Add GCP IAM OIDC auth for Ruby billing SDK
What does this MR do and why?
The Data Insights Platform (DIP) billing collector protects the /com.snowplowanalytics.snowplow.auth/tp2 path and rejects unauthenticated requests. This MR lets the monolith's billing tracker authenticate to that path with a GCP IAM OIDC Bearer token, mirroring the GKG (labkit-rs) implementation.
This is the auth layer only; the base billing SDK was merged in !240688 (merged).
Feature flag
Gated behind billing_events_oidc_auth (default off). When disabled, billing events use the existing unauthenticated path. Rollout plan: enable on staging (billing.stgsub.gitlab.net), validate a 200 (no 403, org-number claim present) via the added logs, then production.
Testing
- Not verifiable locally (needs the GCE metadata server + protected collector). Validation happens on staging behind the flag.
- New/updated specs pass:
bundle exec rspec spec/lib/gitlab/tracking/destinations/billing_oidc_token_source_spec.rb spec/lib/gitlab/tracking/billing_auth_emitter_spec.rb spec/lib/gitlab/tracking/destinations/destination_configuration_spec.rb spec/lib/gitlab/tracking/destinations/snowplow_spec.rb→ 81 examples, 0 failures.
References
Edited by Ankit Panchal