Configure elasticsearch username and password

Current state

When using elasticsearch for advanced search, one can only configure the elasticsearch_url according to the GET default variables.

The documentation for Advanced Search does not mention this at: https://gitlab.com/gitlab-org/gitlab-environment-toolkit/-/blob/main/docs/environment_advanced.md#advanced-search

As the documentation states, the process is designed to support OpenSearch the best way possible. This being said, the support for configuring elasticsearch is not very well represented in GET.

Note: we're using the Elastic Cloud offering as we're running on GCP and there is no OpenSearch. We also don't want to self-host any related or required service.

Looking at the default variables of GET led us to testing the following variables:

advanced_search_hosts: "https://<user>:<password>@xxxx.europe-west4.gcp.elastic-cloud.com"
advanced_search_external: true
advanced_search_enable: true

As there are no configuration options for username and password which we need to use, we're setting them as part of the URL.

Basically everything works as expected.

Issue

The issue is within setting username and password as part of the URL. The url ultimately gets set as ApplicationSetting#elasticsearch_url which in turn is visible from the GitLab Admin Area. To us this is a security issue as the credentials can be retrieved when having access to the GitLab Admin Area.

Possible solution

As GitLab does not extract the username and password to be stored in ApplicationSetting#elasticsearch_username and ApplicationSetting#elasticsearch_password it would be great to extend the post_configure tasks to set username and password if given.

As setting an empty username and password does not lead to an error (I guess they're internally blank-checked anyway), we could simply adjust the commands of Configure Advanced Search Indexing and URL setting to also set username and password:

gitlab-rails runner "
  ApplicationSetting.last.update(elasticsearch_url: \"{{ advanced_search_hosts | join(',') }}\")
  ApplicationSetting.last.update(elasticsearch_indexing: true)
  ApplicationSetting.last.update(elasticsearch_username: \"{{ advanced_search_username }}\")
  ApplicationSetting.last.update(elasticsearch_password: \"{{ advanced_search_password }}\")
"

For sure, the credentials have to be unset in Unconfigure Advanced Search settings

Next steps

If this is a reasonable adjustment, I am happy to contribute the required changes.

In case I missed how configuring username and password currently works, please point me to the right spot.

Thank you!
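
An added example, not part of the original issue and not GET or GitLab code: one way to split credentials out of the advanced_search_hosts entries so that only credential-free URLs would reach ApplicationSetting#elasticsearch_url, with the username and password returned separately for elasticsearch_username and elasticsearch_password. The helper names, hosts and credentials are hypothetical, and the sample input is constructed.

```ruby
require 'uri'

# Hypothetical helper: percent-decode one userinfo component (user or password).
def decode_userinfo(part)
  part.to_s.b.gsub(/%(\h\h)/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
end

# Hypothetical helper: take the advanced_search_hosts list and return the URLs
# without userinfo, plus the single username/password pair they carried.
def split_search_credentials(hosts)
  creds = nil
  urls = hosts.map do |raw|
    uri = begin
      URI.parse(raw)
    rescue URI::InvalidURIError
      nil
    end
    # Never echo the raw value in an error message: it may contain the password.
    raise ArgumentError, 'host is not an http(s) URL' unless uri.is_a?(URI::HTTP) && uri.host

    if uri.user
      found = [decode_userinfo(uri.user), decode_userinfo(uri.password)]
      # There is one username/password setting, so all hosts must agree.
      raise ArgumentError, 'hosts carry different credentials' if creds && creds != found
      creds = found
    end
    # Rebuild the URL from its non-secret components only.
    uri.class.build(host: uri.host, port: uri.port, path: uri.path, query: uri.query).to_s
  end
  { urls: urls, username: creds&.first, password: creds&.last }
end

# Constructed sample input: placeholder hosts and credentials.
SAMPLE_HOSTS = [
  'https://elastic:p%40ss%3Aw0rd@search-a.example.com:9243',
  'https://search-b.example.com:9243'
].freeze

if $PROGRAM_NAME == __FILE__
  result = split_search_credentials(SAMPLE_HOSTS)
  puts "elasticsearch_url:      #{result[:urls].join(',')}"
  puts "elasticsearch_username: #{result[:username]}"
  puts "elasticsearch_password: #{result[:password] ? '[set]' : '[unset]'}"
end
```
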