diff --git a/MIGRATION_GUIDE.md b/MIGRATION_GUIDE.md index 6f0aa32..624c509 100644 --- a/MIGRATION_GUIDE.md +++ b/MIGRATION_GUIDE.md 
@@ -43,21 +43,35 @@ This module has been completely repurposed from deploying Ansible Event-Driven A - `upload_example_rulebook` → Use `upload_config_file` instead - `cpu_limit` → Removed (can be added back if needed) -#### New Required Variables +#### New Required Configuration (Stored in Vault) +**CRITICAL**: The following values are NOT Terraform variables. They must be stored in HashiCorp Vault at path `secret/renovate`: + +- `renovate_platform` - Must be "gitea" - `renovate_endpoint` - Gitea API endpoint (e.g., `https://gitea.example.com/api/v1/`) - `renovate_token` - Gitea personal access token for the bot +- `renovate_git_author` - Git commit author (e.g., "Renovate Bot ") +- `renovate_username` - Bot username (e.g., "renovate-bot") -#### New Optional Variables +**Store in Vault using:** +```bash +vault kv put secret/renovate \ + renovate_platform="gitea" \ + renovate_endpoint="https://gitea.example.com/api/v1/" \ + renovate_token="YOUR_GITEA_TOKEN" \ + renovate_git_author="Renovate Bot " \ + renovate_username="renovate-bot" +``` -- `renovate_platform` - Git platform (default: "gitea") -- `renovate_git_author` - Git commit author -- `renovate_username` - Bot username -- `renovate_autodiscover` - Enable auto-discovery -- `renovate_onboarding_config` - Onboarding configuration -- `github_com_token` - Optional GitHub.com token -- `restart_policy` - Container restart policy -- `upload_config_file` - Upload config.js template +#### New Optional Variables (Terraform) + +- `github_com_token` - Optional GitHub.com token for changelog fetching +- `restart_policy` - Container restart policy (default: "unless-stopped") +- `upload_config_file` - Upload config.js template (default: true) +- `renovate_autodiscover` - Enable auto-discovery (default: true) +- `renovate_onboarding_config` - Onboarding configuration JSON +- `log_level` - Logging level (default: "info") +- `extra_env_vars` - Additional environment variables ### 6. Configuration Files 
@@ -88,10 +102,28 @@ This is the safest approach if you don't need to preserve the existing infrastru terraform destroy ``` -3. **Update Configuration**: - - Update `terraform.tfvars` with new variables - - Add `renovate_endpoint` and `renovate_token` +3. **Store Renovate Credentials in Vault**: + ```bash + # Authenticate to Vault + export VAULT_ADDR="https://your-vault-server:8200" + vault login -method=approle role_id=YOUR_ROLE_ID secret_id=YOUR_SECRET_ID + + # Store Renovate credentials + vault kv put secret/renovate \ + renovate_platform="gitea" \ + renovate_endpoint="https://gitea.example.com/api/v1/" \ + renovate_token="YOUR_GITEA_TOKEN" \ + renovate_git_author="Renovate Bot " \ + renovate_username="renovate-bot" + + # Verify + vault kv get secret/renovate + ``` + +4. **Update Configuration**: + - Update `terraform.tfvars` with only Vault credentials - Remove old EDA-specific variables + - Do NOT add `renovate_endpoint` or `renovate_token` to tfvars (they're in Vault) 4. **Initialize and Deploy**: ```bash diff --git a/QUICKSTART.md b/QUICKSTART.md index 1abe51b..03d2f07 100644 --- a/QUICKSTART.md +++ b/QUICKSTART.md 
@@ -29,28 +29,74 @@ This is a quick reference for getting Renovate up and running with Gitea. - ☑️ `user` (Read) - ☑️ `issue` (Read and Write) - ☑️ `organization` (Read) -5. Generate and **save the token securely** +5. Click **Generate Token** +6. **IMMEDIATELY COPY THE TOKEN** - You won't be able to see it again! +7. Save the token securely - you'll need it for the next step -## Step 3: Configure terraform.tfvars +## Step 3: Store Credentials in HashiCorp Vault -Edit `terraform.tfvars` and update: +**CRITICAL**: This module retrieves all Renovate configuration from Vault, NOT from Terraform variables. -```hcl -# Renovate Configuration -domain = "bsdserver.nl" -role_id = "your-vault-role-id" -secret_id = "your-vault-secret-id" +```bash +# Set your Vault address +export VAULT_ADDR="https://your-vault-server:8200" -# Gitea Configuration -renovate_endpoint = "https://gitea.bsdserver.nl/api/v1/" -renovate_token = "your-gitea-token-from-step-2" -renovate_git_author = "Renovate Bot " -renovate_username = "renovate-bot" +# Authenticate to Vault using AppRole +vault login -method=approle \ + role_id=YOUR_VAULT_ROLE_ID \ + secret_id=YOUR_VAULT_SECRET_ID + +# Store all Renovate credentials in Vault +vault kv put secret/renovate \ + renovate_platform="gitea" \ + renovate_endpoint="https://gitea.bsdserver.nl/api/v1/" \ + renovate_token="YOUR_TOKEN_FROM_STEP_2" \ + renovate_git_author="Renovate Bot " \ + renovate_username="renovate-bot" + +# IMPORTANT: Verify the secrets were stored correctly +vault kv get secret/renovate ``` -**Important**: Replace `your-gitea-token-from-step-2` with the actual token from Step 2. 
+**Expected output:** +``` +====== Data ====== +Key Value +--- ----- +renovate_platform gitea +renovate_endpoint https://gitea.bsdserver.nl/api/v1/ +renovate_token +renovate_git_author Renovate Bot +renovate_username renovate-bot +``` -## Step 4: Deploy Renovate +**⚠️ Common Mistakes to Avoid:** +- ❌ Endpoint without trailing `/api/v1/` +- ❌ Forgetting the `renovate_username` key +- ❌ Using wrong Vault path (must be `secret/renovate`) +- ❌ Token with insufficient scopes + +**If you need to update the token later:** +```bash +vault kv patch secret/renovate renovate_token="NEW_TOKEN_HERE" +``` + +## Step 4: Configure terraform.tfvars + +Edit `terraform.tfvars` and update only these values: + +```hcl +# Vault Authentication (required) +role_id = "your-vault-role-id" +secret_id = "your-vault-secret-id" + +# Optional: Domain configuration +domain = "bsdserver.nl" +``` + +**Note**: `renovate_endpoint`, `renovate_token`, `renovate_git_author`, and `renovate_username` are NOT Terraform variables - they come from Vault! + +## Step 5: Deploy Renovate ```bash # Initialize Terraform 
@@ -65,22 +111,39 @@ terraform apply Type `yes` when prompted to confirm. -## Step 5: Verify Deployment +## Step 6: Verify Deployment ```bash # Check container is running docker ps | grep renovate -# View logs +# View logs (watch for errors) docker logs renovate -f + +# Check environment variables are set correctly +docker exec renovate env | grep RENOVATE ``` -Look for messages like: +**Expected environment variables:** +- ✅ `RENOVATE_PLATFORM=gitea` +- ✅ `RENOVATE_ENDPOINT=https://gitea.bsdserver.nl/api/v1/` +- ✅ `RENOVATE_TOKEN=` +- ✅ `RENOVATE_GIT_AUTHOR=Renovate Bot ` +- ✅ `RENOVATE_USERNAME=renovate-bot` +- ✅ `RENOVATE_AUTODISCOVER=true` + +**Look for SUCCESS messages in logs:** - ✅ "Platform: gitea" - ✅ "Autodiscovering repositories" - ✅ "Repository: owner/repo" -## Step 6: Add Renovate to a Test Repository +**❌ If you see authentication errors:** +1. Verify the token is correct in Vault: `vault kv get secret/renovate` +2. Check the token hasn't expired in Gitea +3. Verify all 5 required keys are in Vault (especially `renovate_username`) +4. Ensure the endpoint URL ends with `/api/v1/` + +## Step 7: Add Renovate to a Test Repository 1. Navigate to a test repository in Gitea 2. Add `renovate-bot` as a collaborator with **Write** access @@ -98,7 +161,7 @@ Look for messages like: 4. Commit and push -## Step 7: Wait for Onboarding PR +## Step 8: Wait for Onboarding PR Within a few minutes (depends on your container restart schedule), Renovate will: @@ -108,7 +171,7 @@ Within a few minutes (depends on your container restart schedule), Renovate will **Review and merge the onboarding PR** to activate Renovate. -## Step 8: Configure Scheduling (Optional) +## Step 9: Configure Scheduling (Optional) Choose one of these methods: diff --git a/README.md b/README.md index 376eded..c42fec8 100644 --- a/README.md +++ b/README.md 
@@ -66,6 +66,7 @@ Before using this module, ensure you have: 7. **HashiCorp Vault**: Running instance with: - AppRole authentication enabled - DNS credentials stored at `secret/dns` + - Renovate credentials stored at `secret/renovate` (see Vault Setup section) - Role ID and Secret ID for authentication 8. **MinIO/S3 Backend**: For Terraform state storage 9. **DNS Server**: Supporting dynamic updates (TSIG authentication) - optional 
@@ -92,9 +93,43 @@ In your Gitea instance: - `user` (Read) - `issue` (Read and Write) - `organization` (Read) -5. Save the token securely - you'll need it for the `renovate_token` variable +5. **IMPORTANT**: Copy the token immediately - you won't be able to see it again +6. Save the token securely - you'll need it for Vault storage (next step) -### 3. Configure Repository Access +### 3. Store Credentials in Vault + +**CRITICAL**: All Renovate configuration must be stored in Vault at `secret/renovate` before deploying this module. + +```bash +# Authenticate to Vault +export VAULT_ADDR="https://your-vault-server:8200" +vault login -method=approle role_id=YOUR_ROLE_ID secret_id=YOUR_SECRET_ID + +# Store Renovate credentials in Vault +vault kv put secret/renovate \ + renovate_platform="gitea" \ + renovate_endpoint="https://gitea.example.com/api/v1/" \ + renovate_token="YOUR_GITEA_TOKEN_FROM_STEP_2" \ + renovate_git_author="Renovate Bot " \ + renovate_username="renovate-bot" + +# Verify the secrets are stored correctly +vault kv get secret/renovate +``` + +**Required Keys in `secret/renovate`:** +- `renovate_platform` - Must be "gitea" +- `renovate_endpoint` - Your Gitea API endpoint (must end with `/api/v1/`) +- `renovate_token` - The Personal Access Token from Step 2 +- `renovate_git_author` - Git commit author for Renovate PRs +- `renovate_username` - The Gitea username of the bot account + +**Note**: If you regenerate the Gitea token, you must update it in Vault: +```bash +vault kv patch secret/renovate renovate_token="NEW_TOKEN_HERE" +``` + +### 4. Configure Repository Access For each repository you want Renovate to manage:
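Review bot: In the MIGRATION_GUIDE.md hunk `@@ -43,21 +43,35 @@`, the new "Stored in Vault" section tells readers the token is "NOT Terraform variables", but if the module reads `secret/renovate` through the Vault provider at plan time, everything that data source returns is written to Terraform state, so the Gitea token still ends up in the MinIO/S3 state backend the README lists as a prerequisite. Add a sentence here saying that moving the token to Vault keeps it out of `terraform.tfvars` but not out of state, and that the state backend therefore needs the same access restrictions as the Vault path.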
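Review bot: In the MIGRATION_GUIDE.md hunk `@@ -88,10 +102,28 @@`, the inserted step `+4. **Update Configuration**:` is immediately followed by the unchanged `4. **Initialize and Deploy**:`, so the procedure now has two step 4s; the deploy step should be renumbered to 5 in the same change. In the same hunk, `vault login -method=approle role_id=YOUR_ROLE_ID secret_id=YOUR_SECRET_ID` puts the secret ID on the command line, where it is recorded in shell history and visible in the process list while the command runs; worth a short note recommending the secret ID be read from a file or an environment variable set outside the shell history rather than typed inline.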
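Review bot: In the QUICKSTART.md hunk `@@ -29,28 +29,74 @@`, the verification command `vault kv get secret/renovate` prints `renovate_token` in cleartext to the terminal, which the "Expected output" block then reproduces; since the point of the check is that all five keys exist, suggest `vault kv get -field=renovate_username secret/renovate` (or listing keys without values) so the token is not echoed and captured by terminal logging. Also in this hunk, the new Step 4 `terraform.tfvars` carries `role_id` and `secret_id` as plain file contents; add a line that this file must not be committed and that `secret_id` can be supplied via the `TF_VAR_secret_id` environment variable instead.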
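Review bot: In the QUICKSTART.md hunk `@@ -65,22 +111,39 @@`, the added check `docker exec renovate env | grep RENOVATE` dumps `RENOVATE_TOKEN` to the terminal along with the other variables, and the "Expected environment variables" list encourages readers to compare the token value on screen. Suggest `docker exec renovate env | grep RENOVATE | grep -v TOKEN` for the check and a note that the token is present if `RENOVATE_TOKEN` appears at all, so the value itself never needs to be displayed.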
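Review bot: In the README.md hunk `@@ -66,6 +66,7 @@`, the new prerequisite line refers readers to a "Vault Setup section", but the section this change adds further down is headed `### 3. Store Credentials in Vault`; use the actual heading text in the cross-reference so readers can find it.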
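Review bot: In the README.md hunk `@@ -92,9 +93,43 @@`, the token-rotation instruction `vault kv patch secret/renovate renovate_token="NEW_TOKEN_HERE"` only works when `secret/` is a KV version 2 engine; on KV version 1 `kv patch` is not supported and the reader would have to re-run the full `vault kv put` with all five keys. The prerequisites only say "AppRole authentication enabled", so state the required KV engine version there or in this section.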