[realms] switch GN to LUCI realms. R=phosek Bug: chromium:1204962 Change-Id: If010f250ca283c0308d5299a6d2082cb63c4f495 Reviewed-on: https://gn-review.googlesource.com/c/gn/+/11442 Reviewed-by: Petr Hosek <phosek@google.com> Commit-Queue: Petr Hosek <phosek@google.com>
diff --git a/infra/config/generated/cr-buildbucket.cfg b/infra/config/generated/cr-buildbucket.cfg
index ca250c4..9b61276 100644
--- a/infra/config/generated/cr-buildbucket.cfg
+++ b/infra/config/generated/cr-buildbucket.cfg
@@ -27,6 +27,10 @@ } execution_timeout_secs: 3600 service_account: "gn-ci-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 100 + } } builders { name: "mac" @@ -45,6 +49,10 @@ path: "macos_sdk" } service_account: "gn-ci-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 100 + } } builders { name: "win" @@ -63,6 +71,10 @@ path: "windows_sdk" } service_account: "gn-ci-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 100 + } } } } @@ -93,6 +105,10 @@ } execution_timeout_secs: 3600 service_account: "gn-try-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 100 + } } builders { name: "mac" @@ -111,6 +127,10 @@ path: "macos_sdk" } service_account: "gn-try-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 100 + } } builders { name: "win" @@ -129,6 +149,10 @@ path: "windows_sdk" } service_account: "gn-try-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 100 + } } } }
diff --git a/infra/config/generated/luci-scheduler.cfg b/infra/config/generated/luci-scheduler.cfg
index 6657369..8540855 100644
--- a/infra/config/generated/luci-scheduler.cfg
+++ b/infra/config/generated/luci-scheduler.cfg
@@ -6,6 +6,7 @@ job { id: "linux" + realm: "ci" acl_sets: "ci" buildbucket { server: "cr-buildbucket.appspot.com" @@ -15,6 +16,7 @@ } job { id: "mac" + realm: "ci" acl_sets: "ci" buildbucket { server: "cr-buildbucket.appspot.com" @@ -24,6 +26,7 @@ } job { id: "win" + realm: "ci" acl_sets: "ci" buildbucket { server: "cr-buildbucket.appspot.com" @@ -33,6 +36,7 @@ } trigger { id: "gn-trigger" + realm: "ci" acl_sets: "ci" triggers: "linux" triggers: "mac"
diff --git a/infra/config/generated/realms.cfg b/infra/config/generated/realms.cfg
new file mode 100644
index 0000000..30aa2a9
--- /dev/null
+++ b/infra/config/generated/realms.cfg
@@ -0,0 +1,56 @@ +# Auto-generated by lucicfg. +# Do not modify manually. +# +# For the schema of this file, see RealmsCfg message: +# https://luci-config.appspot.com/schemas/projects:realms.cfg + +realms { + name: "@root" + bindings { + role: "role/buildbucket.reader" + principals: "group:all" + } + bindings { + role: "role/configs.reader" + principals: "group:all" + } + bindings { + role: "role/logdog.reader" + principals: "group:all" + } + bindings { + role: "role/logdog.writer" + principals: "group:luci-logdog-chromium-writers" + } + bindings { + role: "role/scheduler.owner" + principals: "group:group:project-gn-committers" + } + bindings { + role: "role/scheduler.reader" + principals: "group:all" + } +} +realms { + name: "ci" + bindings { + role: "role/buildbucket.builderServiceAccount" + principals: "user:gn-ci-builder@chops-service-accounts.iam.gserviceaccount.com" + } + bindings { + role: "role/buildbucket.triggerer" + principals: "user:luci-scheduler@appspot.gserviceaccount.com" + } +} +realms { + name: "try" + bindings { + role: "role/buildbucket.builderServiceAccount" + principals: "user:gn-try-builder@chops-service-accounts.iam.gserviceaccount.com" + } + bindings { + role: "role/buildbucket.triggerer" + principals: "group:project-gn-tryjob-access" + principals: "group:service-account-cq" + } +}
diff --git a/infra/config/main.star b/infra/config/main.star
index cc82709..04c761f 100755
--- a/infra/config/main.star
+++ b/infra/config/main.star
@@ -1,5 +1,11 @@ #!/usr/bin/env lucicfg +lucicfg.check_version("1.23.3", "Please update depot_tools") + +# Enable LUCI Realms support and launch all builds in realms-aware mode. +lucicfg.enable_experiment("crbug.com/1085650") +luci.builder.defaults.experiments.set({"luci.use_realms": 100}) + lucicfg.config( config_dir = "generated", tracked_files = [ @@ -9,6 +15,7 @@ "luci-logdog.cfg", "luci-milo.cfg", "luci-scheduler.cfg", + "realms.cfg", ], fail_on_warnings = True, )
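Review bot: Turning on `luci.builder.defaults.experiments.set({"luci.use_realms": 100})` makes the generated realms.cfg the source of truth for permissions, and the realms.cfg added in this same commit binds `role/scheduler.owner` to `group:group:project-gn-committers`, with the `group:` prefix doubled. That principal most likely matches no existing group, so once realm ACLs are enforced the committers would not hold scheduler ownership, and the legacy `acl_sets` still present in luci-scheduler.cfg may mask the gap until they are removed. The cause is presumably an ACL entry in main.star outside this hunk that passes an already-prefixed name in its `groups` list; it should read `groups = ["project-gn-committers"]`, followed by regenerating the configs. Before landing a realms switch it is worth reading every `principals:` line in the generated realms.cfg against the intended ACLs, since `fail_on_warnings = True` evidently did not catch this one.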