diff --git a/docs/self-hosting.md b/docs/self-hosting.md index 602b61a86ecf7025ce71b244b5332d580d3f202b..5284bb0d87e972609ec216cb3db5899de80414f3 100644 --- a/docs/self-hosting.md +++ b/docs/self-hosting.md 
@@ -174,3 +174,133 @@ You should save and test out this script manually first, and add it to cron once See [deployment docs](https://github.com/renovatebot/renovate/blob/master/docs/deployment.md) for details. + +## Kubernetes for Gitlab, using Git over SSH + +This section describes how to use git binary with ssh for Gitlab, to avoid API shortcomings. + +You need to first create a ssh key, then add the public part to Gitlab (see this [guide](https://docs.gitlab.com/ee/ssh/)) + +Then, you need to create the secret to add the ssh key, and the following config to your container + +``` +host gitlab.com + HostName gitlab.com + StrictHostKeyChecking no + IdentityFile ~/.ssh/id_rsa + User git +``` + +To easily create the secret, you can do the following (see [docs](https://kubernetes.io/docs/concepts/configuration/secret/#use-case-pod-with-ssh-keys)) + +``` +kubectl create secret generic ssh-key-secret --from-file=config=/path/to/config --from-file=id_rsa=/path/to/.ssh/id_rsa --from-file=id_rsa.pub=/path/to/.ssh/id_rsa.pub +``` + +It creates something like this + +``` +apiVersion: v1 +data: + config: aG9zdCBnaXRsYWIuY29tCiAgSG9zdE5hbWUgZ2l0bGFiLmNvbQogIFN0cmljdEhvc3RLZXlDaGVja2luZyBubwogIElkZW50aXR5RmlsZSB+Ly5zc2gvaWRfcnNhCiAgVXNlciBnaXQ= + id_rsa: <base64String> + id_rsa.pub: <base64String> +kind: Secret +metadata: + name: ssh-key-secret + namespace: <namespace> +``` + +Then you just need to add Git author, and mount volumes +The final configuration should look like something like this : + +``` +--- +apiVersion: v1 +kind: Namespace +metadata: + name: <namespace, for example renovate> + +--- +apiVersion: v1 +kind: Secret +metadata: + name: renovate-env + namespace: <namespace> +type: Opaque +stringData: + renovate-platform: 'gitlab' + renovate-endpoint: 'https://gitlab.com/api/v4' + renovate-token: <Gitlab Token> + github-token: <Github Token> + renovate-autodiscover: 'false' +--- +apiVersion: v1 +data: + config: 
aG9zdCBnaXRsYWIuY29tCiAgSG9zdE5hbWUgZ2l0bGFiLmNvbQogIFN0cmljdEhvc3RLZXlDaGVja2luZyBubwogIElkZW50aXR5RmlsZSB+Ly5zc2gvaWRfcnNhCiAgVXNlciBnaXQ= + id_rsa: <base64String> + id_rsa.pub: <base64String> +kind: Secret +metadata: + name: ssh-key-secret + namespace: <namespace> +--- +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: renovate + namespace: <namespace> +spec: + schedule: '@hourly' + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + spec: + volumes: + - name: ssh-key-volume + secret: + secretName: ssh-key-secret + containers: + - name: renovate + # Update this to the latest available and then enable Renovate on the manifest + image: renovate/renovate:14.1.0 + volumeMounts: + - name: ssh-key-volume + readOnly: true + mountPath: "/home/ubuntu/.ssh" + args: + - <repository> + # Environment Variables + env: + - name: RENOVATE_GIT_AUTHOR + value: <Git Author, with format 'User <email@email.com>'> + - name: RENOVATE_GIT_FS + value: ssh + - name: RENOVATE_PLATFORM + valueFrom: + secretKeyRef: + key: renovate-platform + name: renovate-env + - name: RENOVATE_ENDPOINT + valueFrom: + secretKeyRef: + key: renovate-endpoint + name: renovate-env + - name: RENOVATE_TOKEN + valueFrom: + secretKeyRef: + key: renovate-token + name: renovate-env + - name: GITHUB_COM_TOKEN + valueFrom: + secretKeyRef: + key: github-token + name: renovate-env + - name: RENOVATE_AUTODISCOVER + valueFrom: + secretKeyRef: + key: renovate-autodiscover + name: renovate-env + restartPolicy: Never +```
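Review bot: the SSH client config added in this hunk (both the plain `config` block under "Kubernetes for Gitlab, using Git over SSH" and its base64-encoded copy in the `ssh-key-secret` Secret, which decodes to the same five lines) sets `StrictHostKeyChecking no`, which turns off host key verification and lets anything that can intercept the pod's outbound connection impersonate gitlab.com and receive the private key's authentication plus every repo push. Since the Secret is mounted read-only over the whole `/home/ubuntu/.ssh` directory, ssh cannot persist a learned host key there anyway, so the known_hosts entry has to ship in the Secret: add `--from-file=known_hosts=/path/to/known_hosts` to the `kubectl create secret generic ssh-key-secret ...` command, populate that file with the gitlab.com host key checked against the fingerprints GitLab publishes, and change the config to `StrictHostKeyChecking yes` with `UserKnownHostsFile ~/.ssh/known_hosts`. Two smaller points on the same Secret: `id_rsa.pub` is not needed by the client and can be dropped from the Secret, and the `ssh-key-volume` mount should set `defaultMode: 0400` on the `secret:` volume so the private key is not world-readable inside the container.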