
Add basic auth to Zoekt client

Dylan Griffith requested to merge 389749-zoekt-basic-auth into master

What does this MR do and why?

Add basic auth to Zoekt client

As part of #389749 (closed) we want HTTP requests from Zoekt -> GitLab to be authenticated. This MR adds the ability to configure a zoekt.username_file and zoekt.password_file (that default to .gitlab_zoekt_username and .gitlab_zoekt_password respectively) in your config/gitlab.yml. If present, these files will be used to populate basic auth credentials in the HTTP requests to Zoekt. We likely won't use this in GDK because basic authentication relies on an nginx proxy in front of Zoekt (this is configured in the Helm chart in gitlab-org/cloud-native/charts/gitlab-zoekt!14 (merged)). The indexer and webserver we run in GDK don't actually support basic auth, but I've verified locally that these changes do indeed send the credentials.


How to set up and validate locally

How to test
  1. Set up Zoekt: https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/zoekt.md
  2. Run a transparent proxy in front of ports 6080 and 6090 that validates basic auth using nginx.
    1. Create .htpasswd file:
      htpasswd -c /tmp/.htpasswd user1 # set password to password1
    2. Create /tmp/nginx.conf with:
      worker_processes 1;
      daemon off;

      events {
        worker_connections  4096;
      }

      http {
        server {
          listen 6081;
          auth_basic           "Authentication required";
          auth_basic_user_file /tmp/.htpasswd;

          location / {
            proxy_pass      http://localhost:6080;
          }
        }

        server {
          listen 6091;
          auth_basic           "Authentication required";
          auth_basic_user_file /tmp/.htpasswd;

          location / {
            proxy_pass      http://localhost:6090;
          }
        }
      }
    3. Run nginx with nginx -c /tmp/nginx.conf
  3. Reconfigure from rails console to use this proxy
    ::Zoekt::Shard.first.update!(index_base_url: 'http://127.0.0.1:6081', search_base_url: 'http://127.0.0.1:6091')
  4. Create the files for username and password:
    echo 'user1' > .gitlab_zoekt_username
    echo 'password1' > .gitlab_zoekt_password
  5. gdk restart
  6. Do a search from the GitLab UI and confirm searches still work. Update the code and confirm indexing still works.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #389749 (closed)

Edited by Dylan Griffith
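
The credential loading described in this merge request, sketched as an added example; it is not code from the merge request or from GitLab. The helper names, the permission check and the loopback check are assumptions added for illustration; files created by the `echo` steps above under a typical umask would need `chmod 600` to pass the permission check.

```ruby
require 'tmpdir'
require 'uri'

# Hypothetical helper (not GitLab's code): read one credential file.
# Returns nil when the file is absent so callers can skip authentication.
def read_credential(path)
  return nil unless File.file?(path)

  mode = File.stat(path).mode & 0o777
  # Added hardening assumption: refuse files accessible to group or others.
  raise SecurityError, format('%s has mode %o, expected 600', path, mode) if (mode & 0o077) != 0

  value = File.read(path).chomp # `echo 'user1' > file` leaves a trailing "\n"
  value.empty? ? nil : value
end

# Builds the Authorization header value, or nil if either file is missing.
def basic_auth_header(username_file, password_file)
  user = read_credential(username_file)
  pass = read_credential(password_file)
  return nil unless user && pass
  raise ArgumentError, 'username must not contain ":"' if user.include?(':')

  'Basic ' + ["#{user}:#{pass}"].pack('m0') # m0 = base64 without line breaks
end

# Basic auth is only base64-encoded, so plain HTTP is acceptable on loopback only.
def cleartext_credentials?(base_url)
  uri = URI.parse(base_url)
  uri.scheme == 'http' && !%w[127.0.0.1 ::1 localhost].include?(uri.hostname)
end

# Constructed sample files, using the values from the test steps above.
def demo_header
  Dir.mktmpdir do |dir|
    files = { '.gitlab_zoekt_username' => "user1\n", '.gitlab_zoekt_password' => "password1\n" }
    paths = files.map do |name, content|
      File.join(dir, name).tap { |p| File.write(p, content); File.chmod(0o600, p) }
    end
    basic_auth_header(*paths)
  end
end

puts demo_header
puts cleartext_credentials?('http://127.0.0.1:6081')
```

Without the `chomp`, the newline written by `echo` would be encoded into the header and nginx would reject the credentials.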
