juntekim.com/github_runner/install/install_arc.sh

#!/bin/bash
set -ex

# =====================================================================
# OPTIONAL — MicroK8s setup/reset steps (only use when doing a hard reset)
# =====================================================================
# sudo microk8s reset --destroy-storage
# sudo snap remove microk8s
# sudo snap install microk8s --classic
# sudo microk8s enable dns rbac hostpath-storage host-access metrics-server ingress
#
# # Rebuild kubeconfig for your local user (optional)
# microk8s kubectl config view --raw > ~/.kube/config
# chmod 600 ~/.kube/config
# sudo usermod -aG microk8s $USER
# sudo chown -f -R $USER ~/.kube

NAMESPACE="arc-systems"
RUNNER_NAME="mealcraft-runners"

# # =====================================================================
# # Remove previous ARC installation (safe even if missing)
# # =====================================================================
# helm uninstall arc -n "${NAMESPACE}" || true
# helm uninstall "${RUNNER_NAME}" -n "${NAMESPACE}" || true

# echo "=== Installing ARC Scale Set Controller ==="

# helm install arc \
#   --namespace "${NAMESPACE}" \
#   --create-namespace \
#   oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller

# echo "=== Installing MealCraft Runner Scale Set (NO Docker-in-Docker) ==="

# helm install "${RUNNER_NAME}" \
#   --namespace "${NAMESPACE}" \
#   --create-namespace \
#   --set runnerScaleSetName="${RUNNER_NAME}" \
#   --set githubConfigUrl="https://github.com/MealCraft" \
#   --set githubConfigSecret.name="github-secret" \
#   --set githubConfigSecret.github_token="$GITHUB_PAT" \
#   --set dockerInDockerEnabled=false \
#   --set containerMode.type="runner" \
#   --set runnerLabels[0]="mealcraft" \
#   oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set

# # =====================================================================
# # RBAC — IMPORTANT
# # Grants permissions to the exact ARC runner SA detected earlier.
# # =====================================================================

echo "=== Applying RBAC for all ARC runners + Traefik ==="

microk8s kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mealcraft-bootstrap-role
rules:
  # ----------------------------------------------------
  # Storage
  # ----------------------------------------------------
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["*"]

  # ----------------------------------------------------
  # Core API
  # PV, PVC, Namespaces, Secrets, ConfigMaps, Services,
  # ServiceAccounts (added for runner + Traefik needs)
  # ----------------------------------------------------
  - apiGroups: [""]
    resources:
      - persistentvolumes
      - persistentvolumeclaims
      - namespaces
      - secrets
      - configmaps
      - services
      - serviceaccounts
      - endpoints     # <-- Traefik requires
      - pods          # <-- Traefik requires
      - nodes         # <-- Traefik requires for node discovery
    verbs: ["*"]

  # ----------------------------------------------------
  # Apps: Deployments, DaemonSets, RS, StatefulSets
  # ----------------------------------------------------
  - apiGroups: ["apps"]
    resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
    verbs: ["*"]

  # ----------------------------------------------------
  # Networking & Ingress
  # (Traefik needs watch on ingresses & ingressclasses)
  # ----------------------------------------------------
  - apiGroups: ["networking.k8s.io", "extensions"]
    resources: ["ingresses", "ingressclasses", "*"]
    verbs: ["*"]

  # ----------------------------------------------------
  # Traefik v1 CRDs (old MicroK8s installs)
  # ----------------------------------------------------
  - apiGroups: ["traefik.containo.us"]
    resources: ["*"]
    verbs: ["*"]

  # ----------------------------------------------------
  # Traefik v2 CRDs (modern)
  # ----------------------------------------------------
  - apiGroups: ["traefik.io"]
    resources:
      - ingressroutes
      - ingressroutetcps
      - ingressrouteudps
      - middlewares
      - middlewaretcps
      - traefikservices
      - tlsoptions
      - tlsstores
      - serverstransports
    verbs: ["*"]

  # ----------------------------------------------------
  # CRDs
  # ----------------------------------------------------
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["*"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: mealcraft-bootstrap-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mealcraft-bootstrap-role
subjects:
  - kind: ServiceAccount
    name: mealcraft-runners-gha-rs-no-permission
    namespace: arc-systems
EOF

microk8s kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-real-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mealcraft-bootstrap-role
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: default
EOF

microk8s kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-rbac-fix
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mealcraft-bootstrap-role
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: default
EOF


echo "=== ARC installation + RBAC complete ==="