Prepare 0.11.0 release (#3992 )

Create configurable metrics (#3975 )
Add events role permission to leader_election_role (#3988 )
2025-12-10 11:41:27 +00:00 · 2025-03-25 11:09:03 +01:00 · 2025-03-24 15:27:42 +01:00 · 2025-03-24 15:10:47 +01:00 · 2025-03-24 15:09:26 +01:00 · 2025-03-20 10:25:57 -04:00
230 changed files with 87820 additions and 20181 deletions
--- a/.github/actions/execute-assert-arc-e2e/action.yaml
+++ b/.github/actions/execute-assert-arc-e2e/action.yaml
@@ -47,7 +47,7 @@ runs:
        -d '{"ref": "main", "inputs": { "arc_name": "${{inputs.arc-name}}" } }'

    - name: Fetch workflow run & job ids
-      uses: actions/github-script@v6
+      uses: actions/github-script@v7
      id: query_workflow
      with:
        script: |
@@ -128,7 +128,7 @@ runs:

    - name: Wait for workflow to start running
      if: inputs.wait-to-running == 'true' && inputs.wait-to-finish == 'false'
-      uses: actions/github-script@v6
+      uses: actions/github-script@v7
      with:
        script: |
          function sleep(ms) {
@@ -156,7 +156,7 @@ runs:

    - name: Wait for workflow to finish successfully
      if: inputs.wait-to-finish == 'true'
-      uses: actions/github-script@v6
+      uses: actions/github-script@v7
      with:
        script: |
          // Wait 5 minutes and make sure the workflow run we triggered completed with result 'success'
@@ -188,15 +188,28 @@ runs:
          }
          core.setFailed(`The triggered workflow run didn't finish properly using ${{inputs.arc-name}}`)

+    - name: Gather listener logs
+      shell: bash
+      if: always()
+      run: |
+        LISTENER_POD="$(kubectl get autoscalinglisteners.actions.github.com -n arc-systems -o jsonpath='{.items[*].metadata.name}')"
+        kubectl logs $LISTENER_POD -n ${{inputs.arc-controller-namespace}}
+    
+    - name: Gather coredns logs
+      shell: bash
+      if: always()
+      run: |
+        kubectl logs deployments/coredns -n kube-system 
+
    - name: cleanup
      if: inputs.wait-to-finish == 'true'
      shell: bash
      run: |
        helm uninstall ${{ inputs.arc-name }} --namespace ${{inputs.arc-namespace}} --debug
-        kubectl wait --timeout=10s --for=delete AutoScalingRunnerSet -n ${{inputs.arc-name}} -l app.kubernetes.io/instance=${{ inputs.arc-name }}
+        kubectl wait --timeout=30s --for=delete AutoScalingRunnerSet -n ${{inputs.arc-namespace}} -l app.kubernetes.io/instance=${{ inputs.arc-name }}

-    - name: Gather logs and cleanup
+    - name: Gather controller logs
      shell: bash
      if: always()
      run: |
-        kubectl logs deployment/arc-gha-rs-controller -n ${{inputs.arc-controller-namespace}}
+        kubectl logs deployment/arc-gha-rs-controller -n ${{inputs.arc-controller-namespace}}
--- a/.github/actions/setup-arc-e2e/action.yaml
+++ b/.github/actions/setup-arc-e2e/action.yaml
@@ -27,7 +27,7 @@ runs:
  using: "composite"
  steps:
    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v2
+      uses: docker/setup-buildx-action@v3
      with:
          # Pinning v0.9.1 for Buildx and BuildKit v0.10.6
          # BuildKit v0.11 which has a bug causing intermittent 
@@ -36,7 +36,7 @@ runs:
          driver-opts: image=moby/buildkit:v0.10.6

    - name: Build controller image
-      uses: docker/build-push-action@v3
+      uses: docker/build-push-action@v5
      with:
        file: Dockerfile
        platforms: linux/amd64
@@ -56,7 +56,7 @@ runs:

    - name: Get configure token
      id: config-token
-      uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
+      uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
      with:
        application_id: ${{ inputs.app-id }}
        application_private_key: ${{ inputs.app-pk }}
--- a/.github/actions/setup-docker-environment/action.yaml
+++ b/.github/actions/setup-docker-environment/action.yaml
@@ -24,23 +24,23 @@ runs:
      shell: bash

    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v2
+      uses: docker/setup-qemu-action@v3

    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v2
+      uses: docker/setup-buildx-action@v3
      with:
        version: latest

    - name: Login to DockerHub
      if: ${{ github.event_name == 'release' || github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.password != ''  }}
-      uses: docker/login-action@v2
+      uses: docker/login-action@v3
      with:
        username: ${{ inputs.username }}
        password: ${{ inputs.password }}

    - name: Login to GitHub Container Registry
      if: ${{ github.event_name == 'release' || github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.ghcr_password != ''  }}
-      uses: docker/login-action@v2
+      uses: docker/login-action@v3
      with:
        registry: ghcr.io
        username: ${{ inputs.ghcr_username }}
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,3 +9,15 @@ updates:
    directory: "/" # Location of package manifests
    schedule:
      interval: "weekly"
+    groups:
+      gomod:
+        patterns:
+          - "*"
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      actions:
+        patterns:
+          - "*"
--- a/.github/workflows/arc-publish-chart.yaml
+++ b/.github/workflows/arc-publish-chart.yaml
@@ -40,12 +40,12 @@ jobs:
      publish-chart: ${{ steps.publish-chart-step.outputs.publish }}
    steps:
    - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
      with:
        fetch-depth: 0

    - name: Set up Helm
-      uses: azure/setup-helm@v3.4
+      uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
      with:
        version: ${{ env.HELM_VERSION }}

@@ -58,7 +58,7 @@ jobs:
      run: helm template  --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score - --ignore-test pod-networkpolicy --ignore-test deployment-has-poddisruptionbudget --ignore-test deployment-has-host-podantiaffinity --ignore-test container-security-context --ignore-test pod-probes --ignore-test container-image-tag --enable-optional-test container-security-context-privileged --enable-optional-test container-security-context-readonlyrootfilesystem

    # python is a requirement for the chart-testing action below (supports yamllint among other tests)
-    - uses: actions/setup-python@v4
+    - uses: actions/setup-python@v5
      with:
        python-version: '3.11'

@@ -134,7 +134,7 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
      with:
        fetch-depth: 0

@@ -145,7 +145,7 @@ jobs:

    - name: Get Token
      id: get_workflow_token
-      uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
+      uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
      with:
        application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
        application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
@@ -184,7 +184,7 @@ jobs:
    # this workaround is intended to move the index.yaml to the target repo
    # where the github pages are hosted
    - name: Checkout target repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
      with:
        repository: ${{ env.CHART_TARGET_ORG }}/${{ env.CHART_TARGET_REPO }}
        path: ${{ env.CHART_TARGET_REPO }}
--- a/.github/workflows/arc-publish.yaml
+++ b/.github/workflows/arc-publish.yaml
@@ -39,9 +39,9 @@ jobs:
    if: ${{ !startsWith(github.event.inputs.release_tag_name, 'gha-runner-scale-set-') }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'

@@ -73,7 +73,7 @@ jobs:

      - name: Get Token
        id: get_workflow_token
-        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
+        uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
        with:
          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
--- a/.github/workflows/arc-release-runners.yaml
+++ b/.github/workflows/arc-release-runners.yaml
@@ -17,7 +17,7 @@ env:
  PUSH_TO_REGISTRIES: true
  TARGET_ORG: actions-runner-controller
  TARGET_WORKFLOW: release-runners.yaml
-  DOCKER_VERSION: 20.10.23
+  DOCKER_VERSION: 24.0.7

 concurrency:
  group: ${{ github.workflow }}
@@ -28,7 +28,7 @@ jobs:
    name: Trigger Build and Push of Runner Images
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - name: Get runner version
        id: versions
        run: |
@@ -39,7 +39,7 @@ jobs:

      - name: Get Token
        id: get_workflow_token
-        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
+        uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
        with:
          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
--- a/.github/workflows/arc-update-runners-scheduled.yaml
+++ b/.github/workflows/arc-update-runners-scheduled.yaml
@@ -21,7 +21,7 @@ jobs:
      container_hooks_current_version: ${{ steps.container_hooks_versions.outputs.container_hooks_current_version }}
      container_hooks_latest_version: ${{ steps.container_hooks_versions.outputs.container_hooks_latest_version }}
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4

      - name: Get runner current and latest versions
        id: runner_versions
@@ -64,7 +64,7 @@ jobs:
          echo "CONTAINER_HOOKS_CURRENT_VERSION=${{ needs.check_versions.outputs.container_hooks_current_version }}"
          echo "CONTAINER_HOOKS_LATEST_VERSION=${{ needs.check_versions.outputs.container_hooks_latest_version }}"

-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4

      - name: PR Name
        id: pr_name
@@ -78,7 +78,7 @@ jobs:
        run: |
          RUNNER_MESSAGE="runner to v${RUNNER_LATEST_VERSION}"
          CONTAINER_HOOKS_MESSAGE="container-hooks to v${CONTAINER_HOOKS_LATEST_VERSION}"
-          
+
          PR_NAME="Updates:"
          if [ "$RUNNER_CURRENT_VERSION" != "$RUNNER_LATEST_VERSION" ]
          then
@@ -88,7 +88,7 @@ jobs:
          then
            PR_NAME="$PR_NAME $CONTAINER_HOOKS_MESSAGE"
          fi
-          
+
          result=$(gh pr list --search "$PR_NAME" --json number --jq ".[].number" --limit 1)
          if [ -z "$result" ]
          then
@@ -119,22 +119,26 @@ jobs:
      PR_NAME: ${{ needs.check_pr.outputs.pr_name }}

    steps:
-      - uses: actions/checkout@v3
-      
+      - uses: actions/checkout@v4
+
      - name: New branch
        run: git checkout -b update-runner-"$(date +%Y-%m-%d)"
-      
+
      - name: Update files
        run: |
-          sed -i "s/$RUNNER_CURRENT_VERSION/$RUNNER_LATEST_VERSION/g" runner/VERSION
-          sed -i "s/$RUNNER_CURRENT_VERSION/$RUNNER_LATEST_VERSION/g" runner/Makefile
-          sed -i "s/$RUNNER_CURRENT_VERSION/$RUNNER_LATEST_VERSION/g" Makefile
-          sed -i "s/$RUNNER_CURRENT_VERSION/$RUNNER_LATEST_VERSION/g" test/e2e/e2e_test.go
-          
-          sed -i "s/$CONTAINER_HOOKS_CURRENT_VERSION/$CONTAINER_HOOKS_LATEST_VERSION/g" runner/VERSION
-          sed -i "s/$CONTAINER_HOOKS_CURRENT_VERSION/$CONTAINER_HOOKS_LATEST_VERSION/g" runner/Makefile
-          sed -i "s/$CONTAINER_HOOKS_CURRENT_VERSION/$CONTAINER_HOOKS_LATEST_VERSION/g" Makefile
-          sed -i "s/$CONTAINER_HOOKS_CURRENT_VERSION/$CONTAINER_HOOKS_LATEST_VERSION/g" test/e2e/e2e_test.go
+          CURRENT_VERSION="${RUNNER_CURRENT_VERSION//./\\.}"
+          LATEST_VERSION="${RUNNER_LATEST_VERSION//./\\.}"
+          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" runner/VERSION
+          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" runner/Makefile
+          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" Makefile
+          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" test/e2e/e2e_test.go
+
+          CURRENT_VERSION="${CONTAINER_HOOKS_CURRENT_VERSION//./\\.}"
+          LATEST_VERSION="${CONTAINER_HOOKS_LATEST_VERSION//./\\.}"
+          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" runner/VERSION
+          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" runner/Makefile
+          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" Makefile
+          sed -i "s/$CURRENT_VERSION/$LATEST_VERSION/g" test/e2e/e2e_test.go

      - name: Commit changes
        run: |
--- a/.github/workflows/arc-validate-chart.yaml
+++ b/.github/workflows/arc-validate-chart.yaml
@@ -40,13 +40,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v3.5
-        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
+        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
        with:
          version: ${{ env.HELM_VERSION }}

@@ -67,7 +67,7 @@ jobs:
              --enable-optional-test container-security-context-readonlyrootfilesystem

      # python is a requirement for the chart-testing action below (supports yamllint among other tests)
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'

--- a/.github/workflows/arc-validate-runners.yaml
+++ b/.github/workflows/arc-validate-runners.yaml
@@ -24,7 +24,7 @@ jobs:
    name: runner / shellcheck
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - name: shellcheck
        uses: reviewdog/action-shellcheck@v1
        with:
@@ -45,7 +45,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4

    - name: Run tests
      run: |
--- a/.github/workflows/gha-e2e-tests.yaml
+++ b/.github/workflows/gha-e2e-tests.yaml
@@ -16,7 +16,7 @@ env:
  TARGET_ORG: actions-runner-controller
  TARGET_REPO: arc_e2e_test_dummy
  IMAGE_NAME: "arc-test-image"
-  IMAGE_VERSION: "0.7.0"
+  IMAGE_VERSION: "0.11.0"

 concurrency:
  # This will make sure we only apply the concurrency limits on pull requests
@@ -33,7 +33,7 @@ jobs:
    env:
      WORKFLOW_FILE: "arc-test-workflow.yaml"
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          ref: ${{github.head_ref}}

@@ -103,6 +103,8 @@ jobs:
          kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
          kubectl get pod -n arc-systems

+          sleep 60
+
      - name: Test ARC E2E
        uses: ./.github/actions/execute-assert-arc-e2e
        timeout-minutes: 10
@@ -122,7 +124,7 @@ jobs:
    env:
      WORKFLOW_FILE: "arc-test-workflow.yaml"
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          ref: ${{github.head_ref}}

@@ -194,6 +196,8 @@ jobs:
          kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
          kubectl get pod -n arc-systems

+          sleep 60
+
      - name: Test ARC E2E
        uses: ./.github/actions/execute-assert-arc-e2e
        timeout-minutes: 10
@@ -213,7 +217,7 @@ jobs:
    env:
      WORKFLOW_FILE: arc-test-dind-workflow.yaml
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          ref: ${{github.head_ref}}

@@ -284,6 +288,8 @@ jobs:
          kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
          kubectl get pod -n arc-systems

+          sleep 60
+
      - name: Test ARC E2E
        uses: ./.github/actions/execute-assert-arc-e2e
        timeout-minutes: 10
@@ -303,7 +309,7 @@ jobs:
    env:
      WORKFLOW_FILE: "arc-test-kubernetes-workflow.yaml"
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          ref: ${{github.head_ref}}

@@ -383,6 +389,8 @@ jobs:
          kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
          kubectl get pod -n arc-systems

+          sleep 60
+
      - name: Test ARC E2E
        uses: ./.github/actions/execute-assert-arc-e2e
        timeout-minutes: 10
@@ -402,7 +410,7 @@ jobs:
    env:
      WORKFLOW_FILE: "arc-test-workflow.yaml"
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          ref: ${{github.head_ref}}

@@ -484,6 +492,8 @@ jobs:
          kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
          kubectl get pod -n arc-systems

+          sleep 60
+
      - name: Test ARC E2E
        uses: ./.github/actions/execute-assert-arc-e2e
        timeout-minutes: 10
@@ -503,7 +513,7 @@ jobs:
    env:
      WORKFLOW_FILE: "arc-test-workflow.yaml"
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          ref: ${{github.head_ref}}

@@ -579,6 +589,8 @@ jobs:
          kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
          kubectl get pod -n arc-systems

+          sleep 60
+
      - name: Test ARC E2E
        uses: ./.github/actions/execute-assert-arc-e2e
        timeout-minutes: 10
@@ -598,7 +610,7 @@ jobs:
    env:
      WORKFLOW_FILE: "arc-test-workflow.yaml"
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          ref: ${{github.head_ref}}

@@ -699,6 +711,8 @@ jobs:
          kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
          kubectl get pod -n arc-systems

+          sleep 60
+
      - name: Test ARC E2E
        uses: ./.github/actions/execute-assert-arc-e2e
        timeout-minutes: 10
@@ -718,7 +732,7 @@ jobs:
    env:
      WORKFLOW_FILE: "arc-test-sleepy-matrix.yaml"
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          ref: ${{github.head_ref}}

@@ -789,6 +803,8 @@ jobs:
          kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
          kubectl get pod -n arc-systems

+          sleep 60
+
      - name: Trigger long running jobs and wait for runners to pick them up
        uses: ./.github/actions/execute-assert-arc-e2e
        timeout-minutes: 10
@@ -880,3 +896,98 @@ jobs:
          helm uninstall "${{ steps.install_arc.outputs.ARC_NAME }}" --namespace "arc-runners" --debug
          kubectl wait --timeout=10s --for=delete AutoScalingRunnerSet -n "${{ steps.install_arc.outputs.ARC_NAME }}" -l app.kubernetes.io/instance="${{ steps.install_arc.outputs.ARC_NAME }}"
          kubectl logs deployment/arc-gha-rs-controller -n "arc-systems"
+
+  init-with-min-runners:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id
+    env:
+      WORKFLOW_FILE: arc-test-workflow.yaml
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.head_ref }}
+
+      - uses: ./.github/actions/setup-arc-e2e
+        id: setup
+        with:
+          app-id: ${{secrets.E2E_TESTS_ACCESS_APP_ID}}
+          app-pk: ${{secrets.E2E_TESTS_ACCESS_PK}}
+          image-name: ${{env.IMAGE_NAME}}
+          image-tag: ${{env.IMAGE_VERSION}}
+          target-org: ${{env.TARGET_ORG}}
+
+      - name: Install gha-runner-scale-set-controller
+        id: install_arc_controller
+        run: |
+          helm install arc \
+          --namespace "arc-systems" \
+          --create-namespace \
+          --set image.repository=${{ env.IMAGE_NAME }} \
+          --set image.tag=${{ env.IMAGE_VERSION }} \
+          --set flags.updateStrategy="eventual" \
+          ./charts/gha-runner-scale-set-controller \
+          --debug
+          count=0
+          while true; do
+            POD_NAME=$(kubectl get pods -n arc-systems -l app.kubernetes.io/name=gha-rs-controller -o name)
+            if [ -n "$POD_NAME" ]; then
+              echo "Pod found: $POD_NAME"
+              break
+            fi
+            if [ "$count" -ge 60 ]; then
+              echo "Timeout waiting for controller pod with label app.kubernetes.io/name=gha-rs-controller"
+              exit 1
+            fi
+            sleep 1
+            count=$((count+1))
+          done
+          kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l app.kubernetes.io/name=gha-rs-controller
+          kubectl get pod -n arc-systems
+          kubectl describe deployment arc-gha-rs-controller -n arc-systems
+
+      - name: Install gha-runner-scale-set
+        id: install_arc
+        run: |
+          ARC_NAME=${{github.job}}-$(date +'%M%S')$((($RANDOM + 100) % 100 + 1))
+          helm install "$ARC_NAME" \
+          --namespace "arc-runners" \
+          --create-namespace \
+          --set githubConfigUrl="https://github.com/${{ env.TARGET_ORG }}/${{env.TARGET_REPO}}" \
+          --set githubConfigSecret.github_token="${{ steps.setup.outputs.token }}" \
+          --set minRunners=5 \
+          ./charts/gha-runner-scale-set \
+          --debug
+          echo "ARC_NAME=$ARC_NAME" >> $GITHUB_OUTPUT
+          count=0
+          while true; do
+            POD_NAME=$(kubectl get pods -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME -o name)
+            if [ -n "$POD_NAME" ]; then
+              echo "Pod found: $POD_NAME"
+              break
+            fi
+            if [ "$count" -ge 60 ]; then
+              echo "Timeout waiting for listener pod with label actions.github.com/scale-set-name=$ARC_NAME"
+              exit 1
+            fi
+            sleep 1
+            count=$((count+1))
+          done
+          kubectl wait --timeout=30s --for=condition=ready pod -n arc-systems -l actions.github.com/scale-set-name=$ARC_NAME
+          kubectl get pod -n arc-systems
+      - name: Ensure 5 runners are up
+        run: |
+          count=0
+          while true; do
+            pod_count=$(kubectl get pods -n arc-runners --no-headers | wc -l)
+            if [[ "$pod_count" = 5 ]]; then
+              echo "5 pods are up!"
+              break
+            fi
+            if [[ "$count" -ge 12 ]]; then
+              echo "Timeout waiting for 5 pods to be created"
+              exit 1
+            fi
+            sleep 1
+            count=$((count+1))
+          done
--- a/.github/workflows/gha-publish-chart.yaml
+++ b/.github/workflows/gha-publish-chart.yaml
@@ -45,7 +45,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          # If inputs.ref is empty, it'll resolve to the default branch
          ref: ${{ inputs.ref }}
@@ -72,10 +72,10 @@ jobs:
          echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
        with:
          # Pinning v0.9.1 for Buildx and BuildKit v0.10.6
          # BuildKit v0.11 which has a bug causing intermittent
@@ -84,14 +84,14 @@ jobs:
          driver-opts: image=moby/buildkit:v0.10.6

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build & push controller image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
        with:
          file: Dockerfile
          platforms: linux/amd64,linux/arm64
@@ -121,7 +121,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          # If inputs.ref is empty, it'll resolve to the default branch
          ref: ${{ inputs.ref }}
@@ -140,8 +140,8 @@ jobs:
          echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT

      - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v3.5
-        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
+        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
        with:
          version: ${{ env.HELM_VERSION }}

@@ -169,7 +169,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          # If inputs.ref is empty, it'll resolve to the default branch
          ref: ${{ inputs.ref }}
@@ -188,8 +188,8 @@ jobs:
          echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT

      - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v3.5
-        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
+        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
        with:
          version: ${{ env.HELM_VERSION }}

--- a/.github/workflows/gha-validate-chart.yaml
+++ b/.github/workflows/gha-validate-chart.yaml
@@ -18,7 +18,7 @@ on:
  workflow_dispatch:
 env:
  KUBE_SCORE_VERSION: 1.16.1
-  HELM_VERSION: v3.8.0
+  HELM_VERSION: v3.17.0

 permissions:
  contents: read
@@ -36,34 +36,18 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Helm
-        # Using https://github.com/Azure/setup-helm/releases/tag/v3.5
-        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
+        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
        with:
          version: ${{ env.HELM_VERSION }}

-      - name: Set up kube-score
-        run: |
-          wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score
-          chmod 755 kube-score
-
-      - name: Kube-score generated manifests
-        run: helm template  --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score -
-              --ignore-test pod-networkpolicy
-              --ignore-test deployment-has-poddisruptionbudget
-              --ignore-test deployment-has-host-podantiaffinity
-              --ignore-test container-security-context
-              --ignore-test pod-probes
-              --ignore-test container-image-tag
-              --enable-optional-test container-security-context-privileged
-              --enable-optional-test container-security-context-readonlyrootfilesystem
-
      # python is a requirement for the chart-testing action below (supports yamllint among other tests)
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'

@@ -84,13 +68,13 @@ jobs:
          ct lint --config charts/.ci/ct-config-gha.yaml

      - name: Set up docker buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
        if: steps.list-changed.outputs.changed == 'true'
        with:
          version: latest

      - name: Build controller image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
        if: steps.list-changed.outputs.changed == 'true'
        with:
          file: Dockerfile
@@ -123,3 +107,17 @@ jobs:
        if: steps.list-changed.outputs.changed == 'true'
        run: |
          ct install --config charts/.ci/ct-config-gha.yaml
+  test-chart:
+    name: Test Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+          cache: false
+      - name: Test gha-runner-scale-set
+        run: go test ./charts/gha-runner-scale-set/...
+      - name: Test gha-runner-scale-set-controller
+        run: go test ./charts/gha-runner-scale-set-controller/...
--- a/.github/workflows/global-publish-canary.yaml
+++ b/.github/workflows/global-publish-canary.yaml
@@ -55,11 +55,11 @@ jobs:
      TARGET_REPO: actions-runner-controller
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: Get Token
        id: get_workflow_token
-        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
+        uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
        with:
          application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }}
          application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }}
@@ -90,10 +90,10 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -110,16 +110,16 @@ jobs:
          echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
        with:
          version: latest

      # Unstable builds - run at your own risk
      - name: Build and Push
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile
--- a/.github/workflows/global-run-codeql.yaml
+++ b/.github/workflows/global-run-codeql.yaml
@@ -25,10 +25,10 @@ jobs:
      security-events: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: Install Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

--- a/.github/workflows/global-run-first-interaction.yaml
+++ b/.github/workflows/global-run-first-interaction.yaml
@@ -11,7 +11,7 @@ jobs:
  check_for_first_interaction:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - uses: actions/first-interaction@main
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/go.yaml
+++ b/.github/workflows/go.yaml
@@ -29,8 +29,8 @@ jobs:
  fmt:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
          cache: false
@@ -42,13 +42,13 @@ jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
          cache: false
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v6
        with:
          only-new-issues: true
          version: v1.55.2
@@ -56,8 +56,8 @@ jobs:
  generate:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
          cache: false
@@ -69,8 +69,8 @@ jobs:
  test:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
      - run: make manifests
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,7 +1,9 @@
 run:
  timeout: 3m
 output:
-  format: github-actions
+  formats:
+    - format: github-actions
+      path: stdout
 linters-settings:
  errcheck:
    exclude-functions:
--- a/2
+++ b/2
@@ -1,2 +1,2 @@
 # actions-runner-controller maintainers
-* @mumoshu @toast-gear @actions/actions-launch @nikola-jokic
+* @mumoshu @toast-gear @actions/actions-launch @nikola-jokic @rentziass
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -73,7 +73,7 @@ To make your development cycle faster, use the below command to update deploy an
 # Makefile
 VERSION=controller1 \
  RUNNER_TAG=runner1 \
-  make acceptance/pull acceptance/kind docker-build acceptance/load acceptance/deploy
+  make acceptance/pull acceptance/kind docker-buildx acceptance/load acceptance/deploy
 ```

 If you've already deployed actions-runner-controller and only want to recreate pods to use the newer image, you can run:
--- a/6
+++ b/6
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM --platform=$BUILDPLATFORM golang:1.21.3 as builder
+FROM --platform=$BUILDPLATFORM golang:1.24.0 as builder

 WORKDIR /workspace

@@ -37,7 +37,7 @@ RUN --mount=target=. \
  --mount=type=cache,mode=0777,target=${GOCACHE} \
  export GOOS=${TARGETOS} GOARCH=${TARGETARCH} GOARM=${TARGETVARIANT#v} && \
  go build -trimpath -ldflags="-s -w -X 'github.com/actions/actions-runner-controller/build.Version=${VERSION}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=${COMMIT_SHA}'" -o /out/manager main.go && \
-  go build -trimpath -ldflags="-s -w -X 'github.com/actions/actions-runner-controller/build.Version=${VERSION}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=${COMMIT_SHA}'" -o /out/github-runnerscaleset-listener ./cmd/githubrunnerscalesetlistener && \
+  go build -trimpath -ldflags="-s -w -X 'github.com/actions/actions-runner-controller/build.Version=${VERSION}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=${COMMIT_SHA}'" -o /out/ghalistener ./cmd/ghalistener && \
  go build -trimpath -ldflags="-s -w" -o /out/github-webhook-server ./cmd/githubwebhookserver && \
  go build -trimpath -ldflags="-s -w" -o /out/actions-metrics-server ./cmd/actionsmetricsserver && \
  go build -trimpath -ldflags="-s -w" -o /out/sleep ./cmd/sleep
@@ -51,7 +51,7 @@ WORKDIR /
 COPY --from=builder /out/manager .
 COPY --from=builder /out/github-webhook-server .
 COPY --from=builder /out/actions-metrics-server .
-COPY --from=builder /out/github-runnerscaleset-listener .
+COPY --from=builder /out/ghalistener .
 COPY --from=builder /out/sleep .

 USER 65532:65532
--- a/12
+++ b/12
@@ -6,7 +6,7 @@ endif
 DOCKER_USER ?= $(shell echo ${DOCKER_IMAGE_NAME} | cut -d / -f1)
 VERSION ?= dev
 COMMIT_SHA = $(shell git rev-parse HEAD)
-RUNNER_VERSION ?= 2.311.0
+RUNNER_VERSION ?= 2.323.0
 TARGETPLATFORM ?= $(shell arch)
 RUNNER_NAME ?= ${DOCKER_USER}/actions-runner
 RUNNER_TAG  ?= ${VERSION}
@@ -23,7 +23,7 @@ KUBE_RBAC_PROXY_VERSION ?= v0.11.0
 SHELLCHECK_VERSION ?= 0.8.0

 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
-CRD_OPTIONS ?= "crd:generateEmbeddedObjectMeta=true"
+CRD_OPTIONS ?= "crd:generateEmbeddedObjectMeta=true,allowDangerousTypes=true"

 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -68,7 +68,7 @@ endif
 all: manager

 lint:
-	docker run --rm -v $(PWD):/app -w /app golangci/golangci-lint:v1.55.2 golangci-lint run
+	docker run --rm -v $(PWD):/app -w /app golangci/golangci-lint:v1.57.2 golangci-lint run

 GO_TEST_ARGS ?= -short

@@ -87,7 +87,7 @@ test-with-deps: kube-apiserver etcd kubectl
 # Build manager binary
 manager: generate fmt vet
 	go build -o bin/manager main.go
-	go build -o bin/github-runnerscaleset-listener ./cmd/githubrunnerscalesetlistener
+	go build -o bin/github-runnerscaleset-listener ./cmd/ghalistener

 # Run against the configured Kubernetes cluster in ~/.kube/config
 run: generate fmt vet manifests
@@ -310,7 +310,7 @@ github-release: release
 # Otherwise we get errors like the below:
 #   Error: failed to install CRD crds/actions.summerwind.dev_runnersets.yaml: CustomResourceDefinition.apiextensions.k8s.io "runnersets.actions.summerwind.dev" is invalid: [spec.validation.openAPIV3Schema.properties[spec].properties[template].properties[spec].properties[containers].items.properties[ports].items.properties[protocol].default: Required value: this property is in x-kubernetes-list-map-keys, so it must have a default or be a required property, spec.validation.openAPIV3Schema.properties[spec].properties[template].properties[spec].properties[initContainers].items.properties[ports].items.properties[protocol].default: Required value: this property is in x-kubernetes-list-map-keys, so it must have a default or be a required property]
 #
-# Note that controller-gen newer than 0.6.0 is needed due to https://github.com/kubernetes-sigs/controller-tools/issues/448
+# Note that controller-gen newer than 0.6.2 is needed due to https://github.com/kubernetes-sigs/controller-tools/issues/448
 # Otherwise ObjectMeta embedded in Spec results in empty on the storage.
 controller-gen:
 ifeq (, $(shell which controller-gen))
@@ -320,7 +320,7 @@ ifeq (, $(wildcard $(GOBIN)/controller-gen))
 	CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
 	cd $$CONTROLLER_GEN_TMP_DIR ;\
 	go mod init tmp ;\
-	go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.13.0 ;\
+	go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.17.2 ;\
 	rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
 	}
 endif
--- a/README.md
+++ b/README.md
@@ -11,21 +11,22 @@ Actions Runner Controller (ARC) is a Kubernetes operator that orchestrates and s
 With ARC, you can create runner scale sets that automatically scale based on the number of workflows running in your repository, organization, or enterprise. Because controlled runners can be ephemeral and based on containers, new runner instances can scale up or down rapidly and cleanly. For more information about autoscaling, see ["Autoscaling with self-hosted runners."](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners)

 You can set up ARC on Kubernetes using Helm, then create and run a workflow that uses runner scale sets. For more information about runner scale sets, see ["Deploying runner scale sets with Actions Runner Controller."](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#runner-scale-set)
+
 ## People

 Actions Runner Controller (ARC) is an open-source project currently developed and maintained in collaboration with the GitHub Actions team, external maintainers @mumoshu and @toast-gear, various [contributors](https://github.com/actions/actions-runner-controller/graphs/contributors), and the [awesome community](https://github.com/actions/actions-runner-controller/discussions).

 If you think the project is awesome and is adding value to your business, please consider directly sponsoring [community maintainers](https://github.com/sponsors/actions-runner-controller) and individual contributors via GitHub Sponsors.

-In case you are already the employer of one of contributors, sponsoring via GitHub Sponsors might not be an option. Just support them in other means!
+If you are already the employer of one of the contributors, sponsoring via GitHub Sponsors might not be an option. Just support them by other means!

 See [the sponsorship dashboard](https://github.com/sponsors/actions-runner-controller) for the former and the current sponsors.

 ## Getting Started

-To give ARC a try with just a handful of commands, Please refer to the [Quickstart guide](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller).
+To give ARC a try with just a handful of commands, please refer to the [Quickstart guide](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller).

-For an overview of ARC, please refer to [About ARC](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller)
+For an overview of ARC, please refer to [About ARC](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller).

 With the introduction of [autoscaling runner scale sets](https://github.com/actions/actions-runner-controller/discussions/2775), the existing [autoscaling modes](./docs/automatically-scaling-runners.md) are now legacy. The legacy modes have certain use cases and will continue to be maintained by the community only.

@@ -37,7 +38,7 @@ ARC documentation is available on [docs.github.com](https://docs.github.com/en/a

 ### Legacy documentation

-The following documentation is for the legacy autoscaling modes that continue to be maintained by the community
+The following documentation is for the legacy autoscaling modes that continue to be maintained by the community:

 - [Quickstart guide](/docs/quickstart.md)
 - [About ARC](/docs/about-arc.md)
--- a/apis/actions.github.com/v1alpha1/autoscalinglistener_types.go
+++ b/apis/actions.github.com/v1alpha1/autoscalinglistener_types.go
@@ -61,6 +61,9 @@ type AutoscalingListenerSpec struct {
 	// +optional
 	GitHubServerTLS *GitHubServerTLSConfig `json:"githubServerTLS,omitempty"`

+	// +optional
+	Metrics *MetricsConfig `json:"metrics,omitempty"`
+
 	// +optional
 	Template *corev1.PodTemplateSpec `json:"template,omitempty"`
 }
@@ -68,11 +71,11 @@ type AutoscalingListenerSpec struct {
 // AutoscalingListenerStatus defines the observed state of AutoscalingListener
 type AutoscalingListenerStatus struct{}

-//+kubebuilder:object:root=true
-//+kubebuilder:subresource:status
-//+kubebuilder:printcolumn:JSONPath=".spec.githubConfigUrl",name=GitHub Configure URL,type=string
-//+kubebuilder:printcolumn:JSONPath=".spec.autoscalingRunnerSetNamespace",name=AutoscalingRunnerSet Namespace,type=string
-//+kubebuilder:printcolumn:JSONPath=".spec.autoscalingRunnerSetName",name=AutoscalingRunnerSet Name,type=string
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:JSONPath=".spec.githubConfigUrl",name=GitHub Configure URL,type=string
+// +kubebuilder:printcolumn:JSONPath=".spec.autoscalingRunnerSetNamespace",name=AutoscalingRunnerSet Namespace,type=string
+// +kubebuilder:printcolumn:JSONPath=".spec.autoscalingRunnerSetName",name=AutoscalingRunnerSet Name,type=string

 // AutoscalingListener is the Schema for the autoscalinglisteners API
 type AutoscalingListener struct {
@@ -83,7 +86,7 @@ type AutoscalingListener struct {
 	Status AutoscalingListenerStatus `json:"status,omitempty"`
 }

-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true

 // AutoscalingListenerList contains a list of AutoscalingListener
 type AutoscalingListenerList struct {
--- a/apis/actions.github.com/v1alpha1/autoscalingrunnerset_types.go
+++ b/apis/actions.github.com/v1alpha1/autoscalingrunnerset_types.go
@@ -31,16 +31,16 @@ import (

 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.

-//+kubebuilder:object:root=true
-//+kubebuilder:subresource:status
-//+kubebuilder:printcolumn:JSONPath=".spec.minRunners",name=Minimum Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".spec.maxRunners",name=Maximum Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.currentRunners",name=Current Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.state",name=State,type=string
-//+kubebuilder:printcolumn:JSONPath=".status.pendingEphemeralRunners",name=Pending Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.runningEphemeralRunners",name=Running Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.finishedEphemeralRunners",name=Finished Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.deletingEphemeralRunners",name=Deleting Runners,type=integer
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:JSONPath=".spec.minRunners",name=Minimum Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".spec.maxRunners",name=Maximum Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.currentRunners",name=Current Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.state",name=State,type=string
+// +kubebuilder:printcolumn:JSONPath=".status.pendingEphemeralRunners",name=Pending Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.runningEphemeralRunners",name=Running Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.finishedEphemeralRunners",name=Finished Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.deletingEphemeralRunners",name=Deleting Runners,type=integer

 // AutoscalingRunnerSet is the Schema for the autoscalingrunnersets API
 type AutoscalingRunnerSet struct {
@@ -74,6 +74,9 @@ type AutoscalingRunnerSetSpec struct {
 	// Required
 	Template corev1.PodTemplateSpec `json:"template,omitempty"`

+	// +optional
+	ListenerMetrics *MetricsConfig `json:"listenerMetrics,omitempty"`
+
 	// +optional
 	ListenerTemplate *corev1.PodTemplateSpec `json:"listenerTemplate,omitempty"`

@@ -232,6 +235,32 @@ type ProxyServerConfig struct {
 	CredentialSecretRef string `json:"credentialSecretRef,omitempty"`
 }

+// MetricsConfig holds configuration parameters for each metric type
+type MetricsConfig struct {
+	// +optional
+	Counters map[string]*CounterMetric `json:"counters,omitempty"`
+	// +optional
+	Gauges map[string]*GaugeMetric `json:"gauges,omitempty"`
+	// +optional
+	Histograms map[string]*HistogramMetric `json:"histograms,omitempty"`
+}
+
+// CounterMetric holds configuration of a single metric of type Counter
+type CounterMetric struct {
+	Labels []string `json:"labels"`
+}
+
+// GaugeMetric holds configuration of a single metric of type Gauge
+type GaugeMetric struct {
+	Labels []string `json:"labels"`
+}
+
+// HistogramMetric holds configuration of a single metric of type Histogram
+type HistogramMetric struct {
+	Labels  []string  `json:"labels"`
+	Buckets []float64 `json:"buckets,omitempty"`
+}
+
 // AutoscalingRunnerSetStatus defines the observed state of AutoscalingRunnerSet
 type AutoscalingRunnerSetStatus struct {
 	// +optional
@@ -242,7 +271,7 @@ type AutoscalingRunnerSetStatus struct {

 	// EphemeralRunner counts separated by the stage ephemeral runners are in, taken from the EphemeralRunnerSet

-	//+optional
+	// +optional
 	PendingEphemeralRunners int `json:"pendingEphemeralRunners"`
 	// +optional
 	RunningEphemeralRunners int `json:"runningEphemeralRunners"`
@@ -278,7 +307,7 @@ func (ars *AutoscalingRunnerSet) RunnerSetSpecHash() string {
 	return hash.ComputeTemplateHash(&spec)
 }

-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true

 // AutoscalingRunnerSetList contains a list of AutoscalingRunnerSet
 type AutoscalingRunnerSetList struct {
--- a/apis/actions.github.com/v1alpha1/ephemeralrunner_types.go
+++ b/apis/actions.github.com/v1alpha1/ephemeralrunner_types.go
@@ -21,8 +21,12 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

-//+kubebuilder:object:root=true
-//+kubebuilder:subresource:status
+// EphemeralRunnerContainerName is the name of the runner container.
+// It represents the name of the container running the self-hosted runner image.
+const EphemeralRunnerContainerName = "runner"
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:JSONPath=".spec.githubConfigUrl",name="GitHub Config URL",type=string
 // +kubebuilder:printcolumn:JSONPath=".status.runnerId",name=RunnerId,type=number
 // +kubebuilder:printcolumn:JSONPath=".status.phase",name=Status,type=string
@@ -42,11 +46,29 @@ type EphemeralRunner struct {
 	Status EphemeralRunnerStatus `json:"status,omitempty"`
 }

+func (er *EphemeralRunner) IsDone() bool {
+	return er.Status.Phase == corev1.PodSucceeded || er.Status.Phase == corev1.PodFailed
+}
+
+func (er *EphemeralRunner) HasContainerHookConfigured() bool {
+	for i := range er.Spec.Spec.Containers {
+		if er.Spec.Spec.Containers[i].Name != EphemeralRunnerContainerName {
+			continue
+		}
+
+		for _, env := range er.Spec.Spec.Containers[i].Env {
+			if env.Name == "ACTIONS_RUNNER_CONTAINER_HOOKS" {
+				return true
+			}
+		}
+
+		return false
+	}
+	return false
+}
+
 // EphemeralRunnerSpec defines the desired state of EphemeralRunner
 type EphemeralRunnerSpec struct {
-	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-
 	// +required
 	GitHubConfigUrl string `json:"githubConfigUrl,omitempty"`

@@ -65,15 +87,11 @@ type EphemeralRunnerSpec struct {
 	// +optional
 	GitHubServerTLS *GitHubServerTLSConfig `json:"githubServerTLS,omitempty"`

-	// +required
 	corev1.PodTemplateSpec `json:",inline"`
 }

 // EphemeralRunnerStatus defines the observed state of EphemeralRunner
 type EphemeralRunnerStatus struct {
-	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-
 	// Turns true only if the runner is online.
 	// +optional
 	Ready bool `json:"ready"`
@@ -119,7 +137,7 @@ type EphemeralRunnerStatus struct {
 	JobDisplayName string `json:"jobDisplayName,omitempty"`
 }

-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true

 // EphemeralRunnerList contains a list of EphemeralRunner
 type EphemeralRunnerList struct {
--- a/apis/actions.github.com/v1alpha1/ephemeralrunnerset_types.go
+++ b/apis/actions.github.com/v1alpha1/ephemeralrunnerset_types.go
@@ -24,7 +24,9 @@ import (
 type EphemeralRunnerSetSpec struct {
 	// Replicas is the number of desired EphemeralRunner resources in the k8s namespace.
 	Replicas int `json:"replicas,omitempty"`
-
+	// PatchID is the unique identifier for the patch issued by the listener app
+	PatchID int `json:"patchID"`
+	// EphemeralRunnerSpec is the spec of the ephemeral runner
 	EphemeralRunnerSpec EphemeralRunnerSpec `json:"ephemeralRunnerSpec,omitempty"`
 }

@@ -32,9 +34,6 @@ type EphemeralRunnerSetSpec struct {
 type EphemeralRunnerSetStatus struct {
 	// CurrentReplicas is the number of currently running EphemeralRunner resources being managed by this EphemeralRunnerSet.
 	CurrentReplicas int `json:"currentReplicas"`
-
-	// EphemeralRunner counts separated by the stage ephemeral runners are in
-
 	// +optional
 	PendingEphemeralRunners int `json:"pendingEphemeralRunners"`
 	// +optional
@@ -47,10 +46,10 @@ type EphemeralRunnerSetStatus struct {
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:JSONPath=".spec.replicas",name="DesiredReplicas",type="integer"
 // +kubebuilder:printcolumn:JSONPath=".status.currentReplicas", name="CurrentReplicas",type="integer"
-//+kubebuilder:printcolumn:JSONPath=".status.pendingEphemeralRunners",name=Pending Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.runningEphemeralRunners",name=Running Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.finishedEphemeralRunners",name=Finished Runners,type=integer
-//+kubebuilder:printcolumn:JSONPath=".status.deletingEphemeralRunners",name=Deleting Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.pendingEphemeralRunners",name=Pending Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.runningEphemeralRunners",name=Running Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.finishedEphemeralRunners",name=Finished Runners,type=integer
+// +kubebuilder:printcolumn:JSONPath=".status.deletingEphemeralRunners",name=Deleting Runners,type=integer

 // EphemeralRunnerSet is the Schema for the ephemeralrunnersets API
 type EphemeralRunnerSet struct {
@@ -61,7 +60,7 @@ type EphemeralRunnerSet struct {
 	Status EphemeralRunnerSetStatus `json:"status,omitempty"`
 }

-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true

 // EphemeralRunnerSetList contains a list of EphemeralRunnerSet
 type EphemeralRunnerSetList struct {
--- a/apis/actions.github.com/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/actions.github.com/v1alpha1/zz_generated.deepcopy.go
@@ -102,6 +102,11 @@ func (in *AutoscalingListenerSpec) DeepCopyInto(out *AutoscalingListenerSpec) {
 		*out = new(GitHubServerTLSConfig)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.Metrics != nil {
+		in, out := &in.Metrics, &out.Metrics
+		*out = new(MetricsConfig)
+		(*in).DeepCopyInto(*out)
+	}
 	if in.Template != nil {
 		in, out := &in.Template, &out.Template
 		*out = new(v1.PodTemplateSpec)
@@ -207,6 +212,11 @@ func (in *AutoscalingRunnerSetSpec) DeepCopyInto(out *AutoscalingRunnerSetSpec)
 		(*in).DeepCopyInto(*out)
 	}
 	in.Template.DeepCopyInto(&out.Template)
+	if in.ListenerMetrics != nil {
+		in, out := &in.ListenerMetrics, &out.ListenerMetrics
+		*out = new(MetricsConfig)
+		(*in).DeepCopyInto(*out)
+	}
 	if in.ListenerTemplate != nil {
 		in, out := &in.ListenerTemplate, &out.ListenerTemplate
 		*out = new(v1.PodTemplateSpec)
@@ -249,6 +259,26 @@ func (in *AutoscalingRunnerSetStatus) DeepCopy() *AutoscalingRunnerSetStatus {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CounterMetric) DeepCopyInto(out *CounterMetric) {
+	*out = *in
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CounterMetric.
+func (in *CounterMetric) DeepCopy() *CounterMetric {
+	if in == nil {
+		return nil
+	}
+	out := new(CounterMetric)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EphemeralRunner) DeepCopyInto(out *EphemeralRunner) {
 	*out = *in
@@ -446,6 +476,26 @@ func (in *EphemeralRunnerStatus) DeepCopy() *EphemeralRunnerStatus {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GaugeMetric) DeepCopyInto(out *GaugeMetric) {
+	*out = *in
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GaugeMetric.
+func (in *GaugeMetric) DeepCopy() *GaugeMetric {
+	if in == nil {
+		return nil
+	}
+	out := new(GaugeMetric)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GitHubServerTLSConfig) DeepCopyInto(out *GitHubServerTLSConfig) {
 	*out = *in
@@ -466,6 +516,94 @@ func (in *GitHubServerTLSConfig) DeepCopy() *GitHubServerTLSConfig {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HistogramMetric) DeepCopyInto(out *HistogramMetric) {
+	*out = *in
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Buckets != nil {
+		in, out := &in.Buckets, &out.Buckets
+		*out = make([]float64, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HistogramMetric.
+func (in *HistogramMetric) DeepCopy() *HistogramMetric {
+	if in == nil {
+		return nil
+	}
+	out := new(HistogramMetric)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MetricsConfig) DeepCopyInto(out *MetricsConfig) {
+	*out = *in
+	if in.Counters != nil {
+		in, out := &in.Counters, &out.Counters
+		*out = make(map[string]*CounterMetric, len(*in))
+		for key, val := range *in {
+			var outVal *CounterMetric
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				inVal := (*in)[key]
+				in, out := &inVal, &outVal
+				*out = new(CounterMetric)
+				(*in).DeepCopyInto(*out)
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Gauges != nil {
+		in, out := &in.Gauges, &out.Gauges
+		*out = make(map[string]*GaugeMetric, len(*in))
+		for key, val := range *in {
+			var outVal *GaugeMetric
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				inVal := (*in)[key]
+				in, out := &inVal, &outVal
+				*out = new(GaugeMetric)
+				(*in).DeepCopyInto(*out)
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Histograms != nil {
+		in, out := &in.Histograms, &out.Histograms
+		*out = make(map[string]*HistogramMetric, len(*in))
+		for key, val := range *in {
+			var outVal *HistogramMetric
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				inVal := (*in)[key]
+				in, out := &inVal, &outVal
+				*out = new(HistogramMetric)
+				(*in).DeepCopyInto(*out)
+			}
+			(*out)[key] = outVal
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricsConfig.
+func (in *MetricsConfig) DeepCopy() *MetricsConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(MetricsConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProxyConfig) DeepCopyInto(out *ProxyConfig) {
 	*out = *in
--- a/apis/actions.summerwind.net/v1alpha1/runner_types.go
+++ b/apis/actions.summerwind.net/v1alpha1/runner_types.go
@@ -317,19 +317,19 @@ type RunnerStatusRegistration struct {
 type WorkVolumeClaimTemplate struct {
 	StorageClassName string                              `json:"storageClassName"`
 	AccessModes      []corev1.PersistentVolumeAccessMode `json:"accessModes"`
-	Resources        corev1.ResourceRequirements         `json:"resources"`
+	Resources        corev1.VolumeResourceRequirements   `json:"resources"`
 }

 func (w *WorkVolumeClaimTemplate) validate() error {
-	if w.AccessModes == nil || len(w.AccessModes) == 0 {
-		return errors.New("Access mode should have at least one mode specified")
+	if len(w.AccessModes) == 0 {
+		return errors.New("access mode should have at least one mode specified")
 	}

 	for _, accessMode := range w.AccessModes {
 		switch accessMode {
 		case corev1.ReadWriteOnce, corev1.ReadWriteMany:
 		default:
-			return fmt.Errorf("Access mode %v is not supported", accessMode)
+			return fmt.Errorf("access mode %v is not supported", accessMode)
 		}
 	}
 	return nil
--- a/apis/actions.summerwind.net/v1alpha1/runner_webhook.go
+++ b/apis/actions.summerwind.net/v1alpha1/runner_webhook.go
@@ -17,6 +17,9 @@ limitations under the License.
 package v1alpha1

 import (
+	"context"
+	"fmt"
+
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@@ -32,36 +35,51 @@ var runnerLog = logf.Log.WithName("runner-resource")
 func (r *Runner) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
+		WithDefaulter(&RunnerDefaulter{}).
+		WithValidator(&RunnerValidator{}).
 		Complete()
 }

 // +kubebuilder:webhook:path=/mutate-actions-summerwind-dev-v1alpha1-runner,verbs=create;update,mutating=true,failurePolicy=fail,groups=actions.summerwind.dev,resources=runners,versions=v1alpha1,name=mutate.runner.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1

-var _ webhook.Defaulter = &Runner{}
+var _ webhook.CustomDefaulter = &RunnerDefaulter{}
+
+type RunnerDefaulter struct{}

 // Default implements webhook.Defaulter so a webhook will be registered for the type
-func (r *Runner) Default() {
+func (*RunnerDefaulter) Default(ctx context.Context, obj runtime.Object) error {
 	// Nothing to do.
+	return nil
 }

 // +kubebuilder:webhook:path=/validate-actions-summerwind-dev-v1alpha1-runner,verbs=create;update,mutating=false,failurePolicy=fail,groups=actions.summerwind.dev,resources=runners,versions=v1alpha1,name=validate.runner.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1

-var _ webhook.Validator = &Runner{}
+var _ webhook.CustomValidator = &RunnerValidator{}
+
+type RunnerValidator struct{}

 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *Runner) ValidateCreate() (admission.Warnings, error) {
+func (*RunnerValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	r, ok := obj.(*Runner)
+	if !ok {
+		return nil, fmt.Errorf("expected Runner object, got %T", obj)
+	}
 	runnerLog.Info("validate resource to be created", "name", r.Name)
 	return nil, r.Validate()
 }

 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *Runner) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
+func (*RunnerValidator) ValidateUpdate(ctx context.Context, old, obj runtime.Object) (admission.Warnings, error) {
+	r, ok := obj.(*Runner)
+	if !ok {
+		return nil, fmt.Errorf("expected Runner object, got %T", obj)
+	}
 	runnerLog.Info("validate resource to be updated", "name", r.Name)
 	return nil, r.Validate()
 }

 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *Runner) ValidateDelete() (admission.Warnings, error) {
+func (*RunnerValidator) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
 	return nil, nil
 }

--- a/apis/actions.summerwind.net/v1alpha1/runnerdeployment_webhook.go
+++ b/apis/actions.summerwind.net/v1alpha1/runnerdeployment_webhook.go
@@ -17,6 +17,9 @@ limitations under the License.
 package v1alpha1

 import (
+	"context"
+	"fmt"
+
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@@ -32,36 +35,51 @@ var runnerDeploymentLog = logf.Log.WithName("runnerdeployment-resource")
 func (r *RunnerDeployment) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
+		WithDefaulter(&RunnerDeploymentDefaulter{}).
+		WithValidator(&RunnerDeploymentValidator{}).
 		Complete()
 }

 // +kubebuilder:webhook:path=/mutate-actions-summerwind-dev-v1alpha1-runnerdeployment,verbs=create;update,mutating=true,failurePolicy=fail,groups=actions.summerwind.dev,resources=runnerdeployments,versions=v1alpha1,name=mutate.runnerdeployment.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1

-var _ webhook.Defaulter = &RunnerDeployment{}
+var _ webhook.CustomDefaulter = &RunnerDeploymentDefaulter{}
+
+type RunnerDeploymentDefaulter struct{}

 // Default implements webhook.Defaulter so a webhook will be registered for the type
-func (r *RunnerDeployment) Default() {
+func (*RunnerDeploymentDefaulter) Default(context.Context, runtime.Object) error {
 	// Nothing to do.
+	return nil
 }

 // +kubebuilder:webhook:path=/validate-actions-summerwind-dev-v1alpha1-runnerdeployment,verbs=create;update,mutating=false,failurePolicy=fail,groups=actions.summerwind.dev,resources=runnerdeployments,versions=v1alpha1,name=validate.runnerdeployment.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1

-var _ webhook.Validator = &RunnerDeployment{}
+var _ webhook.CustomValidator = &RunnerDeploymentValidator{}
+
+type RunnerDeploymentValidator struct{}

 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerDeployment) ValidateCreate() (admission.Warnings, error) {
+func (*RunnerDeploymentValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	r, ok := obj.(*RunnerDeployment)
+	if !ok {
+		return nil, fmt.Errorf("expected RunnerDeployment object, got %T", obj)
+	}
 	runnerDeploymentLog.Info("validate resource to be created", "name", r.Name)
 	return nil, r.Validate()
 }

 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerDeployment) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
+func (*RunnerDeploymentValidator) ValidateUpdate(ctx context.Context, old, obj runtime.Object) (admission.Warnings, error) {
+	r, ok := obj.(*RunnerDeployment)
+	if !ok {
+		return nil, fmt.Errorf("expected RunnerDeployment object, got %T", obj)
+	}
 	runnerDeploymentLog.Info("validate resource to be updated", "name", r.Name)
 	return nil, r.Validate()
 }

 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerDeployment) ValidateDelete() (admission.Warnings, error) {
+func (*RunnerDeploymentValidator) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
 	return nil, nil
 }

--- a/apis/actions.summerwind.net/v1alpha1/runnerreplicaset_webhook.go
+++ b/apis/actions.summerwind.net/v1alpha1/runnerreplicaset_webhook.go
@@ -17,6 +17,9 @@ limitations under the License.
 package v1alpha1

 import (
+	"context"
+	"fmt"
+
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@@ -32,36 +35,51 @@ var runnerReplicaSetLog = logf.Log.WithName("runnerreplicaset-resource")
 func (r *RunnerReplicaSet) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
+		WithDefaulter(&RunnerReplicaSetDefaulter{}).
+		WithValidator(&RunnerReplicaSetValidator{}).
 		Complete()
 }

 // +kubebuilder:webhook:path=/mutate-actions-summerwind-dev-v1alpha1-runnerreplicaset,verbs=create;update,mutating=true,failurePolicy=fail,groups=actions.summerwind.dev,resources=runnerreplicasets,versions=v1alpha1,name=mutate.runnerreplicaset.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1

-var _ webhook.Defaulter = &RunnerReplicaSet{}
+var _ webhook.CustomDefaulter = &RunnerReplicaSetDefaulter{}
+
+type RunnerReplicaSetDefaulter struct{}

 // Default implements webhook.Defaulter so a webhook will be registered for the type
-func (r *RunnerReplicaSet) Default() {
+func (*RunnerReplicaSetDefaulter) Default(context.Context, runtime.Object) error {
 	// Nothing to do.
+	return nil
 }

 // +kubebuilder:webhook:path=/validate-actions-summerwind-dev-v1alpha1-runnerreplicaset,verbs=create;update,mutating=false,failurePolicy=fail,groups=actions.summerwind.dev,resources=runnerreplicasets,versions=v1alpha1,name=validate.runnerreplicaset.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1

-var _ webhook.Validator = &RunnerReplicaSet{}
+var _ webhook.CustomValidator = &RunnerReplicaSetValidator{}
+
+type RunnerReplicaSetValidator struct{}

 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerReplicaSet) ValidateCreate() (admission.Warnings, error) {
+func (*RunnerReplicaSetValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	r, ok := obj.(*RunnerReplicaSet)
+	if !ok {
+		return nil, fmt.Errorf("expected RunnerReplicaSet object, got %T", obj)
+	}
 	runnerReplicaSetLog.Info("validate resource to be created", "name", r.Name)
 	return nil, r.Validate()
 }

 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerReplicaSet) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
+func (*RunnerReplicaSetValidator) ValidateUpdate(ctx context.Context, old, obj runtime.Object) (admission.Warnings, error) {
+	r, ok := obj.(*RunnerReplicaSet)
+	if !ok {
+		return nil, fmt.Errorf("expected RunnerReplicaSet object, got %T", obj)
+	}
 	runnerReplicaSetLog.Info("validate resource to be updated", "name", r.Name)
 	return nil, r.Validate()
 }

 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *RunnerReplicaSet) ValidateDelete() (admission.Warnings, error) {
+func (*RunnerReplicaSetValidator) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
 	return nil, nil
 }

--- a/apis/actions.summerwind.net/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/actions.summerwind.net/v1alpha1/zz_generated.deepcopy.go
@@ -467,6 +467,21 @@ func (in *RunnerConfig) DeepCopy() *RunnerConfig {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RunnerDefaulter) DeepCopyInto(out *RunnerDefaulter) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerDefaulter.
+func (in *RunnerDefaulter) DeepCopy() *RunnerDefaulter {
+	if in == nil {
+		return nil
+	}
+	out := new(RunnerDefaulter)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerDeployment) DeepCopyInto(out *RunnerDeployment) {
 	*out = *in
@@ -494,6 +509,21 @@ func (in *RunnerDeployment) DeepCopyObject() runtime.Object {
 	return nil
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RunnerDeploymentDefaulter) DeepCopyInto(out *RunnerDeploymentDefaulter) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerDeploymentDefaulter.
+func (in *RunnerDeploymentDefaulter) DeepCopy() *RunnerDeploymentDefaulter {
+	if in == nil {
+		return nil
+	}
+	out := new(RunnerDeploymentDefaulter)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerDeploymentList) DeepCopyInto(out *RunnerDeploymentList) {
 	*out = *in
@@ -596,6 +626,21 @@ func (in *RunnerDeploymentStatus) DeepCopy() *RunnerDeploymentStatus {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RunnerDeploymentValidator) DeepCopyInto(out *RunnerDeploymentValidator) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerDeploymentValidator.
+func (in *RunnerDeploymentValidator) DeepCopy() *RunnerDeploymentValidator {
+	if in == nil {
+		return nil
+	}
+	out := new(RunnerDeploymentValidator)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerList) DeepCopyInto(out *RunnerList) {
 	*out = *in
@@ -815,6 +860,21 @@ func (in *RunnerReplicaSet) DeepCopyObject() runtime.Object {
 	return nil
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RunnerReplicaSetDefaulter) DeepCopyInto(out *RunnerReplicaSetDefaulter) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerReplicaSetDefaulter.
+func (in *RunnerReplicaSetDefaulter) DeepCopy() *RunnerReplicaSetDefaulter {
+	if in == nil {
+		return nil
+	}
+	out := new(RunnerReplicaSetDefaulter)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerReplicaSetList) DeepCopyInto(out *RunnerReplicaSetList) {
 	*out = *in
@@ -907,6 +967,21 @@ func (in *RunnerReplicaSetStatus) DeepCopy() *RunnerReplicaSetStatus {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RunnerReplicaSetValidator) DeepCopyInto(out *RunnerReplicaSetValidator) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerReplicaSetValidator.
+func (in *RunnerReplicaSetValidator) DeepCopy() *RunnerReplicaSetValidator {
+	if in == nil {
+		return nil
+	}
+	out := new(RunnerReplicaSetValidator)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunnerSet) DeepCopyInto(out *RunnerSet) {
 	*out = *in
@@ -1112,6 +1187,21 @@ func (in *RunnerTemplate) DeepCopy() *RunnerTemplate {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RunnerValidator) DeepCopyInto(out *RunnerValidator) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerValidator.
+func (in *RunnerValidator) DeepCopy() *RunnerValidator {
+	if in == nil {
+		return nil
+	}
+	out := new(RunnerValidator)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScaleTargetRef) DeepCopyInto(out *ScaleTargetRef) {
 	*out = *in
--- a/charts/actions-runner-controller/Chart.yaml
+++ b/charts/actions-runner-controller/Chart.yaml
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.23.5
+version: 0.23.7

 # Used as the default manager tag value when no tag property is provided in the values.yaml
-appVersion: 0.27.5
+appVersion: 0.27.6

 home: https://github.com/actions/actions-runner-controller

--- a/charts/actions-runner-controller/README.md
+++ b/charts/actions-runner-controller/README.md
@@ -8,154 +8,156 @@ All additional docs are kept in the `docs/` folder, this README is solely for do

 > _Default values are the defaults set in the charts `values.yaml`, some properties have default configurations in the code for when the property is omitted or invalid_

-| Key                                                      | Description                                                                                                                               | Default                                                                                         |
-|----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------|
-| `labels`                                                 | Set labels to apply to all resources in the chart                                                                                         |                                                                                                 |
-| `replicaCount`                                           | Set the number of controller pods                                                                                                         | 1                                                                                               |
-| `webhookPort`                                            | Set the containerPort for the webhook Pod                                                                                                 | 9443                                                                                            |
-| `syncPeriod`                                             | Set the period in which the controller reconciles the desired runners count                                                               | 1m                                                                                              |
-| `enableLeaderElection`                                   | Enable election configuration                                                                                                             | true                                                                                            |
-| `leaderElectionId`                                       | Set the election ID for the controller group                                                                                              |                                                                                                 |
-| `githubEnterpriseServerURL`                              | Set the URL for a self-hosted GitHub Enterprise Server                                                                                    |                                                                                                 |
-| `githubURL`                                              | Override GitHub URL to be used for GitHub API calls                                                                                       |                                                                                                 |
-| `githubUploadURL`                                        | Override GitHub Upload URL to be used for GitHub API calls                                                                                |                                                                                                 |
-| `runnerGithubURL`                                        | Override GitHub URL to be used by runners during registration                                                                             |                                                                                                 |
-| `logLevel`                                               | Set the log level of the controller container                                                                                             |                                                                                                 |
-| `logFormat`                                              | Set the log format of the controller. Valid options are "text" and "json"                                                                 | text                                                                                            |
-| `additionalVolumes`                                      | Set additional volumes to add to the manager container                                                                                    |                                                                                                 |
-| `additionalVolumeMounts`                                 | Set additional volume mounts to add to the manager container                                                                              |                                                                                                 |
-| `authSecret.create`                                      | Deploy the controller auth secret                                                                                                         | false                                                                                           |
-| `authSecret.name`                                        | Set the name of the auth secret                                                                                                           | controller-manager                                                                              |
-| `authSecret.annotations`                                 | Set annotations for the auth Secret                                                                                                       |                                                                                                 |
-| `authSecret.github_app_id`                               | The ID of your GitHub App. **This can't be set at the same time as `authSecret.github_token`**                                            |                                                                                                 |
-| `authSecret.github_app_installation_id`                  | The ID of your GitHub App installation. **This can't be set at the same time as `authSecret.github_token`**                               |                                                                                                 |
-| `authSecret.github_app_private_key`                      | The multiline string of your GitHub App's private key. **This can't be set at the same time as `authSecret.github_token`**                |                                                                                                 |
-| `authSecret.github_token`                                | Your chosen GitHub PAT token. **This can't be set at the same time as the `authSecret.github_app_*`**                                     |                                                                                                 |
-| `authSecret.github_basicauth_username`                   | Username for GitHub basic auth to use instead of PAT or GitHub APP in case it's running behind a proxy API                                |                                                                                                 |
-| `authSecret.github_basicauth_password`                   | Password for GitHub basic auth to use instead of PAT or GitHub APP in case it's running behind a proxy API                                |                                                                                                 |
-| `dockerRegistryMirror`                                   | The default Docker Registry Mirror used by runners.                                                                                       |                                                                                                 |
-| `hostNetwork`                                            | The "hostNetwork" of the controller container                                                                                             | false                                                                                           |
-| `dnsPolicy`                                              | The "dnsPolicy" of the controller container                                                                                               | ClusterFirst                                                                                    |
-| `image.repository`                                       | The "repository/image" of the controller container                                                                                        | summerwind/actions-runner-controller                                                            |
-| `image.tag`                                              | The tag of the controller container                                                                                                       |                                                                                                 |
-| `image.actionsRunnerRepositoryAndTag`                    | The "repository/image" of the actions runner container                                                                                    | summerwind/actions-runner:latest                                                                |
-| `image.actionsRunnerImagePullSecrets`                    | Optional image pull secrets to be included in the runner pod's ImagePullSecrets                                                           |                                                                                                 |
-| `image.dindSidecarRepositoryAndTag`                      | The "repository/image" of the dind sidecar container                                                                                      | docker:dind                                                                                     |
-| `image.pullPolicy`                                       | The pull policy of the controller image                                                                                                   | IfNotPresent                                                                                    |
-| `metrics.serviceMonitor.enable`                                 | Deploy serviceMonitor kind for for use with prometheus-operator CRDs                                                                      | false                                                                                           |
-| `metrics.serviceMonitor.interval`                                 | Configure the interval that Prometheus should scrap the controller's metrics                                                                      | 1m                                                                                           |
-| `metrics.serviceMonitor.timeout`                                 | Configure the timeout the timeout of Prometheus scrapping.                                                                      | 30s                                                                                           |
-| `metrics.serviceAnnotations`                             | Set annotations for the provisioned metrics service resource                                                                              |                                                                                                 |
-| `metrics.port`                                           | Set port of metrics service                                                                                                               | 8443                                                                                            |
-| `metrics.proxy.enabled`                                  | Deploy kube-rbac-proxy container in controller pod                                                                                        | true                                                                                            |
-| `metrics.proxy.image.repository`                         | The "repository/image" of the kube-proxy container                                                                                        | quay.io/brancz/kube-rbac-proxy                                                                  |
-| `metrics.proxy.image.tag`                                | The tag of the kube-proxy image to use when pulling the container                                                                         | v0.13.1                                                                                         |
-| `metrics.serviceMonitorLabels`                           | Set labels to apply to ServiceMonitor resources                                                                                           |                                                                                                 |
-| `imagePullSecrets`                                       | Specifies the secret to be used when pulling the controller pod containers                                                                |                                                                                                 |
-| `fullnameOverride`                                       | Override the full resource names	                                                                                                       |                                                                                                 |
-| `nameOverride`                                           | Override the resource name prefix	                                                                                                       |                                                                                                 |
-| `serviceAccount.annotations`                             | Set annotations to the service account                                                                                                    |                                                                                                 |
-| `serviceAccount.create`                                  | Deploy the controller pod under a service account                                                                                         | true                                                                                            |
-| `podAnnotations`                                         | Set annotations for the controller pod                                                                                                    |                                                                                                 |
-| `podLabels`                                              | Set labels for the controller pod                                                                                                         |                                                                                                 |
-| `serviceAccount.name`                                    | Set the name of the service account                                                                                                       |                                                                                                 |
-| `securityContext`                                        | Set the security context for each container in the controller pod                                                                         |                                                                                                 |
-| `podSecurityContext`                                     | Set the security context to controller pod                                                                                                |                                                                                                 |
-| `service.annotations`                                    | Set annotations for the provisioned webhook service resource                                                                              |                                                                                                 |
-| `service.port`                                           | Set controller service ports                                                                                                              |                                                                                                 |
-| `service.type`                                           | Set controller service type                                                                                                               |                                                                                                 |
-| `topologySpreadConstraints`                              | Set the controller pod topologySpreadConstraints                                                                                          |                                                                                                 |
-| `nodeSelector`                                           | Set the controller pod nodeSelector                                                                                                       |                                                                                                 |
-| `resources`                                              | Set the controller pod resources                                                                                                          |                                                                                                 |
-| `affinity`                                               | Set the controller pod affinity rules                                                                                                     |                                                                                                 |
-| `podDisruptionBudget.enabled`                            | Enables a PDB to ensure HA of controller pods                                                                                             |      false                                                                                      |
-| `podDisruptionBudget.minAvailable`                       | Minimum number of pods that must be available after eviction                                                                              |                                                                                                 |
-| `podDisruptionBudget.maxUnavailable`                     | Maximum number of pods that can be unavailable after eviction. Kubernetes 1.7+ required.                                                  |                                                                                                 |
-| `tolerations`                                            | Set the controller pod tolerations                                                                                                        |                                                                                                 |
-| `env`                                                    | Set environment variables for the controller container                                                                                    |                                                                                                 |
-| `priorityClassName`                                      | Set the controller pod priorityClassName                                                                                                  |                                                                                                 |
-| `scope.watchNamespace`                                   | Tells the controller and the github webhook server which namespace to watch if `scope.singleNamespace` is true                            | `Release.Namespace` (the default namespace of the helm chart).                                  |
-| `scope.singleNamespace`                                  | Limit the controller to watch a single namespace                                                                                          | false                                                                                           |
-| `certManagerEnabled`                                     | Enable cert-manager. If disabled you must set admissionWebHooks.caBundle and create TLS secrets manually                                  | true                                                                                            |
-| `runner.statusUpdateHook.enabled`                        | Use custom RBAC for runners (role, role binding and service account), this will enable reporting runner statuses                          | false                                                                                           |
-| `admissionWebHooks.caBundle`                             | Base64-encoded PEM bundle containing the CA that signed the webhook's serving certificate                                                 |                                                                                                 |
-| `githubWebhookServer.logLevel`                           | Set the log level of the githubWebhookServer container                                                                                    |                                                                                                 |
-| `githubWebhookServer.logFormat`                          | Set the log format of the githubWebhookServer controller. Valid options are "text" and "json"                                             | text                                                                                            |
-| `githubWebhookServer.replicaCount`                       | Set the number of webhook server pods                                                                                                     | 1                                                                                               |
-| `githubWebhookServer.useRunnerGroupsVisibility`          | Enable supporting runner groups with custom visibility, you also need to set `githubWebhookServer.secret.enabled` to enable this feature. | false                                                                                           |
-| `githubWebhookServer.enabled`                            | Deploy the webhook server pod                                                                                                             | false                                                                                           |
-| `githubWebhookServer.queueLimit`                         | Set the queue size limit in the githubWebhookServer                                                                                       |                                                                                                 |
-| `githubWebhookServer.secret.enabled`                     | Passes the webhook hook secret to the github-webhook-server                                                                               | false                                                                                           |
-| `githubWebhookServer.secret.create`                      | Deploy the webhook hook secret                                                                                                            | false                                                                                           |
-| `githubWebhookServer.secret.name`                        | Set the name of the webhook hook secret                                                                                                   | github-webhook-server                                                                           |
-| `githubWebhookServer.secret.github_webhook_secret_token` | Set the webhook secret token value                                                                                                        |                                                                                                 |
-| `githubWebhookServer.imagePullSecrets`                   | Specifies the secret to be used when pulling the githubWebhookServer pod containers                                                       |                                                                                                 |
-| `githubWebhookServer.nameOverride`                       | Override the resource name prefix	                                                                                                       |                                                                                                 |
-| `githubWebhookServer.fullnameOverride`                   | Override the full resource names	                                                                                                       |                                                                                                 |
-| `githubWebhookServer.serviceAccount.create`              | Deploy the githubWebhookServer under a service account                                                                                    | true                                                                                            |
-| `githubWebhookServer.serviceAccount.annotations`         | Set annotations for the service account                                                                                                   |                                                                                                 |
-| `githubWebhookServer.serviceAccount.name`                | Set the service account name                                                                                                              |                                                                                                 |
-| `githubWebhookServer.podAnnotations`                     | Set annotations for the githubWebhookServer pod                                                                                           |                                                                                                 |
-| `githubWebhookServer.podLabels`                          | Set labels for the githubWebhookServer pod                                                                                                |                                                                                                 |
-| `githubWebhookServer.podSecurityContext`                 | Set the security context to githubWebhookServer pod                                                                                       |                                                                                                 |
-| `githubWebhookServer.securityContext`                    | Set the security context for each container in the githubWebhookServer pod                                                                |                                                                                                 |
-| `githubWebhookServer.resources`                          | Set the githubWebhookServer pod resources                                                                                                 |                                                                                                 |
-| `githubWebhookServer.topologySpreadConstraints`          | Set the githubWebhookServer pod topologySpreadConstraints                                                                                 |                                                                                                 |
-| `githubWebhookServer.nodeSelector`                       | Set the githubWebhookServer pod nodeSelector                                                                                              |                                                                                                 |
-| `githubWebhookServer.tolerations`                        | Set the githubWebhookServer pod tolerations                                                                                               |                                                                                                 |
-| `githubWebhookServer.affinity`                           | Set the githubWebhookServer pod affinity rules                                                                                            |                                                                                                 |
-| `githubWebhookServer.priorityClassName`                  | Set the githubWebhookServer pod priorityClassName                                                                                         |                                                                                                 |
-| `githubWebhookServer.terminationGracePeriodSeconds`      | Set the githubWebhookServer pod terminationGracePeriodSeconds. Useful when using preStop hooks to drain/sleep.                            | `10`                                                                                            |
-| `githubWebhookServer.lifecycle`                          | Set the githubWebhookServer pod lifecycle hooks                                                                                           | `{}`                                                                                            |
-| `githubWebhookServer.service.type`                       | Set githubWebhookServer service type                                                                                                      |                                                                                                 |
-| `githubWebhookServer.service.ports`                      | Set githubWebhookServer service ports                                                                                                     | `[{"port":80, "targetPort:"http", "protocol":"TCP", "name":"http"}]`                            |
-| `githubWebhookServer.service.loadBalancerSourceRanges`   | Set githubWebhookServer loadBalancerSourceRanges for restricting loadBalancer type services                                               | `[]`                                                                                            |
-| `githubWebhookServer.ingress.enabled`                    | Deploy an ingress kind for the githubWebhookServer                                                                                        | false                                                                                           |
-| `githubWebhookServer.ingress.annotations`                | Set annotations for the ingress kind                                                                                                      |                                                                                                 |
-| `githubWebhookServer.ingress.hosts`                      | Set hosts configuration for ingress                                                                                                       | `[{"host": "chart-example.local", "paths": []}]`                                                |
-| `githubWebhookServer.ingress.tls`                        | Set tls configuration for ingress                                                                                                         |                                                                                                 |
-| `githubWebhookServer.ingress.ingressClassName`           | Set ingress class name                                                                                                                    |                                                                                                 |
-| `githubWebhookServer.podDisruptionBudget.enabled`        | Enables a PDB to ensure HA of githubwebhook pods                                                                                          | false                                                                                           |
-| `githubWebhookServer.podDisruptionBudget.minAvailable`   | Minimum number of pods that must be available after eviction                                                                              |                                                                                                 |
-| `githubWebhookServer.podDisruptionBudget.maxUnavailable` | Maximum number of pods that can be unavailable after eviction. Kubernetes 1.7+ required.                                                  |                                                                                                 |
-| `actionsMetricsServer.logLevel`                           | Set the log level of the actionsMetricsServer container                                                                                    |                                                                                                 |
-| `actionsMetricsServer.logFormat`                          | Set the log format of the actionsMetricsServer controller. Valid options are "text" and "json"                                             | text                                                                                            |
-| `actionsMetricsServer.enabled`                            | Deploy the actions metrics server pod                                                                                                             | false                                                                                           |
+| Key                                                       | Description                                                                                                                               | Default                                                                                         |
+|-----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------|
+| `labels`                                                  | Set labels to apply to all resources in the chart                                                                                         |                                                                                                 |
+| `replicaCount`                                            | Set the number of controller pods                                                                                                         | 1                                                                                               |
+| `webhookPort`                                             | Set the containerPort for the webhook Pod                                                                                                 | 9443                                                                                            |
+| `syncPeriod`                                              | Set the period in which the controller reconciles the desired runners count                                                               | 1m                                                                                              |
+| `enableLeaderElection`                                    | Enable election configuration                                                                                                             | true                                                                                            |
+| `leaderElectionId`                                        | Set the election ID for the controller group                                                                                              |                                                                                                 |
+| `githubEnterpriseServerURL`                               | Set the URL for a self-hosted GitHub Enterprise Server                                                                                    |                                                                                                 |
+| `githubURL`                                               | Override GitHub URL to be used for GitHub API calls                                                                                       |                                                                                                 |
+| `githubUploadURL`                                         | Override GitHub Upload URL to be used for GitHub API calls                                                                                |                                                                                                 |
+| `runnerGithubURL`                                         | Override GitHub URL to be used by runners during registration                                                                             |                                                                                                 |
+| `logLevel`                                                | Set the log level of the controller container                                                                                             |                                                                                                 |
+| `logFormat`                                               | Set the log format of the controller. Valid options are "text" and "json"                                                                 | text                                                                                            |
+| `additionalVolumes`                                       | Set additional volumes to add to the manager container                                                                                    |                                                                                                 |
+| `additionalVolumeMounts`                                  | Set additional volume mounts to add to the manager container                                                                              |                                                                                                 |
+| `authSecret.create`                                       | Deploy the controller auth secret                                                                                                         | false                                                                                           |
+| `authSecret.name`                                         | Set the name of the auth secret                                                                                                           | controller-manager                                                                              |
+| `authSecret.annotations`                                  | Set annotations for the auth Secret                                                                                                       |                                                                                                 |
+| `authSecret.github_app_id`                                | The ID of your GitHub App. **This can't be set at the same time as `authSecret.github_token`**                                            |                                                                                                 |
+| `authSecret.github_app_installation_id`                   | The ID of your GitHub App installation. **This can't be set at the same time as `authSecret.github_token`**                               |                                                                                                 |
+| `authSecret.github_app_private_key`                       | The multiline string of your GitHub App's private key. **This can't be set at the same time as `authSecret.github_token`**                |                                                                                                 |
+| `authSecret.github_token`                                 | Your chosen GitHub PAT token. **This can't be set at the same time as the `authSecret.github_app_*`**                                     |                                                                                                 |
+| `authSecret.github_basicauth_username`                    | Username for GitHub basic auth to use instead of PAT or GitHub APP in case it's running behind a proxy API                                |                                                                                                 |
+| `authSecret.github_basicauth_password`                    | Password for GitHub basic auth to use instead of PAT or GitHub APP in case it's running behind a proxy API                                |                                                                                                 |
+| `dockerRegistryMirror`                                    | The default Docker Registry Mirror used by runners.                                                                                       |                                                                                                 |
+| `hostNetwork`                                             | The "hostNetwork" of the controller container                                                                                             | false                                                                                           |
+| `dnsPolicy`                                               | The "dnsPolicy" of the controller container                                                                                               | ClusterFirst                                                                                    |
+| `image.repository`                                        | The "repository/image" of the controller container                                                                                        | summerwind/actions-runner-controller                                                            |
+| `image.tag`                                               | The tag of the controller container                                                                                                       |                                                                                                 |
+| `image.actionsRunnerRepositoryAndTag`                     | The "repository/image" of the actions runner container                                                                                    | summerwind/actions-runner:latest                                                                |
+| `image.actionsRunnerImagePullSecrets`                     | Optional image pull secrets to be included in the runner pod's ImagePullSecrets                                                           |                                                                                                 |
+| `image.dindSidecarRepositoryAndTag`                       | The "repository/image" of the dind sidecar container                                                                                      | docker:dind                                                                                     |
+| `image.pullPolicy`                                        | The pull policy of the controller image                                                                                                   | IfNotPresent                                                                                    |
+| `metrics.serviceMonitor.enable`                           | Deploy serviceMonitor kind for for use with prometheus-operator CRDs                                                                      | false                                                                                           |
+| `metrics.serviceMonitor.interval`                         | Configure the interval that Prometheus should scrap the controller's metrics                                                              | 1m                                                                                              |
+| `metrics.serviceMonitor.namespace                         | Namespace which Prometheus is running in                                                                                                  | `Release.Namespace` (the default namespace of the helm chart).                                  |
+| `metrics.serviceMonitor.timeout`                          | Configure the timeout the timeout of Prometheus scrapping.                                                                                | 30s                                                                                             |
+| `metrics.serviceAnnotations`                              | Set annotations for the provisioned metrics service resource                                                                              |                                                                                                 |
+| `metrics.port`                                            | Set port of metrics service                                                                                                               | 8443                                                                                            |
+| `metrics.proxy.enabled`                                   | Deploy kube-rbac-proxy container in controller pod                                                                                        | true                                                                                            |
+| `metrics.proxy.image.repository`                          | The "repository/image" of the kube-proxy container                                                                                        | quay.io/brancz/kube-rbac-proxy                                                                  |
+| `metrics.proxy.image.tag`                                 | The tag of the kube-proxy image to use when pulling the container                                                                         | v0.13.1                                                                                         |
+| `metrics.serviceMonitorLabels`                            | Set labels to apply to ServiceMonitor resources                                                                                           |                                                                                                 |
+| `imagePullSecrets`                                        | Specifies the secret to be used when pulling the controller pod containers                                                                |                                                                                                 |
+| `fullnameOverride`                                        | Override the full resource names	                                                                                                        |                                                                                                 |
+| `nameOverride`                                            | Override the resource name prefix	                                                                                                        |                                                                                                 |
+| `serviceAccount.annotations`                              | Set annotations to the service account                                                                                                    |                                                                                                 |
+| `serviceAccount.create`                                   | Deploy the controller pod under a service account                                                                                         | true                                                                                            |
+| `podAnnotations`                                          | Set annotations for the controller pod                                                                                                    |                                                                                                 |
+| `podLabels`                                               | Set labels for the controller pod                                                                                                         |                                                                                                 |
+| `serviceAccount.name`                                     | Set the name of the service account                                                                                                       |                                                                                                 |
+| `securityContext`                                         | Set the security context for each container in the controller pod                                                                         |                                                                                                 |
+| `podSecurityContext`                                      | Set the security context to controller pod                                                                                                |                                                                                                 |
+| `service.annotations`                                     | Set annotations for the provisioned webhook service resource                                                                              |                                                                                                 |
+| `service.port`                                            | Set controller service ports                                                                                                              |                                                                                                 |
+| `service.type`                                            | Set controller service type                                                                                                               |                                                                                                 |
+| `topologySpreadConstraints`                               | Set the controller pod topologySpreadConstraints                                                                                          |                                                                                                 |
+| `nodeSelector`                                            | Set the controller pod nodeSelector                                                                                                       |                                                                                                 |
+| `resources`                                               | Set the controller pod resources                                                                                                          |                                                                                                 |
+| `affinity`                                                | Set the controller pod affinity rules                                                                                                     |                                                                                                 |
+| `podDisruptionBudget.enabled`                             | Enables a PDB to ensure HA of controller pods                                                                                             | false                                                                                      |
+| `podDisruptionBudget.minAvailable`                        | Minimum number of pods that must be available after eviction                                                                              |                                                                                                 |
+| `podDisruptionBudget.maxUnavailable`                      | Maximum number of pods that can be unavailable after eviction. Kubernetes 1.7+ required.                                                  |                                                                                                 |
+| `tolerations`                                             | Set the controller pod tolerations                                                                                                        |                                                                                                 |
+| `env`                                                     | Set environment variables for the controller container                                                                                    |                                                                                                 |
+| `priorityClassName`                                       | Set the controller pod priorityClassName                                                                                                  |                                                                                                 |
+| `scope.watchNamespace`                                    | Tells the controller and the github webhook server which namespace to watch if `scope.singleNamespace` is true                            | `Release.Namespace` (the default namespace of the helm chart).                                  |
+| `scope.singleNamespace`                                   | Limit the controller to watch a single namespace                                                                                          | false                                                                                           |
+| `certManagerEnabled`                                      | Enable cert-manager. If disabled you must set admissionWebHooks.caBundle and create TLS secrets manually                                  | true                                                                                            |
+| `runner.statusUpdateHook.enabled`                         | Use custom RBAC for runners (role, role binding and service account), this will enable reporting runner statuses                          | false                                                                                           |
+| `admissionWebHooks.caBundle`                              | Base64-encoded PEM bundle containing the CA that signed the webhook's serving certificate                                                 |                                                                                                 |
+| `githubWebhookServer.logLevel`                            | Set the log level of the githubWebhookServer container                                                                                    |                                                                                                 |
+| `githubWebhookServer.logFormat`                           | Set the log format of the githubWebhookServer controller. Valid options are "text" and "json"                                             | text                                                                                            |
+| `githubWebhookServer.replicaCount`                        | Set the number of webhook server pods                                                                                                     | 1                                                                                               |
+| `githubWebhookServer.useRunnerGroupsVisibility`           | Enable supporting runner groups with custom visibility, you also need to set `githubWebhookServer.secret.enabled` to enable this feature. | false                                                                                           |
+| `githubWebhookServer.enabled`                             | Deploy the webhook server pod                                                                                                             | false                                                                                           |
+| `githubWebhookServer.queueLimit`                          | Set the queue size limit in the githubWebhookServer                                                                                       |                                                                                                 |
+| `githubWebhookServer.secret.enabled`                      | Passes the webhook hook secret to the github-webhook-server                                                                               | false                                                                                           |
+| `githubWebhookServer.secret.create`                       | Deploy the webhook hook secret                                                                                                            | false                                                                                           |
+| `githubWebhookServer.secret.name`                         | Set the name of the webhook hook secret                                                                                                   | github-webhook-server                                                                           |
+| `githubWebhookServer.secret.github_webhook_secret_token`  | Set the webhook secret token value                                                                                                        |                                                                                                 |
+| `githubWebhookServer.imagePullSecrets`                    | Specifies the secret to be used when pulling the githubWebhookServer pod containers                                                       |                                                                                                 |
+| `githubWebhookServer.nameOverride`                        | Override the resource name prefix	                                                                                                        |                                                                                                 |
+| `githubWebhookServer.fullnameOverride`                    | Override the full resource names	                                                                                                        |                                                                                                 |
+| `githubWebhookServer.serviceAccount.create`               | Deploy the githubWebhookServer under a service account                                                                                    | true                                                                                            |
+| `githubWebhookServer.serviceAccount.annotations`          | Set annotations for the service account                                                                                                   |                                                                                                 |
+| `githubWebhookServer.serviceAccount.name`                 | Set the service account name                                                                                                              |                                                                                                 |
+| `githubWebhookServer.podAnnotations`                      | Set annotations for the githubWebhookServer pod                                                                                           |                                                                                                 |
+| `githubWebhookServer.podLabels`                           | Set labels for the githubWebhookServer pod                                                                                                |                                                                                                 |
+| `githubWebhookServer.podSecurityContext`                  | Set the security context to githubWebhookServer pod                                                                                       |                                                                                                 |
+| `githubWebhookServer.securityContext`                     | Set the security context for each container in the githubWebhookServer pod                                                                |                                                                                                 |
+| `githubWebhookServer.resources`                           | Set the githubWebhookServer pod resources                                                                                                 |                                                                                                 |
+| `githubWebhookServer.topologySpreadConstraints`           | Set the githubWebhookServer pod topologySpreadConstraints                                                                                 |                                                                                                 |
+| `githubWebhookServer.nodeSelector`                        | Set the githubWebhookServer pod nodeSelector                                                                                              |                                                                                                 |
+| `githubWebhookServer.tolerations`                         | Set the githubWebhookServer pod tolerations                                                                                               |                                                                                                 |
+| `githubWebhookServer.affinity`                            | Set the githubWebhookServer pod affinity rules                                                                                            |                                                                                                 |
+| `githubWebhookServer.priorityClassName`                   | Set the githubWebhookServer pod priorityClassName                                                                                         |                                                                                                 |
+| `githubWebhookServer.terminationGracePeriodSeconds`       | Set the githubWebhookServer pod terminationGracePeriodSeconds. Useful when using preStop hooks to drain/sleep.                            | `10`                                                                                            |
+| `githubWebhookServer.lifecycle`                           | Set the githubWebhookServer pod lifecycle hooks                                                                                           | `{}`                                                                                            |
+| `githubWebhookServer.service.type`                        | Set githubWebhookServer service type                                                                                                      |                                                                                                 |
+| `githubWebhookServer.service.ports`                       | Set githubWebhookServer service ports                                                                                                     | `[{"port":80, "targetPort:"http", "protocol":"TCP", "name":"http"}]`                            |
+| `githubWebhookServer.service.loadBalancerSourceRanges`    | Set githubWebhookServer loadBalancerSourceRanges for restricting loadBalancer type services                                               | `[]`                                                                                            |
+| `githubWebhookServer.ingress.enabled`                     | Deploy an ingress kind for the githubWebhookServer                                                                                        | false                                                                                           |
+| `githubWebhookServer.ingress.annotations`                 | Set annotations for the ingress kind                                                                                                      |                                                                                                 |
+| `githubWebhookServer.ingress.hosts`                       | Set hosts configuration for ingress                                                                                                       | `[{"host": "chart-example.local", "paths": []}]`                                                |
+| `githubWebhookServer.ingress.tls`                         | Set tls configuration for ingress                                                                                                         |                                                                                                 |
+| `githubWebhookServer.ingress.ingressClassName`            | Set ingress class name                                                                                                                    |                                                                                                 |
+| `githubWebhookServer.podDisruptionBudget.enabled`         | Enables a PDB to ensure HA of githubwebhook pods                                                                                          | false                                                                                           |
+| `githubWebhookServer.podDisruptionBudget.minAvailable`    | Minimum number of pods that must be available after eviction                                                                              |                                                                                                 |
+| `githubWebhookServer.podDisruptionBudget.maxUnavailable`  | Maximum number of pods that can be unavailable after eviction. Kubernetes 1.7+ required.                                                  |                                                                                                 |
+| `actionsMetricsServer.logLevel`                           | Set the log level of the actionsMetricsServer container                                                                                   |                                                                                                 |
+| `actionsMetricsServer.logFormat`                          | Set the log format of the actionsMetricsServer controller. Valid options are "text" and "json"                                            | text                                                                                            |
+| `actionsMetricsServer.enabled`                            | Deploy the actions metrics server pod                                                                                                     | false                                                                                           |
 | `actionsMetricsServer.secret.enabled`                     | Passes the webhook hook secret to the actions-metrics-server                                                                              | false                                                                                           |
 | `actionsMetricsServer.secret.create`                      | Deploy the webhook hook secret                                                                                                            | false                                                                                           |
-| `actionsMetricsServer.secret.name`                        | Set the name of the webhook hook secret                                                                                                   | actions-metrics-server                                                                           |
+| `actionsMetricsServer.secret.name`                        | Set the name of the webhook hook secret                                                                                                   | actions-metrics-server                                                                          |
 | `actionsMetricsServer.secret.github_webhook_secret_token` | Set the webhook secret token value                                                                                                        |                                                                                                 |
-| `actionsMetricsServer.imagePullSecrets`                   | Specifies the secret to be used when pulling the actionsMetricsServer pod containers                                                       |                                                                                                 |
-| `actionsMetricsServer.nameOverride`                       | Override the resource name prefix	                                                                                                       |                                                                                                 |
-| `actionsMetricsServer.fullnameOverride`                   | Override the full resource names	                                                                                                       |                                                                                                 |
-| `actionsMetricsServer.serviceAccount.create`              | Deploy the actionsMetricsServer under a service account                                                                                    | true                                                                                            |
+| `actionsMetricsServer.imagePullSecrets`                   | Specifies the secret to be used when pulling the actionsMetricsServer pod containers                                                      |                                                                                                 |
+| `actionsMetricsServer.nameOverride`                       | Override the resource name prefix	                                                                                                        |                                                                                                 |
+| `actionsMetricsServer.fullnameOverride`                   | Override the full resource names	                                                                                                        |                                                                                                 |
+| `actionsMetricsServer.serviceAccount.create`              | Deploy the actionsMetricsServer under a service account                                                                                   | true                                                                                            |
 | `actionsMetricsServer.serviceAccount.annotations`         | Set annotations for the service account                                                                                                   |                                                                                                 |
 | `actionsMetricsServer.serviceAccount.name`                | Set the service account name                                                                                                              |                                                                                                 |
-| `actionsMetricsServer.podAnnotations`                     | Set annotations for the actionsMetricsServer pod                                                                                           |                                                                                                 |
-| `actionsMetricsServer.podLabels`                          | Set labels for the actionsMetricsServer pod                                                                                                |                                                                                                 |
-| `actionsMetricsServer.podSecurityContext`                 | Set the security context to actionsMetricsServer pod                                                                                       |                                                                                                 |
-| `actionsMetricsServer.securityContext`                    | Set the security context for each container in the actionsMetricsServer pod                                                                |                                                                                                 |
-| `actionsMetricsServer.resources`                          | Set the actionsMetricsServer pod resources                                                                                                 |                                                                                                 |
-| `actionsMetricsServer.topologySpreadConstraints`          | Set the actionsMetricsServer pod topologySpreadConstraints                                                                                 |                                                                                                 |
-| `actionsMetricsServer.nodeSelector`                       | Set the actionsMetricsServer pod nodeSelector                                                                                              |                                                                                                 |
-| `actionsMetricsServer.tolerations`                        | Set the actionsMetricsServer pod tolerations                                                                                               |                                                                                                 |
-| `actionsMetricsServer.affinity`                           | Set the actionsMetricsServer pod affinity rules                                                                                            |                                                                                                 |
-| `actionsMetricsServer.priorityClassName`                  | Set the actionsMetricsServer pod priorityClassName                                                                                         |                                                                                                 |
+| `actionsMetricsServer.podAnnotations`                     | Set annotations for the actionsMetricsServer pod                                                                                          |                                                                                                 |
+| `actionsMetricsServer.podLabels`                          | Set labels for the actionsMetricsServer pod                                                                                               |                                                                                                 |
+| `actionsMetricsServer.podSecurityContext`                 | Set the security context to actionsMetricsServer pod                                                                                      |                                                                                                 |
+| `actionsMetricsServer.securityContext`                    | Set the security context for each container in the actionsMetricsServer pod                                                               |                                                                                                 |
+| `actionsMetricsServer.resources`                          | Set the actionsMetricsServer pod resources                                                                                                |                                                                                                 |
+| `actionsMetricsServer.topologySpreadConstraints`          | Set the actionsMetricsServer pod topologySpreadConstraints                                                                                |                                                                                                 |
+| `actionsMetricsServer.nodeSelector`                       | Set the actionsMetricsServer pod nodeSelector                                                                                             |                                                                                                 |
+| `actionsMetricsServer.tolerations`                        | Set the actionsMetricsServer pod tolerations                                                                                              |                                                                                                 |
+| `actionsMetricsServer.affinity`                           | Set the actionsMetricsServer pod affinity rules                                                                                           |                                                                                                 |
+| `actionsMetricsServer.priorityClassName`                  | Set the actionsMetricsServer pod priorityClassName                                                                                        |                                                                                                 |
 | `actionsMetricsServer.terminationGracePeriodSeconds`      | Set the actionsMetricsServer pod terminationGracePeriodSeconds. Useful when using preStop hooks to drain/sleep.                           | `10`                                                                                            |
 | `actionsMetricsServer.lifecycle`                          | Set the actionsMetricsServer pod lifecycle hooks                                                                                          | `{}`                                                                                            |
-| `actionsMetricsServer.service.type`                       | Set actionsMetricsServer service type                                                                                                      |                                                                                                 |
-| `actionsMetricsServer.service.ports`                      | Set actionsMetricsServer service ports                                                                                                     | `[{"port":80, "targetPort:"http", "protocol":"TCP", "name":"http"}]`                            |
+| `actionsMetricsServer.service.type`                       | Set actionsMetricsServer service type                                                                                                     |                                                                                                 |
+| `actionsMetricsServer.service.ports`                      | Set actionsMetricsServer service ports                                                                                                    | `[{"port":80, "targetPort:"http", "protocol":"TCP", "name":"http"}]`                            |
 | `actionsMetricsServer.service.loadBalancerSourceRanges`   | Set actionsMetricsServer loadBalancerSourceRanges for restricting loadBalancer type services                                              | `[]`                                                                                            |
-| `actionsMetricsServer.ingress.enabled`                    | Deploy an ingress kind for the actionsMetricsServer                                                                                        | false                                                                                           |
+| `actionsMetricsServer.ingress.enabled`                    | Deploy an ingress kind for the actionsMetricsServer                                                                                       | false                                                                                           |
 | `actionsMetricsServer.ingress.annotations`                | Set annotations for the ingress kind                                                                                                      |                                                                                                 |
 | `actionsMetricsServer.ingress.hosts`                      | Set hosts configuration for ingress                                                                                                       | `[{"host": "chart-example.local", "paths": []}]`                                                |
 | `actionsMetricsServer.ingress.tls`                        | Set tls configuration for ingress                                                                                                         |                                                                                                 |
 | `actionsMetricsServer.ingress.ingressClassName`           | Set ingress class name                                                                                                                    |                                                                                                 |
-| `actionsMetrics.serviceMonitor.enable`                           | Deploy serviceMonitor kind for for use with prometheus-operator CRDs                                                                      | false                                                                                           |
-| `actionsMetrics.serviceMonitor.interval`                                 | Configure the interval that Prometheus should scrap the controller's metrics                                                                      | 1m                                                                                           |
-| `actionsMetrics.serviceMonitor.timeout`                                 | Configure the timeout the timeout of Prometheus scrapping.                                                                      | 30s                                                                                           |
-| `actionsMetrics.serviceAnnotations`                       | Set annotations for the provisioned actions metrics service resource                                                                              |                                                                                                 |
-| `actionsMetrics.port`                                     | Set port of actions metrics service                                                                                                               | 8443                                                                                            |
+| `actionsMetrics.serviceMonitor.enable`                    | Deploy serviceMonitor kind for for use with prometheus-operator CRDs                                                                      | false                                                                                           |
+| `actionsMetrics.serviceMonitor.interval`                  | Configure the interval that Prometheus should scrap the controller's metrics                                                              | 1m                                                                                              |
+| `actionsMetrics.serviceMonitor.namespace`                 | Namespace which Prometheus is running in.                                                                                                 | `Release.Namespace` (the default namespace of the helm chart).                                  |
+| `actionsMetrics.serviceMonitor.timeout`                   | Configure the timeout the timeout of Prometheus scrapping.                                                                                | 30s                                                                                             |
+| `actionsMetrics.serviceAnnotations`                       | Set annotations for the provisioned actions metrics service resource                                                                      |                                                                                                 |
+| `actionsMetrics.port`                                     | Set port of actions metrics service                                                                                                       | 8443                                                                                            |
 | `actionsMetrics.proxy.enabled`                            | Deploy kube-rbac-proxy container in controller pod                                                                                        | true                                                                                            |
 | `actionsMetrics.proxy.image.repository`                   | The "repository/image" of the kube-proxy container                                                                                        | quay.io/brancz/kube-rbac-proxy                                                                  |
 | `actionsMetrics.proxy.image.tag`                          | The tag of the kube-proxy image to use when pulling the container                                                                         | v0.13.1                                                                                         |
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_horizontalrunnerautoscalers.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_horizontalrunnerautoscalers.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.17.2
  name: horizontalrunnerautoscalers.actions.summerwind.dev
 spec:
  group: actions.summerwind.dev
@@ -35,10 +35,19 @@ spec:
          description: HorizontalRunnerAutoscaler is the Schema for the horizontalrunnerautoscaler API
          properties:
            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
              type: string
            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
              type: string
            metadata:
              type: object
@@ -47,7 +56,9 @@ spec:
              properties:
                capacityReservations:
                  items:
-                    description: CapacityReservation specifies the number of replicas temporarily added to the scale target until ExpirationTime.
+                    description: |-
+                      CapacityReservation specifies the number of replicas temporarily added
+                      to the scale target until ExpirationTime.
                    properties:
                      effectiveTime:
                        format: date-time
@@ -79,30 +90,46 @@ spec:
                  items:
                    properties:
                      repositoryNames:
-                        description: RepositoryNames is the list of repository names to be used for calculating the metric. For example, a repository name is the REPO part of `github.com/USER/REPO`.
+                        description: |-
+                          RepositoryNames is the list of repository names to be used for calculating the metric.
+                          For example, a repository name is the REPO part of `github.com/USER/REPO`.
                        items:
                          type: string
                        type: array
                      scaleDownAdjustment:
-                        description: ScaleDownAdjustment is the number of runners removed on scale-down. You can only specify either ScaleDownFactor or ScaleDownAdjustment.
+                        description: |-
+                          ScaleDownAdjustment is the number of runners removed on scale-down.
+                          You can only specify either ScaleDownFactor or ScaleDownAdjustment.
                        type: integer
                      scaleDownFactor:
-                        description: ScaleDownFactor is the multiplicative factor applied to the current number of runners used to determine how many pods should be removed.
+                        description: |-
+                          ScaleDownFactor is the multiplicative factor applied to the current number of runners used
+                          to determine how many pods should be removed.
                        type: string
                      scaleDownThreshold:
-                        description: ScaleDownThreshold is the percentage of busy runners less than which will trigger the hpa to scale the runners down.
+                        description: |-
+                          ScaleDownThreshold is the percentage of busy runners less than which will
+                          trigger the hpa to scale the runners down.
                        type: string
                      scaleUpAdjustment:
-                        description: ScaleUpAdjustment is the number of runners added on scale-up. You can only specify either ScaleUpFactor or ScaleUpAdjustment.
+                        description: |-
+                          ScaleUpAdjustment is the number of runners added on scale-up.
+                          You can only specify either ScaleUpFactor or ScaleUpAdjustment.
                        type: integer
                      scaleUpFactor:
-                        description: ScaleUpFactor is the multiplicative factor applied to the current number of runners used to determine how many pods should be added.
+                        description: |-
+                          ScaleUpFactor is the multiplicative factor applied to the current number of runners used
+                          to determine how many pods should be added.
                        type: string
                      scaleUpThreshold:
-                        description: ScaleUpThreshold is the percentage of busy runners greater than which will trigger the hpa to scale runners up.
+                        description: |-
+                          ScaleUpThreshold is the percentage of busy runners greater than which will
+                          trigger the hpa to scale runners up.
                        type: string
                      type:
-                        description: Type is the type of metric to be used for autoscaling. It can be TotalNumberOfQueuedAndInProgressWorkflowRuns or PercentageRunnersBusy.
+                        description: |-
+                          Type is the type of metric to be used for autoscaling.
+                          It can be TotalNumberOfQueuedAndInProgressWorkflowRuns or PercentageRunnersBusy.
                        type: string
                    type: object
                  type: array
@@ -110,7 +137,9 @@ spec:
                  description: MinReplicas is the minimum number of replicas the deployment is allowed to scale
                  type: integer
                scaleDownDelaySecondsAfterScaleOut:
-                  description: ScaleDownDelaySecondsAfterScaleUp is the approximate delay for a scale down followed by a scale up Used to prevent flapping (down->up->down->... loop)
+                  description: |-
+                    ScaleDownDelaySecondsAfterScaleUp is the approximate delay for a scale down followed by a scale up
+                    Used to prevent flapping (down->up->down->... loop)
                  type: integer
                scaleTargetRef:
                  description: ScaleTargetRef is the reference to scaled resource like RunnerDeployment
@@ -126,7 +155,16 @@ spec:
                      type: string
                  type: object
                scaleUpTriggers:
-                  description: "ScaleUpTriggers is an experimental feature to increase the desired replicas by 1 on each webhook requested received by the webhookBasedAutoscaler. \n This feature requires you to also enable and deploy the webhookBasedAutoscaler onto your cluster. \n Note that the added runners remain until the next sync period at least, and they may or may not be used by GitHub Actions depending on the timing. They are intended to be used to gain \"resource slack\" immediately after you receive a webhook from GitHub, so that you can loosely expect MinReplicas runners to be always available."
+                  description: |-
+                    ScaleUpTriggers is an experimental feature to increase the desired replicas by 1
+                    on each webhook requested received by the webhookBasedAutoscaler.
+
+                    This feature requires you to also enable and deploy the webhookBasedAutoscaler onto your cluster.
+
+                    Note that the added runners remain until the next sync period at least,
+                    and they may or may not be used by GitHub Actions depending on the timing.
+                    They are intended to be used to gain "resource slack" immediately after you
+                    receive a webhook from GitHub, so that you can loosely expect MinReplicas runners to be always available.
                  items:
                    properties:
                      amount:
@@ -139,12 +177,18 @@ spec:
                            description: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#check_run
                            properties:
                              names:
-                                description: Names is a list of GitHub Actions glob patterns. Any check_run event whose name matches one of patterns in the list can trigger autoscaling. Note that check_run name seem to equal to the job name you've defined in your actions workflow yaml file. So it is very likely that you can utilize this to trigger depending on the job.
+                                description: |-
+                                  Names is a list of GitHub Actions glob patterns.
+                                  Any check_run event whose name matches one of patterns in the list can trigger autoscaling.
+                                  Note that check_run name seem to equal to the job name you've defined in your actions workflow yaml file.
+                                  So it is very likely that you can utilize this to trigger depending on the job.
                                items:
                                  type: string
                                type: array
                              repositories:
-                                description: Repositories is a list of GitHub repositories. Any check_run event whose repository matches one of repositories in the list can trigger autoscaling.
+                                description: |-
+                                  Repositories is a list of GitHub repositories.
+                                  Any check_run event whose repository matches one of repositories in the list can trigger autoscaling.
                                items:
                                  type: string
                                type: array
@@ -169,7 +213,9 @@ spec:
                                type: array
                            type: object
                          push:
-                            description: PushSpec is the condition for triggering scale-up on push event Also see https://docs.github.com/en/actions/reference/events-that-trigger-workflows#push
+                            description: |-
+                              PushSpec is the condition for triggering scale-up on push event
+                              Also see https://docs.github.com/en/actions/reference/events-that-trigger-workflows#push
                            type: object
                          workflowJob:
                            description: https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_job
@@ -178,23 +224,33 @@ spec:
                    type: object
                  type: array
                scheduledOverrides:
-                  description: ScheduledOverrides is the list of ScheduledOverride. It can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule. The earlier a scheduled override is, the higher it is prioritized.
+                  description: |-
+                    ScheduledOverrides is the list of ScheduledOverride.
+                    It can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule.
+                    The earlier a scheduled override is, the higher it is prioritized.
                  items:
-                    description: ScheduledOverride can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule. A schedule can optionally be recurring, so that the corresponding override happens every day, week, month, or year.
+                    description: |-
+                      ScheduledOverride can be used to override a few fields of HorizontalRunnerAutoscalerSpec on schedule.
+                      A schedule can optionally be recurring, so that the corresponding override happens every day, week, month, or year.
                    properties:
                      endTime:
                        description: EndTime is the time at which the first override ends.
                        format: date-time
                        type: string
                      minReplicas:
-                        description: MinReplicas is the number of runners while overriding. If omitted, it doesn't override minReplicas.
+                        description: |-
+                          MinReplicas is the number of runners while overriding.
+                          If omitted, it doesn't override minReplicas.
                        minimum: 0
                        nullable: true
                        type: integer
                      recurrenceRule:
                        properties:
                          frequency:
-                            description: Frequency is the name of a predefined interval of each recurrence. The valid values are "Daily", "Weekly", "Monthly", and "Yearly". If empty, the corresponding override happens only once.
+                            description: |-
+                              Frequency is the name of a predefined interval of each recurrence.
+                              The valid values are "Daily", "Weekly", "Monthly", and "Yearly".
+                              If empty, the corresponding override happens only once.
                            enum:
                              - Daily
                              - Weekly
@@ -202,7 +258,9 @@ spec:
                              - Yearly
                            type: string
                          untilTime:
-                            description: UntilTime is the time of the final recurrence. If empty, the schedule recurs forever.
+                            description: |-
+                              UntilTime is the time of the final recurrence.
+                              If empty, the schedule recurs forever.
                            format: date-time
                            type: string
                        type: object
@@ -231,18 +289,24 @@ spec:
                    type: object
                  type: array
                desiredReplicas:
-                  description: DesiredReplicas is the total number of desired, non-terminated and latest pods to be set for the primary RunnerSet This doesn't include outdated pods while upgrading the deployment and replacing the runnerset.
+                  description: |-
+                    DesiredReplicas is the total number of desired, non-terminated and latest pods to be set for the primary RunnerSet
+                    This doesn't include outdated pods while upgrading the deployment and replacing the runnerset.
                  type: integer
                lastSuccessfulScaleOutTime:
                  format: date-time
                  nullable: true
                  type: string
                observedGeneration:
-                  description: ObservedGeneration is the most recent generation observed for the target. It corresponds to e.g. RunnerDeployment's generation, which is updated on mutation by the API Server.
+                  description: |-
+                    ObservedGeneration is the most recent generation observed for the target. It corresponds to e.g.
+                    RunnerDeployment's generation, which is updated on mutation by the API Server.
                  format: int64
                  type: integer
                scheduledOverridesSummary:
-                  description: ScheduledOverridesSummary is the summary of active and upcoming scheduled overrides to be shown in e.g. a column of a `kubectl get hra` output for observability.
+                  description: |-
+                    ScheduledOverridesSummary is the summary of active and upcoming scheduled overrides to be shown in e.g. a column of a `kubectl get hra` output
+                    for observability.
                  type: string
              type: object
          type: object
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerdeployments.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerdeployments.yaml
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerreplicasets.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnerreplicasets.yaml
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml
--- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runnersets.yaml
+++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runnersets.yaml
--- a/charts/actions-runner-controller/templates/NOTES.txt
+++ b/charts/actions-runner-controller/templates/NOTES.txt
@@ -6,17 +6,17 @@
  {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "actions-runner-controller.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  export NODE_PORT=$(kubectl get --namespace {{ include "actions-runner-controller.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "actions-runner-controller.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ include "actions-runner-controller.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
  echo http://$NODE_IP:$NODE_PORT
 {{- else if contains "LoadBalancer" .Values.service.type }}
     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "actions-runner-controller.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "actions-runner-controller.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+           You can watch the status of by running 'kubectl get --namespace {{ include "actions-runner-controller.namespace" . }} svc -w {{ include "actions-runner-controller.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ include "actions-runner-controller.namespace" . }} {{ include "actions-runner-controller.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
  echo http://$SERVICE_IP:{{ .Values.service.port }}
 {{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "actions-runner-controller.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  export POD_NAME=$(kubectl get pods --namespace {{ include "actions-runner-controller.namespace" . }} -l "app.kubernetes.io/name={{ include "actions-runner-controller.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ include "actions-runner-controller.namespace" . }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+  kubectl --namespace {{ include "actions-runner-controller.namespace" . }} port-forward $POD_NAME 8080:$CONTAINER_PORT
 {{- end }}
--- a/charts/actions-runner-controller/templates/_helpers.tpl
+++ b/charts/actions-runner-controller/templates/_helpers.tpl
@@ -1,3 +1,14 @@
+{{/*
+Allow overriding the namespace for the resources.
+*/}}
+{{- define "actions-runner-controller.namespace" -}}
+{{- if .Values.namespaceOverride }}
+  {{- .Values.namespaceOverride }}
+{{- else }}
+  {{- .Release.Namespace }}
+{{- end }}
+{{- end }}
+
 {{/*
 Expand the name of the chart.
 */}}
--- a/charts/actions-runner-controller/templates/actionsmetrics.deployment.yaml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.deployment.yaml
@@ -3,7 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "actions-runner-controller-actions-metrics-server.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 spec:
--- a/charts/actions-runner-controller/templates/actionsmetrics.ingress.yaml.yml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.ingress.yaml.yml
@@ -5,7 +5,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: {{ $fullName }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  {{- with .Values.actionsMetricsServer.ingress.annotations }}
--- a/charts/actions-runner-controller/templates/actionsmetrics.role_binding.yaml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.role_binding.yaml
@@ -10,5 +10,5 @@ roleRef:
 subjects:
  - kind: ServiceAccount
    name: {{ include "actions-runner-controller-actions-metrics-server.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "actions-runner-controller.namespace" . }}
 {{- end }}
--- a/charts/actions-runner-controller/templates/actionsmetrics.secrets.yaml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.secrets.yaml
@@ -4,7 +4,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "actions-runner-controller-actions-metrics-server.secretName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 type: Opaque
--- a/charts/actions-runner-controller/templates/actionsmetrics.service.yaml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.service.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "actions-runner-controller-actions-metrics-server.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller-actions-metrics-server.selectorLabels" . | nindent 4 }}
 {{- if .Values.actionsMetricsServer.service.annotations }}
--- a/charts/actions-runner-controller/templates/actionsmetrics.serviceaccount.yaml.yml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.serviceaccount.yaml.yml
@@ -4,7 +4,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "actions-runner-controller-actions-metrics-server.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  {{- with .Values.actionsMetricsServer.serviceAccount.annotations }}
--- a/charts/actions-runner-controller/templates/actionsmetrics.servicemonitor.yaml.yml
+++ b/charts/actions-runner-controller/templates/actionsmetrics.servicemonitor.yaml.yml
@@ -1,4 +1,5 @@
 {{- if and .Values.actionsMetricsServer.enabled .Values.actionsMetrics.serviceMonitor.enable }}
+{{- $servicemonitornamespace := .Values.actionsMetrics.serviceMonitor.namespace | default (include "actions-runner-controller.namespace" .) }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
@@ -8,7 +9,7 @@ metadata:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  name: {{ include "actions-runner-controller-actions-metrics-server.serviceMonitorName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $servicemonitornamespace }}
 spec:
  endpoints:
    - path: /metrics
--- a/charts/actions-runner-controller/templates/auth_proxy_role_binding.yaml
+++ b/charts/actions-runner-controller/templates/auth_proxy_role_binding.yaml
@@ -10,5 +10,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "actions-runner-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 {{- end }}
--- a/charts/actions-runner-controller/templates/certificate.yaml
+++ b/charts/actions-runner-controller/templates/certificate.yaml
@@ -6,7 +6,7 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: {{ include "actions-runner-controller.selfsignedIssuerName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 spec:
  selfSigned: {}
 ---
@@ -14,11 +14,11 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: {{ include "actions-runner-controller.servingCertName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 spec:
  dnsNames:
-  - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ .Release.Namespace }}.svc
-  - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ .Release.Namespace }}.svc.cluster.local
+  - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ include "actions-runner-controller.namespace" . }}.svc
+  - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ include "actions-runner-controller.namespace" . }}.svc.cluster.local
  issuerRef:
    kind: Issuer
    name: {{ include "actions-runner-controller.selfsignedIssuerName" . }}
--- a/charts/actions-runner-controller/templates/controller.metrics.service.yaml
+++ b/charts/actions-runner-controller/templates/controller.metrics.service.yaml
@@ -4,7 +4,7 @@ metadata:
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  name: {{ include "actions-runner-controller.metricsServiceName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  {{- with .Values.metrics.serviceAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
--- a/charts/actions-runner-controller/templates/controller.metrics.serviceMonitor.yaml
+++ b/charts/actions-runner-controller/templates/controller.metrics.serviceMonitor.yaml
@@ -8,7 +8,7 @@ metadata:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  name: {{ include "actions-runner-controller.serviceMonitorName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 spec:
  endpoints:
    - path: /metrics
--- a/charts/actions-runner-controller/templates/controller.pdb.yaml
+++ b/charts/actions-runner-controller/templates/controller.pdb.yaml
@@ -5,7 +5,7 @@ metadata:
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  name: {{ include "actions-runner-controller.pdbName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 spec:
  {{- if .Values.podDisruptionBudget.minAvailable }}
  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
--- a/charts/actions-runner-controller/templates/deployment.yaml
+++ b/charts/actions-runner-controller/templates/deployment.yaml
@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "actions-runner-controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 spec:
@@ -56,7 +56,7 @@ spec:
        - "--docker-registry-mirror={{ .Values.dockerRegistryMirror }}"
        {{- end }}
        {{- if .Values.scope.singleNamespace }}
-        - "--watch-namespace={{ default .Release.Namespace .Values.scope.watchNamespace }}"
+        - "--watch-namespace={{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}"
        {{- end }}
        {{- if .Values.logLevel }}
        - "--log-level={{ .Values.logLevel }}"
--- a/charts/actions-runner-controller/templates/githubwebhook.deployment.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.deployment.yaml
@@ -3,7 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "actions-runner-controller-github-webhook-server.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 spec:
@@ -43,7 +43,7 @@ spec:
        - "--log-level={{ .Values.githubWebhookServer.logLevel }}"
        {{- end }}
        {{- if .Values.scope.singleNamespace }}
-        - "--watch-namespace={{ default .Release.Namespace .Values.scope.watchNamespace }}"
+        - "--watch-namespace={{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}"
        {{- end }}
        {{- if .Values.runnerGithubURL  }}
        - "--runner-github-url={{ .Values.runnerGithubURL }}"
--- a/charts/actions-runner-controller/templates/githubwebhook.ingress.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.ingress.yaml
@@ -5,7 +5,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: {{ $fullName }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  {{- with .Values.githubWebhookServer.ingress.annotations }}
--- a/charts/actions-runner-controller/templates/githubwebhook.pdb.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.pdb.yaml
@@ -5,7 +5,7 @@ metadata:
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  name: {{ include "actions-runner-controller-github-webhook-server.pdbName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 spec:
  {{- if .Values.githubWebhookServer.podDisruptionBudget.minAvailable }}
  minAvailable: {{ .Values.githubWebhookServer.podDisruptionBudget.minAvailable }}
--- a/charts/actions-runner-controller/templates/githubwebhook.role_binding.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.role_binding.yaml
@@ -10,5 +10,5 @@ roleRef:
 subjects:
  - kind: ServiceAccount
    name: {{ include "actions-runner-controller-github-webhook-server.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "actions-runner-controller.namespace" . }}
 {{- end }}
--- a/charts/actions-runner-controller/templates/githubwebhook.secrets.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.secrets.yaml
@@ -4,7 +4,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "actions-runner-controller-github-webhook-server.secretName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 type: Opaque
--- a/charts/actions-runner-controller/templates/githubwebhook.service.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.service.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "actions-runner-controller-github-webhook-server.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller-github-webhook-server.selectorLabels" . | nindent 4 }}
 {{- if .Values.githubWebhookServer.service.annotations }}
--- a/charts/actions-runner-controller/templates/githubwebhook.serviceMonitor.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.serviceMonitor.yaml
@@ -1,4 +1,5 @@
 {{- if and .Values.githubWebhookServer.enabled .Values.metrics.serviceMonitor.enable }}
+{{- $servicemonitornamespace := .Values.actionsMetrics.serviceMonitor.namespace | default (include "actions-runner-controller.namespace" .) }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
@@ -8,7 +9,7 @@ metadata:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  name: {{ include "actions-runner-controller-github-webhook-server.serviceMonitorName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $servicemonitornamespace }}
 spec:
  endpoints:
    - path: /metrics
--- a/charts/actions-runner-controller/templates/githubwebhook.serviceaccount.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.serviceaccount.yaml
@@ -4,7 +4,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "actions-runner-controller-github-webhook-server.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  {{- with .Values.githubWebhookServer.serviceAccount.annotations }}
--- a/charts/actions-runner-controller/templates/leader_election_role.yaml
+++ b/charts/actions-runner-controller/templates/leader_election_role.yaml
@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ include "actions-runner-controller.leaderElectionRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 rules:
 - apiGroups:
  - ""
--- a/charts/actions-runner-controller/templates/leader_election_role_binding.yaml
+++ b/charts/actions-runner-controller/templates/leader_election_role_binding.yaml
@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "actions-runner-controller.leaderElectionRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
@@ -10,4 +10,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "actions-runner-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
--- a/charts/actions-runner-controller/templates/manager_role_binding.yaml
+++ b/charts/actions-runner-controller/templates/manager_role_binding.yaml
@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "actions-runner-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
--- a/charts/actions-runner-controller/templates/manager_role_binding_secrets.yaml
+++ b/charts/actions-runner-controller/templates/manager_role_binding_secrets.yaml
@@ -6,7 +6,7 @@ kind: ClusterRoleBinding
 {{- end }}
 metadata:
  name: {{ include "actions-runner-controller.managerRoleName" . }}-secrets
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  {{- if .Values.scope.singleNamespace }}
@@ -18,4 +18,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "actions-runner-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
--- a/charts/actions-runner-controller/templates/manager_secrets.yaml
+++ b/charts/actions-runner-controller/templates/manager_secrets.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "actions-runner-controller.secretName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  {{- if .Values.authSecret.annotations }}
  annotations:
    {{ toYaml .Values.authSecret.annotations | nindent 4 }}
--- a/charts/actions-runner-controller/templates/serviceaccount.yaml
+++ b/charts/actions-runner-controller/templates/serviceaccount.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "actions-runner-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
--- a/charts/actions-runner-controller/templates/webhook_configs.yaml
+++ b/charts/actions-runner-controller/templates/webhook_configs.yaml
@@ -2,7 +2,7 @@
 We will use a self managed CA if one is not provided by cert-manager
 */}}
 {{- $ca := genCA "actions-runner-ca" 3650 }}
-{{- $cert := genSignedCert (printf "%s.%s.svc" (include "actions-runner-controller.webhookServiceName" .) .Release.Namespace) nil (list (printf "%s.%s.svc" (include "actions-runner-controller.webhookServiceName" .) .Release.Namespace)) 3650 $ca }}
+{{- $cert := genSignedCert (printf "%s.%s.svc" (include "actions-runner-controller.webhookServiceName" .) (include "actions-runner-controller.namespace" .)) nil (list (printf "%s.%s.svc" (include "actions-runner-controller.webhookServiceName" .) (include "actions-runner-controller.namespace" .))) 3650 $ca }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
@@ -11,7 +11,7 @@ metadata:
  name: {{ include "actions-runner-controller.fullname" . }}-mutating-webhook-configuration
  {{- if .Values.certManagerEnabled }}
  annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "actions-runner-controller.servingCertName" . }}
+    cert-manager.io/inject-ca-from: {{ include "actions-runner-controller.namespace" . }}/{{ include "actions-runner-controller.servingCertName" . }}
  {{- end }}
 webhooks:
 - admissionReviewVersions:
@@ -19,7 +19,7 @@ webhooks:
  {{- if .Values.scope.singleNamespace }}
  namespaceSelector:
    matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
  {{- end }}
  clientConfig:
    {{- if .Values.admissionWebHooks.caBundle }}
@@ -29,7 +29,7 @@ webhooks:
    {{- end }}
    service:
      name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
      path: /mutate-actions-summerwind-dev-v1alpha1-runner
  failurePolicy: Fail
  name: mutate.runner.actions.summerwind.dev
@@ -50,7 +50,7 @@ webhooks:
  {{- if .Values.scope.singleNamespace }}
  namespaceSelector:
    matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
  {{- end }}
  clientConfig:
    {{- if .Values.admissionWebHooks.caBundle }}
@@ -60,7 +60,7 @@ webhooks:
    {{- end }}
    service:
      name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
      path: /mutate-actions-summerwind-dev-v1alpha1-runnerdeployment
  failurePolicy: Fail
  name: mutate.runnerdeployment.actions.summerwind.dev
@@ -81,7 +81,7 @@ webhooks:
  {{- if .Values.scope.singleNamespace }}
  namespaceSelector:
    matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
  {{- end }}
  clientConfig:
    {{- if .Values.admissionWebHooks.caBundle }}
@@ -91,7 +91,7 @@ webhooks:
    {{- end }}
    service:
      name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
      path: /mutate-actions-summerwind-dev-v1alpha1-runnerreplicaset
  failurePolicy: Fail
  name: mutate.runnerreplicaset.actions.summerwind.dev
@@ -112,7 +112,7 @@ webhooks:
  {{- if .Values.scope.singleNamespace }}
  namespaceSelector:
    matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
  {{- end }}
  clientConfig:
    {{- if .Values.admissionWebHooks.caBundle }}
@@ -122,7 +122,7 @@ webhooks:
    {{- end }}
    service:
      name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
      path: /mutate-runner-set-pod
  failurePolicy: Fail
  name: mutate-runner-pod.webhook.actions.summerwind.dev
@@ -148,7 +148,7 @@ metadata:
  name: {{ include "actions-runner-controller.fullname" . }}-validating-webhook-configuration
  {{- if .Values.certManagerEnabled }}
  annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "actions-runner-controller.servingCertName" . }}
+    cert-manager.io/inject-ca-from: {{ include "actions-runner-controller.namespace" . }}/{{ include "actions-runner-controller.servingCertName" . }}
  {{- end }}
 webhooks:
 - admissionReviewVersions:
@@ -156,7 +156,7 @@ webhooks:
  {{- if .Values.scope.singleNamespace }}
  namespaceSelector:
    matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
  {{- end }}
  clientConfig:
    {{- if .Values.admissionWebHooks.caBundle }}
@@ -166,7 +166,7 @@ webhooks:
    {{- end }}
    service:
      name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
      path: /validate-actions-summerwind-dev-v1alpha1-runner
  failurePolicy: Fail
  name: validate.runner.actions.summerwind.dev
@@ -187,7 +187,7 @@ webhooks:
  {{- if .Values.scope.singleNamespace }}
  namespaceSelector:
    matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
  {{- end }}
  clientConfig:
    {{- if .Values.admissionWebHooks.caBundle }}
@@ -197,7 +197,7 @@ webhooks:
    {{- end }}
    service:
      name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
      path: /validate-actions-summerwind-dev-v1alpha1-runnerdeployment
  failurePolicy: Fail
  name: validate.runnerdeployment.actions.summerwind.dev
@@ -218,7 +218,7 @@ webhooks:
  {{- if .Values.scope.singleNamespace }}
  namespaceSelector:
    matchLabels:
-      kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}
+      kubernetes.io/metadata.name: {{ default (include "actions-runner-controller.namespace" .) .Values.scope.watchNamespace }}
  {{- end }}
  clientConfig:
    {{- if .Values.admissionWebHooks.caBundle }}
@@ -228,7 +228,7 @@ webhooks:
    {{- end }}
    service:
      name: {{ include "actions-runner-controller.webhookServiceName" . }}
-      namespace: {{ .Release.Namespace }}
+      namespace: {{ include "actions-runner-controller.namespace" . }}
      path: /validate-actions-summerwind-dev-v1alpha1-runnerreplicaset
  failurePolicy: Fail
  name: validate.runnerreplicaset.actions.summerwind.dev
@@ -250,7 +250,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "actions-runner-controller.servingCertName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 type: kubernetes.io/tls
--- a/charts/actions-runner-controller/templates/webhook_service.yaml
+++ b/charts/actions-runner-controller/templates/webhook_service.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "actions-runner-controller.webhookServiceName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "actions-runner-controller.namespace" . }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
  {{- with .Values.service.annotations }}
--- a/charts/actions-runner-controller/values.yaml
+++ b/charts/actions-runner-controller/values.yaml
@@ -111,6 +111,7 @@ metrics:
  serviceAnnotations: {}
  serviceMonitor:
    enable: false
+    namespace: ""
    timeout: 30s
    interval: 1m
  serviceMonitorLabels: {}
@@ -312,6 +313,7 @@ actionsMetrics:
  # to deploy the actions-metrics-server whose k8s service is referenced by the service monitor.
  serviceMonitor:
    enable: false
+    namespace: ""
    timeout: 30s
    interval: 1m
  serviceMonitorLabels: {}
@@ -418,3 +420,6 @@ actionsMetricsServer:
    #      - chart-example.local
  terminationGracePeriodSeconds: 10
  lifecycle: {}
+
+# Add the option to deploy in another namespace rather than .Release.Namespace.
+namespaceOverride: ""
--- a/charts/gha-runner-scale-set-controller/Chart.yaml
+++ b/charts/gha-runner-scale-set-controller/Chart.yaml
@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.0
+version: 0.11.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.7.0"
+appVersion: "0.11.0"

 home: https://github.com/actions/actions-runner-controller

--- a/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalinglisteners.yaml
+++ b/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalinglisteners.yaml
--- a/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalingrunnersets.yaml
+++ b/charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalingrunnersets.yaml
--- a/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunners.yaml
+++ b/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunners.yaml
--- a/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunnersets.yaml
+++ b/charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunnersets.yaml
--- a/charts/gha-runner-scale-set-controller/templates/NOTES.txt
+++ b/charts/gha-runner-scale-set-controller/templates/NOTES.txt
@@ -1,4 +1,3 @@
 Thank you for installing {{ .Chart.Name }}.

 Your release is named {{ .Release.Name }}.
-
--- a/charts/gha-runner-scale-set-controller/templates/_helpers.tpl
+++ b/charts/gha-runner-scale-set-controller/templates/_helpers.tpl
@@ -7,6 +7,17 @@ Expand the name of the chart.
 gha-rs-controller
 {{- end }}

+{{/*
+Allow overriding the namespace for the resources.
+*/}}
+{{- define "gha-runner-scale-set-controller.namespace" -}}
+{{- if .Values.namespaceOverride }}
+  {{- .Values.namespaceOverride }}
+{{- else }}
+  {{- .Release.Namespace }}
+{{- end }}
+{{- end }}
+
 {{- define "gha-runner-scale-set-controller.name" -}}
 {{- default (include "gha-base-name" .) .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
@@ -57,7 +68,7 @@ Selector labels
 */}}
 {{- define "gha-runner-scale-set-controller.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "gha-runner-scale-set-controller.name" . }}
-app.kubernetes.io/namespace: {{ .Release.Namespace }}
+app.kubernetes.io/namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}

@@ -126,7 +137,3 @@ Create the name of the service account to use
 {{- end }}
 {{- $names | join ","}}
 {{- end }}
-
-{{- define "gha-runner-scale-set-controller.serviceMonitorName" -}}
-{{- include "gha-runner-scale-set-controller.fullname" . }}-service-monitor
-{{- end }}
--- a/charts/gha-runner-scale-set-controller/templates/deployment.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/deployment.yaml
@@ -2,10 +2,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "gha-runner-scale-set-controller.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
  labels:
    {{- include "gha-runner-scale-set-controller.labels" . | nindent 4 }}
-    actions.github.com/controller-service-account-namespace: {{ .Release.Namespace }}
+    actions.github.com/controller-service-account-namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
    actions.github.com/controller-service-account-name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
    {{- if .Values.flags.watchSingleNamespace }}
    actions.github.com/controller-watch-single-namespace: {{ .Values.flags.watchSingleNamespace }}
@@ -25,7 +25,7 @@ spec:
      labels:
        app.kubernetes.io/part-of: gha-rs-controller
        app.kubernetes.io/component: controller-manager
-        app.kubernetes.io/version: {{ .Chart.Version }}
+        app.kubernetes.io/version: {{ .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
        {{- include "gha-runner-scale-set-controller.selectorLabels" . | nindent 8 }}
        {{- with .Values.podLabels }}
          {{- toYaml . | nindent 8 }}
@@ -65,6 +65,9 @@ spec:
        {{- with .Values.flags.watchSingleNamespace }}
        - "--watch-single-namespace={{ . }}"
        {{- end }}
+        {{- with .Values.flags.runnerMaxConcurrentReconciles }}
+        - "--runner-max-concurrent-reconciles={{ . }}"
+        {{- end }}
        {{- with .Values.flags.updateStrategy }}
        - "--update-strategy={{ . }}"
        {{- end }}
@@ -79,6 +82,15 @@ spec:
        - "--listener-metrics-endpoint="
        - "--metrics-addr=0"
        {{- end }}
+        {{- range .Values.flags.excludeLabelPropagationPrefixes }}
+        - "--exclude-label-propagation-prefix={{ . }}"
+        {{- end }}
+        {{- with .Values.flags.k8sClientRateLimiterQPS }}
+        - "--k8s-client-rate-limiter-qps={{ . }}"
+        {{- end }}
+        {{- with .Values.flags.k8sClientRateLimiterBurst }}
+        - "--k8s-client-rate-limiter-burst={{ . }}"
+        {{- end }}
        command:
        - "/manager"
        {{- with .Values.metrics }}
@@ -110,10 +122,16 @@ spec:
        volumeMounts:
        - mountPath: /tmp
          name: tmp
+        {{- range .Values.volumeMounts }}
+        - {{ toYaml . | nindent 10 }}
+        {{- end }}
      terminationGracePeriodSeconds: 10
      volumes:
      - name: tmp
        emptyDir: {}
+      {{- range .Values.volumes }}
+      - {{ toYaml . | nindent 8 }}
+      {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
@@ -122,6 +140,10 @@ spec:
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
--- a/charts/gha-runner-scale-set-controller/templates/leader_election_role.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/leader_election_role.yaml
@@ -4,9 +4,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ include "gha-runner-scale-set-controller.leaderElectionRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
-{{- end }}
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+{{- end }}
--- a/charts/gha-runner-scale-set-controller/templates/leader_election_role_binding.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/leader_election_role_binding.yaml
@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "gha-runner-scale-set-controller.leaderElectionRoleBinding" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
@@ -11,5 +11,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 {{- end }}
--- a/charts/gha-runner-scale-set-controller/templates/manager_cluster_role_binding.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/manager_cluster_role_binding.yaml
@@ -10,5 +10,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 {{- end }}
--- a/charts/gha-runner-scale-set-controller/templates/manager_listener_role.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/manager_listener_role.yaml
@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ include "gha-runner-scale-set-controller.managerListenerRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 rules:
 - apiGroups:
  - ""
--- a/charts/gha-runner-scale-set-controller/templates/manager_listener_role_binding.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/manager_listener_role_binding.yaml
@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "gha-runner-scale-set-controller.managerListenerRoleBinding" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
@@ -10,4 +10,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
--- a/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_controller_role.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_controller_role.yaml
@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ include "gha-runner-scale-set-controller.managerSingleNamespaceRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 rules:
 - apiGroups:
  - actions.github.com
--- a/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_controller_role_binding.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_controller_role_binding.yaml
@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "gha-runner-scale-set-controller.managerSingleNamespaceRoleBinding" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
@@ -11,5 +11,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 {{- end }}
--- a/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_watch_role_binding.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/manager_single_namespace_watch_role_binding.yaml
@@ -11,5 +11,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
 {{- end }}
--- a/charts/gha-runner-scale-set-controller/templates/serviceaccount.yaml
+++ b/charts/gha-runner-scale-set-controller/templates/serviceaccount.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "gha-runner-scale-set-controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set-controller.namespace" . }}
  labels:
    {{- include "gha-runner-scale-set-controller.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
--- a/charts/gha-runner-scale-set-controller/tests/template_test.go
+++ b/charts/gha-runner-scale-set-controller/tests/template_test.go
@@ -17,6 +17,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

 type Chart struct {
@@ -345,6 +346,7 @@ func TestTemplate_ControllerDeployment_Defaults(t *testing.T) {

 	assert.Len(t, deployment.Spec.Template.Spec.NodeSelector, 0)
 	assert.Nil(t, deployment.Spec.Template.Spec.Affinity)
+	assert.Len(t, deployment.Spec.Template.Spec.TopologySpreadConstraints, 0)
 	assert.Len(t, deployment.Spec.Template.Spec.Tolerations, 0)

 	managerImage := "ghcr.io/actions/gha-runner-scale-set-controller:dev"
@@ -365,6 +367,7 @@ func TestTemplate_ControllerDeployment_Defaults(t *testing.T) {
 		"--metrics-addr=0",
 		"--listener-metrics-addr=0",
 		"--listener-metrics-endpoint=",
+		"--runner-max-concurrent-reconciles=2",
 	}
 	assert.ElementsMatch(t, expectedArgs, deployment.Spec.Template.Spec.Containers[0].Args)

@@ -424,10 +427,17 @@ func TestTemplate_ControllerDeployment_Customize(t *testing.T) {
 			"tolerations[0].key":           "foo",
 			"affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key":      "foo",
 			"affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator": "bar",
-			"priorityClassName":    "test-priority-class",
-			"flags.updateStrategy": "eventual",
-			"flags.logLevel":       "info",
-			"flags.logFormat":      "json",
+			"topologySpreadConstraints[0].labelSelector.matchLabels.foo":                                                             "bar",
+			"topologySpreadConstraints[0].maxSkew":                                                                                   "1",
+			"topologySpreadConstraints[0].topologyKey":                                                                               "foo",
+			"priorityClassName":         "test-priority-class",
+			"flags.updateStrategy":      "eventual",
+			"flags.logLevel":            "info",
+			"flags.logFormat":           "json",
+			"volumes[0].name":           "customMount",
+			"volumes[0].configMap.name": "my-configmap",
+			"volumeMounts[0].name":      "customMount",
+			"volumeMounts[0].mountPath": "/my/mount/path",
 		},
 		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
 	}
@@ -470,9 +480,11 @@ func TestTemplate_ControllerDeployment_Customize(t *testing.T) {
 	assert.Equal(t, int64(1000), *deployment.Spec.Template.Spec.SecurityContext.FSGroup)
 	assert.Equal(t, "test-priority-class", deployment.Spec.Template.Spec.PriorityClassName)
 	assert.Equal(t, int64(10), *deployment.Spec.Template.Spec.TerminationGracePeriodSeconds)
-	assert.Len(t, deployment.Spec.Template.Spec.Volumes, 1)
+	assert.Len(t, deployment.Spec.Template.Spec.Volumes, 2)
 	assert.Equal(t, "tmp", deployment.Spec.Template.Spec.Volumes[0].Name)
-	assert.NotNil(t, 10, deployment.Spec.Template.Spec.Volumes[0].EmptyDir)
+	assert.NotNil(t, deployment.Spec.Template.Spec.Volumes[0].EmptyDir)
+	assert.Equal(t, "customMount", deployment.Spec.Template.Spec.Volumes[1].Name)
+	assert.Equal(t, "my-configmap", deployment.Spec.Template.Spec.Volumes[1].ConfigMap.Name)

 	assert.Len(t, deployment.Spec.Template.Spec.NodeSelector, 1)
 	assert.Equal(t, "bar", deployment.Spec.Template.Spec.NodeSelector["foo"])
@@ -481,6 +493,11 @@ func TestTemplate_ControllerDeployment_Customize(t *testing.T) {
 	assert.Equal(t, "foo", deployment.Spec.Template.Spec.Affinity.NodeAffinity.RequiredDuringSchedulingIgnoredDuringExecution.NodeSelectorTerms[0].MatchExpressions[0].Key)
 	assert.Equal(t, "bar", string(deployment.Spec.Template.Spec.Affinity.NodeAffinity.RequiredDuringSchedulingIgnoredDuringExecution.NodeSelectorTerms[0].MatchExpressions[0].Operator))

+	assert.Len(t, deployment.Spec.Template.Spec.TopologySpreadConstraints, 1)
+	assert.Equal(t, "bar", deployment.Spec.Template.Spec.TopologySpreadConstraints[0].LabelSelector.MatchLabels["foo"])
+	assert.Equal(t, int32(1), deployment.Spec.Template.Spec.TopologySpreadConstraints[0].MaxSkew)
+	assert.Equal(t, "foo", deployment.Spec.Template.Spec.TopologySpreadConstraints[0].TopologyKey)
+
 	assert.Len(t, deployment.Spec.Template.Spec.Tolerations, 1)
 	assert.Equal(t, "foo", deployment.Spec.Template.Spec.Tolerations[0].Key)

@@ -503,6 +520,7 @@ func TestTemplate_ControllerDeployment_Customize(t *testing.T) {
 		"--listener-metrics-addr=0",
 		"--listener-metrics-endpoint=",
 		"--metrics-addr=0",
+		"--runner-max-concurrent-reconciles=2",
 	}

 	assert.ElementsMatch(t, expectArgs, deployment.Spec.Template.Spec.Containers[0].Args)
@@ -521,9 +539,11 @@ func TestTemplate_ControllerDeployment_Customize(t *testing.T) {
 	assert.True(t, *deployment.Spec.Template.Spec.Containers[0].SecurityContext.RunAsNonRoot)
 	assert.Equal(t, int64(1000), *deployment.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser)

-	assert.Len(t, deployment.Spec.Template.Spec.Containers[0].VolumeMounts, 1)
+	assert.Len(t, deployment.Spec.Template.Spec.Containers[0].VolumeMounts, 2)
 	assert.Equal(t, "tmp", deployment.Spec.Template.Spec.Containers[0].VolumeMounts[0].Name)
 	assert.Equal(t, "/tmp", deployment.Spec.Template.Spec.Containers[0].VolumeMounts[0].MountPath)
+	assert.Equal(t, "customMount", deployment.Spec.Template.Spec.Containers[0].VolumeMounts[1].Name)
+	assert.Equal(t, "/my/mount/path", deployment.Spec.Template.Spec.Containers[0].VolumeMounts[1].MountPath)
 }

 func TestTemplate_EnableLeaderElectionRole(t *testing.T) {
@@ -629,6 +649,7 @@ func TestTemplate_EnableLeaderElection(t *testing.T) {
 		"--listener-metrics-addr=0",
 		"--listener-metrics-endpoint=",
 		"--metrics-addr=0",
+		"--runner-max-concurrent-reconciles=2",
 	}

 	assert.ElementsMatch(t, expectedArgs, deployment.Spec.Template.Spec.Containers[0].Args)
@@ -669,6 +690,7 @@ func TestTemplate_ControllerDeployment_ForwardImagePullSecrets(t *testing.T) {
 		"--listener-metrics-addr=0",
 		"--listener-metrics-endpoint=",
 		"--metrics-addr=0",
+		"--runner-max-concurrent-reconciles=2",
 	}

 	assert.ElementsMatch(t, expectedArgs, deployment.Spec.Template.Spec.Containers[0].Args)
@@ -737,6 +759,7 @@ func TestTemplate_ControllerDeployment_WatchSingleNamespace(t *testing.T) {

 	assert.Len(t, deployment.Spec.Template.Spec.NodeSelector, 0)
 	assert.Nil(t, deployment.Spec.Template.Spec.Affinity)
+	assert.Len(t, deployment.Spec.Template.Spec.TopologySpreadConstraints, 0)
 	assert.Len(t, deployment.Spec.Template.Spec.Tolerations, 0)

 	managerImage := "ghcr.io/actions/gha-runner-scale-set-controller:dev"
@@ -758,6 +781,7 @@ func TestTemplate_ControllerDeployment_WatchSingleNamespace(t *testing.T) {
 		"--listener-metrics-addr=0",
 		"--listener-metrics-endpoint=",
 		"--metrics-addr=0",
+		"--runner-max-concurrent-reconciles=2",
 	}

 	assert.ElementsMatch(t, expectedArgs, deployment.Spec.Template.Spec.Containers[0].Args)
@@ -1017,3 +1041,184 @@ func TestControllerDeployment_MetricsPorts(t *testing.T) {
 		assert.Equal(t, value.frequency, 1, fmt.Sprintf("frequency of %q is not 1", key))
 	}
 }
+
+func TestDeployment_excludeLabelPropagationPrefixes(t *testing.T) {
+	t.Parallel()
+
+	// Path to the helm chart we will test
+	helmChartPath, err := filepath.Abs("../../gha-runner-scale-set-controller")
+	require.NoError(t, err)
+
+	chartContent, err := os.ReadFile(filepath.Join(helmChartPath, "Chart.yaml"))
+	require.NoError(t, err)
+
+	chart := new(Chart)
+	err = yaml.Unmarshal(chartContent, chart)
+	require.NoError(t, err)
+
+	releaseName := "test-arc"
+	namespaceName := "test-" + strings.ToLower(random.UniqueId())
+
+	options := &helm.Options{
+		Logger: logger.Discard,
+		SetValues: map[string]string{
+			"flags.excludeLabelPropagationPrefixes[0]": "prefix.com/",
+			"flags.excludeLabelPropagationPrefixes[1]": "complete.io/label",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/deployment.yaml"})
+
+	var deployment appsv1.Deployment
+	helm.UnmarshalK8SYaml(t, output, &deployment)
+
+	require.Len(t, deployment.Spec.Template.Spec.Containers, 1, "Expected one container")
+	container := deployment.Spec.Template.Spec.Containers[0]
+
+	assert.Contains(t, container.Args, "--exclude-label-propagation-prefix=prefix.com/")
+	assert.Contains(t, container.Args, "--exclude-label-propagation-prefix=complete.io/label")
+}
+func TestNamespaceOverride(t *testing.T) {
+	t.Parallel()
+
+	chartPath := "../../gha-runner-scale-set-controller"
+
+	releaseName := "test"
+	releaseNamespace := "test-" + strings.ToLower(random.UniqueId())
+	namespaceOverride := "test-" + strings.ToLower(random.UniqueId())
+
+	tt := map[string]struct {
+		file          string
+		options       *helm.Options
+		wantNamespace string
+	}{
+		"deployment": {
+			file: "deployment.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride": namespaceOverride,
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+			wantNamespace: namespaceOverride,
+		},
+		"leader_election_role_binding": {
+			file: "leader_election_role_binding.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride": namespaceOverride,
+					"replicaCount":      "2",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+			wantNamespace: namespaceOverride,
+		},
+		"leader_election_role": {
+			file: "leader_election_role.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride": namespaceOverride,
+					"replicaCount":      "2",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+			wantNamespace: namespaceOverride,
+		},
+		"manager_listener_role_binding": {
+			file: "manager_listener_role_binding.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride": namespaceOverride,
+					"replicaCount":      "2",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+			wantNamespace: namespaceOverride,
+		},
+		"manager_listener_role": {
+			file: "manager_listener_role.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride": namespaceOverride,
+					"replicaCount":      "2",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+			wantNamespace: namespaceOverride,
+		},
+		"manager_single_namespace_controller_role": {
+			file: "manager_single_namespace_controller_role.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride":          namespaceOverride,
+					"flags.watchSingleNamespace": "true",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+			wantNamespace: namespaceOverride,
+		},
+		"manager_single_namespace_controller_role_binding": {
+			file: "manager_single_namespace_controller_role_binding.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride":          namespaceOverride,
+					"flags.watchSingleNamespace": "true",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+			wantNamespace: namespaceOverride,
+		},
+		"manager_single_namespace_watch_role": {
+			file: "manager_single_namespace_watch_role.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride":          namespaceOverride,
+					"flags.watchSingleNamespace": "target-ns",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+			wantNamespace: "target-ns",
+		},
+		"manager_single_namespace_watch_role_binding": {
+			file: "manager_single_namespace_watch_role_binding.yaml",
+			options: &helm.Options{
+				Logger: logger.Discard,
+				SetValues: map[string]string{
+					"namespaceOverride":          namespaceOverride,
+					"flags.watchSingleNamespace": "target-ns",
+				},
+				KubectlOptions: k8s.NewKubectlOptions("", "", releaseNamespace),
+			},
+			wantNamespace: "target-ns",
+		},
+	}
+
+	for name, tc := range tt {
+		c := tc
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+			templateFile := filepath.Join("./templates", c.file)
+
+			output, err := helm.RenderTemplateE(t, c.options, chartPath, releaseName, []string{templateFile})
+			if err != nil {
+				t.Errorf("Error rendering template %s from chart %s: %s", c.file, chartPath, err)
+			}
+
+			type object struct {
+				Metadata metav1.ObjectMeta
+			}
+			var renderedObject object
+			helm.UnmarshalK8SYaml(t, output, &renderedObject)
+			assert.Equal(t, tc.wantNamespace, renderedObject.Metadata.Namespace)
+		})
+	}
+}
--- a/charts/gha-runner-scale-set-controller/values.yaml
+++ b/charts/gha-runner-scale-set-controller/values.yaml
@@ -72,14 +72,20 @@ tolerations: []

 affinity: {}

+topologySpreadConstraints: []
+
+# Mount volumes in the container.
+volumes: []
+volumeMounts: []
+
 # Leverage a PriorityClass to ensure your pods survive resource shortages
 # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
 # PriorityClass: system-cluster-critical
 priorityClassName: ""

-## If `metrics:` object is not provided, or commented out, the following flags 
-## will be applied the controller-manager and listener pods with empty values: 
-## `--metrics-addr`, `--listener-metrics-addr`, `--listener-metrics-endpoint`. 
+## If `metrics:` object is not provided, or commented out, the following flags
+## will be applied the controller-manager and listener pods with empty values:
+## `--metrics-addr`, `--listener-metrics-addr`, `--listener-metrics-endpoint`.
 ## This will disable metrics.
 ##
 ## To enable metrics, uncomment the following lines.
@@ -100,9 +106,14 @@ flags:
  ## Defaults to watch all namespaces when unset.
  # watchSingleNamespace: ""

+  ## The maximum number of concurrent reconciles which can be run by the EphemeralRunner controller.
+  # Increase this value to improve the throughput of the controller.
+  # It may also increase the load on the API server and the external service (e.g. GitHub API).
+  runnerMaxConcurrentReconciles: 2
+
  ## Defines how the controller should handle upgrades while having running jobs.
  ##
-  ## The srategies available are:
+  ## The strategies available are:
  ## - "immediate": (default) The controller will immediately apply the change causing the
  ##   recreation of the listener and ephemeral runner set. This can lead to an
  ##   overprovisioning of runners, if there are pending / running jobs. This should not
@@ -115,3 +126,19 @@ flags:
  ##   This can lead to a longer time to apply the change but it will ensure
  ##   that you don't have any overprovisioning of runners.
  updateStrategy: "immediate"
+
+  ## Defines a list of prefixes that should not be propagated to internal resources.
+  ## This is useful when you have labels that are used for internal purposes and should not be propagated to internal resources.
+  ## See https://github.com/actions/actions-runner-controller/issues/3533 for more information.
+  ##
+  ## By default, all labels are propagated to internal resources
+  ## Labels that match prefix specified in the list are excluded from propagation.
+  # excludeLabelPropagationPrefixes:
+  #   - "argocd.argoproj.io/instance"
+
+# Overrides the default `.Release.Namespace` for all resources in this chart.
+namespaceOverride: ""
+
+## Defines the K8s client rate limiter parameters.
+  # k8sClientRateLimiterQPS: 20
+  # k8sClientRateLimiterBurst: 30
--- a/charts/gha-runner-scale-set/Chart.yaml
+++ b/charts/gha-runner-scale-set/Chart.yaml
@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.0
+version: 0.11.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.7.0"
+appVersion: "0.11.0"

 home: https://github.com/actions/actions-runner-controller

--- a/charts/gha-runner-scale-set/templates/_helpers.tpl
+++ b/charts/gha-runner-scale-set/templates/_helpers.tpl
@@ -43,7 +43,7 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/part-of: gha-rs
 actions.github.com/scale-set-name: {{ include "gha-runner-scale-set.scale-set-name" . }}
-actions.github.com/scale-set-namespace: {{ .Release.Namespace }}
+actions.github.com/scale-set-namespace: {{ include "gha-runner-scale-set.namespace" . }}
 {{- end }}

 {{/*
@@ -87,7 +87,7 @@ app.kubernetes.io/instance: {{ include "gha-runner-scale-set.scale-set-name" . }
  {{- if eq $val.name "runner" }}
 image: {{ $val.image }}
 command: ["cp"]
-args: ["-r", "-v", "/home/runner/externals/.", "/home/runner/tmpDir/"]
+args: ["-r", "/home/runner/externals/.", "/home/runner/tmpDir/"]
 volumeMounts:
  - name: dind-externals
    mountPath: /home/runner/tmpDir
@@ -99,7 +99,7 @@ volumeMounts:
 image: docker:dind
 args:
  - dockerd
-  - --host=unix:///run/docker/docker.sock
+  - --host=unix:///var/run/docker.sock
  - --group=$(DOCKER_GROUP_GID)
 env:
  - name: DOCKER_GROUP_GID
@@ -110,7 +110,7 @@ volumeMounts:
  - name: work
    mountPath: /home/runner/_work
  - name: dind-sock
-    mountPath: /run/docker
+    mountPath: /var/run
  - name: dind-externals
    mountPath: /home/runner/externals
 {{- end }}
@@ -136,7 +136,7 @@ volumeMounts:
  {{- range $i, $volume := .Values.template.spec.volumes }}
    {{- if eq $volume.name "work" }}
      {{- $createWorkVolume = 0 }}
- {{ $volume | toYaml | nindent 2 }}
+- {{ $volume | toYaml | nindent 2 | trim }}
    {{- end }}
  {{- end }}
  {{- if eq $createWorkVolume 1 }}
@@ -150,7 +150,7 @@ volumeMounts:
  {{- range $i, $volume := .Values.template.spec.volumes }}
    {{- if eq $volume.name "work" }}
      {{- $createWorkVolume = 0 }}
- {{ $volume | toYaml | nindent 2 }}
+- {{ $volume | toYaml | nindent 2 | trim  }}
    {{- end }}
  {{- end }}
  {{- if eq $createWorkVolume 1 }}
@@ -165,7 +165,7 @@ volumeMounts:
 {{- define "gha-runner-scale-set.non-work-volumes" -}}
  {{- range $i, $volume := .Values.template.spec.volumes }}
    {{- if ne $volume.name "work" }}
- {{ $volume | toYaml | nindent 2 }}
+- {{ $volume | toYaml | nindent 2 | trim }}
    {{- end }}
  {{- end }}
 {{- end }}
@@ -218,12 +218,12 @@ env:
        {{- if eq $env.name "RUNNER_UPDATE_CA_CERTS" }}
          {{- $setRunnerUpdateCaCerts = 0 }}
        {{- end }}
-  - {{ $env | toYaml | nindent 4 }}
+  - {{ $env | toYaml | nindent 4 | trim }}
      {{- end }}
    {{- end }}
    {{- if $setDockerHost }}
  - name: DOCKER_HOST
-    value: unix:///run/docker/docker.sock
+    value: unix:///var/run/docker.sock
    {{- end }}
    {{- if $setRunnerWaitDocker }}
  - name: RUNNER_WAIT_FOR_DOCKER_IN_SECONDS
@@ -255,7 +255,7 @@ volumeMounts:
        {{- if eq $volMount.name "github-server-tls-cert" }}
          {{- $mountGitHubServerTLS = 0 }}
        {{- end }}
-  - {{ $volMount | toYaml | nindent 4 }}
+  - {{ $volMount | toYaml | nindent 4 | trim }}
      {{- end }}
    {{- end }}
    {{- if $mountWork }}
@@ -264,8 +264,7 @@ volumeMounts:
    {{- end }}
    {{- if $mountDindCert }}
  - name: dind-sock
-    mountPath: /run/docker
-    readOnly: true
+    mountPath: /var/run
    {{- end }}
    {{- if $mountGitHubServerTLS }}
  - name: github-server-tls-cert
@@ -385,6 +384,9 @@ volumeMounts:
    {{- $setNodeExtraCaCerts = 1 }}
    {{- $setRunnerUpdateCaCerts = 1 }}
  {{- end }}
+
+  {{- $mountGitHubServerTLS := 0 }}
+  {{- if or $container.env $setNodeExtraCaCerts $setRunnerUpdateCaCerts }}
  env:
    {{- with $container.env }}
      {{- range $i, $env := . }}
@@ -405,10 +407,12 @@ volumeMounts:
    - name: RUNNER_UPDATE_CA_CERTS
      value: "1"
    {{- end }}
-    {{- $mountGitHubServerTLS := 0 }}
    {{- if $tlsConfig.runnerMountPath }}
      {{- $mountGitHubServerTLS = 1 }}
    {{- end }}
+  {{- end }}
+
+  {{- if or $container.volumeMounts $mountGitHubServerTLS }}
  volumeMounts:
    {{- with $container.volumeMounts }}
      {{- range $i, $volMount := . }}
@@ -423,6 +427,7 @@ volumeMounts:
      mountPath: {{ clean (print $tlsConfig.runnerMountPath "/" $tlsConfig.certificateFrom.configMapKeyRef.key) }}
      subPath: {{ $tlsConfig.certificateFrom.configMapKeyRef.key }}
    {{- end }}
+  {{- end}}
 {{- end }}
 {{- end }}
 {{- end }}
@@ -476,8 +481,8 @@ volumeMounts:
      {{- $managerServiceAccountName = (get $controllerDeployment.metadata.labels "actions.github.com/controller-service-account-name") }}
    {{- end }}
  {{- else if gt $singleNamespaceCounter 0 }}
-    {{- if hasKey $singleNamespaceControllerDeployments .Release.Namespace }}
-      {{- $controllerDeployment = get $singleNamespaceControllerDeployments .Release.Namespace }}
+    {{- if hasKey $singleNamespaceControllerDeployments (include "gha-runner-scale-set.namespace" .) }}
+      {{- $controllerDeployment = get $singleNamespaceControllerDeployments (include "gha-runner-scale-set.namespace" .) }}
      {{- with $controllerDeployment.metadata }}
        {{- $managerServiceAccountName = (get $controllerDeployment.metadata.labels "actions.github.com/controller-service-account-name") }}
      {{- end }}
@@ -520,31 +525,39 @@ volumeMounts:
    {{- end }}
  {{- end }}
  {{- if and (eq $multiNamespacesCounter 0) (eq $singleNamespaceCounter 0) }}
-    {{- fail "No gha-rs-controller deployment found using label (app.kubernetes.io/part-of=gha-rs-controller). Consider setting controllerServiceAccount.name in values.yaml to be explicit if you think the discovery is wrong." }}
+    {{- fail "No gha-rs-controller deployment found using label (app.kubernetes.io/part-of=gha-rs-controller). Consider setting controllerServiceAccount.namespace in values.yaml to be explicit if you think the discovery is wrong." }}
  {{- end }}
  {{- if and (gt $multiNamespacesCounter 0) (gt $singleNamespaceCounter 0) }}
-    {{- fail "Found both gha-rs-controller installed with flags.watchSingleNamespace set and unset in cluster, this is not supported. Consider setting controllerServiceAccount.name in values.yaml to be explicit if you think the discovery is wrong." }}
+    {{- fail "Found both gha-rs-controller installed with flags.watchSingleNamespace set and unset in cluster, this is not supported. Consider setting controllerServiceAccount.namespace in values.yaml to be explicit if you think the discovery is wrong." }}
  {{- end }}
  {{- if gt $multiNamespacesCounter 1 }}
-    {{- fail "More than one gha-rs-controller deployment found using label (app.kubernetes.io/part-of=gha-rs-controller). Consider setting controllerServiceAccount.name in values.yaml to be explicit if you think the discovery is wrong." }}
+    {{- fail "More than one gha-rs-controller deployment found using label (app.kubernetes.io/part-of=gha-rs-controller). Consider setting controllerServiceAccount.namespace in values.yaml to be explicit if you think the discovery is wrong." }}
  {{- end }}
  {{- if eq $multiNamespacesCounter 1 }}
    {{- with $controllerDeployment.metadata }}
      {{- $managerServiceAccountNamespace = (get $controllerDeployment.metadata.labels "actions.github.com/controller-service-account-namespace") }}
    {{- end }}
  {{- else if gt $singleNamespaceCounter 0 }}
-    {{- if hasKey $singleNamespaceControllerDeployments .Release.Namespace }}
-      {{- $controllerDeployment = get $singleNamespaceControllerDeployments .Release.Namespace }}
+    {{- if hasKey $singleNamespaceControllerDeployments (include "gha-runner-scale-set.namespace" .) }}
+      {{- $controllerDeployment = get $singleNamespaceControllerDeployments (include "gha-runner-scale-set.namespace" .) }}
      {{- with $controllerDeployment.metadata }}
        {{- $managerServiceAccountNamespace = (get $controllerDeployment.metadata.labels "actions.github.com/controller-service-account-namespace") }}
      {{- end }}
    {{- else }}
-      {{- fail "No gha-rs-controller deployment that watch this namespace found using label (actions.github.com/controller-watch-single-namespace). Consider setting controllerServiceAccount.name in values.yaml to be explicit if you think the discovery is wrong." }}
+      {{- fail "No gha-rs-controller deployment that watch this namespace found using label (actions.github.com/controller-watch-single-namespace). Consider setting controllerServiceAccount.namespace in values.yaml to be explicit if you think the discovery is wrong." }}
    {{- end }}
  {{- end }}
  {{- if eq $managerServiceAccountNamespace "" }}
-    {{- fail "No service account namespace found for gha-rs-controller deployment using label (actions.github.com/controller-service-account-namespace), consider setting controllerServiceAccount.name in values.yaml to be explicit if you think the discovery is wrong." }}
+    {{- fail "No service account namespace found for gha-rs-controller deployment using label (actions.github.com/controller-service-account-namespace), consider setting controllerServiceAccount.namespace in values.yaml to be explicit if you think the discovery is wrong." }}
  {{- end }}
 {{- $managerServiceAccountNamespace }}
 {{- end }}
 {{- end }}
+
+{{- define "gha-runner-scale-set.namespace" -}}
+{{- if .Values.namespaceOverride }}
+  {{- .Values.namespaceOverride }}
+{{- else }}
+  {{- .Release.Namespace }}
+{{- end }}
+{{- end }}
--- a/charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml
+++ b/charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml
@@ -1,18 +1,36 @@
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.autoscalingRunnerSet) }}
 apiVersion: actions.github.com/v1alpha1
 kind: AutoscalingRunnerSet
 metadata:
  {{- if or (not (include "gha-runner-scale-set.scale-set-name" .)) (gt (len (include "gha-runner-scale-set.scale-set-name" .)) 45) }}
  {{ fail "Name must have up to 45 characters" }}
  {{- end }}
-  {{- if gt (len .Release.Namespace) 63 }}
+  {{- if gt (len (include "gha-runner-scale-set.namespace" .)) 63 }}
  {{ fail "Namespace must have up to 63 characters" }}
  {{- end }}
  name: {{ include "gha-runner-scale-set.scale-set-name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set.namespace" . }}
  labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.autoscalingRunnerSet.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
    app.kubernetes.io/component: "autoscaling-runner-set"
    {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
  annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.autoscalingRunnerSet.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+    actions.github.com/values-hash: {{ toJson .Values | sha256sum | trunc 63 }}
    {{- $containerMode := .Values.containerMode }}
    {{- if not (kindIs "string" .Values.githubConfigSecret) }}
    actions.github.com/cleanup-github-secret-name: {{ include "gha-runner-scale-set.githubsecret" . }}
@@ -88,11 +106,16 @@ spec:
  minRunners: {{ .Values.minRunners | int }}
  {{- end }}

-  {{- with .Values.listenerTemplate}}
+  {{- with .Values.listenerTemplate }}
  listenerTemplate:
    {{- toYaml . | nindent 4}}
  {{- end }}

+  {{- with .Values.listenerMetrics }}
+  listenerMetrics:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+
  template:
    {{- with .Values.template.metadata }}
    metadata:
--- a/charts/gha-runner-scale-set/templates/githubsecret.yaml
+++ b/charts/gha-runner-scale-set/templates/githubsecret.yaml
@@ -1,11 +1,29 @@
 {{- if not (kindIs "string" .Values.githubConfigSecret) }}
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.githubConfigSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gha-runner-scale-set.githubsecret" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set.namespace" . }}
  labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.githubConfigSecret.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
    {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
+  annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.githubConfigSecret.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
  finalizers:
    - actions.github.com/cleanup-protection
 data:
--- a/charts/gha-runner-scale-set/templates/kube_mode_role.yaml
+++ b/charts/gha-runner-scale-set/templates/kube_mode_role.yaml
@@ -1,11 +1,31 @@
 {{- $containerMode := .Values.containerMode }}
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.kubernetesModeRole) }}
 {{- if and (eq $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }}
 # default permission for runner pod service account in kubernetes mode (container hook)
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ include "gha-runner-scale-set.kubeModeRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set.namespace" . }}
+  labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.kubernetesModeRole.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+    {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
+  annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.kubernetesModeRole.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
  finalizers:
    - actions.github.com/cleanup-protection
 rules:
--- a/charts/gha-runner-scale-set/templates/kube_mode_role_binding.yaml
+++ b/charts/gha-runner-scale-set/templates/kube_mode_role_binding.yaml
@@ -1,10 +1,31 @@
 {{- $containerMode := .Values.containerMode }}
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.kubernetesModeRoleBinding) }}
 {{- if and (eq $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "gha-runner-scale-set.kubeModeRoleBindingName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set.namespace" . }}
+  labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.kubernetesModeRoleBinding.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+    {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
+
+  annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.kubernetesModeRoleBinding.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
  finalizers:
    - actions.github.com/cleanup-protection
 roleRef:
@@ -14,5 +35,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ include "gha-runner-scale-set.kubeModeServiceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set.namespace" . }}
 {{- end }}
--- a/charts/gha-runner-scale-set/templates/kube_mode_serviceaccount.yaml
+++ b/charts/gha-runner-scale-set/templates/kube_mode_serviceaccount.yaml
@@ -1,18 +1,33 @@
 {{- $containerMode := .Values.containerMode }}
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.kubernetesModeServiceAccount) }}
 {{- if and (eq $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "gha-runner-scale-set.kubeModeServiceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
-  {{- if .Values.containerMode.kubernetesModeServiceAccount }}
-  {{- with .Values.containerMode.kubernetesModeServiceAccount.annotations }}
+  namespace: {{ include "gha-runner-scale-set.namespace" . }}
+  {{- if or .Values.annotations $hasCustomResourceMeta }}
  annotations:
-  {{- toYaml . | nindent 4 }}
-  {{- end }}
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.kubernetesModeServiceAccount.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
  {{- end }}
+  labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.kubernetesModeServiceAccount.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+    {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
+
  finalizers:
    - actions.github.com/cleanup-protection
-  labels:
-    {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
 {{- end }}
--- a/charts/gha-runner-scale-set/templates/manager_role.yaml
+++ b/charts/gha-runner-scale-set/templates/manager_role.yaml
@@ -1,11 +1,29 @@
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.managerRole) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ include "gha-runner-scale-set.managerRoleName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set.namespace" . }}
  labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.managerRole.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
    {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
    app.kubernetes.io/component: manager-role
+  annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.managerRole.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
  finalizers:
    - actions.github.com/cleanup-protection
 rules:
--- a/charts/gha-runner-scale-set/templates/manager_role_binding.yaml
+++ b/charts/gha-runner-scale-set/templates/manager_role_binding.yaml
@@ -1,11 +1,29 @@
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.managerRoleBinding) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "gha-runner-scale-set.managerRoleBindingName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "gha-runner-scale-set.namespace" . }}
  labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.managerRoleBinding.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
    {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
    app.kubernetes.io/component: manager-role-binding
+  annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.managerRoleBinding.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
  finalizers:
    - actions.github.com/cleanup-protection
 roleRef:
--- a/Show More
+++ b/Show More