feat: add renovate-bot cronjob

- Add new Kubernetes manifests for `renovate-bot` in `k8s-manifests/` directory
  - The Kubernetes manifests include a ConfigMap for `renovate-bot` configuration and a CronJob definition
  - The `renovate-bot` now runs as a Kubernetes CronJob scheduled daily
- Add new `start_renovate_bot.sh` script in `bin/` directory for manual job creation
- Update README and add new README.renovate

🤖

README.md

@@ -10,6 +10,7 @@
   * [loki](https://grafana.com/docs/loki/latest/)
   * [keel](https://keel.sh)
   * [reloader](https://github.com/stakater/Reloader)
+  * [removate-bot](https://github.com/renovatebot/renovate) (see [README.renovate.md](README.renovate.md))
 
 ## Installation (k3s + baseline)
 

README.renovate.md

@@ -0,0 +1,33 @@
+# Renovate Bot
+
+The baseline only applies the basic settings for renovate, but does not include any credentials or platform configuration.
+
+Create a new secret to provide the necessary settings:
+
+```
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: renovate-env
+  namespace: renovate
+type: Opaque
+stringData:
+  GITHUB_COM_TOKEN: 'your-github-token-here'
+  RENOVATE_PLATFORM: 'gitea'
+  RENOVATE_ENDPOINT: 'https://git.smsvc.net/'
+  RENOVATE_TOKEN: 'your-api-token-here'
+  LOG_LEVEL: info
+```
+
+You must set at least `RENOVATE_PLATFORM`, `RENOVATE_ENDPOINT` and `RENOVATE_TOKEN`.  
+You can set any configuration that can be set by environment variable (see References).
+
+---
+
+References:
+
+- [Supported Platforms](https://docs.renovatebot.com/modules/platform/)
+- [Self-Hosted configuration](https://docs.renovatebot.com/self-hosted-configuration/)
+- [GitHub.com token for release notes](https://docs.renovatebot.com/getting-started/running/#githubcom-token-for-release-notes)
+- [Log debug levels](https://docs.renovatebot.com/troubleshooting/#log-debug-levels)

bin/start_renovate_bot.sh

@@ -0,0 +1,74 @@
+#! /bin/bash
+
+## Author: Sebastian Mark
+## CC-BY-SA (https://creativecommons.org/licenses/by-sa/4.0/deed.de)
+## for civil use only
+
+## start renovate cronjob manually
+## Usage: start_renovate_bot.sh [--debug] [group/repo group/repo ...]
+
+set -e
+
+NS="renovate"
+CRONJOBNAME="renovate-bot"
+JOBNAME="renovate-bot-manual-$(openssl rand -hex 3)"
+
+TMPFILE=$(mktemp)
+
+## create a single job from cronjob
+kubectl -n $NS --dry-run=client create job $JOBNAME --from=cronjob/$CRONJOBNAME -o yaml >$TMPFILE
+
+## add debug env var
+if [[ "$1" == "--debug" ]]; then
+  kubectl patch --local -f $TMPFILE --type='json' --patch='[
+  {
+    "op": "add",
+    "path": "/spec/template/spec/containers/0/env/-",
+    "value": { "name": "LOG_LEVEL", "value": "debug"}
+  }
+  ]' -o yaml | sponge $TMPFILE
+  shift
+fi
+
+## limit job to passed repo(s)
+if [[ $# -gt 0 ]]; then
+  ## disable autodiscover
+  kubectl patch --local -f $TMPFILE --type='json' --patch='[
+  {
+    "op": "add",
+    "path": "/spec/template/spec/containers/0/args",
+    "value": ["--autodiscover=false"]
+  }
+  ]' -o yaml | sponge $TMPFILE
+
+  ## add each repo as single argument
+  for REPO in "$@"; do
+    kubectl patch --local -f $TMPFILE --type='json' --patch='[
+    {
+      "op": "add",
+      "path": "/spec/template/spec/containers/0/args/-",
+      "value": "'$REPO'"
+    }
+    ]' -o yaml | sponge $TMPFILE
+  done
+fi
+
+## create job
+kubectl -n $NS apply -f $TMPFILE
+rm $TMPFILE
+
+## wait for corrosponding pod to be ready
+PODNAME=$(kubectl -n $NS get pods --selector=job-name=$JOBNAME --no-headers -o custom-columns=":metadata.name")
+kubectl -n $NS wait --for=condition=Ready pod/$PODNAME --timeout=3m
+
+## show job logs
+echo "waiting for logs...."
+echo
+kubectl -n $NS logs -f job/$JOBNAME
+echo
+
+echo "saving log to /tmp/${JOBNAME}.log"
+kubectl -n $NS logs job/$JOBNAME &>/tmp/${JOBNAME}.log
+
+## remove job
+kubectl -n $NS delete job $JOBNAME

k8s-manifests/renovate-bot.jsonnet

@@ -0,0 +1,27 @@
+local app = import "../_templates/argocd_app.libsonnet";
+
+[
+app + {
+  chart:: "renovate",
+  repo:: "https://docs.renovatebot.com/helm-charts",
+  version:: "36.*",
+  values:: |||
+    fullnameOverride: "renovate-bot"
+    cronjob:
+      schedule: '@daily'
+      concurrencyPolicy: "Forbid"
+    existingSecret: "renovate-env"
+    renovate:
+      persistence:
+        cache:
+          enabled: true
+          storageSize: "128Mi"
+      config: |
+        {
+          "onboardingConfigFileName": ".renovaterc.json",
+          "onboardingConfig": {"extends":["local>infrastructure/renovate-config"]},
+          "autodiscover": true
+        }
+  |||
+}
+]