Patrick de Ruiter
906d000e8e
All checks were successful
Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 36s
Code Quality & Security Scan / Checkov Security Scan (push) Successful in 31s
Code Quality & Security Scan / TFLint (push) Successful in 21s
Code Quality & Security Scan / Terraform Destroy (push) Has been skipped
Code Quality & Security Scan / Terraform Validate (push) Successful in 32s
Code Quality & Security Scan / SonarQube Scan (push) Successful in 42s
Code Quality & Security Scan / Terraform Plan (push) Successful in 1m22s
Code Quality & Security Scan / Terraform Apply (push) Successful in 1m57s
Updated comprehensive documentation across README, QUICKSTART, and MIGRATION_GUIDE to clarify that Renovate credentials are stored in HashiCorp Vault, not passed as Terraform variables. Changes to README.md: - Added detailed Vault setup section in Gitea Bot Setup - Documented all 5 required keys in secret/renovate path - Added vault kv put example with all required fields - Added token regeneration instructions - Clarified prerequisites to include Vault secret requirements - Emphasized CRITICAL nature of Vault storage Changes to QUICKSTART.md: - Added comprehensive Step 3: Store Credentials in Vault - Included complete vault kv put command with all keys - Added verification steps with expected output - Listed common mistakes to avoid (missing username, wrong endpoint, etc.) - Updated Step 4 to clarify tfvars only needs Vault auth - Renumbered subsequent steps (5-9) - Added environment variable verification in Step 6 - Added troubleshooting steps for authentication errors Changes to MIGRATION_GUIDE.md: - Clearly separated Vault-stored config from Terraform variables - Added vault kv put example in New Required Configuration section - Updated migration steps to include Vault credential storage - Clarified that renovate_endpoint and renovate_token are NOT tfvars - Listed all 5 required Vault keys with descriptions These changes address the authentication failures caused by: - Missing renovate_username in environment variables - Confusion about where credentials should be stored - Token regeneration without updating Vault All documentation now consistently emphasizes the Vault-first approach and provides clear, copy-paste-ready commands for proper setup.
8.8 KiB
8.8 KiB
Migration Guide: Ansible EDA to Renovate
This document provides guidance for migrating from the previous Ansible EDA module to the new Renovate bot module.
Overview
This module has been completely repurposed from deploying Ansible Event-Driven Automation to deploying a Renovate bot for automated dependency updates. This is a breaking change and requires careful migration planning.
Key Changes
1. Module Purpose
Before: Ansible Event-Driven Automation (EDA) server for webhook-based automation After: Renovate bot for automated dependency updates
2. Docker Image
Before: quay.io/ansible/ansible-rulebook:latest
After: renovate/renovate:latest
3. Volumes
Before:
ansible-eda-rulebooks- Rulebook storageansible-eda-logs- Log storage
After:
renovate-config- Configuration storagerenovate-cache- Cache for improved performance
4. State File Path
Before: home/docker/ansible-eda/ansible-eda.tfstate
After: home/docker/renovate/renovate.tfstate
5. Variable Changes
Removed Variables
eda_image→ Userenovate_imageinsteadwebhook_port→ Not needed for Renovaterulebook_command→ Replaced by environment variablesupload_example_rulebook→ Useupload_config_fileinsteadcpu_limit→ Removed (can be added back if needed)
New Required Configuration (Stored in Vault)
CRITICAL: The following values are NOT Terraform variables. They must be stored in HashiCorp Vault at path secret/renovate:
renovate_platform- Must be "gitea"renovate_endpoint- Gitea API endpoint (e.g.,https://gitea.example.com/api/v1/)renovate_token- Gitea personal access token for the botrenovate_git_author- Git commit author (e.g., "Renovate Bot bot@example.com")renovate_username- Bot username (e.g., "renovate-bot")
Store in Vault using:
vault kv put secret/renovate \
renovate_platform="gitea" \
renovate_endpoint="https://gitea.example.com/api/v1/" \
renovate_token="YOUR_GITEA_TOKEN" \
renovate_git_author="Renovate Bot <renovate-bot@example.com>" \
renovate_username="renovate-bot"
New Optional Variables (Terraform)
github_com_token- Optional GitHub.com token for changelog fetchingrestart_policy- Container restart policy (default: "unless-stopped")upload_config_file- Upload config.js template (default: true)renovate_autodiscover- Enable auto-discovery (default: true)renovate_onboarding_config- Onboarding configuration JSONlog_level- Logging level (default: "info")extra_env_vars- Additional environment variables
6. Configuration Files
Before: example-rulebook.yml (YAML-based rulebooks)
After:
config.js.tpl- Renovate configuration templateexample-renovate.json- Repository-level configurationexample-gitea-workflow.yaml- CI/CD workflow example
Migration Steps
Option 1: Fresh Deployment (Recommended)
This is the safest approach if you don't need to preserve the existing infrastructure.
-
Backup Current State (if needed):
# Backup current state file terraform state pull > ansible-eda-backup.tfstate -
Destroy Old Infrastructure:
# Navigate to the module directory cd /path/to/terraform-docker-renovate # Destroy existing resources terraform destroy -
Store Renovate Credentials in Vault:
# Authenticate to Vault export VAULT_ADDR="https://your-vault-server:8200" vault login -method=approle role_id=YOUR_ROLE_ID secret_id=YOUR_SECRET_ID # Store Renovate credentials vault kv put secret/renovate \ renovate_platform="gitea" \ renovate_endpoint="https://gitea.example.com/api/v1/" \ renovate_token="YOUR_GITEA_TOKEN" \ renovate_git_author="Renovate Bot <renovate-bot@example.com>" \ renovate_username="renovate-bot" # Verify vault kv get secret/renovate -
Update Configuration:
- Update
terraform.tfvarswith only Vault credentials - Remove old EDA-specific variables
- Do NOT add
renovate_endpointorrenovate_tokento tfvars (they're in Vault)
- Update
-
Initialize and Deploy:
# Reinitialize (backend path has changed) terraform init -reconfigure # Plan and apply terraform plan terraform apply
Option 2: Side-by-Side Deployment
If you want to keep Ansible EDA running while testing Renovate:
-
Copy the Module:
cp -r terraform-docker-renovate terraform-docker-renovate-backup -
Deploy in New Location:
- Create a new module instance with a different
container_name - Use a different state file path
- Test Renovate functionality
- Create a new module instance with a different
-
Clean Up Old Deployment:
- Once satisfied, destroy the old Ansible EDA deployment
- Remove the backup module
Configuration Updates
terraform.tfvars
Before:
domain = "bsdserver.nl"
role_id = "xxx"
secret_id = "xxx"
After:
# Renovate Configuration
domain = "bsdserver.nl"
role_id = "xxx"
secret_id = "xxx"
# Gitea Configuration
renovate_endpoint = "https://gitea.bsdserver.nl/api/v1/"
renovate_token = "your-token-here"
renovate_git_author = "Renovate Bot <renovate-bot@bsdserver.nl>"
renovate_username = "renovate-bot"
Module Call
Before:
module "ansible_eda" {
source = "./terraform-docker-eda"
domain = "bsdserver.nl"
container_name = "ansible-eda"
eda_image = "quay.io/ansible/ansible-rulebook:latest"
webhook_port = 5000
role_id = var.vault_role_id
secret_id = var.vault_secret_id
}
After:
module "renovate" {
source = "./terraform-docker-renovate"
domain = "bsdserver.nl"
container_name = "renovate"
renovate_image = "renovate/renovate:latest"
renovate_endpoint = "https://gitea.bsdserver.nl/api/v1/"
renovate_token = var.renovate_token
role_id = var.vault_role_id
secret_id = var.vault_secret_id
}
Gitea Setup Requirements
Before deploying, ensure you have:
-
Created a Renovate Bot User in Gitea:
- Username:
renovate-bot(or your preference) - Full name: "Renovate Bot"
- Email:
renovate-bot@bsdserver.nl
- Username:
-
Generated a Personal Access Token with scopes:
repo(Read and Write)user(Read)issue(Read and Write) - Gitea ≥ 1.20.0organization(Read) - Gitea ≥ 1.20.0
-
Added Bot to Repositories:
- Add as collaborator to repositories you want to manage
- Or enable
renovate_autodiscover = trueto find all accessible repos
Post-Migration Tasks
After successful deployment:
-
Verify Container Status:
docker ps | grep renovate docker logs renovate -f -
Test Repository Configuration:
- Add
renovate.jsonto a test repository - Wait for Renovate to create an onboarding PR
- Review and merge the onboarding PR
- Add
-
Monitor Logs:
docker logs renovate -f -
Configure Scheduling:
- Set up cron job or Gitea Actions workflow
- See
files/example-gitea-workflow.yaml
Troubleshooting
State File Issues
If you encounter state file conflicts:
# Reinitialize with new backend configuration
terraform init -reconfigure
# Or migrate state if needed
terraform init -migrate-state
Container Won't Start
Check logs for authentication issues:
docker logs renovate
Common issues:
- Invalid Gitea endpoint (must end with
/api/v1/) - Incorrect or expired token
- Network connectivity to Gitea instance
Volume Migration
If you need to preserve any data (unlikely for this transition):
# Copy data from old volume to new
docker run --rm \
-v ansible-eda-rulebooks:/source:ro \
-v renovate-config:/dest \
alpine sh -c "cp -a /source/. /dest/"
Rollback Procedure
If you need to rollback to Ansible EDA:
-
Restore from Backup:
# Restore backup of terraform-docker-renovate module rm -rf terraform-docker-renovate cp -r terraform-docker-renovate-backup terraform-docker-renovate -
Destroy Renovate Resources:
terraform destroy -
Restore State:
terraform state push ansible-eda-backup.tfstate -
Redeploy:
terraform apply
Additional Resources
- Renovate Documentation
- Gitea Platform Configuration
- Self-Hosting Renovate
- Module README.md for complete documentation
Support
For issues or questions:
- Review the comprehensive README.md
- Check Renovate logs:
docker logs renovate - Consult the Renovate documentation
- Review the CHANGELOG.md for all changes