feat(arc): replace dind runner with arc-tf scale set on tfroot-runner #25

Merged: xnoto merged 1 commit into main from feat/arc-tf-deprecate-dind on Apr 30, 2026

xnoto commented Apr 30, 2026

Summary

Single GitHub Actions runner-set running the rebuilt tfroot-runner image (based on `ghcr.io/actions/actions-runner`). No docker-in-docker, no nested `container:` blocks in caller workflows. Consumers move to `runs-on: arc-tf`.

Removed (legacy summerwind ARC + dind plumbing)

  • `operators/arc/dind-application.yaml` — summerwind controller install
  • `operators/arc/github-token-secret.yaml` — its `arc-dind-systems` token
  • `operators/arc/namespace.yaml` — `arc-dind-systems` ns
  • `operators/arc/ksops-arc-secrets.yaml` — only listed the deleted token
  • `workloads/arc/runner-application.yaml` — old runner-set with `docker:dind` sidecar
  • `workloads/arc/docker-daemon-config.yaml` — dind registry-mirror config
  • `workloads/arc/registry.yaml` — internal docker-registry ns + SA + RB
  • `workloads/arc/rbac.yaml` — `system:openshift:scc:privileged` binding (the SCC ClusterRole doesn't exist on k3s)

Added

  • `workloads/arc/arc-tf-application.yaml` — `gha-runner-scale-set` Helm Application, `releaseName / runnerScaleSetName: arc-tf`, `image: ghcr.io/makeitworkcloud/tfroot-runner:latest`. `ignoreDifferences` for the controller-mutated listener resources (same fix that was applied to the old generic runner-set in fix(arc-runner-set): ignore controller-driven drift #11).

Tidied

  • `workloads/apps/arc-app.yaml` — drop the OpenShift ImageStream `ignoreDifferences` block.
  • Both `operators/arc/` and `workloads/arc/` `kustomization.yaml` files trimmed to the surviving resources.

Kept

  • `operators/arc/arcsystem.yaml` — the `gha-runner-scale-set-controller` Application (the new arc-tf runner-set depends on it).
  • `workloads/arc/namespace.yaml` — `arc-runners` ns reused for the new runner-set.
  • `workloads/arc/github-token-secret.yaml` + `ksops-arc-secrets.yaml` — `arc-runner-github-token` Secret reused as `githubConfigSecret`.

Pairs with

  • images PR fix: drop OLM artifacts blocking gitops-operators sync on k3s #6 (merged) — tfroot-runner image rebased onto `ghcr.io/actions/actions-runner`.
  • shared-workflows (incoming) — drop the nested `container:` block; default `runs-on: arc-tf`.
  • tfroot-libvirt (incoming) — caller switches from `runs-on: arc-dind` + `container:` to plain `runs-on: arc-tf`.

Test plan

  • After merge: `kubectl -n arc-runners get autoscalingrunnerset arc-tf` exists; listener pod registers with GitHub
  • After merge: GitHub org → Actions → Runners shows an `arc-tf` runner set
  • After merge: a job with `runs-on: arc-tf` spawns an ephemeral pod in arc-runners, runs to completion, pod terminates
  • After merge: legacy `arc-dind` Application is pruned by gitops-operators; `arc-dind-systems` ns gone
  • After merge: `docker-registry` ns gone (pruned)

🤖 Generated with Claude Code

Single GitHub Actions runner-set running the rebuilt tfroot-runner image
(based on ghcr.io/actions/actions-runner) — no docker-in-docker, no
nested `container:` block in caller workflows. Consumers use
`runs-on: arc-tf`.

Removed:
- operators/arc/dind-application.yaml — legacy summerwind controller
- operators/arc/github-token-secret.yaml — its arc-dind-systems token
- operators/arc/namespace.yaml — arc-dind-systems ns
- operators/arc/ksops-arc-secrets.yaml — only listed the deleted token
- workloads/arc/runner-application.yaml — old runner-set with dind sidecar
- workloads/arc/docker-daemon-config.yaml — dind registry-mirror config
- workloads/arc/registry.yaml — internal docker-registry ns + SA + RB
- workloads/arc/rbac.yaml — system:openshift:scc:privileged binding
  (the SCC ClusterRole doesn't exist on k3s anyway)

Added:
- workloads/arc/arc-tf-application.yaml — gha-runner-scale-set Helm
  Application, releaseName/runnerScaleSetName: arc-tf, image:
  ghcr.io/makeitworkcloud/tfroot-runner:latest. ignoreDifferences for
  the listener resources the controller mutates at runtime, mirroring
  what was needed for the previous arc-runner-set.

Tidied:
- workloads/apps/arc-app.yaml — drop the OpenShift ImageStream
  ignoreDifferences block (no ImageStreams on k3s).
- operators/arc/kustomization.yaml — only references arcsystem.yaml now.
- workloads/arc/kustomization.yaml — only namespace + arc-tf Application
  + ksops generator (PAT secret retained, just renamed conceptually).
xnoto self-assigned this Apr 30, 2026
xnoto merged commit 65666d9 into main Apr 30, 2026
2 checks passed
xnoto deleted the feat/arc-tf-deprecate-dind branch April 30, 2026 04:51
xnoto added a commit that referenced this pull request Apr 30, 2026
## Summary

Revert the additions from #26 — they didn't actually resolve the
OutOfSync state, which structurally needs a cluster-wide
`resourceTrackingMethod` change to fix and is functionally cosmetic.
Keep only the AutoscalingRunnerSet `ignoreDifferences` entry that
prevents selfHeal from thrashing on controller-driven annotation churn.

### Removed (from #26)

- `ServerSideApply=true` syncOption
- `Role` / `RoleBinding` `ignoreDifferences` entries

### Removed (cleanup, was originally added in #25)

- `AutoscalingListener` `ignoreDifferences` entry — the chart
doesn't render that kind at all, so there's nothing for ArgoCD to drift
from

### Kept

- `AutoscalingRunnerSet` `ignoreDifferences` for
`/metadata/annotations` and `/spec/template` (chart-rendered, does
see real drift)
- `RespectIgnoreDifferences=true` syncOption

## Comment in the manifest now documents the cosmetic OutOfSync as
accepted.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
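
The Argo CD Application that the PR description and the follow-up commit message together describe, written out as an added example; it is not the repository's `arc-tf-application.yaml`. The Argo CD namespace and project, the OCI chart location, the runner command and the `prune` setting are assumptions, and the chart version and organization URL are placeholders because the page does not state them.

```yaml
# Added illustration; not the repository's manifest.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: arc-tf
  namespace: argocd                     # assumption: where Argo CD runs
spec:
  project: default                      # assumption
  destination:
    server: https://kubernetes.default.svc
    namespace: arc-runners              # namespace the PR keeps and reuses
  source:
    # assumption: chart pulled from the upstream OCI registry
    repoURL: ghcr.io/actions/actions-runner-controller-charts
    chart: gha-runner-scale-set
    targetRevision: "<chart-version>"   # placeholder: not stated on the page
    helm:
      releaseName: arc-tf
      valuesObject:
        runnerScaleSetName: arc-tf
        githubConfigUrl: "https://github.com/<org>"   # placeholder
        githubConfigSecret: arc-runner-github-token   # Secret the PR reuses
        # containerMode is left unset: no dind sidecar and no privileged
        # container, so the removed SCC binding has no replacement here.
        template:
          spec:
            containers:
              - name: runner
                # tag as given on the page; a digest pin (@sha256:...)
                # would make the runner image immutable
                image: ghcr.io/makeitworkcloud/tfroot-runner:latest
                command: ["/home/runner/run.sh"]   # assumption: chart default
  syncPolicy:
    automated:
      prune: true                       # assumption
      selfHeal: true                    # selfHeal is named in the follow-up
    syncOptions:
      # makes sync and selfHeal honour the ignoreDifferences entries below
      - RespectIgnoreDifferences=true
  ignoreDifferences:
    # the only entry the follow-up commit keeps
    - group: actions.github.com
      kind: AutoscalingRunnerSet
      jsonPointers:
        - /metadata/annotations
        - /spec/template
```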