cleanup syncroot

Author: mirkoSekulic

.github/workflows/deploy-runner-org-sync.yaml

@@ -68,7 +68,7 @@ jobs:
         run: docker push ${{ steps.vars.outputs.image-repo }}
 
       - name: patch base with image tag
-        working-directory: src/runner-org-sync/infra/kustomize
+        working-directory: src/runner-org-sync/infra/kustomize/base
         run: |
           export IMAGE="${{ steps.vars.outputs.image-repo }}"
           export IMAGE_TAG="${{ steps.vars.outputs.short-sha }}"

infra/studio/syncroot/base/runner-org-sync.yaml

@@ -26,28 +26,10 @@ spec:
     kind: OCIRepository
     name: runner-org-sync
     namespace: default
-  path: ./
+  path: ./${ENVIRONMENT}
   prune: true
   timeout: 1m
   postBuild:
-    # These variables are double-substituted: the outer syncroot Kustomization
-    # (provisioned in altinn-studio-infra/provisioning/studio-flux-syncroot.tf)
-    # resolves ${...} on the right-hand sides first, then this inner
-    # Kustomization applies the resolved values to the kustomize manifests
-    # pulled from the OCI artifact above.
     substitute:
       ENVIRONMENT: ${ENVIRONMENT}
       RUNNER_ORG_SYNC_ENTRA_CLIENT_ID: ${RUNNER_ORG_SYNC_ENTRA_CLIENT_ID}
-      # The kustomize manifests in src/runner-org-sync/infra/kustomize also
-      # reference these two; they must be sourced from somewhere before this
-      # Kustomization can reconcile cleanly. Three options:
-      #   1. Add to studio-flux-syncroot.tf's postBuild.substitute (alongside
-      #      ENTRA_CLIENT_ID). Best for values Terraform already knows
-      #      (KEYVAULT_NAME = azurerm_key_vault.kv.name).
-      #   2. Hardcode literal values here. Best for stable per-env values
-      #      with no Terraform counterpart.
-      #   3. Move the runner-org-sync resource to per-env syncroot overlays
-      #      (infra/studio/syncroot/{dev,staging,prod}/) so each env can
-      #      patch its own values.
-      # RUNNER_ORG_SYNC_KEYVAULT_NAME: ???
-      # RUNNER_ORG_SYNC_ORGS: ???

infra/studio/syncroot/dev/kustomization.yaml

@@ -2,21 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../base
-
-# Per-env substitutions for the runner-org-sync Flux Kustomization. KV name
-# follows the cluster-wide convention altinn-studio-<env>-kv. ORGS lists the
-# whitelist runner-org-sync uses to filter the CDN. Add an entry here when
-# onboarding a new dev-tier org.
-patches:
-  - target:
-      group: kustomize.toolkit.fluxcd.io
-      version: v1
-      kind: Kustomization
-      name: runner-org-sync
-    patch: |-
-      - op: add
-        path: /spec/postBuild/substitute/RUNNER_ORG_SYNC_KEYVAULT_NAME
-        value: altinn-studio-dev-kv
-      - op: add
-        path: /spec/postBuild/substitute/RUNNER_ORG_SYNC_ORGS
-        value: ttd

infra/studio/syncroot/prod/kustomization.yaml

@@ -17,21 +17,3 @@ patches:
       metadata:
         name: altinn-altinity-agents
         namespace: default
-
-  # Per-env substitutions for the runner-org-sync Flux Kustomization. KV
-  # name follows the cluster-wide convention altinn-studio-<env>-kv. ORGS
-  # lists the whitelist runner-org-sync uses to filter the CDN; this list
-  # must agree with the prod entry of runners in
-  # charts/gitea-org-runner-config/values.yaml.
-  - target:
-      group: kustomize.toolkit.fluxcd.io
-      version: v1
-      kind: Kustomization
-      name: runner-org-sync
-    patch: |-
-      - op: add
-        path: /spec/postBuild/substitute/RUNNER_ORG_SYNC_KEYVAULT_NAME
-        value: altinn-studio-prod-kv
-      - op: add
-        path: /spec/postBuild/substitute/RUNNER_ORG_SYNC_ORGS
-        value: ttd,brg,dsb,ssb,ksdigi,pat,dibk,skm,sfvt

infra/studio/syncroot/staging/kustomization.yaml

@@ -17,20 +17,3 @@ patches:
       metadata:
         name: altinn-altinity-agents
         namespace: default
-
-  # Per-env substitutions for the runner-org-sync Flux Kustomization. KV
-  # name follows the cluster-wide convention altinn-studio-<env>-kv. ORGS
-  # lists the whitelist runner-org-sync uses to filter the CDN. Add an
-  # entry here when onboarding a new staging-tier org.
-  - target:
-      group: kustomize.toolkit.fluxcd.io
-      version: v1
-      kind: Kustomization
-      name: runner-org-sync
-    patch: |-
-      - op: add
-        path: /spec/postBuild/substitute/RUNNER_ORG_SYNC_KEYVAULT_NAME
-        value: altinn-studio-staging-kv
-      - op: add
-        path: /spec/postBuild/substitute/RUNNER_ORG_SYNC_ORGS
-        value: ttd

src/runner-org-sync/README.md

@@ -7,7 +7,7 @@ runners running in the Studio cluster.
 ## What it does
 
 Each scheduled run (cadence configured by `spec.schedule` in
-`infra/kustomize/cronjob.yaml`):
+`infra/kustomize/base/cronjob.yaml`):
 
 1. Loads the **admin** Gitea PAT from Azure Key Vault (via Workload Identity),
    or from a local env var override for development.
@@ -96,7 +96,7 @@ Three distinct credentials, three storage strategies:
 ### KEDA wiring
 
 The `TriggerAuthentication/keda-gitea-auth` lives in
-`infra/kustomize/triggerauthentication.yaml` — ships with this service so
+`infra/kustomize/base/triggerauthentication.yaml` — ships with this service so
 the Secret writer and the auth ref are deployed atomically. Three names
 must agree across this folder and the workload chart: