Patrick de Ruiter
77e6102b0c
All checks were successful
Code Quality & Security Scan / TFLint (push) Successful in 19s
Code Quality & Security Scan / Terraform Destroy (push) Has been skipped
Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 28s
Code Quality & Security Scan / Checkov Security Scan (push) Successful in 41s
Code Quality & Security Scan / Terraform Validate (push) Successful in 36s
Code Quality & Security Scan / SonarQube Scan (push) Successful in 41s
Code Quality & Security Scan / Terraform Plan (push) Successful in 1m20s
Code Quality & Security Scan / Terraform Apply (push) Successful in 1m18s
Comprehensive documentation cleanup to align with current implementation and remove outdated/confusing content. DELETED: - SUMMARY.md - Historical migration document from Ansible EDA to Renovate (migration is complete, document no longer needed) UPDATED README.md Variables Section: - Split into "Terraform Variables" and "Vault-Stored Configuration" sections - Removed 5 incorrectly documented variables that are actually stored in Vault: * renovate_platform, renovate_endpoint, renovate_token * renovate_git_author, renovate_username - Added missing variable documentation: * dns_servers (list of DNS servers for hostname resolution) * vault_skip_tls_verify (skip TLS verification for Vault) - Fixed log_level default value: "info" → "debug" (matches variables.tf) - Added clear explanation that Vault keys are NOT Terraform variables - Added reference to "Store Credentials in Vault" section UPDATED QUICKSTART.md Troubleshooting: - Added DNS resolution error troubleshooting section - Documents ENOTFOUND errors and how to resolve them - Provides diagnostic commands (dig @DNS_SERVER hostname) - Shows how to configure dns_servers variable - Explains hostname verification (git.bsdserver.nl vs gitea.bsdserver.nl) - Provides alternative solution (use IP address instead of hostname) These changes ensure documentation accurately reflects: - Current implementation (Vault-based credential storage) - All available configuration options (including dns_servers) - Correct default values - Clear separation between TF vars and Vault-stored config - Complete troubleshooting guidance for common issues
8.6 KiB
8.6 KiB
Renovate Quick Start Guide
This is a quick reference for getting Renovate up and running with Gitea.
Prerequisites Checklist
- Gitea instance running and accessible
- Docker host accessible via TCP
- Traefik network exists (
docker network ls | grep traefik_network) - HashiCorp Vault with AppRole authentication
- DNS server configured (optional, for CNAME records)
Step 1: Create Renovate Bot User in Gitea
- Log into your Gitea instance
- Create a new user:
- Username:
renovate-bot - Email:
renovate-bot@bsdserver.nl - Full Name:
Renovate Bot
- Username:
- Complete the registration
Step 2: Generate Personal Access Token
- Log in as
renovate-bot - Navigate to: Settings → Applications → Generate New Token
- Token name:
Renovate Token - Select these scopes:
- ☑️
repo(Read and Write) - ☑️
user(Read) - ☑️
issue(Read and Write) - ☑️
organization(Read)
- ☑️
- Click Generate Token
- IMMEDIATELY COPY THE TOKEN - You won't be able to see it again!
- Save the token securely - you'll need it for the next step
Step 3: Store Credentials in HashiCorp Vault
CRITICAL: This module retrieves all Renovate configuration from Vault, NOT from Terraform variables.
# Set your Vault address
export VAULT_ADDR="https://your-vault-server:8200"
# Authenticate to Vault using AppRole
vault login -method=approle \
role_id=YOUR_VAULT_ROLE_ID \
secret_id=YOUR_VAULT_SECRET_ID
# Store all Renovate credentials in Vault
vault kv put secret/renovate \
renovate_platform="gitea" \
renovate_endpoint="https://gitea.bsdserver.nl/api/v1/" \
renovate_token="YOUR_TOKEN_FROM_STEP_2" \
renovate_git_author="Renovate Bot <renovate-bot@bsdserver.nl>" \
renovate_username="renovate-bot"
# IMPORTANT: Verify the secrets were stored correctly
vault kv get secret/renovate
Expected output:
====== Data ======
Key Value
--- -----
renovate_platform gitea
renovate_endpoint https://gitea.bsdserver.nl/api/v1/
renovate_token <your-token>
renovate_git_author Renovate Bot <renovate-bot@bsdserver.nl>
renovate_username renovate-bot
⚠️ Common Mistakes to Avoid:
- ❌ Endpoint without trailing
/api/v1/ - ❌ Forgetting the
renovate_usernamekey - ❌ Using wrong Vault path (must be
secret/renovate) - ❌ Token with insufficient scopes
If you need to update the token later:
vault kv patch secret/renovate renovate_token="NEW_TOKEN_HERE"
Step 4: Configure terraform.tfvars
Edit terraform.tfvars and update only these values:
# Vault Authentication (required)
role_id = "your-vault-role-id"
secret_id = "your-vault-secret-id"
# Optional: Domain configuration
domain = "bsdserver.nl"
Note: renovate_endpoint, renovate_token, renovate_git_author, and renovate_username are NOT Terraform variables - they come from Vault!
Step 5: Deploy Renovate
# Initialize Terraform
terraform init
# Review the plan
terraform plan
# Deploy
terraform apply
Type yes when prompted to confirm.
Step 6: Verify Deployment
# Check container is running
docker ps | grep renovate
# View logs (watch for errors)
docker logs renovate -f
# Check environment variables are set correctly
docker exec renovate env | grep RENOVATE
Expected environment variables:
- ✅
RENOVATE_PLATFORM=gitea - ✅
RENOVATE_ENDPOINT=https://gitea.bsdserver.nl/api/v1/ - ✅
RENOVATE_TOKEN=<your-token> - ✅
RENOVATE_GIT_AUTHOR=Renovate Bot <renovate-bot@bsdserver.nl> - ✅
RENOVATE_USERNAME=renovate-bot - ✅
RENOVATE_AUTODISCOVER=true
Look for SUCCESS messages in logs:
- ✅ "Platform: gitea"
- ✅ "Autodiscovering repositories"
- ✅ "Repository: owner/repo"
❌ If you see authentication errors:
- Verify the token is correct in Vault:
vault kv get secret/renovate - Check the token hasn't expired in Gitea
- Verify all 5 required keys are in Vault (especially
renovate_username) - Ensure the endpoint URL ends with
/api/v1/
❌ If you see DNS resolution errors (ENOTFOUND):
- The container cannot resolve your Gitea hostname
- Check DNS resolution from Docker host:
dig @192.168.2.2 git.bsdserver.nl - Configure DNS servers in your deployment:
- Add to
terraform.tfvars:dns_servers = ["192.168.2.2"] - Or set in pipeline:
TF_VAR_dns_servers='["192.168.2.2"]'
- Add to
- Verify the hostname is correct (e.g.,
git.bsdserver.nlnotgitea.bsdserver.nl) - Alternative: Use IP address in Vault endpoint instead of hostname
Step 7: Add Renovate to a Test Repository
- Navigate to a test repository in Gitea
- Add
renovate-botas a collaborator with Write access - Create a new file
renovate.jsonin the repository root:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"],
"assignees": ["@yourusername"],
"labels": ["renovate"],
"dependencyDashboard": true
}
- Commit and push
Step 8: Wait for Onboarding PR
Within a few minutes (depends on your container restart schedule), Renovate will:
- Scan the repository
- Create an "onboarding" pull request
- The PR will explain what Renovate will do
Review and merge the onboarding PR to activate Renovate.
Step 9: Configure Scheduling (Optional)
Choose one of these methods:
Option A: Cron Job
# Add to crontab (runs daily at 2 AM)
crontab -e
# Add this line:
0 2 * * * docker restart renovate
Option B: Gitea Actions
Create .gitea/workflows/renovate.yaml in a repository:
name: Renovate
on:
schedule:
- cron: '0 2 * * *'
workflow_dispatch:
jobs:
renovate:
runs-on: ubuntu-latest
steps:
- name: Trigger Renovate
run: docker restart renovate || true
Common Issues
Container Won't Start
Check: Endpoint URL format
# Should end with /api/v1/
docker logs renovate | grep -i endpoint
Fix: Update renovate_endpoint in terraform.tfvars to include /api/v1/
No PRs Being Created
Check: Token permissions
docker logs renovate | grep -i "401\|403\|unauthorized"
Fix: Regenerate token with correct scopes (see Step 2)
Bot Can't Access Repositories
Check: Bot user is added as collaborator
- Go to repository Settings → Collaborators
- Add
renovate-botwith Write access
Or: Enable autodiscovery
- Set
renovate_autodiscover = trueinterraform.tfvars
What Happens Next?
Once activated, Renovate will:
- 🔍 Scan repositories for dependencies
- 📊 Create a dependency dashboard issue
- 🔄 Monitor for updates to:
- Docker images
- Terraform modules and providers
- npm packages
- pip packages
- And many more...
- 🚀 Create PRs when updates are available
- ✅ Auto-merge (if configured) when CI passes
Example Repository Types
Docker Compose Repository
Add this to renovate.json:
{
"extends": ["config:recommended"],
"docker-compose": {
"enabled": true
}
}
Terraform Repository
Add this to renovate.json:
{
"extends": ["config:recommended"],
"terraform": {
"enabled": true
}
}
Python Repository
Add this to renovate.json:
{
"extends": ["config:recommended"],
"pip_requirements": {
"enabled": true
}
}
Useful Commands
# View container logs
docker logs renovate -f
# Check last 100 lines
docker logs renovate --tail 100
# Restart Renovate (triggers a new run)
docker restart renovate
# Check config file
docker exec renovate cat /usr/src/app/config.js
# View container environment
docker exec renovate env | grep RENOVATE
# Check volumes
docker volume ls | grep renovate
Next Steps
- ✅ Add Renovate to more repositories
- ✅ Configure auto-merge rules
- ✅ Set up dependency dashboards
- ✅ Configure scheduling
- ✅ Monitor PRs and merge updates
- ✅ Integrate with CI/CD pipelines
Getting Help
- 📖 README.md: Comprehensive documentation
- 🔄 MIGRATION_GUIDE.md: Detailed migration steps
- 📝 CHANGELOG.md: Version history
- 🌐 Renovate Docs: https://docs.renovatebot.com/
- 🔗 Gitea Platform: https://docs.renovatebot.com/modules/platform/gitea/
Quick Tips
- Start Small: Test on one repository first
- Review PRs: Don't auto-merge everything initially
- Use Labels: Tag Renovate PRs for easy filtering
- Schedule Wisely: Avoid peak hours
- Monitor Logs: Check for errors regularly
- Pin Versions: Use semantic versioning, not
latest
That's it! You now have Renovate automatically managing dependencies across your repositories. 🎉