renovatebot/helm-charts

github app auth flow with renovate charts

Closed this issue · 4 comments

hi guys,

I'm currently working on a self-hosted renovate setup with GitHub, using a GitHub App for auth. The installation access token is only valid for 1 hour, so I need an auth flow.

For this I have the following config so far:

```yaml
# https://artifacthub.io/packages/helm/renovate/renovate?modal=values
existingSecret: renovate
cronjob:
  schedule: "*/10 * * * *" # every 10 minutes
  concurrencyPolicy: Forbid
  initContainers:
    - name: github-app-installation-token
      image: node:16.17.1-alpine3.15
      # GITHUB_PEM_FILE, GITHUB_APP_ID and GITHUB_INSTALLATION_ID must be
      # provided in this init container's env (e.g. from a secret)
      command: # a YAML list; "command: |" would turn the lines below into one string
        - /bin/sh
        - -c
        - |
          # quote the variable so the PEM keeps its line breaks
          echo "$GITHUB_PEM_FILE" > private.pem && \
          npx github-app-installation-token \
            --appId "$GITHUB_APP_ID" \
            --installationId "$GITHUB_INSTALLATION_ID" \
            --privateKeyLocation private.pem > /shared/token
      volumeMounts:
        - mountPath: /shared
          name: shared
renovate:
  config: |
    {
      "autodiscover": true,
      "platform": "github",
      "endpoint": "https://api.github.com/",
      "username": "examplebot[bot]",
      "gitAuthor": "12345678+examplebot[bot]@users.noreply.github.com",
      "dryRun": "full",
      "printConfig": true
    }
extraVolumeMounts:
  - mountPath: /shared
    name: shared
extraVolumes:
  - name: shared
    emptyDir: {}
```

Now I want to pass the token to renovate (e.g. `RENOVATE_TOKEN=$(cat /shared/token)`), but this is currently not possible, or did I miss something?

Thanks for any help, best J.

You can do this if you generate the renovate config.js from the init container,

or use a config.js to read the token from your generated file.

> you can do this if you generate the renovate config.js from init container

You would have to rebuild the init container image every time you want to change the config in that top scenario.

> or use a config.js to read the token from your generated file.

Is there documentation on how you would do the above?

Here is something similar:

* [Self-Hosted-Renovate: Env. Secrets usage in config.js #237 (comment)](https://github.com/renovatebot/helm-charts/discussions/237#discussioncomment-3009195)

You can read a file like this:

```js
const fs = require('fs');

// trim() drops the trailing newline the shell redirect leaves in the file
const token = fs.readFileSync('/shared/token', 'utf8').trim();

module.exports = {
  token,
  hostRules: [
    {
      matchHost: 'https://ghcr.io',
      token,
    },
  ],
  // ...rest of your config
};
```

Thanks for this. I followed the dynamic config route, removed the inline config, and it worked.