From 43946faf1b742a20514f759f758a08bdf102fef3 Mon Sep 17 00:00:00 2001
From: Shea Levy <shea@shealevy.com>
Date: Fri, 29 Dec 2023 15:24:52 -0500
Subject: [PATCH] deploy: Run with a service account that can schedule jobs

---
 deploy/dapps-certification.yaml | 36 +++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/deploy/dapps-certification.yaml b/deploy/dapps-certification.yaml
index 581d6834..324fc26c 100644
--- a/deploy/dapps-certification.yaml
+++ b/deploy/dapps-certification.yaml
@@ -149,6 +149,9 @@ spec:
             volumes:
               - name: ipc
                 path: /ipc
+        - type: service-account
+          properties:
+            name: dapps-certification
       type: webservice
   policies:
     - name: local-dapps-certification
@@ -166,3 +169,36 @@ spec:
         properties:
           policies:
             - local-dapps-certification
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dapps-certification
+  namespace: dapps-certification-staging
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dapps-certification
+  namespace: dapps-certification-staging
+rules:
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["get", "create", "watch", "delete"]
+  - apiGroups: [""]
+    resources: ["pods", "pods/log"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dapps-certification
+  namespace: dapps-certification-staging
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: dapps-certification
+subjects:
+  - kind: ServiceAccount
+    name: dapps-certification
+    namespace: dapps-certification-staging