Merge branch 'main' into feat/amazon-eks-grafana-stack

ruzickap · web-flow · commit fa677906b933 · 2025-11-24T14:50:32.000+01:00
diff --git a/.github/renovate-pr.json5 b/.github/renovate-pr.json5
@@ -1,26 +1,69 @@
 {
+  /**
+   * Renovate Configuration
+   *
+   * This configuration file defines how Renovate handles dependency updates for repositories.
+   * Renovate is a bot that automatically creates pull requests to update dependencies.
+   *
+   * Documentation: https://docs.renovatebot.com/configuration-options/
+   */
   $schema: "https://docs.renovatebot.com/renovate-schema.json",
-  branchPrefix: "renovate-pr/",
+
+  // # keep-sorted start block=yes
+  branchPrefix: "chore/renovate-pr/",
   customDatasources: {
     "grafana-dashboards": {
       defaultRegistryUrlTemplate: "https://grafana.com/api/dashboards/{{packageName}}",
       format: "json",
       transformTemplates: ['{"releases":[{"version": $string(revision)}]}'],
     },
   },
-  customManagers: [
+  // Keep the extends started with ":" at the end of the list to allow overriding
+  extends: [
+    "config:recommended", // Renovate's recommended configuration preset
+    "docker:pinDigests", // Pin Docker image digests for security
+    "helpers:pinGitHubActionDigestsToSemver", // Pin GitHub Actions to specific versions with semantic versioning
+    "security:openssf-scorecard", // Add OpenSSF Scorecard security insights
+    ":disableDependencyDashboard", // Don't create dependency dashboard issues
+    ":disableRateLimiting", // Disable rate limiting for faster updates
+    ":docker", // Enable Docker container updates
+    ":enableVulnerabilityAlertsWithLabel(security)", // Add security label to vulnerability alerts
+    ":pinSkipCi", // Pin dependencies and skip CI for pin-only updates
+  ],
+  packageRules: [
     {
-      customType: "regex",
+      automerge: true,
+      commitBody: "[skip ci]",
+      description: "Automerge all without running any tests",
+      ignoreTests: true,
+      matchPackagePatterns: ["*"],
+    },
+  ],
+  prCommitsPerRunLimit: 500,
+  prConcurrentLimit: 500,
+  prHourlyLimit: 500,
+  // This allows Renovate to detect and update dependencies that aren't in standard package files
+  regexManagers: [
+    {
+      // Template for extracting version numbers from custom patterns
       extractVersionTemplate: "{{#if extractVersion}}{{{extractVersion}}}{{else}}^v?(?<version>.+)${{/if}}",
+
+      // File types to scan for custom dependency patterns
       fileMatch: ["\\.ya?ml$", "\\.md$", "^Dockerfile$", "^entrypoint\\.sh$"],
+
+      // Regex pattern to match custom dependency declarations
+      // Format: # renovate: datasource=<source> depName=<name> [versioning=<type>] [extractVersion=<regex>] [registryUrl=<url>]
+      // Example: # renovate: datasource=github-releases depName=helm/helm versioning=semver
       matchStrings: [
         '# renovate: datasource=(?<datasource>.+?) depName=(?<depName>.+?)( versioning=(?<versioning>.+?))?( extractVersion=(?<extractVersion>.+?))?( registryUrl=(?<registryUrl>.+?))?\\s.*[=:]\\s*"?(?<currentValue>.+?)"?\\s',
       ],
+
+      // Default to semantic versioning unless specified otherwise
       versioningTemplate: "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}",
     },
     {
-      customType: "regex",
       datasourceTemplate: "custom.grafana-dashboards",
+      customType: "regex",
       fileMatch: ["\\.md$"],
       matchStrings: [
         '# renovate: depName="(?<depName>.*)"\\n\\s+gnetId:\\s+(?<packageName>.*?)\\n\\s+revision:\\s+(?<currentValue>.*)',
@@ -38,29 +81,5 @@
       ],
     },
   ],
-  // Keep the extends started with ":" at the end of the list to allow overriding
-  extends: [
-    "config:recommended",
-    "docker:pinDigests",
-    "helpers:pinGitHubActionDigestsToSemver",
-    "security:openssf-scorecard",
-    ":disableDependencyDashboard",
-    ":disableRateLimiting",
-    ":docker",
-    ":enableVulnerabilityAlertsWithLabel(security)",
-    ":pinSkipCi",
-  ],
-  packageRules: [
-    {
-      automerge: true,
-      commitBody: "[skip ci]",
-      description: "Automerge all without running any tests",
-      ignoreTests: true,
-      matchPackagePatterns: ["*"],
-    },
-  ],
-  prConcurrentLimit: 500,
-  prHourlyLimit: 500,
-  prCommitsPerRunLimit: 500,
-  branchConcurrentLimit: 500,
+  // # keep-sorted end
 }
diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -1,33 +1,56 @@
 {
+  /**
+   * Renovate Configuration
+   *
+   * This configuration file defines how Renovate handles dependency updates for repositories.
+   * Renovate is a bot that automatically creates pull requests to update dependencies.
+   *
+   * Documentation: https://docs.renovatebot.com/configuration-options/
+   */
   $schema: "https://docs.renovatebot.com/renovate-schema.json",
+
   // # keep-sorted start block=yes
+  "git-submodules": {
+    enabled: true,
+  },
+  automerge: true,
+  automergeType: "branch",
+  branchPrefix: "chore/renovate/",
   customDatasources: {
     "grafana-dashboards": {
       defaultRegistryUrlTemplate: "https://grafana.com/api/dashboards/{{packageName}}",
       format: "json",
       transformTemplates: ['{"releases":[{"version": $string(revision)}]}'],
     },
   },
+  // Base Configuration Presets
   // Keep the extends started with ":" at the end of the list to allow overriding
   extends: [
-    "config:recommended",
-    "docker:pinDigests",
-    "helpers:pinGitHubActionDigestsToSemver",
-    "security:openssf-scorecard",
-    ":disableDependencyDashboard",
-    ":disableRateLimiting",
-    ":docker",
-    ":enableVulnerabilityAlertsWithLabel(security)",
-    ":pinSkipCi",
+    "config:recommended", // Renovate's recommended configuration preset
+    "docker:pinDigests", // Pin Docker image digests for security
+    "helpers:pinGitHubActionDigestsToSemver", // Pin GitHub Actions to specific versions with semantic versioning
+    "security:openssf-scorecard", // Add OpenSSF Scorecard security insights
+    ":disableDependencyDashboard", // Don't create dependency dashboard issues
+    ":disableRateLimiting", // Disable rate limiting for faster updates
+    ":docker", // Enable Docker container updates
+    ":enableVulnerabilityAlertsWithLabel(security)", // Add security label to vulnerability alerts
+    ":pinSkipCi", // Pin dependencies and skip CI for pin-only updates
   ],
   // ignore chirpy dependencies
   // https://renovatebot.com/docs/configuration-options/#ignoredeps
   ignorePaths: ["_posts/**"],
+  // Pull Request Labeling
   labels: [
     "renovate",
     "renovate/{{replace '.*/' '' depName}}",
     "renovate/{{updateType}}",
   ],
+  // Lock File Maintenance
+  lockFileMaintenance: {
+    enabled: true,
+    schedule: ["before 6am on Sunday"],
+  },
+  // Package-specific Update Rules
   packageRules: [
     {
       description: "Disable auto-merge for major updates",
@@ -65,16 +88,23 @@
   ],
   prBodyTemplate: "{{{table}}}{{{notes}}}{{{changelogs}}}",
   rebaseWhen: "behind-base-branch",
-  // Custom version extraction
+  // This allows Renovate to detect and update dependencies that aren't in standard package files
   regexManagers: [
     {
-      description: "Regular expressions inside md, YAML, Dockerfile or entrypoint.sh looking for '# renovate:' comments",
-      customType: "regex",
+      // Template for extracting version numbers from custom patterns
       extractVersionTemplate: "{{#if extractVersion}}{{{extractVersion}}}{{else}}^v?(?<version>.+)${{/if}}",
+
+      // File types to scan for custom dependency patterns
       fileMatch: ["\\.ya?ml$", "\\.md$", "^Dockerfile$", "^entrypoint\\.sh$"],
+
+      // Regex pattern to match custom dependency declarations
+      // Format: # renovate: datasource=<source> depName=<name> [versioning=<type>] [extractVersion=<regex>] [registryUrl=<url>]
+      // Example: # renovate: datasource=github-releases depName=helm/helm versioning=semver
       matchStrings: [
         '# renovate: datasource=(?<datasource>.+?) depName=(?<depName>.+?)( versioning=(?<versioning>.+?))?( extractVersion=(?<extractVersion>.+?))?( registryUrl=(?<registryUrl>.+?))?\\s.*[=:]\\s*"?(?<currentValue>.+?)"?\\s',
       ],
+
+      // Default to semantic versioning unless specified otherwise
       versioningTemplate: "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}",
     },
     {
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Initialize CodeQL
         # Does not support arm64
diff --git a/.github/workflows/commit-check.yml b/.github/workflows/commit-check.yml
@@ -16,7 +16,7 @@ jobs:
   commit-check:
     runs-on: ubuntu-24.04-arm
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           fetch-depth: 0
 
diff --git a/.github/workflows/pr-slack-notification.yml b/.github/workflows/pr-slack-notification.yml
@@ -58,7 +58,7 @@ jobs:
     if: ${{ startsWith(github.event.pull_request.html_url, 'https') || startsWith(github.event.issue.pull_request.html_url, 'https') }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Retrieve Slack message timestamp from cache
         id: slack-timestamp
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
@@ -48,7 +48,7 @@ jobs:
       group: ${{ github.workflow }}-${{ github.ref }}
     permissions: write-all
     steps:
-      - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+      - uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2.2.0
         id: app-token
         with:
           app-id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }}
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           # Disable credential persistence for security
           persist-credentials: false
diff --git a/AGENTS.md b/AGENTS.md
@@ -21,6 +21,7 @@ and maintainability across all contributions.
         - [Example](#example)
     - [Branching](#branching)
     - [Pull Requests](#pull-requests)
+  - [EKS Cluster Access](#eks-cluster-access)
   - [Quality \& Best Practices](#quality--best-practices)
 
 ## Markdown Files
@@ -97,6 +98,19 @@ Resolves: #123
 - **Description** - Include clear explanation of changes and motivation
 - **Link issues** - Reference related issues using keywords (Fixes, Closes, Resolves)
 
+## EKS Cluster Access
+
+When accessing the Kubernetes cluster, execute the following command **once**
+at the beginning of the session:
+
+```bash
+eval "$(mise run a)"
+```
+
+This command sets up the necessary environment variables and configuration
+for Kubernetes cluster access. It should be run only once per session before
+any Kubernetes-related operations.
+
 ## Quality & Best Practices
 
 - Pass pre-commit hooks
diff --git a/_posts/2023/2023-06-06-my-favourite-krew-plugins-kubectl.md b/_posts/2023/2023-06-06-my-favourite-krew-plugins-kubectl.md
@@ -17,7 +17,6 @@ Links:
 
 - [Suman Chakraborty's Post](https://www.linkedin.com/posts/schakraborty007_opensource-kubernetes-k8s-activity-7038698712470089728-ADeV)
 - [Top 15 Kubectl plugins for security engineers](https://sysdig.com/blog/top-15-kubectl-plugins-for-security-engineers)
-- [Kubernetes: Krew plugins manager, and useful kubectl plugins list](https://devpress.csdn.net/cicd/62ec6d5c89d9027116a10eb0.html)
 - [Making Kubernetes Operations Easy with kubectl Plugins](https://martinheinz.dev/blog/58)
 
 ## Requirements
diff --git a/_posts/2025/2025-02-01-eks-auto-cert-manager-velero.md b/_posts/2025/2025-02-01-eks-auto-cert-manager-velero.md
@@ -321,14 +321,14 @@ and modify its [default values](https://github.com/vmware-tanzu/helm-charts/blob
 
 ```bash
 # renovate: datasource=helm depName=velero registryUrl=https://vmware-tanzu.github.io/helm-charts
-VELERO_HELM_CHART_VERSION="8.3.0"
+VELERO_HELM_CHART_VERSION="11.1.1"
 
 helm repo add --force-update vmware-tanzu https://vmware-tanzu.github.io/helm-charts
 cat > "${TMP_DIR}/${CLUSTER_FQDN}/helm_values-velero.yml" << EOF
 initContainers:
   - name: velero-plugin-for-aws
     # renovate: datasource=docker depName=velero/velero-plugin-for-aws extractVersion=^(?<version>.+)$
-    image: velero/velero-plugin-for-aws:v1.11.1
+    image: velero/velero-plugin-for-aws:v1.13.0
     volumeMounts:
       - mountPath: /target
         name: plugins
@@ -881,7 +881,7 @@ Back up the certificate before deleting the cluster (in case it was renewed):
 {% raw %}
 
 ```sh
-if [[ "$(kubectl get --raw /api/v1/namespaces/cert-manager/services/cert-manager:9402/proxy/metrics | awk '/certmanager_http_acme_client_request_count.*acme-v02\.api.*finalize/ { print $2 }')" -gt 0 ]]; then
+if [[ "$(kubectl get --raw /api/v1/namespaces/cert-manager/services/cert-manager:9402/proxy/metrics | awk '/certmanager_http_acme_client_request_count.*acme-v02\.api.*finalize/ { print $2 }')" -gt 0 ]] && [[ -n "$(velero get backups -o json | jq -e --arg today "$(date +%Y-%m-%d)" '.items[] | select(.status.startTimestamp | startswith($today))')" ]]; then
   velero backup create --labels letsencrypt=production --ttl 2160h --from-schedule velero-monthly-backup-cert-manager-production
 fi
 ```
