
Remove basic auth support

What does this MR do and why?

This MR removes all basic authentication support from the GitLab Zoekt Helm chart as we have fully switched to using JWT authentication via the Gitlab-Zoekt-Api-Request header.

Problem Solved:

Basic authentication was a legacy authentication method that is no longer needed since JWT authentication is now fully implemented and tested. Maintaining both authentication methods:

  • Increases configuration complexity
  • Creates potential security confusion
  • Adds unnecessary code maintenance burden
  • May cause conflicts between authentication methods

Changes Made:

  1. Removed Basic Auth Configuration:
    • Removed gateway.basicAuth section from values.yaml
    • Removed basic auth configuration from test fixtures
  2. Updated Nginx Configuration:
    • Removed basic auth directives from nginx.conf template
    • Removed auth_basic off; from health/metrics endpoints (no longer needed)
  3. Cleaned Up StatefulSet Template:
    • Removed initContainer for htpasswd file creation
    • Removed basic auth volume mounts and volumes
    • Removed basic auth secret volume configuration
  4. Removed Helper Templates:
    • Removed gitlab-zoekt.basicAuth.secretName helper template
  5. Updated Tests:
    • Removed basic auth tests from StatefulSet specs
    • Removed basic auth tests from nginx-configmap specs
    • Removed basic auth configuration tests
  6. Updated Integration Script:
    • Removed basic auth secret creation
    • Removed basic auth variables and curl parameters
    • Removed "Wrong Auth" test case
    • Updated all curl commands to use only JWT authentication

Motivation:

  • Security: JWT authentication provides better security with token expiry
  • Simplification: Reduces configuration complexity for end users
  • Maintainability: Less code to maintain and test
  • Consistency: Aligns with GitLab's overall authentication strategy

How to set up and validate locally

1. Run Test Suite

Verify all tests pass after basic auth removal:

bundle exec rspec

2. Validate Chart Linting

Ensure the chart is still valid:

helm lint
helm lint -f spec/fixtures/many-values.yaml

3. Integration Testing (Optional)

Run integration tests to verify JWT authentication works:

./spec/scripts/integration.sh

4. Verify No Basic Auth References

Confirm all basic auth code is removed:

grep -r "basicAuth" --exclude-dir=.git .
grep -r "auth_basic" --exclude-dir=.git .
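The two grep commands above only print matches; as an added example (not part of this MR or the chart's own scripts), the following POSIX shell function wraps the same scan into a guard that a pipeline or pre-merge hook can fail on, so a stray basicAuth value or auth_basic directive cannot be reintroduced silently. It assumes a chart checkout directory is passed as its first argument.

```shell
#!/bin/sh
# Added example, not from the MR: fail when any basic-auth reference
# survives in a chart checkout. Same patterns as the manual greps
# ("basicAuth" values key, "auth_basic" nginx directive), but with an
# exit code a CI job can act on and file:line context for each hit.
check_no_basic_auth() {
  dir="${1:-.}"
  # -r recurse, -n line numbers, -I skip binaries; .git is excluded so
  # old history containing the removed configuration does not count.
  hits=$(grep -rnI --exclude-dir=.git -e 'basicAuth' -e 'auth_basic' "$dir" 2>/dev/null)
  if [ -n "$hits" ]; then
    echo "basic auth references still present:" >&2
    echo "$hits" >&2
    return 1
  fi
  return 0
}
```

Run it from the chart root as `check_no_basic_auth .`; a non-zero exit means the removal is incomplete.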

Expected Results:

  • All RSpec tests pass (80 examples, 0 failures)
  • Helm chart lints successfully
  • No basic auth configuration references remain
  • JWT authentication continues to work in integration tests
  • Nginx configuration is simplified and cleaner
Edited by Dmitry Gruzd
