Add GCP IAM OIDC auth for Ruby billing SDK

What does this MR do and why?

The Data Insights Platform (DIP) billing collector protects the /com.snowplowanalytics.snowplow.auth/tp2 path and rejects unauthenticated requests. This MR lets the monolith's billing tracker authenticate to that path with a GCP IAM OIDC Bearer token, mirroring the GKG (labkit-rs) implementation.

This is the auth layer only; the base billing SDK was merged in !240688 (merged).

Feature flag

Gated behind billing_events_oidc_auth (default off). When disabled, billing events use the existing unauthenticated path. Rollout plan: enable on staging (billing.stgsub.gitlab.net), validate a 200 (no 403, org-number claim present) via the added logs, then production.

Testing

  • Not verifiable locally (needs the GCE metadata server + protected collector). Validation happens on staging behind the flag.
  • New/updated specs pass: bundle exec rspec spec/lib/gitlab/tracking/destinations/billing_oidc_token_source_spec.rb spec/lib/gitlab/tracking/billing_auth_emitter_spec.rb spec/lib/gitlab/tracking/destinations/destination_configuration_spec.rb spec/lib/gitlab/tracking/destinations/snowplow_spec.rb → 81 examples, 0 failures.

References

Edited by Ankit Panchal

Merge request reports

Loading