certs pv update
This commit is contained in:
parent
a39f66b674
commit
b804311fba
2 changed files with 79 additions and 26 deletions
|
|
@ -1,31 +1,42 @@
|
|||
#!/bin/bash
|
||||
set -ex
|
||||
|
||||
# OPTIONAL: Enable MicroK8s features first
|
||||
# sudo microk8s enable dns rbac hostpath-storage host-access
|
||||
# sudo microk8s enable metrics-server
|
||||
|
||||
# OPTIONAL: Configure kubectl
|
||||
# =====================================================================
|
||||
# OPTIONAL — MicroK8s setup/reset steps (only use when doing a hard reset)
|
||||
# =====================================================================
|
||||
# sudo microk8s reset --destroy-storage
|
||||
# sudo snap remove microk8s
|
||||
# sudo snap install microk8s --classic
|
||||
# sudo microk8s enable dns rbac hostpath-storage host-access metrics-server
|
||||
#
|
||||
# # Rebuild kubeconfig for your local user (optional)
|
||||
# microk8s kubectl config view --raw > ~/.kube/config
|
||||
# chmod 600 ~/.kube/config
|
||||
# sudo usermod -aG microk8s $USER
|
||||
# sudo chown -f -R $USER ~/.kube
|
||||
|
||||
helm uninstall arc -n arc-systems || true
|
||||
NAMESPACE="arc-systems"
|
||||
RUNNER_NAME="mealcraft-runners"
|
||||
|
||||
# =====================================================================
|
||||
# Remove previous ARC installation (safe even if missing)
|
||||
# =====================================================================
|
||||
helm uninstall arc -n "${NAMESPACE}" || true
|
||||
helm uninstall "${RUNNER_NAME}" -n "${NAMESPACE}" || true
|
||||
|
||||
echo "=== Installing ARC Scale Set Controller ==="
|
||||
|
||||
echo "=== Install ARC Scale Set Controller ==="
|
||||
helm install arc \
|
||||
--namespace arc-systems \
|
||||
--namespace "${NAMESPACE}" \
|
||||
--create-namespace \
|
||||
oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller
|
||||
|
||||
helm uninstall mealcraft-runners -n arc-systems || true
|
||||
echo "=== Installing MealCraft Runner Scale Set (NO Docker-in-Docker) ==="
|
||||
|
||||
echo "=== Install MealCraft Runner Scale Set (NO Docker-in-Docker) ==="
|
||||
helm install mealcraft-runners \
|
||||
--namespace arc-systems \
|
||||
helm install "${RUNNER_NAME}" \
|
||||
--namespace "${NAMESPACE}" \
|
||||
--create-namespace \
|
||||
--set runnerScaleSetName="mealcraft-runners" \
|
||||
--set runnerScaleSetName="${RUNNER_NAME}" \
|
||||
--set githubConfigUrl="https://github.com/MealCraft" \
|
||||
--set githubConfigSecret.name="github-secret" \
|
||||
--set githubConfigSecret.github_token="$GITHUB_PAT" \
|
||||
|
|
@ -34,33 +45,75 @@ helm install mealcraft-runners \
|
|||
--set runnerLabels[0]="mealcraft" \
|
||||
oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set
|
||||
|
||||
# =====================================================================
|
||||
# RBAC — IMPORTANT
|
||||
# Grants permissions to the exact ARC runner SA detected earlier.
|
||||
# =====================================================================
|
||||
|
||||
echo "=== Applying RBAC for runner ==="
|
||||
echo "=== Applying RBAC for all ARC runners ==="
|
||||
|
||||
microk8s kubectl apply -f - <<'EOF'
|
||||
microk8s kubectl apply -f - <<EOF
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: arc-runner-readonly
|
||||
name: mealcraft-bootstrap-role
|
||||
rules:
|
||||
# Storage
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources: ["storageclasses"]
|
||||
verbs: ["*"]
|
||||
|
||||
# Core API: PV, PVC, namespaces, secrets, configmaps, services, serviceaccounts (NEW)
|
||||
- apiGroups: [""]
|
||||
resources: ["pods"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
resources:
|
||||
- persistentvolumes
|
||||
- persistentvolumeclaims
|
||||
- namespaces
|
||||
- secrets
|
||||
- configmaps
|
||||
- services
|
||||
- serviceaccounts # <── NEW
|
||||
verbs: ["*"]
|
||||
|
||||
# Apps (Deployments, DS, etc)
|
||||
- apiGroups: ["apps"]
|
||||
resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
|
||||
verbs: ["*"]
|
||||
|
||||
# Networking & Ingress
|
||||
- apiGroups: ["networking.k8s.io", "extensions"]
|
||||
resources: ["ingresses", "ingressclasses", "*"]
|
||||
verbs: ["*"]
|
||||
|
||||
# Traefik v1
|
||||
- apiGroups: ["traefik.containo.us"]
|
||||
resources: ["*"]
|
||||
verbs: ["*"]
|
||||
|
||||
# Traefik v2
|
||||
- apiGroups: ["traefik.io"]
|
||||
resources: ["*"]
|
||||
verbs: ["*"]
|
||||
|
||||
# CRDs
|
||||
- apiGroups: ["apiextensions.k8s.io"]
|
||||
resources: ["customresourcedefinitions"]
|
||||
verbs: ["*"]
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: arc-runner-readonly-binding
|
||||
name: mealcraft-bootstrap-binding
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: mealcraft-bootstrap-role
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: default
|
||||
name: mealcraft-runners-gha-rs-no-permission
|
||||
namespace: arc-systems
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: arc-runner-readonly
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
EOF
|
||||
|
||||
|
||||
echo "=== RBAC Applied Successfully ==="
|
||||
echo "=== ARC installation + RBAC complete ==="
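Review bot: The new ClusterRole `mealcraft-bootstrap-role` bound to `mealcraft-runners-gha-rs-no-permission` grants `verbs: ["*"]` cluster-wide on secrets, serviceaccounts and namespaces, plus `resources: ["*"]` in the networking and traefik groups, which replaces the previous pods get/list/watch role with something close to cluster-admin for a CI runner. Any workflow job scheduled on this scale set can then read every Secret in the cluster and create service accounts, so the blast radius of a compromised or untrusted job is the whole cluster. Prefer a namespaced Role/RoleBinding in the namespace(s) the bootstrap actually deploys into, with the verbs the workflow uses listed explicitly, and drop `secrets`/`serviceaccounts` from any cluster-wide rule; the `"*"` entry in `resources: ["ingresses", "ingressclasses", "*"]` also makes the explicit names meaningless. Separately, the heredoc was changed to an unquoted `<<EOF`, yet the manifest still hardcodes `namespace: arc-systems` and the SA name although `NAMESPACE` and `RUNNER_NAME` were introduced above; `namespace: ${NAMESPACE}` and `name: ${RUNNER_NAME}-gha-rs-no-permission` keep them in sync (the SA name appears to derive from the Helm release name — confirm). The comment `# Grants permissions to the exact ARC runner SA detected earlier.` is also inaccurate since nothing in the script detects the SA; `# Grants permissions to the runner SA created by the gha-runner-scale-set release.` matches the code.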
|
||||
|
|
|
|||
|
|
@ -19,6 +19,6 @@ spec:
|
|||
- key: kubernetes.io/hostname
|
||||
operator: In
|
||||
values:
|
||||
- gpd
|
||||
- mist
|
||||
|
||||
|
||||