Add basic auth to Zoekt client
What does this MR do and why?
Add basic auth to Zoekt client
As part of #389749 (closed) we want
HTTP requests from Zoekt -> GitLab
to be authenticated. This MR adds
the ability to configure a zoekt.username_file
and
zoekt.password_file
(that default to .gitlab_zoekt_username
and
.gitlab_zoekt_password
respectively) in your config/gitlab.yml
.
If present these files will be used to populate basic auth credentials
in the HTTP requests to Zoekt. We likely won't use this in GDK because
basic authentication relies on an nginx proxy in front of Zoekt (this is
configured in the helm chart in
gitlab-org/cloud-native/charts/gitlab-zoekt!14 (merged)).
The indexer and webserver we run in GDK don't actually support basic
auth but I've verified locally that these changes do indeed send the
credentials.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Before | After |
---|---|
How to set up and validate locally
How to test
- Setup zoekt https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/zoekt.md
- Run a transparent proxy in front of port
6080
and6090
that validates basic auth using nginx.- Create
.htpasswd
file:htpasswd -c /tmp/.htpasswd user1 # set password to password1
- Create
/tmp/nginx.conf
with:
worker_processes 1; daemon off; events { worker_connections 4096; } http { server { listen 6081; auth_basic "Authentication required"; auth_basic_user_file /tmp/.htpasswd; location / { proxy_pass http://localhost:6080; } } server { listen 6091; auth_basic "Authentication required"; auth_basic_user_file /tmp/.htpasswd; location / { proxy_pass http://localhost:6090; } } }
- Run nginx with
nginx -c /tmp/nginx.conf
- Create
- Reconfigure from rails console to use this proxy
::Zoekt::Shard.first.update!(index_base_url: 'http://127.0.0.1:6081', search_base_url: 'http://127.0.0.1:6091')
- Create the files for username and password:
echo 'user1' > .gitlab_zoekt_username echo 'password1' > .gitlab_zoekt_password
gdk restart
- Do a search from GitLab UI and confirm they still work. Update the code and confirm indexing still works.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #389749 (closed)