
Renovate how to filter out image prefix containing registry URL when trying to match images in private Azure Container Registry


I use the integrated Renovate bot in GitLab to scan my GitLab repository for dependent image updates. The bot scans the images used in my docker-compose.yml and looks at my private Azure Container Registry (ACR) to see if there are any dependent image updates. Currently this fails, as the image name used in my docker-compose.yml is not the same as the image name in my ACR. Renovate states that it cannot find my package. How do I solve this?

I know I have to use packageRules and customManagers, but don't really understand what my renovate.json should look like when implementing this.

Current setup

docker-compose.yml:

services:
  prometheus:
    image: <ACR_URL>/<TEAM>/prometheus:0.0.1

ACR image name: <TEAM>/prometheus

Renovate bot logging:

{
  "depName": "<ACR_URL>/<TEAM>/prometheus",
  "currentValue": "0.0.1",
  "replaceString": "<ACR_URL>/<TEAM>/prometheus:0.0.1",
  "autoReplaceStringTemplate": "{{depName}}{{#if newValue}}:{{newValue}}{{/if}}{{#if newDigest}}@{{newDigest}}{{/if}}",
  "datasource": "docker",
  "updates": [],
  "packageName": "<ACR_URL>/<TEAM>/prometheus",
  "versioning": "docker",
  "warnings": [
    {
      "topic": "<ACR_URL>/<TEAM>/prometheus",
      "message": "Failed to look up docker package <ACR_URL>/<TEAM>/prometheus"
    }
  ]
},

This is my current renovate.json:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:base"
  ],
  "baseBranches": [
    "main"
  ],
  "hostRules": [
    {
      "matchHost": "$ACR_URL",
      "username": "$ACR_USER",
      "password": "$ACR_TOKEN"
    }
  ],
  "packageRules": [
    {
      "groupName": "all non-major dependencies",
      "groupSlug": "all-minor-patch",
      "matchPackagePatterns": [
        "*"
      ],
      "registryUrls": [
        "$ACR_URL"
      ]
    }
  ]
}



Solution

  • Working Renovate Configuration

    Example .gitlab-ci.yml

    image: renovate/renovate:37.382
    
    stages:
      - renovate
    
    variables:
      RENOVATE_BASE_DIR: $CI_PROJECT_DIR/renovate
      RENOVATE_ENDPOINT: $CI_API_V4_URL
      RENOVATE_EXTRA_FLAGS: --autodiscover=true
      RENOVATE_HOST_RULES: | 
        [
          {
            "matchHost": "github.com", 
            "token": "$GITHUB_TOKEN"
          },
          {
            "matchHost": "gitlab.<ENDPOINT>.com", 
            "token": "$GITLAB_ACCESS_TOKEN", 
            "authType": "Bearer"
          },
          {
            "matchHost": "$ACR_URL", 
            "password": "$ACR_TOKEN", 
            "username": "$ACR_USER"
          }
        ]
      RENOVATE_ONBOARDING: "true"
      RENOVATE_OPTIMIZE_FOR_DISABLED: "true"
      RENOVATE_PLATFORM: gitlab
      RENOVATE_REPOSITORY_CACHE: "true"
      LOG_LEVEL: debug
    
    .matrix:
      parallel:
        matrix:
          - RENOVATE_AUTODISCOVER_FILTER: /<PARENT>/<SUBGROUPA>/.*/
          - RENOVATE_AUTODISCOVER_FILTER: /<PARENT>/<SUBGROUPB>/<PROJECT>/
    
    cache:
      key: ${CI_COMMIT_REF_SLUG}-renovate
      paths:
        - $CI_PROJECT_DIR/renovate
    
    run_renovate:
      stage: renovate
      resource_group: production
      rules:
        - if: '$CI_PIPELINE_SOURCE == "schedule"'
      script:
        - renovate $RENOVATE_EXTRA_FLAGS
      extends: .matrix
    
    renovate:
      stage: renovate
      script:
        - renovate --dry-run $RENOVATE_EXTRA_FLAGS
      extends: .matrix
    

    With example renovate.json:

    {
      "$schema": "https://docs.renovatebot.com/renovate-schema.json",
      "extends": [
        "config:recommended"
      ],
      "baseBranches": [
        "main"
      ],
      "packageRules": [
        {
          "groupName": "all non-major dependencies",
          "matchPackagePatterns": [
            "*"
          ],
          "matchUpdateTypes": [
            "minor",
            "patch"
          ]
        },
        {
          "groupName": "all major dependencies",
          "matchPackagePatterns": [
            "*"
          ],
          "matchUpdateTypes": ["major"]
        }
      ],
      "pre-commit": {
        "enabled": true
      }
    }
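A pre-flight check for one possible cause of the "Failed to look up docker package" warning in the question: a private registry host referenced in docker-compose.yml with no usable hostRules entry. This is an added example, not code from the original post or from Renovate. The host `example.azurecr.io`, the sample compose text, the function names and the simplified matchHost comparison are assumptions, as is the premise that a `$ACR_URL` placeholder committed in renovate.json stays literal while the same placeholder in a GitLab CI variable such as RENOVATE_HOST_RULES is expanded.

```python
import re

DOCKER_HUB = "index.docker.io"
IMAGE_RE = re.compile(r"^\s*image:\s*[\"']?([^\s\"'#]+)", re.M)

# Constructed sample input; example.azurecr.io stands in for <ACR_URL>.
COMPOSE = """\
services:
  prometheus:
    image: example.azurecr.io/team/prometheus:0.0.1
  grafana:
    image: grafana/grafana:10.4.2
"""
COMMITTED_RULES = [{"matchHost": "$ACR_URL"}]           # literal text from renovate.json
EXPANDED_RULES = [{"matchHost": "example.azurecr.io"}]  # after CI variable expansion

def split_image_ref(ref):
    """Split an image reference into (registry, repository, tag)."""
    name = ref.partition("@")[0]  # drop any @sha256:... digest
    first, slash, rest = name.partition("/")
    # Docker's rule: the first component is a registry only if it looks like a host.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = DOCKER_HUB, name
    repo, colon, tag = path.rpartition(":")
    return (registry, repo, tag) if colon else (registry, path, None)

def rule_matches(match_host, registry):
    """Simplified host match (assumption): same hostname or a subdomain of it."""
    host = registry.split(":")[0].lower()
    rule = re.sub(r"^https?://", "", match_host).split("/")[0].split(":")[0].lower()
    return bool(rule) and (host == rule or host.endswith("." + rule.lstrip(".")))

def audit(compose_text, host_rules):
    """Return findings that would leave a private registry lookup unauthenticated."""
    findings = [("unexpanded-placeholder", r["matchHost"])
                for r in host_rules if "$" in r.get("matchHost", "")]
    for ref in IMAGE_RE.findall(compose_text):
        registry = split_image_ref(ref)[0]
        rules = (r.get("matchHost", "") for r in host_rules)
        if registry != DOCKER_HUB and not any(rule_matches(m, registry) for m in rules):
            findings.append(("no-host-rule", registry))
    return findings

if __name__ == "__main__":
    print(audit(COMPOSE, COMMITTED_RULES))
    print(audit(COMPOSE, EXPANDED_RULES))
```

Running the same audit in the dry-run job before `renovate --dry-run` surfaces a missing or unexpanded host rule without printing any credential values.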