1566931 - [tracker] Manage everything with ci-admin

Status: RESOLVED FIXED

(Release Engineering :: Firefox-CI Administration, task)

Description

[Dustin J. Mitchell [:dustin] (he/him)]

We currently manage some roles, some hooks, and aws-provisioner worker types in ci-admin. To redeploy cleanly to a new cluster, we'll need to manage all of the required resources.

The first order of business is to figure out what those are, then parcel out the work of managing those things.

Comment 1

[Tom Prince [:tomprince]]

• manual cron tasks hooks (e.g. trigger nightlies for sherrifs)
• all scheduled tasks for mobile projects
• granting project-releng:ci-group roles to various other roles/users

Comment 2

[Tom Prince [:tomprince]]

• New worker-types needs secrets, but that isn't currently handled by ci-admin

Comment 3

[Dustin J. Mitchell [:dustin] (he/him)]

• Secrets used in tasks (e.g., project/releng/gecko/build/level-1/gls-gapi.data)

Comment 4

[Tom Prince [:tomprince]]

• service clients

Comment 5

[Tom Prince [:tomprince]]

• releng:nightly roles

Comment 6

[Tom Prince [:tomprince]]

• worker-type/worker-id roles

Comment 7

[Tom Prince [:tomprince]]

Attachment: Bug 1566931: Switch current taskcluster environment name to `legacy`; r?Callek

We have been consistently referring to the existing cluster as the legacy cluster.
Update the name to match.

Comment 8

[Tom Prince [:tomprince]]

Attachment: Bug 1566931: Add firefoxci environment for new production cluster; r?Callek

Comment 9

[Tom Prince [:tomprince]]

Attachment: Bug 1566931: Rename `Environment.environment` to `Environment.name`; r?Callek

Comment 10

[Tom Prince [:tomprince]]

Attachment: Bug 1566931: Add support for assigning scopes to arbitrary roles;

Comment 11

[Tom Prince [:tomprince]]

Attachment: Bug 1566931: Manage a bunch more roles in non-legacy clusters; r?Callek

Comment 12

[Tom Prince [:tomprince]]

Attachment: Bug 1566931: Add `login-identity:*` role; r?Callek

Comment 13

[Tom Prince [:tomprince]]

Attachment: Bug 1566931: Fix grant tests now that the current environment is queried; r?Callek

Comment 14

[Tom Prince [:tomprince]]

Attachment: Bug 1566931: Add releng/relops roles; r?callek

Comment 15

[Tom Prince [:tomprince]]

Attachment: Bug 1566931: Limit ec2-manager scopes to the legacy cluster; r?Callek

Comment 16

[Tom Prince [:tomprince]]

Attachment: Bug 1566931: Run ci-admin check against legacy and firefoxci environments; r?Callek

Comment 17

[Tom Prince [:tomprince]]

Attachment: Bug 1566931: Allow restricting grants to certain environemnts; r?Callek

This is useful for the legacy cluster, that has aws-provisioner and ec2-manager,
which don't exist in the new clusters.

Comment 18

[Tom Prince [:tomprince]]

Attachment: Bug 1566931: Move sheriff scopes to ci-admin; r?Callek

Comment 19

[Tom Prince [:tomprince]]

Attachment: Bug 1566931: Remove explict scope grants to releng; r?Callek

Given the broad scope grants given to releng, it isn't possible
to veirfy if these restricted grants are effective or correct.

Comment 20

[Tom Prince [:tomprince]]

Attachment: Bug 1566931: Add mobile worker types to aws-provider; r?Callek

Comment 21

[Tom Prince [:tomprince]]

Attachment: Bug 1566931: Add some modifiers for staging and firefoxci clusters; r?Callek

• Staging should not have always-running workers, since there is not the demand
  for it.
• firefox-ci should not currently have non-aws workers, as the currently expected
  providers don't exist in non-legacy clusters. We will adjust the config and then
  remove this modifier after the TCW.

Comment 22

[Tom Prince [:tomprince]]

Attachment: Bug 1566931: Add some modifiers for staging and firefoxci clusters; r?Callek

Comment 23

[Mihai Tabara [:mtabara]⌚️GMT]

Found in triaging: lots of good stuff landed in this bug, do we expect more work going forward or can we close this?

Comment 24

[bhearsum@mozilla.com (:bhearsum)]

This appears to be all done.