Shared credentials for SSH mirror authentication
Problem to solve
Pull mirroring (EE, 9.5+) and push mirroring (CE, 11.5+) support SSH authentication. Currently, this works by generating an SSH private key for the git client to use per-mirror. We also detect and store the other repository's known_hosts
key per-project. When mirroring lots of projects, this means there are a lot of credentials to manage.
Further details
It seems reasonable that an organisation might want to mirror a whole project hierarchy. Perhaps they have an open-source
group on their private GitLab instance, for instance. This might pull from third-party open-source projects on GitLab.com, or it might push to mirrors of their own open-source code on the same platforms.
Proposal
Add group-level SSH credentials that the mirror can be told to use. These should be managed at group level, and referenced, rather than copied into, the mirror settings - this way, changes to known_hosts
(for instance) can be reflected across a number of projects instantly.
What does success look like, and how can we measure that?
Able to set up SSH authentication for a large number of projects immediately, and have all those projects use the same credentials when authenticating against the other repository.