Add basic auth to zoekt gateway

Dylan Griffith requested to merge 389749-proxy-with-tls-and-auth into main

Related to gitlab-org/gitlab#389749 (closed). We need to add encryption and authentication to Zoekt. Zoekt is an HTTP server called from gitlab-rails. The encryption was already added in !15 (merged). This MR adds the authentication using basic auth.

This is implemented as an optional configuration gateway.basicAuth.enabled which will mount a named secret that contains 2 files, gitlab_username and gitlab_password. Then an init container converts these to the htpasswd format that Nginx expects and mounts that in another emptyDir volume.

I did not provide an optional setting to create the secret automatically as we plan on creating the secret in the GitLab parent chart in gitlab-org/charts/gitlab!3184 (merged). This is because that project is already responsible for creating other secrets outside of Helm.

How to test
  1. Create a secret with the username and password
    kubectl create secret generic gitlab-zoekt-basicauth --from-literal=gitlab_username=gitlab --from-literal=gitlab_password=password123
  2. Install the chart
    helm install --set gateway.basicAuth.enabled=true --set gateway.basicAuth.secretName=gitlab-zoekt-basicauth gitlab-zoekt .
  3. Curl the API and confirm it fails with bad password
    kubectl exec gitlab-zoekt-0 -- curl -XPOST -d '{"Q":"gitaly"}' 'http://gitlab:badpassword@127.0.0.1:8080/api/search' -i
  4. Curl the API and confirm it succeeds with good password
    kubectl exec gitlab-zoekt-0 -- curl -XPOST -d '{"Q":"gitaly"}' 'http://gitlab:password123@127.0.0.1:8080/api/search' -i
  5. Confirm that / does not need a password
    kubectl exec gitlab-zoekt-0 -- curl 'http://127.0.0.1:8080/' -i
  6. Confirm that /metrics does not need a password
    kubectl exec gitlab-zoekt-0 -- curl 'http://127.0.0.1:8080/metrics' -i
  7. View nginx logs
    kubectl logs gitlab-zoekt-0 zoekt-gateway

How to test integration with parent GitLab chart

There are instructions in the draft MR for the GitLab chart gitlab-org/charts/gitlab!3184 (merged) to confirm the integration is working as expected. The parent GitLab chart creates the secret for you automatically.

Edited by Dylan Griffith
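
The conversion step that the description assigns to the init container, sketched here as an added example (it is not the chart's own code). It assumes `openssl` is available in the init image, uses the `apr1` scheme that Nginx accepts for basic auth, and takes hypothetical secret-directory and output-file paths as arguments.

```shell
#!/bin/sh
# Added example: render an Nginx htpasswd file from a mounted secret.
# Assumed arguments (hypothetical paths): $1 = directory holding the files
# gitlab_username and gitlab_password, $2 = htpasswd file to write.
render_htpasswd() {
    secret_dir=$1
    out_file=$2

    # $(...) strips the trailing newline that editors or echo leave in secret files.
    user=$(cat "$secret_dir/gitlab_username") || return 1
    pass=$(cat "$secret_dir/gitlab_password") || return 1

    # Refuse empty fields instead of writing an entry with no name or no password.
    [ -n "$user" ] && [ -n "$pass" ] || { echo "empty username or password" >&2; return 1; }

    # ':' separates the fields of an htpasswd line, so it cannot appear in the name.
    case $user in
        *:*) echo "username must not contain ':'" >&2; return 1 ;;
    esac

    # Pass the password on stdin so it never appears in the process list.
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin) || return 1

    # Owner-only permissions (assumes the gateway reads the file as the same UID),
    # then rename into place so a partial file is never visible.
    ( umask 077 && printf '%s:%s\n' "$user" "$hash" > "$out_file.tmp" ) || return 1
    mv "$out_file.tmp" "$out_file"
}

# Check a candidate password against the rendered file by re-hashing it
# with the salt stored in the entry. Returns 0 on match, non-zero otherwise.
check_htpasswd() {
    stored=$(awk -F: -v u="$2" '$1 == u { print $2 }' "$1")
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    expect=$(printf '%s\n' "$3" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ -n "$stored" ] && [ "$stored" = "$expect" ]
}

# Run as a script: render_htpasswd.sh <secret-dir> <output-file>
if [ "$#" -eq 2 ]; then
    render_htpasswd "$1" "$2"
fi
```
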