Merge branch 'sh-test-openssh-proxy-patch' into 'master'

Add PROXY support to gitlab-shell container See merge request gitlab-org/build/CNG!657

Merge branch 'sh-test-openssh-proxy-patch' into 'master'
Add PROXY support to gitlab-shell container See merge request gitlab-org/build/CNG!657
43b50e73 · DJ Mountney · ee6dc58b · c08bc1d6 · 43b50e73 · 43b50e73
Commit 43b50e73 authored Jun 02, 2021 by DJ Mountney
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -974,6 +974,28 @@ gitlab-shell:
    - build:gitlab-gomplate
    - build:gitlab-shell

+gitlab-shell-libproxyproto:
+  <<: *job-base
+  <<: *except-deps
+  stage: phase-five
+  script:
+    - export shell_container=$(cat artifacts/shell_container.txt)
+    - build_if_needed --build-arg "TAG=$shell_container"
+    - push_tags gitlab-$GITLAB_REF_SLUG
+    - push_tags $GITLAB_SHELL_VERSION
+  dependencies:
+    - gitlab-shell
+  rules:
+    - <<: *if_deps_pipeline
+      when: never
+    - <<: *if_ubi_pipeline
+      when: never
+    - <<: *if_ubi_tag
+      when: never
+    - <<: *if_ubi_branch
+      when: never
+    - when: always
+
 build:git-base:
  <<: *build-job-base
  stage: prepare:phase-one

--- a/gitlab-shell-libproxyproto/Dockerfile
+++ b/gitlab-shell-libproxyproto/Dockerfile
+ARG CI_REGISTRY_IMAGE="registry.gitlab.com/gitlab-org/build/cng"
+ARG FROM_IMAGE="$CI_REGISTRY_IMAGE/gitlab-shell"
+ARG TAG="master"
+
+FROM ${FROM_IMAGE}:${TAG} as shell
+USER root
+
+# From https://gitlab.com/gitlab-com/gl-infra/openssh-patches/-/releases/v0.1.0
+RUN cd /tmp && \
+    curl --retry 6 -o openssh-client.deb https://gitlab.com/gitlab-com/gl-infra/openssh-patches/uploads/4c4385c098a459689c4b97db0d0a14f8/openssh-client_7.9p1-10+deb10u2+gitlab+openssh79+8c55f4e4+1_amd64.deb && \
+    curl --retry 6 -o openssh-server.deb https://gitlab.com/gitlab-com/gl-infra/openssh-patches/uploads/520bba5376bef780cfd0c7ccefd4338d/openssh-sftp-server_7.9p1-10+deb10u2+gitlab+openssh79+8c55f4e4+1_amd64.deb && \
+    curl --retry 6 -o openssh-sftp-server.deb https://gitlab.com/gitlab-com/gl-infra/openssh-patches/uploads/520bba5376bef780cfd0c7ccefd4338d/openssh-sftp-server_7.9p1-10+deb10u2+gitlab+openssh79+8c55f4e4+1_amd64.deb && \
+    dpkg -i openssh-client.deb openssh-server.deb openssh-sftp-server.deb && \
+    rm openssh-client.deb openssh-server.deb openssh-sftp-server.deb
+
+ARG GITLAB_USER=git
+USER $GITLAB_USER:$GITLAB_USER
--- a/gitlab-shell-libproxyproto/README.md
+++ b/gitlab-shell-libproxyproto/README.md
+### gitlab-shell with PROXY support
+
+This image is based off the gitlab-shell image but adds [PROXY protocol](https://developers.cloudflare.com/spectrum/proxy-protocol) support via [libproxyproto](https://github.com/msantos/libproxyproto).
+
+The Debian and Ubuntu patches to support this can be found in [this
+repository](https://gitlab.com/gitlab-com/gl-infra/openssh-patches).
+
+#### Configuration varaibles
+
+See [the list of environment variables](https://github.com/msantos/libproxyproto#environment-variables)
+that can be used.
+
+#### Quick start
+
+To enforce, PROXY v2 protocol, set:
+
+```yaml
+LIBPROXYPROTO_MUST_USE_PROTOCOL_HEADER: 1
+LIBPROXYPROTO_VERSION: 2
+```
+
+To test this image with debug logging:
+
+```sh
+docker run -e LIBPROXYPROTO_MUST_USE_PROTOCOL_HEADER=1 -e LIBPROXYPROTO_DEBUG=1 -it -v /run/sshd:/run/sshd -p 2222:2222 registry.gitlab.com/gitlab-org/build/cng/gitlab-shell-libproxyproto
+```
+
+This will start up an OpenSSH server with PROXY support on port 2222.