
Consolidate integration test servers and enable Yarn proxy testing #1454

Merged: taylormadore merged 9 commits into hermetoproject:main from taylormadore:nexus-tls-compose on Apr 8, 2026

Conversation

@taylormadore (Member) commented Mar 25, 2026
  • Enable yarn integration tests to run through the local Nexus proxy
  • Add TLS and mTLS support via an Nginx reverse proxy in front of Nexus, with a derived hermeto test image that trusts the test CA
  • Use podman-compose to manage Nexus and the Nginx reverse proxy
  • Consolidate dnfserver and pypiserver into the Nexus instance

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request refactors the integration testing infrastructure by deprecating standalone PyPI and DNF test servers in favor of a single Nexus instance managed via podman-compose. The Nexus setup now includes an Nginx proxy to support both basic TLS and mutual TLS (mTLS) authentication for PyPI and Yum repositories. Key changes involve adding podman-compose as a dependency, introducing certificate files for TLS/mTLS, updating test configurations to point to the new Nexus endpoints, and modifying the Hermeto image build process to trust test CA certificates. Additionally, Node.js processes are configured to use the OS trust store for certificates.

@a-ovchinnikov (Contributor) left a comment

LGTM, but I believe something has to be done about c3b7509.

Replace the NexusContainer class with a declarative config to be run via
podman-compose. This simplifies the test setup/teardown and will be
extended in future commits. A standalone run.sh script is provided for
local development/debugging.

Signed-off-by: Taylor Madore <tmadore@redhat.com>
Assisted-by: Claude
Signed-off-by: Taylor Madore <tmadore@redhat.com>

This moves TLS certificates from tests/dnfserver/certificates/ to
tests/certificates/ so they can be reused by both the DNF server
and the NGINX TLS proxy for Nexus that will be introduced in future
commits.

Signed-off-by: Taylor Madore <tmadore@redhat.com>
@taylormadore (Member, Author) commented:

Rebased on main.

Once these are both approved and merged:

I will regenerate 06b65b3 with the updated integration test data and drop the final "DO NOT MERGE" commit with the test data that points at my fork.

@eskultety (Member) left a comment

It would be good to mention in the docs (where we mention local setups) that podman-compose is needed for integration tests.

Replace the standalone dnfserver with a yum-proxy repository in Nexus
and an nginx reverse proxy in the Nexus compose stack. Nginx will be
responsible for handling mTLS.

Signed-off-by: Taylor Madore <tmadore@redhat.com>
Assisted-by: Claude

Create a thin image layer on top of the base hermeto image for
integration test-specific modifications. Currently this is limited to
adding the test server CA certificate to the system trust store. This is
necessary so that tools/services in the container can connect to the
TLS-enabled test Nexus server.

Signed-off-by: Taylor Madore <tmadore@redhat.com>
Assisted-by: Claude

Nodejs ignores the system trust store by default in favor of the bundled
one. This can cause TLS verification failures after additional CAs are
added to the system trust via update-ca-trust.

Signed-off-by: Taylor Madore <tmadore@redhat.com>

Add a basic TLS server block (port 8443) to the nginx reverse proxy so
that proxy-mode tests access Nexus over HTTPS instead of plain HTTP.

This is necessary because some package managers refuse to use plain
HTTP.

Signed-off-by: Taylor Madore <tmadore@redhat.com>
Signed-off-by: Taylor Madore <tmadore@redhat.com>

Replace the standalone pypiserver with a PyPI proxy repository in Nexus.
Add basic-auth to the TLS reverse proxy so proxy-mode tests can verify
that functionality as well.

The basic-auth credentials used for integration tests were also renamed
from cachi2 --> hermeto.

Signed-off-by: Taylor Madore <tmadore@redhat.com>
Assisted-by: Claude
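The commits above describe three front ends on the nginx reverse proxy that sits in front of Nexus: plain TLS on port 8443 with HTTP basic auth for proxy-mode tests, and an mTLS listener that only admits clients presenting a certificate issued by the test CA. The configuration below is an added illustration of that layout and is not the compose stack or nginx config from this PR or the hermeto project. The mTLS port (8444), the certificate paths under /etc/nginx/certs/, the htpasswd file, and the upstream address nexus:8081 are assumptions.

```nginx
# Added example (not the project's config): nginx in front of Nexus.
# Assumed: Nexus listens on nexus:8081 inside the compose network and
# allows anonymous reads, so credentials are checked by nginx only.

upstream nexus {
    server nexus:8081;
}

# Plain TLS + HTTP basic auth (the "proxy-mode" front end).
server {
    listen 8443 ssl;
    server_name _;

    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Test credentials live in an htpasswd file (assumed path).
    auth_basic           "Nexus";
    auth_basic_user_file /etc/nginx/htpasswd;

    location / {
        proxy_pass       http://nexus;
        # Nexus needs the original host and scheme to build correct URLs.
        proxy_set_header Host              $host:$server_port;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Do not forward the test credentials upstream: nginx has already
        # authenticated the request and Nexus is anonymous-readable here.
        proxy_set_header Authorization     "";
    }
}

# Mutual TLS: the client certificate must chain to the test CA.
server {
    listen 8444 ssl;
    server_name _;

    ssl_certificate        /etc/nginx/certs/server.crt;
    ssl_certificate_key    /etc/nginx/certs/server.key;
    ssl_protocols          TLSv1.2 TLSv1.3;

    # Connections without a valid client certificate are rejected at the
    # TLS layer, before any request reaches Nexus.
    ssl_client_certificate /etc/nginx/certs/test-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location / {
        proxy_pass       http://nexus;
        proxy_set_header Host              $host:$server_port;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Surface the verified client identity for upstream logging.
        proxy_set_header X-Client-DN       $ssl_client_s_dn;
    }
}
```

With `ssl_verify_client on`, a client that presents no certificate, or one signed by a different CA, never gets an HTTP response; switching it to `optional` would let nginx make the decision per location via `$ssl_client_verify`, which is useful when one listener must serve both kinds of client. A container built from a derived image that trusts the test CA (as the PR describes) can then reach both listeners over HTTPS, the 8443 one with the basic-auth credentials and the 8444 one with a client certificate and key issued by that CA.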
@taylormadore (Member, Author) commented:

> It would be good to mention in the docs (where we mention local setups) that podman-compose is needed for integration tests.

Is that necessary given that podman-compose has been added to the project's test dependencies? I'll sync up with you offline and make that adjustment to the docs tomorrow if so.

@taylormadore taylormadore added this pull request to the merge queue Apr 8, 2026
Merged via the queue into hermetoproject:main with commit 500100c Apr 8, 2026
14 checks passed
@taylormadore taylormadore deleted the nexus-tls-compose branch April 8, 2026 20:15