infra: init LUCI Realms config for Angle.

This doesn't yet have any effect on Angle builds/tasks, but allows to associate Angle pools with the Realms config in https://crrev.com/i/3802849 Change-Id: Id756c14e7e181cc1820cee735668949bf9567d0c Bug: chromium:1204972 No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/2867082 Commit-Queue: Andrii Shyshkalov <tandrii@google.com> Reviewed-by: Jamie Madill <jmadill@chromium.org>

infra: init LUCI Realms config for Angle.
32ed5069 · Andrii Shyshkalov · Commit Bot · de3753d4 · 32ed5069 · 32ed5069
Commit 32ed5069 authored May 03, 2021 by Andrii Shyshkalov Committed by Commit Bot May 03, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 151 additions and 0 deletions

luci-scheduler.cfg infra/config/generated/luci-scheduler.cfg +23 -0

realms.cfg infra/config/generated/realms.cfg +86 -0

main.star infra/config/main.star +42 -0

No files found.
--- a/infra/config/generated/luci-scheduler.cfg
+++ b/infra/config/generated/luci-scheduler.cfg
@@ -6,6 +6,7 @@
 job {
  id: "android-arm-dbg"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -15,6 +16,7 @@ job {
 }
 job {
  id: "android-arm-rel"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -24,6 +26,7 @@ job {
 }
 job {
  id: "android-arm64-dbg"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -33,6 +36,7 @@ job {
 }
 job {
  id: "android-arm64-rel"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -42,6 +46,7 @@ job {
 }
 job {
  id: "linux-clang-dbg"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -51,6 +56,7 @@ job {
 }
 job {
  id: "linux-clang-rel"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -60,6 +66,7 @@ job {
 }
 job {
  id: "linux-gcc-dbg"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -69,6 +76,7 @@ job {
 }
 job {
  id: "linux-gcc-rel"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -78,6 +86,7 @@ job {
 }
 job {
  id: "linux-trace-rel"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -87,6 +96,7 @@ job {
 }
 job {
  id: "mac-dbg"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -96,6 +106,7 @@ job {
 }
 job {
  id: "mac-rel"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -105,6 +116,7 @@ job {
 }
 job {
  id: "win-clang-x64-dbg"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -114,6 +126,7 @@ job {
 }
 job {
  id: "win-clang-x64-rel"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -123,6 +136,7 @@ job {
 }
 job {
  id: "win-clang-x86-dbg"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -132,6 +146,7 @@ job {
 }
 job {
  id: "win-clang-x86-rel"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -141,6 +156,7 @@ job {
 }
 job {
  id: "win-msvc-x64-dbg"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -150,6 +166,7 @@ job {
 }
 job {
  id: "win-msvc-x64-rel"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -159,6 +176,7 @@ job {
 }
 job {
  id: "win-msvc-x86-dbg"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -168,6 +186,7 @@ job {
 }
 job {
  id: "win-msvc-x86-rel"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -177,6 +196,7 @@ job {
 }
 job {
  id: "win-trace-rel"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -186,6 +206,7 @@ job {
 }
 job {
  id: "winuwp-x64-dbg"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -195,6 +216,7 @@ job {
 }
 job {
  id: "winuwp-x64-rel"
+  realm: "ci"
  acl_sets: "ci"
  buildbucket {
    server: "cr-buildbucket.appspot.com"
@@ -204,6 +226,7 @@ job {
 }
 trigger {
  id: "master-poller"
+  realm: "ci"
  schedule: "with 10s interval"
  acl_sets: "ci"
  triggers: "android-arm-dbg"

--- a/infra/config/generated/realms.cfg
+++ b/infra/config/generated/realms.cfg
+# Auto-generated by lucicfg.
+# Do not modify manually.
+#
+# For the schema of this file, see RealmsCfg message:
+#   https://luci-config.appspot.com/schemas/projects:realms.cfg
+realms {
+  name: "@root"
+  bindings {
+    role: "role/buildbucket.reader"
+    principals: "group:all"
+  }
+  bindings {
+    role: "role/configs.reader"
+    principals: "group:all"
+  }
+  bindings {
+    role: "role/logdog.reader"
+    principals: "group:all"
+  }
+  bindings {
+    role: "role/logdog.writer"
+    principals: "group:luci-logdog-angle-writers"
+  }
+  bindings {
+    role: "role/scheduler.owner"
+    principals: "group:project-angle-admins"
+  }
+  bindings {
+    role: "role/scheduler.reader"
+    principals: "group:all"
+  }
+  bindings {
+    role: "role/swarming.poolOwner"
+    principals: "group:mdb/chrome-troopers"
+    principals: "group:project-angle-owners"
+  }
+  bindings {
+    role: "role/swarming.poolUser"
+    principals: "group:mdb/chrome-troopers"
+    principals: "group:project-angle-owners"
+  }
+  bindings {
+    role: "role/swarming.poolViewer"
+    principals: "group:all"
+  }
+  bindings {
+    role: "role/swarming.taskServiceAccount"
+    principals: "user:chrome-gpu-gold@chops-service-accounts.iam.gserviceaccount.com"
+    principals: "user:chromium-tester@chops-service-accounts.iam.gserviceaccount.com"
+  }
+  bindings {
+    role: "role/swarming.taskTriggerer"
+    principals: "group:mdb/chrome-troopers"
+    principals: "group:project-angle-owners"
+  }
+}
+realms {
+  name: "ci"
+  bindings {
+    role: "role/buildbucket.builderServiceAccount"
+    principals: "user:angle-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+  }
+  bindings {
+    role: "role/buildbucket.triggerer"
+    principals: "user:angle-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+  }
+}
+realms {
+  name: "pools/ci"
+}
+realms {
+  name: "pools/try"
+}
+realms {
+  name: "try"
+  bindings {
+    role: "role/buildbucket.builderServiceAccount"
+    principals: "user:angle-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+  }
+  bindings {
+    role: "role/buildbucket.triggerer"
+    principals: "group:project-angle-tryjob-access"
+    principals: "group:service-account-cq"
+  }
+}
--- a/infra/config/main.star
+++ b/infra/config/main.star
@@ -15,6 +15,12 @@ lucicfg.config(
    ],
 )
+# Enable LUCI Realms support.
+lucicfg.enable_experiment("crbug.com/1085650")
+# Launch 0% of Swarming tasks for builds in "realms-aware mode"
+# TODO(https://crbug.com/1204972): ramp up to 100%.
+# luci.builder.defaults.experiments.set({"luci.use_realms": 0})
 luci.project(
    name = "angle",
    buildbucket = "cr-buildbucket.appspot.com",
@@ -46,6 +52,42 @@ luci.project(
            groups = "luci-logdog-angle-writers",
        ),
    ],
+    bindings = [
+        luci.binding(
+            roles = "role/swarming.poolOwner",
+            groups = ["project-angle-owners", "mdb/chrome-troopers"],
+        ),
+        luci.binding(
+            roles = "role/swarming.poolViewer",
+            groups = "all",
+        ),
+        # Allow any Angle build to trigger a test ran under testing accounts
+        # used on shared chromium tester pools.
+        luci.binding(
+            roles = "role/swarming.taskServiceAccount",
+            users = [
+                "chromium-tester@chops-service-accounts.iam.gserviceaccount.com",
+                "chrome-gpu-gold@chops-service-accounts.iam.gserviceaccount.com",
+            ],
+        ),
+    ],
+)
+# Swarming permissions
+luci.realm(name = "pools/ci")
+luci.realm(name = "pools/try")
+# Allow Angle owners and Chrome troopers to run tasks directly for testing and
+# development on all Angle bots. E.g. via `led` tool or "Debug" button in Swarming Web UI.
+luci.binding(
+    realm = "@root",
+    roles = "role/swarming.poolUser",
+    groups = ["project-angle-owners", "mdb/chrome-troopers"],
+)
+luci.binding(
+    realm = "@root",
+    roles = "role/swarming.taskTriggerer",
+    groups = ["project-angle-owners", "mdb/chrome-troopers"],
 )
 def _generate_project_pyl(ctx):