renovate
| Field | Value |
|---|---|
| Service | renovate |
| Purpose | Self-hosted dependency bot that opens update PRs against the dev branch so every change passes CI before reaching production |
| Criticality | Tier 2 |
| Owner | Platform owner |
| Clusters | local |
| Namespace | renovate |
| Exposure | none |
| Stateful | no |
| Backup class | none |
| RPO / RTO | N/A; redeploys from Git in minutes |
| Last reviewed | 2026-06-30 |
1. Service Overview
Renovate runs as a scheduled CronJob and scans this repository for outdated
container images and dependencies. It opens pull requests against the dev
branch, where the Forgejo CI validation gateway (make check) runs before any
merge to main. This keeps the production-deployed manifests on local
up to date while preserving the validation gate.
Summary
If Renovate is unavailable, dependency updates stop arriving automatically.
Existing services keep running; operators fall back to manual image bumps.
Dependencies
| Dependency | Type | Why it matters |
|---|---|---|
| GitHub | external | Hosts the scanned repository and receives the PRs |
| Forgejo CI | external | Validation gateway on dev that gates each update PR before main |
| Fleet | GitOps | Reconciles main to the local cluster after a PR merges |
2. Architecture Diagram
[CronJob renovate (weekly)]
-> scans arnaudmut/k8s on GitHub
-> opens PR against dev
-> Forgejo CI runs make check
-> merge to main
-> Fleet reconciles local cluster
3. Deployment Specifications
| Item | Value |
|---|---|
| Source path | renovate/base and renovate/overlays/local |
| Deployment model | Kustomize plus Fleet bundle |
| Namespace | renovate |
| Workload kind | CronJob |
| Image | renovate/renovate:43.249.5 (pinned in overlay) |
| Schedule | 30 5 * * 1 (weekly Monday, Europe/Paris) |
| RBAC | None; ServiceAccount token automount disabled |
| Probes | None (one-shot batch Job per run) |
| Config files | base/kustomization.yaml, base/renovate-configmap.yaml, overlays/local/kustomization.yaml, fleet.yaml |
Cluster mapping
| Cluster | Overlay path | Notes |
|---|---|---|
| local | renovate/overlays/local | Production cluster that runs Renovate |
4. Configuration Guide
Environment variables
| Variable | Source | Purpose | Secret? |
|---|---|---|---|
| RENOVATE_TOKEN | Secret renovate-env | GitHub PAT used to read repos and open PRs | yes |
| LOG_LEVEL | CronJob env | Logging verbosity (info) | no |
| RENOVATE_BASE_DIR | CronJob env | Writable workspace mounted from emptyDir | no |
| RENOVATE_CONFIG_FILE | CronJob env | Path to the mounted config.json | no |
ConfigMaps
| Resource | Path | Purpose |
|---|---|---|
| renovate-config | renovate/base/renovate-configmap.yaml | Non-secret Renovate settings: scope, schedule, package rules |
Renovate behavior (config.json)
- platform: github, repositories: ["arnaudmut/k8s"].
- baseBranchPatterns: ["dev"]; every PR targets dev and must pass CI.
- enabledManagers: Fleet, Helm values, Helm v3, Kubernetes, and Kustomize.
- includePaths: base/, overlays/local/, fleet.yaml, and kustomization.yaml files.
- minimumReleaseAge: 3 days.
- Major updates disabled by default; reviewed manually.
- Kubernetes/Fleet manifest updates are grouped.
- Renovate self-updates its own image tag through the same Kubernetes manifest rule.
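The list above expressed as a self-hosted Renovate config is shown here as an added example; it is not the repository's actual config.json. Manager names are Renovate's real manager IDs, but the exact glob values, the group names, and the `kubernetes.managerFilePatterns` scoping are assumptions reconstructed from the description (the deployment mounts plain JSON; the comments here are explanatory only).

```json5
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "platform": "github",
  "repositories": ["arnaudmut/k8s"],
  // Every PR targets dev so the Forgejo `make check` gate runs before main.
  "baseBranchPatterns": ["dev"],
  "enabledManagers": ["fleet", "helm-values", "helmv3", "kubernetes", "kustomize"],
  // Assumed globs: limit scanning to the manifest paths named in this document.
  "includePaths": ["base/**", "overlays/local/**", "fleet.yaml", "**/kustomization.yaml"],
  // The kubernetes manager has no default file pattern; assumed scoping to manifests
  // under base/ and overlays/local/. This same rule picks up the pinned
  // renovate/renovate image in overlays/local, which is how the bot self-updates.
  "kubernetes": {
    "managerFilePatterns": ["**/base/**/*.yaml", "**/overlays/local/**/*.yaml"]
  },
  // Skip releases younger than three days (supply-chain cool-off).
  "minimumReleaseAge": "3 days",
  "timezone": "Europe/Paris",
  "packageRules": [
    {
      // Majors stay disabled; an operator re-enables them per dependency.
      "matchUpdateTypes": ["major"],
      "enabled": false
    },
    {
      // One grouped PR for Kubernetes and Fleet manifest bumps (group name assumed).
      "matchManagers": ["kubernetes", "fleet"],
      "groupName": "kubernetes and fleet manifests"
    }
  ],
  // Backs the Dependency Dashboard issue referenced in the access table.
  "dependencyDashboard": true
}
```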
Secrets management
- Secret name: renovate-env in namespace renovate.
- Required keys: RENOVATE_TOKEN.
- Source of truth: gitignored overlays/local/.renovate.env, created from .renovate.env.example.
- Rotation trigger: operator-initiated, suspected compromise, or GitHub token expiry.
- Recovery note: recreate renovate-env before the next scheduled run; Renovate cannot open PRs without it.
5. Access Protocols
| Path | URL or endpoint | Audience | Auth | TLS terminates at |
|---|---|---|---|---|
| GitHub API | api.github.com | Renovate pod only | GitHub PAT | GitHub |
| Dashboard | Renovate Dependency Dashboard issue in GitHub | Operators | GitHub | GitHub |
Renovate has no inbound exposure. It only makes outbound calls to GitHub.
6. Operations and Observability
- Primary health indicators: CronJob last successful Job, job history, and pod logs.
- Dashboards or alerts: the Renovate Dependency Dashboard issue in GitHub; shared cluster job monitoring.
- Log locations: kubectl -n renovate logs -l app.kubernetes.io/name=renovate.
- Known failure modes: missing or expired RENOVATE_TOKEN, GitHub rate limit, invalid config.json, image pull failure.
7. Backup and Recovery Notes
- Backup method: none required. All configuration is in Git; the only out-of-band artifact is the GitHub token.
- Restore prerequisites: repository, renovate-env Secret with a valid token, and Fleet reconciliation.
- Backup gap: the GitHub token is not backed up by the cluster; rotate and recreate it if lost.
- Related runbook: ../runbooks/renovate.md
8. Release and Change Notes
- Current deployed app version: renovate/renovate:43.249.5.
- Current chart version: N/A.
- Last significant change: rewrote Renovate to target only the local cluster, pin the image, route PRs through dev/CI, and move the token into a gitignored Secret.
- Rollback reference: revert the renovate/ Git changes; recreate renovate-env if a token rotation happened.