infra: Add shadow buckets to trigger led job
This follows
http://go/luci-how-to-led#new-trigger-a-real-buildbucket-build-using-led
I'll use led to test recipe change.
Bug: 433861937
Change-Id: Iab6cf9743cfcbab7503d9f0a98b0fe9f0271283c
Reviewed-on: https://gn-review.googlesource.com/c/gn/+/19460
Reviewed-by: Sylvain Defresne <sdefresne@chromium.org>
Commit-Queue: Takuto Ikuta <tikuta@google.com>
diff --git a/infra/config/generated/cr-buildbucket.cfg b/infra/config/generated/cr-buildbucket.cfg
index 01ab643..51c0ff6 100644
--- a/infra/config/generated/cr-buildbucket.cfg
+++ b/infra/config/generated/cr-buildbucket.cfg
@@ -73,6 +73,18 @@
}
}
}
+ shadow: "ci.shadow"
+}
+buckets {
+ name: "ci.shadow"
+ acls {
+ group: "all"
+ }
+ constraints {
+ pools: "luci.flex.ci"
+ service_accounts: "gn-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ }
+ dynamic_builder_template {}
}
buckets {
name: "try"
@@ -151,4 +163,16 @@
}
}
}
+ shadow: "try.shadow"
+}
+buckets {
+ name: "try.shadow"
+ acls {
+ group: "all"
+ }
+ constraints {
+ pools: "luci.flex.try"
+ service_accounts: "gn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+ }
+ dynamic_builder_template {}
}
diff --git a/infra/config/generated/project.cfg b/infra/config/generated/project.cfg
index 0462da7..bb145a6 100644
--- a/infra/config/generated/project.cfg
+++ b/infra/config/generated/project.cfg
@@ -7,7 +7,7 @@
name: "gn"
access: "group:all"
lucicfg {
- version: "1.45.3"
+ version: "1.45.6"
package_dir: ".."
config_dir: "generated"
entry_point: "main.star"
diff --git a/infra/config/generated/realms.cfg b/infra/config/generated/realms.cfg
index e9445b7..b75c130 100644
--- a/infra/config/generated/realms.cfg
+++ b/infra/config/generated/realms.cfg
@@ -39,6 +39,17 @@
}
}
realms {
+ name: "ci.shadow"
+ bindings {
+ role: "role/buildbucket.builderServiceAccount"
+ principals: "user:gn-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ }
+ bindings {
+ role: "role/buildbucket.creator"
+ principals: "group:project-gn-committers"
+ }
+}
+realms {
name: "try"
bindings {
role: "role/buildbucket.builderServiceAccount"
@@ -54,3 +65,14 @@
principals: "group:flex-try-led-users"
}
}
+realms {
+ name: "try.shadow"
+ bindings {
+ role: "role/buildbucket.builderServiceAccount"
+ principals: "user:gn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+ }
+ bindings {
+ role: "role/buildbucket.creator"
+ principals: "group:project-gn-committers"
+ }
+}
diff --git a/infra/config/main.star b/infra/config/main.star
index e988e49..0fb49df 100755
--- a/infra/config/main.star
+++ b/infra/config/main.star
@@ -89,6 +89,28 @@
),
])
+# Shadow bucket for led.
+luci.bucket(
+ name = "ci.shadow",
+ shadows = "ci",
+ constraints = luci.bucket_constraints(
+ pools = ["luci.flex.ci"],
+ service_accounts = [
+ "gn-ci-builder@chops-service-accounts.iam.gserviceaccount.com",
+ ],
+ ),
+ bindings = [
+ # for led permissions.
+ luci.binding(
+ roles = "role/buildbucket.creator",
+ groups = [
+ "project-gn-committers",
+ ],
+ ),
+ ],
+ dynamic = True,
+)
+
def ci_builder(name, os, caches = None):
builder(name, "ci", os, caches, triggered_by = ["gn-trigger"])
luci.console_view_entry(
@@ -139,6 +161,28 @@
),
])
+# Shadow bucket for led.
+luci.bucket(
+ name = "try.shadow",
+ shadows = "try",
+ constraints = luci.bucket_constraints(
+ pools = ["luci.flex.try"],
+ service_accounts = [
+ "gn-try-builder@chops-service-accounts.iam.gserviceaccount.com",
+ ],
+ ),
+ bindings = [
+ # for led permissions.
+ luci.binding(
+ roles = "role/buildbucket.creator",
+ groups = [
+ "project-gn-committers",
+ ],
+ ),
+ ],
+ dynamic = True,
+)
+
luci.binding(
realm = "try",
roles = "role/swarming.taskTriggerer",
