docs: refactor README and AGENTS to current k3s behavior #31
Merged
The file existed in the workloads/grafana directory but wasn't referenced in resources, so the OnionService CR for the public status dashboard was never applied. Adding it brings the onion address listed on onion.makeitwork.cloud (7m3fv4pd5m...onion) live again.
Also install kubectl in the CD sync job so the bootstrap Applications can actually be patched. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The previous job installed kubectl explicitly even though the tfroot-runner image already ships it (Containerfile). Drop the redundant setup step and target the actual scale set name (arc-tf) so the job dispatches to an in-cluster runner whose auto-mounted SA token authenticates kubectl directly — no Actions secrets needed. Renamed from ci.yml because this workflow lints and deploys; "ci" implies test-only. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Creates an arc-tf-runner ServiceAccount in arc-runners and binds a Role in argocd that allows get+patch on applications.argoproj.io. The arc-tf scale set template now mounts this SA, so the in-cluster sync workflow's `kubectl patch application` runs against the API using the auto-mounted token. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
xnoto added a commit that referenced this pull request Apr 30, 2026
## Summary

The previous `ignoreDifferences` rule on `AutoscalingRunnerSet` ignored the entire `/spec/template`, which masked legitimate changes like `serviceAccountName`. Result: even after `arc-tf-runner` was added in #31, runner pods kept spinning up under the chart's default `arc-tf-gha-rs-no-permission` SA and the sync workflow failed with `Forbidden` on `applications.argoproj.io`.

This narrows the ignore to only `/spec/template/metadata/annotations` — the path the gha-runner-scale-set controller actually mutates with hash propagation.

## Test plan

- [x] After ArgoCD syncs, `kubectl -n arc-runners get pods -o jsonpath='{..serviceAccountName}'` shows `arc-tf-runner`
- [x] Push to `main` triggers `Sync ArgoCD` job and successfully patches the bootstrap Applications

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
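The failure mode in the commit message above (an ignore rule broad enough to hide a `serviceAccountName` change) can be caught with a small lint; this is an added example, not code from the repository. It assumes the rule is written with `jsonPointers` and the `actions.github.com` group, and the list of sensitive paths and all function names are hypothetical.

```python
"""Lint Argo CD ignoreDifferences rules for pointers that hide security-relevant fields."""

# Fields whose drift should stay visible to Argo CD (assumed list for this example).
SENSITIVE_PATHS = [
    "/spec/template/spec/serviceAccountName",
    "/spec/template/spec/containers",
    "/spec/template/spec/volumes",
]


def tokens(pointer):
    """Split an RFC 6901 JSON pointer into unescaped reference tokens."""
    if pointer == "":
        return []
    if not pointer.startswith("/"):
        raise ValueError(f"not a JSON pointer: {pointer!r}")
    return [t.replace("~1", "/").replace("~0", "~") for t in pointer[1:].split("/")]


def masks(ignored, path):
    """True when ignoring `ignored` also hides `path` (same node or an ancestor)."""
    ig, p = tokens(ignored), tokens(path)
    return p[:len(ig)] == ig  # compare whole tokens, not string prefixes


def audit(application, kinds=("AutoscalingRunnerSet",)):
    """Return (kind, pointer, masked_path) for every over-broad ignore rule."""
    findings = []
    for rule in application.get("spec", {}).get("ignoreDifferences", []):
        if rule.get("kind") not in kinds:
            continue
        for pointer in rule.get("jsonPointers", []):
            for path in SENSITIVE_PATHS:
                if masks(pointer, path):
                    findings.append((rule["kind"], pointer, path))
    return findings


def app(pointer):
    """Constructed Application fragment carrying a single ignore rule."""
    return {"spec": {"ignoreDifferences": [{
        "group": "actions.github.com",  # assumed API group of AutoscalingRunnerSet
        "kind": "AutoscalingRunnerSet",
        "jsonPointers": [pointer],
    }]}}


if __name__ == "__main__":
    for label, ptr in [("before", "/spec/template"),
                       ("after", "/spec/template/metadata/annotations")]:
        print(label, ptr, audit(app(ptr)) or "ok")
```
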
## Summary

- `README.md` and `AGENTS.md` to describe the current k3s cluster, vanilla ArgoCD in the `argocd` namespace, Cloudflare Tunnel + TunnelBindings for external traffic, and WARP-only domains for in-cluster TLS — without referencing prior platforms or migration history.
- `kubectl` in the CD sync job via `azure/setup-kubectl@v4` so the `kubectl patch` calls against the bootstrap Applications actually run.

## Test plan

- `main` triggers the sync job and successfully patches `bootstrap-secrets`, `gitops-operators`, `gitops-workloads`

🤖 Generated with Claude Code