Merge branch '231528-conditionally-fetching-aws-creds' into 'master'

Only send AWS Credentials ENV to indexer when AWS config is enabled Closes #231528 See merge request gitlab-org/gitlab!37865

Merge branch '231528-conditionally-fetching-aws-creds' into 'master'
Only send AWS Credentials ENV to indexer when AWS config is enabled Closes #231528 See merge request gitlab-org/gitlab!37865
c50776b6 · Stan Hu · 217af8aa · 68ee6948 · c50776b6 · c50776b6
Commit c50776b6 authored Jul 24, 2020 by Stan Hu
3 changed files
--- a/ee/changelogs/unreleased/231528-conditionally-fetching-aws-creds.yml
+++ b/ee/changelogs/unreleased/231528-conditionally-fetching-aws-creds.yml
+---
+title: Only send AWS Credentials ENV to indexer when AWS config is enabled
+merge_request: 37865
+author:
+type: fixed
--- a/ee/lib/gitlab/elastic/indexer.rb
+++ b/ee/lib/gitlab/elastic/indexer.rb
@@ -110,7 +110,9 @@ module Gitlab
        }

        # Set AWS environment variables for IAM role authentication if present
-        vars = build_aws_credentials_env(vars)
+        if Gitlab::CurrentSettings.elasticsearch_config[:aws]
+          vars = build_aws_credentials_env(vars)
+        end

        # Users can override default SSL certificate path via SSL_CERT_FILE SSL_CERT_DIR
        vars.merge(ENV.slice('SSL_CERT_FILE', 'SSL_CERT_DIR'))

--- a/ee/spec/lib/gitlab/elastic/indexer_spec.rb
+++ b/ee/spec/lib/gitlab/elastic/indexer_spec.rb
@@ -345,12 +345,26 @@ RSpec.describe Gitlab::Elastic::Indexer do
      allow(Gitlab::Elastic::Client).to receive(:aws_credential_provider).and_return(credentials)
    end

-    it 'credentials env vars will be included' do
-      expect(subject).to include({
-        'AWS_ACCESS_KEY_ID' => access_key_id,
-        'AWS_SECRET_ACCESS_KEY' => secret_access_key,
-        'AWS_SESSION_TOKEN' => session_token
-      })
+    context 'when AWS config is not enabled' do
+      it 'credentials env vars will not be included' do
+        expect(subject).not_to include('AWS_ACCESS_KEY_ID')
+        expect(subject).not_to include('AWS_SECRET_ACCESS_KEY')
+        expect(subject).not_to include('AWS_SESSION_TOKEN')
+      end
+    end
+
+    context 'when AWS config is enabled' do
+      before do
+        stub_application_setting(elasticsearch_aws: true)
+      end
+
+      it 'credentials env vars will be included' do
+        expect(subject).to include({
+          'AWS_ACCESS_KEY_ID' => access_key_id,
+          'AWS_SECRET_ACCESS_KEY' => secret_access_key,
+          'AWS_SESSION_TOKEN' => session_token
+        })
+      end
    end
  end