Renovate

Ignoring the schedule
To ignore the schedule setting in the target repository's renovate.json5, pass --schedule="" (or simply --schedule=).
Only specific managers
To run only specific managers, use something like --enabled-managers=regex.

Renovate uses aws-sdk
With self-managed GitLab on AWS, when Renovate runs in CI and the instance profile's IAM role has sufficient permissions, Renovate can check for ECR image updates without any Renovate-specific configuration.

The best practice for consuming AWS for Fluent Bit is to check the AWS_FOR_FLUENT_BIT_STABLE_VERSION file and lock your prod deployments to that specific version tag.
Instead of writing stable as the image tag in values.yaml, write the version number explicitly, but have that number follow the stable line rather than latest.
The packageRules entry disables the ordinary docker update for this image in the helm-values manager, and the custom manager plus custom datasource take over, reading the version from the AWS_FOR_FLUENT_BIT_STABLE_VERSION file.
{
  "packageRules": [
    {
      "matchDepNames": ["public.ecr.aws/aws-observability/aws-for-fluent-bit"],
      "matchDatasources": ["docker"],
      "matchManagers": ["helm-values"],
      "enabled": false
    }
  ],
  "customManagers": [
    {
      "customType": "regex",
      "fileMatch": [
        "values\\.yaml"
      ],
      "matchStrings": [
        "public\\.ecr\\.aws\\/aws-observability\\/aws-for-fluent-bit:(?<currentValue>.*)"
      ],
      "datasourceTemplate": "custom.aws-for-fluent-bit-stable",
      "depNameTemplate": "public.ecr.aws/aws-observability/aws-for-fluent-bit"
    }
  ],
  "customDatasources": {
    "aws-for-fluent-bit-stable": {
      "defaultRegistryUrlTemplate": "https://raw.githubusercontent.com/aws/aws-for-fluent-bit/mainline/AWS_FOR_FLUENT_BIT_STABLE_VERSION",
      "format": "plain"
    }
  }
}

Updating the EKS AMI
We used to fetch recommended (the latest) through a data source and use it directly, but depending on the AMI release timing a new AMI could land in production first, and we wanted to guarantee the dev -> stg -> prod order.
data "aws_ssm_parameter" "eks_ami_id" {
  # https://docs.aws.amazon.com/ja_jp/eks/latest/userguide/retrieve-ami-id.html
  name = "/aws/service/eks/optimized-ami/${var.cluster_version}/amazon-linux-2/recommended/image_id"
}
"customManagers": [
  {
    "customType": "regex",
    "fileMatch": [".*\\.tf"],
    "matchStrings": [
      ".*amiFilter=(?<packageName>.*?)\n(.*currentImageName=(?<currentDigest>.*?)\n)?(.*\n)?.*?(?<depName>[a-zA-Z0-9-_:]*)[ ]*?[:|=][ ]*?[\"|']?(?<currentValue>ami-[a-z0-9]{17})[\"|']?.*"
    ],
    "datasourceTemplate": "aws-machine-image",
    "versioningTemplate": "aws-machine-image"
  }
],
resource "aws_launch_template" "foo" {
  # amiFilter=[{"Name":"owner-alias","Values":["amazon"]},{"Name":"name","Values":["amazon-eks-node-1.27-*"]}]
  # currentImageName=amazon-eks-node-1.27-v20230816
  image_id = "ami-065345b6ba37b05b6"
}
Not only the image_id value but also the currentImageName in the comment gets updated (it is part of matchStrings).
Debug the amiFilter with aws ec2 describe-images:
aws ec2 describe-images --filter '[{"Name":"owner-alias","Values":["amazon"]},{"Name":"name","Values":["amazon-eks-node-1.27-*"]}]'
Do not put the left-hand side of = in quotes (the depName capture group in matchStrings does not accept quote characters).
locals {
  ami_id = {
    # amiFilter=[{"Name":"owner-alias","Values":["amazon"]},{"Name":"name","Values":["amazon-eks-node-1.27-*"]}]
    # currentImageName=amazon-eks-node-1.27-v20230919
    AL2_x86_64 = "ami-09f97dd1c9e12a629"
    # amiFilter=[{"Name":"owner-alias","Values":["amazon"]},{"Name":"name","Values":["amazon-eks-arm64-node-1.27-*"]}]
    # currentImageName=amazon-eks-arm64-node-1.27-v20230919
    AL2_ARM_64 = "ami-0a929dabc0dfad09f"
  }
}

Finding an al2023 x86_64 image
Extract only ImageId, Name and Description from the response JSON:
aws ec2 describe-images --filter '[{"Name":"owner-alias","Values":["amazon"]},{"Name":"name","Values":["amazon-eks-node-al2023-x86_64-standard-1.28-*"]}]' | jq -r '.Images[] | {ImageId, Name, Description}'

Auto-updating the AWS Load Balancer Controller IAM policy
data "http" "aws_lbc_policy" {
  # renovate: datasource=github-releases depName=aws-load-balancer-controller packageName=kubernetes-sigs/aws-load-balancer-controller
  url = "https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.7/docs/install/iam_policy.json"
}
"customManagers": [
  {
    "customType": "regex",
    "fileMatch": [
      "terraform\\/modules\\/irsa_aws_lbc\\/data\\.tf"
    ],
    "matchStrings": [
      "# renovate: datasource=(?<datasource>[a-z-]+?)(?: depName=(?<depName>.+?))? packageName=(?<packageName>.+?)?\\s.*kubernetes-sigs\\/aws-load-balancer-controller\\/(?<currentValue>.+?)\\/docs\\/install\\/iam_policy.json"
    ]
  }
]

Passing temporary credentials from aws-vault when running Renovate locally
aws-vault exec dev -- env | grep -E 'AWS_'| sed 's/AWS_/export AWS_/' >> .envrc
The variables are expected to reach Renovate via direnv.

When you want to test a preset change
diff --git a/renovate.json b/renovate.json
index f395a491f..54e5c73fc 100644
--- a/renovate.json
+++ b/renovate.json
@@ -5,7 +5,7 @@
"github>argoproj/argo-cd//renovate-presets/custom-managers/shell.json5",
"github>argoproj/argo-cd//renovate-presets/custom-managers/yaml.json5",
"github>argoproj/argo-cd//renovate-presets/fix/disable-all-updates.json5",
- "github>argoproj/argo-cd//renovate-presets/devtool.json5",
+ "github>mikutas/argo-cd//renovate-presets/devtool.json5#renovate-gotestsum",
"github>argoproj/argo-cd//renovate-presets/docs.json5"
]
}
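Review bot: the replaced preset line now points at a branch of a personal fork (`github>mikutas/argo-cd//renovate-presets/devtool.json5#renovate-gotestsum`), which is the right way to try a preset change out but must not be merged in this form; once the change is accepted upstream, switch the entry back to `github>argoproj/argo-cd//renovate-presets/devtool.json5`. While testing, keep in mind that `#renovate-gotestsum` names a moving branch, so the behaviour you observe changes whenever that fork branch is pushed to again.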

version of aws_eks_cluster
In my case it is written in main.tf, so I only adjust that part; otherwise the example from the docs works when copied as-is.
# renovate: datasource=endoflife-date depName=amazon-eks versioning=loose
cluster_version = "1.32"
"customManagers": [
  {
    // https://docs.renovatebot.com/modules/datasource/endoflife-date/
    "customType": "regex",
    "description": "Update Kubernetes version for Amazon EKS in tfvars files",
    "fileMatch": [
      "main\\.tf$"
    ],
    "matchStrings": [
      "#\\s*renovate:\\s*datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\s.*?_version\\s*=\\s*\"(?<currentValue>.*)\""
    ],
    "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{/if}}"
  }
]
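Checking a matchString offline before handing it to Renovate saves a lot of dry runs. The following is an added example (my own code, not Renovate's and not from this page) that re-implements the core of the regex custom manager: it compiles each matchString with the g flag, applies the *Template fields (a template overrides the capture group of the same name) and returns the dependencies Renovate would extract. It covers the four customManagers above (aws-for-fluent-bit, the EKS AMI, the Load Balancer Controller policy and the EKS cluster version) against constructed snippets modelled on the page's files; the template handling is limited to the {{{field}}} and {{#if field}}...{{/if}} shapes used here, the fluent-bit tag 2.32.0 is a made-up sample value, and a JavaScript RegExp stands in for Renovate's RE2 engine.

```javascript
// Added example (not from this page, Renovate, or its docs): a small
// re-implementation of the part of Renovate's regex custom manager that turns
// `matchStrings` plus the `*Template` fields into dependency records, so the
// matchStrings on this page can be checked against a file snippet offline.
// Assumptions: JS RegExp stands in for Renovate's RE2, and only the template
// shapes used on this page ({{{field}}} and {{#if field}}...{{/if}}) are handled.

const TEMPLATE_FIELDS = ["depName", "packageName", "datasource", "versioning", "currentValue", "currentDigest"];

// Minimal Handlebars subset: {{#if x}}body{{/if}} and {{{x}}} / {{x}}.
function renderTemplate(tpl, groups) {
  return tpl
    .replace(/\{\{#if (\w+)\}\}([\s\S]*?)\{\{\/if\}\}/g, (_, key, body) => (groups[key] ? body : ""))
    .replace(/\{\{\{?(\w+)\}?\}\}/g, (_, key) => groups[key] ?? "");
}

// Apply every matchString (compiled with the "g" flag, as Renovate does) and
// build one dependency per match; a *Template field overrides the capture
// group of the same name.
function extractDeps(content, manager) {
  const deps = [];
  for (const pattern of manager.matchStrings) {
    for (const m of content.matchAll(new RegExp(pattern, "g"))) {
      const groups = m.groups ?? {};
      const dep = {};
      for (const field of TEMPLATE_FIELDS) {
        const tpl = manager[`${field}Template`];
        const value = tpl !== undefined ? renderTemplate(tpl, groups) : groups[field];
        if (value) dep[field] = value;
      }
      deps.push(dep);
    }
  }
  return deps;
}

// The four customManagers from this page, with JSON escaping turned back into
// plain regex source.
const amiManager = {
  matchStrings: [".*amiFilter=(?<packageName>.*?)\n(.*currentImageName=(?<currentDigest>.*?)\n)?(.*\n)?.*?(?<depName>[a-zA-Z0-9-_:]*)[ ]*?[:|=][ ]*?[\"|']?(?<currentValue>ami-[a-z0-9]{17})[\"|']?.*"],
  datasourceTemplate: "aws-machine-image",
  versioningTemplate: "aws-machine-image",
};
const eksVersionManager = {
  matchStrings: ["#\\s*renovate:\\s*datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\s.*?_version\\s*=\\s*\"(?<currentValue>.*)\""],
  versioningTemplate: "{{#if versioning}}{{{versioning}}}{{/if}}",
};
const lbcManager = {
  matchStrings: ["# renovate: datasource=(?<datasource>[a-z-]+?)(?: depName=(?<depName>.+?))? packageName=(?<packageName>.+?)?\\s.*kubernetes-sigs\\/aws-load-balancer-controller\\/(?<currentValue>.+?)\\/docs\\/install\\/iam_policy.json"],
};
const fluentBitManager = {
  matchStrings: ["public\\.ecr\\.aws\\/aws-observability\\/aws-for-fluent-bit:(?<currentValue>.*)"],
  datasourceTemplate: "custom.aws-for-fluent-bit-stable",
  depNameTemplate: "public.ecr.aws/aws-observability/aws-for-fluent-bit",
};

// Constructed file snippets modelled on the page's Terraform and values.yaml
// (the fluent-bit tag 2.32.0 is a made-up sample value).
const LOCALS_TF = `locals {
  ami_id = {
    # amiFilter=[{"Name":"owner-alias","Values":["amazon"]},{"Name":"name","Values":["amazon-eks-node-1.27-*"]}]
    # currentImageName=amazon-eks-node-1.27-v20230919
    AL2_x86_64 = "ami-09f97dd1c9e12a629"
    # amiFilter=[{"Name":"owner-alias","Values":["amazon"]},{"Name":"name","Values":["amazon-eks-arm64-node-1.27-*"]}]
    # currentImageName=amazon-eks-arm64-node-1.27-v20230919
    AL2_ARM_64 = "ami-0a929dabc0dfad09f"
  }
}
`;
const MAIN_TF = `# renovate: datasource=endoflife-date depName=amazon-eks versioning=loose
cluster_version = "1.32"
`;
const DATA_TF = `data "http" "aws_lbc_policy" {
  # renovate: datasource=github-releases depName=aws-load-balancer-controller packageName=kubernetes-sigs/aws-load-balancer-controller
  url = "https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.7/docs/install/iam_policy.json"
}
`;
const VALUES_YAML = `image: public.ecr.aws/aws-observability/aws-for-fluent-bit:2.32.0
`;

// Run every manager against its snippet; returns what Renovate would see.
function demo() {
  return {
    ami: extractDeps(LOCALS_TF, amiManager),
    eks: extractDeps(MAIN_TF, eksVersionManager),
    lbc: extractDeps(DATA_TF, lbcManager),
    fluentBit: extractDeps(VALUES_YAML, fluentBitManager),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node: each entry lists the depName, currentValue and datasource the regex yields, which is the quickest way to see why a line is skipped (for instance a quoted left-hand side in the locals block, which the AMI regex's depName group cannot match).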