From 3c9b825ec799c61815533113b54aef1574632061 Mon Sep 17 00:00:00 2001
From: Serge Bazanski
Date: Sun, 27 Nov 2022 14:48:07 +0000
Subject: [PATCH] games/valheim: create serviceaccount for external users/systems
q3k uses this to give access to someone who plays on the valheim server so that they can get logs / restart things / etc.
Change-Id: If205709142d386c460eeb835829888957d28a654
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1442
Reviewed-by: patryk
---
 games/valheim/prod.jsonnet | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/games/valheim/prod.jsonnet b/games/valheim/prod.jsonnet
index f1f3c346..82e29076 100644
--- a/games/valheim/prod.jsonnet
+++ b/games/valheim/prod.jsonnet
@@ -59,6 +59,37 @@ local kube = import "../../kube/kube.libsonnet";
 },
 },
+ // Given to some external users/systems which manage a given valheim server in a namespace.
+ // TODO(q3k): only grant privileges to the same server
+ controlAccount: {
+ svcAccount: ns.Contain(kube.ServiceAccount(named("control"))),
+ role: ns.Contain(kube.Role("control")) {
+ rules: [
+ {
+ apiGroups: [""],
+ resources: ["pods"],
+ verbs: ["get", "list", "watch", "delete"],
+ },
+ {
+ apiGroups: [""],
+ resources: ["pods/log"],
+ verbs: ["get"],
+ },
+ {
+ apiGroups: ["apps"],
+ resources: ["deployments"],
+ verbs: ["get", "list", "watch"],
+ },
+ ],
+ },
+ roleBinding: ns.Contain(kube.RoleBinding(named("control"))) {
+ subjects_: [
+ game.controlAccount.svcAccount,
+ ],
+ roleRef_: game.controlAccount.role,
+ },
+ },
+
 scripts: ns.Contain(kube.ConfigMap(named("scripts"))) {
 data: {
 # Based on https://github.com/mbround18/valheim-docker ,
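Review bot: The Role is created as `kube.Role("control")`, while the ServiceAccount and RoleBinding in the same `controlAccount` object go through `named("control")`. `named` is defined outside this hunk; if it derives a per-server name, as its use here suggests, two servers in one namespace would both emit a Role called `control` and share or overwrite it, so `role: ns.Contain(kube.Role(named("control"))) {` would keep the three objects consistent. Separately, the rules are namespace-wide: `delete` on `pods` and `get` on `pods/log` apply to every pod in the namespace, which is the gap the TODO records. Until that is narrowed, I would make the comment state it explicitly, e.g. `// NOTE: grants log read and pod delete on ALL pods in this namespace; do not co-locate other workloads.`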