Skip npm install if duo-cli is already present in custom image

Falko Sieverdingrequested to merge
fsieverding/skip-npm-install-if-duo-cli-present into master

What does this MR do and why?

This MR makes the npm install -g @gitlab/duo-cli command conditional in Flow executor setup. It only runs if duo is not already available in PATH.

Problem

When using custom Docker images with duo-cli pre-installed (as documented in https://docs.gitlab.com/user/duo_agent_platform/flows/execution/#change-the-default-docker-image), Flow jobs still fail in network-restricted environments because:

  1. The current code unconditionally runs npm install -g @gitlab/duo-cli@VERSION
  2. Enterprises that block registry.gitlab.com typically also block npmjs.org
  3. Even though duo-cli is pre-installed in the custom image, the npm install times out

Evidence

Tested on a GitLab Dedicated test instance with AWS NACL rules blocking:

  • registry.gitlab.com
  • npmjs.org

Job log showing the problem:

$ which duo && duo --version
/usr/local/bin/duo
8.58.0

$ npm install -g @gitlab/duo-cli@8.48.0
npm error code ETIMEDOUT
npm error network request to https://registry.npmjs.org/@gitlab%2fduo-cli failed

The custom image had duo-cli v8.58.0 pre-installed and verified, but GitLab still tried to install v8.48.0 from npmjs.org.

Solution

Change from:

%(npm install -g @gitlab/duo-cli@#{DUO_CLI_VERSION})

To:

%(command -v duo > /dev/null 2>&1 || npm install -g @gitlab/duo-cli@#{DUO_CLI_VERSION})

This skips the npm install if duo is already available in PATH.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist.

Related issues

  • Closes #582126 (partial - enables custom image workaround)
  • Related #584689 (closed) (custom registry for Foundation Flows)
Edited by Falko Sieverding

Merge request reports