main: Module package fetcher knows how to build OCI repo store

These completes the wiring of the OCI credentials policy into the "package fetcher" component of the module installer. The module installer does not yet make any use of this, but a future commit will introduce a new "oci" source address scheme that will make use of this. Signed-off-by: Martin Atkins <mart@degeneration.co.uk>
2025-12-19 17:59:05 -05:00 · 2025-04-14 14:41:37 -07:00
parent 0f0b928e98
commit ff172c9e5e
2 changed files with 27 additions and 3 deletions
--- a/cmd/tofu/main.go
+++ b/cmd/tofu/main.go
@@ -185,7 +185,7 @@ func realMain() int {
 	}
 	services.SetUserAgent(httpclient.OpenTofuUserAgent(version.String()))

-	modulePkgFetcher := remoteModulePackageFetcher()
+	modulePkgFetcher := remoteModulePackageFetcher(config.OCICredentialsPolicy)

 	providerSrc, diags := providerSource(config.ProviderInstallation, services, config.OCICredentialsPolicy)
 	if len(diags) > 0 {
--- a/cmd/tofu/module_source.go
+++ b/cmd/tofu/module_source.go
@@ -6,11 +6,35 @@
 package main

 import (
+	"context"
+	"fmt"
+
 	"github.com/opentofu/opentofu/internal/getmodules"
 )

-func remoteModulePackageFetcher() *getmodules.PackageFetcher {
+func remoteModulePackageFetcher(getOCICredsPolicy ociCredsPolicyBuilder) *getmodules.PackageFetcher {
 	// TODO: Pass in a real getmodules.PackageFetcherEnvironment here,
 	// which knows how to make use of the OCI authentication policy.
-	return getmodules.NewPackageFetcher(nil)
+	return getmodules.NewPackageFetcher(&modulePackageFetcherEnvironment{
+		getOCICredsPolicy: getOCICredsPolicy,
+	})
+}
+
+type modulePackageFetcherEnvironment struct {
+	getOCICredsPolicy ociCredsPolicyBuilder
+}
+
+// OCIRepositoryStore implements getmodules.PackageFetcherEnvironment.
+func (m *modulePackageFetcherEnvironment) OCIRepositoryStore(ctx context.Context, registryDomainName string, repositoryPath string) (getmodules.OCIRepositoryStore, error) {
+	// We intentionally delay the finalization of the credentials policy until
+	// just before we need it because most OpenTofu commands don't install
+	// module packages at all, and even those that do only need to do this if
+	// using the "oci" source type, so we can avoid doing this work at all
+	// most of the time.
+	credsPolicy, err := m.getOCICredsPolicy(ctx)
+	if err != nil {
+		// This deals with only a small number of errors that we can't catch during CLI config validation
+		return nil, fmt.Errorf("invalid credentials configuration for OCI registries: %w", err)
+	}
+	return getOCIRepositoryStore(ctx, registryDomainName, repositoryPath, credsPolicy)
 }