tasks: Move npm configuration to static file

Create a static /etc/npmrc on our tasks bot hosts which is suitable for
machines in the internal Red Hat network. (The role already assumed that
before, so that's not a regression - and easy enough to conditionalize
if we need to in the future).

This gets rid of the `npm config` calls in `setup-tasks`.

ansible/roles/tasks-systemd/tasks/main.yml

@@ -27,10 +27,22 @@
     semodule -i /tmp/cockpituous.pp
   when: selinux_policy.changed
 
+# This only applies to RH VPN; make that optional if we ever deploy to public infrastructure
+- name: Create npm configuration
+  copy:
+    dest: /etc/npmrc
+    mode: 0644
+    content: |
+      registry=https://repository.engineering.redhat.com/nexus/repository/registry.npmjs.org/
+      fetch-retries=6
+      fetch-timeout=600000
+      fetch-retry-mintimeout=60000
+      maxsockets=3
+      cafile=/run/secrets/tasks/npm-registry.crt
+
 - name: Set up systemd service for cockpit/tasks
   shell: |
     export INSTANCES={{ instances | default(4) }}
-    export NPM_REGISTRY=https://repository.engineering.redhat.com/nexus/repository/registry.npmjs.org/
     export TEST_NOTIFICATION_MX={{ notification_mx | default('') }}
     export TEST_NOTIFICATION_TO={{ notification_to | default('') }}
     /run/install-service

tasks/install-service

@@ -22,10 +22,6 @@ mkdir -p $SECRETS/tasks $SECRETS/webhook $CACHE
 chown -R 1111:1111 $SECRETS $CACHE
 chcon -R -t container_file_t $SECRETS $CACHE
 
-if [ -e "${SECRETS}/tasks/npm-registry.crt" ]; then
-    NODE_EXTRA_CA_CERTS=/run/secrets/tasks/npm-registry.crt
-fi
-
 if [ $INSTANCES -eq 1 ]; then
     # just use the hostname without prefix
     CONTAINER_HOSTNAME="%l"
@@ -47,7 +43,6 @@ Environment="TEST_CACHE=$CACHE"
 Environment="TEST_SECRETS=$SECRETS"
 Environment="TEST_NOTIFICATION_MX=${TEST_NOTIFICATION_MX:-}"
 Environment="TEST_NOTIFICATION_TO=${TEST_NOTIFICATION_TO:-}"
-Environment="NPM_REGISTRY=${NPM_REGISTRY:-}"
 Restart=always
 RestartSec=60
 # give image pull enough time
@@ -65,8 +60,7 @@ ExecStart=/usr/bin/podman run --name=cockpit-tasks-%i --hostname=${CONTAINER_HOS
     --volume=\${TEST_SECRETS}/tasks:/run/secrets/tasks:ro \
     --volume=\${TEST_SECRETS}/webhook:/run/secrets/webhook:ro \
     --volume=${IMAGE_STORES}:/work/.config/cockpit-dev/image-stores:ro \
-    --env=NPM_REGISTRY=\${NPM_REGISTRY} \
-    --env=NODE_EXTRA_CA_CERTS=${NODE_EXTRA_CA_CERTS:-} \
+    --volume=/etc/npmrc:/etc/npmrc:ro \
     --env=TEST_JOBS=\${TEST_JOBS} \
     --env=TEST_NOTIFICATION_MX=\${TEST_NOTIFICATION_MX} \
     --env=TEST_NOTIFICATION_TO=\${TEST_NOTIFICATION_TO} \

tasks/setup-tasks

@@ -9,18 +9,6 @@ if ! whoami && [ -w /etc/passwd ]; then
     export HOME=/work
 fi
 
-# set up custom NPM registry
-if [ -n "${NPM_REGISTRY:-}" ]; then
-    npm config set registry "$NPM_REGISTRY"
-    echo "Set NPM registry to $NPM_REGISTRY"
-fi
-
-# prone to timeouts and errors with lots of parallel containers
-npm config set fetch-retries 6
-npm config set fetch-timeout 600000
-npm config set fetch-retry-mintimeout 60000
-npm config set maxsockets 3
-
 # Set up secrets
 if [ -d /run/secrets/tasks ]; then
     ln -snf /run/secrets/tasks/s3-keys ~/.config/cockpit-dev/s3-keys