diff --git a/apps/github-runner/github-runner.yaml b/apps/github-runner/github-runner.yaml
index 40748d7..26a0555 100644
--- a/apps/github-runner/github-runner.yaml
+++ b/apps/github-runner/github-runner.yaml
@@ -24,6 +24,8 @@
 # expire after 1h — use a fine-grained PAT with admin:org_hook scope
 # or a re-registration script. See docs/infrastructure/
 # self-hosted-runner-fleet.md §Security.
+# Until that item exists and the Secret contains key "credential", this
+# deployment intentionally stays at replicas: 0.
 #
 # Security model:
 # - No ClusterRole / ClusterRoleBinding — runner has no K8s API access.
@@ -53,13 +55,18 @@ metadata:
 # 1Password secret sync — creates github-runner-token K8s Secret.
 # Fields expected in the 1Password item:
 # credential — GitHub runner registration token (or PAT for re-reg script)
-# Item path: IAmWorkin vault > "GitHub Runner Registration Token"
-# Operator MUST create this item before the Deployment will start cleanly.
+# Item path convention: vaults/IAmWorkin/items/
+# Current required title: "GitHub Runner Registration Token"
+# Operator MUST create this item before replicas can be raised above 0.
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
 name: github-runner-token
 namespace: github-runner
+ annotations:
+ flowercore.io/operator-action: "Create IAmWorkin item 'GitHub Runner Registration Token' with field 'credential'."
+ flowercore.io/replica-gate: "Keep Deployment replicas at 0 until github-runner-token Secret exists with key credential."
+ flowercore.io/provisioning-status: "awaiting-operator-secret-provisioning"
 labels:
 app.kubernetes.io/component: credentials
 app.kubernetes.io/part-of: flowercore
@@ -100,6 +107,8 @@ kind: Deployment
 metadata:
 name: github-runner
 namespace: github-runner
+ annotations:
+ flowercore.io/replica-gate: "Scale to 1 only after the 1Password item exists and github-runner-token has key credential."
 labels:
 app.kubernetes.io/name: github-runner
 app.kubernetes.io/component: runner
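Review bot: The replica gate ("stay at replicas: 0 until the github-runner-token Secret has key credential") is now spelled out in four places — this header comment, the three annotations in the @@ -53 hunk, the Deployment annotation in the @@ -100 hunk and the comment above `replicas: 0` in the @@ -111 hunk — so lifting the gate later means editing all of them in lockstep, and any one left behind becomes a false statement about the current state. Keeping a single authoritative statement (this header comment is the natural place) and having the others refer to it removes that drift risk; for the annotations something as short as `flowercore.io/replica-gate: "See the replica-gate note in the header comment of github-runner.yaml."` is enough. The two resources also phrase the same key differently (the OnePasswordItem's says keep at 0, the Deployment's says when to scale to 1), which is worth unifying if the annotation is ever meant to be read by tooling rather than humans.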
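Review bot: `flowercore.io/provisioning-status: "awaiting-operator-secret-provisioning"` is a hand-maintained status value in a declarative manifest: nothing updates it when the operator creates the item and the Secret syncs, so it will keep reporting "awaiting" indefinitely while the real state is already observable from the OnePasswordItem's status and from whether the `github-runner-token` Secret carries the `credential` key. I would drop it, or rephrase it as intent rather than state (for example `flowercore.io/provisioning: "manual"`), and leave status to the operator. The new `# Item path convention: vaults/IAmWorkin/items/` comment also stops short of the full path; if `spec.itemPath` (outside this hunk) carries it, the comment should either repeat it exactly or just point at it, so the two cannot disagree.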
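Review bot: The Deployment annotation says "Scale to 1 only after …", which reads as an imperative `kubectl scale`, whereas the comment in the @@ -111 hunk says a follow-up PR should set `replicas: 1`; if this manifest is reconciled from git (not visible in this diff), an imperative scale would be reverted at the next sync, so the two instructions should agree on the PR route. Suggested wording: `flowercore.io/replica-gate: "Raise replicas to 1 via PR only after the github-runner-token Secret exists with key credential."`.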
@@ -111,6 +120,9 @@ spec:
 # one pod at a time. Each pod re-registers as an ephemeral runner after
 # completing a job (EPHEMERAL=true restarts the container, not the pod,
 # so the PVC stays attached between jobs).
+ # Intentionally 0 while the GitHub runner token item is absent. Follow-up
+ # PR should set replicas: 1 only after operator provisioning and Secret
+ # sync verification.
 replicas: 0
 selector:
 matchLabels:
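Review bot: `# PR should set replicas: 1 …` points at a follow-up PR that does not exist yet and gives no handle for finding it later, so the comment will age into a dangling reference; a tracking-issue line is more durable, e.g. `# Tracked in: <ISSUE-ID>` with the real id filled in. "Secret sync verification" is also left undefined — naming the concrete check (the `github-runner-token` Secret in namespace `github-runner` exists, its data has the key `credential`, and the OnePasswordItem reports a successful sync) would make the gate reproducible for whoever lifts it. The Deployment spec this comment sits in continues outside the hunk.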