Skip to content

codeintel: Internal API proxy

Administrator requested to merge rfc199-codeintel-internal-proxy into master

Created by: efritz

This PR implements part of RFC 199: User code execution in the auto-indexer and closes https://github.com/sourcegraph/sourcegraph/issues/12666.

This PR adds a token-authenticated set of routes in the internally exposed frontend API that will perform requests to select routes on gitserver and to the precise-code-intel-indexer API introduced in https://github.com/sourcegraph/sourcegraph/pull/12657.

Things of note: we are planning on having the precise-code-intel-indexer that runs Firecracker VMs to be completely firewalled off from the rest of the application so that code running within the VMs cannot reach internal-only APIs and exfiltrate or modify data. This requires that all of the APIs required by the indexer be authenticated via shared tokens, and be exposed as part of the client/public-internet facing surface of Sourcegraph. Additionally, we cannot simply reverse proxy as the built-in support for reverse proxying in Go is fairly poor when supporting HTTP 307 responses with a POST request. We cannot simply return a Location header to an internal API, as that's useless for the firewalled service.

Additional note: I have a TODO in there about tracing requests. I plan to make an httputil package that will consolidate some of the tracing/observation logic that's pretty much copy-pasted in the queue index, bundle manager, and internal proxy client. Other existing clients can make use of this over time as well.

Merge request reports

Loading