and port 83 | # Note: If using multiple servers, use the URL of load balancer (ie. http://nginx:4000). Also check ngrok config. 84 | MEND_RNV_SERVER_HOSTNAME: http://rnv-ee-server:8080 # The hostname of the Renovate Enterprise Server container 85 | # If persisting Job logs, set the following environment variable and enable volume mounts for /logs 86 | MEND_RNV_LOG_HISTORY_DIR: /logs # Persist Renovate job logs. Enable volume mount for /logs 87 | # Renovate CLI configuration options 88 | RENOVATE_REPOSITORY_CACHE: enabled # Repo cache is required for using some Enterprise reporting APIs. 89 | volumes: 90 | - /tmp/renovate/job-logs:/logs # Unix version 91 | # - C:\tmp\renovate\job-logs:/logs # Windows version 92 | -------------------------------------------------------------------------------- /docs/setup-for-github.md: -------------------------------------------------------------------------------- 1 | # Set up Mend Renovate Self-hosted App for GitHub 2 | 3 | ## Create and Configure the GitHub App (bot) 4 | 5 | Before running Mend Renovate, you need to provision it as an App on GitHub, and retrieve the ID + private key provided. 6 | 7 | If you're running a self-hosted instance of GitHub Enterprise, it is suggested to name the app "Renovate" so that it shows up as easily recognizable as "renovate[bot]" in Pull Requests. 8 | If you're running against `github.com` then the name Renovate is already taken by the hosted Mend Renovate app, so you will need something else like "YourCompany Renovate". 
9 | 10 | The App requires the following permissions: 11 | 12 | - Repository permissions 13 | - Administration: Read-only 14 | - Checks: Read & write 15 | - Commit statuses: Read & write 16 | - Contents: Read & write 17 | - Dependabot alerts: Read-only (optional) 18 | - Issues: Read & write 19 | - Metadata: Read-only 20 | - Pull Requests: Read & write 21 | - Workflows: Read & write 22 | - Organization permissions 23 | - Members: Read-only 24 | 25 | The App should also subscribe to the following webhook events: 26 | 27 | - Security Advisory 28 | - Check run 29 | - Check suite 30 | - Issues 31 | - Pull request 32 | - Push 33 | - Repository 34 | - Status 35 | 36 | Description, Homepage, User authorization callback URL, and Setup URL are all unimportant so you may set them to whatever you like. 37 | 38 | The Mend Renovate webhook listener binds to port 8080 by default, however it will bind to `process.env.PORT` instead if that is defined. 39 | Note: The Mend Renovate image takes care of exposing port 8080 of the container, so if you change this port then you will need to take care of any exposing/mapping of ports yourself. 40 | In the [Docker Compose example config](https://github.com/mend/renovate-ce-ee/tree/main/examples/), the default port 8080 is used and then mapped to port 80 on the host. 41 | 42 | For the Webhook URL field, point it to `/webhook` on port 80 (or whatever port you mapped to) of the server that you will run Mend Renovate on, e.g. http://1.2.3.4/webhook 43 | Be sure to enter a webhook secret too. 44 | If you don't care about the value, then enter 'renovate' as that is the default secret that the webhook handler process uses. Since this default is publicly documented, it does not authenticate the sender; for any server reachable from outside a test network, enter a long random value here and set the same value in `MEND_RNV_WEBHOOK_SECRET`. 45 | 46 | You can use the [Renovate icon](https://docs.renovatebot.com/assets/images/logo.png) for the app/bot if you desire. 47 | 48 | ## Run Mend Renovate Self-hosted App 49 | 50 | You can run Mend Renovate Self-hosted App from a Docker command line prompt, or by using a Docker Compose file.
Examples are provided in the links below. 51 | 52 | **Example Docker Compose files:** 53 | 54 | - [Mend Renovate Community Edition](../examples/docker-compose/docker-compose-renovate-community.yml) 55 | - [Mend Renovate Enterprise Edition](../examples/docker-compose/docker-compose-renovate-enterprise.yml) 56 | 57 | > [!NOTE] 58 | > 59 | > Some configuration of environment variables will be required inside the Docker Compose files. 60 | > 61 | > Essential configuration options are shown below. For a full list of configurable variables, see [Configuration Options](configuration-options.md). 62 | 63 | ## Configure Environment Variables 64 | 65 | ### Essential Configuration for Mend Renovate Server 66 | 67 | **`MEND_RNV_ACCEPT_TOS`**: Set this environment variable to `y` to consent to [Mend's Terms of Service](https://www.mend.io/terms-of-service/). 68 | 69 | **`MEND_RNV_LICENSE_KEY`**: Provide a valid license key for Renovate Community Edition or Enterprise Edition 70 | 71 | > [!Note] 72 | > 73 | > To run Renovate Community Edition with **up to 10 repositories**, you can use this unregistered license key: 74 | > 75 | > `eyJsaW1pdCI6IjEwIn0=.30440220457941b71ea8eb345c729031718b692169f0ce2cf020095fd328812f4d7d5bc1022022648d1a29e71d486f89f27bdc8754dfd6df0ddda64a23155000a61a105da2a1` 76 | > 77 | > For a free license key for an **unrestricted number of repositories** on Renovate Community Edition, register with the form on the [Renovate Community Edition web page](https://www.mend.io/mend-renovate-community/). 78 | > 79 | > For an Enterprise license key, contact Mend at http://mend.io. 80 | 81 | **`MEND_RNV_PLATFORM`**: Set this to `github`. 82 | 83 | **`MEND_RNV_ENDPOINT`**: [GitHub Enterprise Server only] This is the API endpoint for your GitHub Enterprise installation. Include the trailing slash. 84 | 85 | **`MEND_RNV_SERVER_PORT`**: The port on which the server listens for webhooks and api requests. Defaults to 8080. 
86 | 87 | **`MEND_RNV_GITHUB_APP_ID`**: The GitHub App ID of the provisioned Renovate app on GitHub. 88 | 89 | **`MEND_RNV_GITHUB_APP_KEY`**: The private key of the Renovate app on GitHub. Alternatively, use `MEND_RNV_GITHUB_PEM_FILE_PATH`. 90 | 91 | **`MEND_RNV_GITHUB_PEM_FILE_PATH`**: The file path for a GitHub app key PEM file. Defaults to `/usr/src/app/renovate.private-key.pem`. Alternatively, use `MEND_RNV_GITHUB_APP_KEY`. 92 | 93 | **`MEND_RNV_ADMIN_API_ENABLED`**: Set to 'true' to enable Admin APIs. Defaults to 'false'. 94 | 95 | **`MEND_RNV_SERVER_API_SECRET`**: Required if Admin APIs are enabled, or if running Enterprise Edition. 96 | 97 | **`MEND_RNV_WEBHOOK_SECRET`**: Must match the secret sent by the GitHub webhooks. Defaults to 'renovate'. 98 | 99 | **`GITHUB_COM_TOKEN`**: [GitHub Enterprise Server only] A Personal Access Token for a user account on github.com (note: _not_ an account on your GitHub Enterprise instance). 100 | 101 | **Additional Configuration options** 102 | 103 | For further details and a list of all available options, see the [Configuration Options](configuration-options.md) page. 104 | 105 | ### Renovate CLI Configuration 106 | 107 | Renovate CLI functionality can be configured using environment variables (e.g. `RENOVATE_XXXXXX`) or via a `config.js` file mounted to `/usr/src/app/config.js` inside the Mend Renovate container. 108 | 109 | **npm Registry** 110 | 111 | If using your own npm registry, you may find it easiest to update your Docker Compose file to include a volume that maps an `.npmrc` file to `/home/ubuntu/.npmrc`. The RC file should contain `registry=...` with the registry URL your company uses internally. This will allow Renovate to find shared configs and other internally published packages. 
112 | -------------------------------------------------------------------------------- /docs/overview.md: -------------------------------------------------------------------------------- 1 | # Mend Renovate Self-hosted Apps - Community Edition and Enterprise Edition 2 | 3 | ## Overview 4 | 5 | Mend Renovate Self-hosted Apps (Community Edition and Enterprise Edition) are commercial offerings of Renovate for self-hosted users, such as those running on GitHub, GitLab or Bitbucket Data Center. 6 | 7 | Essentially, it is an alternative to running the `renovate` CLI tool, with the following additions: 8 | 9 | - Stateful job queue for prioritization of job importance 10 | - Embedded job scheduler to remove the need to set up and monitor `cron` 11 | - Webhook listener to enable dynamic reactions to repository events 12 | - Administration APIs for probing the system state or triggering jobs 13 | 14 | ## Features of Mend Renovate Self-hosted App 15 | 16 | #### Job scheduler 17 | 18 | The Docker containers for Mend Renovate Self-hosted App contain a built-in job scheduler that defaults to enqueing all repositories once per hour. 19 | This saves the need for configuring and monitoring any external `cron` process. 20 | 21 | #### Webhook handler 22 | 23 | Mend Renovate Self-hosted App also supports a webserver to listen for system webhooks received from the SCM (GitHub, GitLab, Bitbucket). 24 | 25 | In particular, it checks webhooks for: 26 | 27 | - Projects it has just been added to 28 | - Commits to `main` branch for "important" files such as `package.json` and `renovate.json` 29 | - Any commits made to Renovate's branches 30 | - Closing or merging of Renovate PRs 31 | 32 | Each of the above results in a job being enqueued for the relevant repository, so that the bot will appear responsive to users. 33 | 34 | #### Priority job queue 35 | 36 | Priority-based queuing is essential for providing a responsive experience for bot users. 
37 | For example, if a user makes an update to the config in an onboarding PR, they ideally want to see the results immediately. 38 | By assigning onboarding updates the highest priority in the queue, the bot's update to the onboarding PR can proceed as the very next job, even if many others were in the queue already. 39 | 40 | In general, job priority is based on the probability that a user may be "waiting" for the bot to do something. 41 | That's why onboarding updates are highest priority, and other high priority updates include merging of Renovate PRs because that very often results in other PRs needing updates or rebasing afterwards. 42 | 43 | ## Architecture 44 | 45 | Logically, Mend Renovate consists of four components: 46 | 47 | 1. In-memory DB/state 48 | - Used for storing the job queue and a list of known installations and repositories 49 | - Can be persisted to file and interrogated by SQL tools 50 | 2. Scheduler 51 | - Runs according to a `cron` schedule (defaults to hourly) 52 | - Retrieves a list of all installed repositories and adds them to the job queue 53 | 3. Webhook Handler 54 | - Listens for webhook events from GitHub/GitLab, on path `/webhook` 55 | - Adds high priority jobs to the job queue if event conditions are met (e.g. a merged or closed Renovate PR, an update to an existing Renovate PR, a commit to `renovate.json` in `main` branch, etc) 56 | 4. Worker 57 | - A wrapper on Renovate CLI, it runs non-stop, retrieving the highest priority job (repository) from the queue one at a time 58 | 59 | All four components run within a shared container. 60 | As with Renovate CLI, it can also be configured to interact with an external Redis server as an alternative to the default disk-based cache. 61 | 62 | ## Downloading 63 | 64 | The Docker images for Mend Renovate Self-hosted App are available via GitHub Container Registry (ghcr.io) 65 | 66 | Use of the images are in accordance with the [Mend Terms of Service](https://www.mend.io/terms-of-service/). 
67 | 68 | - Community Edition: [mend/renovate-ce](https://ghcr.io/mend/renovate-ce). 69 | 70 | - Enterprise Edition: 71 | Enterprise Edition uses two separate Docker images: The Server image, and the Worker image. 72 | - Server image: [mend/renovate-ee-server](https://ghcr.io/mend/renovate-ee-server) 73 | - Worker image: [mend/renovate-ee-worker](https://ghcr.io/mend/renovate-ee-worker) 74 | 75 | ## Versioning 76 | 77 | Mend Renovate Self-hosted Apps have their own versioning and release schedule, independent of Renovate CLI versioning. 78 | 79 | Additionally, it is intended that Mend Renovate Self-hosted Apps will have a slower release cadence than Renovate CLI in order to provide greater stability for Enterprise use. 80 | 81 | Specifically, use of SemVer for Mend Renovate Self-hosted Apps: 82 | 83 | **Major**: Used only for breaking changes 84 | 85 | **Minor**: Used for feature additions and any bug fixes considered potentially unstable 86 | 87 | **Patch**: Used only for bug fixes that are considered to be stabilizing 88 | 89 | i.e. we do not want to ever "break" anyone with a patch release, or have behavior change. 90 | 91 | Renovate CLI feature releases (i.e. minor version bumps in Renovate CLI) will therefore only be incorporated into minor releases of Mend Renovate. 92 | 93 | Typically, multiple Renovate CLI feature releases will be rolled up into a single Mend Renovate release, and release notes will be embedded so that you do not need to look them up separately. 94 | 95 | ## Releasing and Upgrading 96 | 97 | The release cadence of Mend Renovate is not fixed, as it will be determined largely by the importance and stability of new Renovate CLI features, which will typically be tested using the hosted Renovate GitHub App first. 98 | 99 | When a new version of Mend Renovate is pushed to GHCR, Release Notes will be added to this [github.com/mend/renovate-ce-ee](https://github.com/mend/renovate-ce-ee) repository. 
100 | 101 | Naturally, it is recommended that you use Renovate itself for detecting and updating Mend Renovate versions if you are using a Docker Compose file internally for running Mend Renovate. 102 | 103 | ## Running Mend Renovate Self-hosted App 104 | 105 | See the Setup Guides to get started with Mend Renovate Self-hosted App 106 | - [Setup guide for GitHub](setup-for-github.md) 107 | - [Setup guide for GitLab](setup-for-gitlab.md) 108 | - [Setup guide for Bitbucket Data Center](setup-for-bitbucket-data-center.md) 109 | 110 | Examples using Docker Compose can be found in the [examples directory](../examples). 111 | 112 | ## Testing Mend Renovate Self-hosted App 113 | 114 | Request `/health` on your IP address hosting the deployment to check if it is running correctly. 115 | 116 | For further testing, use the [Admin APIs](./api.md) to: 117 | - check the status of the server 118 | - see the contents of the Job and Task queues 119 | - perform an App sync 120 | - run a job 121 | 122 | It is recommended not to expose the API endpoint to the internet as it could leak information about private repository names. The same APIs can also trigger App syncs and jobs, so limit network access to trusted hosts in addition to requiring the API secret. 123 | -------------------------------------------------------------------------------- /docs/api-jobs.md: -------------------------------------------------------------------------------- 1 | # Job APIs 2 | 3 | Enabling jobs APIs is done by setting both `MEND_RNV_API_ENABLED: true` and `MEND_RNV_API_ENABLE_JOBS: true` (both are backward compatible with `MEND_RNV_API_ENABLED`) 4 | 5 | Job Logs APIs provide a summary of and content for the Job Logs generated by the Renovate CLI. 6 | 7 | The Run Job API schedules a Renovate job to run against a given repository. 8 | 9 | ## Available Job APIs 10 | 11 | The list below describes the available Job Logs APIs. Follow the links on the API names for full details. 
12 | 13 | - [List Jobs by Repo](#list-jobs-by-repo) ← Lists all jobs for a given repo 14 | - [Get Job Logs by Repo](#get-job-logs-by-repo) ← Fetch job logs for a given repo (latest, or by JobID) 15 | - [Get Job Logs by JobID](#get-job-logs-by-jobid) ← Fetch job logs by Job ID 16 | - [Run Job on a Repo](#run-job-on-a-repo) ← Run a Renovate job against a given repo 17 | 18 | ## Enable Job Logs APIs 19 | 20 | Job Logs APIs are enabled with Renovate Admin APIs, which are off by default. 21 | 22 | Authentication is done via HTTP Auth, using the API secret as the password. The secret is sent as-is in the request header, so use HTTPS for API requests and choose a long random value rather than the `renovateapi` placeholder used below. 23 | For example, if the secret is `renovateapi` then you would authenticate by adding the following request header: 24 | 25 | ``` 26 | Authorization: Bearer renovateapi 27 | or 28 | Authorization: renovateapi 29 | ``` 30 | 31 | ## Job Logs API URLs 32 | 33 | See the table below for a list of Job Logs API URL formats. 34 | 35 | | API | URL format | Query parameters | 36 | |-------------------------------------------------|-----------------------------------------------------------|---------------------------------| 37 | | [List Jobs by Repo](#list-jobs-by-repo) | [GET] /api/v1/repos/{org}/{repo}/-/jobs | limit (default=100, max=10,000) | 38 | | [Get Job Logs by Repo](#get-job-logs-by-repo) | [GET] /api/v1/repos/{org}/{repo}/-/jobs/ | | 39 | | [Run Job on a Repo](#run-job-on-a-repo) | [POST] /api/v1/repos/{org}/{repo}/-/jobs/run | | 40 | 41 | ## Details of Job Logs APIs 42 | 43 | ### List Jobs by Repo 44 | 45 | API: [GET] /api/v1/repos/{org}/{repo}/-/jobs 46 | 47 | query parameters: 48 | - limit 49 | - Max = 10,000 50 | - Default = 100 51 | 52 | Pagination is not supported. Results are sorted with most recent job first. 
53 | 54 | **Description:** Lists all known Job Logs for a given repo 55 | 56 | **Example:** Fetch job list for repo `my-org/my-repo` 57 | 58 | [GET] http://my.renovate.server.com/api/v1/repos/my-org/my-repo/-/jobs (Note: no trailing slash!) 
59 | 60 | ```json 61 | [ 62 | { 63 | "jobId": "5a3572bf-49fe-42bb-a066-ff1146fe83d1", 64 | "reason": "api-request", 65 | "addedAt": "2024-05-13 12:41:49.760008", 66 | "startedAt": "2024-05-13 12:41:51.443102", 67 | "completedAt": "2024-05-13 12:42:32.807422", 68 | "logLocation": "S3://job-logs/my-org/my-repo/5a3572bf-49fe-42bb-a066-ff1146fe83d1.log.gz", 69 | "status": "success" 70 | }, 71 | { 72 | "jobId": "fccefbdc-de1e-49b7-bd9a-bfe530ee7547", 73 | "reason": "repositories-added", 74 | "addedAt": "2024-05-13 09:01:20.227617", 75 | "startedAt": "2024-05-13 09:01:25.735557", 76 | "completedAt": "2024-05-13 09:03:22.818254", 77 | "logLocation": "S3://job-logs/my-org/my-repo/fccefbdc-de1e-49b7-bd9a-bfe530ee7547.log.gz", 78 | "status": "success", 79 | "artifactErrors": { 80 | "renovate/husky-8.x": [ 81 | { 82 | "stderr": "npm ERR! code ETARGET\nnpm ERR! notarget No matching version found for nanoid@3.31.4.\nnpm ERR! notarget In most cases you or one of your dependencies are requesting\nnpm ERR! notarget a package version that doesn't exist.\n\nnpm ERR! 
A complete log of this ru", 83 | "lockFile": "package-lock.json" 84 | } 85 | ] 86 | } 87 | } 88 | ] 89 | ``` 90 | 91 | ### Get Job Logs by Repo 92 | 93 | API: [GET] /api/v1/repos/{org}/{repo}/-/jobs/ 94 | 95 | **Description:** Get the contents of a single job log for a given repo 96 | 97 | Options: 98 | - "latest" - returns the most recent job logs for the given repo 99 | - {jobId} - returns the job logs for the specified jobId 100 | - Note: this variation returns the same as [Get Job Logs by JobID](#get-job-logs-by-jobid) 101 | 102 | **Example 1:** Fetch latest job logs for repo `my-org/my-repo` 103 | 104 | [GET] http://my.renovate.server.com/api/v1/repos/my-org/my-repo/-/jobs/latest 105 | 106 | **Example 2:** Fetch job logs for JobID `5a3572bf-49fe-42bb-a066-ff1146fe83d1` in repo `my-org/my-repo` 107 | 108 | [GET] http://my.renovate.server.com/api/v1/repos/my-org/my-repo/-/jobs/5a3572bf-49fe-42bb-a066-ff1146fe83d1 109 | 110 | **Sample output:** 111 | 112 | ```json 113 | {"name":"renovate","hostname":"271939e11491","pid":21,"level":20,"logContext":"5a3572bf-49fe-42bb-a066-ff1146fe83d1","config":{},"msg":"File config","time":"2024-05-13T12:41:58.139Z","v":0} 114 | {"name":"renovate","hostname":"271939e11491","pid":21,"level":20,"logContext":"5a3572bf-49fe-42bb-a066-ff1146fe83d1","config":{},"msg":"CLI config","time":"2024-05-13T12:41:58.143Z","v":0} 115 | {"name":"renovate","hostname":"271939e11491","pid":21,"level":20,"logContext":"5a3572bf-49fe-42bb-a066-ff1146fe83d1","config":{},"msg":"Env config","time":"2024-05-13T12:41:58.152Z","v":0} 116 | {"......many rows removed......"} 117 | {"name":"renovate","hostname":"271939e11491","pid":21,"level":20,"logContext":"5a3572bf-49fe-42bb-a066-ff1146fe83d1","repository":"my-org/my-repo","hosts":[],"msg":"dns cache","time":"2024-05-13T12:42:29.346Z","v":0} 118 | 
{"name":"renovate","hostname":"271939e11491","pid":21,"level":30,"logContext":"5a3572bf-49fe-42bb-a066-ff1146fe83d1","repository":"my-org/my-repo","cloned":false,"durationMs":29063,"msg":"Repository finished","time":"2024-05-13T12:42:29.348Z","v":0} 119 | {"name":"renovate","hostname":"271939e11491","pid":21,"level":20,"logContext":"5a3572bf-49fe-42bb-a066-ff1146fe83d1","msg":"Checking file package cache for expired items","time":"2024-05-13T12:42:29.351Z","v":0} 120 | {"name":"renovate","hostname":"271939e11491","pid":21,"level":20,"logContext":"5a3572bf-49fe-42bb-a066-ff1146fe83d1","msg":"Verifying and cleaning cache: /tmp/renovate/cache/renovate/renovate-cache-v1","time":"2024-05-13T12:42:29.521Z","v":0} 121 | {"name":"renovate","hostname":"271939e11491","pid":21,"level":20,"logContext":"5a3572bf-49fe-42bb-a066-ff1146fe83d1","msg":"Deleted 0 of 29 file cached entries in 840ms","time":"2024-05-13T12:42:30.193Z","v":0} 122 | ``` 123 | 124 | 125 | ### Run Job on a Repo 126 | 127 | API: [POST] /api/v1/repos/{org}/{repo}/-/jobs/run 128 | 129 | **Description:** Schedules a job to run Renovate on the given repository 130 | -------------------------------------------------------------------------------- /docs/setup-for-gitlab.md: -------------------------------------------------------------------------------- 1 | # Set up Mend Renovate Self-hosted App for GitLab 2 | 3 | ## Configure Renovate Bot Account on GitLab 4 | 5 | Two main parts to Bot setup: 6 | 7 | 1. **Create the Renovate Bot user account** on GitLab - and get the **PAT** 8 | 9 | Personal Access Token (PAT) for the user account will used by your Renovate server for interacting with your repos on GitLab. 10 | 11 | 2. **Create Webhooks** to respond to activity on the repo. 12 | 13 | Without webhooks, Renovate jobs will run only on the configured schedule, or by API call. 14 | Jobs triggered by webhooks jump the queue, and are scheduled to run as soon as possible. 
15 | 16 | ### Step 1a: Renovate Bot user Account 17 | 18 | In GitLab, the "Renovate Bot" is not an App or Plugin; it's a GitLab user account that's been given the right permissions on the repository. 19 | 20 | Create a GitLab user account to act as the "Renovate Bot". 21 | 22 | > [!NOTE] 23 | > 24 | > You should use a dedicated "bot account" for Renovate, instead of using someone's personal user account. 25 | > 26 | > Apart from reducing the chance of conflicts, it is better for teams if the actions they see from Renovate are clearly marked as coming from a dedicated bot account and not from a teammate's account, which could be confusing at times. 27 | > e.g. Did the bot automerge that PR, or did a human do it? 28 | 29 | #### Self-hosted GitLab: 30 | - If you are running your own instance of GitLab, it's suggested to name the account "Renovate Bot" with username "renovate-bot". 31 | 32 | #### GitLab Cloud: 33 | - If your repos are on GitLab.com, create a new user account on GitLab cloud. 34 | You will need a globally unique name for the bot, for instance "yourcompany-renovate". 35 | 36 | ### Step 1b: Generate a Personal Access Token (PAT) 37 | 38 | Once the account is created, [create a Personal Access Token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) for the new Renovate user account. 39 | 40 | Assign the following permissions: 41 | * `api` 42 | * `read_user` 43 | * `write_repository` 44 | 45 | Keep the PAT available for the configuration of the Renovate Self-hosted App, where it is set as `MEND_RNV_GITLAB_PAT`. Treat it as a credential: it grants API and repository write access as the bot account, so keep it in a secret store rather than in files committed to source control. 46 | 47 | ### Step 2: Add Webhooks 48 | 49 | Webhooks allow GitLab to ping your Renovate server whenever an activity occurs on the designated repositories or groups. 
50 | Activities like a new commit, a merged PR, a change to a package file, etc will trigger Renovate to run a new job on that repo. 51 | Renovate can also respond to checkbox activities in PRs and the Dependency Dashboard. 
52 | 53 | > [!NOTE] 54 | > 55 | > You can still run Renovate without webhooks. 56 | > - Renovate Jobs will run on a schedule, which is highly configurable. 57 | > - The Admin APIs can be used to trigger App Sync and to run a Renovate job on a single repo. 58 | 59 | You can enable webhooks on your GitLab repos manually, or with automation. 60 | 61 | #### Option: Automatic webhook creation 62 | 63 | When enabled, will automatically install webhooks for all new repos that are enabled with Renovate. Attempts are made to remove webhooks when repos are uninstalled. 64 | 65 | > [!NOTE] 66 | > 67 | > Currently, if you add the configuration for Webhooks later to an existing setup, webhooks will not be added to repositories already registered in Renovates DB. 68 | > 69 | > As a workaround, you can uninstall and reinstall repos that you want to add webhooks to. Alternatively, if you delete the database, all repos will be freshly re-installed and webhooks will be created for them. ([Issue #762](https://github.com/mend/renovate-ce-ee/issues/762)) 70 | 71 | Webhook installation requires an admin user account that has `Maintainer` access to the repos. 72 | 73 | > [!WARNING] 74 | > 75 | > Automatic webhook creation works for GitLab v17.1 and higher. 76 | > Using the automatic webhook creation on versions lower than v17.1 can cause unexpected results, including the creation of multiple identical webhooks. 77 | 78 | > [!NOTE] 79 | > 80 | > This admin account used for webhooks can be the repo owner account, or it can be another account that has more limited access to the repos. 81 | > 82 | > The Renovate user account can be used, but it would require an upgrade in minimum permissions (from `Developer` to `Maintainer`) on the repos it manages webhooks on. 83 | 84 | To enable automatic webhook creation: 85 | 86 | Set `MEND_RNV_WEBHOOK_URL`: 87 | - DO NOT use this feature on GitLab versions lower than v17.1! 88 | - When set, webhooks will be installed on repos when Renovate is enabled. 
89 | - Set the webhook URL to point to the Renovate server url followed by `/webhook`. (e.g. `http://renovate.yourcompany.com:8080/webhook` or `https://1.2.3.4/webhook`) 90 | 91 | Set `MEND_RNV_ADMIN_TOKEN`: [Optional] 92 | - Could be repo owner account, or special high-privilege account. 93 | - Defaults to the primary Renovate user PAT when not provided. 94 | - Important: Webhooks will be only installed on repos that the account has at least `Maintainer` access to. 95 | 96 | #### Option: Manually add webhooks 97 | 98 | Add a **Group webhook** to each GitLab Group that you want webhooks triggered on. 99 | - This is an easy way to cover webhooks for all repos in the group. 100 | - Webhooks coming from Repositories that haven't enabled Renovate will be ignored. 101 | 102 | You can add **Repo webhooks** to each individual repo that you want webhooks enabled for. 103 | - This might be suitable if you are only installing Renovate on a small number of repos or don't have access to Group webhooks. 104 | - A good option if you want fine-grained control over which repos trigger webhooks to your Renovate server. 105 | 106 | > [!WARNING] 107 | > 108 | > Avoid using **Server hooks** because there they will not trigger `Issues events`, such as using checkboxes in the Dependency Dashboard issue. 109 | 110 | **Set webhook properties as shown below:** 111 | 112 | ![GitLab webhook details](images/gitlab_webhook_details.png) 113 | 114 | ##### URL 115 | - Set the webhook URL to point to the Renovate server url followed by `/webhook`. (e.g. `http://renovate.yourcompany.com:8080/webhook` or `https://1.2.3.4/webhook`) 116 | 117 | ##### Name (Optional) 118 | - You can set a name for the webhook: ie. "renovate" 119 | 120 | > [!TIP] 121 | > 122 | > Renovate's webhook listener binds to port 8080 inside its container, but you can map it (using Docker) to whatever external port you require, including port 80. 
123 | 124 | ##### Secret token 125 | - Set the webhook secret to the same value configured for `MEND_RNV_WEBHOOK_SECRET` (defaults to `renovate`). Configure your own random value rather than relying on the default, which is publicly documented. 126 | 127 | ##### Trigger 128 | - Set event triggers for: 129 | * `Push events` (All branches) 130 | * `Issues events` 131 | * `Merge request events` 132 | 133 | ![GitLab webhook triggers](images/gitlab_webhook_triggers.png) 134 | 135 | ##### SSL Verification 136 | 137 | - Disable SSL verification unless required by your server. Note that with verification disabled GitLab does not validate the Renovate server's certificate when delivering webhooks, so leave it enabled when the webhook URL uses `https://` with a certificate that GitLab trusts. 138 | 139 | ## Run Mend Renovate Self-hosted App 140 | 141 | You can run Mend Renovate Self-hosted App from a Docker command line prompt, or by using a Docker Compose file. Examples are provided in the links below. 142 | 143 | **Example Docker Compose files:** 144 | 145 | - [Mend Renovate Community Edition](../examples/docker-compose/docker-compose-renovate-community.yml) 146 | - [Mend Renovate Enterprise Edition](../examples/docker-compose/docker-compose-renovate-enterprise.yml) 147 | 148 | > [!NOTE] 149 | > 150 | > Some configuration of environment variables will be required inside the Docker Compose files. 151 | > 152 | > Essential configuration options are shown below. For a full list of configurable variables, see [Configuration Options](configuration-options.md). 153 | 154 | ## Configure Environment Variables 155 | 156 | ### Essential Configuration for Mend Renovate Server 157 | 158 | **`MEND_RNV_ACCEPT_TOS`**: Set this environment variable to `y` to consent to [Mend's Terms of Service](https://www.mend.io/terms-of-service/). 
159 | 160 | **`MEND_RNV_LICENSE_KEY`**: Provide a valid license key for Renovate Community Edition or Enterprise Edition 161 | 162 | > [!Note] 163 | > 164 | > To run Renovate Community Edition with **up to 10 repositories**, you can use this unregistered license key: 165 | > 166 | > `eyJsaW1pdCI6IjEwIn0=.30440220457941b71ea8eb345c729031718b692169f0ce2cf020095fd328812f4d7d5bc1022022648d1a29e71d486f89f27bdc8754dfd6df0ddda64a23155000a61a105da2a1` 167 | > 168 | > For a free license key for an **unrestricted number of repositories** on Renovate Community Edition, register with the form on the [Renovate Community Edition web page](https://www.mend.io/mend-renovate-community/). 169 | > 170 | > For an Enterprise license key, contact Mend at http://mend.io. 171 | 172 | **`MEND_RNV_PLATFORM`**: Set this to `gitlab`. 173 | 174 | **`MEND_RNV_ENDPOINT`**: This is the API endpoint for your GitLab host, e.g. `https://gitlab.company.com/api/v4/`. Include the trailing slash. 175 | 176 | **`MEND_RNV_SERVER_PORT`**: The port on which the server listens for webhooks and API requests. Defaults to 8080. 177 | 178 | **`MEND_RNV_GITLAB_PAT`**: Personal Access Token (PAT) for the GitLab bot account. 179 | 180 | **`MEND_RNV_ADMIN_API_ENABLED`**: Set to 'true' to enable Admin APIs. Defaults to 'false'. 181 | 182 | **`MEND_RNV_SERVER_API_SECRET`**: Required if Admin APIs are enabled, or if running Enterprise Edition. 183 | 184 | **`MEND_RNV_WEBHOOK_SECRET`**: Must match the secret sent by the GitLab webhooks. Defaults to 'renovate'; because that default is publicly documented, set your own hard-to-guess value and use the same value as the webhook's secret token in GitLab. 185 | 186 | **`MEND_RNV_WEBHOOK_URL`**: [Optional] Set to the URL of your webhook handler to enable automatic webhook creation. (e.g. `http://renovate.yourcompany.com:8080/webhook`) 187 | 188 | **`MEND_RNV_ADMIN_TOKEN`**: [Optional] Used when automatically adding webhooks. 
Provide a PAT for a user with `Maintainer` access to repos. 
189 | 190 | **`GITHUB_COM_TOKEN`**: A Personal Access Token for a user account on github.com 191 | 192 | **Additional Configuration options** 193 | 194 | For further details and a list of all available options, see the [Configuration Options](configuration-options.md) page. 195 | 196 | ### Renovate CLI Configuration 197 | 198 | Renovate CLI functionality can be configured using environment variables (e.g. `RENOVATE_XXXXXX`) or via a `config.js` file mounted to `/usr/src/app/config.js` inside the Mend Renovate container. 199 | 200 | **npm Registry** 201 | 202 | If using your own npm registry, you may find it easiest to update your Docker Compose file to include a volume that maps an `.npmrc` file to `/home/ubuntu/.npmrc`. The RC file should contain `registry=...` with the registry URL your company uses internally. This will allow Renovate to find shared configs and other internally published packages. 203 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ee/templates/worker-deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: {{ include "mend-renovate.fullname" . }}-worker 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app.kubernetes.io/name: {{ include "mend-renovate.name" . }} 8 | helm.sh/chart: {{ include "mend-renovate.chart" . }} 9 | app.kubernetes.io/instance: {{ .Release.Name }} 10 | app.kubernetes.io/managed-by: {{ .Release.Service }} 11 | {{- with .Values.renovateWorker.labels.deployment }} 12 | {{- toYaml . | nindent 4 }} 13 | {{- end }} 14 | spec: 15 | replicas: {{ .Values.renovateWorker.replicas }} 16 | selector: 17 | matchLabels: 18 | app.kubernetes.io/name: {{ include "mend-renovate.name" . }} 19 | app.kubernetes.io/instance: {{ .Release.Name }} 20 | app: {{ include "mend-renovate.name" . 
}}-worker 21 | strategy: 22 | type: Recreate 23 | template: 24 | metadata: 25 | labels: 26 | app.kubernetes.io/name: {{ include "mend-renovate.name" . }} 27 | app.kubernetes.io/instance: {{ .Release.Name }} 28 | app: {{ include "mend-renovate.name" . }}-worker 29 | {{- with .Values.renovateWorker.labels.pods }} 30 | {{- toYaml . | nindent 8 }} 31 | {{- end }} 32 | annotations: 33 | checksum/config.jsFileConfigMap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} 34 | checksum/shardedExtraConfigMaps: {{ include (print $.Template.BasePath "/extra-configmaps.yaml") . | sha256sum }} 35 | checksum/extraConfigMaps: {{ include (print $.Template.BasePath "/worker-extra-configmaps.yaml") . | sha256sum }} 36 | {{- with .Values.renovateWorker.annotations }} 37 | {{- toYaml . | nindent 8 }} 38 | {{- end }} 39 | spec: 40 | automountServiceAccountToken: {{ .Values.renovateWorker.automountServiceAccountToken | default false }} 41 | {{- with .Values.renovateWorker.podSecurityContext }} 42 | securityContext: {{- toYaml . | nindent 8 }} 43 | {{- end }} 44 | terminationGracePeriodSeconds: {{ .Values.renovateWorker.terminationGracePeriodSeconds }} 45 | {{- if or .Values.renovateWorker.serviceAccount.create .Values.renovateWorker.serviceAccount.existingName }} 46 | serviceAccountName: {{ include "mend-renovate.worker-service-account-name" . }} 47 | {{- end }} 48 | {{- with .Values.renovateWorker.initContainers }} 49 | initContainers: {{- toYaml . | nindent 8 }} 50 | {{- end }} 51 | containers: 52 | - name: {{ .Chart.Name }}-worker 53 | image: "{{ .Values.renovateWorker.image.repository }}:{{ .Values.renovateWorker.image.version }}" 54 | imagePullPolicy: {{ .Values.renovateWorker.image.pullPolicy }} 55 | {{- with .Values.renovateWorker.containerSecurityContext }} 56 | securityContext: {{- toYaml . 
| nindent 12 }} 57 | {{- end }} 58 | {{- if or .Values.renovateWorker.extraEnvFromConfigMaps .Values.renovateWorker.extraEnvFromSecrets }} 59 | envFrom: 60 | {{- with .Values.renovateWorker.extraEnvFromConfigMaps }} 61 | {{- range . }} 62 | - configMapRef: 63 | name: {{ .name }} 64 | {{- end }} 65 | {{- end }} 66 | {{- with .Values.renovateWorker.extraEnvFromSecrets }} 67 | {{- range . }} 68 | - secretRef: 69 | name: {{ .name }} 70 | {{- end }} 71 | {{- end }} 72 | {{- end }} 73 | env: 74 | {{- with .Values.renovateWorker.extraEnvVars }} 75 | {{- toYaml . | nindent 12 }} 76 | {{- end }} 77 | - name: MEND_RNV_SERVER_HOSTNAME 78 | {{- $httpsPort:= "" }} 79 | {{- $scheme := "http" }} 80 | {{- if or .Values.renovateWorker.mendRnvClientHttpsConfig .Values.renovateWorker.mendRnvClientHttpsConfigPath}} 81 | {{- $httpsPort = print ":" .Values.service.ports.https }} 82 | {{- $scheme = "https" }} 83 | {{- end}} 84 | value: "{{ $scheme }}://{{ include "mend-renovate.fullname" . }}-svc-server{{ $httpsPort }}" 85 | {{- if or .Values.renovateServer.mendRnvServerApiSecret .Values.renovateServer.existingSecret }} 86 | - name: MEND_RNV_SERVER_API_SECRET 87 | valueFrom: 88 | secretKeyRef: 89 | name: {{ include "mend-renovate.server-secret-name" . }} 90 | key: mendRnvServerApiSecret 91 | {{- end }} 92 | 93 | {{- if .Values.license.mendRnvAcceptTos }} 94 | - name: MEND_RNV_ACCEPT_TOS 95 | value: {{ .Values.license.mendRnvAcceptTos | quote }} 96 | {{- end }} 97 | {{- if or .Values.license.mendRnvLicenseKey .Values.license.existingSecret }} 98 | - name: MEND_RNV_LICENSE_KEY 99 | valueFrom: 100 | secretKeyRef: 101 | name: {{ include "mend-renovate.license-secret-name" . 
}} 102 | key: mendRnvLicenseKey 103 | {{- end }} 104 | {{- if .Values.renovateWorker.mendRnvWorkerCleanup }} 105 | - name: MEND_RNV_WORKER_CLEANUP 106 | value: {{ .Values.renovateWorker.mendRnvWorkerCleanup | quote }} 107 | {{- end }} 108 | {{- if .Values.renovateWorker.mendRnvWorkerCleanupDirs }} 109 | - name: MEND_RNV_WORKER_CLEANUP_DIRS 110 | value: {{ .Values.renovateWorker.mendRnvWorkerCleanupDirs | quote }} 111 | {{- end }} 112 | {{- if .Values.renovateWorker.mendRnvDiskUsageWarnThreshold }} 113 | - name: MEND_RNV_DISK_USAGE_WARN_THRESHOLD 114 | value: {{ .Values.renovateWorker.mendRnvDiskUsageWarnThreshold | quote }} 115 | {{- end }} 116 | {{- if .Values.renovateWorker.mendRnvDiskUsageFilter }} 117 | - name: MEND_RNV_DISK_USAGE_FILTER 118 | value: {{ .Values.renovateWorker.mendRnvDiskUsageFilter | quote }} 119 | {{- end }} 120 | {{- if .Values.renovateWorker.mendRnvExitInactiveCount }} 121 | - name: MEND_RNV_EXIT_INACTIVE_COUNT 122 | value: {{ .Values.renovateWorker.mendRnvExitInactiveCount | quote }} 123 | {{- end }} 124 | {{- if .Values.renovateWorker.mendRnvWorkerNodeArgs }} 125 | - name: RENOVATE_NODE_ARGS 126 | value: {{ .Values.renovateWorker.mendRnvWorkerNodeArgs | quote }} 127 | {{- end }} 128 | 129 | {{- if or .Values.renovateWorker.githubComToken .Values.renovateWorker.existingSecret }} 130 | - name: GITHUB_COM_TOKEN 131 | valueFrom: 132 | secretKeyRef: 133 | name: {{ include "mend-renovate.worker-secret-name" . }} 134 | key: githubComToken 135 | optional: true 136 | {{- end }} 137 | {{- if or .Values.renovateWorker.pipIndexUrl .Values.renovateWorker.existingSecret }} 138 | - name: PIP_INDEX_URL 139 | valueFrom: 140 | secretKeyRef: 141 | name: {{ include "mend-renovate.worker-secret-name" . 
}} 142 | key: pipIndexUrl 143 | optional: true 144 | {{- end }} 145 | {{- if .Values.renovateWorker.mendRnvWorkerExecutionTimeout }} 146 | - name: MEND_RNV_WORKER_EXECUTION_TIMEOUT 147 | value: {{ .Values.renovateWorker.mendRnvWorkerExecutionTimeout | quote }} 148 | {{- end }} 149 | {{- if .Values.renovateWorker.mendRnvDisableGlobalAgent }} 150 | - name: MEND_RNV_DISABLE_GLOBAL_AGENT 151 | value: {{ .Values.renovateWorker.mendRnvDisableGlobalAgent | quote }} 152 | {{- end }} 153 | {{- if .Values.renovateWorker.mendRnvEnableHttp2 }} 154 | - name: MEND_RNV_ENABLE_HTTP2 155 | value: {{ .Values.renovateWorker.mendRnvEnableHttp2 | quote }} 156 | {{- end }} 157 | {{- if .Values.renovateWorker.mendRnvClientHttpsConfig }} 158 | - name: MEND_RNV_CLIENT_HTTPS_CONFIG 159 | value: {{ toJson .Values.renovateWorker.mendRnvClientHttpsConfig | quote }} 160 | {{- end }} 161 | {{- if .Values.renovateWorker.mendRnvClientHttpsConfigPath }} 162 | - name: MEND_RNV_CLIENT_HTTPS_CONFIG_PATH 163 | value: {{ .Values.renovateWorker.mendRnvClientHttpsConfigPath | quote}} 164 | {{- end }} 165 | {{- if .Values.renovateWorker.noNodeTlsVerify }} 166 | - name: NODE_TLS_REJECT_UNAUTHORIZED 167 | value: '0' 168 | {{- end }} 169 | {{- if .Values.renovateWorker.noGitTlsVerify }} 170 | - name: GIT_SSL_NO_VERIFY 171 | value: 'true' 172 | {{- end }} 173 | {{- if .Values.renovateWorker.renovateUserAgent }} 174 | - name: RENOVATE_USER_AGENT 175 | value: {{ .Values.renovateWorker.renovateUserAgent | quote }} 176 | {{- end }} 177 | {{- if .Values.renovateWorker.logLevel }} 178 | - name: LOG_LEVEL 179 | value: {{ .Values.renovateWorker.logLevel | quote }} 180 | {{- end }} 181 | {{- if .Values.renovateWorker.logFormat }} 182 | - name: LOG_FORMAT 183 | value: {{ .Values.renovateWorker.logFormat | quote }} 184 | {{- end }} 185 | ports: 186 | - name: ee-worker 187 | containerPort: 8080 188 | protocol: TCP 189 | {{- with .Values.renovateWorker.livenessProbe }} 190 | livenessProbe: 191 | {{- toYaml . 
| nindent 12 }} 192 | {{- end }} 193 | {{- with .Values.renovateWorker.readinessProbe }} 194 | readinessProbe: 195 | {{- toYaml . | nindent 12 }} 196 | {{- end }} 197 | resources: 198 | {{- toYaml .Values.renovateWorker.resources | nindent 12 }} 199 | volumeMounts: 200 | - name: {{ .Release.Name }}-config-js-volume 201 | readOnly: true 202 | mountPath: /usr/src/app/config.js 203 | subPath: config.js 204 | {{- if .Values.renovateWorker.npmrc }} 205 | - name: {{ .Release.Name }}-npmrc-volume 206 | readOnly: true 207 | mountPath: /home/ubuntu/.npmrc 208 | subPath: .npmrc 209 | {{- end }} 210 | {{- if not .Values.renovateWorker.disableCacheVolume }} 211 | - name: {{ .Release.Name }}-cache-volume 212 | readOnly: false 213 | mountPath: /tmp/renovate 214 | {{- end }} 215 | {{- with .Values.renovateWorker.extraVolumeMounts }} 216 | {{- toYaml . | nindent 12 }} 217 | {{- end }} 218 | {{- with .Values.renovateWorker.nodeSelector }} 219 | nodeSelector: 220 | {{- toYaml . | nindent 8 }} 221 | {{- end }} 222 | {{- if .Values.renovateWorker.imagePullSecrets }} 223 | imagePullSecrets: 224 | - name: {{ .Values.renovateWorker.imagePullSecrets }} 225 | {{- end }} 226 | volumes: 227 | - name: {{ .Release.Name }}-config-js-volume 228 | configMap: 229 | name: {{ include "mend-renovate.fullname" . }}-config-js 230 | {{- if or .Values.renovateWorker.npmrc .Values.renovateWorker.npmrcExistingSecret }} 231 | - name: {{ .Release.Name }}-npmrc-volume 232 | secret: 233 | secretName: {{ include "mend-renovate.npmrc-secret-name" . 
}} 234 | {{- end }} 235 | {{- if not .Values.renovateWorker.disableCacheVolume }} 236 | - name: {{ .Release.Name }}-cache-volume 237 | {{- if .Values.dataPersistence.enabled }} 238 | persistentVolumeClaim: 239 | claimName: {{ .Values.dataPersistence.existingClaim | default (printf "%s-data" (include "mend-renovate.fullname" .)) }} 240 | {{- else if .Values.dataInMemory.enabled }} 241 | emptyDir: 242 | medium: Memory 243 | {{- else }} 244 | emptyDir: { } 245 | {{- end }} 246 | {{- end }} 247 | {{- with .Values.renovateWorker.extraVolumes }} 248 | {{- toYaml . | nindent 8 }} 249 | {{- end }} 250 | {{- with .Values.renovateWorker.affinity }} 251 | affinity: 252 | {{- toYaml . | nindent 8 }} 253 | {{- end }} 254 | {{- with .Values.renovateWorker.tolerations }} 255 | tolerations: 256 | {{- toYaml . | nindent 8 }} 257 | {{- end }} 258 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ce/values.yaml: -------------------------------------------------------------------------------- 1 | image: 2 | repository: ghcr.io/mend/renovate-ce 3 | tag: 13.1.0 4 | useFull: true 5 | pullPolicy: IfNotPresent 6 | 7 | nameOverride: "" 8 | fullnameOverride: "" 9 | 10 | renovate: 11 | # Additional env vars 12 | extraEnvVars: [ ] 13 | 14 | # You must accept the Mend Terms of Service to use the image. 15 | # Please read https://www.mend.io/terms-of-service/ 16 | # Set this value to 'y' to consent. 17 | mendRnvAcceptTos: 18 | 19 | # Provide a valid license key for Renovate Community Edition. 20 | # Use this key for up to 10 repos: eyJsaW1pdCI6IjEwIn0=.30440220457941b71ea8eb345c729031718b692169f0ce2cf020095fd328812f4d7d5bc1022022648d1a29e71d486f89f27bdc8754dfd6df0ddda64a23155000a61a105da2a1 21 | # For a free unrestricted repo Community Edition license key register at https://www.mend.io/renovate-community/ 22 | mendRnvLicenseKey: 23 | 24 | # Which platform Mend Renovate will connect to. 
25 | # valid values: "bitbucket-server", "github" or "gitlab" 26 | mendRnvPlatform: 27 | 28 | # API endpoint, include trailing slash. Examples: https://api.github.com/, https://gitlab.com/api/v4/ 29 | mendRnvEndpoint: 30 | 31 | # Personal Access Token for bot account (GitLab only) 32 | mendRnvGitlabPat: 33 | 34 | # The GitHub App ID provided when you provisioned the Mend Renovate app. Force string format by quoting value. 35 | mendRnvGithubAppId: 36 | 37 | # Optional: The GitHub bot user ID that can be found by calling `https://api.github.com/users/{appName}[bot]` under the `id` key. 38 | # Force string format by quoting value. 39 | mendRnvGithubBotUserId: 40 | 41 | # A string representation of the private key provided by GitHub Enterprise when you provisioned Mend Renovate 42 | mendRnvGithubAppKey: 43 | 44 | # Renovate Bot user account (Bitbucket "User" access only) 45 | mendRnvBitbucketUser: 46 | 47 | # BitBucket access token for the bot user 48 | mendRnvBitbucketPat: 49 | 50 | # Optional: The URL of the Renovate Server plus '/webhook' suffix. 51 | # Must be accessible to receive incoming calls from BitBucket Data Center. 52 | mendRnvWebhookURL: 53 | 54 | # Optional: A token used for searching/adding/removing repository webhooks. 55 | # required if MEND_RNV_WEBHOOK_URL is set. 56 | mendRnvAdminToken: 57 | 58 | # Optional: Provide a path to persist the SQLite database (eg. '/db/renovate-ce.sqlite', where 'db' is defined as a volume) 59 | # If you set cachePersistence.enabled to true, the default value for this setting will persist the SQLite database automatically 60 | mendRnvSqliteFilePath: '/tmp/renovate/renovate-ce.sqlite' 61 | 62 | # Optional: Set User Agent Mend Renovate-ce will use to query the registries, Defaults to 'mend-renovate' 63 | mendRnvUserAgent: 64 | 65 | # Required if Admin APIs are enabled. 66 | mendRnvServerApiSecret: 67 | 68 | # Optional: Set to 'true' to enable Admin APIs. Defaults to 'false'. 
69 | # 70 | # deprecated: use mendRnvApiEnabled instead. 71 | mendRnvAdminApiEnabled: 72 | 73 | # Optional: Set to 'true' to enable APIs. Defaults to 'false'. 74 | mendRnvApiEnabled: 75 | 76 | # Optional: Set to 'true' to enable system APIs. Defaults to 'false'. 77 | mendRnvSystemApiEnabled: 78 | 79 | # Optional: Set to 'true' to enable jobs APIs. Defaults to 'false'. 80 | mendRnvJobsApiEnabled: 81 | 82 | # Optional: Set to 'true' to enable Reporting APIs. Defaults to 'false'. 83 | # 84 | # deprecated: use mendRnvReportingApiEnabled instead. 85 | mendRnvReportingEnabled: 86 | 87 | # Optional: Set to 'true' to enable Reporting APIs. Defaults to 'false'. 88 | mendRnvReportingApiEnabled: 89 | 90 | # Optional, defaults to 'renovate'. The default is a published value, so set a unique random secret when webhooks are enabled. 91 | mendRnvWebhookSecret: 92 | 93 | # Optional: Controls whether to enqueue webhook based jobs for disabled repositories. 94 | # Accepted values: 95 | # "full": Always enqueue jobs. 96 | # "minimal": Don’t enqueue jobs for disabled repositories. Default. 97 | # 98 | # Note: Scheduled and API based jobs will still be triggered for these repositories. 99 | mendRnvWebhookSkipDisabledRepoJobs: 100 | 101 | # Personal Access Token for github.com (used for retrieving changelogs) 102 | githubComToken: 103 | 104 | # PIP index url to get packages from. 
Will be mounted as a secret 105 | pipIndexUrl: 106 | 107 | # Existing secret with secret values with the following keys: 108 | # mendRnvLicenseKey: 109 | # mendRnvGitlabPat: 110 | # mendRnvGithubAppId: 111 | # mendRnvGithubAppKey: 112 | # mendRnvWebhookSecret: 113 | # mendRnvServerApiSecret: 114 | # githubComToken: 115 | # pipIndexUrl: 116 | existingSecret: 117 | 118 | # Optional, defaults to '0 * * * *' (hourly) 119 | mendRnvCronJobSchedulerAll: 120 | 121 | # Optional, defaults to '0 0,4,8,12,16,20 * * *' (every 4 hours) 122 | mendRnvCronAppSync: 123 | 124 | # defaults to 'true' 125 | mendRnvSyncOnStartup: 126 | 127 | # defaults to 'bulk' 128 | # GitHub users only: can be set to 'batch' 129 | mendRnvSyncMode: 130 | 131 | # Optional. Format: s3://bucket/dir1/dir2. Defines S3 storage location for saving job logs 132 | mendRnvLogHistoryS3: 133 | 134 | # Optional, a string of a comma separated values. (e.g. `org1/*, org2/test*, org2/test*`). Same behavior as Renovate cli 'autodiscoverFilter' feature 135 | # Warning: The Renovate CLI 'autodiscover' configuration option is disabled. 136 | # Repository filtering should solely rely on server-side filtering using 'mendRnvAutoDiscoverFilter'. 137 | mendRnvAutoDiscoverFilter: 138 | 139 | # Optional. Accepted values: 'enabled', 'discovered', and 'disabled'. Defaults to 'discovered'. 140 | mendRnvEnqueueJobsOnStartup: 141 | 142 | # Optional. Specify a directory path to save Renovate job log files. 143 | # It is recommended to use an external volume to preserve history. 144 | mendRnvLogHistoryDir: 145 | 146 | # Optional: The number of days to save log files. Defaults to 30. 147 | mendRnvLogHistoryTTLDays: 148 | 149 | # Optional: Specifies a 5-part cron schedule. Defaults to `0 0 * * *` (every midnight). 150 | # This cron job cleans up log history in the directory defined by `mendRnvLogHistoryDir`. 151 | # It deletes any log file that exceeds the `mendRnvLogHistoryTTLDays` value. 
152 | mendRnvLogHistoryCleanupCron: 153 | 154 | # Optional. valid values: 'disabled', 'enabled', 'managed' and default to unset (see documentation) 155 | mendRnvForksProcessing: 156 | 157 | # Optional: Sets the maximum execution duration of a Renovate CLI scan in minutes. Defaults to 60. 158 | mendRnvWorkerExecutionTimeout: 159 | 160 | # optional: valid values are 'off', 'always', a cron (example: '0 0 * * *' daily at midnight) 161 | mendRnvWorkerCleanup: off 162 | 163 | # defaults to: '/tmp/renovate/cache, /tmp/renovate/repos, /home/ubuntu' 164 | # Note: setting this value will override the default value 165 | mendRnvWorkerCleanupDirs: 166 | 167 | # optional: A numeric percentage threshold for disk storage warnings. Defaults to 70 168 | # note: setting the value to zero "0" will turn off this feature 169 | mendRnvDiskUsageWarnThreshold: 170 | 171 | # optional: A comma-separated list of regex or glob patterns for matching device paths. Default is /dev/** 172 | mendRnvDiskUsageFilter: 173 | 174 | # optional: mainly added to allow support for the '--security-revert=CVE-2023-46809' value. Note: '--security-revert' switches off the Node.js fix for the named CVE, so set it only when a dependency needs the old behavior. 175 | mendRnvWorkerNodeArgs: 176 | 177 | # Optional. Set to 'true' to enable Prometheus /metrics endpoint. Defaults to 'false'. 178 | mendRnvPrometheusMetricsEnabled: 179 | 180 | # Optional. Set to 'true' to disable GlobalProxyAgent. Defaults to 'false'. 181 | mendRnvDisableGlobalAgent: 182 | 183 | # Optional. Set to 'true' to enable HTTP/2 support. Defaults to 'false'. 184 | mendRnvEnableHttp2: 185 | 186 | # Optional. Set to 'true' to ensure that non-secure requests are rejected. 187 | mendRnvHttpServerDisabled: 188 | 189 | # TLS server config (YAML format, stringified to JSON in template). 190 | # Takes precedence over 'mendRnvServerHttpsConfigPath'. 
191 | # 192 | # https://github.com/mend/renovate-ce-ee/blob/main/docs/tls.md#https-server-configuration 193 | mendRnvServerHttpsConfig: 194 | # SNIConfig: 195 | # domain1.com: 196 | # key: "file:///path/to/key.pem" # or "base64://..." or plain string 197 | # cert: "file:///path/to/cert.pem" # or "base64://..." or plain string 198 | # baseConfig: 199 | # key: "file:///default/key.pem" 200 | # cert: "file:///default/cert.pem" 201 | # maxVersion: "TLSv1.3" 202 | # minVersion: "TLSv1.2" 203 | 204 | # Path to the TLS server config. 205 | mendRnvServerHttpsConfigPath: 206 | 207 | # Self-hosted renovate configuration file, will be mounted as a config map 208 | config: | 209 | module.exports = { 210 | // Enter self-hosted configuration options here. 211 | // https://docs.renovatebot.com/self-hosted-configuration/ 212 | } 213 | 214 | # # Npmrc file. Will be mounted as a secret 215 | # npmrc: | 216 | # //registry.npmjs.org/:_authToken=xxxxxx 217 | 218 | # Existing secret with npmrc configuration with key: 219 | # .npmrc: 220 | npmrcExistingSecret: 221 | 222 | # Disable NodeJS SSL verify (do not use for production) 223 | noNodeTlsVerify: false 224 | 225 | # Disable GIT SSL verify (do not use for production) 226 | noGitTlsVerify: false 227 | 228 | # Set User Agent Mend Renovate will use to query the registries 229 | # defaults to https://github.com/renovatebot/renovate 230 | renovateUserAgent: 231 | 232 | # Set log level, defaults to 'info'. Allowed values: fatal, error, warn, info, debug, trace 233 | logLevel: info 234 | 235 | # Set log format, defaults to pretty format. 
Allowed values: undefined or 'json' 236 | logFormat: json 237 | 238 | postgresql: 239 | # if to use PostgreSQL, if set to 'false' SQLite will be used instead 240 | enabled: false 241 | host: 242 | port: 243 | database: 244 | user: 245 | password: 246 | 247 | 248 | disableCacheVolume: false 249 | 250 | ## Cache Persistence Parameters 251 | ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ 252 | ## 253 | cachePersistence: 254 | ## Enable persistence using Persistent Volume Claims 255 | enabled: false 256 | ## Persistent Volume storage class 257 | ## If defined, storageClassName: 258 | ## If set to "-", storageClassName: "", which disables dynamic provisioning 259 | ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner 260 | storageClass: "" 261 | ## @param Persistent Volume access modes 262 | accessModes: 263 | - ReadWriteOnce 264 | ## Persistent Volume size 265 | size: 1Gi 266 | ## The name of an existing PVC to use for persistence 267 | existingClaim: "" 268 | 269 | ## Cache in Memory 270 | ## ref: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir 271 | ## cachePersistence.enabled takes precedence, make sure its disabled 272 | ## 273 | cacheInMemory: 274 | ## Place the cache in memory (tmpfs) 275 | enabled: false 276 | 277 | service: 278 | type: ClusterIP 279 | ports: 280 | http: 80 281 | https: 443 282 | annotations: { } 283 | # cloud.google.com/load-balancer-type: "Internal" 284 | labels: { } 285 | 286 | ingress: 287 | enabled: false 288 | 289 | # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName 290 | # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress 291 | # ingressClassName: nginx 292 | 293 | annotations: { } 294 | # kubernetes.io/tls-acme: "true" 295 | hosts: 296 | { } 297 | # mend-renovate.local: 298 | # paths: 299 | # - path: "/" 300 | # pathType: 
ImplementationSpecific 301 | tls: [ ] 302 | # - secretName: mend-renovate-tls 303 | # hosts: 304 | # - mend-renovate.local 305 | 306 | serviceAccount: 307 | create: false 308 | existingName: 309 | annotations: { } 310 | 311 | resources: { } 312 | 313 | annotations: { } 314 | 315 | labels: 316 | deployment: { } 317 | pods: { } 318 | 319 | nodeSelector: { } 320 | 321 | tolerations: [ ] 322 | 323 | affinity: { } 324 | 325 | podSecurityContext: { } 326 | # runAsNonRoot: true 327 | # seccompProfile: 328 | # type: RuntimeDefault 329 | 330 | containerSecurityContext: { } 331 | # allowPrivilegeEscalation: false 332 | # readOnlyRootFilesystem: true 333 | # capabilities: 334 | # drop: 335 | # - ALL 336 | 337 | initContainers: [ ] 338 | 339 | # name of the image pull secret 340 | imagePullSecrets: "" 341 | 342 | # This allows renovate to finish running for a repo and then gracefully exit 343 | terminationGracePeriodSeconds: 60 344 | 345 | livenessProbe: 346 | initialDelaySeconds: 2 347 | httpGet: 348 | path: /health 349 | port: http 350 | periodSeconds: 10 351 | timeoutSeconds: 1 352 | failureThreshold: 3 353 | successThreshold: 1 354 | 355 | readinessProbe: 356 | httpGet: 357 | path: /health 358 | port: http 359 | periodSeconds: 10 360 | timeoutSeconds: 1 361 | failureThreshold: 3 362 | successThreshold: 1 363 | 364 | # Extra ConfigMaps to be created by the chart 365 | # These are full Kubernetes ConfigMap definitions 366 | extraConfigMaps: [ ] 367 | # - apiVersion: v1 368 | # kind: ConfigMap 369 | # metadata: 370 | # name: my-extra-config-map 371 | # data: 372 | # MY_ENV_VAR: "my-value" 373 | # ANOTHER_VAR: "123" 374 | 375 | # List of ConfigMaps to be loaded as environment variables 376 | # Ref: https://kubernetes.io/docs/concepts/configuration/configmap/#using-configmaps-as-environment-variables 377 | extraEnvFromConfigMaps: [ ] 378 | # - name: my-extra-config 379 | 380 | # List of Secrets to be loaded as environment variables 381 | # Ref: 
https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables 382 | extraEnvFromSecrets: [ ] 383 | # - name: my-extra-secret 384 | 385 | extraVolumes: [ ] 386 | # - name: secrets-store-inline 387 | # csi: 388 | # driver: secrets-store.csi.k8s.io 389 | # readOnly: true 390 | # volumeAttributes: 391 | # secretProviderClass: "some-secret-store" 392 | # - name: my-extra-config-map-volume 393 | # configMap: 394 | # name: my-extra-config 395 | 396 | extraVolumeMounts: [ ] 397 | # - name: secrets-store-inline 398 | # mountPath: "/mnt/secrets-store" 399 | # readOnly: true 400 | # - name: my-extra-config-map-volume 401 | # mountPath: /path 402 | -------------------------------------------------------------------------------- /docs/tls.md: -------------------------------------------------------------------------------- 1 | # HTTPS Configuration 2 | 3 | 4 | * [HTTPS Configuration](#https-configuration) 5 | * [Environment variables for configuring TLS communication](#environment-variables-for-configuring-tls-communication) 6 | * [Configuring Server-Worker TLS communication](#configuring-server-worker-tls-communication) 7 | * [Server Configuration](#server-configuration) 8 | * [Worker Configuration](#worker-configuration) 9 | * [HTTPS Server Configuration](#https-server-configuration) 10 | * [HTTPS Client Configuration](#https-client-configuration) 11 | * ['ServerHttpsOptions' details and examples](#serverhttpsoptions-details-and-examples) 12 | * ['ClientHttpsOptions' details and examples](#clienthttpsoptions-details-and-examples) 13 | * [Node.js runtime configuration](#nodejs-runtime-configuration) 14 | 15 | 16 | ## Environment variables for configuring TLS communication 17 | 18 | The following is a list of configuration variables for using TLS communication. 
19 | 20 | | Configuration variable | Brief description | 21 | |-------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------| 22 | | `MEND_RNV_SERVER_HOSTNAME` | Define the URL for accessing the Server with HTTPS protocol. | 23 | | `MEND_RNV_SERVER_HTTPS_PORT` | Required for secure communication. Defaults to 8443. Note: Ensure `MEND_RNV_SERVER_HOSTNAME` is updated in Worker (eg. https://rnv-ee-server:8443). | 24 | | `MEND_RNV_HTTP_SERVER_DISABLED` | Set to 'true' to ensure that non-secure requests are rejected. | 25 | | `MEND_RNV_SERVER_HTTPS_CONFIG` | TLS server config (JSON format). Takes precedence over `MEND_RNV_SERVER_HTTPS_CONFIG_PATH`. | 26 | | `MEND_RNV_SERVER_HTTPS_CONFIG_PATH` | File for defining TLS server config. Note: Ensure volume is defined. | 27 | | `MEND_RNV_CLIENT_HTTPS_CONFIG` | TLS client config (JSON format). Takes precedence over `MEND_RNV_CLIENT_HTTPS_CONFIG_PATH`. | 28 | | `MEND_RNV_CLIENT_HTTPS_CONFIG_PATH` | File for defining TLS client config. Note: Ensure volume is defined. | 29 | 30 | See below for detailed descriptions and examples. 31 | 32 | Also, refer to the [TLS examples](../examples/tls) directory for examples of Server and Worker config and instructions to create local keys and certificates. 33 | 34 | ## Configuring Server-Worker TLS communication 35 | 36 | To configure Renovate Enterprise Worker to use TLS communication with the Renovate Enterprise Server, set the following configuration variables as show below. 37 | 38 | > [!NOTE] 39 | > Ensure that any files referenced in the configuration have the volumes correctly mapped in the container. 
40 | 41 | ### Server Configuration 42 | 43 | - `MEND_RNV_SERVER_HTTPS_PORT` - [Optional] Defaults to 8443 44 | - `MEND_RNV_HTTP_SERVER_DISABLED` - [Optional] Set to 'true' to disable non-secure (HTTP) connections 45 | - `MEND_RNV_SERVER_HTTPS_CONFIG` - Define the TLS server configuration (JSON format) 46 | - `MEND_RNV_SERVER_HTTPS_CONFIG_PATH` - Path to TLS server configuration file 47 | 48 | Note: `MEND_RNV_SERVER_HTTPS_CONFIG` takes precedence over `MEND_RNV_SERVER_HTTPS_CONFIG_PATH` 49 | 50 | ### Worker Configuration 51 | 52 | - `MEND_RNV_SERVER_HOSTNAME` - Ensure hostname is configured to use "https" protocol and the HTTPS port defined in the Server by `MEND_RNV_SERVER_HTTPS_PORT` (eg. https://rnv-ee-server:8443) 53 | - `MEND_RNV_CLIENT_HTTPS_CONFIG` - Define the TLS client configuration (JSON format) 54 | - `MEND_RNV_CLIENT_HTTPS_CONFIG_PATH` - Path to TLS client configuration file 55 | 56 | Note: `MEND_RNV_CLIENT_HTTPS_CONFIG` takes precedence over `MEND_RNV_CLIENT_HTTPS_CONFIG_PATH` 57 | 58 | ## HTTPS Server Configuration 59 | 60 | All `Renovate CE/EE` services can be configured to create an `HTTPS` server for secure inbound traffic. 61 | 62 | The `HTTPS` server is configured through a `JSON` configuration passed via the environment. 63 | This configuration is resolved and applied when creating the `Node.js` `HTTPS` server. 64 | 65 | Available configurations: 66 | 67 | - `MEND_RNV_SERVER_HTTPS_PORT` - [Optional] Defaults to `'8443'`. 68 | 69 | - `MEND_RNV_HTTP_SERVER_DISABLED` - [Optional] Set to `true` to ensure that non-secure (`HTTP`) requests are rejected. 
70 | 71 | - `MEND_RNV_SERVER_HTTPS_CONFIG` - A `JSON` string of type `ServerHttpsOptions` ([See details and examples](#serverhttpsoptions-details-and-examples)) 72 | 73 | - `MEND_RNV_SERVER_HTTPS_CONFIG_PATH` - A path to a `JSON` file containing `ServerHttpsOptions` ([See details and examples](#serverhttpsoptions-details-and-examples)) 74 | 75 | > [!IMPORTANT] 76 | > To enable `HTTPS`, at least one of `MEND_RNV_SERVER_HTTPS_CONFIG` or `MEND_RNV_SERVER_HTTPS_CONFIG_PATH` must be 77 | > defined. 78 | > If both are provided, the configuration from `MEND_RNV_SERVER_HTTPS_CONFIG` takes precedence. 79 | 80 | ## HTTPS Client Configuration 81 | 82 | All `Renovate CE/EE` services can have their `HTTPS` client configured. The client is used when making secure outbound calls. 83 | 84 | To configure the HTTPS Client, provide one of the following: 85 | 86 | - `MEND_RNV_CLIENT_HTTPS_CONFIG` - An `JSON` string of type `ClientHttpsOptions` ([See details and examples](#clienthttpsoptions-details-and-examples)) 87 | 88 | - `MEND_RNV_CLIENT_HTTPS_CONFIG_PATH` - A path to a `JSON` file containing `ClientHttpsOptions` ([See details and examples](#clienthttpsoptions-details-and-examples)) 89 | 90 | In most cases, the Renovate Enterprise Worker's client needs to be configured only if the Renovate Enterprise Server is using self-signed certificates. 91 | In this case, the Worker's client will require the corresponding `'ca'` to authenticate the server. For example: `MEND_RNV_CLIENT_HTTPS_CONFIG={"ca":"file:///path/to/self/signed/ca.pem"}` 92 | 93 | > [!NOTE] 94 | > The `Node.js` runtime uses a [hardcoded, statically compiled](https://github.com/nodejs/node/blob/v22.x/src/node_root_certs.h) 95 | > list of default trusted Certificate Authorities. 96 | 97 | > [!CAUTION] 98 | > Setting the Certificate Authority (`ca`) will override the default Certificate 99 | > Authorities ([from Mozilla](https://wiki.mozilla.org/CA/Included_Certificates)) used by the `Node.js` runtime. 
This 100 | > may cause issues with secure connections or certificate validation for public servers. 101 | 102 | ## 'ServerHttpsOptions' details and examples 103 | 104 | The `ServerHttpsOptions` Object accepts configuration options that can be passed via `JSON`, as defined 105 | in [tls.createServer()](https://nodejs.org/docs/latest-v22.x/api/tls.html#tlscreateserveroptions-secureconnectionlistener), [tls.createSecureContext()](https://nodejs.org/docs/latest-v22.x/api/tls.html#tlscreatesecurecontextoptions) 106 | and [http.createServer()](https://nodejs.org/docs/latest-v22.x/api/http.html#httpcreateserveroptions-requestlistener). 107 | 108 | ```typescript 109 | type ServerHttpsConfig = { 110 | SNIConfig?: Record<string, ServerHttpsOptions>; 111 | baseConfig?: ServerHttpsOptions; 112 | }; 113 | ``` 114 | - **`SNIConfig`** (optional) – A `JSON` object mapping server names to their specific `HTTPS` configurations, enabling 115 | `Server Name Indication (SNI)`. 116 | 117 | The `SNIConfig` is used to construct an `SNICallback` – _"A function that is called if the client supports the SNI TLS 118 | extension"_[^1]. 119 | 120 | - The `SNICallback` handles requests that match a server name specified in the `SNIConfig`, using the corresponding 121 | `ServerHttpsOptions` for that server name. 122 | - A request that doesn't match any server name will be rejected. 123 | 124 | 125 | - **`baseConfig`** (optional) – A `JSON` object containing the default `HTTPS` configuration applied when no `SNI` is 126 | configured 127 | or when serving a client 128 | that doesn't support the `SNI TLS extension`. 129 | 130 | > [!IMPORTANT] 131 | > At least one of `SNIConfig` or `baseConfig` must be configured. 132 | 133 | > [!TIP] 134 | > To load the content of a file into a given configuration option, set its value to `"file://<path-to-file>"`. 135 | 136 | > [!TIP] 137 | > To encode data in base64 for a given configuration option, set its value to `"base64://<base64-encoded-data>"`. 
138 | 139 | > [!WARNING] 140 | > Inline secrets must be escaped properly, e.g., newlines. 141 | 142 | ### Example Server Config 1 143 | 144 | File based configuration, file based secrets, `SNI` only: 145 | 146 | `MEND_RNV_SERVER_HTTPS_CONFIG_PATH=/path/to/config.json` 147 | 148 | `/path/to/config.json`: 149 | 150 | ```json 151 | { 152 | "SNIConfig": { 153 | "domain1.com": { 154 | "key": "file:///path/to/key1.pem", 155 | "cert": ["file:///path/to/cert1.pem"] 156 | }, 157 | "domain2.com": { 158 | "key": "file:///path/to/key2.pem", 159 | "cert": "file:///path/to/cert2.pem" 160 | } 161 | }, 162 | "baseConfig": { 163 | "maxVersion": "TLSv1.3", 164 | "minVersion": "TLSv1.2" 165 | } 166 | } 167 | ``` 168 | 169 | ### Example Server Config 2 170 | 171 | File based configuration, file based secrets, `SNI` support with fallback: 172 | 173 | `MEND_RNV_SERVER_HTTPS_CONFIG_PATH=/path/to/config.json` 174 | 175 | `/path/to/config.json`: 176 | 177 | ```json 178 | { 179 | "SNIConfig": { 180 | "domain1.com": { 181 | "key": "file:///path/to/key1.pem", 182 | "cert": "file:///path/to/cert1.pem" 183 | } 184 | }, 185 | "baseConfig": { 186 | "key": "file:///path/to/default/key.pem", 187 | "cert": "file:///path/to/default/cert.pem", 188 | "maxVersion": "TLSv1.3", 189 | "minVersion": "TLSv1.2" 190 | } 191 | } 192 | ``` 193 | 194 | ### Example Server Config 3 195 | 196 | File based configuration, base64 encoded secrets, `SNI` disabled: 197 | `MEND_RNV_SERVER_HTTPS_CONFIG_PATH=/path/to/config.json` 198 | 199 | `/path/to/config.json`: 200 | 201 | ```json 202 | { 203 | "baseConfig": { 204 | "key": "base64://", 205 | "cert": "base64://", 206 | "maxVersion": "TLSv1.3", 207 | "minVersion": "TLSv1.2" 208 | } 209 | } 210 | ``` 211 | 212 | ### Example Server Config 4 213 | 214 | String based configuration equivalent to Example 3: 215 | 216 | `MEND_RNV_SERVER_HTTPS_CONFIG={"baseConfig":{"key":"base64://","cert":"base64://","maxVersion":"TLSv1.3","minVersion":"TLSv1.2"}}` 217 | 218 | ## 
'ClientHttpsOptions' details and examples 219 | 220 | ```typescript 221 | type ClientHttpsOptions = { 222 | // If not false, the server certificate is verified against the list of supplied CAs. Default: true. 223 | // 224 | // For more details, refer to the Node.js documentation on the 'rejectUnauthorized' option in: 225 | // https://nodejs.org/docs/latest-v22.x/api/tls.html#tlsconnectoptions-callback 226 | rejectUnauthorized?: boolean | undefined; 227 | 228 | // Optionally override the trusted CA certificates. 229 | // Default is to trust the well-known CAs curated by Mozilla. 230 | // Mozilla's CAs are completely replaced when CAs are explicitly specified using this option. 231 | // 232 | // For more details, refer to the Node.js documentation on the 'ca' option in: 233 | // https://nodejs.org/docs/latest-v22.x/api/tls.html#tlscreatesecurecontextoptions 234 | ca?: string | string[] | undefined; 235 | 236 | // Cert chains in PEM format. One cert chain should be provided per private key. 237 | // 238 | // For more details, refer to the Node.js documentation on the 'cert' option in: 239 | // https://nodejs.org/docs/latest-v22.x/api/tls.html#tlscreatesecurecontextoptions 240 | cert?: string | string[] | undefined; 241 | 242 | // Private keys in PEM format 243 | // 244 | // For more details, refer to the Node.js documentation on the 'key' option in: 245 | // https://nodejs.org/docs/latest-v22.x/api/tls.html#tlscreatesecurecontextoptions 246 | key?: string | string[] | undefined; 247 | 248 | // Shared passphrase used for a single private key and/or a PFX. 249 | // 250 | // For more details, refer to the Node.js documentation on the 'passphrase' option in: 251 | // https://nodejs.org/docs/latest-v22.x/api/tls.html#tlscreatesecurecontextoptions 252 | passphrase?: string | undefined; 253 | 254 | // PFX or PKCS12 encoded private key and certificate chain. 255 | // pfx is an alternative to providing key and cert individually. 
256 | // 257 | // For more details, refer to the Node.js documentation on the 'pfx' option in: 258 | // https://nodejs.org/docs/latest-v22.x/api/tls.html#tlscreatesecurecontextoptions 259 | pfx?: string | string[] | { buf: string; passphrase?: string }[] | undefined; 260 | }; 261 | ``` 262 | 263 | > [!NOTE] 264 | > The `key` + `cert` or `pfx` are required for the client only if the server is configured with`rejectUnauthorized=true` 265 | > and `requestCert=true` (Mutual TLS authentication/mTLS). 266 | 267 | ### Example Client Config 1 268 | 269 | File based configuration: 270 | 271 | `MEND_RNV_CLIENT_HTTPS_CONFIG_PATH=/path/to/config.json` 272 | 273 | `/path/to/config.json`: 274 | 275 | ```json 276 | { 277 | "ca": "file:///path/to/cert_auth.pem" 278 | } 279 | ``` 280 | 281 | ### Example Client Config 2 282 | 283 | String based configuration equivalent to Example 1: 284 | 285 | `MEND_RNV_CLIENT_HTTPS_CONFIG={"ca": "file:///path/to/cert_auth.pem"}` 286 | 287 | 288 | # Node.js runtime configuration 289 | 290 | The `Node.js` runtime can be configured either individually for the wrapper or globally for both the wrapper and the 291 | wrapped `Node.js` application via the following environment variables: 292 | 293 | `NODE_OPTIONS` - Globally define the `NODE_OPTIONS` for both the wrapper `Renovate Enterprise worker/Renovate CE` and the 294 | wrapped `Renovate CLI`. 295 | 296 | `MEND_RNV_NODE_OPTIONS` - Define `NODE_OPTIONS` only for the `Renovate Enterprise worker` or `Renovate CE` wrappers. 297 | 298 | `RENOVATE_NODE_OPTIONS` - Define `NODE_OPTIONS` individually for the `Renovate CLI`. 
299 | 300 | [^1]: https://nodejs.org/docs/latest-v22.x/api/tls.html#tlscreateserveroptions-secureconnectionlistener 301 | -------------------------------------------------------------------------------- /docs/setup-for-bitbucket-data-center.md: -------------------------------------------------------------------------------- 1 | # Set up Mend Renovate Self-hosted App for Bitbucket Data Center 2 | 3 | ## Configure Renovate Bot Account on Bitbucket Data Center 4 | 5 | ### 1.a. Configure Renovate Bot User Account 6 | 7 | The following configuration instructions are to be performed on Bitbucket Data Center by a user account with “Admin” or “System admin” global permissions on Bitbucket Data Center. 8 | 9 | - Log in to Bitbucket Data Center with admin user (eg. http://localhost:7990)
    10 | Note: Bitbucket Admin user permissions - Must be at least “Admin” to create a new user account.
    11 | Also, only repo admins can add the Renovate Bot user and webhooks. 12 | 13 | - Navigate to the User settings page in Administration (Settings → Accounts/Users)
    14 | eg. http://localhost:7990/admin/users 15 | 16 | ![bb-admin-users.png](images/bb-admin-users.png) 17 | 18 | - Click “Create user” to create an account for the Renovate Bot user. (eg. http://localhost:7990/admin/users?create) 19 | 20 | We recommend calling the account “Renovate Bot”. 21 | - Username: “renovate-bot” 22 | - Full name: “Renovate Bot” 23 | 24 | ![bb-create-user.png](images/bb-create-user.png) 25 | 26 | - Note: The Renovate Bot user will be the author of Renovate pull requests. 27 | 28 | ![bb-renovate-bot.png](images/bb-renovate-bot.png) 29 | 30 | - Give the Renovate Bot user basic Bitbucket user access (only required so an HTTP token can be created through the UI) 31 | - Under Global permissions, in the User Access section, click into the table header bar (where it says “Add Users”) and search for the Renovate Bot user. 32 | - Leave the access level at “Bitbucket User”. 33 | - Press “Add” 34 | 35 | ![bb-user-access-1.png](images/bb-user-access-1.png) 36 | 37 | - The end result should be a Renovate Bot user with “Bitbucket User” access only. 38 | 39 | ![bb-user-access-2.png](images/bb-user-access-2.png) 40 | 41 | 
    42 | Note: It is essential that the Renovate Bot user does NOT have Admin or System admin access. Because Bitbucket Admin and System admin users have full access to all projects and repos, there will be no way to control which repos Renovate will run against, and so Renovate will run against all repos. When the Renovate Bot user has only basic user access, administrators can control which repos run with Renovate by adding the Renovate Bot user to specific repos. 43 |
    44 | 45 | # Stage 1b: Fetch HTTP Access Token for the Renovate Bot user 46 | 47 | Once the Renovate Bot user account is created, log in to Bitbucket with the Renovate User account to fetch an HTTP access token for it. This will be used as the `MEND_RNV_BITBUCKET_PAT` in the Renovate CE/EE configuration. 48 | It will be used by Renovate OSS CLI to connect to repos on Bitbucket that the Renovate User has access to. 49 | 50 | - Log in to Bitbucket as the Renovate User
    51 | http://localhost:7990/login 52 | 53 | **_Don’t use the Admin user account!_** 54 | - If logged in as an Admin user account, log out of Bitbucket first. 55 | - Alternatively, open a new web browser in incognito mode. _(Ctrl+Shift+N from a web browser)_ 56 | 57 | ![bb-log-in.png](images/bb-log-in.png) 58 | 59 | - Go to the Account management page (eg. http://localhost:7990/account) 60 | 61 | You can expand the menu on the user profile icon (top right of page) and click “Manage account”. 62 | 63 | ![bb-manage-account.png](images/bb-manage-account.png) 64 | 65 | - Navigate to the HTTP access tokens page 66 | 67 | - Press “Create token” to create a new HTTP access token 68 | 69 | ![bb-access-token.png](images/bb-access-token.png) 70 | 71 | - Create an HTTP access token (with `Repository Write` permission) 72 | - Token name: Can be anything (eg. “Renovate User PAT”) 73 | - Permissions: 74 | - Project permissions: `Project read` 75 | - Repository permissions: `Repository write` 76 | 77 | ![bb-new-token.png](images/bb-new-token.png) 78 | 79 | - Copy the token and store it for later use.
    80 | This will be used as the `MEND_RNV_BITBUCKET_PAT` in the Renovate CE/EE configuration. 81 | 82 |
    83 | 84 | # Stage 2: Install Renovate CE/EE Application Server 85 | 86 | ## Configure the Docker files / Helm charts 87 | Fetch the example docker-compose file or Helm chart configuration files and edit accordingly. 88 | Example files available here: 89 | - Docker files (Renovate CE / Renovate EE) 90 | - Helm charts (Renovate CE / Renovate EE) 91 | 92 | Edit the docker files / helm chart values to provide the required environment variables. 93 | Refer to [Configurations Options](configuration-options.md) for a full list of Renovate CE/EE server variables. 94 | 95 | #### Bitbucket Data Center Connection details 96 | 97 | # Install Renovate Bot and Webhooks on BitBucket project or repository 98 | 99 | ## Stage 3a: Install Renovate Bot on Repositories(/Projects) 100 | 101 | ### Overview 102 | Add the Renovate Bot user to any repo (or project) you want Renovate to run on. 103 | Needs “Repository Write” permission so that it can create pull requests on the repo. 104 | 105 | ### How it works 106 | Renovate will run scans and create PRs on repositories in which the Renovate Bot user has Write access. 107 | So, to install Renovate on a repository, add the Renovate Bot user to the Repository permissions for the repositories or projects you want it installed on. 108 | 109 | ### Permissions required to install the Renovate Bot user 110 | This must be done by a user with Repository Admin permission to the specific repository being added. 111 | Note: Any Bitbucket user with global permissions of Admin or System admin has full access to every project and repository. 112 | 113 | ### Note: 114 | - Adding the Renovate Bot user to a **project** will install Renovate on **all repositories** in the project (current and future). 115 | - Giving the Renovate Bot user `global Admin` user access will install Renovate on **all repositories** on Bitbucket Data Center. 
116 | 117 | ### How to add Renovate Bot to a Repository 118 | 119 | - Navigate to the Repository Settings page for a specific repository.
    120 | Repo → Repository Settings → Repository permissions 121 | 122 | Repo settings page: http://localhost:7990/projects/PROJ1/repos/repo-1/permissions 123 | ![bb-repo-permissions.png](images/bb-repo-permissions.png) 124 | 125 | - Click the “Add user or group” button (Top right corner) 126 | 127 | - Add the Renovate Bot user with permission: Repository Write
    128 | Note: The Renovate Bot user needs write permission so it can create pull requests on the repository. 129 | 130 | ![bb-add-user.png](images/bb-add-user.png) 131 | 132 | Now the Renovate Bot is installed on the repo. 133 | 134 | The Renovate server will detect the new repo on the next App Sync. 135 | 136 | ### Run App Sync to detect new repositories 137 | 138 | **App Sync on schedule** 139 | 140 | App Sync runs on a schedule, which defaults to every 4 hours. 141 | To update the schedule, set the EnvVar MEND_RNV_CRON_APP_SYNC on the Renovate Server. 142 | Accepts a 5-part cron schedule. Defaults to `0 */4 * * *` (every 4 hours, on the hour). 143 | 144 | **Force App Sync via API call** 145 | 146 | To trigger the sync immediately, call the sync API (/api/sync) using a tool like Postman. 147 | Requires the Renovate Server API secret (see `MEND_RNV_SERVER_API_SECRET`). 148 | 149 | Note: To run APIs, ensure Renovate Server has EnvVar `MEND_RNV_ADMIN_API_ENABLED=true` 150 | 151 | ``` 152 | [POST] http://<RENOVATE_SERVER_HOST>/api/sync 153 | Authorization: <RENOVATE_API_SECRET> 154 | ``` 155 | 156 | ![bb-postman-sync.png](images/bb-postman-sync.png) 157 | 158 |
    159 | 160 | ## Stage 3b: Add Webhooks to Repositories(/Projects) 161 | 162 | Webhooks enable a message to be sent from the Bitbucket repository to the Renovate server to trigger a Renovate job on a repository when important files have changed (ie. package files, Renovate config files). 163 | 164 | Webhooks can be enabled at the project level or at the repository level. 165 | 166 | Note: Only a Bitbucket user with Admin or System Admin global permissions can create web hooks on a project or repository. 167 | Create webhooks via the Bitbucket UI 168 | 169 | **To create a webhook on a repository:** 170 | 171 | - Navigate to the repository in which you want to add a webhook 172 | 173 | - Go to the Repository settings and the Webhooks settings page (under Workflow menu)
    174 | [Repo → Repository Settings → Webhooks]
    175 | http://localhost:7990/projects/PROJ1/repos/repo-1/settings 176 | 177 | ![bb-repo-webhooks.png](images/bb-repo-webhooks.png) 178 | 179 | - Click “Create webhook” to open the Create webhook page 180 | 181 | ![bb-create-webhook-1.png](images/bb-create-webhook-1.png) 182 | 183 | **Provide the following values for the webhook:** 184 | - Name: Can be anything. Duplicates are allowed. 185 | - URL: The URL of the Renovate Server plus “/webhook”. Must be accessible to receive incoming calls from the Bitbucket server. 186 | - Status: Active (true) 187 | - Secret: Must match the value in `MEND_RNV_WEBHOOK_SECRET`. (Defaults to ‘renovate’; set your own random value on both sides rather than relying on this publicly documented default.) 188 | - Authentication: None 189 | - SSL/TLS: (Do not skip certificate verification) 190 | - Events: 191 | - Project: Modified (Only available when creating Project webhooks) 192 | - Repository: Push, Modified 193 | - Pull request: Modified 194 | 195 | ![bb-create-webhook-2.png](images/bb-create-webhook-2.png) 196 | 197 | - Click “Save” to finish creating the webhook 198 | 199 | Webhooks will now be triggered when relevant events occur on the repository. 200 | Renovate jobs will automatically run on the triggering repository as required. 201 | 202 | ### Create webhooks via the Bitbucket API 203 | 204 | Run Bitbucket API to create webhooks on repositories and projects. 205 | 206 | **Permissions** 207 | 208 | Only Bitbucket users with Admin or System admin global permissions can create webhooks on projects or repositories. 209 | To create a webhook using the Bitbucket APIs, the API calls must pass an HTTP access token as a Bearer Authorization token in the API header. 210 | 211 | #### Fetch the Authorization Bearer token 212 | 213 | - Log in to Bitbucket as a user with Admin or System admin global permissions 214 | - Navigate to the HTTP access tokens page
    215 | http://localhost:7990/plugins/servlet/access-tokens/users/admin/manage 216 | 217 | ![bb-admin-token.png](images/bb-admin-token.png) 218 | 219 | - Press “Create token” to create the Bearer token required for calling Bitbucket Data Center webhook APIs. 220 | 221 | Note: 222 | - To create **project** webhooks, the HTTP access token must have `Project Admin` permissions.
    223 | - To create **repository** webhooks, the HTTP access token must have `Repository Admin` permissions. (Project Admin not required.) 224 | 225 | ![bb-create-admin-token.png](images/bb-create-admin-token.png) 226 | 227 | - Click “Create” to finish creating the access token 228 | - Copy the access token when it is presented. Store it for use when calling Bitbucket Admin APIs. 229 | 230 | ### Create Repository webhooks via Bitbucket API 231 | 232 | ``` 233 | [POST] - http://<BITBUCKET_HOST>/rest/api/latest/projects/<PROJECT_KEY>/repos/<REPO_SLUG>/webhooks 234 | 235 | Authorization: Bearer <ADMIN_ACCESS_TOKEN> 236 | ``` 237 | 238 | Body: (raw - JSON) 239 | ```json 240 | { 241 | "name": "renovate", 242 | "url": "https://<RENOVATE_SERVER_HOST>/webhook", 243 | "configuration": { "secret": "renovate" }, ← Must match MEND_RNV_WEBHOOK_SECRET (replace the default ‘renovate’ with your own value) 244 | "events": [ 245 | "repo:refs_changed", 246 | "repo:modified", 247 | "pr:modified" 248 | ], 249 | "active": true, 250 | "statistics": {}, 251 | "scopeType": "repository", 252 | "sslVerificationRequired": false ← false lets Bitbucket skip certificate verification for this webhook; set to true when the Renovate Server certificate is trusted by Bitbucket 253 | } 254 | ``` 255 | 256 | ### Create Project webhooks via Bitbucket API 257 | 258 | ``` 259 | POST http://<BITBUCKET_HOST>/rest/api/latest/projects/<PROJECT_KEY>/webhooks 260 | 261 | Authorization: Bearer <ADMIN_ACCESS_TOKEN> 262 | ``` 263 | 264 | Body: (raw - JSON) 265 | ```json 266 | { 267 | "name": "renovate", 268 | "url": "https://<RENOVATE_SERVER_HOST>/webhook", 269 | "configuration": { "secret": "renovate" }, ← Must match MEND_RNV_WEBHOOK_SECRET (replace the default ‘renovate’ with your own value) 270 | "events": [ 271 | "pr:modified", ← Optional: Add this if you want ALL repos on the project to trigger 272 | "repo:refs_changed", ← Optional: Add this if you want ALL repos on the project to trigger 273 | "repo:modified", ← Optional: Add this if you want ALL repos on the project to trigger 274 | "project:modified" 275 | ], 276 | "active": true, 277 | "statistics": {}, 278 | "scopeType": "repository", 279 | "sslVerificationRequired": false ← false lets Bitbucket skip certificate verification for this webhook; set to true when the Renovate Server certificate is trusted by Bitbucket 280 | } 281 | ``` 282 | 283 | **Provide the following values:** 284 | - name: Can be anything. Duplicate names are allowed. 285 | - url: The URL and port of the Renovate Server. 
286 | - Note: Ensure ports are open to receiving incoming calls from Bitbucket Data Center. 287 | - secret: The Webhook secret defined in the MEND_RNV_WEBHOOK_SECRET environment variable on the Renovate Server. 288 | 289 | ### Allow Renovate CE/EE to create Repository webhooks via Bitbucket API 290 | 291 | By setting the values of the two environment variables `MEND_RNV_WEBHOOK_URL` and `MEND_RNV_ADMIN_TOKEN` 292 | the server will manage the repository webhooks automatically. 293 | 294 | 295 | Notes: `MEND_RNV_ADMIN_TOKEN` 296 | 1. Recommended to use a different token than the token for Renovate bot user, so that the bot's token does not need admin permissions 297 | 2. This admin token is only used for searching/adding and removing of webhooks on repository level 298 | 299 | ## Run Mend Renovate Self-hosted App 300 | 301 | You can run Mend Renovate Self-hosted App from a Docker command line prompt, or by using a Docker Compose file. Examples are provided in the links below. 302 | 303 | **Example Docker Compose files:** 304 | 305 | - [Mend Renovate Community Edition](../examples/docker-compose/renovate-ce-github.yml) 306 | - [Mend Renovate Enterprise Edition](../examples/docker-compose/renovate-ee-simple.yml) 307 | 308 | > [!NOTE] 309 | > 310 | > Some configuration of environment variables will be required inside the Docker Compose files. 311 | > 312 | > Essential configuration options are shown below. For a full list of configurable variables, see [Configuration Options](configuration-options.md). 313 | 314 | ## Configure Environment Variables 315 | 316 | ### Essential Configuration for Mend Renovate Server 317 | 318 | **`MEND_RNV_ACCEPT_TOS`**: Set this environment variable to `y` to consent to [Mend's Terms of Service](https://www.mend.io/terms-of-service/). 
319 | 320 | **`MEND_RNV_LICENSE_KEY`**: Provide a valid license key for Renovate Community Edition or Enterprise Edition 321 | 322 | > [!Note] 323 | > 324 | > To run Renovate Community Edition with **up to 10 repositories**, you can use this unregistered license key: 325 | > 326 | > `eyJsaW1pdCI6IjEwIn0=.30440220457941b71ea8eb345c729031718b692169f0ce2cf020095fd328812f4d7d5bc1022022648d1a29e71d486f89f27bdc8754dfd6df0ddda64a23155000a61a105da2a1` 327 | > 328 | > For a free license key for an **unrestricted number of repositories** on Renovate Community Edition, register with the form on the [Renovate Community Edition web page](https://www.mend.io/mend-renovate-community/). 329 | > 330 | > For an Enterprise license key, contact Mend at http://mend.io. 331 | 332 | **`MEND_RNV_PLATFORM`**: Set this to `bitbucket-server`. 333 | 334 | **`MEND_RNV_ENDPOINT`**: This is the API endpoint for your BitBucket Data Center installation. Include the trailing slash. 335 | 336 | **`MEND_RNV_SERVER_PORT`**: The port on which the server listens for webhooks and api requests. Defaults to 8080. 337 | 338 | **`MEND_RNV_BITBUCKET_USER`**: Renovate Bot user account (“Bitbucket User” access only) 339 | 340 | **`MEND_RNV_BITBUCKET_PAT`**: BitBucket access token for the bot user `MEND_RNV_BITBUCKET_USER` 341 | 342 | **`MEND_RNV_WEBHOOK_URL`**: Optional: The URL of the Renovate Server plus '/webhook'. Must be accessible to receive incoming calls from the BitBucket Data Center. 343 | 344 | **`MEND_RNV_ADMIN_TOKEN`**: Optional: A token used for searching/add/removing repository webhooks. Required if `MEND_RNV_WEBHOOK_URL` is set. 345 | 346 | **`MEND_RNV_ADMIN_API_ENABLED`**: Set to 'true' to enable Admin APIs. Defaults to 'false'. 347 | 348 | **`MEND_RNV_SERVER_API_SECRET`**: Required if Admin APIs are enabled, or if running Enterprise Edition. 349 | 350 | **`MEND_RNV_WEBHOOK_SECRET`**: Must match the secret sent by the Bitbucket webhooks. Defaults to 'renovate'. 
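351 | 352 | **`GITHUB_COM_TOKEN`**: A Personal Access Token for a user account on github.com 353 | 354 | **Additional Configuration options** 355 | 356 | For further details and a list of all available options, see the [Configuration Options](configuration-options.md) page. 357 | 358 | ### Renovate CLI Configuration 359 | 360 | Renovate CLI functionality can be configured using environment variables (e.g. `RENOVATE_XXXXXX`) or via a `config.js` file mounted to `/usr/src/app/config.js` inside the Mend Renovate container. 361 | 362 | **npm Registry** 363 | 364 | If using your own npm registry, you may find it easiest to update your Docker Compose file to include a volume that maps an `.npmrc` file to `/home/ubuntu/.npmrc`. The RC file should contain `registry=...` with the registry URL your company uses internally. This will allow Renovate to find shared configs and other internally published packages. 365 | -------------------------------------------------------------------------------- /helm-charts/mend-renovate-ee/templates/server-deployment.yaml: --------------------------------------------------------------------------------
# Deployment for the Renovate EE server pod.
# Credentials are read from Kubernetes Secrets via secretKeyRef; non-secret
# settings are rendered as literal values from the chart values.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "mend-renovate.fullname" . }}-server
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "mend-renovate.name" . }}
    helm.sh/chart: {{ include "mend-renovate.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    {{- with .Values.renovateServer.labels.deployment }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  replicas: {{ .Values.renovateServer.replicas }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "mend-renovate.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
      app: {{ include "mend-renovate.name" . }}-server
  # Recreate stops the old pod before the new one starts.
  # NOTE(review): presumably chosen because the pod mounts the database volume; confirm.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/name: {{ include "mend-renovate.name" . }}
        app.kubernetes.io/instance: {{ .Release.Name }}
        app: {{ include "mend-renovate.name" . }}-server
        {{- with .Values.renovateServer.labels.pods }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      annotations:
        # Hashes of the rendered configmap templates: the pod template changes
        # whenever those configmaps change, so the pod is replaced on upgrade.
        checksum/shardedExtraConfigMaps: {{ include (print $.Template.BasePath "/extra-configmaps.yaml") . | sha256sum }}
        checksum/extraConfigMaps: {{ include (print $.Template.BasePath "/server-extra-configmaps.yaml") . | sha256sum }}
        {{- with .Values.renovateServer.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
    spec:
      # The service account token is not mounted unless the value is set to true.
      automountServiceAccountToken: {{ .Values.renovateServer.automountServiceAccountToken | default false }}
      {{- with .Values.renovateServer.podSecurityContext }}
      securityContext: {{- toYaml . | nindent 8 }}
      {{- end }}
      terminationGracePeriodSeconds: {{ .Values.renovateServer.terminationGracePeriodSeconds }}
      {{- if or .Values.renovateServer.serviceAccount.create .Values.renovateServer.serviceAccount.existingName }}
      serviceAccountName: {{ include "mend-renovate.server-service-account-name" . }}
      {{- end }}
      {{- with .Values.renovateServer.initContainers }}
      initContainers: {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
        - name: {{ .Chart.Name }}-server
          image: "{{ .Values.renovateServer.image.repository }}:{{ .Values.renovateServer.image.version }}"
          imagePullPolicy: {{ .Values.renovateServer.image.pullPolicy }}
          {{- with .Values.renovateServer.containerSecurityContext }}
          securityContext: {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- if or .Values.renovateServer.extraEnvFromConfigMaps .Values.renovateServer.extraEnvFromSecrets }}
          envFrom:
            {{- with .Values.renovateServer.extraEnvFromConfigMaps }}
            {{- range . }}
            - configMapRef:
                name: {{ .name }}
            {{- end }}
            {{- end }}
            {{- with .Values.renovateServer.extraEnvFromSecrets }}
            {{- range . }}
            - secretRef:
                name: {{ .name }}
            {{- end }}
            {{- end }}
          {{- end }}
          env:
            {{- with .Values.renovateServer.extraEnvVars }}
            {{- toYaml . | nindent 12 }}
            {{- end }}
            {{- if .Values.license.mendRnvAcceptTos }}
            - name: MEND_RNV_ACCEPT_TOS
              value: {{ .Values.license.mendRnvAcceptTos | quote }}
            {{- end }}
            {{- if or .Values.license.mendRnvLicenseKey .Values.license.existingSecret }}
            # No "optional: true" here: the pod will not start if the key is missing from the secret.
            - name: MEND_RNV_LICENSE_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ include "mend-renovate.license-secret-name" . }}
                  key: mendRnvLicenseKey
            {{- end }}
            {{- if .Values.renovateServer.mendRnvPlatform }}
            - name: MEND_RNV_PLATFORM
              value: {{ .Values.renovateServer.mendRnvPlatform | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvEndpoint }}
            - name: MEND_RNV_ENDPOINT
              value: {{ .Values.renovateServer.mendRnvEndpoint | quote }}
            {{- end }}
            # GitLab
            # Platform credentials below are marked optional so that a shared
            # existingSecret only needs the keys for the platform in use.
            {{- if or .Values.renovateServer.mendRnvGitlabPat .Values.renovateServer.existingSecret }}
            - name: MEND_RNV_GITLAB_PAT
              valueFrom:
                secretKeyRef:
                  name: {{ include "mend-renovate.server-secret-name" . }}
                  key: mendRnvGitlabPat
                  optional: true
            {{- end }}
            # GitHub
            {{- if or .Values.renovateServer.mendRnvGithubAppId .Values.renovateServer.existingSecret }}
            - name: MEND_RNV_GITHUB_APP_ID
              valueFrom:
                secretKeyRef:
                  name: {{ include "mend-renovate.server-secret-name" . }}
                  key: mendRnvGithubAppId
                  optional: true
            {{- end }}
            {{- if or .Values.renovateServer.mendRnvGithubBotUserId }}
            - name: MEND_RNV_GITHUB_BOT_USER_ID
              value: {{ .Values.renovateServer.mendRnvGithubBotUserId | quote }}
            {{- end }}
            {{- if or .Values.renovateServer.mendRnvGithubAppKey .Values.renovateServer.existingSecret }}
            - name: MEND_RNV_GITHUB_APP_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ include "mend-renovate.server-secret-name" . }}
                  key: mendRnvGithubAppKey
                  optional: true
            {{- end }}
            # BitBucket
            {{- if or .Values.renovateServer.mendRnvBitbucketUser }}
            - name: MEND_RNV_BITBUCKET_USER
              value: {{ .Values.renovateServer.mendRnvBitbucketUser | quote }}
            {{- end }}
            {{- if or .Values.renovateServer.mendRnvBitbucketPat .Values.renovateServer.existingSecret }}
            - name: MEND_RNV_BITBUCKET_PAT
              valueFrom:
                secretKeyRef:
                  name: {{ include "mend-renovate.server-secret-name" . }}
                  key: mendRnvBitbucketPat
                  optional: true
            {{- end }}
            # PostgreSQL database
            {{- if .Values.postgresql.enabled }}
            - name: MEND_RNV_DATA_HANDLER_TYPE
              value: postgresql
            - name: PGDATABASE
              value: {{ .Values.postgresql.database | quote }}
            - name: PGUSER
              value: {{ .Values.postgresql.user | quote }}
            - name: PGPORT
              value: {{ .Values.postgresql.port | quote }}
            - name: PGHOST
              value: {{ .Values.postgresql.host | quote }}
            {{- end }}
            {{- if or .Values.postgresql.enabled .Values.renovateServer.existingSecret }}
            - name: PGPASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ include "mend-renovate.server-secret-name" . }}
                  key: pgPassword
                  optional: true
            {{- end }}

            {{- if or .Values.renovateServer.mendRnvAdminToken .Values.renovateServer.existingSecret }}
            - name: MEND_RNV_ADMIN_TOKEN
              valueFrom:
                secretKeyRef:
                  name: {{ include "mend-renovate.server-secret-name" . }}
                  key: mendRnvAdminToken
                  optional: true
            {{- end }}
            {{- if .Values.renovateServer.mendRnvWebhookURL }}
            - name: MEND_RNV_WEBHOOK_URL
              value: {{ .Values.renovateServer.mendRnvWebhookURL | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvSqliteFilePath }}
            - name: MEND_RNV_SQLITE_FILE_PATH
              value: {{ .Values.renovateServer.mendRnvSqliteFilePath | quote }}
            {{- end }}
            {{- if or .Values.renovateServer.mendRnvWebhookSecret .Values.renovateServer.existingSecret }}
            - name: MEND_RNV_WEBHOOK_SECRET
              valueFrom:
                secretKeyRef:
                  name: {{ include "mend-renovate.server-secret-name" . }}
                  key: mendRnvWebhookSecret
                  optional: true
            {{- end }}
            {{- if .Values.renovateServer.mendRnvWebhookSkipDisabledRepoJobs }}
            - name: MEND_RNV_WEBHOOK_DISABLED_REPOS_HANDLING
              value: {{ .Values.renovateServer.mendRnvWebhookSkipDisabledRepoJobs | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvCronJobSchedulerHot }}
            - name: MEND_RNV_CRON_JOB_SCHEDULER_HOT
              value: {{ .Values.renovateServer.mendRnvCronJobSchedulerHot | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvCronJobSchedulerCold }}
            - name: MEND_RNV_CRON_JOB_SCHEDULER_COLD
              value: {{ .Values.renovateServer.mendRnvCronJobSchedulerCold | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvCronJobSchedulerCapped }}
            - name: MEND_RNV_CRON_JOB_SCHEDULER_CAPPED
              value: {{ .Values.renovateServer.mendRnvCronJobSchedulerCapped | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvCronJobSchedulerAll }}
            - name: MEND_RNV_CRON_JOB_SCHEDULER_ALL
              value: {{ .Values.renovateServer.mendRnvCronJobSchedulerAll | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvCronAppSync }}
            - name: MEND_RNV_CRON_APP_SYNC
              value: {{ .Values.renovateServer.mendRnvCronAppSync | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvSyncOnStartup }}
            - name: MEND_RNV_SYNC_ON_STARTUP
              value: {{ .Values.renovateServer.mendRnvSyncOnStartup | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvSyncMode }}
            - name: MEND_RNV_SYNC_MODE
              value: {{ .Values.renovateServer.mendRnvSyncMode | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvMergeConfidenceToken }}
            # NOTE(review): unlike the other tokens in this template, this one is
            # rendered as a literal value, so it is readable by anyone who can view
            # the Deployment or the release values. Consider supplying it through
            # extraEnvFromSecrets instead.
            - name: MEND_RNV_MC_TOKEN
              value: {{ .Values.renovateServer.mendRnvMergeConfidenceToken | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvMergeConfidenceEndpoint }}
            - name: MEND_RNV_MERGE_CONFIDENCE_ENDPOINT
              value: {{ .Values.renovateServer.mendRnvMergeConfidenceEndpoint | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvLogHistoryS3 }}
            - name: MEND_RNV_LOG_HISTORY_S3
              value: {{ .Values.renovateServer.mendRnvLogHistoryS3 | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvAutoDiscoverFilter }}
            - name: MEND_RNV_AUTODISCOVER_FILTER
              value: {{ .Values.renovateServer.mendRnvAutoDiscoverFilter | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvEnqueueJobsOnStartup }}
            - name: MEND_RNV_ENQUEUE_JOBS_ON_STARTUP
              value: {{ .Values.renovateServer.mendRnvEnqueueJobsOnStartup | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvUserAgent }}
            - name: MEND_RNV_USER_AGENT
              value: {{ .Values.renovateServer.mendRnvUserAgent | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvLogHistoryDir }}
            # Quoted like the sibling entries: env values must render as strings.
            - name: MEND_RNV_LOG_HISTORY_DIR
              value: {{ .Values.renovateServer.mendRnvLogHistoryDir | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvLogHistoryTTLDays }}
            - name: MEND_RNV_LOG_HISTORY_TTL_DAYS
              value: {{ .Values.renovateServer.mendRnvLogHistoryTTLDays | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvLogHistoryCleanupCron }}
            # Quoted: an unquoted cron expression that starts with "*" is not valid YAML.
            - name: MEND_RNV_LOG_HISTORY_CLEANUP_CRON
              value: {{ .Values.renovateServer.mendRnvLogHistoryCleanupCron | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvLibYearsMVRefreshCron }}
            - name: MEND_RNV_CRON_LIBYEARS_MV_REFRESH
              value: {{ .Values.renovateServer.mendRnvLibYearsMVRefreshCron | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvForksProcessing }}
            # Quoted so that a boolean-looking value still renders as a string.
            - name: MEND_RENOVATE_FORKS_PROCESSING
              value: {{ .Values.renovateServer.mendRnvForksProcessing | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvHttpServerDisabled }}
            - name: MEND_RNV_HTTP_SERVER_DISABLED
              value: {{ .Values.renovateServer.mendRnvHttpServerDisabled | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvServerHttpsConfig }}
            - name: MEND_RNV_SERVER_HTTPS_CONFIG
              value: {{ toJson .Values.renovateServer.mendRnvServerHttpsConfig | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvServerHttpsConfigPath }}
            - name: MEND_RNV_SERVER_HTTPS_CONFIG_PATH
              value: {{ .Values.renovateServer.mendRnvServerHttpsConfigPath | quote }}
            {{- end }}
            {{- if .Values.renovateServer.logLevel }}
            - name: LOG_LEVEL
              value: {{ .Values.renovateServer.logLevel | quote }}
            {{- end }}
            {{- if .Values.renovateServer.logFormat }}
            - name: LOG_FORMAT
              value: {{ .Values.renovateServer.logFormat | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvPrometheusMetricsEnabled }}
            - name: MEND_RNV_API_ENABLE_PROMETHEUS_METRICS
              value: {{ .Values.renovateServer.mendRnvPrometheusMetricsEnabled | quote }}
            {{- end }}
            {{- if or .Values.renovateServer.mendRnvServerApiSecret .Values.renovateServer.existingSecret }}
            # No "optional: true" here: the pod will not start if the key is missing from the secret.
            - name: MEND_RNV_SERVER_API_SECRET
              valueFrom:
                secretKeyRef:
                  name: {{ include "mend-renovate.server-secret-name" . }}
                  key: mendRnvServerApiSecret
            {{- end }}
            # API toggles: coalesce takes the first non-empty value, and a boolean
            # false counts as empty. Setting a specific flag to false therefore does
            # not switch that API off while the fallback flag is true.
            {{- if or .Values.renovateServer.mendRnvApiEnabled .Values.renovateServer.mendRnvAdminApiEnabled }}
            - name: MEND_RNV_API_ENABLED
              value: {{ (coalesce .Values.renovateServer.mendRnvApiEnabled .Values.renovateServer.mendRnvAdminApiEnabled) | quote }}
            {{- end }}
            {{- if or .Values.renovateServer.mendRnvReportingApiEnabled .Values.renovateServer.mendRnvReportingEnabled }}
            - name: MEND_RNV_API_ENABLE_REPORTING
              value: {{ (coalesce .Values.renovateServer.mendRnvReportingApiEnabled .Values.renovateServer.mendRnvReportingEnabled) | quote }}
            {{- end }}
            {{- if or .Values.renovateServer.mendRnvSystemApiEnabled .Values.renovateServer.mendRnvAdminApiEnabled }}
            - name: MEND_RNV_API_ENABLE_SYSTEM
              value: {{ (coalesce .Values.renovateServer.mendRnvSystemApiEnabled .Values.renovateServer.mendRnvAdminApiEnabled) | quote }}
            {{- end }}
            {{- if or .Values.renovateServer.mendRnvJobsApiEnabled .Values.renovateServer.mendRnvAdminApiEnabled }}
            - name: MEND_RNV_API_ENABLE_JOBS
              value: {{ (coalesce .Values.renovateServer.mendRnvJobsApiEnabled .Values.renovateServer.mendRnvAdminApiEnabled) | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvDisableGlobalAgent }}
            - name: MEND_RNV_DISABLE_GLOBAL_AGENT
              value: {{ .Values.renovateServer.mendRnvDisableGlobalAgent | quote }}
            {{- end }}
            {{- if .Values.renovateServer.mendRnvEnableHttp2 }}
            - name: MEND_RNV_ENABLE_HTTP2
              value: {{ .Values.renovateServer.mendRnvEnableHttp2 | quote }}
            {{- end }}
          ports:
            - name: ee-server
              containerPort: 8080
              protocol: TCP
            - name: ee-server-https
              containerPort: 8443
              protocol: TCP
          {{- with .Values.renovateServer.livenessProbe }}
          livenessProbe:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with .Values.renovateServer.readinessProbe }}
          readinessProbe:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          resources:
            {{- toYaml .Values.renovateServer.resources | nindent 12 }}
          volumeMounts:
            - name: {{ .Release.Name }}-database-volume
              mountPath: /database
            {{- with .Values.renovateServer.extraVolumeMounts }}
            {{- toYaml . | nindent 12 }}
            {{- end }}
      {{- with .Values.renovateServer.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- if .Values.renovateServer.imagePullSecrets }}
      imagePullSecrets:
        - name: {{ .Values.renovateServer.imagePullSecrets }}
      {{- end }}
      volumes:
        # Database volume: a PVC when persistence is enabled, otherwise an
        # emptyDir (memory-backed or default) whose contents are lost when the
        # pod is removed.
        - name: {{ .Release.Name }}-database-volume
          {{- if .Values.dataPersistence.enabled }}
          persistentVolumeClaim:
            claimName: {{ .Values.dataPersistence.existingClaim | default (printf "%s-data" (include "mend-renovate.fullname" .)) }}
          {{- else if .Values.dataInMemory.enabled }}
          emptyDir:
            medium: Memory
          {{- else }}
          emptyDir: { }
          {{- end }}
        {{- with .Values.renovateServer.extraVolumes }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- with .Values.renovateServer.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.renovateServer.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
--------------------------------------------------------------------------------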