docs: adding support for privateKey sample #166

Open
roe-pinhas opened this issue Nov 9, 2021 · 7 comments
Labels
documentation Improvements or additions to documentation good first issue Good for newcomers help wanted Extra attention is needed

Comments

roe-pinhas commented Nov 9, 2021

Hello,

I'm having trouble adding my custom private key to the container. My setup:

secrets:
  GITHUB_COM_TOKEN: "TOKEN"
  RENOVATE_PLATFORM: "gitlab"
  RENOVATE_TOKEN: "TOKEN"

extraVolumes:
  - name: private-key
    hostPath:
      path: /path/to/renovate/renovate-private-key.asc

extraVolumeMounts:
  - name: private-key
    mountPath: /tmp/renovate-private-key.asc

renovate:
  config: |
    {
      "platform": "gitlab",
      "endpoint": "https://gitlab.example.com/api/v4",
      "onboarding": true,
      "token": "TOKEN",
      "autodiscover": "false",
      "printConfig": true,
      "privateKeyPath": "/tmp/renovate-private-key.asc",
      "logLevel": "trace",
      "updateInternalDeps": true,
      "onboardingConfig": {
        "extends": [
          "local>gitlab/project/renovate-config"
        ]
      },
      "repositories": [
        "my-repo-test"
      ]
    }

While this solution works on my local machine, I cannot deploy it on our live cluster since I will need to upload the private key to all the nodes and that's not secure/scalable.

So far I've tried these options:
Adding the private key to the secret section, replacing newlines with \n characters for each line:
secrets:
  RENOVATE_PRIVATE_KEY: "-----BEGIN PGP PRIVATE KEY BLOCK-----\n......"

I also tried adding it without the \n and it is also not working.

Both cases printed the error:
"error": {
  "validationError": "Failed to decrypt field npmrc. Please re-encrypt and try again.",
  "message": "config-validation",
What is the best approach here to add the private key?

Member

viceice commented Nov 9, 2021

Make sure the key isn't protected by a passphrase.

Member

viceice commented Nov 9, 2021

You should add the private key to a Kubernetes secret and mount it as a file or environment var.

@roe-pinhas
Author

@viceice Thanks for the reply. It's not protected by a passphrase, and indeed it works if I mount it as a file using the volumeMounts. However, the current chart doesn't support adding the file as a secret file; instead it only supports adding the file as an environment var. When I attempted to do it like this, it failed (I assume the issue is with the format of the file vs the env var).
Adding out-of-the-box support for this specific file can help make the chart ready for a secure self-hosted solution. What do you think?

Member

viceice commented Nov 9, 2021

You should manually create a Kubernetes secret and reference it from extraVolumes:

extraVolumes:
  - name: private-key
    secret:
      secretName: renovate-private-key
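
The setup this thread arrives at, written out in full as an added example (it is not part of the original comments and not the chart's own documentation). The secret name, volume name and key file name come from the posts above; the mount directory /etc/renovate-keys is an assumption made for this example.

```yaml
# Added example. Create the Secret once, in the namespace the chart is
# installed into. The name on the left of "=" becomes the Secret key and
# therefore the file name inside the mounted volume. Loading it from the file
# keeps the armored key's real newlines, so no "\n" escaping is needed:
#
#   kubectl create secret generic renovate-private-key \
#     --from-file=renovate-private-key.asc=/path/to/renovate/renovate-private-key.asc
#
# values.yaml for the chart:
extraVolumes:
  - name: private-key
    secret:
      secretName: renovate-private-key

extraVolumeMounts:
  - name: private-key
    # A secret volume is mounted as a directory holding one file per key,
    # so mount a directory here rather than the .asc path itself.
    # /etc/renovate-keys is an assumed path chosen for this example.
    mountPath: /etc/renovate-keys
    readOnly: true

renovate:
  config: |
    {
      "platform": "gitlab",
      "endpoint": "https://gitlab.example.com/api/v4",
      "privateKeyPath": "/etc/renovate-keys/renovate-private-key.asc"
    }
```

The remaining settings from the original post (token, repositories, onboarding) stay as they were. Compared with the hostPath volume, the key now lives only in the cluster's Secret store and does not have to be copied to every node.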

@roe-pinhas
Author

That did the trick, thanks

@viceice viceice reopened this Nov 10, 2021
Member

viceice commented Nov 10, 2021

Reopen to track docs update to include the sample

@viceice viceice changed the title from "adding support for privateKey" to "docs: adding support for privateKey sample" Nov 10, 2021
Member

viceice commented Nov 10, 2021

@viceice viceice added documentation Improvements or additions to documentation good first issue Good for newcomers help wanted Extra attention is needed labels Nov 10, 2021