Renovating GitLab registries

I've already written a bit about using renovate to keep dependencies current using Renovate On Prem in Renovating GitLab Repos. This has been working well. However, there are a couple of twists that I figured I'd document in the event that people run into them.

For single-repositories with public dependencies, the default configuration works without much tweaking. As I mentioned in my previous article, there are a few nuances for dealing with git submodules and other dependency types that are served by gitlab.

I noticed this first with the git-submodules module, basically that it wasn't authenticating and thus wasn't able to determine updates for self-hosted submodules. Additionally, as I expanded use to other repositories, I noticed that checking gitlab-hosted helm charts (helm module) and gitlab-hosted docker containers (docker module) were also failing. In these cases, it is unclear (even with debugging on) whether the token auth was being used due to the prior hostMatch records or not. However, I was able to confirm that for the docker registries, at least I couldn't log in with a bearer token, and I'm assuming a similar problem was at play with the helm repository.

The fix in my configuration was a hostRules array with a set of hostMatch directives which are used to map the authentication mechanisms to specific hosts.

"hostRules": [
    { "matchHost": "{{ requiredEnv "CI_SERVER_HOST" }}", "token":"{{ requiredEnv "RENOVATE_GITLAB_TOKEN" }}" },
    { "matchHost": "{{ requiredEnv "CI_SERVER_HOST" }}", "hostType": "docker", "username": "token", "password":"{{ requiredEnv "RENOVATE_GITLAB_TOKEN" }}" },
    { "matchHost": "{{ requiredEnv "CI_SERVER_HOST" }}", "hostType": "helm", "username": "token", "password":"{{ requiredEnv "RENOVATE_GITLAB_TOKEN" }}" }

Originally, I'd expected that Renovate would create a default hostRule based on the server and gitlab token. However, even if that is the case for some items, it doesn't work for all of them. I've reported this as a shortcoming, as I would expect that to try the current token (basically what I'm forcing to happen here), but it does not.

These three lines effectively match the CI_SERVER_HOST (the gitlab server) for authentication by default to the RENOVATE_GITLAB_TOKEN using a bearer token (hence the use of token) and then override that for both the docker and helm repositories because they require username and password.

Warning this does store the token in a clear text configuration file instead of using Kubernetes Secrets.