Update gitlab-shell chart to enable PROXY protocol

Robert May requested to merge robotmay_gitlab-master-patch-06076 into master

What does this MR do?

Enables PROXY header support for correct IP address detection when using gitlab-sshd.

Related issues

Related gitlab-org/gitlab-shell#548 (closed)

Related https://gitlab.com/gitlab-org/gitlab/-/issues/361755

Related https://gitlab.com/groups/gitlab-org/-/epics/8014

Related #2933

Testing

  1. Set up a VM with HAProxy and open port 2222. These are the config additions to /etc/haproxy/haproxy.cfg:

     frontend fe_ssh
        bind 0.0.0.0:2222
        mode tcp
        default_backend ssh_ipv4

     backend ssh_ipv4
        mode tcp
        server s1 <CLUSTER EXTERNAL IP>:22 send-proxy-v2

  2. Deploy a Cloud Native GitLab cluster with the Helm Chart. Apply these values.yaml settings:

     global:
       shell:
         tcp:
           proxyProtocol: true
     gitlab:
       gitlab-shell:
         sshDaemon: "gitlab-sshd"
         config:
           proxyProtocol: true

If everything is correct, you should see:

$ ssh git@<YOUR CLUSTER IP> -p 2222
PTY allocation request failed on channel 0
Welcome to GitLab, @root!
Connection to <YOUR CLUSTER IP> closed.

You should also be able to clone a test project called root/test.git via:

$ git clone ssh://git@<YOUR CLUSTER IP>:2222/root/test.git

If you forget to enable gitlab-sshd, you'll see something like this:

$ ssh git@<YOUR CLUSTER IP> -p 2222
Bad packet length 1231976033.
ssh_dispatch_run_fatal: Connection to <YOUR CLUSTER IP> port 2222: message authentication code incorrect

If you use a branch that doesn't add the second :PROXY, you'll see gitlab-shell errors:

time="2022-05-09T19:17:11Z" level=info msg="server: handleConn: start" correlation_id=01G2N422STPA16A520P3JZDZ2T remote_addr="10.8.0.136:54116"
time="2022-05-09T19:17:11Z" level=error msg="server: handleConn: failed to initialize SSH connection" correlation_id=01G2N422STPA16A520P3JZDZ2T error="proxyproto: proxy protocol signature not present" remote_addr="10.8.0.136:54116"

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • Merge Request Title and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Tests added
  • Integration tests added to GitLab QA
  • Equivalent MR/issue for omnibus-gitlab opened
Edited by Mitchell Nielsen
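
The test plan above depends on each hop finding a PROXY protocol v2 header in front of the SSH banner, and the "signature not present" log line is what a receiver reports when it is missing. The Go sketch below is an added example, not gitlab-shell's code: it parses the header that `send-proxy-v2` prepends and returns the original client address. `ParseProxyV2`, `sampleHeader` and `ErrNoSignature` are hypothetical names, and the addresses are constructed documentation values.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

var sigV2 = []byte("\r\n\r\n\x00\r\nQUIT\n") // 12-byte signature opening every v2 header
var ErrNoSignature = errors.New("proxy protocol v2 signature not present")

// ParseProxyV2 returns the client address in a v2 header and the header length to skip.
func ParseProxyV2(b []byte) (netip.AddrPort, int, error) {
	var none netip.AddrPort
	if len(b) < 16 || !bytes.Equal(b[:12], sigV2) {
		return none, 0, ErrNoSignature
	}
	if b[12]>>4 != 2 {
		return none, 0, errors.New("unsupported PROXY protocol version")
	}
	total := 16 + int(binary.BigEndian.Uint16(b[14:16]))
	if len(b) < total {
		return none, 0, errors.New("truncated PROXY header")
	}
	if b[12]&0x0f == 0 { // LOCAL command: health check, no client address
		return none, total, nil
	}
	alen := map[byte]int{0x11: 4, 0x21: 16}[b[13]] // TCP over IPv4 / IPv6
	if alen == 0 || total < 16+2*alen+4 {
		return none, 0, errors.New("unsupported address family or short address block")
	}
	src, _ := netip.AddrFromSlice(b[16 : 16+alen])
	port := binary.BigEndian.Uint16(b[16+2*alen:])
	return netip.AddrPortFrom(src, port), total, nil
}

// sampleHeader builds a constructed TCP4 header (documentation addresses).
func sampleHeader() []byte {
	h := append(append([]byte{}, sigV2...), 0x21, 0x11, 0x00, 0x0c) // v2 PROXY, TCP4, 12 address bytes
	h = append(h, 203, 0, 113, 7, 192, 0, 2, 10)                    // src 203.0.113.7, dst 192.0.2.10
	return append(h, 0xd3, 0x64, 0x00, 0x16)                        // src port 54116, dst port 22
}

func main() {
	wire := append(sampleHeader(), "SSH-2.0-OpenSSH_8.9\r\n"...)
	fmt.Println(ParseProxyV2(wire))                              // header present: client address recovered
	fmt.Println(ParseProxyV2([]byte("SSH-2.0-OpenSSH_8.9\r\n"))) // no header: signature error
}
```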