🤖 MintMaker & Renovate Workflow

How Automated Dependency Updates Create PRs in infra-deployments

🎯 What is MintMaker?

MintMaker is a Kubernetes operator that automates dependency updates for Konflux components. It uses Renovate (the popular dependency update tool) to scan for new container images and automatically creates Pull Requests in infra-deployments when new versions are available.

Think of it as: A robot that constantly watches for new component images and automatically updates infra-deployments manifests (across all Kustomize overlays) so your deployments stay current.

📚 Learn More: Understanding Kustomize Overlays | MintMaker Repo

Complete Workflow: From Image Build to PR

1. Component PR Merges
Time: 0 minutes
A developer's PR merges in a component repository (e.g., build-service). This is the starting point of the entire automated workflow.
Example: PR #1234 in konflux-ci/build-service
Title: Add support for new build platform
Status: ✅ Merged to main branch
2. Postsubmit CI Builds New Image
Duration: 10-15 minutes
After merge, the postsubmit CI job automatically builds a new container image and pushes it to quay.io with multiple tags.

    # GitHub Actions or other CI builds and pushes image
    docker build -t quay.io/konflux-ci/build-service:main .
    docker push quay.io/konflux-ci/build-service:main

    # Multiple tags are created:
    :latest                                      # Always points to latest main
    :main-abc123d                                # Branch + short commit SHA
    :sha-abc123def456789...                      # Full commit SHA
    :affd5b51b3d597ae73a84702e82da7df215915db    # Actual example!

3. MintMaker Detects New Image
Wait Time: Up to 2 hours (scanning interval)
MintMaker runs Renovate on a schedule. When it scans, Renovate queries the quay.io registry API to check for new image tags. It compares the tags it finds with what is currently in the infra-deployments manifests.

    # Renovate scans quay.io registry
    GET https://quay.io/api/v1/repository/konflux-ci/build-service/tag/

    # Returns all available tags
    {
      "tags": [
        {"name": "latest", "manifest_digest": "sha256:..."},
        {"name": "main-abc123d", "manifest_digest": "sha256:..."},
        {"name": "affd5b51b3d597ae73a84702e82da7df215915db", ...}
      ]
    }

    # Compares with current infra-deployments/components/build-service/*/kustomization.yaml
    # Current: old456e
    # Latest:  affd5b51b3d597ae73a84702e82da7df215915db ← NEW!

⏰ Scanning Schedule: MintMaker runs Renovate periodically (typically every 2 hours). This is why there's a delay between image push and PR creation: it waits for the next scan cycle!
4. Renovate Creates Git Branch
Duration: 1-2 minutes
Renovate clones infra-deployments, creates a new branch, and updates the image reference in the kustomization.yaml files for all environments (development, staging, production).

    # Branch created by Renovate
    renovate/konflux-ci-build-service-affd5b51

    # Files updated (REAL LOCATIONS in your workspace!):
    📝 components/build-service/development/kustomization.yaml
    📝 components/build-service/staging/base/kustomization.yaml
    📝 components/build-service/production/base/kustomization.yaml

    # What changes:
    images:
    - name: quay.io/konflux-ci/build-service
      newName: quay.io/konflux-ci/build-service
      newTag: affd5b51b3d597ae73a84702e82da7df215915db  ← UPDATED!

5. Renovate Opens Pull Request
Duration: < 1 minute
Renovate pushes the branch and creates a PR in infra-deployments with details about the update.

🎯 Real Example PR Structure

Title: Update konflux-ci/build-service Docker tag to affd5b51

Body:
    This PR contains the following updates:

    | Package | Update | Change |
    |---------|--------|--------|
    | quay.io/konflux-ci/build-service | digest | `old456e` -> `affd5b51` |

    🔗 Source PR: https://github.com/konflux-ci/build-service/pull/1234

    📝 Commits included in this update:
    - abc123d - Add support for new build platform (@developer)
    - def456e - Fix build template validation (@developer)

    ---

    📦 Updated in: development, staging, production
    🤖 Automated by MintMaker/Renovate

Files Changed: 3 (dev, staging, prod kustomization.yaml)
Assignees: None (automated)
Labels: dependencies, automated
6. OpenShift CI Tests the PR
Duration: 1-1.5 hours
A GitHub webhook triggers OpenShift CI (Prow). CI provisions a cluster, installs Konflux with the NEW image, and runs the complete E2E test suite to validate that the update works.

    # OpenShift CI workflow
    1. Provision OpenShift 4.17 cluster on AWS
    2. Clone infra-deployments at PR branch
    3. Run bootstrap script with NEW build-service image
    4. Run E2E tests (see separate visual guide!)
    5. Report results back to GitHub PR

    # Tests validate:
    ✅ New image deploys successfully
    ✅ Build service API works
    ✅ Pipelines can be created
    ✅ Multi-platform builds function
    ✅ All integration points work

7. Human Review & Merge
Duration: Hours to days (human decision)
A human reviews the PR, checks test results, and merges if everything looks good. This is the only manual step in the entire workflow!
Review Checklist
✅ CI tests passed
✅ No breaking changes in commit messages
✅ Image tag looks correct
✅ All environments updated consistently

Action: Approve and Merge 🎉
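
The "Image tag looks correct" and "All environments updated consistently" items can be checked mechanically before approving. This is an added example, not code from MintMaker, Renovate or infra-deployments: `parse_images` and `review_update` are hypothetical helpers, the manifests are constructed inline from the `images:` block shown in step 4, and a minimal line parser stands in for a YAML library.

```python
import re

SHA = "affd5b51b3d597ae73a84702e82da7df215915db"  # tag used on this page
REPO = "quay.io/konflux-ci/build-service"
# Constructed manifest text mirroring the images: block shown in step 4.
TEMPLATE = "resources:\n- ../base\nimages:\n- name: {r}\n  newName: {r}\n  newTag: {t}\n"
PATHS = [f"components/build-service/{env}/kustomization.yaml"
         for env in ("development", "staging/base", "production/base")]
SAMPLE = {p: TEMPLATE.format(r=REPO, t=SHA) for p in PATHS}
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")  # rejects moving tags such as latest or main


def parse_images(text):
    """Minimal line parser for the images: layout on this page (not general YAML)."""
    images, in_images = [], False
    for line in text.splitlines():
        if re.match(r"^[A-Za-z]", line):  # a top-level key starts or ends the section
            in_images = line.strip() == "images:"
            continue
        m = re.match(r"^\s*(-\s+)?(\w+):\s*(\S+)", line) if in_images else None
        if not m:
            continue
        if m.group(1):  # "- name:" opens a new entry
            images.append({})
        if images:
            images[-1][m.group(2)] = m.group(3).strip("'\"")
    return images


def review_update(files, image=REPO, allowed_repo=REPO):
    """Return findings for the two checklist items; an empty list means both pass."""
    findings, tags = [], set()
    for path, text in files.items():
        entry = next((i for i in parse_images(text) if i.get("name") == image), None)
        if entry is None:
            findings.append(f"{path}: no images entry for {image}")
            continue
        repo = entry.get("newName", image)
        if repo != allowed_repo:
            findings.append(f"{path}: image resolves to unexpected repository {repo}")
        tag = entry.get("newTag", "")
        if not FULL_SHA.match(tag):
            findings.append(f"{path}: newTag {tag!r} is not a full 40-character commit SHA")
        tags.add(tag)
    if len(tags) > 1:
        findings.append(f"environments disagree on newTag: {sorted(tags)}")
    return findings
```

Calling `review_update(SAMPLE)` on the constructed manifests returns an empty list; in a checkout, pass a dict of path to file contents read from the PR branch instead.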
8. ArgoCD Deploys to Clusters
Duration: 3-5 minutes per environment
After merge, ArgoCD (running in the actual clusters) detects the manifest change and syncs the new image to the development, then staging, then production environments.

    # ArgoCD sync process
    1. ArgoCD polls infra-deployments every 3 minutes
    2. Detects: components/build-service/.../kustomization.yaml changed
    3. Marks Application as "OutOfSync"
    4. Automatically syncs (or waits for approval)
    5. Kubernetes pulls new image: quay.io/konflux-ci/build-service@sha256:...
    6. Performs rolling update of build-service pods
    7. New pods start with updated image
    8. Old pods terminate after new ones are healthy

    # Result: build-service is now running with your merged changes!

🔑 Key Facts & Timing

Complete Timeline Breakdown

| Phase | Duration | Type |
|-------|----------|------|
| Image Build | 10-15 minutes | Automated |
| ⏰ Wait for Scan | Up to 2 hours | Scheduled |
| PR Creation | 1-2 minutes | Automated |
| CI Testing | 1-1.5 hours | Automated |
| 👤 Human Review | Hours to days | Manual |
| ArgoCD Deployment | 3-5 minutes | Automated |
| TOTAL (excluding review) | 3-4 hours typical | |

💡 Why the 2-hour wait? MintMaker runs Renovate on a schedule (not continuously) to balance resource usage with freshness. This means your new image won't be detected immediately - it waits for the next scan cycle. This is intentional and expected!
🎯 What Gets Updated: Renovate updates ALL environments in one PR: development, staging, AND production. This ensures consistency across environments and reduces the number of PRs.
🔍 How Renovate Knows About Images: It reads the images: section in kustomization.yaml files. The newName field tells it which registry/repository to check, and it looks for newer newTag values.

📁 Real File Locations

🤖 MintMaker Operator Deployment

    components/mintmaker/
        base/
        development/
        staging/
        production/

📝 Files Renovate Updates (build-service example)

components/build-service/development/kustomization.yaml ← Renovate updates
components/build-service/staging/base/kustomization.yaml ← And this
components/build-service/production/base/kustomization.yaml ← And this

🔄 What Changes in Each File

Each kustomization.yaml contains an images: section:

    images:
    - name: quay.io/konflux-ci/build-service
      newName: quay.io/konflux-ci/build-service
      newTag: affd5b51b3d597...  ← This line changes!