Running the arc-runners inside the same cluster as Argo CD
One of the benefits of using self-hosted runners (compared to GitHub-hosted runners) is that you can re-use Argo CD's access credentials from the host cluster.
In other words, if your arc-runner pod runs inside the same cluster as Argo CD, you can run `kubectl get secrets -n argocd` from inside your pipeline to read the secrets from the host cluster, and then use them for argocd-diff-preview.
Example:
This example is meant for inspiration. You can structure it in many different ways.
```yaml
name: Diff Preview

on:
  pull_request:
    branches:
      - "main"

jobs:
  diff-preview-prod:
    name: Diff Preview
    runs-on: your-arc-runner
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          path: pull-request
          fetch-depth: 0

      - uses: actions/checkout@v4
        with:
          ref: main
          path: main

      - uses: azure/setup-kubectl@v4
        id: install

      # Get secret from the host cluster and apply it to the ephemeral local cluster (for the diff preview)
      - name: Get secrets
        run: |
          kubectl config view || true
          kubectl get secrets -n argocd || true
          mkdir -p secrets

          # Get the secrets from the host cluster
          kubectl get secrets -n argocd -o json -l argocd.argoproj.io/secret-type > argocd-secrets.json

          # Clean up the secrets
          jq '{apiVersion: "v1", kind: "List", items: [.items[] | del(.metadata.annotations, .metadata.creationTimestamp, .metadata.ownerReferences, .metadata.resourceVersion, .metadata.selfLink, .metadata.uid, .metadata.managedFields) | .metadata.namespace = "argocd"]}' argocd-secrets.json > processed-secrets.json

          # Split into individual files
          counter=1
          jq -c '.items[]' processed-secrets.json | while IFS= read -r line; do
            if [ -n "$line" ]; then
              echo "$line" | jq '.' > "secrets/manifest-$(printf "%03d" $counter).json"
              counter=$((counter + 1))
            fi
          done

          # Clean up temporary files
          rm -f argocd-secrets.json processed-secrets.json

      - name: Generate Diff
        run: |
          docker run \
            --network=host \
            -v /var/run/docker.sock:/var/run/docker.sock \
            -v $(pwd)/main:/base-branch \
            -v $(pwd)/pull-request:/target-branch \
            -v $(pwd)/secrets:/secrets \
            -v $(pwd)/output:/output \
            -e TARGET_BRANCH=refs/pull/${{ github.event.number }}/merge \
            -e REPO=${{ github.repository }} \
            dagandersen/argocd-diff-preview:v0.1.16

      - name: Post diff as comment
        run: |
          gh pr comment ${{ github.event.number }} --repo ${{ github.repository }} --body-file output/diff.md --edit-last || \
          gh pr comment ${{ github.event.number }} --repo ${{ github.repository }} --body-file output/diff.md
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
CIDR collision
When using Actions Runner Controller (ARC) to self-host your GitHub Actions runners, you need to ensure that the Service and Pod CIDRs of the kind cluster created by argocd-diff-preview don't overlap with your host cluster's CIDRs.
The default CIDRs are:

| Type    | CIDR          |
|---------|---------------|
| Service | 10.96.0.0/16  |
| Pod     | 10.244.0.0/16 |
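As an added check that is not part of the argocd-diff-preview project, the script below compares a host cluster's Service and Pod CIDRs against the kind defaults in the table above, picks non-overlapping /16 replacements when a default collides, and renders them as a kind `networking` config (`serviceSubnet` and `podSubnet` are kind's own config fields). The host CIDRs used in the `__main__` block are constructed sample values; read yours from the host cluster instead.

```python
# Added example, not part of the argocd-diff-preview project: compare a host
# cluster's CIDRs with kind's defaults and pick replacements that do not overlap.
import ipaddress

# kind defaults, as listed in the table above
KIND_DEFAULTS = {
    "serviceSubnet": ipaddress.ip_network("10.96.0.0/16"),
    "podSubnet": ipaddress.ip_network("10.244.0.0/16"),
}

def find_collisions(host_cidrs, kind_cidrs=KIND_DEFAULTS):
    """Return (kind subnet name, host CIDR) pairs whose address ranges overlap."""
    hosts = [ipaddress.ip_network(c, strict=False) for c in host_cidrs]
    return [(name, str(h)) for name, net in kind_cidrs.items()
            for h in hosts if net.overlaps(h)]

def choose_kind_subnets(host_cidrs, pool="10.0.0.0/8", prefix=16):
    """Pick a serviceSubnet and a podSubnet that overlap neither the host CIDRs
    nor each other; kind's default is kept whenever it is already free."""
    hosts = [ipaddress.ip_network(c, strict=False) for c in host_cidrs]
    chosen = {}
    for name, default in KIND_DEFAULTS.items():
        # Try the default first, then walk the pool for the first free block
        candidates = [default] + list(ipaddress.ip_network(pool).subnets(new_prefix=prefix))
        taken = hosts + list(chosen.values())
        for cand in candidates:
            if not any(cand.overlaps(t) for t in taken):
                chosen[name] = cand
                break
        else:
            raise ValueError(f"no free /{prefix} left in {pool} for {name}")
    return {k: str(v) for k, v in chosen.items()}

def render_kind_config(subnets):
    """Emit a kind cluster config whose networking block overrides both subnets."""
    return (
        "kind: Cluster\n"
        "apiVersion: kind.x-k8s.io/v1alpha4\n"
        "networking:\n"
        f'  serviceSubnet: "{subnets["serviceSubnet"]}"\n'
        f'  podSubnet: "{subnets["podSubnet"]}"\n'
    )

if __name__ == "__main__":
    # Constructed host cluster CIDRs that collide with both kind defaults
    host = ["10.244.0.0/16", "10.96.0.0/12"]
    print("collisions:", find_collisions(host))
    print(render_kind_config(choose_kind_subnets(host)))
```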
To configure kind:
Create a file in your repo, for instance hack/kind.yaml, with the following content: