Consolidate integration test servers and enable Yarn proxy testing #1454
Code Review
This pull request refactors the integration testing infrastructure by deprecating standalone PyPI and DNF test servers in favor of a single Nexus instance managed via podman-compose. The Nexus setup now includes an Nginx proxy to support both basic TLS and mutual TLS (mTLS) authentication for PyPI and Yum repositories. Key changes involve adding podman-compose as a dependency, introducing certificate files for TLS/mTLS, updating test configurations to point to the new Nexus endpoints, and modifying the Hermeto image build process to trust test CA certificates. Additionally, Node.js processes are configured to use the OS trust store for certificates.
a-ovchinnikov
left a comment
LGTM, but I believe something has to be done about c3b7509.
Replace the NexusContainer class with a declarative config to be run via podman-compose. This simplifies the test setup/teardown and will be extended in future commits. A standalone run.sh script is provided for local development/debugging. Signed-off-by: Taylor Madore <tmadore@redhat.com> Assisted-by: Claude
Signed-off-by: Taylor Madore <tmadore@redhat.com>
This moves TLS certificates from tests/dnfserver/certificates/ to tests/certificates/ so they can be reused by both the DNF server and the NGINX TLS proxy for Nexus that will be introduced in future commits. Signed-off-by: Taylor Madore <tmadore@redhat.com>
c3b7509 to a477781
Rebased on main. Once these are both approved and merged:
I will regenerate 06b65b3 with the updated integration test data and drop the final "DO NOT MERGE" commit with the test data that points at my fork.
a477781 to 059246c
eskultety
left a comment
It would be good to mention in the docs (where we mention local setups) that podman-compose is needed for integration tests.
Replace the standalone dnfserver with a yum-proxy repository in Nexus and an nginx reverse proxy in the Nexus compose stack. Nginx will be responsible for handling mTLS. Signed-off-by: Taylor Madore <tmadore@redhat.com> Assisted-by: Claude
Create a thin image layer on top of the base hermeto image for integration test-specific modifications. Currently this is limited to adding the test server CA certificate to the system trust store. This is necessary so that tools/services in the container can connect to the TLS-enabled test Nexus server. Signed-off-by: Taylor Madore <tmadore@redhat.com> Assisted-by: Claude
Nodejs ignores the system trust store by default in favor of the bundled one. This can cause TLS verification failures after additional CAs are added to the system trust via update-ca-trust. Signed-off-by: Taylor Madore <tmadore@redhat.com>
Add a basic TLS server block (port 8443) to the nginx reverse proxy so that proxy-mode tests access Nexus over HTTPS instead of plain HTTP. This is necessary because some package managers refuse to use plain HTTP. Signed-off-by: Taylor Madore <tmadore@redhat.com>
Signed-off-by: Taylor Madore <tmadore@redhat.com>
Replace the standalone pypiserver with a PyPI proxy repository in Nexus. Add basic-auth to the TLS reverse proxy so proxy-mode tests can verify that functionality as well. The basic-auth credentials used for integration tests were also renamed from cachi2 --> hermeto. Signed-off-by: Taylor Madore <tmadore@redhat.com> Assisted-by: Claude
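An added example, not taken from this pull request: a minimal nginx configuration of the kind the commits above describe, with a TLS listener protected by basic-auth on port 8443 and a separate listener that requires client certificates (mTLS). The upstream address, file paths, realm name and port 8444 are assumptions.

```nginx
# Added example; everything marked "assumed" is not from the pull request.
events {}

http {
    upstream nexus {
        server nexus:8081;                      # assumed compose service name and port
    }

    # Basic TLS listener with basic-auth (port 8443 is the one named in the commit).
    server {
        listen 8443 ssl;
        ssl_certificate      /etc/nginx/certs/server.crt;   # assumed path
        ssl_certificate_key  /etc/nginx/certs/server.key;   # assumed path
        ssl_protocols        TLSv1.2 TLSv1.3;

        auth_basic           "test-nexus";                  # assumed realm name
        auth_basic_user_file /etc/nginx/htpasswd;           # assumed path

        location / {
            proxy_pass http://nexus;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto https;
        }
    }

    # mTLS listener: the client must present a certificate signed by the test CA.
    server {
        listen 8444 ssl;                                    # assumed port
        ssl_certificate        /etc/nginx/certs/server.crt;
        ssl_certificate_key    /etc/nginx/certs/server.key;
        ssl_protocols          TLSv1.2 TLSv1.3;

        ssl_client_certificate /etc/nginx/certs/ca.crt;     # CA that signs client certs
        # "on" rejects the request when no valid client certificate is sent.
        # "optional" or "optional_no_ca" would let certificate-less clients
        # reach the backend unless $ssl_client_verify is checked explicitly.
        ssl_verify_client      on;
        ssl_verify_depth       1;

        location / {
            proxy_pass http://nexus;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```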
059246c to 8c09809
Is that necessary given that podman-compose has been added to the project's test dependencies? I'll sync up with you offline and make that adjustment to the docs tomorrow if so.