[realms] switch GN to LUCI realms.

R=phosek

Bug: chromium:1204962
Change-Id: If010f250ca283c0308d5299a6d2082cb63c4f495
Reviewed-on: https://gn-review.googlesource.com/c/gn/+/11442
Reviewed-by: Petr Hosek <phosek@google.com>
Commit-Queue: Petr Hosek <phosek@google.com>
diff --git a/infra/config/generated/cr-buildbucket.cfg b/infra/config/generated/cr-buildbucket.cfg
index ca250c4..9b61276 100644
--- a/infra/config/generated/cr-buildbucket.cfg
+++ b/infra/config/generated/cr-buildbucket.cfg
@@ -27,6 +27,10 @@
       }
       execution_timeout_secs: 3600
       service_account: "gn-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "mac"
@@ -45,6 +49,10 @@
         path: "macos_sdk"
       }
       service_account: "gn-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "win"
@@ -63,6 +71,10 @@
         path: "windows_sdk"
       }
       service_account: "gn-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
   }
 }
@@ -93,6 +105,10 @@
       }
       execution_timeout_secs: 3600
       service_account: "gn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "mac"
@@ -111,6 +127,10 @@
         path: "macos_sdk"
       }
       service_account: "gn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
     builders {
       name: "win"
@@ -129,6 +149,10 @@
         path: "windows_sdk"
       }
       service_account: "gn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 100
+      }
     }
   }
 }
diff --git a/infra/config/generated/luci-scheduler.cfg b/infra/config/generated/luci-scheduler.cfg
index 6657369..8540855 100644
--- a/infra/config/generated/luci-scheduler.cfg
+++ b/infra/config/generated/luci-scheduler.cfg
@@ -6,6 +6,7 @@
 
 job {
   id: "linux"
+  realm: "ci"
   acl_sets: "ci"
   buildbucket {
     server: "cr-buildbucket.appspot.com"
@@ -15,6 +16,7 @@
 }
 job {
   id: "mac"
+  realm: "ci"
   acl_sets: "ci"
   buildbucket {
     server: "cr-buildbucket.appspot.com"
@@ -24,6 +26,7 @@
 }
 job {
   id: "win"
+  realm: "ci"
   acl_sets: "ci"
   buildbucket {
     server: "cr-buildbucket.appspot.com"
@@ -33,6 +36,7 @@
 }
 trigger {
   id: "gn-trigger"
+  realm: "ci"
   acl_sets: "ci"
   triggers: "linux"
   triggers: "mac"
diff --git a/infra/config/generated/realms.cfg b/infra/config/generated/realms.cfg
new file mode 100644
index 0000000..30aa2a9
--- /dev/null
+++ b/infra/config/generated/realms.cfg
@@ -0,0 +1,56 @@
+# Auto-generated by lucicfg.
+# Do not modify manually.
+#
+# For the schema of this file, see RealmsCfg message:
+#   https://luci-config.appspot.com/schemas/projects:realms.cfg
+
+realms {
+  name: "@root"
+  bindings {
+    role: "role/buildbucket.reader"
+    principals: "group:all"
+  }
+  bindings {
+    role: "role/configs.reader"
+    principals: "group:all"
+  }
+  bindings {
+    role: "role/logdog.reader"
+    principals: "group:all"
+  }
+  bindings {
+    role: "role/logdog.writer"
+    principals: "group:luci-logdog-chromium-writers"
+  }
+  bindings {
+    role: "role/scheduler.owner"
+    principals: "group:group:project-gn-committers"
+  }
+  bindings {
+    role: "role/scheduler.reader"
+    principals: "group:all"
+  }
+}
+realms {
+  name: "ci"
+  bindings {
+    role: "role/buildbucket.builderServiceAccount"
+    principals: "user:gn-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+  }
+  bindings {
+    role: "role/buildbucket.triggerer"
+    principals: "user:luci-scheduler@appspot.gserviceaccount.com"
+  }
+}
+realms {
+  name: "try"
+  bindings {
+    role: "role/buildbucket.builderServiceAccount"
+    principals: "user:gn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+  }
+  bindings {
+    role: "role/buildbucket.triggerer"
+    principals: "group:project-gn-tryjob-access"
+    principals: "group:service-account-cq"
+  }
+}
diff --git a/infra/config/main.star b/infra/config/main.star
index cc82709..04c761f 100755
--- a/infra/config/main.star
+++ b/infra/config/main.star
@@ -1,5 +1,11 @@
 #!/usr/bin/env lucicfg
 
+lucicfg.check_version("1.23.3", "Please update depot_tools")
+
+# Enable LUCI Realms support and launch all builds in realms-aware mode.
+lucicfg.enable_experiment("crbug.com/1085650")
+luci.builder.defaults.experiments.set({"luci.use_realms": 100})
+
 lucicfg.config(
     config_dir = "generated",
     tracked_files = [
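Review bot: The realms.cfg generated by this commit binds `role/scheduler.owner` to `principals: "group:group:project-gn-committers"`, with the `group:` prefix doubled. Because that file is generated, the cause is presumably an ACL entry in main.star outside this hunk that passes the group name already prefixed, something like `groups = "group:project-gn-committers"`. With `luci.use_realms` set to 100 for every builder, this binding becomes the effective grant, and it names a group that is probably not the intended committers group. I would pass the bare name, `groups = "project-gn-committers"`, regenerate, and confirm the output reads `group:project-gn-committers`. It is also worth checking the pre-existing scheduler ACLs for the same doubled prefix, since realms.cfg is derived from them.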
@@ -9,6 +15,7 @@
         "luci-logdog.cfg",
         "luci-milo.cfg",
         "luci-scheduler.cfg",
+        "realms.cfg",
     ],
     fail_on_warnings = True,
 )