Skip to content

SSH git push to secondary -> proxy to Primary

Ash McKenzie requested to merge ash.mckenzie/geo-git-push-ssh-proxy into master

What does this MR do?

This MR implements the necessary logic to detect when an SSH git push is attempted to a secondary and proxys the HTTP equivalent requests to the primary and responds back the git client with the appropriate response.

  • Two new Geo API methods:
    • /api/vX/geo/proxy_git_push_ssh/info_refs - Calls Gitlab::Geo::GitPushSSHProxy#info_refs
    • /api/vX/geo/proxy_git_push_ssh/push - Calls Gitlab::Geo::GitPushSSHProxy#push
  • New Gitlab::Geo::GitPushSSHProxy class which contains:
    • #info_refs - Calls HTTP GET /repo.git/info/refs?service=git-receive-pack on primary
    • #push - Calls HTTP POST /repo.git/git-receive-pack on primary

Are there points in the code the reviewer needs to double check?

  • ee/lib/ee/gitlab/geo_git_access.rb#check_db_accessibility! is thoroughly examined
  • ee/lib/gitlab/geo/git_push_ssh_proxy.rb#remove_http_service_fragment_from! is thoroughly examined
  • Suitable tests exist
  • Suitable API documentation added/updated
  • FIXMEs addressed

Needed Dependencies

Why was this MR needed?

To facilitate the proxying of SSH git push requests sent to the primary, from the secondary https://gitlab.com/gitlab-org/gitlab-ee/issues/6533

Screenshots (if relevant)

Current

sequenceDiagram
  participant Client
  participant Secondary
  participant SecondaryGitaly as Secondary gitaly
  participant SecondaryGitLabShell as Secondary gitlab-shell
  participant Primary
  Note over Client,Secondary: $ git push
  Client->>SecondaryGitLabShell: ssh <single> git-receive-pack ''/repo.git''
  SecondaryGitLabShell->>+Secondary: HTTP POST /api/v4/internal/allowed
  Secondary-->>-SecondaryGitLabShell: NOTOK
  Note over SecondaryGitLabShell,Client: "You can't push code to a read-only GitLab instance.  Please use the primary node URL instead .."

.

New

sequenceDiagram
  participant Client
  participant Secondary
  participant SecondaryGitLabShell as Secondary gitlab-shell
  participant Primary
  Note over Client,Secondary: $ git push
  Client->>SecondaryGitLabShell: ssh <single> git-receive-pack ''/repo.git''
  SecondaryGitLabShell->>+Secondary: HTTP POST /api/v4/internal/allowed
  Secondary-->>-SecondaryGitLabShell: OK, REDIRECT
  SecondaryGitLabShell->>+Secondary: HTTP POST /api/v4/geo/proxy_git_push_ssh/info_refs
  Secondary-->>Primary: HTTP GET /repo.git/info/refs?service=git-receive-pack
  Primary-->>Secondary: <refs>
  Secondary->>-SecondaryGitLabShell: <refs>
  SecondaryGitLabShell->>+Secondary: HTTP POST /api/v4/geo/proxy_git_push_ssh/push
  Secondary-->>Primary: HTTP POST /repo.git/info/refs?service=git-receive-pack/git-receive-pack
  Primary-->>Secondary: <refs>
  Secondary->>-SecondaryGitLabShell: <refs>
  SecondaryGitLabShell-->>+Client: <refs>

Does this MR meet the acceptance criteria?

  • Changelog entry added, if necessary
  • Documentation created/updated
  • API support added
  • Tests added for this feature/bug
  • Conform by the code review guidelines
    • [ ] Has been reviewed by a UX Designer
    • [ ] Has been reviewed by a Frontend maintainer
    • Has been reviewed by a Backend maintainer
    • [ ] Has been reviewed by a Database specialist
  • EE specific content should be in the top level /ee folder
  • Conform by the merge request performance guides
  • Conform by the style guides
  • [ ] Conform by the database guides
  • If you have multiple commits, please combine them into a few logically organized commits by squashing them
  • [ ] Internationalization required/considered
  • If paid feature, have we considered GitLab.com plan and how it works for groups and is there a design for promoting it to users who aren't on the correct plan
  • End-to-end tests pass (package-and-qa manual pipeline job)

What are the relevant issue numbers?

https://gitlab.com/gitlab-org/gitlab-ee/issues/6533

Edited by Ash McKenzie

Merge request reports