From 3c909f055b3e29dae7690c4dede1ed0026763ac8 Mon Sep 17 00:00:00 2001 From: Leo <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 23 Jun 2026 18:41:32 +0200 Subject: [PATCH 1/4] feat(renovate): source vendor-ee bitnami images from published datasource Add the bitnami-*-camunda custom datasources (per-image JSON published by camunda-deployment-references: complete upstream tag list, credential-free, with newDigest) and a customManager that opts images in via a '# renovate: datasource=custom.bitnami--camunda' annotation. Wire it for vendor-ee/postgresql and vendor-ee/elasticsearch in the 8.9 enterprise values and disable their docker/helm-values tracking so they are not bumped twice. Draft: replicate to 8.7/8.8 once validated. Depends on camunda/infraex-common-config#508 and camunda/camunda-deployment-references#2765. --- .github/renovate.json5 | 58 +++++++++++++++++++ .../values-enterprise.yaml | 4 ++ 2 files changed, 62 insertions(+) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index d8c15389bbd..d4629155f1a 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -63,8 +63,52 @@ defaultRegistryUrlTemplate: 'https://camunda.github.io/camunda-tf-rosa/rosa_versions.txt', format: 'plain', }, + // Bitnami Premium image tags published by camunda-deployment-references, one + // self-contained JSON per image whose releases carry {version, newDigest}. + // Complete upstream tag list (incl. pre-Nov-2025 tags), no registry creds. + // Opt in per image with a '# renovate: datasource=custom.bitnami--camunda' + // annotation in values-enterprise.yaml (see customManagers). + 'bitnami-postgresql-camunda': { + defaultRegistryUrlTemplate: 'https://camunda.github.io/camunda-deployment-references/bitnami_postgresql.json', + format: 'json', + }, + 'bitnami-os-shell-camunda': { + defaultRegistryUrlTemplate: 'https://camunda.github.io/camunda-deployment-references/bitnami_os-shell.json', + format: 'json', + }, + 'bitnami-postgres-exporter-camunda': { + defaultRegistryUrlTemplate: 'https://camunda.github.io/camunda-deployment-references/bitnami_postgres-exporter.json', + format: 'json', + }, + 'bitnami-elasticsearch-camunda': { + defaultRegistryUrlTemplate: 'https://camunda.github.io/camunda-deployment-references/bitnami_elasticsearch.json', + format: 'json', + }, + 'bitnami-elasticsearch-exporter-camunda': { + defaultRegistryUrlTemplate: 'https://camunda.github.io/camunda-deployment-references/bitnami_elasticsearch-exporter.json', + format: 'json', + }, + 'bitnami-keycloak-config-cli-camunda': { + defaultRegistryUrlTemplate: 'https://camunda.github.io/camunda-deployment-references/bitnami_keycloak-config-cli.json', + format: 'json', + }, + 'bitnami-keycloak-camunda': { + defaultRegistryUrlTemplate: 'https://camunda.github.io/camunda-deployment-references/bitnami_keycloak.json', + format: 'json', + }, }, packageRules: [ + // vendor-ee/postgresql and vendor-ee/elasticsearch in the 8.9 enterprise values + // are sourced from the bitnami-*-camunda custom datasources (see customManagers); + // disable the docker/helm-values tracking for them so they are not bumped twice. + // NOTE (draft): replicate to 8.7/8.8 once their values are annotated too. + { + description: 'Bitnami enterprise images tracked via custom datasource, not docker.', + matchManagers: ['helm-values'], + matchFileNames: ['charts/camunda-platform-8.9/values-enterprise.yaml'], + matchPackageNames: ['/vendor-ee/(postgresql|elasticsearch)$/'], + enabled: false, + }, { description: 'Major updates require manual review to prevent breaking changes.', matchUpdateTypes: ['major'], @@ -381,6 +425,20 @@ ], versioningTemplate: '{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}', }, + // Bitnami Premium image tags sourced from the camunda-deployment-references + // custom datasources (complete upstream list, credential-free). Opt in per + // image with '# renovate: datasource=custom.bitnami--camunda depName= versioning=docker'. + { + customType: 'regex', + fileMatch: [ + 'values-enterprise\\.yaml$', + ], + matchStrings: [ + '# renovate: datasource=(?custom\\.bitnami-[^\\s]+?) depName=(?[^\\s]+?)(?: versioning=(?[^\\s]+?))?\\s*?tag: (?\\S+)', + ], + datasourceTemplate: '{{{datasource}}}', + versioningTemplate: '{{#if versioning}}{{{versioning}}}{{else}}docker{{/if}}', + }, // This regex manager is used to update the image digests in the values-digest.yaml files. { customType: 'regex', diff --git a/charts/camunda-platform-8.9/values-enterprise.yaml b/charts/camunda-platform-8.9/values-enterprise.yaml index 133745ffc9f..f507b47ab2f 100644 --- a/charts/camunda-platform-8.9/values-enterprise.yaml +++ b/charts/camunda-platform-8.9/values-enterprise.yaml @@ -28,6 +28,7 @@ identityPostgresql: image: registry: registry.camunda.cloud repository: vendor-ee/postgresql + # renovate: datasource=custom.bitnami-postgresql-camunda depName=postgresql versioning=docker tag: 18.4.0-debian-12-r2 pullSecrets: - name: registry-camunda-cloud @@ -65,6 +66,7 @@ identityKeycloak: image: registry: registry.camunda.cloud repository: vendor-ee/postgresql + # renovate: datasource=custom.bitnami-postgresql-camunda depName=postgresql versioning=docker tag: 18.4.0-debian-12-r2 pullSecrets: - name: registry-camunda-cloud @@ -87,6 +89,7 @@ webModelerPostgresql: image: registry: registry.camunda.cloud repository: vendor-ee/postgresql + # renovate: datasource=custom.bitnami-postgresql-camunda depName=postgresql versioning=docker tag: 18.4.0-debian-12-r2 pullSecrets: - name: registry-camunda-cloud @@ -109,6 +112,7 @@ elasticsearch: image: registry: registry.camunda.cloud repository: vendor-ee/elasticsearch + # renovate: datasource=custom.bitnami-elasticsearch-camunda depName=elasticsearch versioning=docker tag: 8.19.16 pullSecrets: - name: registry-camunda-cloud From 2315b2d568ca87c2db36ebb96b9e18638e06d55b Mon Sep 17 00:00:00 2001 From: Leo <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 24 Jun 2026 10:53:34 +0200 Subject: [PATCH 2/4] fix(renovate): use bitnami regex versioning, drop elasticsearch wiring A renovate dry-run against the published feed showed 'versioning=docker' does not update across the '-debian-12-rN' revision; use the regex versioning for the vendor-ee/postgresql annotations. Drop the vendor-ee/elasticsearch wiring: the chart pins a plain tag (8.19.x) while the feed uses '-debian-12-rN', so it needs separate handling. --- .github/renovate.json5 | 11 +++++++---- charts/camunda-platform-8.9/values-enterprise.yaml | 7 +++---- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index d4629155f1a..015e1113ef5 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -98,15 +98,18 @@ }, }, packageRules: [ - // vendor-ee/postgresql and vendor-ee/elasticsearch in the 8.9 enterprise values - // are sourced from the bitnami-*-camunda custom datasources (see customManagers); - // disable the docker/helm-values tracking for them so they are not bumped twice. + // vendor-ee/postgresql in the 8.9 enterprise values is sourced from the + // bitnami-postgresql-camunda custom datasource (see customManagers); disable + // the docker/helm-values tracking for it so it is not bumped twice. // NOTE (draft): replicate to 8.7/8.8 once their values are annotated too. + // vendor-ee/elasticsearch is intentionally NOT wired here: the chart pins a + // plain tag (e.g. 8.19.17) while the published feed uses the + // '-debian-12-rN' scheme, so it needs separate handling. { description: 'Bitnami enterprise images tracked via custom datasource, not docker.', matchManagers: ['helm-values'], matchFileNames: ['charts/camunda-platform-8.9/values-enterprise.yaml'], - matchPackageNames: ['/vendor-ee/(postgresql|elasticsearch)$/'], + matchPackageNames: ['/vendor-ee/postgresql$/'], enabled: false, }, { diff --git a/charts/camunda-platform-8.9/values-enterprise.yaml b/charts/camunda-platform-8.9/values-enterprise.yaml index f507b47ab2f..4c43020059f 100644 --- a/charts/camunda-platform-8.9/values-enterprise.yaml +++ b/charts/camunda-platform-8.9/values-enterprise.yaml @@ -28,7 +28,7 @@ identityPostgresql: image: registry: registry.camunda.cloud repository: vendor-ee/postgresql - # renovate: datasource=custom.bitnami-postgresql-camunda depName=postgresql versioning=docker + # renovate: datasource=custom.bitnami-postgresql-camunda depName=postgresql versioning=regex:^(?\d+)\.(?\d+)\.(?\d+)(-(?debian-\d+)-r(?\d+))?$ tag: 18.4.0-debian-12-r2 pullSecrets: - name: registry-camunda-cloud @@ -66,7 +66,7 @@ identityKeycloak: image: registry: registry.camunda.cloud repository: vendor-ee/postgresql - # renovate: datasource=custom.bitnami-postgresql-camunda depName=postgresql versioning=docker + # renovate: datasource=custom.bitnami-postgresql-camunda depName=postgresql versioning=regex:^(?\d+)\.(?\d+)\.(?\d+)(-(?debian-\d+)-r(?\d+))?$ tag: 18.4.0-debian-12-r2 pullSecrets: - name: registry-camunda-cloud @@ -89,7 +89,7 @@ webModelerPostgresql: image: registry: registry.camunda.cloud repository: vendor-ee/postgresql - # renovate: datasource=custom.bitnami-postgresql-camunda depName=postgresql versioning=docker + # renovate: datasource=custom.bitnami-postgresql-camunda depName=postgresql versioning=regex:^(?\d+)\.(?\d+)\.(?\d+)(-(?debian-\d+)-r(?\d+))?$ tag: 18.4.0-debian-12-r2 pullSecrets: - name: registry-camunda-cloud @@ -112,7 +112,6 @@ elasticsearch: image: registry: registry.camunda.cloud repository: vendor-ee/elasticsearch - # renovate: datasource=custom.bitnami-elasticsearch-camunda depName=elasticsearch versioning=docker tag: 8.19.16 pullSecrets: - name: registry-camunda-cloud From 6a50663e4ed477f0c77ff8108bb315d512b27dfc Mon Sep 17 00:00:00 2001 From: Leo <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 24 Jun 2026 16:04:27 +0200 Subject: [PATCH 3/4] feat(renovate): wire vendor-ee/postgresql for 8.7 and 8.8 enterprise values Replicate the 8.9 wiring to the other supported chart versions: annotate the three vendor-ee/postgresql instances in 8.7 and 8.8 values-enterprise.yaml with the bitnami-postgresql-camunda custom datasource, and extend the helm-values disable rule so they are not bumped twice. 8.5/8.6 are intentionally excluded (renovate-disabled, out of support). --- .github/renovate.json5 | 15 +++++++++------ .../camunda-platform-8.7/values-enterprise.yaml | 3 +++ .../camunda-platform-8.8/values-enterprise.yaml | 3 +++ 3 files changed, 15 insertions(+), 6 deletions(-) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 015e1113ef5..89eb9a680a4 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -98,17 +98,20 @@ }, }, packageRules: [ - // vendor-ee/postgresql in the 8.9 enterprise values is sourced from the - // bitnami-postgresql-camunda custom datasource (see customManagers); disable - // the docker/helm-values tracking for it so it is not bumped twice. - // NOTE (draft): replicate to 8.7/8.8 once their values are annotated too. + // vendor-ee/postgresql in the 8.7/8.8/8.9 enterprise values is sourced from + // the bitnami-postgresql-camunda custom datasource (see customManagers); + // disable the docker/helm-values tracking for it so it is not bumped twice. // vendor-ee/elasticsearch is intentionally NOT wired here: the chart pins a - // plain tag (e.g. 8.19.17) while the published feed uses the + // plain tag (e.g. 8.19.16) while the published feed uses the // '-debian-12-rN' scheme, so it needs separate handling. { description: 'Bitnami enterprise images tracked via custom datasource, not docker.', matchManagers: ['helm-values'], - matchFileNames: ['charts/camunda-platform-8.9/values-enterprise.yaml'], + matchFileNames: [ + 'charts/camunda-platform-8.7/values-enterprise.yaml', + 'charts/camunda-platform-8.8/values-enterprise.yaml', + 'charts/camunda-platform-8.9/values-enterprise.yaml', + ], matchPackageNames: ['/vendor-ee/postgresql$/'], enabled: false, }, diff --git a/charts/camunda-platform-8.7/values-enterprise.yaml b/charts/camunda-platform-8.7/values-enterprise.yaml index 7a17ef18821..bb892ca2fbc 100644 --- a/charts/camunda-platform-8.7/values-enterprise.yaml +++ b/charts/camunda-platform-8.7/values-enterprise.yaml @@ -28,6 +28,7 @@ identityPostgresql: image: registry: registry.camunda.cloud repository: vendor-ee/postgresql + # renovate: datasource=custom.bitnami-postgresql-camunda depName=postgresql versioning=regex:^(?\d+)\.(?\d+)\.(?\d+)(-(?debian-\d+)-r(?\d+))?$ tag: 15.18.0-debian-12-r2 pullSecrets: - name: registry-camunda-cloud @@ -58,6 +59,7 @@ identityKeycloak: image: registry: registry.camunda.cloud repository: vendor-ee/postgresql + # renovate: datasource=custom.bitnami-postgresql-camunda depName=postgresql versioning=regex:^(?\d+)\.(?\d+)\.(?\d+)(-(?debian-\d+)-r(?\d+))?$ tag: 15.18.0-debian-12-r2 pullSecrets: - name: registry-camunda-cloud @@ -81,6 +83,7 @@ postgresql: image: registry: registry.camunda.cloud repository: vendor-ee/postgresql + # renovate: datasource=custom.bitnami-postgresql-camunda depName=postgresql versioning=regex:^(?\d+)\.(?\d+)\.(?\d+)(-(?debian-\d+)-r(?\d+))?$ tag: 14.23.0-debian-12-r2 pullSecrets: - name: registry-camunda-cloud diff --git a/charts/camunda-platform-8.8/values-enterprise.yaml b/charts/camunda-platform-8.8/values-enterprise.yaml index 496df2f758d..4245ed3e880 100644 --- a/charts/camunda-platform-8.8/values-enterprise.yaml +++ b/charts/camunda-platform-8.8/values-enterprise.yaml @@ -28,6 +28,7 @@ identityPostgresql: image: registry: registry.camunda.cloud repository: vendor-ee/postgresql + # renovate: datasource=custom.bitnami-postgresql-camunda depName=postgresql versioning=regex:^(?\d+)\.(?\d+)\.(?\d+)(-(?debian-\d+)-r(?\d+))?$ tag: 15.18.0-debian-12-r2 pullSecrets: - name: registry-camunda-cloud @@ -65,6 +66,7 @@ identityKeycloak: image: registry: registry.camunda.cloud repository: vendor-ee/postgresql + # renovate: datasource=custom.bitnami-postgresql-camunda depName=postgresql versioning=regex:^(?\d+)\.(?\d+)\.(?\d+)(-(?debian-\d+)-r(?\d+))?$ tag: 15.18.0-debian-12-r2 pullSecrets: - name: registry-camunda-cloud @@ -87,6 +89,7 @@ webModelerPostgresql: image: registry: registry.camunda.cloud repository: vendor-ee/postgresql + # renovate: datasource=custom.bitnami-postgresql-camunda depName=postgresql versioning=regex:^(?\d+)\.(?\d+)\.(?\d+)(-(?debian-\d+)-r(?\d+))?$ tag: 14.23.0-debian-12-r2 pullSecrets: - name: registry-camunda-cloud From 4916cb41891070e58f9a10f5375668ebf25e5f08 Mon Sep 17 00:00:00 2001 From: Leo <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 24 Jun 2026 16:12:48 +0200 Subject: [PATCH 4/4] docs(renovate): align bitnami datasource comments with real usage Address Copilot review on #6435: - datasource block: clarify only 'version' is consumed; custom json datasources do not maintain the feed's 'newDigest' (values pin tags). - customManager: example uses versioning=regex (not docker), with the reason docker versioning can't order across the '-debian-12-rN' suffix. --- .github/renovate.json5 | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 89eb9a680a4..d5123b0918d 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -64,7 +64,9 @@ format: 'plain', }, // Bitnami Premium image tags published by camunda-deployment-references, one - // self-contained JSON per image whose releases carry {version, newDigest}. + // self-contained JSON per image. Only the 'version' field is used here; the + // feed also carries 'newDigest', but custom json datasources do not consume or + // maintain digest pins (these values pin tags, not digests). // Complete upstream tag list (incl. pre-Nov-2025 tags), no registry creds. // Opt in per image with a '# renovate: datasource=custom.bitnami--camunda' // annotation in values-enterprise.yaml (see customManagers). @@ -433,7 +435,9 @@ }, // Bitnami Premium image tags sourced from the camunda-deployment-references // custom datasources (complete upstream list, credential-free). Opt in per - // image with '# renovate: datasource=custom.bitnami--camunda depName= versioning=docker'. + // image with '# renovate: datasource=custom.bitnami--camunda depName= + // versioning=regex:...'. Bitnami '-debian-12-rN' tags require regex + // versioning; docker versioning does not order across the '-rN' build suffix. { customType: 'regex', fileMatch: [