LUCI: Create shadow bucket to enable LED builds.

Test: tools/luci/config/main.star Change-Id: I7b5995c82d24de270a3cfddc9ba7c2b0d3e17af7
author: David Srbecky <dsrbecky@google.com> 2024-09-02 17:17:23 +0100
committer: David Srbecky <dsrbecky@google.com> 2024-09-03 16:23:47 +0000
commit: 17c82897fefd05709cd8be41d84783662757ff8a (patch)
tree: 1b1af174b717c71967798bcaa75cead947ad039b
parent: fc0ed57a5f25d8a7b3fbf200224bd880ed05eff5 (diff)
3 files changed, 52 insertions, 0 deletions
diff --git a/tools/luci/config/generated/cr-buildbucket.cfg b/tools/luci/config/generated/cr-buildbucket.cfg
index 675bf2011b..488db709f5 100644
--- a/tools/luci/config/generated/cr-buildbucket.cfg
+++ b/tools/luci/config/generated/cr-buildbucket.cfg
@@ -776,4 +776,20 @@ buckets {
       }
     }
   }
+  shadow: "ci.shadow"
+}
+buckets {
+  name: "ci.shadow"
+  acls {
+    role: WRITER
+    group: "project-art-admins"
+  }
+  acls {
+    group: "all"
+  }
+  constraints {
+    pools: "luci.art.ci"
+    service_accounts: "art-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+  }
+  dynamic_builder_template {}
 }
diff --git a/tools/luci/config/generated/realms.cfg b/tools/luci/config/generated/realms.cfg
index c45317659a..d439ea168c 100644
--- a/tools/luci/config/generated/realms.cfg
+++ b/tools/luci/config/generated/realms.cfg
@@ -59,5 +59,20 @@ realms {
   }
 }
 realms {
+  name: "ci.shadow"
+  bindings {
+    role: "role/buildbucket.builderServiceAccount"
+    principals: "user:art-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+  }
+  bindings {
+    role: "role/buildbucket.creator"
+    principals: "user:art-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+  }
+  bindings {
+    role: "role/buildbucket.triggerer"
+    principals: "user:art-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+  }
+}
+realms {
   name: "pools/ci"
 }
diff --git a/tools/luci/config/main.star b/tools/luci/config/main.star
index 786b09c287..a17f955c95 100755
--- a/tools/luci/config/main.star
+++ b/tools/luci/config/main.star
@@ -102,6 +102,27 @@ luci.binding(
 luci.realm(name = "pools/ci")
 luci.bucket(name = "ci")
 
+# Shadow bucket is needed for LED.
+luci.bucket(
+    name = "ci.shadow",
+    shadows = "ci",
+    bindings = [
+        luci.binding(
+            roles = "role/buildbucket.creator",
+            users = ["art-ci-builder@chops-service-accounts.iam.gserviceaccount.com"],
+        ),
+        luci.binding(
+            roles = "role/buildbucket.triggerer",
+            users = ["art-ci-builder@chops-service-accounts.iam.gserviceaccount.com"],
+        ),
+    ],
+    constraints = luci.bucket_constraints(
+        pools = ["luci.art.ci"],
+        service_accounts = ["art-ci-builder@chops-service-accounts.iam.gserviceaccount.com"],
+    ),
+    dynamic = True,
+)
+
 luci.notifier_template(
     name = "default",
     body = io.read_file("luci-notify.template"),
author	David Srbecky <dsrbecky@google.com>	2024-09-02 17:17:23 +0100
committer	David Srbecky <dsrbecky@google.com>	2024-09-03 16:23:47 +0000
commit	17c82897fefd05709cd8be41d84783662757ff8a (patch)
tree	1b1af174b717c71967798bcaa75cead947ad039b
parent	fc0ed57a5f25d8a7b3fbf200224bd880ed05eff5 (diff)