SSH git push to secondary -> proxy to Primary
What does this MR do?
This MR implements the necessary logic to detect when an SSH git push is attempted to a secondary and proxys the HTTP equivalent requests to the primary and responds back the git client with the appropriate response.
- Two new Geo API methods:
-
/api/vX/geo/proxy_git_push_ssh/info_refs
- CallsGitlab::Geo::GitPushSSHProxy#info_refs
-
/api/vX/geo/proxy_git_push_ssh/push
- CallsGitlab::Geo::GitPushSSHProxy#push
-
- New
Gitlab::Geo::GitPushSSHProxy
class which contains:-
#info_refs
- CallsHTTP GET /repo.git/info/refs?service=git-receive-pack
on primary -
#push
- CallsHTTP POST /repo.git/git-receive-pack
on primary
-
Are there points in the code the reviewer needs to double check?
-
ee/lib/ee/gitlab/geo_git_access.rb#check_db_accessibility!
is thoroughly examined -
ee/lib/gitlab/geo/git_push_ssh_proxy.rb#remove_http_service_fragment_from!
is thoroughly examined -
Suitable tests exist -
Suitable API documentation added/updated -
FIXMEs addressed
⚠ Needed Dependencies ⚠
gitlab-shell!214 (merged) - Refactor that focuses on SRP improvements- gitlab-shell!215 (merged) - Custom Action support
- https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/21038 - Allow auth via JWT (always false in CE)
- https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/21034 - Custom Action support
- https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/6455 - Allow push_code when auth'd via Geo JWT
- Then, this MR :)
Why was this MR needed?
To facilitate the proxying of SSH git push requests sent to the primary, from the secondary https://gitlab.com/gitlab-org/gitlab-ee/issues/6533
Screenshots (if relevant)
Current
sequenceDiagram
participant Client
participant Secondary
participant SecondaryGitaly as Secondary gitaly
participant SecondaryGitLabShell as Secondary gitlab-shell
participant Primary
Note over Client,Secondary: $ git push
Client->>SecondaryGitLabShell: ssh <single> git-receive-pack ''/repo.git''
SecondaryGitLabShell->>+Secondary: HTTP POST /api/v4/internal/allowed
Secondary-->>-SecondaryGitLabShell: NOTOK
Note over SecondaryGitLabShell,Client: "You can't push code to a read-only GitLab instance. Please use the primary node URL instead .."
.
New
sequenceDiagram
participant Client
participant Secondary
participant SecondaryGitLabShell as Secondary gitlab-shell
participant Primary
Note over Client,Secondary: $ git push
Client->>SecondaryGitLabShell: ssh <single> git-receive-pack ''/repo.git''
SecondaryGitLabShell->>+Secondary: HTTP POST /api/v4/internal/allowed
Secondary-->>-SecondaryGitLabShell: OK, REDIRECT
SecondaryGitLabShell->>+Secondary: HTTP POST /api/v4/geo/proxy_git_push_ssh/info_refs
Secondary-->>Primary: HTTP GET /repo.git/info/refs?service=git-receive-pack
Primary-->>Secondary: <refs>
Secondary->>-SecondaryGitLabShell: <refs>
SecondaryGitLabShell->>+Secondary: HTTP POST /api/v4/geo/proxy_git_push_ssh/push
Secondary-->>Primary: HTTP POST /repo.git/info/refs?service=git-receive-pack/git-receive-pack
Primary-->>Secondary: <refs>
Secondary->>-SecondaryGitLabShell: <refs>
SecondaryGitLabShell-->>+Client: <refs>
Does this MR meet the acceptance criteria?
-
Changelog entry added, if necessary -
Documentation created/updated -
API support added -
Tests added for this feature/bug - Conform by the code review guidelines
[ ] Has been reviewed by a UX Designer[ ] Has been reviewed by a Frontend maintainer-
Has been reviewed by a Backend maintainer [ ] Has been reviewed by a Database specialist
-
EE specific content should be in the top level /ee
folder -
Conform by the merge request performance guides -
Conform by the style guides [ ] Conform by the database guides-
If you have multiple commits, please combine them into a few logically organized commits by squashing them [ ] Internationalization required/considered-
If paid feature, have we considered GitLab.com plan and how it works for groups and is there a design for promoting it to users who aren't on the correct plan -
End-to-end tests pass ( package-and-qa
manual pipeline job)
What are the relevant issue numbers?
Edited by Ash McKenzie