chore: new service account svc-gha-kubectl without sudo permissions (#51)

Author: felix-seifert

data/service_accounts.yaml

@@ -1,8 +1,14 @@
 ---
 # These service accounts are provisioned by MAAS through its one-time cloud-init process.
+# Optionally, they can be updated on the k3s cluster machines through the Ansible playbook
+# `ansible/playbooks/service_accounts.yaml`
 - account_name: svc-gha-ansible-reboot
-  description: GitHub Actions Ansible CI User
+  description: GitHub Actions Ansible CI user for reboots
   public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHaLPRZrnK/HEwLX56SbzIJlUJCkXiFLMbDCMpwg1YoR svc-gha-ansible-reboot CI key
   allow_connections_from: "192.168.150.0/24"
   sudo_permissions:
     - "/sbin/reboot"
+- account_name: svc-gha-kubectl
+  description: GitHub Actions user for calling kubectl
+  public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJTJ5LG+Qj0CKOt0mVBfSptjP4ziyKYJB31lyp4ORF9 svc-gha-kubectl CI key
+  allow_connections_from: "192.168.150.0/24"

terraform/modules/server/cloud-init.tpl

@@ -15,7 +15,9 @@ users:
 %{ for acct in service_accounts ~}
   - name: "${acct.account_name}"
     gecos: "${acct.description}"
+%{ if length(try(acct.sudo_permissions, [])) > 0 }
     sudo: "ALL=(ALL) NOPASSWD: ${join(",", acct.sudo_permissions)}"
+%{ endif }
     shell: /bin/bash
 %{ if startswith(acct.public_ssh_key, "gh:") }
     ssh_import_id: