games/valheim: create serviceaccount for external users/systems
q3k uses this to give access to someone who plays on the Valheim server,
so that they can fetch logs, restart things, etc.
Change-Id: If205709142d386c460eeb835829888957d28a654
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1442
Reviewed-by: patryk <patryk@hackerspace.pl>
diff --git a/games/valheim/prod.jsonnet b/games/valheim/prod.jsonnet
index f1f3c34..82e2907 100644
--- a/games/valheim/prod.jsonnet
+++ b/games/valheim/prod.jsonnet
@@ -59,6 +59,37 @@
},
},
+ // Given to some external users/systems which manage a given valheim server in a namespace.
+ // TODO(q3k): only grant privileges to the same server
+ controlAccount: {
+ svcAccount: ns.Contain(kube.ServiceAccount(named("control"))),
+ role: ns.Contain(kube.Role("control")) {
+ rules: [
+ {
+ apiGroups: [""],
+ resources: ["pods"],
+ verbs: ["get", "list", "watch", "delete"],
+ },
+ {
+ apiGroups: [""],
+ resources: ["pods/log"],
+ verbs: ["get"],
+ },
+ {
+ apiGroups: ["apps"],
+ resources: ["deployments"],
+ verbs: ["get", "list", "watch"],
+ },
+ ],
+ },
+ roleBinding: ns.Contain(kube.RoleBinding(named("control"))) {
+ subjects_: [
+ game.controlAccount.svcAccount,
+ ],
+ roleRef_: game.controlAccount.role,
+ },
+ },
+
scripts: ns.Contain(kube.ConfigMap(named("scripts"))) {
data: {
# Based on https://github.com/mbround18/valheim-docker ,