Allow multiple Geo secondaries to be placed behind a load balancer
Zendesk: https://gitlab.zendesk.com/agent/tickets/97677
Customer's use case is that they want to build multiple Geo secondaries, placed strategically in various geographic areas. Then, users will access Geo through a common name/load balancer. The load balancer intelligently routes the user to the closest Geo node. This is useful in large enterprises because users don't need to know where the Geo nodes are or what their specific URL is.
This currently doesn't work with Geo due to OAuth. When attempting to authenticate via the load balanced name, OAuth fails with 'Invalid URI' on the GitLab primary. However, authentication works fine when accessing a specific Geo node via its proper URL. This seems to be due to the way we do name matching.
Is there a way we can match the secondary instance during authentication and support this use-case?
I mentioned this to @nick.thomas in #geo. Nick, do you have any further thoughts on this?
Closing summary
We have at least 2 options:
- Support alternative OAuth redirect URL (so the load balancer address can be added): https://gitlab.com/gitlab-org/gitlab-ee/issues/9142
- Decouple the Geo node identity from `external_url`: https://gitlab.com/gitlab-org/gitlab-ee/issues/9174
  - This one also solves another use-case: when `external_url` is hidden behind the firewall
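
The 'Invalid URI' failure described in the issue, and the first option in the closing summary, as an added Ruby sketch that is not GitLab's code: an authorization server that exact-matches `redirect_uri` rejects the load-balanced name until that callback is registered too. The `GeoOauthApp` struct, the host names and the callback path are assumptions made for illustration.

```ruby
require "uri"

# Hypothetical model: one OAuth application per Geo secondary, registered on
# the primary. Host names below are constructed sample values.
GeoOauthApp = Struct.new(:name, :redirect_uris)
CALLBACK = "/oauth/geo/callback" # assumed callback path, for illustration

# Canonicalize only what is safe: host case and default port.
# Path and query must match exactly; userinfo and fragments are rejected.
def canonical(uri_string)
  uri = URI.parse(uri_string)
  return nil unless uri.is_a?(URI::HTTP) && uri.host
  return nil if uri.userinfo || uri.fragment
  port = uri.port == uri.default_port ? "" : ":#{uri.port}"
  query = uri.query ? "?#{uri.query}" : ""
  "#{uri.scheme.downcase}://#{uri.host.downcase}#{port}#{uri.path}#{query}"
rescue URI::InvalidURIError
  nil
end

# What the primary does with the redirect_uri of an authorization request:
# accept it only if it equals one of the URIs registered for the application.
def authorize(app, requested)
  wanted = canonical(requested)
  return :invalid_uri if wanted.nil?
  app.redirect_uris.any? { |r| canonical(r) == wanted } ? :ok : :invalid_uri
end

def demo
  node = "https://geo-eu.example.com"   # the secondary's own URL
  lb   = "https://geo.example.com"      # common load-balanced name
  app  = GeoOauthApp.new("geo-eu", [node + CALLBACK])
  before = {
    via_node: authorize(app, node + CALLBACK),
    via_lb:   authorize(app, lb + CALLBACK),
  }
  # Option 1 from the summary: register the load balancer callback as well.
  app.redirect_uris << lb + CALLBACK
  after = {
    via_lb:     authorize(app, lb + CALLBACK),
    other_path: authorize(app, lb + "/oauth/other"),
    lookalike:  authorize(app, "https://geo.example.com.other.test" + CALLBACK),
  }
  { before: before, after: after }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Registering the extra callback as a full URI, rather than relaxing the check to a host prefix or wildcard, keeps the lookalike host and the unregistered path rejected.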