Hello!
Following the official manual, I am running helm chart:
helm install --generate-name --set renovate.config='\{\"token\":\"...\"\}' renovate/renovate
But each time gets a very unclear error: exec /usr/local/bin/docker-entrypoint.sh: exec format error when pod trying to start.
What I am doing wrong?

My understanding is that renovatebot can leverage some cache to speed up execution and make fewer requests to external service but helm charts has no support for a persistent volume that would allow to persist this cache across execution.

I should be able to create the PV outside of the chart and then using extraVolume(Mount)?s, but this kind of workflow is always clunky. It would be great being able to declare a persistent volume as something like as follow and have it automatically mounted.

  persistentVolume:
    enabled: true
    accessModes:
      - ReadWriteOnce
    size: xxGi
    storageClass: "xxx"

Perhaps baseDir / cacheDir could be automatically set, but it seems perfectly acceptable having to make such configuration.

This chart currently uses redis.auth.usePassword to disable authentication in redis, but the correct property name seems to be redis.auth.enabled.

Is it possible to use external redis by providing host, port and password?

needs some small changes

renovate did update kindest node images to wrong minor versions

hi guys,

I'm currently working on a self-hosted renovate setup with github using github app for auth. the installation access token is only valid for 1 hour. so I need an auth flow.

for this I have the following config so far:

# https://artifacthub.io/packages/helm/renovate/renovate?modal=values
existingSecret: renovate
cronjob:
  schedule: "*/10 * * * *" # every 10 minutes
  concurrencyPolicy: Forbid
  initContainers:
    - name: github-app-installation-token
      image: node:16.17.1-alpine3.15
      command: |
        - /bin/sh
        - -c
        - |
          echo $GITHUB_PEM_FILE > private.pem && \
          npx github-app-installation-token \
            --appId $GITHUB_APP_ID \
            --installationId $GITHUB_INSTALLATION_ID \
            --privateKeyLocation private.pem > /shared/token
      volumeMounts:
        - mountPath: /shared
          name: shared
renovate:
  config: |
    {
      "autodiscover": true,
      "platform": "github",
      "endpoint": "https://api.github.com/",
      "username": "examplebot[bot]",
      "gitAuthor": "12345678+examplebot[bot]@users.noreply.github.com",
      "dryRun": "full",
      "printConfig": true
    }
extraVolumeMounts:
  - mountPath: /shared
    name: shared
extraVolumes:
  - name: shared
    emptyDir: {}

now I want to pass the token to renovate (f.e. RENOVATE_TOKEN=$(cat /shared/token))
but this is currently not possible or did I miss something?

Thanks for any help, best J.

https://github.com/karlkfi/kubexit

seems to be simpler than the current shell scripts.

Allow mounting additional volumes to be mounted and used for additional dynamic generated config files.

this depends on #119

Since Renovate can be configured to use Redis for caching, I think it would be helpful to provide an optional Redis deployment and service that would be able to maintain its cache across different instantiations of the main CronJob.

I think a configuration block similar to this would work

redis:
  enabled: false
  annotations: {}
  labels: {}
  image:
    repository: redis
    tag: "6"
    pullPolicy: IfNotPresent

I'd be happy to make a PR to implement this.

Allows to require additional files and merge configs on runtime.

We should stop testing Kubernetes v1.18 and v1.19, they are EOL and only available on AWS.

GCE has only v1.20 and v1.21
Azure has v1.19 to v1.23 (v1.19 will EOL end of this year)

ref

• #137
• #177

/cc @JamieMagee

I think we should stop testing kubernetes versions below 1.18 to save ci build time.

Is anybody using renovate on such old version

Unfortunately, this PR broke deployment with ArgoCD, as it only tells Helm that batch/v1 is available (by specifying --api-versions batch/v1 as an argument to helm template). This results in the "You must have atleast batch/v1beta1 to use CronJob" error.

I don't know if this should be fixed here, but this chart is the only one I know that has this problem. Would it be fine to only check for batch/v1beta1 or batch/v1 respectively instead of batch/v1/CronJob?

Originally posted by @timoschwarzer in #144 (comment)

either dynamicly generate a /etc/docker/daemon.json or allow extraVolumeMounts for the dind sidecar to manually mount a daemon.json

We have a requirement to run all pods/container with a read-only root file system (dictated by Azure Policy) to make sure the integrity of the image. This is usually done by setting readOnlyRootFilesystem property to true on container's securityContext. It would be nice if the security context would be supported out of the box.

batch/v1beta1 CronJob is deprecated in v1.21+, unavailable in v1.25+; use batch/v1 CronJob

https://kubernetes.io/docs/reference/using-api/deprecation-guide/#cronjob-v125

Inorder to have k8s automatically cleanup old job runs it would be nice if the renovate helm chart supported specifying ttlSecondsAfterFinished

the field was beta in k8s 1.21 and ga in 1.23

Ref: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/

After #62, it's clear that ci-values.yaml isn't a complete enough test to validate the chart. We should extend this so that we test a more thorough range of setups.

I think we should split the chart version from the renovate image version to more easily push chart updates.

We can then simply publish semver compliant versions.
Everybody can override the renovate version if required.

/cc @JamieMagee @rarkins

If you like or dislike this to be done please vote for this issue with 👍 of 👎 emoji

If you set: .Values.renovate.persistence.cache.enabled but not any of these: https://github.com/renovatebot/helm-charts/blob/main/charts/renovate/templates/cronjob.yaml#L95

You end up with broken YAML because the volumes key isn't created for persistence.

values.yaml to reproduce:

renovate:
  persistence:
    cache: 
      enabled: false
      storageSize: 40Gi

Hi,

we use the helm chart to run a Self-Hosted renovate. At the moment we are working to integrate the access on our internal Artifactory to check for new Images, but we struggle a little bit with the configuration of the config.js file.

We configured the secrets block in the helm chart like this:

secrets:
  ARTIFACTORY_USER: XXXXXX
  ARTIFACTORY_PW: XXXXXX

The renovate-secret is still there and the secret variables are available in the POD and env. variables.

The renovate.json in the REPO looks like this:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "hostRules": [
    {
      "matchHost": "our-container-repo",
      "hostType": "docker",
      "username": "{{ secrets.ARTIFACTORY_USER }}",
      "password": "{{ secrets.ARTIFACTORY_PW }}"
    }
  ]
}

If we now start a Renovate run the secret variable is not used and it end with the following errror:

INFO: Repository has invalid config (repository=test-container)
       "error": {
         "validationSource": "config",
         "validationError": "Unknown secret name",
         "validationMessage": "The following secret name was not found in config: ARTIFACTORY_USER",
         "message": "config-validation",

We want to configure the module.export part in the config.js, but it's not working and the env variables are not used.
It end with json syntax errors or the "process.env.****" string is used as User/PW and the the env variable.

{
  "dryRun": false,
  "printConfig": false,
  "logLevel": "info",
  "requiredStatusChecks": null,
  "gitAuthor": "xxxxxxxxxxxxxxxxxxxxx",
  "platform": "github",
  "token": "xxxxxxxxxxxxxxxxxxx",
  "autodiscover": true,
  "endpoint": "https://xxxxxxxxxxxxxxxx/api/v3/",
  "autodiscoverFilter": "@(xxxxxxxxx|xxxxxxxxxxx)/*"
  "secrets": {
    "ARTIFACTORY_USER": "process.env.ARTIFACTORY_USER",
    "ARTIFACTORY_PW": "process.env.ARTIFACTORY_USER",
  }
}

If we use module.export:

DEBUG: Using RE2 as regex engine
DEBUG: Parsing configs
DEBUG: Checking for config file in /usr/src/app/config.json
FATAL: Could not parse config file 
        SyntaxError: JSON5: invalid character 'm' at 1:1
           at syntaxError (/usr/src/app/node_modules/json5/lib/parse.js:1083:17)
           at invalidChar (/usr/src/app/node_modules/json5/lib/parse.js:1028:12)
           at Object.value (/usr/src/app/node_modules/json5/lib/parse.js:287:15)
           at lex (/usr/src/app/node_modules/json5/lib/parse.js:78:42)
           at Object.parse (/usr/src/app/node_modules/json5/lib/parse.js:25:17)
           at getParsedContent (/usr/src/app/node_modules/renovate/lib/workers/global/config/parse/file.ts:20:20)
           at Object.getConfig (/usr/src/app/node_modules/renovate/lib/workers/global/config/parse/file.ts:52:14)
           at parseConfigs (/usr/src/app/node_modules/renovate/lib/workers/global/config/parse/index.ts:21:22)
           at Object.start (/usr/src/app/node_modules/renovate/lib/workers/global/index.ts:108:14)
           at /usr/src/app/node_modules/renovate/lib/renovate.ts:16:22
}

Helm chart: renovate-32.9.3
Helm config:

cronjob:
  schedule: "@hourly"
  annotations: {}
  labels: {}
  concurrencyPolicy: "Forbid"
  failedJobsHistoryLimit: ""
  successfulJobsHistoryLimit: ""
  jobRestartPolicy: "Never"

pod:
  annotations: {}
  labels: {}

resources:
  requests:
    memory: 2Gi
  limits:
    memory: 2.5Gi

env:
  NODE_OPTIONS: "--max-old-space-size=2048"

renovate:
  # See https://docs.renovatebot.com/self-hosted-configuration
  config: |
    {
      "dryRun": false,
      "printConfig": false,
      "logLevel": "info",
      "requiredStatusChecks": null,
      "gitAuthor": "xxxxxxxxxxxxxxx",
      "platform": "github",
      "token": "xxxxxxxxxxxxxxx",
      "secrets": {
        "ARTIFACTORY_USER": "process.env.ARTIFACTORY_USER",
        "ARTIFACTORY_PW": "process.env.ARTIFACTORY_PW",
      },
      "autodiscover": true,
      "endpoint": "https://xxxxxxxxxxxxxxx/api/v3/",
      "autodiscoverFilter": "@(xxxxxxxxxxxxxxx)/*container"
    }

secrets:
  ARTIFACTORY_USER: xxxxxxxxxxxxxxx
  ARTIFACTORY_PW: xxxxxxxxxxxxxxx

We tried some different spellings and variants to configure it, but none was working.
The only working way was to add the User/PW directly in the config.js instead to use "process.env.ARTIFACTORY_*", but this is not really secure and we don't wont to use it.

Maybe, someone here know the answer :-)

Hi,

I noticed a lot of helm chart releases, that basically don't add new features besides a image tag change.

Isn't it better to keep the helmchart version the same when no changes to the chart have been done?

An enduser can use renovate to update the image tag in the values.

-- Thanks for your work!

renovatebot/renovate#12644 (comment)

We need to define RENOVATE_CONFIG_FILE=config,json, otherwise the next renovate major would break this chart.

/cc @JamieMagee

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Pending Approval

These branches will be created by Renovate only once you click their checkbox below.

• chore(deps): update kindest/node docker tag to v1.31.0

Awaiting Schedule

These updates are awaiting their schedule. Click on a checkbox to get an update now.

• chore(deps): lock file maintenance

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): update python docker tag to v3.12.5

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Hi,

I take my inpsiration from the renovate configuration of this repo for my own charts and found a bug when dealing with kindest/node image.

The regex in renovate.json should not have an additionnal space just after the comment character.

Another problem is that only patch updates should be applied as you want to launch different versions on Kubernetes and not the latest one.

Can I commit a PR?

Deployed using process below:

Added personal token (for RENOVATE_TOKEN) to a gitlab user with below permissions (read only for testing):

read_api, read_user, read_repository, read_registry

Applied below:

kubectl apply -f secret.yaml
helm upgrade --namespace renovate renovate renovate/renovate -f values.yaml --debug

secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: renovate-env
  namespace: renovate
type: Opaque
stringData:
  RENOVATE_TOKEN: 'xxxxxxx'

Values (only changed values shown) (I found how to do it here #198 (comment)):

renovate:
  existingConfigFile: "/usr/src/app/config.js"

existingSecret: 'renovate-env'

extraConfigmaps:
  - name: config
    data:
      config.js: |
        module.exports = {
          platform: "gitlab",
          autodiscover: "true",
          secrets: {
            RENOVATE_TOKEN: process.env.RENOVATE_TOKEN
          }
        }

extraVolumes:
  - name: renovate-extra-config
    configMap:
      name: renovate-extra-config

extraVolumeMounts:
  - name: renovate-extra-config
    mountPath: /usr/src/app/config.js
    subPath: config.js

Error:

kubectl logs test-kc5zf -n renovate
 WARN: Config needs migrating
       "originalConfig": {
         "platform": "gitlab",
         "autodiscover": "true",
         "secrets": {"RENOVATE_TOKEN": "***********"}
       },
       "migratedConfig": {
         "platform": "gitlab",
         "autodiscover": true,
         "secrets": {"RENOVATE_TOKEN": "***********"}
       }
FATAL: Authentication failure
 INFO: Renovate is exiting with a non-zero code due to the following logged errors
       "loggerErrors": [
         {
           "name": "renovate",
           "level": 60,
           "logContext": "DCigCzk18VgMnevu9NUXL",
           "msg": "Authentication failure"
         }
       ]

Question:
Is the RENOVATE_TOKEN enough to get authenticated to Gitlab? How do I specify user for the RENOVATE_TOKEN?

GitHub codespaces make it easy to onboard new contributors. We should add the configuration necessary for a GitHub codespace, including all the tools necessary for development (helm, chart-testing, helm-docs, etc.)

Hello everyone!

Before moving on I will detail my stack:

Kubernetes
Helm
ArgoCD
Bitbucket-server
Private Nexus server

After setting up a basic working version of renovate and managing to get it to fetch updates from official registries I started fiddling with the configs.

First, I started by changing the default npm repo to my private one (nexus).

Following the documentation I set a config.json file on the repository like this:

{  
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base"],
  "automergeType": "pr",
  "rangeStrategy": "bump",
  "npmrc": "//some.wrong.url"
}

After this, I can confirm that the definition in the renovate.json config is being picked up by the bot:

DEBUG: Repo .npmrc file is ignored due to presence of config.npmrc (repository=abc/********)
       "npmrcFileName": ".npmrc"

The next objective would be to further discover how I can control dependency endpoint access (E.g. dependency A -> npm.js.org, dep B-> my.company.org)
However, at the end of the run, the statistics show that all my npm requests defaulted to npmjs.org, despite npm being overriden:

DEBUG: http statistics (repository=abc/*******)
       "hostStats": [
         "api.github.com, 130 requests, 2065ms request average, 0ms queue average",
         "auth.docker.io, 1 request, 1419ms request average, 1ms queue average",
         "git.***.*****.****, 68 requests, 69ms request average, 0ms queue average",
         "index.docker.io, 5 requests, 993ms request average, 0ms queue average",
         "registry.npmjs.org, 42 requests, 3933ms request average, 0ms queue average"
       ],
       "totalRequests": 246

Expected behavior: Error/warning due to invalid/unreacheable npm registry
Actual behavior: No error/warning messages, still resolves to npmjs.org despite npm manager url being overriden.

Am I doing something wrong? Can anyone provide me some clues on how to debug this behavior further?

Thank you in advance!

Hello,

Im having trouble adding my custom private key to the container, my setup:

secrets:
  GITHUB_COM_TOKEN: "TOKEN"
  RENOVATE_PLATFORM: "gitlab"
  RENOVATE_TOKEN: "TOKEN"

extraVolumes:
  - name: private-key
    hostPath:
      path: /path/to/renovate/renovate-private-key.asc

extraVolumeMounts:
  - name: private-key
    mountPath: /tmp/renovate-private-key.asc

renovate:
  config: |
    {
      "platform": "gitlab",
      "endpoint": "https://gitlab.example.com/api/v4",
      "onboarding": true,
      "token": "TOKEN",
      "autodiscover": "false",
      "printConfig": true,
      "privateKeyPath": "/tmp/renovate-private-key.asc",
      "logLevel": "trace",
      "updateInternalDeps": true,
      "onboardingConfig": {
        "extends": [
          "local>gitlab/project/renovate-config"
        ]
      },
      "repositories": [
        "my-repo-test"
      ]
    }

while this solution works on my local machine I cannot deploy it on our live cluster since I will need to upload the private key to all the nodes and that's not secure/scalable.

so far Ive tried this options:
Adding the private key to the secret section replacing newlines with \n characters for each line-
secrets:
RENOVATE_PRIVATE_KEY: "-----BEGIN PGP PRIVATE KEY BLOCK-----\n......"

tried also to add it w/o the /n and it also not working

Both cases were printed the error:
"error": {
"validationError": "Failed to decrypt field npmrc. Please re-encrypt and try again.",
"message": "config-validation",

What is the best approach here to add the private key?

We now can use the renovate slim image with DinD sidecar.

The downside is, that the DinD container needs privileged security context

So It would be nice to use to rootless DinD version, so we don't need a priviliged container.

Hey there, I've deployed the helm chart in our air-gapped on-prem cluster so that I can use renovate to manage helm chart dependencies against our private helm repositories and mirrors. That works fine when I use the "fat" renovate image and the option renovate config option binarySource to global (the default value install does not work, as there's no internet access thus tool installs failing).

I tried to use the dind option with binarySource: "docker" but had to scrape that as the docker daemon in the dind container tries to access docker.io for image pulls. As of now there is no option to modify the settings of the docker daemon inside the container, e.g. by providing a /etc/docker/daemon.json from a configmap or otherwise. If that would be possible, this would allow me to specify the internal docker registry mirror as a mirror to the docker daemon so that it would be able to grab the images.

Would appreciate it if this would be implemented - I could do it myself, too - just thought that a creating an issue first to get opinions would be good.

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.

1. add new bool option slim: false
2. update imageTag to add slim suffix when slim:true
3. add binarySource=install to environment when slim:true
4. add CI tests

Which Renovate are you using?

Renovate Open Source Helm Chart

Which platform are you using?

GitLab self-hosted

Have you checked the logs? Don't forget to include them if relevant

2020-08-31T13:07:19.47585772Z INFO: Repository started (repository=tiago.sousa/sample-ruby-app) │
│ 2020-08-31T13:07:19.475891312Z "renovateVersion": "22.3.3" │
│ 2020-08-31T13:07:19.800262752Z WARN: Host error (repository=tiago.sousa/sample-ruby-app) │
│ 2020-08-31T13:07:19.800283853Z "hostType": "git", │
│ 2020-08-31T13:07:19.800286844Z "lookupName": undefined, │
│ 2020-08-31T13:07:19.800289075Z "err": { │
│ 2020-08-31T13:07:19.800291157Z "task": { │
│ 2020-08-31T13:07:19.8002933Z "concatStdErr": false, │
│ 2020-08-31T13:07:19.800295486Z "format": "utf-8", │
│ 2020-08-31T13:07:19.800297569Z "commands": [ │
│ 2020-08-31T13:07:19.800299465Z "clone", │
│ 2020-08-31T13:07:19.800301375Z "--depth=2", │
│ 2020-08-31T13:07:19.80030332Z "https://oauth2:redacted@redacted-hostname/tiago.sousa/sample-ruby-app.git", │
│ 2020-08-31T13:07:19.800305622Z "." │
│ 2020-08-31T13:07:19.800307535Z ] │
│ 2020-08-31T13:07:19.800309408Z }, │
│ 2020-08-31T13:07:19.800311308Z "message": "Cloning into '.'...\nremote: Git access over HTTP is not allowed\nfatal: unable to access 'https://redacted-hostname

What would you like to do?

I would like to be able to use an SSH key for git with the Helm chart but there doesn't seem to be a way to mount the .ssh directory that it expects. Any guidance on how may I be able to follow this approach while keeping the helm chart?
https://github.com/renovatebot/renovate/blob/master/docs/usage/self-hosting.md#kubernetes-for-gitlab-using-git-over-ssh

Helm v2 is obsolete, so we should update chart to v2 metadata to only support Helm v3

ref: https://helm.sh/docs/topics/v2_v3_migration/

helm repo add renovate https://docs.renovatebot.com/helm-charts
helm repo update
helm search repo renovate

Returns

renovate/renovate       23.66.0         23.66.0         Universal dependency update tool that fits into...

Edit: this seems to be due to ci failures. But I am still curious where the older charts are

Summary

Yesterday, Bitnami removed chart versions older than 6 months from the bitami Helm Chart index, which means the Bitnami Helm chart dependency for the Renovatebot helmchart is now no longer resolvable.

Quick Fix

Update the version of the Redis dependency, as renovate suggested ;)

I believe #61 to have caused my working values.yaml file to break. I've attached it below. Working with 23.31.2, the latest release before the PR got merged.

Error message:

Error: YAML parse error on renovate/templates/secret.yaml: error converting YAML to JSON: yaml: line 15: could not find expected ':'

Tried various combinations of YAML/JSON, but the error still persists. Did also look over the PR to see if I could catch the error, but was too much going on for me to notice anything.

Any advice?

cronjob:
  schedule: "0 */6 * * *"
  concurrencyPolicy: Forbid
  jobRestartPolicy: Never

secrets:
  GITHUB_COM_TOKEN: "$GITHUB_API_TOKEN"
  LOG_LEVEL: "debug"
  RENOVATE_AUTODISCOVER: "true"
  RENOVATE_ENDPOINT: ### URL ###
  RENOVATE_PLATFORM: "gitlab"
  RENOVATE_TOKEN: "$GITLAB_RENOVATE_USER"

renovate:
  config: |
    {
      "onboardingConfig": {
        "extends": ["config:base",":label(renovate)"]
      },
      "requireConfig": true
    }

Add optional configuration to include a Docker DIND sidecar in the renovate pod. This allowed binarySource to be set to docker

See renovatebot/renovate#8169 (reply in thread)

Hi,

I just saw that containerbaseDir in combination with persistence ist not working. I don't know if it should work since an emptyDir will be mounted inside a pvc. Maybe it also has something to do with fsGroup: 1000 which I had to setup. Otherwise the cache did not work at all.

Is this an issue or am I just deploying it wrong?

"stderr": "You don't have permission to create /tmp/renovate/cache/containerbase.\ncurl: (23) Failed writing received data to disk/application\nDownload failed: https://nodejs.org/dist/v18.14.0/node-v18.14.0-linux-x64.tar.xz\nbash: npm: command not found\n",

I am running in EKS with gp3 volumes.

Thanks.

Some supported values like nodeSelector are not documented.

Ref:

• #159

I have a mixed architecture cluster, this is a feature request to add a nodeSelector value to the chart to support assigning the job to an amd64 host.

The renovate.serviceAccountName referenced in charts/renovate/templates/_helpers.tpl requires a template in the chart which doesnt exist.

Add the missing ServiceAccount resource template, and set default for .Values.serviceAccount.create to false

https://helm.sh/docs/topics/charts/#schema-files

Since an upgrade in the last couple of days the renovate container doesn't start. I'm getting the following error in the log

/bin/bash: -c: line 2: syntax error: unexpected end of file

Describe of the pod

Containers:
  renovate:
    Container ID:  containerd://f1d3fa25506ddcec76919db3eeda6a7435152a4af7062008bb43cfe90ded63a8
    Image:         renovate/renovate:34.8.2-slim
    Image ID:      docker.io/renovate/renovate@sha256:5a93336aedcdec4790e76c4792c8e006c73e525c897e9ef381f794843579a005
    Port:          <none>
    Host Port:     <none>
    Command:
      /bin/bash
      -c
    Args:
      trap "touch /tmp/main-terminated" EXIT
      while true; do if [[ -f "/tmp/dind-started" ]]; then break; fi; sleep 1; donerenovate

    State:          Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Sat, 29 Oct 2022 17:33:25 +0200
      Finished:     Sat, 29 Oct 2022 17:33:25 +0200
    Ready:          False
    Restart Count:  0
    Environment:
      RENOVATE_CONFIG_FILE:  /usr/src/app/config.json
      GITHUB_COM_TOKEN:      XXXX
      RENOVATE_TOKEN:        XXXX
      DOCKER_HOST:           127.0.0.1:2376
      DOCKER_CERT_PATH:      /tmp/certs/client
      DOCKER_TLS_VERIFY:     true
    Mounts:
      /tmp from renovate-tmp-volume (rw)
      /usr/src/app/config.json from config-volume (rw,path="config.json")
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-q9kdd (ro)
  renovate-dind:
    Container ID:  containerd://9dd3a597a28a8871387a0e89ac2606b8858084b4de027dda5be7b1a953ea6f90
    Image:         docker:20.10.21-dind
    Image ID:      docker.io/library/docker@sha256:7b7ef8858c96e95fba85cbfa0d216db700a62a3c0fcddaa7a8f3b01b40679f42
    Port:          <none>
    Host Port:     <none>
    Command:
      /bin/sh
      -c
    Args:
      dockerd-entrypoint.sh &
      CHILD_PID=$!
      while ! (pgrep containerd); do sleep 1; done
      touch /tmp/dind-started
      (while true; do if [[ -f "/tmp/main-terminated" ]]; then kill $CHILD_PID; fi; sleep 1; done) &
      wait $CHILD_PID
      if [[ -f "/tmp/main-terminated" ]]; then exit 0; fi

    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Sat, 29 Oct 2022 17:33:41 +0200
      Finished:     Sat, 29 Oct 2022 17:33:43 +0200
    Ready:          False
    Restart Count:  0
    Environment:
      DOCKER_TLS_CERTDIR:  /tmp/certs
    Mounts:
      /tmp from renovate-tmp-volume (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-q9kdd (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  config-volume:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      renovate-config
    Optional:  false
  renovate-tmp-volume:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  kube-api-access-q9kdd:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s

Configured values are

    cronjob:
      concurrencyPolicy: Forbid
      schedule: 12 * * * *
    dind:
      enabled: true
    env:
      GITHUB_COM_TOKEN: XXXX
      RENOVATE_TOKEN: XXXX
    renovate:
      config: |
        {
          "platform": "gitea",
          "endpoint": "XXXX*,
          "gitAuthor": "XXX",
          "autodiscover": "false",
          "onboarding": "true",
          "onboardingBranch": "feature/BUILD_renovate",
          "branchPrefix": "feature/RENOVATE_",
          "repositories": [
            "XXX",
          ],
          "lockFileMaintenance": {
            "enabled": true,
            "schedule": null
          },
          "extends": [
            "workarounds:all"
          ]
        }

As reported originally here: renovatebot/renovate#13054

Copypaste from my comment here: renovatebot/renovate#13054 (comment):

I believe this could be related to:

config: Renovate will now fail if RENOVATE_CONFIG_FILE is specified without a file extension

(https://github.com/renovatebot/renovate/releases/tag/30.0.0)

This should have been fixed here: #170

But unfortunately the line introduced in that PR will not be evaluated because the whole env section is guarded by another if:

helm-charts/charts/renovate/templates/cronjob.yaml

Line 88 in 5e50b02

{{- if or .Values.redis.enabled .Values.renovate.existingConfigFile .Values.env .Values.dind.enabled }}

As a workaround, this can be specified in the values.yml

  env:
    RENOVATE_CONFIG_FILE: /usr/src/app/config.json

This is rather a straightforward request to provide the support to override hostname resolution with hostAliases as described here.

Example of how this could look like in cronjob:

...
spec:
  serviceAccountName: {{ include "renovate.serviceAccountName" . }}
  restartPolicy: {{ .Values.cronjob.jobRestartPolicy }}
{{- with .Values.hostAliases }}
  hostAliases:
    {{- toYaml . | nindent 12 }}
{{- end }}
...