Use self-hosted runner for Terraform workflow (#36)

* Use self-hosted runner for Terraform workflow

Switch both terraform-plan and terraform-apply jobs to use
the self-hosted VPC runner for consistency with the Grafana
workflow and to ensure K8s API access works with the new
firewall restrictions.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Fix helm-diff plugin installation on self-hosted runner

Check if the plugin exists before installing to avoid "plugin
already exists" error on the persistent self-hosted runner.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Make GitHub runner ephemeral

Ephemeral runners exit after one job and restart fresh, avoiding
state accumulation issues (helm plugins, directories, etc.).

This reverts the helm-diff workaround since it's no longer needed.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Trigger CI with ephemeral runner

* Document K8s API access and certificate regeneration

Added Cluster Access section with:
- Network access table (VPC, Tailscale, public)
- Instructions for local and CI/CD access
- Certificate regeneration procedure for adding new SANs

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: cmyui

README.md

@@ -73,11 +73,41 @@ ssh k8s-worker01
 ssh k8s-worker02
 ```
 
+## Cluster Access
+
+The K8s API (port 6443) is restricted to VPC and Tailscale networks only.
+
+| Network   | IP             | Use case                    |
+|-----------|----------------|-----------------------------|
+| Public    | 159.203.62.14  | Blocked by firewall         |
+| VPC       | 10.118.0.2     | CI/CD (GitHub runner)       |
+| Tailscale | 100.78.124.92  | Admin access (local kubectl)|
+
+**Local access**: Connect via Tailscale, then use `kubectl` with server `https://100.78.124.92:6443`.
+
+**CI/CD access**: The self-hosted runner in the VPC uses `https://10.118.0.2:6443`.
+
+### Regenerating API Server Certificate
+
+If you need to add new IPs to the K8s API certificate (e.g., new Tailscale IP):
+
+```bash
+ssh k8s-master01
+
+# Backup and regenerate
+sudo cp -r /etc/kubernetes/pki /etc/kubernetes/pki.bak
+sudo rm /etc/kubernetes/pki/apiserver.crt /etc/kubernetes/pki/apiserver.key
+sudo kubeadm init phase certs apiserver --apiserver-cert-extra-sans=10.118.0.2,100.78.124.92
+
+# Restart API server
+sudo crictl pods --name kube-apiserver -q | xargs sudo crictl stopp
+```
+
 ## CI/CD
 
 - **Grafana workflow**: Deploys k8s-monitoring stack on push to master
 - **Terraform CI**: Validates and applies infrastructure changes
-- **Self-hosted runner**: Runs in VPC for secure K8s API access (see `k8s/github-runner/`)
+- **Self-hosted runner**: Ephemeral runner in VPC for secure K8s API access (see `k8s/github-runner/`)
 
 ## Related Repositories
 

k8s/github-runner/templates/deployment.yaml

@@ -26,6 +26,8 @@ spec:
               value: {{ .Values.labels | quote }}
             - name: RUNNER_WORKDIR
               value: "/tmp/runner"
+            - name: EPHEMERAL
+              value: "true"
             - name: ACCESS_TOKEN
               valueFrom:
                 secretKeyRef: