[Source Code] Cells: SSH Routing for Git Pull and Push
## Overview

When `git push` is performed against a secondary node, the request must be rerouted to the primary node. Because the Gitaly servers of the primary node are not exposed, we need to go through the public endpoints (Git over SSH, Git over HTTP(S)) in order to redirect the request. As a result, we [opted](https://gitlab.com/groups/gitlab-org/-/epics/8819) to proxy the Git over SSH request to Git over HTTP(S), translate the Git HTTP(S) response into one compatible with the SSH protocol, and return it to the user.

The solution covers the general case well. However, the subtle differences between the SSH and HTTP(S) Git protocols cause [issues](https://gitlab.com/gitlab-org/gitlab-shell/-/issues/751) in edge-case scenarios and make the solution unreliable and fragile across Git upgrades. For Geo and Cells we need a more sustainable solution.

Blueprint: https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/cells/ssh_routing_service/

## Proposal

As part of the https://gitlab.com/gitlab-org/gitlab/-/issues/438826+ initiative, https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146231+ was introduced, with the following MRs as PoCs:

- [Create a Workhorse HTTP endpoint that exposes a Gitaly RPC for Git clone via SSH](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146227).
- [Perform a request to this endpoint from GitLab Shell and send the response to the user](https://gitlab.com/gitlab-org/gitlab-shell/-/merge_requests/969).
## Roadmap

| Step | Description | Issue | Status | Milestone | Dependencies |
|------|-------------|-------|--------|-----------|--------------|
| 1 | Add route type to classify service with documentation | https://gitlab.com/gitlab-com/gl-infra/tenant-scale/cells-infrastructure/team/-/issues/634 | :white_check_mark: | \- | \- |
| 2 | Configure Topology Service in GitLab Shell | [gitlab-shell#763 (closed)](https://gitlab.com/gitlab-org/gitlab-shell/-/issues/763) | :white_check_mark: | 18.10 | Step 1 |
| 3 | Implement Topology Service integration for cell routing (`/allowed`) | [gitlab-shell#764 (closed)](https://gitlab.com/gitlab-org/gitlab-shell/-/issues/764) | :white_check_mark: | 19.0 | Step 2 |
| 4 | Provide mTLS key pair to GitLab-Shell for Topology Service (gRPC) authentication | [gitlab-shell#845](https://gitlab.com/gitlab-org/gitlab-shell/-/work_items/845) | :red_circle: Open | 19.0-19.1 | Step 2 |
| 5 | Add retry mechanism for Classify calls | [gitlab-shell#846 (closed)](https://gitlab.com/gitlab-org/gitlab-shell/-/work_items/846) | :white_check_mark: | 19.0 | Step 3 |
| 6 | Implement authorization for Workhorse SSH endpoints | [gitlab#456128](https://gitlab.com/gitlab-org/gitlab/-/issues/456128) | :large_blue_circle: In progress | 19.0-19.1 | Step 3 |
| 7 | Use Topology Service for SSH authentication (public key → cell routing) | [gitlab-shell#835 (closed)](https://gitlab.com/gitlab-org/gitlab-shell/-/issues/835) | :white_check_mark: | 19.0 | Step 2 |
| 8 | Topology Service routing for non-Git SSH commands (user-scoped endpoints) | [gitlab-shell#836 (closed)](https://gitlab.com/gitlab-org/gitlab-shell/-/issues/836) | :white_check_mark: | 19.0 | Step 7 |
| 9 | Topology Service routing for additional repo-scoped endpoints | [gitlab-shell#837 (closed)](https://gitlab.com/gitlab-org/gitlab-shell/-/issues/837) | :white_check_mark: | 19.0 | Step 3 |
| 10 | Add Prometheus metrics for Topology Service client | https://gitlab.com/gitlab-org/gitlab-shell/-/work_items/839 | :white_check_mark: | 18.11 | Step 2 |
| 11 | Cells: Migrate SSH routing from SSHKey claim to SSHFingerprint claim | https://gitlab.com/gitlab-org/gitlab-shell/-/work_items/851 | :white_check_mark: | 19.1 | ~~Blocked by TS changes~~ Fixed by https://gitlab.com/gitlab-org/cells/topology-service/-/merge_requests/519 |
| 12 | Add explicit Topology Service cell endpoint configuration | [gitlab-shell#860](https://gitlab.com/gitlab-org/gitlab-shell/-/work_items/860) | :red_circle: Open | 19.2 | Step 3 |
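Steps 7 and 11 route an SSH session to its cell by the fingerprint of the presented public key rather than by the key itself. The Go example below is added here and is not GitLab Shell or Topology Service code: it derives the OpenSSH SHA256 fingerprint with the standard library only and uses a hypothetical in-memory `RoutingTable` as a stand-in for the Classify lookup, whose real API is not modelled.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

// RoutingTable maps an OpenSSH-style SHA256 fingerprint to the cell owning the
// key's user: a hypothetical stand-in for the Topology Service Classify lookup.
type RoutingTable map[string]string
// Fingerprint returns the OpenSSH "SHA256:<base64>" fingerprint of a key line in
// authorized_keys form; only the key blob is hashed, so the comment cannot steer routing.
func Fingerprint(pubKeyLine string) (string, error) {
	fields := strings.Fields(pubKeyLine)
	if len(fields) < 2 {
		return "", errors.New("malformed public key line")
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return "", errors.New("public key blob is not valid base64")
	}
	sum := sha256.Sum256(blob)
	// OpenSSH prints the digest base64-encoded without '=' padding.
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), nil
}

// Register keeps only the fingerprint, never the full key material.
func (rt RoutingTable) Register(pubKeyLine, cell string) error {
	fp, err := Fingerprint(pubKeyLine)
	if err != nil {
		return err
	}
	rt[fp] = cell
	return nil
}

// Classify resolves the cell for a key presented at SSH login; unknown keys are an error, not a default cell.
func (rt RoutingTable) Classify(pubKeyLine string) (string, error) {
	fp, err := Fingerprint(pubKeyLine)
	if err != nil {
		return "", err
	}
	if cell, ok := rt[fp]; ok {
		return cell, nil
	}
	return "", errors.New("no cell registered for " + fp)
}
```

The sample key blobs used to exercise it are constructed byte strings, not real ed25519 keys, since only the blob's hash matters for routing.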