From 1631c3c09257f915670170b85ba443c19cb5ca84 Mon Sep 17 00:00:00 2001
From: vismishr
Date: Wed, 13 May 2026 00:20:31 +0530
Subject: [PATCH 1/4] ci(arc-runners): add nightly CronJob to warm EFS-backed Go build cache

Add a Kubernetes CronJob that runs at 2 AM UTC daily to populate the shared Go build cache on the EFS-backed PV. The job clones main, compiles all packages and test binaries, then syncs the build cache to the PV for runner pods to consume as a read-only mount.

Part-of: CNTRLPLANE-3329
---
 .../cache-warming-cronjob.yaml | 66 +++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 hack/github-actions-runner/cache-warming-cronjob.yaml
diff --git a/hack/github-actions-runner/cache-warming-cronjob.yaml b/hack/github-actions-runner/cache-warming-cronjob.yaml
new file mode 100644
index 00000000000..0e696145509
--- /dev/null
+++ b/hack/github-actions-runner/cache-warming-cronjob.yaml
@@ -0,0 +1,66 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: go-cache-warmer
+ namespace: arc-runners
+ labels:
+ app.kubernetes.io/component: cache-warmer
+ app.kubernetes.io/part-of: arc-runner-set
+spec:
+ schedule: "0 2 * * *"
+ concurrencyPolicy: Forbid
+ successfulJobsHistoryLimit: 3
+ failedJobsHistoryLimit: 1
+ jobTemplate:
+ spec:
+ activeDeadlineSeconds: 3600
+ backoffLimit: 1
+ template:
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: cache-warmer
+ image: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner:latest
+ command:
+ - /bin/bash
+ - -c
+ - |
+ set -euo pipefail
+
+ echo "=== Cloning openshift/hypershift main branch ==="
+ git clone --depth 1 --branch main https://github.com/openshift/hypershift.git /tmp/hypershift
+ cd /tmp/hypershift
+
+ echo "=== Compiling all packages ==="
+ go build ./...
+
+ echo "=== Compiling all test binaries ==="
+ go test -c -o /dev/null ./... 2>/dev/null || true
+
+ echo "=== Syncing build cache to PV ==="
+ rm -rf /cache/go-build/*
+ cp -a "${GOCACHE}"/* /cache/go-build/
+
+ echo "=== Cache warming complete ==="
+ du -sh /cache/go-build/
+ env:
+ - name: GOCACHE
+ value: /tmp/go-build-cache
+ - name: GOMODCACHE
+ value: /tmp/go-mod-cache
+ - name: HOME
+ value: /tmp
+ resources:
+ requests:
+ cpu: "4"
+ memory: "16Gi"
+ limits:
+ cpu: "4"
+ memory: "16Gi"
+ volumeMounts:
+ - name: go-cache
+ mountPath: /cache/go-build
+ volumes:
+ - name: go-cache
+ persistentVolumeClaim:
+ claimName: go-cache-pvc
From 9dad273a76184944de1a22baeb7d9531efe38e76 Mon Sep 17 00:00:00 2001
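Review bot: The warmer runs from the mutable tag `hypershift-gh-actions-runner:latest`, so each nightly run re-resolves which toolchain produces the objects that every runner pod then consumes as a trusted read-only `GOCACHE`; pin the image by digest, `image: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner@sha256:<digest-placeholder>`, so a re-pushed tag cannot silently change what feeds the shared cache. The line `go test -c -o /dev/null ./... 2>/dev/null || true` discards both stderr and the exit status, so on a toolchain that refuses `-c` for a multi-package pattern (this varies by Go version) the test half of the cache is never built and the job still reports success — drop `2>/dev/null` at minimum, or make the step fatal and let `backoffLimit` surface the failure. The script also has no way to tell a partially populated `/cache/go-build` from a complete one after `rm -rf` wipes it mid-run; a marker file written last, or a log of `du -sh` before and after, would make a failed sync visible to whoever reads the job history.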
From: vismishr
Date: Wed, 13 May 2026 01:03:39 +0530
Subject: [PATCH 2/4] ci(arc-runners): replace destructive cache wipe with age-based cleanup

Replace rm -rf of the entire cache directory with find -mtime +7 to prune entries older than 7 days. This prevents runners from seeing an empty or partial cache if they start during the nightly sync window. Stale entries are cleaned incrementally while fresh entries are overwritten in place by cp -a, keeping the cache always populated.
---
 hack/github-actions-runner/cache-warming-cronjob.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hack/github-actions-runner/cache-warming-cronjob.yaml b/hack/github-actions-runner/cache-warming-cronjob.yaml
index 0e696145509..eb8abf1d08e 100644
--- a/hack/github-actions-runner/cache-warming-cronjob.yaml
+++ b/hack/github-actions-runner/cache-warming-cronjob.yaml
@@ -37,8 +37,11 @@ spec: echo "=== Compiling all test binaries ===" go test -c -o /dev/null ./... 2>/dev/null || true + echo "=== Cleaning stale cache entries (older than 7 days) ===" + find /cache/go-build -type f -mtime +7 -delete + find /cache/go-build -type d -empty -delete + echo "=== Syncing build cache to PV ===" - rm -rf /cache/go-build/* cp -a "${GOCACHE}"/* /cache/go-build/ echo "=== Cache warming complete ==="
From c73ce253f3b47973d0de091d15db6ff3be7e00f5 Mon Sep 17 00:00:00 2001
From: vismishr
Date: Wed, 13 May 2026 01:19:49 +0530
Subject: [PATCH 3/4] ci(arc-runners): add security context to cache warmer pod

Add pod-level and container-level security contexts to harden the CronJob: runAsNonRoot, seccomp RuntimeDefault, drop all capabilities, and disallow privilege escalation.
---
 hack/github-actions-runner/cache-warming-cronjob.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/hack/github-actions-runner/cache-warming-cronjob.yaml b/hack/github-actions-runner/cache-warming-cronjob.yaml
index eb8abf1d08e..ee68a7d539b 100644
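Review bot: The in-place overwrite that the commit message relies on, `cp -a "${GOCACHE}"/* /cache/go-build/`, is not atomic: cp opens an existing destination file with truncation and rewrites it, so a runner pod that has that cache object open during the sync window can read a truncated object. Go's build cache checks output sizes against the index entry, so this most likely degrades to a cache miss rather than a wrong build, but that should be confirmed rather than assumed. Switching to `cp -a --remove-destination "${GOCACHE}"/* /cache/go-build/` unlinks each target before writing, so readers that already hold the old file keep a complete copy; a stage-then-rename copy on the same filesystem would close the remaining window for new readers. The shell block scalar this hunk edits starts above the hunk, so the `set -euo pipefail` that governs the new `find` lines is not visible here.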
--- a/hack/github-actions-runner/cache-warming-cronjob.yaml
+++ b/hack/github-actions-runner/cache-warming-cronjob.yaml
@@ -18,9 +18,18 @@ spec: template: spec: restartPolicy: Never + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault containers: - name: cache-warmer image: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-gh-actions-runner:latest + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL command: - /bin/bash - -c
From ca1f7ee3bdb37d5fb5b52f00f873ef32edbc2789 Mon Sep 17 00:00:00 2001
From: vismishr
Date: Wed, 13 May 2026 01:39:13 +0530
Subject: [PATCH 4/4] ci(arc-runners): skip mount root when pruning empty directories

Add -mindepth 1 to prevent find from attempting to delete the /cache/go-build mount point itself when it is empty.
---
 hack/github-actions-runner/cache-warming-cronjob.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hack/github-actions-runner/cache-warming-cronjob.yaml b/hack/github-actions-runner/cache-warming-cronjob.yaml
index ee68a7d539b..e6cbd03af7c 100644
--- a/hack/github-actions-runner/cache-warming-cronjob.yaml
+++ b/hack/github-actions-runner/cache-warming-cronjob.yaml
@@ -48,7 +48,7 @@ spec: echo "=== Cleaning stale cache entries (older than 7 days) ===" find /cache/go-build -type f -mtime +7 -delete - find /cache/go-build -type d -empty -delete + find /cache/go-build -mindepth 1 -type d -empty -delete echo "=== Syncing build cache to PV ===" cp -a "${GOCACHE}"/* /cache/go-build/
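Review bot: `runAsNonRoot: true` is added without a `runAsUser`, so whether the pod starts at all depends on the image declaring a non-root `USER` or the cluster's admission layer injecting a UID; if it is root the kubelet refuses the container, and if it is an arbitrary UID the writes the script makes to the EFS-backed `/cache/go-build` (`find -delete`, `cp -a`) need that UID to have write access on the share, since `fsGroup` ownership changes are typically not applied to NFS-style volumes — verify against the PV before relying on this. The hardening also leaves the namespace's default service-account token mounted, although the script only needs GitHub egress and the PVC; add `automountServiceAccountToken: false` beside `restartPolicy: Never` so the container holds no Kubernetes API credential. The container's only writable paths are `/tmp` and the PVC mount, so an `emptyDir` at `/tmp` would allow `readOnlyRootFilesystem: true` to join the container context. The container definition continues below the hunk, so the `env` and `volumeMounts` it applies to are not visible here.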