Add GitLab GKG (Knowledge Graph) CNG Image

Overview

Add a new CNG image gitlab-gkg for the GitLab Knowledge Graph service, similar to the existing gitlab-zoekt image. This image should support dual operating modes (indexer and webserver) controlled by environment variables.

Requirements

Core Functionality

  • Single Docker image containing the gkg-server-deployed binary (built from http-server-deployed in the knowledge-graph repository)
  • Dual-mode operation:
    • Indexer mode: Runs the indexing service (default port 3333)
    • Webserver mode: Runs the querying service (default port 3334)
  • Mode controlled by GITLAB_GKG_MODE environment variable

Technical Specifications

  • Base Image: Extend gitlab-base following CNG patterns
  • Build Process: Multi-stage build using gitlab-rust as builder image
  • Binary Source: Build http-server-deployed from https://gitlab.com/gitlab-org/rust/knowledge-graph.git
  • User: Run as git user (following CNG security practices)
  • Data Volume: /data/gkg for persistent data storage
  • Health Checks: Support Docker health checks via /health endpoint

Configuration Options

  • GITLAB_GKG_MODE: Operating mode (indexer | webserver)
  • GITLAB_GKG_SECRET_PATH: Path to JWT secret file (default: /.gitlab_shell_secret)
  • PORT: Override default ports per mode

Network Configuration

  • Indexer Mode: Binds to port 3333 by default
  • Webserver Mode: Binds to port 3334 by default
  • TCP binding only (--bind parameter)
  • Expose both ports in Dockerfile

Authentication

  • JWT authentication for all endpoints except /health and /metrics
  • Secret file required via --secret-path parameter

Implementation Details

File Structure

gitlab-gkg/
├── Dockerfile                 # Multi-stage build with Rust compilation
├── scripts/
│   ├── process-wrapper       # Mode selection and process execution
│   └── healthcheck          # Health check implementation

Environment Variables

  • GITLAB_GKG_MODE: indexer | webserver (required)
  • GITLAB_GKG_SECRET_PATH: JWT secret file path (required)
  • GITLAB_GKG_DATA_DIR: Data directory (default: /data/gkg)
  • PORT: Override default port
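
One way the process-wrapper could resolve these variables and fail closed on bad input, as an added example that is not the CNG project's own script. It assumes that --bind takes ADDRESS:PORT, that 0.0.0.0 is the listen address, and that gkg-server-deployed is on PATH; the function names are hypothetical, and how the mode itself is passed to the binary is not specified in this issue, so that part is left out.

```shell
#!/bin/sh
# Added example: fail-closed argument resolution for a process-wrapper,
# using only the settings named in this issue.

# Print the default port for a mode; reject anything else.
gkg_default_port() {
  case "$1" in
    indexer)   echo 3333 ;;
    webserver) echo 3334 ;;
    *)         return 1 ;;
  esac
}

# Validate the environment and print the server arguments on stdout.
# Assumption: --bind takes ADDRESS:PORT; 0.0.0.0 is an assumed listen address.
gkg_server_args() {
  mode="${GITLAB_GKG_MODE:-}"
  secret="${GITLAB_GKG_SECRET_PATH:-/.gitlab_shell_secret}"

  default_port=$(gkg_default_port "$mode") || {
    echo "GITLAB_GKG_MODE must be 'indexer' or 'webserver'" >&2
    return 1
  }
  port="${PORT:-$default_port}"

  # PORT must be 1 to 5 digits and inside the valid TCP range.
  case "$port" in
    ''|*[!0-9]*|??????*) echo "PORT is not a valid number: $port" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "PORT out of range: $port" >&2; return 1
  fi

  # Refuse to start without a readable, non-empty JWT secret file.
  if [ ! -r "$secret" ] || [ ! -s "$secret" ]; then
    echo "JWT secret missing or empty: $secret" >&2; return 1
  fi

  echo "--bind 0.0.0.0:$port --secret-path $secret"
}

# Stand-alone use: `sh wrapper.sh run` validates, then replaces the shell.
if [ "${1:-}" = "run" ]; then
  args=$(gkg_server_args) || exit 1
  # shellcheck disable=SC2086  # word splitting of $args is intended here
  exec gkg-server-deployed $args
fi
```

Using exec keeps the server as the container's main process so it receives stop signals directly.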

Build Arguments

  • GITLAB_GKG_SHA: Git branch/tag for knowledge-graph repository (default: main)
  • GITLAB_GKG_REPO: Repository URL for knowledge-graph source

Testing

  • Container should start successfully in both modes
  • Health endpoints should respond with 200 status
  • Binary should be built with release optimizations
  • Follow CNG security and layering patterns

Acceptance Criteria

  • Image builds successfully using ./build-scripts/build.sh
  • Container runs in indexer mode with proper port binding
  • Container runs in webserver mode with proper port binding
  • Health checks pass for both modes
  • Follows CNG architectural patterns (multi-stage build, minimal final image)
  • Security best practices (non-root user, no hardcoded secrets)
  • Documentation follows CNG component guidelines
Edited by Dmitry Gruzd