renovate

Metadata

| Field | Value |
|---|---|
| Service | renovate |
| Purpose | Self-hosted dependency bot that opens update PRs against the dev branch so every change passes CI before reaching production |
| Criticality | Tier 2 |
| Owner | Platform owner |
| Clusters | local |
| Namespace | renovate |
| Exposure | none |
| Stateful | no |
| Backup class | none |
| RPO / RTO | N/A — redeploys from Git in minutes |
| Last reviewed | 2026-06-30 |

1. Service Overview

Renovate runs as a scheduled CronJob and scans this repository for outdated container images and dependencies. It opens pull requests against the dev branch, where the Forgejo CI validation gateway (make check) runs before any merge to main. This keeps the production-deployed manifests on local up to date while preserving the validation gate.

Summary

If Renovate is unavailable, dependency updates stop arriving automatically. Existing services keep running; operators fall back to manual image bumps.

Dependencies

| Dependency | Type | Why it matters |
|---|---|---|
| GitHub | external | Hosts the scanned repository and receives the PRs |
| Forgejo CI | external | Validation gateway on dev that gates each update PR before main |
| Fleet | GitOps | Reconciles main to the local cluster after a PR merges |

2. Architecture Diagram

```
[CronJob renovate (weekly)]
   -> scans arnaudmut/k8s on GitHub
   -> opens PR against dev
        -> Forgejo CI runs make check
        -> merge to main
             -> Fleet reconciles local cluster
```

3. Deployment Specifications

| Item | Value |
|---|---|
| Source path | renovate/base and renovate/overlays/local |
| Deployment model | Kustomize plus Fleet bundle |
| Namespace | renovate |
| Workload kind | CronJob |
| Image | renovate/renovate:43.249.5 (pinned in overlay) |
| Schedule | `30 5 * * 1` (weekly Monday, Europe/Paris) |
| RBAC | None; ServiceAccount token automount disabled |
| Probes | None (one-shot batch Job per run) |
| Config files | base/kustomization.yaml, base/renovate-configmap.yaml, overlays/local/kustomization.yaml, fleet.yaml |

Cluster mapping

| Cluster | Overlay path | Notes |
|---|---|---|
| local | renovate/overlays/local | Production cluster that runs Renovate |

4. Configuration Guide

Environment variables

| Variable | Source | Purpose | Secret? |
|---|---|---|---|
| RENOVATE_TOKEN | Secret renovate-env | GitHub PAT used to read repos and open PRs | yes |
| LOG_LEVEL | CronJob env | Logging verbosity (info) | no |
| RENOVATE_BASE_DIR | CronJob env | Writable workspace mounted from emptyDir | no |
| RENOVATE_CONFIG_FILE | CronJob env | Path to the mounted config.json | no |

ConfigMaps

| Resource | Path | Purpose |
|---|---|---|
| renovate-config | renovate/base/renovate-configmap.yaml | Non-secret Renovate settings: scope, schedule, package rules |

Renovate behavior (config.json)

  • platform: github, repositories: ["arnaudmut/k8s"].
  • baseBranchPatterns: ["dev"] — every PR targets dev and must pass CI.
  • enabledManagers: Fleet, Helm values, Helm v3, Kubernetes, and Kustomize.
  • includePaths: base/, overlays/local/, fleet.yaml, and kustomization.yaml files.
  • minimumReleaseAge: 3 days.
  • Major updates disabled by default; reviewed manually.
  • Kubernetes/Fleet manifest updates are grouped.
  • Renovate self-updates its own image tag through the same Kubernetes manifest rule.
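The settings listed above, written out as one complete config.json. This is an added illustration, not the contents of the repository's base/renovate-configmap.yaml: the exact includePaths globs, the kubernetes managerFilePatterns regex, the $schema line and the explicit dependencyDashboard flag are assumptions, and the ConfigMap's schedule setting is left out because its value is not documented on this page. The token is deliberately absent: the file lives in a non-secret ConfigMap, so credentials must only ever arrive through the RENOVATE_TOKEN environment variable.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "platform": "github",
  "repositories": ["arnaudmut/k8s"],
  "baseBranchPatterns": ["dev"],
  "enabledManagers": ["fleet", "helm-values", "helmv3", "kubernetes", "kustomize"],
  "includePaths": ["base/**", "overlays/local/**", "fleet.yaml", "**/kustomization.yaml"],
  "kubernetes": {
    "managerFilePatterns": ["/\\.ya?ml$/"]
  },
  "minimumReleaseAge": "3 days",
  "dependencyDashboard": true,
  "packageRules": [
    {
      "description": "Major updates are never proposed automatically; they are reviewed by hand",
      "matchUpdateTypes": ["major"],
      "enabled": false
    },
    {
      "description": "Kubernetes and Fleet manifest bumps land in a single grouped PR per run",
      "matchManagers": ["kubernetes", "fleet"],
      "groupName": "kubernetes manifests"
    }
  ]
}
```

Two points worth checking against a real deployment: the kubernetes manager matches no files unless managerFilePatterns is set, so without that stanza the image tags in the CronJob and other plain manifests are silently skipped; and because overlays/local/ is inside includePaths, the pinned renovate/renovate tag in the overlay is picked up by that same kubernetes rule, which is how the self-update described in the last bullet happens without a dedicated rule.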

Secrets management

  • Secret name: renovate-env in namespace renovate.
  • Required keys: RENOVATE_TOKEN.
  • Source of truth: gitignored overlays/local/.renovate.env from .renovate.env.example.
  • Rotation trigger: operator-initiated, suspected compromise, or GitHub token expiry.
  • Recovery note: recreate renovate-env before the next scheduled run; Renovate cannot open PRs without it.

5. Access Protocols

| Path | URL or endpoint | Audience | Auth | TLS terminates at |
|---|---|---|---|---|
| GitHub API | api.github.com | Renovate pod only | GitHub PAT | GitHub |
| Dashboard | Renovate Dependency Dashboard issue in GitHub | Operators | GitHub | GitHub |

Renovate has no inbound exposure. It only makes outbound calls to GitHub.

6. Operations and Observability

  • Primary health indicators: CronJob last successful Job, job history, and pod logs.
  • Dashboards or alerts: the Renovate Dependency Dashboard issue in GitHub; shared cluster job monitoring.
  • Log locations: `kubectl -n renovate logs -l app.kubernetes.io/name=renovate`.
  • Known failure modes: missing or expired RENOVATE_TOKEN, GitHub rate limit, invalid config.json, image pull failure.

7. Backup and Recovery Notes

  • Backup method: none required. All configuration is in Git; the only out-of-band artifact is the GitHub token.
  • Restore prerequisites: repository, renovate-env Secret with a valid token, and Fleet reconciliation.
  • Backup gap: the GitHub token is not backed up by the cluster; rotate and recreate it if lost.
  • Related runbook: ../runbooks/renovate.md

8. Release and Change Notes

  • Current deployed app version: renovate/renovate:43.249.5.
  • Current chart version: N/A.
  • Last significant change: rewrote Renovate to target only the local cluster, pin the image, route PRs through dev/CI, and move the token into a gitignored Secret.
  • Rollback reference: revert the renovate/ Git changes; recreate renovate-env if a token rotation happened.