From 631143f9f86a3bb5ea4aa3783ff61b85faa9c619 Mon Sep 17 00:00:00 2001
From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com>
Date: Wed, 6 May 2026 17:12:49 +0200
Subject: [PATCH] feat: Add renovate-operator
---
 k8s-peterg/argocd/applications-peterg.yaml | 19 +++++++++++++++
 .../renovate-operator/kustomization.yaml | 18 +++++++++++++++
 k8s-peterg/renovate-operator/namespace.yaml | 5 ++++
 k8s-peterg/renovate-operator/policies.yaml | 17 ++++++++++++++
 .../renovate-operator/renovate-job.yaml | 23 +++++++++++++++++++
 k8s-peterg/renovate-operator/secrets.yaml | 22 ++++++++++++++++++
 k8s-peterg/renovate-operator/values.yaml | 4 ++++
 7 files changed, 108 insertions(+)
 create mode 100644 k8s-peterg/renovate-operator/kustomization.yaml
 create mode 100644 k8s-peterg/renovate-operator/namespace.yaml
 create mode 100644 k8s-peterg/renovate-operator/policies.yaml
 create mode 100644 k8s-peterg/renovate-operator/renovate-job.yaml
 create mode 100644 k8s-peterg/renovate-operator/secrets.yaml
 create mode 100644 k8s-peterg/renovate-operator/values.yaml
diff --git a/k8s-peterg/argocd/applications-peterg.yaml b/k8s-peterg/argocd/applications-peterg.yaml
index 26d36ff..9822d88 100644
--- a/k8s-peterg/argocd/applications-peterg.yaml
+++ b/k8s-peterg/argocd/applications-peterg.yaml
@@ -99,3 +99,22 @@ spec:
 selfHeal: true
 syncOptions:
 - ServerSideApply=true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: renovate-operator
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://code.peterg.nl/wheatley/kubernetes.git
+ path: k8s-peterg/renovate-operator
+ targetRevision: HEAD
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: renovate-operator
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/k8s-peterg/renovate-operator/kustomization.yaml b/k8s-peterg/renovate-operator/kustomization.yaml
new file mode 100644
index 0000000..1f91397
--- /dev/null
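Review bot: The new Application combines `project: default`, `targetRevision: HEAD` and automated sync with `prune: true` and `selfHeal: true`, so whatever lands on the default branch is applied to the cluster with no project-level restriction on sources, destinations or resource kinds. Since this same commit deploys a bot that opens pull requests against discovered repositories, a dedicated AppProject limited to this `repoURL` and the `renovate-operator` namespace (plus the cluster-scoped kinds the chart actually needs) would narrow what a bad merge can change. The preceding Application in the file sets `syncOptions: - ServerSideApply=true` and this one does not; if that is intentional, a short comment above `syncPolicy:` would say so. The hunk begins inside the previous Application, whose start is outside the hunk.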
+++ b/k8s-peterg/renovate-operator/kustomization.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: renovate-operator
+
+resources:
+ - namespace.yaml
+ - policies.yaml
+ - renovate-job.yaml
+ - secrets.yaml
+
+helmCharts:
+ - name: renovate-operator
+ repo: https://helm.mogenius.com/public
+ namespace: renovate-operator
+ releaseName: renovate-operator
+ version: "4.7.0"
+ valuesFile: values.yaml
diff --git a/k8s-peterg/renovate-operator/namespace.yaml b/k8s-peterg/renovate-operator/namespace.yaml
new file mode 100644
index 0000000..981aeee
--- /dev/null
+++ b/k8s-peterg/renovate-operator/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: renovate-operator
diff --git a/k8s-peterg/renovate-operator/policies.yaml b/k8s-peterg/renovate-operator/policies.yaml
new file mode 100644
index 0000000..2516fa9
--- /dev/null
+++ b/k8s-peterg/renovate-operator/policies.yaml
@@ -0,0 +1,17 @@
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-internet-only
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 10.0.0.0/8
+ - 192.168.0.0/16
+ - 172.16.0.0/12
diff --git a/k8s-peterg/renovate-operator/renovate-job.yaml b/k8s-peterg/renovate-operator/renovate-job.yaml
new file mode 100644
index 0000000..6916f07
--- /dev/null
+++ b/k8s-peterg/renovate-operator/renovate-job.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: renovate-operator.mogenius.com/v1alpha1
+kind: RenovateJob
+metadata:
+ name: renovate
+ namespace: renovate-operator
+spec:
+ schedule: "*/15 * * * *"
+ provider:
+ name: forgejo
+ endpoint: https://code.peterg.nl/api/v1/
+ secretRef: renovate-operator-secrets
+ parallelism: 1
+ skipForks: true
+ extraEnv:
+ - name: LOG_LEVEL
+ value: debug
+ - name: RENOVATE_ONBOARDING
+ value: "true"
+ - name: RENOVATE_AUTODISCOVER
+ value: "true"
+ - name: RENOVATE_GIT_AUTHOR
+ value: "Renovate "
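Review bot: The `helmCharts` entry leaves `includeCRDs` at its default of false, so any CRDs the chart ships under `crds/` are not rendered, while `resources` already lists a `RenovateJob` custom resource in `renovate-job.yaml`. If the chart packages its CRDs that way, the first sync fails on an unknown kind, and adding `includeCRDs: true` to the chart entry fixes it. Rendering a Helm chart through kustomize also needs `--enable-helm` in Argo CD's kustomize build options, which this patch does not show. The chart is pinned to `version: "4.7.0"` but is fetched from a third-party repository at render time with no integrity check, so mirroring or vendoring it is worth considering for a component that holds forge tokens.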
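Review bot: The `except` list under `ipBlock` covers only the three RFC 1918 ranges, so every pod in the namespace (`podSelector: {}`) can still reach link-local addresses such as a cloud metadata endpoint in 169.254.0.0/16, and 100.64.0.0/10 if the cluster or its network uses that range; adding `- 169.254.0.0/16` (and `- 100.64.0.0/10` where relevant) closes that. Because this is the only egress rule, traffic to cluster DNS and to the Kubernetes API server is also dropped whenever those sit in the excluded ranges, which is likely but not visible here, and the operator and the Renovate jobs would then fail to resolve names or reach the API. A separate narrow rule for DNS is sketched below; the namespace and pod labels are the common defaults and need checking against this cluster, and the API server needs an equivalent rule for its own address.

```yaml
  egress:
    # … unchanged: ipBlock rule for 0.0.0.0/0, with 169.254.0.0/16 added to except …
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```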
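Review bot: `RENOVATE_AUTODISCOVER` is set to `"true"` with no filter, so (assuming the operator passes `extraEnv` through to Renovate) the job acts on every repository the token in `renovate-operator-secrets` can see, and with `RENOVATE_ONBOARDING` enabled it opens onboarding pull requests in all of them. A `RENOVATE_AUTODISCOVER_FILTER` entry in `extraEnv` (for example `value: "wheatley/*"`, if that is the intended owner) or a token scoped to the intended repositories keeps the bot's reach explicit. `LOG_LEVEL: debug` on a 15-minute schedule produces verbose logs with repository and dependency details, so `info` is a safer steady-state value once the setup works. The `RENOVATE_GIT_AUTHOR` value appears here as `"Renovate "` with no address; if that is what the file contains rather than an artifact of how the patch is displayed, it should be in the `Name <email>` form.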
diff --git a/k8s-peterg/renovate-operator/secrets.yaml b/k8s-peterg/renovate-operator/secrets.yaml
new file mode 100644
index 0000000..b8fc2f6
--- /dev/null
+++ b/k8s-peterg/renovate-operator/secrets.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: renovate-operator-secrets
+ namespace: renovate-operator
+spec:
+ refreshInterval: "15s"
+ secretStoreRef:
+ name: vault-wheatley
+ kind: ClusterSecretStore
+ target:
+ name: renovate-operator-secrets
+ data:
+ - secretKey: RENOVATE_TOKEN
+ remoteRef:
+ key: /secrets/managed/renovate/token
+ property: RENOVATE_TOKEN
+ - secretKey: GITHUB_COM_TOKEN
+ remoteRef:
+ key: /secrets/managed/renovate/token
+ property: GITHUB_COM_TOKEN
diff --git a/k8s-peterg/renovate-operator/values.yaml b/k8s-peterg/renovate-operator/values.yaml
new file mode 100644
index 0000000..c55a4d1
--- /dev/null
+++ b/k8s-peterg/renovate-operator/values.yaml
@@ -0,0 +1,4 @@
+metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: false
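Review bot: `refreshInterval: "15s"` makes External Secrets read `/secrets/managed/renovate/token` from the `vault-wheatley` store every 15 seconds for two long-lived tokens, which adds constant load and fills the Vault audit log with entries that make real access harder to spot; something like `refreshInterval: "1h"` is usually enough for tokens that rotate rarely. Both `RENOVATE_TOKEN` and `GITHUB_COM_TOKEN` end up in the one Secret handed to the job through `secretRef`, so each should carry only the scopes Renovate needs; for the GitHub token, read-only access is typically sufficient. The manifest uses `external-secrets.io/v1beta1`, and newer External Secrets releases serve `v1` instead, so check the installed version before this syncs.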