Enable LUCI auth for all existing LUCI builders |
|||||
Issue description
Basically:
0. Discover all LUCI buckets.
1. Discover a location of cr-buildbucket.cfg.
2. Add following to 'recipe' section
properties_j: "$kitchen:{\"git_auth\": true}"
3. Create a new task service account (https://chrome-internal.googlesource.com/infra/infra_internal/+/master/doc/luci/new_service_account.md) for the builder (or reuse appropriate existing one).
4. See what breaks, fix.
5. Repeat 1-4.
Things that potentially might cause breakages:
1. Bugs in git auth implementation. It is very young and not battle tested.
2. Git quota issues. New accounts will have default git quota, not enormous chrome-internal-fetch@ quota.
3. Tests that try to replace HOME when calling git. Won't work with gitwrapper.
4. Builders that "secretly" fetch internal source code somewhere. Won't work with new accounts.
,
Oct 20 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/infra/+/06725018125a836912783640d8832ab1b8e6acf4 commit 06725018125a836912783640d8832ab1b8e6acf4 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Fri Oct 20 16:38:07 2017 Enable LUCI-based git auth on luci.infra.{ci,try} buckets. R=tandrii@chromium.org BUG= 776035 Change-Id: I3e1ee1a432bada2aa72dfe99015407fc0ca596b2 Reviewed-on: https://chromium-review.googlesource.com/729745 Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org> [modify] https://crrev.com/06725018125a836912783640d8832ab1b8e6acf4/cr-buildbucket.cfg
,
Nov 7 2017
Extending scope to include gsutil auth as well.
,
Nov 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/infra/infra/+/550a405b00d5e3197f08b39637294b481fd80848 commit 550a405b00d5e3197f08b39637294b481fd80848 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Tue Nov 07 22:54:22 2017 Enable gsutil auth on infra Try and CI builders. Will run tryjobs for all affected repos once submitted to confirm. Doing it with led is pain in the back. R=tandrii@chromium.org BUG= 776035 Change-Id: Ibeb2ae209b50e417593366509ffb2670d52d87a6 Reviewed-on: https://chromium-review.googlesource.com/757512 Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org> [modify] https://crrev.com/550a405b00d5e3197f08b39637294b481fd80848/cr-buildbucket.cfg
,
Feb 28 2018
I'll be making $kitchen:{\"git_auth\": true, \"devshell\": true} default on Mar 1.
,
Mar 1 2018
Sent following CLs to explicitly disable git_auth and devshell on not fully configured builders (so we can flip the defaults sooner, until more unconfigured builders are added): https://boringssl-review.googlesource.com/c/boringssl/+/26304 https://chrome-internal-review.googlesource.com/c/chromeos/manifest-internal/+/579751 https://dart-review.googlesource.com/c/sdk/+/44404 https://chromium-review.googlesource.com/c/chromium/src/tools/franky/+/942057 https://chrome-internal-review.googlesource.com/c/infra/infra_internal/+/579893 https://skia-review.googlesource.com/c/skia/+/111187 (and also waiting on https://chromium-review.googlesource.com/c/v8/v8/+/941142/1/cr-buildbucket.cfg). I really hope to submit them all tomorrow and flip the default.
,
Mar 1 2018
The following revision refers to this bug: https://chrome-internal.googlesource.com/infra/infra_internal/+/57786626edca1f4288acebc49e4cfc3a2808a30a commit 57786626edca1f4288acebc49e4cfc3a2808a30a Author: Vadim Shtayura <vadimsh@chromium.org> Date: Thu Mar 01 04:18:01 2018
,
Mar 1 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src/tools/franky/+/cd2cdb3e0913cb478a2649fcd00778eb7b133c9f commit cd2cdb3e0913cb478a2649fcd00778eb7b133c9f Author: Vadim Shtayura <vadimsh@chromium.org> Date: Thu Mar 01 04:17:34 2018 Explicitly specify that Swarming based git and gsutil auth are not used. Soon they will be used by default, and this will likely break these builders, since they are not using the service account for git and gsutil currently. R=sergeyberezin@chromium.org, tandrii@chromium.org BUG= 776035 Change-Id: I6439233b88deb1e6b4f21267a9de12d4758c9b86 Reviewed-on: https://chromium-review.googlesource.com/942057 Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org> [modify] https://crrev.com/cd2cdb3e0913cb478a2649fcd00778eb7b133c9f/cr-buildbucket.cfg
,
Mar 1 2018
,
Mar 1 2018
The following revision refers to this bug: https://skia.googlesource.com/skia/+/55005a98f26f74be5bb02767664972ba710b47a7 commit 55005a98f26f74be5bb02767664972ba710b47a7 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Thu Mar 01 04:19:57 2018 Explicitly specify that Swarming based git and gsutil auth are not used. Soon they will be used by default, and this will possibly break these builders, since they are not using the service account for git and gsutil currently. Note that even though builders are not uploading anything, they still need a service account for git, otherwise they'll be using very small anonymous git quota. R=tandrii@google.com, borenet@google.com BUG= chromium:776035 Change-Id: I426f29805f4bd9bb6f62e18dcf04a52d3345e79c Reviewed-on: https://skia-review.googlesource.com/111187 Reviewed-by: Andrii Shyshkalov <tandrii@google.com> Reviewed-by: Eric Boren <borenet@google.com> [modify] https://crrev.com/55005a98f26f74be5bb02767664972ba710b47a7/cr-buildbucket.cfg
,
Mar 1 2018
The following revision refers to this bug: https://chrome-internal.googlesource.com/chromeos/manifest-internal/+/e2012d34cfd9d6d2dddc7993c0e1bc0a76445960 commit e2012d34cfd9d6d2dddc7993c0e1bc0a76445960 Author: Vadim Shtayura <vadimsh@google.com> Date: Thu Mar 01 21:15:23 2018
,
Mar 1 2018
The following revision refers to this bug: https://chromium.googlesource.com/infra/infra/+/70be31c3bdd7641a2648ad4a495612e923158b4b commit 70be31c3bdd7641a2648ad4a495612e923158b4b Author: Vadim Shtayura <vadimsh@chromium.org> Date: Thu Mar 01 23:45:17 2018 [kitchen] Use Swarming auth for git and gsutil by default. Still can be disabled by setting $kitchen property to {"git_auth": false, "devshell": false}, e.g. in a buildbucket config: recipe { ... properties_j: "$kitchen:{\"git_auth\": false, \"devshell\": false}" } R=tandrii@chromium.org BUG= 776035 Change-Id: Id8a3d1e266be5cba530a07452962b2fda885d9f1 Reviewed-on: https://chromium-review.googlesource.com/944612 Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org> Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> [modify] https://crrev.com/70be31c3bdd7641a2648ad4a495612e923158b4b/go/src/infra/tools/kitchen/cook.go [modify] https://crrev.com/70be31c3bdd7641a2648ad4a495612e923158b4b/go/src/infra/tools/kitchen/auth.go
,
Mar 2 2018
The following revision refers to this bug: https://chrome-internal.googlesource.com/infradata/config/+/32a7c7b9fd81357c7c8bfd6361a90388f7c237b7 commit 32a7c7b9fd81357c7c8bfd6361a90388f7c237b7 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Fri Mar 02 00:08:52 2018
,
Mar 5 2018
The following revision refers to this bug: https://chrome-internal.googlesource.com/infradata/config/+/297f3960341e897f5ee6e5d65553961b311bf192 commit 297f3960341e897f5ee6e5d65553961b311bf192 Author: Vadim Shtayura <vadimsh@chromium.org> Date: Mon Mar 05 20:07:12 2018
,
Mar 8 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/2678c004ed1c1b2ff119470a9e82cedf92b17970 commit 2678c004ed1c1b2ff119470a9e82cedf92b17970 Author: Sergiy Byelozyorov <sergiyb@chromium.org> Date: Thu Mar 08 16:13:55 2018 Whitespace CL TBR=sergiyb@chromium.org Bug: chromium:776035 Change-Id: I6a9f2cb62ec275af49ec629d6a4d41d61c0a9dfe Reviewed-on: https://chromium-review.googlesource.com/955322 Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org> Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org> Cr-Commit-Position: refs/heads/master@{#51815} [modify] https://crrev.com/2678c004ed1c1b2ff119470a9e82cedf92b17970/tools/whitespace.txt
,
Mar 13 2018
Could this change be potentially responsible for a Franky Mac bot using an incorrect (outdated) vpython? See issue 818718. Sample build: https://ci.chromium.org/p/franky/builds/b8952139878945874736
,
Mar 13 2018
Unlikely.
,
Mar 13 2018
The following revision refers to this bug: https://chrome-internal.googlesource.com/infradata/config/+/9d428c0397e3ec38db2bf3c01199b1235ef6bf7c commit 9d428c0397e3ec38db2bf3c01199b1235ef6bf7c Author: Sergey Berezin <sergeyberezin@google.com> Date: Tue Mar 13 22:26:26 2018
,
Mar 13 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src/tools/franky/+/491a661f4005bdfe12337a81277917444dfe0efc commit 491a661f4005bdfe12337a81277917444dfe0efc Author: Sergey Berezin <sergeyberezin@google.com> Date: Tue Mar 13 22:29:03 2018 Add a service account to Franky bots R=vadimsh@chromium.org BUG= 776035 Change-Id: Icc6b9151e008d24e47d7e7ec2357361c0ab4dcdd Reviewed-on: https://chromium-review.googlesource.com/961523 Reviewed-by: Vadim Shtayura <vadimsh@chromium.org> [modify] https://crrev.com/491a661f4005bdfe12337a81277917444dfe0efc/cr-buildbucket.cfg
,
Apr 30 2018
done? |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by bugdroid1@chromium.org
, Oct 20 2017