fix(arc-runner-set): ignore controller-driven drift#11
Merged
Conversation
…rces The gha-runner-scale-set controller mutates AutoscalingListener and AutoscalingRunnerSet at runtime — values-hash / runner-spec-hash annotations and template fields shift on every reconcile. ArgoCD saw permanent drift and stayed OutOfSync. Add ignoreDifferences for those two kinds and turn on RespectIgnoreDifferences so the differences don't trigger sync.
5 tasks
xnoto
added a commit
that referenced
this pull request
Apr 30, 2026
…#25) ## Summary Single GitHub Actions runner-set running the rebuilt tfroot-runner image (based on \`ghcr.io/actions/actions-runner\`). No docker-in-docker, no nested \`container:\` blocks in caller workflows. Consumers move to \`runs-on: arc-tf\`. ### Removed (legacy summerwind ARC + dind plumbing) - \`operators/arc/dind-application.yaml\` — summerwind controller install - \`operators/arc/github-token-secret.yaml\` — its \`arc-dind-systems\` token - \`operators/arc/namespace.yaml\` — \`arc-dind-systems\` ns - \`operators/arc/ksops-arc-secrets.yaml\` — only listed the deleted token - \`workloads/arc/runner-application.yaml\` — old runner-set with \`docker:dind\` sidecar - \`workloads/arc/docker-daemon-config.yaml\` — dind registry-mirror config - \`workloads/arc/registry.yaml\` — internal docker-registry ns + SA + RB - \`workloads/arc/rbac.yaml\` — \`system:openshift:scc:privileged\` binding (the SCC ClusterRole doesn't exist on k3s) ### Added - \`workloads/arc/arc-tf-application.yaml\` — \`gha-runner-scale-set\` Helm Application, \`releaseName / runnerScaleSetName: arc-tf\`, \`image: ghcr.io/makeitworkcloud/tfroot-runner:latest\`. \`ignoreDifferences\` for the controller-mutated listener resources (same fix that was applied to the old generic runner-set in #11). ### Tidied - \`workloads/apps/arc-app.yaml\` — drop the OpenShift ImageStream \`ignoreDifferences\` block. - Both \`operators/arc/\` and \`workloads/arc/\` \`kustomization.yaml\` files trimmed to the surviving resources. ### Kept - \`operators/arc/arcsystem.yaml\` — the \`gha-runner-scale-set-controller\` Application (the new arc-tf runner-set depends on it). - \`workloads/arc/namespace.yaml\` — \`arc-runners\` ns reused for the new runner-set. - \`workloads/arc/github-token-secret.yaml\` + \`ksops-arc-secrets.yaml\` — \`arc-runner-github-token\` Secret reused as \`githubConfigSecret\`. ## Pairs with - images PR #6 (merged) — tfroot-runner image rebased onto \`ghcr.io/actions/actions-runner\`. - shared-workflows (incoming) — drop the nested \`container:\` block; default \`runs-on: arc-tf\`. - tfroot-libvirt (incoming) — caller switches from \`runs-on: arc-dind\` + \`container:\` to plain \`runs-on: arc-tf\`. ## Test plan - [x] After merge: \`kubectl -n arc-runners get autoscalingrunnerset arc-tf\` exists; listener pod registers with GitHub - [x] After merge: GitHub org → Actions → Runners shows an \`arc-tf\` runner set - [x] After merge: a job with \`runs-on: arc-tf\` spawns an ephemeral pod in arc-runners, runs to completion, pod terminates - [x] After merge: legacy \`arc-dind\` Application is pruned by gitops-operators; \`arc-dind-systems\` ns gone - [x] After merge: \`docker-registry\` ns gone (pruned) 🤖 Generated with [Claude Code](https://claude.com/claude-code)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
`arc-runner-set` Application stayed permanently OutOfSync after merging because the gha-runner-scale-set controller mutates `AutoscalingListener` and `AutoscalingRunnerSet` at runtime — `actions.github.com/values-hash` and `actions.github.com/runner-spec-hash` annotations rotate on every reconcile, and the listener spec is regenerated from the source AutoscalingRunnerSet. ArgoCD saw permanent drift on the two CRD instances.
Add `ignoreDifferences` for those two kinds (`/metadata/annotations` and the runtime-mutated subspecs) plus the `RespectIgnoreDifferences=true` syncOption so selfHeal doesn't trigger on those paths.
Health was already `Healthy` — runners were online — so this is a cosmetic fix to clear OutOfSync, not a functional one.
Test plan
🤖 Generated with Claude Code