[ABLD-340] Datadog Internal Artifact Registry Setup (#42969)

### What does this PR do?
Adds Datadog Internal Artifact Registry config setup to have CI (which runs internally within Datadog Datacenter) pull from internal mirrors rather than going upstream (where possible, for python, go, java, npm)

### Motivation
Remove reliance on upstream during dependency resolution where possible

### Describe how you validated your changes
- [ ] CI Jobs pass
- [ ] Test that this setup won't impact external contributors with no access to the Datadog internal artifact registries

### Additional Notes

- The `.adms/bazel/adms.mirror.cfg` file blocks all URLs (except the whitelisted ones) in CI during `bazel build` commands, if these prove to be too blocking we will need to add more exceptions to the whitelist or remove these blocks and just leave the rewrites (to use the internal registries when pulling bazel dependencies)

- The env vars set in the different `.adms/<ecosystem>/gitlab.yaml` files will make CI jobs use the internal artifact registries as well as set the same env vars in the `.adms/<ecosystem>/<ecosystem>.bazelrc` files when running in CI, but will leave these blank when running locally 

- External contributors should not be affected by this configuration and only Datadog CI builds should be affected

- Internal Datadog employees can choose to set the same environment variables within an `.envrc` file if desired so their local package manager pulls and bazel commands also use the internal artifact registries


Co-authored-by: aiuto <[email protected]>

Author: robayu

.adms/adms.bazelrc

@@ -0,0 +1,10 @@
+# DO NOT EDIT
+
+# Pull in general ADMS-related configuration
+import %workspace%/.adms/bazel/bazel.bazelrc
+# Configure Python-related Bazel settings
+import %workspace%/.adms/python/python.bazelrc
+# Configure Go-related Bazel settings
+import %workspace%/.adms/go/go.bazelrc
+# Configure Npm-related Bazel settings
+import %workspace%/.adms/npm/npm.bazelrc

.adms/bazel/adms.mirror.cfg

@@ -0,0 +1,132 @@
+# DO NOT EDIT
+
+# Datadog Internal Hosts
+#######################################################################
+# (Allow more such hosts as needed.)
+# Note that anything else we rewrite to must also be allowed here.
+allow binaries.ddbuild.io
+allow depot-read-api-bzl.us1.ddbuild.io
+allow depot-read-api-cli.us1.ddbuild.io
+allow depot-read-api-generic.us1.ddbuild.io
+allow depot-read-api-go.us1.ddbuild.io
+allow depot-read-api-java.us1.ddbuild.io
+allow depot-read-api-python.us1.ddbuild.io
+allow registry.ddbuild.io
+allow vault.us1.ddbuild.io
+allow nodejs.org
+allow go.dev
+allow go.dev/dl
+allow golang.google.cn
+allow tukaani.org
+allow bcr.bazel.build
+allow dd-agent-omnibus.s3.amazonaws.com
+allow lua.org
+allow sqlite.org
+allow download.savannah.nongnu.org
+allow ftp.rpm.org
+allow gnupg.org
+allow sourceware.org
+allow mirrors.kernel.org
+allow mirrors.edge.kernel.org
+
+# DEBUGGING 
+######################################################################
+# These hosts have been used for downloading Java artifacts. We'll allow them
+# for the time being, but we should dig into how they are being specified in
+# broader Bazel configuration, and work get these artifacts into ADMS more
+# formally, so we can begin to lock down this configuration more.
+
+# Sqreen sources
+# (https://github.com/DataDog/logs-backend/blob/93eccaef54c4d0f99151c2bf49ff2bcb028c0bd7/rules/jvm/setup.bzl#L64-L73)
+allow sqreen-ci-java.s3.amazonaws.com
+
+# dd-agent and dd-trace jars
+# (https://github.com/DataDog/logs-backend/blob/8ea7c29de6185481f61ba0b3affa97acad69d18b/rules/jvm/setup.bzl#L84-L98)
+allow s3.us-east-1.amazonaws.com
+######################################################################
+
+# Rewrite Rules for External Hosts
+#######################################################################
+# The list of hosts below is based on what has already been observed in the wild,
+# and pulled in by Depot's Bazel support:
+#
+#     aws-vault exec sso-build-stable-dependency-mgmt-s3-admin -- \
+#         aws s3 ls s3://dd-depot-us1-ddbuild-io/bzl/
+#
+# We will explicitly enable downloading via Depot for these hosts, to preserve what
+# functionality we currently provide. This also gives us more control and visibility
+# into what we're actually downloading, and allows us to track down misconfigurations
+# more easily.
+rewrite (bcr.bazel.build)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (tukaani.org)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+# rewrite (go.dev)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+# rewrite (golang.google.cn)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (nodejs.org)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (aka.ms)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (apache.jfrog.io)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (archive.apache.org)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (boostorg.jfrog.io)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (cache.agilebits.com)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (cdn.azul.com)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (fastdl.mongodb.org)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (get.helm.sh)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (git.kernel.org)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (github.com)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+
+# Taken from https://blog.aspect.build/configuring-bazels-downloader
+# > For some reason the bazel team decided that mirror.bazel.build should be the source of truth for these 3 files, let
+# > those through
+rewrite (mirror.bazel.build/bazel_coverage_output_generator/.*) depot-read-api-bzl.us1.ddbuild.io/$1
+rewrite (mirror.bazel.build/bazel_java_tools/.*) depot-read-api-bzl.us1.ddbuild.io/$1
+rewrite (mirror.bazel.build/openjdk/.*) depot-read-api-bzl.us1.ddbuild.io/$1
+# > For everything else, our urls exactly match what mirror.bazel.build gives so skip the indirection
+rewrite mirror.bazel.build/(.*) depot-read-api-bzl.us1.ddbuild.io/$1
+
+rewrite (releases.hashicorp.com)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (snapshot.ubuntu.com)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (sourceware.org)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (storage.googleapis.com)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (www.colm.net)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (www.openssl.org)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (www.gnupg.org)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (www.unixodbc.org)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (mirrors.edge.kernel.org)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (pyyaml.org)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+rewrite (mirrors.kernel.org)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+
+# Rewrite Rules for External Hosts - Specific Language Ecosystems
+#######################################################################
+# In some cases, we are accessing upstream repositories for various language ecosystems
+# that we otherwise support internally, despite Bazel being ostensibly configured to use
+# our internal repositories. This potentially suggests "holes" in our configuration, or
+# artifacts being pulled in via harder-to-detect means.
+#
+# These situations are highlighted here for visibility; eventually, we should sort out
+# these situations and entirely block the relevant upstream hosts entirely.
+
+# TODO: Investigate why these aren't using our internal repository already.
+rewrite (pypi.org)/(.*) depot-read-api-python.us1.ddbuild.io/magicmirror/magicmirror/@current/$2
+rewrite (pypi.python.org)/(.*) depot-read-api-python.us1.ddbuild.io/magicmirror/magicmirror/@current/$2
+rewrite (files.pythonhosted.org)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+
+# TODO: Move to Depot NPM when available
+rewrite (registry.npmjs.org)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+
+# TODO: Move to Depot Java when we can determine why requests to repo1.maven.org
+# are still being made.
+rewrite (repo1.maven.org)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+
+# TODO: We don't support Rust in ADMS yet, but once we do, this can go away. In
+# the meantime, it's a kind of "back door" to mirroring Rust artifacts internally.
+rewrite (static.crates.io)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+# This is for Rust runtimes
+rewrite (static.rust-lang.org)/(.*) depot-read-api-bzl.us1.ddbuild.io/$1/$2
+
+# Block everything else
+#######################################################################
+# If something is not explicitly allowed above, it will be blocked. If users
+# need to download something that is blocked, they can speak with #dependency-management
+# in Slack to get it unblocked.
+block *
+all_blocked_message This blocking should only be happening in CI - reach out to Datadog#dependency-management

.adms/bazel/bazel.bazelrc

@@ -0,0 +1,5 @@
+# DO NOT EDIT
+
+# Ensure that Bazel uses the ADMS Bazel mirror for downloading dependencies.
+build:dd-internal --downloader_config=.adms/bazel/adms.mirror.cfg
+build:dd-internal --experimental_repository_downloader_retries=5

.adms/go/gitlab.yaml

@@ -0,0 +1,6 @@
+# DO NOT EDIT
+
+variables:
+    GOPROXY: "https://depot-read-api-go.us1.ddbuild.io/magicmirror/magicmirror/@current/|https://depot-read-api-go.us1.ddbuild.io/magicmirror/testing/@current/|https://depot-read-api-go.us1.ddbuild.io/magicmirror/magicmirror/@current/|https://depot-read-api-go.us1.ddbuild.io/magicmirror/testing/@current/|https://depot-read-api-go.us1.ddbuild.io/magicmirror/magicmirror/@current/|https://depot-read-api-go.us1.ddbuild.io/magicmirror/testing/@current/"
+    GONOSUMDB: "github.com/DataDog,go.ddbuild.io"
+    GOPRIVATE: ""

.adms/go/go.bazelrc

@@ -0,0 +1,5 @@
+# DO NOT EDIT
+
+common --repo_env=GOPROXY
+common --repo_env=GONOSUMDB
+common --repo_env=GOPRIVATE

.adms/npm/gitlab.yaml

@@ -0,0 +1,9 @@
+# DO NOT EDIT
+
+variables:
+    YARN_NPM_REGISTRY_SERVER: "https://depot-read-api-npm.us1.ddbuild.io/internal/magicmirror/magicmirror"
+    YARN_NPM_ALWAYS_AUTH: "false"
+    NPM_CONFIG_REGISTRY: "https://depot-read-api-npm.us1.ddbuild.io/internal/magicmirror/magicmirror"
+    npm_config_registry: "https://depot-read-api-npm.us1.ddbuild.io/internal/magicmirror/magicmirror"
+    NPM_CONFIG_ALWAYS_AUTH: "false"
+    npm_config_always_auth: "false"

.adms/npm/npm.bazelrc

@@ -0,0 +1,11 @@
+# DO NOT EDIT
+
+# yarn Configuration
+common --repo_env=YARN_NPM_REGISTRY_SERVER
+common --repo_env=YARN_NPM_ALWAYS_AUTH
+
+# npm Configuration
+common --repo_env=NPM_CONFIG_REGISTRY
+common --repo_env=npm_config_registry
+common --repo_env=NPM_CONFIG_ALWAYS_AUTH
+common --repo_env=npm_config_always_auth

.adms/python/gitlab.yaml

@@ -0,0 +1,7 @@
+# DO NOT EDIT
+
+variables:
+    PIP_INDEX_URL: "https://depot-read-api-python.us1.ddbuild.io/magicmirror/magicmirror/@current/simple"
+    PIP_EXTRA_INDEX_URL: "https://depot-read-api-python.us1.ddbuild.io/magicmirror/testing/@current/simple"
+    UV_INDEX: "https://depot-read-api-python.us1.ddbuild.io/magicmirror/magicmirror/@current/simple https://depot-read-api-python.us1.ddbuild.io/magicmirror/testing/@current/simple"
+    UV_DEFAULT_INDEX: "https://depot-read-api-python.us1.ddbuild.io/magicmirror/magicmirror/@current/simple"

.adms/python/python.bazelrc

@@ -0,0 +1,6 @@
+# DO NOT EDIT
+
+common --repo_env=PIP_INDEX_URL
+common --repo_env=PIP_EXTRA_INDEX_URL
+common --repo_env=UV_INDEX
+common --repo_env=UV_DEFAULT_INDEX

.bazelrc

@@ -1,5 +1,8 @@
 # Do not edit this file without a review from @DataDog/agent-build
 
+# Ensure access to DataDog internal artifact repositories in CI
+import %workspace%/.adms/adms.bazelrc
+
 # Startup options ------------------------------------------------------------------------------------------------------
 startup --max_idle_secs=28800 # Keep the server alive for at most 8 hours of inactivity
 
@@ -53,5 +56,6 @@ build:ci --output_groups=+clippy_checks
 build:ci --aspects=@rules_rust//rust:defs.bzl%rustfmt_aspect
 build:ci --output_groups=+rustfmt_checks
 
+#common:ci --config=dd-internal
 # Local development options --------------------------------------------------------------------------------------------
 try-import %workspace%/user.bazelrc