Add support for propagation correlation IDs from trusted CIDRs

Stan Hu requested to merge sh-trusted-cidrs-workhorse into master

When Gitaly makes internal API calls back to Workhorse in Git hooks, Workhorse previously would generate new correlation IDs, making it hard to trace the entire call flow.

In labkit!123 (merged), we added the ability to propagate correlation IDs from trusted CIDR blocks.

To use this feature, we add two configuration parameters:

  • trusted_cidrs_for_x_forwarded_for
  • trusted_cidrs_for_propagation

If propagation of correlation ID is enabled, trusted_cidrs_for_x_forwarded_for tells LabKit what remote IPs can be trusted to use the X-Forwarded-For HTTP header to resolve the actual client IP. Note that this parameter is not yet used in Workhorse's remote IP resolution, but it should be.

trusted_cidrs_for_propagation allows Workhorse to restrict propagation to certain IP ranges. We will want to add the Gitaly servers to this list.

Relates to #324836 (closed)

Edited by Stan Hu
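
The two-list decision described above, as an added Go example that is not code from this merge request or from LabKit: the function names, the CIDR ranges and the sample addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Constructed sample ranges standing in for the two configuration lists.
var trustedXFF = []netip.Prefix{netip.MustParsePrefix("10.0.0.0/24")}  // proxies
var trustedProp = []netip.Prefix{netip.MustParsePrefix("10.1.0.0/24")} // Gitaly

func within(cidrs []netip.Prefix, ip netip.Addr) bool {
	for _, p := range cidrs {
		if p.Contains(ip.Unmap()) {
			return true
		}
	}
	return false
}

// clientIP (hypothetical) honours X-Forwarded-For only when the TCP peer is a
// trusted proxy, then returns the rightmost hop that is not a trusted proxy.
func clientIP(peer netip.Addr, xff string) netip.Addr {
	if xff == "" || !within(trustedXFF, peer) {
		return peer // an untrusted peer could have forged the header
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			return peer // malformed entry: fall back to the TCP peer
		}
		if !within(trustedXFF, ip) {
			return ip
		}
	}
	return peer // every hop was a trusted proxy
}

// shouldPropagate (hypothetical): keep an inbound correlation ID only when the resolved client is allow-listed.
func shouldPropagate(remoteAddr, xff string) bool {
	peer, err := netip.ParseAddr(remoteAddr)
	return err == nil && within(trustedProp, clientIP(peer, xff))
}

func main() {
	fmt.Println(shouldPropagate("10.0.0.5", "10.1.0.7"))    // Gitaly behind a trusted proxy
	fmt.Println(shouldPropagate("203.0.113.9", "10.1.0.7")) // untrusted peer, forged header
}
```

When the check fails, the server generates a fresh correlation ID instead of reusing the inbound one, so a caller outside the listed ranges cannot choose the ID that appears in the logs.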
