Integrate git client with LUCI service accounts |
||||||||||||||
Issue descriptionE.g. make following work (without .netrc or .gitcookies): authutil context -scopes "https://www.googleapis.com/auth/gerritcodereview" -- git ls-remote https://chrome-internal.googlesource.com/<some-repo> This will likely require writing "git credential helper" and integrating it with our git wrapper. Need also some way to conditionally enable/disable this from recipes, to allow gradually rollout.
,
Sep 1 2017
,
Sep 2 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/luci/luci-go.git/+/91481c7b6cb2aabb89417b70dfa5eb90f39e9518 commit 91481c7b6cb2aabb89417b70dfa5eb90f39e9518 Author: Petr Hosek <phosek@google.com> Date: Sat Sep 02 01:29:32 2017 git-credential-luci: first version This enables integration of Git client with LUCI service accounts. Bug: 756224 Change-Id: Ibfdfffcbfc88ac2168179dff59fa9897b91d1506 Reviewed-on: https://chromium-review.googlesource.com/646977 Commit-Queue: Petr Hosek <phosek@chromium.org> Reviewed-by: Vadim Shtayura <vadimsh@chromium.org> [modify] https://crrev.com/91481c7b6cb2aabb89417b70dfa5eb90f39e9518/client/authcli/authcli.go [add] https://crrev.com/91481c7b6cb2aabb89417b70dfa5eb90f39e9518/client/cmd/git-credential-luci/main.go
,
Sep 2 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/infra/+/8a6d5f40374ad50c9e67e3c7f586f077edebca82 commit 8a6d5f40374ad50c9e67e3c7f586f077edebca82 Author: Petr Hosek <phosek@google.com> Date: Sat Sep 02 21:26:26 2017 Create package for git-credential-luci Bug: 756224 Change-Id: I694ea185322048ebddfde2c12346d8cbf1453c34 Reviewed-on: https://chromium-review.googlesource.com/648609 Reviewed-by: Vadim Shtayura <vadimsh@chromium.org> Commit-Queue: Petr Hosek <phosek@chromium.org> [add] https://crrev.com/8a6d5f40374ad50c9e67e3c7f586f077edebca82/build/packages/git-credential-luci.yaml
,
Sep 13 2017
Assigned to current sprint M3-S8
,
Sep 13 2017
,
Sep 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/luci/luci-go.git/+/6523a32d2cb0092e339742c255c5142f938c3b2f commit 6523a32d2cb0092e339742c255c5142f938c3b2f Author: Vadim Shtayura <vadimsh@chromium.org> Date: Fri Sep 15 23:50:28 2017 git-credential-luci: Make it work, add some bells and whistles. In particular: * Use 'git-<something>' as username, Gerrit doesn't like 'o' here. * Add 'luci-git-user' subcommand that returns an email and a user name that matches the credentials used. Useful when pushing commits to Gerrit. R=phosek@chromium.org BUG= 756224 Change-Id: I0017d2b9e3855b60134c7a71736f3d7438076b32 Reviewed-on: https://chromium-review.googlesource.com/648344 Reviewed-by: Petr Hosek <phosek@chromium.org> Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> [modify] https://crrev.com/6523a32d2cb0092e339742c255c5142f938c3b2f/client/cmd/git-credential-luci/main.go
,
Sep 22 2017
,
Oct 3 2017
,
Oct 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/luci/luci-go.git/+/aee49d5475381d7cc7dfddda41606e1d397172c2 commit aee49d5475381d7cc7dfddda41606e1d397172c2 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Fri Oct 06 02:07:26 2017 git-credential-luci: Remove user profile fetching. We do it in git wrapper instead. Also bump default token lifetime to 10 min. 1 min may be not enough for long git fetches (depending on when exactly git calls the credential helper). R=phosek@chromium.org BUG= 756224 Change-Id: I95d83287cda8b89cfd493fe1475e045d97b9ca50 Reviewed-on: https://chromium-review.googlesource.com/704257 Reviewed-by: Petr Hosek <phosek@chromium.org> Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> [modify] https://crrev.com/aee49d5475381d7cc7dfddda41606e1d397172c2/client/cmd/git-credential-luci/main.go
,
Oct 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/infra/+/d0340d205d98d01ca3de89d6adabd25e4e95c752 commit d0340d205d98d01ca3de89d6adabd25e4e95c752 Author: Petr Hosek <phosek@google.com> Date: Fri Oct 06 03:07:57 2017 git: configure Git credential helper if requested Setup credentials and credential helper if running in the LUCI_CONTEXT environment. Bug: 756224 Change-Id: If2c4c333c04d84b3b8fdefa2d2289d99b73db7e2 Reviewed-on: https://chromium-review.googlesource.com/674526 Commit-Queue: Petr Hosek <phosek@chromium.org> Reviewed-by: Vadim Shtayura <vadimsh@chromium.org> [modify] https://crrev.com/d0340d205d98d01ca3de89d6adabd25e4e95c752/go/src/infra/tools/kitchen/cook.go [modify] https://crrev.com/d0340d205d98d01ca3de89d6adabd25e4e95c752/go/src/infra/tools/git/main.go
,
Oct 6 2017
The following revision refers to this bug: https://chrome-internal.googlesource.com/infradata/config/+/561490dc84414fe42934e5e319be15544b129834 commit 561490dc84414fe42934e5e319be15544b129834 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Fri Oct 06 04:30:39 2017
,
Oct 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/luci/luci-go.git/+/a8002fce9e0eb41d004dddd9fc0bbd883d25af33 commit a8002fce9e0eb41d004dddd9fc0bbd883d25af33 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Sat Oct 07 01:05:35 2017 auth: Add 'authtest' testing helpers package. Will be used to setup fake authentication context for various integration tests, in particular ones in Kitchen (that use git). R=iannucci@chromium.org BUG= 756224 Change-Id: Ic96d3786feac92f861e07a5256b1ece898824621 Reviewed-on: https://chromium-review.googlesource.com/706556 Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org> Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> [add] https://crrev.com/a8002fce9e0eb41d004dddd9fc0bbd883d25af33/common/auth/authtest/doc.go [add] https://crrev.com/a8002fce9e0eb41d004dddd9fc0bbd883d25af33/common/auth/authtest/fakectx.go [add] https://crrev.com/a8002fce9e0eb41d004dddd9fc0bbd883d25af33/common/auth/authtest/fakectx_test.go
,
Oct 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/infra/+/16a608a8559edf91730470838600736d45435af4 commit 16a608a8559edf91730470838600736d45435af4 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Tue Oct 10 00:50:24 2017 kitchen: Consistently pass environment through env.Environ object. We use it for passing environment for recipe_engine already. Use it for git too. This will be important once we start putting LUCI_CONTEXT there. Git wrapper requires LUCI_CONTEXT for authentication. It is ugly, but at least consistent. Also don't use mock user.email and user.name in production code. When using authentication they will be properly set by the kitchen. R=iannucci@chromium.org, nodir@chromium.org BUG= 756224 Change-Id: I0a475467e5bb6587b2c43af544236d4570920274 Reviewed-on: https://chromium-review.googlesource.com/708058 Reviewed-by: Nodir Turakulov <nodir@chromium.org> Reviewed-by: Robbie Iannucci <iannucci@chromium.org> Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> [modify] https://crrev.com/16a608a8559edf91730470838600736d45435af4/go/src/infra/tools/kitchen/cook.go [modify] https://crrev.com/16a608a8559edf91730470838600736d45435af4/go/src/infra/tools/kitchen/git_test.go [modify] https://crrev.com/16a608a8559edf91730470838600736d45435af4/go/src/infra/tools/kitchen/cook_test.go [modify] https://crrev.com/16a608a8559edf91730470838600736d45435af4/go/src/infra/tools/kitchen/git.go
,
Oct 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/infra/+/b934d1cb54af018e03f18a9d6dc071b1a5a45ea8 commit b934d1cb54af018e03f18a9d6dc071b1a5a45ea8 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Tue Oct 10 01:21:15 2017 kitchen: Consume $kitchen properties in kitchen, don't pass them to recipes. In spirit of keeping layers separated. Recipe engine shouldn't make any decisions based on $kitchen properties. R=nodir@chromium.org, iannucci@chromium.org, phosek@chromium.org BUG= 756224 Change-Id: Iacce6a551f9cde28da11dbb4ff5608fe910c2b57 Reviewed-on: https://chromium-review.googlesource.com/704534 Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> Reviewed-by: Nodir Turakulov <nodir@chromium.org> [modify] https://crrev.com/b934d1cb54af018e03f18a9d6dc071b1a5a45ea8/go/src/infra/tools/kitchen/cook.go [modify] https://crrev.com/b934d1cb54af018e03f18a9d6dc071b1a5a45ea8/go/src/infra/tools/kitchen/git_test.go [modify] https://crrev.com/b934d1cb54af018e03f18a9d6dc071b1a5a45ea8/go/src/infra/tools/kitchen/cookflags/property_flag.go [modify] https://crrev.com/b934d1cb54af018e03f18a9d6dc071b1a5a45ea8/go/src/infra/tools/kitchen/cook_test.go [modify] https://crrev.com/b934d1cb54af018e03f18a9d6dc071b1a5a45ea8/go/src/infra/tools/kitchen/git.go
,
Oct 10 2017
Few more issues before we can start deploying this: 1. Usage of '-c user.email=...' in gitwrapper breaks various integration tests that configure user.email in per-repo config. 2. We need to retain some chunks of global ~/.gitconfig: https://chrome-internal.googlesource.com/infra/puppet/+/master/puppetm/etc/puppet/modules/chrome_infra/templates/setup/gitconfig.erb 3. We should teach Kitchen to switch into 'system' account when fetching recipes. Otherwise we won't be able to run jobs that don't specify task service account (which is almost all jobs now). This will greatly complicate the migration. So better to start using system account in kitchen right away. I'm working on this stuff now.
,
Oct 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/infra/+/5dc79f4f9fe97336f51a1302ad662369afe68544 commit 5dc79f4f9fe97336f51a1302ad662369afe68544 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Wed Oct 11 17:42:29 2017 kitchen: Fetch recipe dependencies as a separate step. This would allow to start using git auth with 'system' account for them. R=nodir@chromium.org, iannucci@chromium.org BUG= 756224 Change-Id: I5504076fd037cee9d48ce44450cf749014d3501f Reviewed-on: https://chromium-review.googlesource.com/711376 Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> Reviewed-by: Nodir Turakulov <nodir@chromium.org> [modify] https://crrev.com/5dc79f4f9fe97336f51a1302ad662369afe68544/go/src/infra/tools/kitchen/cook.go [modify] https://crrev.com/5dc79f4f9fe97336f51a1302ad662369afe68544/go/src/infra/tools/kitchen/testdata/recipe_repo/recipes.py [modify] https://crrev.com/5dc79f4f9fe97336f51a1302ad662369afe68544/go/src/infra/tools/kitchen/recipe.go [modify] https://crrev.com/5dc79f4f9fe97336f51a1302ad662369afe68544/go/src/infra/tools/kitchen/cook_logdog.go [modify] https://crrev.com/5dc79f4f9fe97336f51a1302ad662369afe68544/go/src/infra/tools/kitchen/git.go
,
Oct 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/infra/+/3e5eb824dd810046bd79b6021ca9fff2fcd2d527 commit 3e5eb824dd810046bd79b6021ca9fff2fcd2d527 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Wed Oct 11 19:41:15 2017 git: Teach git wrapper to override HOME via INFRA_GIT_WRAPPER_HOME. This will be used by Kitchen to supply appropriate global git config with configured user.email and credential.helper. Per git docs, git unconditionally looks into HOME for .gitconfig. Also, if there's ~/.netrc, it takes precedence over any custom credential helper. Replacing HOME completely solves this problem as well. R=iannucci@chromium.org BUG= 756224 Change-Id: I5c1f69fa6a7810be88ed2f68742d5427f324ab8e Reviewed-on: https://chromium-review.googlesource.com/713584 Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> Reviewed-by: Robbie Iannucci <iannucci@chromium.org> [modify] https://crrev.com/3e5eb824dd810046bd79b6021ca9fff2fcd2d527/go/src/infra/tools/git/main.go
,
Oct 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/infra/+/c4560bb1d0ba03c48bee086b6363da9495292cd4 commit c4560bb1d0ba03c48bee086b6363da9495292cd4 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Fri Oct 13 02:37:50 2017 kitchen: Refactor authentication in preparation for adding more stuff. We are about to add support for Git and Devshell authentication (for gsutil). They require doing environment modifications and/or dropping some temporary files and/or running background goroutines. Extract all authentication related logic into AuthContext struct that exists in two instances: "system" context (used by kitchen itself), and "recipe" context (used by the user-supplied recipe). Each such context can be launched and stopped. When it is running, it can be "exported" into environ, thus making subprocesses inherit it. This is more than just LUCI_CONTEXT["local_auth"].DefaultAccountID modification, since we also need to modify Git and Devshell environment variables. This CL is mostly refactoring except one inconsequential (in theory) change: on Buildbot we now use the on-disk token cache to reuse -luci-system-account-json tokens between runs. (We should have been doing this from the start, it was oversight). R=nodir@chromium.org CC=phosek@chromium.org BUG= 756224 , 756229 Change-Id: Ide1b3d1dd43d5918b49bf44b47f5e9a97fcf76da Reviewed-on: https://chromium-review.googlesource.com/714888 Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> Reviewed-by: Nodir Turakulov <nodir@chromium.org> [modify] https://crrev.com/c4560bb1d0ba03c48bee086b6363da9495292cd4/go/src/infra/tools/kitchen/cook_test.go [add] https://crrev.com/c4560bb1d0ba03c48bee086b6363da9495292cd4/go/src/infra/tools/kitchen/auth.go [modify] https://crrev.com/c4560bb1d0ba03c48bee086b6363da9495292cd4/go/src/infra/tools/kitchen/monitoring_test.go [modify] https://crrev.com/c4560bb1d0ba03c48bee086b6363da9495292cd4/go/src/infra/tools/kitchen/testdata/recipe_repo/recipes.py [modify] https://crrev.com/c4560bb1d0ba03c48bee086b6363da9495292cd4/go/src/infra/tools/kitchen/cook.go [modify] https://crrev.com/c4560bb1d0ba03c48bee086b6363da9495292cd4/go/src/infra/tools/kitchen/cook_mode.go [modify] https://crrev.com/c4560bb1d0ba03c48bee086b6363da9495292cd4/go/src/infra/tools/kitchen/monitoring.go [modify] https://crrev.com/c4560bb1d0ba03c48bee086b6363da9495292cd4/go/src/infra/tools/kitchen/cook_logdog.go
,
Oct 13 2017
Deployed this on staging and tested a bunch of use cases end-to-end: 1. Use whatever is predeployed on bots when git auth is not specifically enabled for the recipe in Buildbucket config: https://luci-milo-dev.appspot.com/swarming/task/39303504d4ed6f10?server=chromium-swarm-dev.appspot.com (this would allow us to carefully roll out git auth on builder-per-builder basis). 2. When git auth is enabled for the builder (like so https://chromium.googlesource.com/infra/infra/+/c0966f2801090afb77683f7dd4633cec273031ce), but service account is not specified, it uses anonymous access, ignoring whatever credentials are on the bot (they are not reliable and will eventually be removed): https://luci-milo-dev.appspot.com/swarming/task/393083a875eb2210?server=chromium-swarm-dev.appspot.com 3. When git auth is enabled and service account is specified, uses it for git: https://luci-milo-dev.appspot.com/swarming/task/39309e72170d7f10?server=chromium-swarm-dev.appspot.com Next steps are: deploy this to prod, write a short doc for how to add new service accounts (it is not entirely trivial), convert existing LUCI builders to use this.
,
Oct 14 2017
Unfortunately, this doesn't quite work on Windows. Git pops open interactive login prompt, since interactive login credential helper goes before luci credential helper in gitconfig list. CL with the fix: https://chromium-review.googlesource.com/c/infra/infra/+/719475
,
Oct 15 2017
The following revision refers to this bug: https://chrome-internal.googlesource.com/infradata/config/+/0c93ac75da0a9d5b2cbcf3840e36ed2e43d6f913 commit 0c93ac75da0a9d5b2cbcf3840e36ed2e43d6f913 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Fri Oct 13 20:08:07 2017
,
Oct 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/infra/+/3e0d05970e9309a8c59d0aa2c694d5cc8cb44cdc commit 3e0d05970e9309a8c59d0aa2c694d5cc8cb44cdc Author: Vadim Shtayura <vadimsh@chromium.org> Date: Fri Oct 13 18:46:40 2017 kitchen: Hook up git authentication. We prepare a separate HOME for git with custom .gitconfig that includes the user email and a reference to 'git-credential-helper' binary (that actually performs auth). We then tell gitwrapper to use this new directory as HOME for git by setting INFRA_GIT_WRAPPER_HOME environment variable. One complication is forcing authentication for public Gerrit hosts. Otherwise Gerrit uses "anonymous" quota for requests. It depletes really fast. Git ignores the credential helper if the server replies with HTTP 200 to anonymous requests. So we need to make sure all Gerrit repos are accessed through /a/... path that unconditionally triggers authentication (even for public repos). The only way to do this is to use url.<host>.insteadOf config, which unfortunately requires listing each individual known public Gerrit host. On Buildbot it is set in global ~/.gitconfig. We add '-known-gerrit-host' flag to facilitate this in Kitchen. It will be set in Swarmbucket task template config. Another complication is support for anonymous recipe runs (when the Swarming task doesn't specify a service account). We do not want to use Git auth in this case, but we still want to avoid picking up default ~/.gitconfig, since on Chrome bots it actually has some credentials (they will be removed eventually). Tasks without a service account should use anonymous git access. R=nodir@chromium.org CC=​phosek@chromium.org BUG= 756224 Change-Id: I628039dcaad28a688115280dd8f6554f7b435aae Reviewed-on: https://chromium-review.googlesource.com/718117 Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> Reviewed-by: Nodir Turakulov <nodir@chromium.org> [modify] https://crrev.com/3e0d05970e9309a8c59d0aa2c694d5cc8cb44cdc/go/src/infra/tools/kitchen/git.go [modify] https://crrev.com/3e0d05970e9309a8c59d0aa2c694d5cc8cb44cdc/go/src/infra/tools/kitchen/cookflags/flags.go [modify] https://crrev.com/3e0d05970e9309a8c59d0aa2c694d5cc8cb44cdc/go/src/infra/tools/kitchen/cook_test.go [modify] https://crrev.com/3e0d05970e9309a8c59d0aa2c694d5cc8cb44cdc/go/src/infra/tools/kitchen/cookflags/flags_test.go [modify] https://crrev.com/3e0d05970e9309a8c59d0aa2c694d5cc8cb44cdc/go/src/infra/tools/kitchen/auth.go [modify] https://crrev.com/3e0d05970e9309a8c59d0aa2c694d5cc8cb44cdc/go/src/infra/tools/kitchen/testdata/recipe_repo/recipes.py [modify] https://crrev.com/3e0d05970e9309a8c59d0aa2c694d5cc8cb44cdc/go/src/infra/tools/kitchen/cook.go [modify] https://crrev.com/3e0d05970e9309a8c59d0aa2c694d5cc8cb44cdc/go/src/infra/tools/kitchen/git_test.go [modify] https://crrev.com/3e0d05970e9309a8c59d0aa2c694d5cc8cb44cdc/go/src/infra/tools/kitchen/cookflags/validate.go
,
Oct 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/infra/+/5aefb06849b915dd031dc205ee8b92b95e89f614 commit 5aefb06849b915dd031dc205ee8b92b95e89f614 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Fri Oct 13 19:51:06 2017 Add a recipe to test Git auth on LUCI end-to-end. R=tandrii@chromium.org BUG= 756224 Change-Id: Iad29d4fd311afb759df9d42383f265ef7881f25b Reviewed-on: https://chromium-review.googlesource.com/719381 Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org> Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> [modify] https://crrev.com/5aefb06849b915dd031dc205ee8b92b95e89f614/recipes/README.recipes.md [add] https://crrev.com/5aefb06849b915dd031dc205ee8b92b95e89f614/recipes/recipes/gerrit_hello_world.expected/linux.json [add] https://crrev.com/5aefb06849b915dd031dc205ee8b92b95e89f614/recipes/recipes/gerrit_hello_world.py
,
Oct 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/infra/+/a2e18d2df0f0a8d35a74d3eea62c4db47d08b2e5 commit a2e18d2df0f0a8d35a74d3eea62c4db47d08b2e5 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Fri Oct 13 19:51:33 2017 Setup a triggered job that runs 'gerrit_hello_world' recipe. The git auth is currently not enabled. It means the recipe will pick up whatever credentials are predeployed on the bot (likely 'chrome-bot@' or ccompute one). Next steps are: 1. Enable auth, but don't specify service account => should fail to push. 2. Specify the service account => should push as this account. R=tandrii@chromium.org BUG= 756224 Change-Id: I1d34870b4de9c5940846d0eec263713aa2163bda Reviewed-on: https://chromium-review.googlesource.com/719383 Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org> [modify] https://crrev.com/a2e18d2df0f0a8d35a74d3eea62c4db47d08b2e5/luci-scheduler-dev.cfg [modify] https://crrev.com/a2e18d2df0f0a8d35a74d3eea62c4db47d08b2e5/cr-buildbucket-dev.cfg
,
Oct 15 2017
The following revision refers to this bug: https://chrome-internal.googlesource.com/infradata/config/+/ba4e41b135a6f9715280790e1b93fe67e5addd95 commit ba4e41b135a6f9715280790e1b93fe67e5addd95 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Fri Oct 13 22:11:47 2017
,
Oct 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/infra/+/90d04bf45e45fb9f28105913344306b2e605db75 commit 90d04bf45e45fb9f28105913344306b2e605db75 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Fri Oct 13 20:17:57 2017 Fix gerrit_hello_world recipe. Apparently api.file.write_text requires absolute paths. TBR=tandrii@chromium.org BUG= 756224 Change-Id: I3c20317386c206f9c04c5c64965d1623680a5837 Reviewed-on: https://chromium-review.googlesource.com/719608 Reviewed-by: Vadim Shtayura <vadimsh@chromium.org> Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org> Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> [modify] https://crrev.com/90d04bf45e45fb9f28105913344306b2e605db75/recipes/recipes/gerrit_hello_world.expected/linux.json [modify] https://crrev.com/90d04bf45e45fb9f28105913344306b2e605db75/recipes/recipes/gerrit_hello_world.py
,
Oct 15 2017
The following revision refers to this bug: https://chrome-internal.googlesource.com/infradata/config/+/081e7de5f6098ba230fd987af7298842cc86cb1c commit 081e7de5f6098ba230fd987af7298842cc86cb1c Author: Vadim Shtayura <vadimsh@chromium.org> Date: Fri Oct 13 23:19:13 2017
,
Oct 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/infra/+/c0966f2801090afb77683f7dd4633cec273031ce commit c0966f2801090afb77683f7dd4633cec273031ce Author: Vadim Shtayura <vadimsh@chromium.org> Date: Fri Oct 13 20:32:01 2017 Enable git authentication for gerrit_hello_world job. Git push should start failing with "need to login" error, since the job runs without the service account specified yet (this will be the next verification step). It should start using system account (pool-chrome@... in this case) when fetching the recipes. TBR=tandrii@chromium.org BUG= 756224 Change-Id: I138e24ed83ec50ae39039b5087486f5006e18bcd Reviewed-on: https://chromium-review.googlesource.com/719727 Reviewed-by: Vadim Shtayura <vadimsh@chromium.org> [modify] https://crrev.com/c0966f2801090afb77683f7dd4633cec273031ce/cr-buildbucket-dev.cfg
,
Oct 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/infra/+/842a769b26247848b22052e515d39e7c6818ede6 commit 842a769b26247848b22052e515d39e7c6818ede6 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Fri Oct 13 21:51:56 2017 Make gerrit_hello_world use service account. This should allow it to push changes to Gerrit. This is final stage of git auth testing. TBR=tandrii@chromium.org BUG= 756224 Change-Id: I04a7d68df0a0413773345b935885fa8100871b28 Reviewed-on: https://chromium-review.googlesource.com/719613 Reviewed-by: Vadim Shtayura <vadimsh@chromium.org> [modify] https://crrev.com/842a769b26247848b22052e515d39e7c6818ede6/cr-buildbucket-dev.cfg
,
Oct 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/infra/+/de0b9ba86586098c3cf09586db669a2117ac525c commit de0b9ba86586098c3cf09586db669a2117ac525c Author: Vadim Shtayura <vadimsh@chromium.org> Date: Fri Oct 13 23:08:46 2017 Enable git auth on all staging luci.infra.continuous builders. Mostly to confirm it is works on Windows. TBR=tandrii@chromium.org BUG= 756224 Change-Id: Iec739d449d6b47b6a6eeb53cc72d57996608f09a Reviewed-on: https://chromium-review.googlesource.com/719884 Reviewed-by: Vadim Shtayura <vadimsh@chromium.org> [modify] https://crrev.com/de0b9ba86586098c3cf09586db669a2117ac525c/cr-buildbucket-dev.cfg
,
Oct 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/infra/+/703fcef282d20a0297778d8a2e1c13e32aeca437 commit 703fcef282d20a0297778d8a2e1c13e32aeca437 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Sat Oct 14 18:17:08 2017 kitchen: Get rid of default git credential helper on Windows. It is not helpful and extremely annoying (pops up modal prompts, and even when asked to shut up, takes time to startup (.NET FTW) and prints confusing messages to console). Unfortunately, it is specified in "system" gitconfig ($(prefix)/etc/gitconfig), so the only way to get rid of it is to stop picking up system config (there's an env var for this). It means we need to transfer all relevant .gitconfig properties from the system config into the global config (~/.gitconfig). System config is in fact present only in our Windows git installation, so this CL accidentally affects only Windows. R=nodir@chromium.org, iannucci@chromium.org BUG= 756224 Change-Id: Ie27892d0ef5252e1f0ece8e1ebe429517204e510 Reviewed-on: https://chromium-review.googlesource.com/719475 Reviewed-by: Petr Hosek <phosek@chromium.org> Reviewed-by: Nodir Turakulov <nodir@chromium.org> Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> [modify] https://crrev.com/703fcef282d20a0297778d8a2e1c13e32aeca437/go/src/infra/tools/kitchen/git_test.go [modify] https://crrev.com/703fcef282d20a0297778d8a2e1c13e32aeca437/go/src/infra/tools/kitchen/auth.go [modify] https://crrev.com/703fcef282d20a0297778d8a2e1c13e32aeca437/go/src/infra/tools/kitchen/git.go
,
Oct 16 2017
There're some tests in infra.git that replace HOME when calling git. They don't work with gitwrapper, since it ignores HOME now if INFRA_GIT_WRAPPER_HOME is set. I'm inclined to treat these tests as obsolete since they test feature (custom .netrc for auth) that is obsolete in LUCI environment (where auth happens through a credential helper, not .netrc).
As such, I'm adding a simpler workaround instead of a more proper fix.
If we discover more dependencies on custom HOME for get, we'll have to extend gitwrapper HOME hack to do something similar to:
In kitchen:
INFRA_GIT_WRAPPER_OLD_HOME = os.environ["HOME"]
INFRA_GIT_WRAPPER_HOME = <new fake home>
In git wrapper:
if os.environ["HOME"] == INFRA_GIT_WRAPPER_OLD_HOME:
os.environ["HOME"] = INFRA_GIT_WRAPPER_HOME
I hope we can avoid this.
,
Oct 16 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/infra/+/24d76f4e4ef66c6afa7002fcea804fc57ed97aa0 commit 24d76f4e4ef66c6afa7002fcea804fc57ed97aa0 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Mon Oct 16 22:30:56 2017 Make infra.libs.git2 tests work in LUCI environment. They used HOME manipulation for git which doesn't work with gitwrapper, see https://crbug.com/756224#c33 R=nodir@chromium.org BUG= 756224 Change-Id: I81a45a4efc22cd1d38d50b571f38938c161da41c Reviewed-on: https://chromium-review.googlesource.com/721625 Reviewed-by: Nodir Turakulov <nodir@chromium.org> Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> [modify] https://crrev.com/24d76f4e4ef66c6afa7002fcea804fc57ed97aa0/infra/libs/git2/test/repo_test.py
,
Oct 17 2017
The following revision refers to this bug: https://chrome-internal.googlesource.com/infradata/config/+/c60fe3099c2cee5fca4ec8daf88a8aeeb0662df7 commit c60fe3099c2cee5fca4ec8daf88a8aeeb0662df7 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Tue Oct 17 00:43:13 2017
,
Oct 17 2017
This has been deploy to prod. Now writing doc for how to add new service accounts.
,
Oct 17 2017
The doc is done: https://chrome-internal.googlesource.com/infra/infra_internal/+/master/doc/luci/new_service_account.md I think this feature is ~= done. Enabling git auth on existing builders should probably be a separate issue.
,
Oct 17 2017
,
Oct 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/luci/luci-go.git/+/5eb07dafad344a69dfbb54b62764dce9b9a748af commit 5eb07dafad344a69dfbb54b62764dce9b9a748af Author: Vadim Shtayura <vadimsh@chromium.org> Date: Wed Oct 18 21:44:08 2017 git-credential-luci: Reduce required token lifetime from 10m to 1m. Swarming can't guarantee tokens that live for 10m, it promises at least 5m. So sometimes git auth fails on Swarming because git-credential-luci can't grab a token that lives for at least 10m. 10m doesn't actually seem necessary, so reduce the minimal accepted token lifetime to 1m. TBR=nodir@chromium.org BUG= 756224 Change-Id: I4680cdeb8e4959c8bc0147cbaf1aa5b8ffe3e277 Reviewed-on: https://chromium-review.googlesource.com/726493 Reviewed-by: Vadim Shtayura <vadimsh@chromium.org> Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> [modify] https://crrev.com/5eb07dafad344a69dfbb54b62764dce9b9a748af/client/cmd/git-credential-luci/main.go
,
Oct 19 2017
The following revision refers to this bug: https://chrome-internal.googlesource.com/infradata/config/+/359fe400c4b4b1321a97d78c48ae0f163e5ca32f commit 359fe400c4b4b1321a97d78c48ae0f163e5ca32f Author: Vadim Shtayura <vadimsh@chromium.org> Date: Thu Oct 19 19:58:25 2017
,
Oct 19 2017
The following revision refers to this bug: https://chrome-internal.googlesource.com/infradata/config/+/4a02526e0bbb011639e87141370610dd9fa5fe99 commit 4a02526e0bbb011639e87141370610dd9fa5fe99 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Thu Oct 19 21:47:54 2017
,
Nov 8 2017
,
Jan 31 2018
,
Jan 31 2018
,
Feb 15 2018
|
||||||||||||||
►
Sign in to add a comment |
||||||||||||||
Comment 1 by vadimsh@chromium.org
, Aug 16 2017