Running Renovate in Kubernetes with GitOps
Auto Detect your new Container and Helm Chart Updates with Renovate, FluxCD, and GitOps.
In this post, you’ll learn how to deploy Renovate Bot in Kubernetes to scan your FluxCD manifests and HelmRelease resources, detect new Docker image tags and Helm chart versions, and automatically create Pull Requests in your GitOps repository.
✅ Why Renovate?
Renovate is an open-source tool for automated dependency management. In a GitOps environment, it enables:
- Detecting new container image versions in your deployments.
- Updating Helm charts defined in Flux manifests (HelmRelease).
- Creating pull requests with changes and a Dependency Dashboard.
🚀 Installing in Kubernetes with Helm
Renovate provides an official Helm chart. You can run it as a CronJob to perform daily scans.
First, create the HelmRepository for Renovate:
```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: renovate
  namespace: monitoring
spec:
  interval: 1h
  url: https://renovatebot.github.io/helm-charts
```
Next is the Renovate HelmRelease. In this example I am using a GitHub repo, and for that you will need a GitHub token. The token is stored in the secret renovate-secret under the name RENOVATE_TOKEN. You can also enable Redis and a persistent volume as a cache. Configure your user and repo in "repositories": ["YourUser/YourRepo"].
```yaml
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: renovate
  namespace: monitoring
spec:
  interval: 1h
  chart:
    spec:
      chart: renovate
      version: 41.37.4
      sourceRef:
        kind: HelmRepository
        name: renovate
  values:
    cronjob:
      schedule: "0 3 * * *" # Runs daily at 03:00 AM
    redis:
      enabled: true
    envFrom:
      - secretRef:
          name: renovate-secret # Contains RENOVATE_TOKEN
    renovate:
      config: |
        {
          "$schema": "https://docs.renovatebot.com/renovate-schema.json",
          "platform": "github",
          "token": "${RENOVATE_TOKEN}",
          "repositories": ["YourUser/YourRepo"],
          "extends": ["config:recommended"],
          "enabledManagers": ["kubernetes", "flux"],
          "flux": {
            "fileMatch": ["cluster/.+\\.ya?ml$"]
          },
          "kubernetes": {
            "fileMatch": ["cluster/.+\\.ya?ml$"]
          },
          "dependencyDashboard": true,
          "branchConcurrentLimit": 5,
          "prConcurrentLimit": 5,
          "baseBranchPatterns": ["master"],
          "automerge": false
        }
      persistence:
        cache:
          enabled: true
          storageClass: "longhorn"
          storageSize: "512Mi"
```
👉 When the Job runs for the first time (you can trigger it manually), go to your repo: you will find a PR that you must accept so that Renovate can scan the repo and create PRs. On later runs you will see the Dependency Dashboard issue and the first PRs.
Instead of relying on complex regex rules, Renovate now supports Flux natively through "enabledManagers": ["kubernetes", "flux"]. This allows it to detect:
- HelmRelease (chart.spec.chart and version)
- OCIRepository
- GitRepository
It also continues to support Kubernetes resources like Deployments, DaemonSets, etc., for Container images.
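A pre-merge lint for the Renovate config shown above, as an added example (not code from the original post or from the Renovate project). It flags a token committed as a literal instead of the `${RENOVATE_TOKEN}` reference, enabled automerge, and a missing repository list, and lists which paths the `fileMatch` patterns select. The function names, sample paths and risky variant are constructed; `packageRules` and `autodiscover` are Renovate options the page does not use, and unanchored pattern matching is an assumption.

```python
import json
import re

ENV_REF = re.compile(r"^\$\{[A-Z_][A-Z0-9_]*\}$")        # e.g. ${RENOVATE_TOKEN}
GITHUB_TOKEN = re.compile(r"^(gh[pousr]_|github_pat_)")  # GitHub token prefixes

# Config from the page's HelmRelease, trimmed to the keys checked here.
PAGE_CONFIG = r"""{
  "token": "${RENOVATE_TOKEN}",
  "repositories": ["YourUser/YourRepo"],
  "enabledManagers": ["kubernetes", "flux"],
  "flux": {"fileMatch": ["cluster/.+\\.ya?ml$"]},
  "kubernetes": {"fileMatch": ["cluster/.+\\.ya?ml$"]},
  "automerge": false
}"""
# Constructed risky variant: literal token, automerge on, no repository list.
_risky = json.loads(PAGE_CONFIG)
_risky.update(token="ghp_CONSTRUCTED_EXAMPLE_ONLY", automerge=True)
del _risky["repositories"]
RISKY_CONFIG = json.dumps(_risky)
# Constructed repository paths.
SAMPLE_PATHS = ["cluster/apps/renovate/helmrelease.yaml", "cluster/base/redis.yml",
                "cluster/README.md", "docs/example.yaml", "archive/cluster/old.yaml"]


def audit_renovate_config(config_text):
    """Return review findings for a Renovate config given as JSON text."""
    cfg, findings = json.loads(config_text), []
    token = cfg.get("token")
    if token is not None and not ENV_REF.match(token):
        kind = "GitHub token" if GITHUB_TOKEN.match(token) else "literal value"
        findings.append(f"token: {kind} in Git-tracked config, move it to renovate-secret")
    if any(r.get("automerge") is True for r in [cfg] + cfg.get("packageRules", [])):
        findings.append("automerge: updates would merge without a reviewer")
    if cfg.get("autodiscover") or not cfg.get("repositories"):
        findings.append("repositories: not limited to an explicit list")
    return findings


def scanned_paths(config_text, paths):
    """Map each enabled manager to the paths its fileMatch patterns select."""
    cfg = json.loads(config_text)
    selected = {}
    for manager in cfg.get("enabledManagers", []):
        # Assumption: patterns are applied unanchored, with re standing in for RE2.
        regexes = [re.compile(p) for p in cfg.get(manager, {}).get("fileMatch", [])]
        selected[manager] = [p for p in paths if any(r.search(p) for r in regexes)]
    return selected
```

Because the pattern has no leading `^`, `archive/cluster/old.yaml` is selected too; anchor it if only the top-level `cluster/` directory should be scanned.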
🚀Renovate creates an issue called Dependency Dashboard, where you can:
- See the list of detected updates.
- Force creation of PRs manually.
- Approve the PRs.
👉Final Result
With this setup:
✅FluxCD + Renovate + GitOps → Always up-to-date manifests.
✅Renovate automatically opens PRs for Docker images and Helm charts.
✅Everything is managed through the Dependency Dashboard.
🚀 Enjoy!
