fix(arc-tf): silence listener-resource drift via SSA + ignoreDifferences (#26)

xnoto · web-flow · commit c46b6f1929a7 · 2026-04-29T23:01:12.000-06:00
## Summary \`arc-tf\` Application has been showing OutOfSync because the gha-runner-scale-set controller dynamically creates an \`AutoscalingListener\` plus a paired \`Role\` / \`RoleBinding\` (named \`<release>-<hash>-listener\`) at runtime — none of which are in the chart's rendered output — and rotates hash annotations on them on every reconcile. Two parts to the fix: 1. **\`ServerSideApply=true\`** — ArgoCD respects field-manager separation. The controller's mutations on annotations don't get reverted, and ArgoCD doesn't try to manage fields it doesn't own. 2. **\`ignoreDifferences\`** extended to cover \`/metadata/annotations\` on the dynamically-created \`Role\` and \`RoleBinding\` kinds (was previously only \`AutoscalingListener\` + \`AutoscalingRunnerSet\`). ## Test plan - [x] After merge: \`arc-tf\` Application reaches Synced + Healthy and stays there across listener reconciles - [x] Runner pod still spawns / picks up jobs / terminates as before 🤖 Generated with [Claude Code](https://claude.com/claude-code)
diff --git a/workloads/arc/arc-tf-application.yaml b/workloads/arc/arc-tf-application.yaml
@@ -35,8 +35,11 @@ spec:
               - name: runner
                 image: ghcr.io/makeitworkcloud/tfroot-runner:latest
                 command: ["/home/runner/run.sh"]
-  # The gha-runner-scale-set controller mutates listener resources at runtime
-  # (hash annotations, autoscaling spec). Ignore those drifts.
+  # The gha-runner-scale-set controller creates the listener AutoscalingListener
+  # and a paired Role/RoleBinding at runtime (named `<release>-<hash>-listener`),
+  # then continually rotates hash annotations on them. None of these are in the
+  # chart's rendered output. Ignore field-level drift, and rely on ServerSideApply
+  # so ArgoCD doesn't try to manage fields the controller owns.
   ignoreDifferences:
     - group: actions.github.com
       kind: AutoscalingListener
@@ -48,9 +51,18 @@ spec:
       jsonPointers:
         - /metadata/annotations
         - /spec/template
+    - group: rbac.authorization.k8s.io
+      kind: Role
+      jsonPointers:
+        - /metadata/annotations
+    - group: rbac.authorization.k8s.io
+      kind: RoleBinding
+      jsonPointers:
+        - /metadata/annotations
   syncPolicy:
     automated:
       prune: true
       selfHeal: true
     syncOptions:
+      - ServerSideApply=true
       - RespectIgnoreDifferences=true
