Running Renovate Bot on Nomad
Earlier this year we decided to test Renovate to manage automated dependency updates in our self-hosted GitLab environment. Being able to run Renovate in our own environment and configure it to our needs made a lot of sense. Since we run our internal tooling on a Nomad cluster, we had to configure a Nomad job for Renovate.
Since Renovate needs to run periodically, deploying it as a cron job in Nomad made sense. Thankfully, it does not take much: adding the following periodic stanza to the job configuration makes Nomad run the job on a schedule, like a cron job:
periodic {
  cron             = "@hourly"
  prohibit_overlap = true
}
This instructs Nomad to launch the job at the top of every hour. With prohibit_overlap set, a scheduled launch whose previous run is still in progress is skipped rather than started alongside it (Nomad simply tries again at the next tick), so two Renovate instances never work on the same repositories at the same time.
Beyond that, the job needs a group and a task that run the official Renovate Docker image and configure it through environment variables. Secrets are not hardcoded but rendered from our central Vault instance into the task's secrets directory:
job "renovatebot.batch" {
  datacenters = ["dc1"]
  type        = "batch"

  meta {
    Container_OS = "Renovate"
  }

  vault {
    policies      = ["default"]
    change_mode   = "signal"
    change_signal = "SIGUSR1"
  }

  periodic {
    cron             = "@hourly"
    prohibit_overlap = true
  }

  group "renovatebot" {
    count = 1

    task "renovate" {
      driver = "docker"

      template {
        data = <<EOH
RENOVATE_AUTODISCOVER=true
RENOVATE_ENDPOINT=https://gitlab.loc/api/v4/
RENOVATE_GIT_AUTHOR=Renovate Bot <renovate@gitlab.loc>
RENOVATE_PLATFORM=gitlab
RENOVATE_TOKEN={{ with secret "renovatebot" }}{{ .Data.data.gitlab_token }}{{ end }}
RENOVATE_AUTOMERGE=false
RENOVATE_HOST_RULES={{ with secret "renovatebot" }}{{ .Data.data.host_rules }}{{ end }}
GITHUB_COM_TOKEN={{ with secret "renovatebot" }}{{ .Data.data.github_token }}{{ end }}
EOH
        destination = "secrets/.env"
        env         = true
      }

      config {
        image = "renovate/renovate:latest"
      }

      resources {
        memory     = 2048
        memory_max = 4096
      }
    }
  }
}
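Vault's built-in default policy grants a token self-lookup, renewal and cubbyhole access, but no reads on KV secrets, so the policies list has to carry a policy that does, and the least-privilege version is one scoped to the single secret the template reads. The policy below is an added example and not part of the original post. It assumes the secret sits at renovatebot on a KV version 2 engine mounted at secret/ (the .Data.data.* accessors in the template imply KV v2, and consul-template, which renders Nomad templates, inserts the data/ path segment itself, which is why the template path and the policy path differ by that segment); the mount name is an assumption, the post does not state it.

```hcl
# Vault policy "renovatebot" (added example, not from the original post).
# Assumption: the secret the Nomad template reads lives at secret/renovatebot
# on a KV v2 engine mounted at "secret/". Adjust the mount name to match.

# Read-only access to exactly one secret: no list, no create/update, no
# delete, and nothing else under the mount. The token Nomad derives for the
# task can therefore leak nothing beyond the three keys Renovate needs.
path "secret/data/renovatebot" {
  capabilities = ["read"]
}

# consul-template looks up the mount type here to decide between KV v1 and
# KV v2 request paths. The default policy normally grants this already, but
# stating it keeps the policy self-sufficient if "default" is ever dropped.
path "sys/internal/ui/mounts/secret/data/renovatebot" {
  capabilities = ["read"]
}
```

Load it with vault policy write renovatebot renovatebot.hcl and reference it from the job as policies = ["default", "renovatebot"]. With Nomad's token-based Vault integration the policy must also be listed in allowed_policies of the Vault token role Nomad uses, otherwise Nomad cannot derive a token carrying it and the allocation fails to start.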
Two settings in that spec are worth tightening. image = "renovate/renovate:latest" is a floating tag, so every hourly run may pull a different Renovate build; pinning a version tag (or a digest) keeps the bot that opens merge requests against all of our repositories under the same change control as everything else. And change_mode = "signal" with SIGUSR1 is not a secret reload for Renovate: Node.js reserves SIGUSR1 to start its debug inspector, and a batch task that reads its environment fresh on every launch has nothing to re-render anyway, so change_mode = "noop" is the safer choice.

The deployment happens via a GitLab CI job that runs Terraform against the Nomad cluster:
deploy:prod:
  stage: deploy
  image: hashicorp/terraform:light
  only:
    - tags
  environment:
    name: production
  script:
    - terraform --version
    - terraform init
    - terraform validate
    - terraform plan -out "planfile"
    - terraform apply -input=false "planfile"
  allow_failure: false
Each time we create a new tag in GitLab, the deployment pipeline runs and registers the job on our Nomad cluster. Every hour Nomad then launches Renovate on one of its clients, and Renovate checks every GitLab repository its token can access (autodiscovery is enabled, which is also why the scope of that token matters) for dependency updates.
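The post does not show the Terraform configuration the pipeline applies. The following is an added example of the minimal shape it takes, not the original project's code. It assumes the jobspec above is saved as renovatebot.nomad.hcl next to it, that the pipeline supplies NOMAD_ADDR and NOMAD_TOKEN as masked, protected CI variables (the nomad provider reads both from the environment, so no address or token is committed), and that a remote state backend is configured at terraform init time so that plan and apply see the previous run's state; the file and variable names are assumptions.

```hcl
# main.tf (added example, not from the original post)

terraform {
  required_version = ">= 1.0"

  required_providers {
    nomad = {
      source  = "hashicorp/nomad"
      version = "~> 2.0"
    }
  }

  # Remote state (for example GitLab's managed Terraform state through the
  # http backend) is passed to `terraform init` via -backend-config and is
  # deliberately not hardcoded here.
}

# No address or token in code: the provider reads NOMAD_ADDR and NOMAD_TOKEN
# from the environment. Assumption: the pipeline sets both as masked,
# protected CI variables, so only tag pipelines on protected refs can deploy.
provider "nomad" {}

# Registers (and on change, re-registers) the periodic batch job from the
# jobspec file. Because the job is periodic, Nomad creates no allocation at
# registration time; the dispatcher launches a child job on each cron tick.
resource "nomad_job" "renovatebot" {
  # Assumption: the jobspec shown earlier, stored beside this file.
  jobspec = file("${path.module}/renovatebot.nomad.hcl")
}
```

Keeping the jobspec in a separate .hcl file means terraform plan shows a readable diff of the job whenever the file changes, which is what makes the tag-triggered plan and apply steps in the pipeline reviewable.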