SSH push mirroring support with public-key authentication
It is not uncommon for Git access to be restricted to SSH only; GitLab even allows admins to restrict Git access protocols to "Only SSH". It is impossible to use push mirroring to a Git server that does not allow HTTP/S access.
We should add support for SSH to push mirroring, in the same way as was done for pull mirroring in https://gitlab.com/gitlab-org/gitlab-ee/issues/98
Further details
There are many situations where HTTP access may not be possible for push mirroring, including security and legacy system configurations that cannot easily be changed.
Using SSH push mirroring also has the benefit of granting only write access to the repository, not the entire API scope of the project/user that an access token or password would grant.
This feature has many moving parts. Items here:
- Port SSH host key detection to CE https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22577
- SSH pubkey auth in Gitaly UpdateRemoteMirror RPC gitaly-proto!236 (merged)
- Gitaly support for SSH pubkey auth gitaly!959 (merged)
- gitlab-rails support for SSH push mirroring https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22982 https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/8116
- Refactor and big database migration to clean things up https://gitlab.com/gitlab-org/gitlab-ee/issues/2954
Proposal
Following the same workflow as SSH pull mirroring:
- Automatically detect or manually enter SSH host keys
- Authenticate via password or public key (GitLab will automatically generate a private key and display the public key to be added to the other server)
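To illustrate the host key step of this workflow, here is an added sketch (not GitLab's or Gitaly's code) that parses `ssh-keyscan`-style output, computes the OpenSSH SHA256 fingerprint an admin would verify before pinning, and flags keys from a later scan that are not pinned. All function names, the host `mirror.example`, and the key bytes are hypothetical and constructed for the example.

```ruby
require 'digest'

# One host key as printed by `ssh-keyscan`: "<host> <key-type> <base64 blob>".
HostKey = Struct.new(:host, :type, :blob) do
  # OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob.
  def fingerprint
    'SHA256:' + [Digest::SHA256.digest(blob)].pack('m0').delete('=')
  end

  # Line suitable for a dedicated known_hosts file used only by the mirror.
  def known_hosts_line
    "#{host} #{type} #{[blob].pack('m0')}"
  end
end

# Parse scan output, dropping comments and malformed or inconsistent entries.
def parse_host_keys(text)
  text.each_line.map do |line|
    host, type, b64 = line.strip.split(/\s+/)
    next if host.nil? || host.start_with?('#') || b64.nil?
    begin
      blob = b64.unpack1('m0') # strict base64; raises on garbage
    rescue ArgumentError
      next
    end
    # The blob starts with a length-prefixed algorithm name; it must match column 2.
    len = blob.unpack1('N')
    next unless len && blob.byteslice(4, len) == type
    HostKey.new(host, type, blob)
  end.compact
end

# Keys from a fresh scan whose fingerprints are not in the pinned set.
def unpinned_keys(pinned_fingerprints, scanned_keys)
  scanned_keys.reject { |k| pinned_fingerprints.include?(k.fingerprint) }
end

# Constructed sample: a syntactically valid ed25519 blob with filler key bytes.
def constructed_scan_line(host, fill_byte)
  name = 'ssh-ed25519'
  blob = [name.bytesize].pack('N') + name + [32].pack('N') + (fill_byte.chr * 32)
  "#{host} #{name} #{[blob].pack('m0')}"
end

if __FILE__ == $PROGRAM_NAME
  pinned = parse_host_keys(constructed_scan_line('mirror.example', 1)).map(&:fingerprint)
  puts "Pin after verifying out of band: #{pinned.join(', ')}"
  later = parse_host_keys(constructed_scan_line('mirror.example', 2))
  unpinned_keys(pinned, later).each { |k| puts "Refuse push, unpinned key: #{k.fingerprint}" }
end
```

Automatic detection is trust on first use, so the fingerprint shown at setup should be compared with one obtained from the remote server's administrator before the key is pinned.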