PoC for Cell 1.0

Overview

With the proposal for Cells 1.0 we would like to do a small PoC built on top of the rules router PoC so that we test basic GitLab functionality and see if things work as expected.

The PoC is limited, it should not care about any uniqueness like user, project, group. The only uniqness is the IDs, we can bump all IDs in cell 2 by 1M.

We've discussed this in sync in 👉 https://www.youtube.com/watch?v=OiZSEhryXZ0&feature=youtu.be

Results

Complexity of Cell 1.0 Proposal

The proposal as it exists right now in !139519 (merged) is achievable and gives us the share-nothing model that we want for all of the GitLab stack. There are nor major hurdles from a technical perspective to achieve this goal, and from our PoC we saw that it's possible.

Usage of secret-based routing

Using secret-based routing will get us 80% of the way there, we are still going to need classification for things like git basic auth, and SSH. This complicates it a little bit and will require us to extract a cluster-wide service (global service) in Cell 1.0 so that we can classify routes accordingly. We'll be testing this in #438662 (closed)

Action Items

• GitLab Cell 1 accessible cell-1.steveazz.xyz
• GitLab Cell 2 accessible cell-2.steveazz.xyz
• Router accessible gitlab.steveazz.xyz
• Fix Host header issue 👉 #437818 (comment 1723352223)
• Router to be able to "pin" to a specific Cell 👉 #437818 (comment 1727374916)
• Have _gitlab_session generated with a configurable (via env vars) prefix 👉 #437818 (comment 1723591729)
  • Before: _gitlab_session=e33771b6100b734ea3d68ace2843ef2c (session not valid)
  • After: _gitlab_session=$PREFIXe33771b6100b734ea3d68ace2843ef2c
• Have GitLab Tokens (PAT, Job Token, Runner Token) generated with a configurable (via env vars) prefix 👉 #437818 (comment 1721607526)
  • Before: glpat-jJeRqmW..... (token not valid)
  • After: glpat-$PREFIXjJeRqmW.....
• Support private token routing 👉 #437818 (comment 1728681627)
• Support job token routing 👉 #437818 (comment 1729151436)
• Support runner token routing 👉 #437818 (comment 1729033312)

Reference

• Cell 1: https://cell-1.steveazz.xyz/
  • Username: root
  • Password: #437818 (comment 1727729082)
  • SSH: gcloud --project eng-core-tenant-poc-bbc34148 compute ssh cell-1
    • Run sudo su - steve to log in and find the GDK root and load profile (/home/steve/gitlab-development-kit)
• Cell 2: https://cell-2.steveazz.xyz/
  • Username: cell_2_root
  • Password: #437818 (comment 1727729082)
  • SSH: gcloud --project eng-core-tenant-poc-bbc34148 compute ssh cell-1
    • Run sudo su - steve to log in and find the GDK root and load profile (/home/steve/gitlab-development-kit)
• GitLab Router: https://gitlab.steveazz.xyz/
  • Force Cell 2: https://gitlab.com/gitlab-org/tenant-scale-group/pocs/routing/rules-router#force-cell-2

Specific Patches

To make the PoC work we had to apply the following patches:

• gitlab-runner 👉 #437818 (comment 1729033312)
• rails 👉 !141495 (closed)

Known Broken Features

• WebIDE 👉 #437818 (comment 1729076408)
• git clone for GitLab Runner 👉 #437818 (comment 1729151436)

Testing Plan

1. Go to gitlab.steveazz.xyz
2. Log into cell 1
3. Create Project
4. Create PAT
5. Send API requests to gitlab.steveazz.xyz with cell 1 PAT
6. Log into cell 2
7. Create Project
8. Create PAT
9. Send API requests to gitlab.steveazz.xyz with cell 2 PAT