feat: add --remote-repo option to image build (#427)

Author: reubeno

internal/app/azldev/cmds/image/build.go

@@ -24,6 +24,13 @@ type ImageBuildOptions struct {
 
 	// Paths to local repositories to include during build.
 	LocalRepoPaths []string
+
+	// URIs to remote repositories (http:// or https://) to include during build.
+	RemoteRepoPaths []string
+
+	// NoRemoteRepoGpgCheck disables GPG checking for all remote repositories
+	// specified via RemoteRepoPaths.
+	NoRemoteRepoGpgCheck bool
 }
 
 // ImageBuildResult summarizes the results of building an image.
@@ -66,6 +73,10 @@ This command invokes kiwi-ng via sudo to build the image.`,
 
 	cmd.Flags().StringArrayVar(&options.LocalRepoPaths, "local-repo", []string{},
 		"Paths to local repositories to include during build (can be specified multiple times)")
+	cmd.Flags().StringArrayVar(&options.RemoteRepoPaths, "remote-repo", []string{},
+		"URIs to remote repositories (http:// or https://) to include during build (can be specified multiple times)")
+	cmd.Flags().BoolVar(&options.NoRemoteRepoGpgCheck, "remote-repo-no-gpgcheck", false,
+		"Disable GPG checking for all remote repositories specified via --remote-repo (not for production use)")
 
 	return cmd
 }
@@ -132,9 +143,9 @@ func BuildImage(env *azldev.Env, options *ImageBuildOptions) (*ImageBuildResult,
 	}
 
 	// Run kiwi to build the image into the work directory.
-	kiwiRunner := kiwi.NewRunner(env, filepath.Dir(kiwiDefPath)).WithTargetDir(kiwiWorkDir)
-	for _, repoPath := range options.LocalRepoPaths {
-		kiwiRunner.AddLocalRepo(repoPath)
+	kiwiRunner, err := createKiwiRunner(env, kiwiDefPath, kiwiWorkDir, options)
+	if err != nil {
+		return nil, err
 	}
 
 	err = kiwiRunner.Build(env)
@@ -167,6 +178,29 @@ func checkBuildPrerequisites(env *azldev.Env) error {
 	return nil
 }
 
+// createKiwiRunner sets up a kiwi runner with the configured repositories.
+func createKiwiRunner(
+	env *azldev.Env,
+	kiwiDefPath, targetDir string,
+	options *ImageBuildOptions,
+) (*kiwi.Runner, error) {
+	runner := kiwi.NewRunner(env, filepath.Dir(kiwiDefPath)).
+		WithTargetDir(targetDir).
+		WithRemoteRepoGPGCheck(!options.NoRemoteRepoGpgCheck)
+
+	for _, repoURI := range options.RemoteRepoPaths {
+		if err := runner.AddRemoteRepo(repoURI); err != nil {
+			return nil, fmt.Errorf("invalid remote repository:\n%w", err)
+		}
+	}
+
+	for _, repoPath := range options.LocalRepoPaths {
+		runner.AddLocalRepo(repoPath)
+	}
+
+	return runner, nil
+}
+
 // linkImageArtifacts hard-links the final image artifacts from the work directory to the
 // output directory. Uses symlinks to avoid duplicating large image files.
 // It parses kiwi's result JSON to determine which files are artifacts.

internal/utils/kiwi/kiwi.go

@@ -10,6 +10,7 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
+	"net/url"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -58,28 +59,38 @@ type Runner struct {
 
 	// localRepoPaths are paths to local RPM repositories to include during build.
 	localRepoPaths []string
+
+	// remoteRepoPaths are URIs to remote RPM repositories (http:// or https://) to include during build.
+	remoteRepoPaths []string
+
+	// remoteRepoGPGCheck controls whether GPG checking is enabled for remote repositories.
+	// Defaults to true.
+	remoteRepoGPGCheck bool
 }
 
 // NewRunner constructs a new [Runner] that can be used to invoke kiwi-ng.
 // The descriptionDir is the directory containing the kiwi description file (e.g., config.xml).
 func NewRunner(ctx opctx.Ctx, descriptionDir string) *Runner {
 	return &Runner{
-		fs:             ctx.FS(),
-		cmdFactory:     ctx,
-		verbose:        ctx.Verbose(),
-		descriptionDir: descriptionDir,
+		fs:                 ctx.FS(),
+		cmdFactory:         ctx,
+		verbose:            ctx.Verbose(),
+		descriptionDir:     descriptionDir,
+		remoteRepoGPGCheck: true, // GPG checking enabled by default
 	}
 }
 
 // Clone creates a deep copy of the provided [Runner] instance.
 func (r *Runner) Clone() *Runner {
 	return &Runner{
-		fs:             r.fs,
-		cmdFactory:     r.cmdFactory,
-		verbose:        r.verbose,
-		descriptionDir: r.descriptionDir,
-		targetDir:      r.targetDir,
-		localRepoPaths: deep.MustCopy(r.localRepoPaths),
+		fs:                 r.fs,
+		cmdFactory:         r.cmdFactory,
+		verbose:            r.verbose,
+		descriptionDir:     r.descriptionDir,
+		targetDir:          r.targetDir,
+		localRepoPaths:     deep.MustCopy(r.localRepoPaths),
+		remoteRepoPaths:    deep.MustCopy(r.remoteRepoPaths),
+		remoteRepoGPGCheck: r.remoteRepoGPGCheck,
 	}
 }
 
@@ -90,6 +101,19 @@ func (r *Runner) WithTargetDir(targetDir string) *Runner {
 	return r
 }
 
+// WithRemoteRepoGPGCheck sets whether GPG checking is enabled for remote repositories.
+// By default, GPG checking is enabled.
+func (r *Runner) WithRemoteRepoGPGCheck(enabled bool) *Runner {
+	r.remoteRepoGPGCheck = enabled
+
+	return r
+}
+
+// RemoteRepoGPGCheck returns whether GPG checking is enabled for remote repositories.
+func (r *Runner) RemoteRepoGPGCheck() bool {
+	return r.remoteRepoGPGCheck
+}
+
 // TargetDir retrieves the target directory configured for this [Runner].
 func (r *Runner) TargetDir() string {
 	return r.targetDir
@@ -108,6 +132,36 @@ func (r *Runner) LocalRepoPaths() []string {
 	return r.localRepoPaths
 }
 
+// AddRemoteRepo adds a URI to a remote RPM repository (http:// or https://) to include during build.
+// Remote repositories are added with lower priority than local repositories.
+// Returns an error if the URI is invalid or uses an unsupported scheme.
+func (r *Runner) AddRemoteRepo(repoURI string) error {
+	parsedURL, err := url.Parse(repoURI)
+	if err != nil {
+		return fmt.Errorf("invalid repository URI %#q:\n%w", repoURI, err)
+	}
+
+	switch parsedURL.Scheme {
+	case "http":
+		slog.Warn("Using insecure HTTP for remote repository; consider using HTTPS instead",
+			"uri", repoURI)
+	case "https":
+		// Valid, no warning needed
+	default:
+		return fmt.Errorf("unsupported scheme %#q for remote repository %#q: only http:// and https:// are supported",
+			parsedURL.Scheme, repoURI)
+	}
+
+	r.remoteRepoPaths = append(r.remoteRepoPaths, repoURI)
+
+	return nil
+}
+
+// RemoteRepoPaths retrieves the remote repository URIs configured for this [Runner].
+func (r *Runner) RemoteRepoPaths() []string {
+	return r.remoteRepoPaths
+}
+
 // DescriptionDir retrieves the description directory configured for this [Runner].
 func (r *Runner) DescriptionDir() string {
 	return r.descriptionDir
@@ -140,18 +194,42 @@ func (r *Runner) Build(ctx context.Context) error {
 		"--target-dir", r.targetDir,
 	}
 
+	// Add remote repositories using kiwi's --add-repo flag.
+	// These have lower priority (50) than local repos so local repos can override.
+	// Format: --add-repo=<uri>,rpm-md,<alias>,<priority>,,,,,,<repo_gpgcheck>
+	// Note: repo_gpgcheck is at position 10 (1-indexed: source,type,alias,priority,imageinclude,
+	//       package_gpgcheck,{signing_keys},components,distribution,repo_gpgcheck).
+	if len(r.remoteRepoPaths) > 0 && !r.remoteRepoGPGCheck {
+		slog.Warn("Remote repositories are configured with GPG checking disabled",
+			"count", len(r.remoteRepoPaths))
+	}
+
+	for repoIndex, repoURI := range r.remoteRepoPaths {
+		alias := fmt.Sprintf("remote-%d", repoIndex+1)
+		// Priority 50 for all remote repos (lower priority than local repos at priority 1).
+		// The trailing commas fill in: imageinclude, package_gpgcheck, signing_keys,
+		// components, distribution, then repo_gpgcheck.
+		gpgCheck := "true"
+		if !r.remoteRepoGPGCheck {
+			gpgCheck = "false"
+		}
+
+		repoArg := fmt.Sprintf("%s,rpm-md,%s,50,,,,,,%s", repoURI, alias, gpgCheck)
+		kiwiArgs = append(kiwiArgs, "--add-repo", repoArg)
+	}
+
 	// Add local repositories using kiwi's --add-repo flag.
+	// These have highest priority (1) to override both remote repos and kiwi defaults.
 	// Format: --add-repo=dir://<abs-path>,rpm-md,<alias>,<priority>
 	for repoIndex, repoPath := range r.localRepoPaths {
 		absRepoPath, err := filepath.Abs(repoPath)
 		if err != nil {
 			return fmt.Errorf("failed to get absolute path for local repo %#q:\n%w", repoPath, err)
 		}
 
-		// Use priority starting at 1 (highest priority) for local repos.
-		priority := repoIndex + 1
-		alias := fmt.Sprintf("local-%d", priority)
-		repoArg := fmt.Sprintf("dir://%s,rpm-md,%s,%d", absRepoPath, alias, priority)
+		// Priority 1 for all local repos (highest priority).
+		alias := fmt.Sprintf("local-%d", repoIndex+1)
+		repoArg := fmt.Sprintf("dir://%s,rpm-md,%s,1", absRepoPath, alias)
 		kiwiArgs = append(kiwiArgs, "--add-repo", repoArg)
 	}