From ff172c9e5ee1eae849c20883c4220395fe6f8f39 Mon Sep 17 00:00:00 2001
From: Martin Atkins
Date: Mon, 14 Apr 2025 14:41:37 -0700
Subject: [PATCH] main: Module package fetcher knows how to build OCI repo store
These completes the wiring of the OCI credentials policy into the "package fetcher" component of the module installer. The module installer does not yet make any use of this, but a future commit will introduce a new "oci" source address scheme that will make use of this.
Signed-off-by: Martin Atkins
---
 cmd/tofu/main.go | 2 +-
 cmd/tofu/module_source.go | 28 ++++++++++++++++++++++++++--
 2 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/cmd/tofu/main.go b/cmd/tofu/main.go
index d593618088..a2449db07a 100644
--- a/cmd/tofu/main.go
+++ b/cmd/tofu/main.go
@@ -185,7 +185,7 @@ func realMain() int {
 }
 services.SetUserAgent(httpclient.OpenTofuUserAgent(version.String()))
- modulePkgFetcher := remoteModulePackageFetcher()
+ modulePkgFetcher := remoteModulePackageFetcher(config.OCICredentialsPolicy)
 providerSrc, diags := providerSource(config.ProviderInstallation, services, config.OCICredentialsPolicy)
 if len(diags) > 0 {
diff --git a/cmd/tofu/module_source.go b/cmd/tofu/module_source.go
index 31cdfff9d9..e967931c08 100644
--- a/cmd/tofu/module_source.go
+++ b/cmd/tofu/module_source.go
@@ -6,11 +6,35 @@
 package main
 import (
+ "context"
+ "fmt"
+
 "github.com/opentofu/opentofu/internal/getmodules"
 )
-func remoteModulePackageFetcher() *getmodules.PackageFetcher {
+func remoteModulePackageFetcher(getOCICredsPolicy ociCredsPolicyBuilder) *getmodules.PackageFetcher {
 // TODO: Pass in a real getmodules.PackageFetcherEnvironment here,
 // which knows how to make use of the OCI authentication policy.
- return getmodules.NewPackageFetcher(nil)
+ return getmodules.NewPackageFetcher(&modulePackageFetcherEnvironment{
+ getOCICredsPolicy: getOCICredsPolicy,
+ })
+}
+
+type modulePackageFetcherEnvironment struct {
+ getOCICredsPolicy ociCredsPolicyBuilder
+}
+
+// OCIRepositoryStore implements getmodules.PackageFetcherEnvironment.
+func (m *modulePackageFetcherEnvironment) OCIRepositoryStore(ctx context.Context, registryDomainName string, repositoryPath string) (getmodules.OCIRepositoryStore, error) {
+ // We intentionally delay the finalization of the credentials policy until
+ // just before we need it because most OpenTofu commands don't install
+ // module packages at all, and even those that do only need to do this if
+ // using the "oci" source type, so we can avoid doing this work at all
+ // most of the time.
+ credsPolicy, err := m.getOCICredsPolicy(ctx)
+ if err != nil {
+ // This deals with only a small number of errors that we can't catch during CLI config validation
+ return nil, fmt.Errorf("invalid credentials configuration for OCI registries: %w", err)
+ }
+ return getOCIRepositoryStore(ctx, registryDomainName, repositoryPath, credsPolicy)
 }
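Review bot: The `// TODO: Pass in a real getmodules.PackageFetcherEnvironment here` comment kept as context inside `remoteModulePackageFetcher` is stale on the new side, because the rewritten return statement now passes a real environment carrying the OCI credentials policy builder. It should be dropped or replaced with something like `// The environment finalizes the OCI credentials policy only when an OCI repository store is requested.` Separately, `OCIRepositoryStore` calls `m.getOCICredsPolicy(ctx)` unconditionally, so a nil builder handed to `remoteModulePackageFetcher` would surface as a panic at fetch time rather than at construction; if any caller can pass nil, a guard such as `if m.getOCICredsPolicy == nil { return nil, fmt.Errorf("OCI credentials policy is not available") }` turns that into an ordinary error. Whether the builder memoizes its result is not visible in this hunk; if it does not, every call re-reads the credentials configuration, which is worth confirming before the "oci" source type starts using this path.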