feat: Pass Package Registry proxy configuration to Hermeto

This change makes Hermeto executor aware of ConfigMap and
populates Hermeto environment with key-value pairs from it.
The main goal of that is to share registry proxy URLs with
Hermeto. This change also adds necessary machinery to disable
package registries proxies for Hermeto basing on local state
of a pipeline and global ConfigMap configuration.

Signed-off-by: Alexey Ovchinnikov <aovchinn@redhat.com>

Author: a-ovchinnikov

pkg/cliwrappers/hermeto.go

@@ -4,6 +4,7 @@ package cliwrappers
 
 import (
 	"errors"
+	"os"
 
 	"github.com/konflux-ci/konflux-build-cli/pkg/logger"
 )
@@ -19,9 +20,10 @@ type HermetoCliInterface interface {
 
 type HermetoCli struct {
 	Executor CliExecutorInterface
+	Env	 []string  // constructed as expected by exec.Cmd.Env
 }
 
-func NewHermetoCli(executor CliExecutorInterface) (*HermetoCli, error) {
+func NewHermetoCli(executor CliExecutorInterface, env []string) (*HermetoCli, error) {
 	hermetoCliAvailable, err := CheckCliToolAvailable("hermeto")
 	if err != nil {
 		return nil, err
@@ -31,7 +33,7 @@ func NewHermetoCli(executor CliExecutorInterface) (*HermetoCli, error) {
 		return nil, errors.New("hermeto CLI is not available")
 	}
 
-	return &HermetoCli{Executor: executor}, nil
+	return &HermetoCli{Executor: executor, Env: env}, nil
 }
 
 // Print the Hermeto version.
@@ -79,7 +81,8 @@ func (hc *HermetoCli) FetchDeps(params *HermetoFetchDepsParams) error {
 	)
 
 	log.Debugf("Executing %s", shellJoin("hermeto", args...))
-	_, _, _, err := hc.Executor.Execute(Cmd{Name: "hermeto", Args: args, LogOutput: true})
+	extendedEnv := append(os.Environ(), hc.Env...)
+	_, _, _, err := hc.Executor.Execute(Cmd{Name: "hermeto", Args: args, LogOutput: true, Env: extendedEnv})
 	return err
 }
 

pkg/cliwrappers/hermeto_test.go

@@ -10,7 +10,8 @@ import (
 
 func setupHermetoCli() (*cliwrappers.HermetoCli, *mockExecutor) {
 	executor := &mockExecutor{}
-	hermetoCli := &cliwrappers.HermetoCli{Executor: executor}
+	emptyEnv := []string{}
+	hermetoCli := &cliwrappers.HermetoCli{Executor: executor, Env: emptyEnv}
 	return hermetoCli, executor
 }
 

pkg/commands/prefetch_dependencies/main.go

@@ -7,6 +7,7 @@ import (
 	"github.com/konflux-ci/konflux-build-cli/pkg/cliwrappers"
 	"github.com/konflux-ci/konflux-build-cli/pkg/common"
 	"github.com/konflux-ci/konflux-build-cli/pkg/logger"
+	cfg "github.com/konflux-ci/konflux-build-cli/pkg/config"
 
 	"github.com/spf13/cobra"
 )
@@ -17,20 +18,59 @@ type PrefetchDependencies struct {
 	Config     *Params
 	HermetoCli cliwrappers.HermetoCliInterface
 }
+type ConfigReaderFactory = func() (cfg.ConfigReader, error)
+
+func getPackageProxyConfiguration(configReaderFactory ConfigReaderFactory) ([]string, error) {
+	hermetoEnv := []string{}
+	configMapReader, err := configReaderFactory()
+	if err != nil { return hermetoEnv, err }
+	configMap, err := configMapReader.ReadConfigData()
+	if configMap != nil {
+		if configMap.HermetoPackageRegistryProxyAllowed != "true" {
+			log.Info("Not using package registry proxy because allow-package-registry-proxy " +
+			 	 "is not set to `true` on the cluster level")
+			return hermetoEnv, err
+		}
+		// Note that empty URLs must be sanitized here, or it would result in validation
+		// error in Hermeto.
+		if configMap.HermetoNpmProxy != "" {
+			envEntry := fmt.Sprintf("HERMETO_NPM__PROXY_URL=%s", configMap.HermetoNpmProxy)
+			hermetoEnv = append(hermetoEnv, envEntry)
+		}
+		if configMap.HermetoYarnProxy != "" {
+			envEntry := fmt.Sprintf("HERMETO_YARN__PROXY_URL=%s", configMap.HermetoYarnProxy)
+			hermetoEnv = append(hermetoEnv, envEntry)
+		}
+	}
+
+	return hermetoEnv, err
+}
 
 func New(cmd *cobra.Command) (*PrefetchDependencies, error) {
-	config := Params{}
-	if err := common.ParseParameters(cmd, ParamsConfig, &config); err != nil {
+	var err error
+	local_config := Params{}
+	if err = common.ParseParameters(cmd, ParamsConfig, &local_config); err != nil {
 		return nil, err
 	}
 
+	hermetoEnv := []string{}
+	if local_config.EnablePackageRegistryProxy {
+		hermetoEnv, err = getPackageProxyConfiguration(cfg.NewConfigReader)
+		if err != nil {
+			log.Warnf("Failed to extract Hermeto environment settings from ConfigMap: %+v", err)
+		}
+	} else {
+		log.Info("Not using package registry proxy because enable-package-registry-proxy is not set to `true` " +
+			 "on the pipeline level")
+	}
+
 	executor := cliwrappers.NewCliExecutor()
-	hermetoCli, err := cliwrappers.NewHermetoCli(executor)
+	hermetoCli, err := cliwrappers.NewHermetoCli(executor, hermetoEnv)
 	if err != nil {
 		return nil, err
 	}
 
-	prefetchDependencies := PrefetchDependencies{Config: &config, HermetoCli: hermetoCli}
+	prefetchDependencies := PrefetchDependencies{Config: &local_config, HermetoCli: hermetoCli}
 	return &prefetchDependencies, nil
 }
 

pkg/commands/prefetch_dependencies/main_test.go

@@ -0,0 +1,115 @@
+package prefetch_dependencies
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/konflux-ci/konflux-build-cli/pkg/config"
+	. "github.com/onsi/gomega"
+
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	fakeclient "k8s.io/client-go/kubernetes/fake"
+)
+
+func Test_getHermetoEnvFromConfigMap(t *testing.T) {
+	g := NewWithT(t)
+
+	testHttpProxy := "test.caching:3323"
+	testNamespace := "test_namespace"
+	testConfigMapName := "test_name"
+
+	t.Run("can successfully read a config map", func(t *testing.T) {
+		fakeClient := fakeclient.NewClientset()
+		fake_proxy_url := "https://www.example.com"
+		fakeK8sConfigMapReader := &config.K8sConfigMapReader{Name: testConfigMapName, Namespace: testNamespace, Clientset: fakeClient}
+		clusterConfigCMWithAllowCacheTrue := &v1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      testConfigMapName,
+				Namespace: testNamespace,
+			},
+			Data: map[string]string{
+				"allow-cache-proxy": "true",
+				"http-proxy":        testHttpProxy,
+				"no-proxy":          "",
+				"package-registry-proxy-npm-url": fake_proxy_url,
+				"allow-package-registry-proxy": "true",
+			},
+		}
+		ctx := context.Background()
+		fakeClient.CoreV1().ConfigMaps(testNamespace).Create(ctx, clusterConfigCMWithAllowCacheTrue, metav1.CreateOptions{})
+		fakeConfigReaderFactory := func() (config.ConfigReader, error) {
+			return fakeK8sConfigMapReader, nil
+		}
+		expectedEnv := fmt.Sprintf("HERMETO_NPM__PROXY_URL=%s", fake_proxy_url)
+
+		parsed_config_map, err := getPackageProxyConfiguration(fakeConfigReaderFactory)
+
+		g.Expect(err).ToNot(HaveOccurred())
+		g.Expect(parsed_config_map).ToNot(BeNil())
+		g.Expect(parsed_config_map[0]).To(Equal(expectedEnv))
+	})
+
+	t.Run("returns empty env when there is an error creating config map reader", func(t *testing.T) {
+		fakeConfigReaderFactory := func() (config.ConfigReader, error) {
+			return nil, fmt.Errorf("Fake error")
+		}
+
+		parsed_config_map, err := getPackageProxyConfiguration(fakeConfigReaderFactory)
+
+		g.Expect(err).To(HaveOccurred())
+		g.Expect(parsed_config_map).To(BeEmpty())
+	})
+
+	t.Run("returns empty env when config map is empty", func(t *testing.T) {
+		fakeClient := fakeclient.NewClientset()
+		fakeK8sConfigMapReader := &config.K8sConfigMapReader{Name: testConfigMapName, Namespace: testNamespace, Clientset: fakeClient}
+		clusterConfigCMWithAllowCacheTrue := &v1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      testConfigMapName,
+				Namespace: testNamespace,
+			},
+			Data: map[string]string{},
+		}
+		ctx := context.Background()
+		fakeClient.CoreV1().ConfigMaps(testNamespace).Create(ctx, clusterConfigCMWithAllowCacheTrue, metav1.CreateOptions{})
+		fakeConfigReaderFactory := func() (config.ConfigReader, error) {
+			return fakeK8sConfigMapReader, nil
+		}
+
+		parsed_config_map, err := getPackageProxyConfiguration(fakeConfigReaderFactory)
+
+		g.Expect(err).ToNot(HaveOccurred())
+		g.Expect(parsed_config_map).To(BeEmpty())
+	})
+
+	t.Run("returns empty env when no Hermeto fields are defined", func(t *testing.T) {
+		fakeClient := fakeclient.NewClientset()
+		fake_proxy_url := ""
+		fakeK8sConfigMapReader := &config.K8sConfigMapReader{Name: testConfigMapName, Namespace: testNamespace, Clientset: fakeClient}
+		clusterConfigCMWithAllowCacheTrue := &v1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      testConfigMapName,
+				Namespace: testNamespace,
+			},
+			Data: map[string]string{
+				"allow-cache-proxy": "true",
+				"http-proxy":        testHttpProxy,
+				"no-proxy":          "",
+				"hermeto-npm-proxy": fake_proxy_url,
+			},
+		}
+		ctx := context.Background()
+		fakeClient.CoreV1().ConfigMaps(testNamespace).Create(ctx, clusterConfigCMWithAllowCacheTrue, metav1.CreateOptions{})
+		fakeConfigReaderFactory := func() (config.ConfigReader, error) {
+			return fakeK8sConfigMapReader, nil
+		}
+
+		parsed_config_map, err := getPackageProxyConfiguration(fakeConfigReaderFactory)
+
+		g.Expect(err).ToNot(HaveOccurred())
+		g.Expect(parsed_config_map).ToNot(BeNil())
+		g.Expect(parsed_config_map).To(BeEmpty())
+	})
+}

pkg/commands/prefetch_dependencies/params.go

@@ -95,6 +95,14 @@ var ParamsConfig = map[string]common.Parameter{
 		Usage:        "directory with git auth credentials (.git-credentials, .gitconfig or username/password)",
 		Required:     false,
 	},
+	"enable-package-registry-proxy": {  // Pipeline-level registry proxy switch.
+		Name:       "enable-package-registry-proxy",
+		EnvVarName: "KBC_PD_ENABLE_PACKAGE_REGISTRY_PROXY",
+		TypeKind:   reflect.Bool,
+		Usage:      "Pipeline-level enable package registry proxy. Defaults to true.",
+		DefaultValue: "true",  // A pipline will use a proxy unless explicitly told otherwise.
+		Required:     false,
+	},
 }
 
 type Params struct {
@@ -109,4 +117,5 @@ type Params struct {
 	RHSMOrg             string   `paramName:"rhsm-org"`
 	RHSMActivationKey   string   `paramName:"rhsm-activation-key"`
 	GitAuthDirectory    string   `paramName:"git-auth-directory"`
+	EnablePackageRegistryProxy bool   `paramName:"enable-package-registry-proxy"`
 }

pkg/config/config_reader.go

@@ -12,9 +12,16 @@ import (
 )
 
 type KonfluxInfo struct {
-	AllowCacheProxy string
-	HttpProxy       string
-	NoProxy         string
+	AllowCacheProxy 			string
+	HttpProxy       			string
+	NoProxy         			string
+
+	// Address of a package registry proxy serving npm packages
+	HermetoNpmProxy 			string
+	HermetoYarnProxy 			string
+	// Global setting allowing of forbidding usage of package registry rpoxies
+	// on the cluster level.
+	HermetoPackageRegistryProxyAllowed	string
 }
 
 // ConfigReader defines the interface for reading config data.
@@ -58,6 +65,9 @@ func (y *IniFileReader) ReadConfigData() (*KonfluxInfo, error) {
 		AllowCacheProxy: cfg.Section("cache-proxy").Key("allow-cache-proxy").String(),
 		HttpProxy:       cfg.Section("cache-proxy").Key("http-proxy").String(),
 		NoProxy:         cfg.Section("cache-proxy").Key("no-proxy").String(),
+		HermetoNpmProxy: cfg.Section("artifact-registry").Key("package-registry-proxy-npm-url").String(),
+		HermetoYarnProxy: cfg.Section("artifact-registry").Key("package-registry-proxy-yarn-url").String(),
+		HermetoPackageRegistryProxyAllowed: cfg.Section("artifact-registry").Key("allow-package-registry-proxy").String(),
 	}
 
 	return newCacheProxy, nil
@@ -71,9 +81,12 @@ func (k *K8sConfigMapReader) ReadConfigData() (*KonfluxInfo, error) {
 		return nil, fmt.Errorf("failed to get configmap %s/%s: %w", k.Namespace, k.Name, err)
 	}
 	newCacheProxy := &KonfluxInfo{
-		AllowCacheProxy: configMap.Data["allow-cache-proxy"],
-		HttpProxy:       configMap.Data["http-proxy"],
-		NoProxy:         configMap.Data["no-proxy"],
+		AllowCacheProxy: 			configMap.Data["allow-cache-proxy"],
+		HttpProxy:       			configMap.Data["http-proxy"],
+		NoProxy:         			configMap.Data["no-proxy"],
+		HermetoNpmProxy: 			configMap.Data["package-registry-proxy-npm-url"],
+		HermetoYarnProxy: 			configMap.Data["package-registry-proxy-yarn-url"],
+		HermetoPackageRegistryProxyAllowed: 	configMap.Data["allow-package-registry-proxy"],
 	}
 	return newCacheProxy, nil
 }