From e2fbc6eb774991f03907e58aa45e453746ab9db5 Mon Sep 17 00:00:00 2001
From: xnoto
Date: Thu, 30 Apr 2026 08:58:41 -0600
Subject: [PATCH] fix(arc): narrow AutoscalingRunnerSet ignoreDifferences ignoring /spec/template wholesale also masks spec.template.spec changes like serviceAccountName, so the new arc-tf-runner SA never reached the runner pods and they kept booting under the chart's default arc-tf-gha-rs-no-permission SA. Restrict the ignore to the annotation paths the controller actually mutates so template spec changes sync.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 workloads/arc/arc-tf-application.yaml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/workloads/arc/arc-tf-application.yaml b/workloads/arc/arc-tf-application.yaml
index dfcfecd..8f86999 100644
--- a/workloads/arc/arc-tf-application.yaml
+++ b/workloads/arc/arc-tf-application.yaml
@@ -36,9 +36,10 @@ spec:
 - name: runner
 image: ghcr.io/makeitworkcloud/tfroot-runner:latest
 command: ["/home/runner/run.sh"]
- # The gha-runner-scale-set controller mutates AutoscalingRunnerSet at runtime
- # (hash annotations propagate down through spec.template); ignore those drifts
- # so selfHeal doesn't thrash on every reconcile. The dynamically-created
+ # The gha-runner-scale-set controller propagates hash annotations into
+ # AutoscalingRunnerSet metadata and spec.template.metadata; ignore only those
+ # paths so selfHeal doesn't thrash, but spec.template.spec changes
+ # (serviceAccountName, image, etc.) still sync. The dynamically-created
 # listener resources (AutoscalingListener + paired Role/RoleBinding) are
 # cosmetically reported as OutOfSync because the chart doesn't render them
 # and ArgoCD's label-based tracking still claims them — Health stays correct
@@ -48,7 +49,7 @@ spec:
 kind: AutoscalingRunnerSet
 jsonPointers:
 - /metadata/annotations
- /spec/template
+ - /spec/template/metadata/annotations
 syncPolicy:
 automated:
 prune: true
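Review bot: The runner container shown as context in the first hunk is pulled by the mutable tag `ghcr.io/makeitworkcloud/tfroot-runner:latest`, so the rewritten comment's claim that image changes still sync holds only for edits to the tag string, not for new content pushed under `latest`. Because this commit is what lets the runner pods actually start under the arc-tf-runner service account (its permissions are not visible here), pinning by digest would keep the code that runs with that identity reviewable in Git, e.g. `image: ghcr.io/makeitworkcloud/tfroot-runner@sha256:<digest>` (placeholder value). The container spec begins above the hunk.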
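Review bot: `/spec/template/metadata/annotations` in the second hunk, like the existing `/metadata/annotations`, still ignores the whole annotation map, so drift in any annotation on the AutoscalingRunnerSet or its pod template, including ones set from chart values, is neither reported nor self-healed. If the controller only writes a few hash keys, a narrower match such as `jqPathExpressions: ['.spec.template.metadata.annotations["<controller-hash-annotation-key>"]']` (the key name is a placeholder; take it from a live object) would leave the remaining annotations under Argo CD's control. It is also worth confirming whether `RespectIgnoreDifferences=true` is set under `syncOptions`, which lies outside the hunk, since without it the ignore affects diffing only and a sync still writes the rendered annotations. Both the ignoreDifferences entry and syncPolicy continue outside the hunk.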