From 80dac2acbd4fa2bd8f0e43018fab632b8f468a84 Mon Sep 17 00:00:00 2001 From: Sebastian Mark Date: Sat, 29 Jul 2023 15:38:29 +0200 Subject: [PATCH] feat: add renovate-bot --- README.md | 1 + README.renovate.md | 33 +++++++++++++++++ bin/start_renovate_bot.sh | 74 ++++++++++++++++++++++++++++++++++++++ manifests/renovate-bot.yml | 45 +++++++++++++++++++++++ 4 files changed, 153 insertions(+) create mode 100644 README.renovate.md create mode 100755 bin/start_renovate_bot.sh create mode 100644 manifests/renovate-bot.yml diff --git a/README.md b/README.md index 30c5f2f..047b0bf 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,7 @@ * [ara-server](https://ara.recordsansible.org/) * [c19d](https://gitlab.com/smsvc/c19d/) +* [removate-bot](https://github.com/renovatebot/renovate) (see [README.renovate.md](README.renovate.md)) ## Installation diff --git a/README.renovate.md b/README.renovate.md new file mode 100644 index 0000000..28bd983 --- /dev/null +++ b/README.renovate.md 
@@ -0,0 +1,33 @@
+# Renovate Bot
+
+The baseline only applies the basic settings for renovate, but does not include any credentials or platform configuration.
+
+Create a new secret to provide the necessary settings:
+
+```
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: renovate-env
+ namespace: renovate
+type: Opaque
+stringData:
+ GITHUB_COM_TOKEN: 'your-github-token-here'
+ RENOVATE_PLATFORM: 'gitea'
+ RENOVATE_ENDPOINT: 'https://git.smsvc.net/'
+ RENOVATE_TOKEN: 'your-api-token-here'
+ LOG_LEVEL: info
+```
+
+You must set at least `RENOVATE_PLATFORM`, `RENOVATE_ENDPOINT` and `RENOVATE_TOKEN`.
+You can set any configuration that can be set by environment variable (see References).
+
+---
+
+References:
+
+- [Supported Platforms](https://docs.renovatebot.com/modules/platform/)
+- [Self-Hosted configuration](https://docs.renovatebot.com/self-hosted-configuration/)
+- [GitHub.com token for release notes](https://docs.renovatebot.com/getting-started/running/#githubcom-token-for-release-notes)
+- [Log debug levels](https://docs.renovatebot.com/troubleshooting/#log-debug-levels)
diff --git a/bin/start_renovate_bot.sh b/bin/start_renovate_bot.sh
new file mode 100755
index 0000000..544a3ca
--- /dev/null
+++ b/bin/start_renovate_bot.sh
@@ -0,0 +1,74 @@
+#! /bin/bash
+
+## Author: Sebastian Mark
+## CC-BY-SA (https://creativecommons.org/licenses/by-sa/4.0/deed.de)
+## for civil use only
+
+## start renovate cronjob manually
+## Usage: start_renovate_bot.sh [--debug] [group/repo group/repo ...]
+
+set -e
+
+NS="renovate"
+CRONJOBNAME="renovate-bot"
+JOBNAME="renovate-bot-manual-$(openssl rand -hex 3)"
+
+TMPFILE=$(mktemp)
+
+## create a single job from cronjob
+kubectl -n $NS --dry-run=client create job $JOBNAME --from=cronjob/$CRONJOBNAME -o yaml >$TMPFILE
+
+## add debug env var
+if [[ "$1" == "--debug" ]]; then
+ kubectl patch --local -f $TMPFILE --type='json' --patch='[
+ {
+ "op": "add",
+ "path": "/spec/template/spec/containers/0/env/-",
+ "value": { "name": "LOG_LEVEL", "value": "debug"}
+ }
+ ]' -o yaml | sponge $TMPFILE
+ shift
+fi
+
+## limit job to passed repo(s)
+if [[ $# -gt 0 ]]; then
+ ## disable autodiscover
+ kubectl patch --local -f $TMPFILE --type='json' --patch='[
+ {
+ "op": "add",
+ "path": "/spec/template/spec/containers/0/args",
+ "value": ["--autodiscover=false"]
+ }
+ ]' -o yaml | sponge $TMPFILE
+
+ ## add each repo as single argument
+ for REPO in "$@"; do
+ kubectl patch --local -f $TMPFILE --type='json' --patch='[
+ {
+ "op": "add",
+ "path": "/spec/template/spec/containers/0/args/-",
+ "value": "'$REPO'"
+ }
+ ]' -o yaml | sponge $TMPFILE
+ done
+fi
+
+## create job
+kubectl -n $NS apply -f $TMPFILE
+rm $TMPFILE
+
+## wait for corrosponding pod to be ready
+PODNAME=$(kubectl -n $NS get pods --selector=job-name=$JOBNAME --no-headers -o custom-columns=":metadata.name")
+kubectl -n $NS wait --for=condition=Ready pod/$PODNAME --timeout=3m
+
+## show job logs
+echo "waiting for logs...."
+echo
+kubectl -n $NS logs -f job/$JOBNAME
+echo
+
+echo "saving log to /tmp/${JOBNAME}.log"
+kubectl -n $NS logs job/$JOBNAME &>/tmp/${JOBNAME}.log
+
+## remove job
+kubectl -n $NS delete job $JOBNAME
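Review bot: In the `for REPO in "$@"` loop the argument is spliced unquoted into the JSON patch (`"value": "'$REPO'"`), so a value containing whitespace, a quote or a backslash either breaks the patch or changes what ends up in the job's container args. Validate each argument before it is used, for example `[[ "$REPO" =~ ^[A-Za-z0-9._-]+/[A-Za-z0-9._-]+$ ]] || { echo "invalid repo: $REPO" >&2; exit 1; }`, and quote the expansion. Because of `set -e`, a failing kubectl call before `rm $TMPFILE` leaves the temp file behind, and a failure after `apply` leaves the manual job behind; `trap 'rm -f "$TMPFILE"' EXIT` right after `mktemp` covers the file. The log is written to a path under the shared `/tmp` with default permissions, and a `--debug` run is likely to contain repository details, so a `mktemp -d` directory would be a safer destination on a multi-user host.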
diff --git a/manifests/renovate-bot.yml b/manifests/renovate-bot.yml
new file mode 100644
index 0000000..9172a47
--- /dev/null
+++ b/manifests/renovate-bot.yml
@@ -0,0 +1,45 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: renovate-bot
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: "https://docs.renovatebot.com/helm-charts"
+ chart: "renovate"
+ targetRevision: "36.*"
+ helm:
+ values: |
+ fullnameOverride: "renovate-bot"
+ cronjob:
+ schedule: '@daily'
+ concurrencyPolicy: "Forbid"
+ existingSecret: "renovate-env"
+ renovate:
+ persistence:
+ cache:
+ enabled: true
+ storageSize: "128Mi"
+ config: |
+ {
+ "onboardingConfigFileName": ".renovaterc.json",
+ "onboardingConfig": {"extends":["local>infrastructure/renovate-config"]},
+ "autodiscover": true
+ }
+ destination:
+ server: 'https://kubernetes.default.svc'
+ namespace: renovate
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 5m
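Review bot: `targetRevision: "36.*"` combined with `syncPolicy.automated` (`prune: true`, `selfHeal: true`) means any newly published 36.x chart is rolled out without review into a workload that holds `RENOVATE_TOKEN`; pin an exact chart version here and let Renovate propose the bump as a reviewed change. `"autodiscover": true` is set without an `autodiscoverFilter`, so the bot will act on every repository the token can reach; either scope the token to the intended repositories or add a filter such as `"autodiscoverFilter": ["infrastructure/*"]` (pattern constructed as an example). A short comment above `existingSecret: "renovate-env"` saying that the secret is created out of band, as described in README.renovate.md, would also help the next reader.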