Renovating GitLab registries


I've already written a bit about using Renovate to keep dependencies current using Renovate On Prem in Renovating GitLab Repos. This has been working well. However, there are a couple of twists that I figured I'd document in case other people run into them.

For single repositories with public dependencies, the default configuration works without much tweaking. As I mentioned in my previous article, there are a few nuances for dealing with git submodules and other dependency types that are served by GitLab.

I noticed this first with the git-submodules module: it wasn't authenticating and thus wasn't able to determine updates for self-hosted submodules. Additionally, as I expanded use to other repositories, I noticed that checking GitLab-hosted helm charts (helm module) and GitLab-hosted docker containers (docker module) was also failing. In these cases, it is unclear (even with debugging on) whether the token auth was being used due to the prior hostRules records or not. However, I was able to confirm that for the docker registries, at least, I couldn't log in with a bearer token, and I'm assuming a similar problem was at play with the helm repository.

The fix in my configuration was a hostRules array with a set of matchHost directives, which map the authentication mechanisms to specific hosts (and, where needed, to specific hostTypes on that host).

"hostRules": [
    { "matchHost": "{{ requiredEnv "CI_SERVER_HOST" }}", "token": "{{ requiredEnv "RENOVATE_GITLAB_TOKEN" }}" },
    { "matchHost": "{{ requiredEnv "CI_SERVER_HOST" }}", "hostType": "docker", "username": "token", "password": "{{ requiredEnv "RENOVATE_GITLAB_TOKEN" }}" },
    { "matchHost": "{{ requiredEnv "CI_SERVER_HOST" }}", "hostType": "helm", "username": "token", "password": "{{ requiredEnv "RENOVATE_GITLAB_TOKEN" }}" }
]

Originally, I'd expected that Renovate would create a default hostRule based on the server and GitLab token. Even if that is the case for some items, it doesn't work for all of them. I've reported this as a shortcoming, as I would expect it to try the current token (basically what I'm forcing to happen here), but it does not.

These three rules match the CI_SERVER_HOST (the GitLab server) and authenticate by default with the RENOVATE_GITLAB_TOKEN as a bearer token (hence the use of the token key), then override that for the docker and helm hostTypes, because those registries require a username and password rather than a bearer token.
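To make the precedence concrete, here is an added example (not code from the post or from Renovate) that models how a hostRules list like the one above is resolved for a request: the most specific matching rule wins, a host-only rule yields a Bearer header, and a rule with username/password yields Basic auth. The matching behaviour (host equality or subdomain, hostType as a tiebreaker) is an assumption modelled on the post's description, not a copy of Renovate's implementation. The `load_from_env` helper is this example's own choice for keeping the token out of the rendered file; the environment variable names are the ones the post uses.

```python
import base64
import os
from typing import Optional

# Constructed sample rules in the same shape as the post's hostRules.
# The token is passed in as a value so the example runs without secrets on disk.
def build_host_rules(server_host: str, token: str) -> list[dict]:
    return [
        {"matchHost": server_host, "token": token},
        {"matchHost": server_host, "hostType": "docker",
         "username": "token", "password": token},
        {"matchHost": server_host, "hostType": "helm",
         "username": "token", "password": token},
    ]


def load_from_env() -> list[dict]:
    # Assumed alternative to rendering the token into a clear-text config file:
    # read CI_SERVER_HOST and RENOVATE_GITLAB_TOKEN at runtime instead.
    server_host = os.environ["CI_SERVER_HOST"]
    token = os.environ["RENOVATE_GITLAB_TOKEN"]
    return build_host_rules(server_host, token)


def host_matches(rule_host: str, url_host: str) -> bool:
    # Assumption: a rule host matches itself and any subdomain of it.
    return url_host == rule_host or url_host.endswith("." + rule_host)


def select_rule(rules: list[dict], url_host: str,
                host_type: Optional[str] = None) -> Optional[dict]:
    # Most specific rule wins: a rule that also names hostType beats a
    # host-only rule for the same host.
    best, best_score = None, -1
    for rule in rules:
        if not host_matches(rule["matchHost"], url_host):
            continue
        if "hostType" in rule and rule["hostType"] != host_type:
            continue
        score = 1 + (1 if "hostType" in rule else 0)
        if score > best_score:
            best, best_score = rule, score
    return best


def auth_header(rule: Optional[dict]) -> Optional[str]:
    # username/password -> HTTP Basic; token -> Bearer; nothing -> no header.
    if rule is None:
        return None
    if "username" in rule and "password" in rule:
        creds = f"{rule['username']}:{rule['password']}".encode()
        return "Basic " + base64.b64encode(creds).decode()
    if "token" in rule:
        return "Bearer " + rule["token"]
    return None


def resolve_auth(rules: list[dict], url_host: str,
                 host_type: Optional[str] = None) -> Optional[str]:
    return auth_header(select_rule(rules, url_host, host_type))


if __name__ == "__main__":
    rules = build_host_rules("gitlab.example.com", "tok")  # constructed values
    for kind in ("gitlab", "docker", "helm"):
        print(kind, "->", resolve_auth(rules, "gitlab.example.com", kind))
    # With only the generic rule, the docker request would get a Bearer header,
    # which is the failure mode the post describes.
    print("docker, generic rule only ->",
          resolve_auth(rules[:1], "gitlab.example.com", "docker"))
```

Running it shows the generic GitLab API request getting `Bearer tok`, while the docker and helm requests get `Basic dG9rZW46dG9r` (that is, `token:tok` base64-encoded); dropping the two hostType rules makes the docker request fall back to the Bearer header.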

Warning: because requiredEnv renders the token into the generated configuration, this stores the token in a clear-text configuration file instead of reading it from a Kubernetes Secret at runtime.