Add PROXY support to gitlab-shell container

This commit adds a new container, `gitlab-shell-libproxyproto`, that
supports the PROXY protocol
(https://developers.cloudflare.com/spectrum/proxy-protocol) via
libproxyproto (https://github.com/msantos/libproxyproto). This allows
the SSH server to get the real client IP instead of the IP of the load
balancer.

By default, the PROXY protocol is not enforced. This can be enabled in
the Helm Chart via this config:

```yaml
gitlab:
  gitlab-shell:
    enabled: true
    extraEnv:
      LIBPROXYPROTO_MUST_USE_PROTOCOL_HEADER: 1
```

Debugging can be enabled via `LIBPROXYPROTO_DEBUG: 1`.

Relates to https://gitlab.com/groups/gitlab-com/gl-infra/-/epics/425

.gitlab-ci.yml

@@ -974,6 +974,21 @@ gitlab-shell:
     - build:gitlab-gomplate
     - build:gitlab-shell
 
+gitlab-shell-libproxyproto:
+  <<: *job-base
+  <<: *except-deps
+  stage: phase-five
+  script:
+    - export DOCKERFILE_EXT
+    - export IMAGE_TAG_EXT
+    - export shell_container=$(cat artifacts/shell_container.txt)
+    - build_if_needed --build-arg "TAG=$shell_container${IMAGE_TAG_EXT}"
+    - push_tags gitlab-$GITLAB_REF_SLUG${IMAGE_TAG_EXT}  # This can be removed during https://gitlab.com/gitlab-com/gl-infra/delivery/-/issues/1553
+    - push_tags $GITLAB_SHELL_VERSION${IMAGE_TAG_EXT}
+  dependencies:
+    - gitlab-shell
+    - build:gitlab-shell
+
 build:git-base:
   <<: *build-job-base
   stage: prepare:phase-one

gitlab-shell-libproxyproto/Dockerfile

+ARG CI_REGISTRY_IMAGE="registry.gitlab.com/gitlab-org/build/cng"
+ARG FROM_IMAGE="$CI_REGISTRY_IMAGE/gitlab-shell"
+ARG TAG="master"
+
+FROM ${FROM_IMAGE}:${TAG} as shell
+USER root
+
+# From https://gitlab.com/gitlab-com/gl-infra/openssh-patches/-/releases/v0.1.0
+RUN cd /tmp && \
+    curl --retry 6 -o openssh-client.deb https://gitlab.com/gitlab-com/gl-infra/openssh-patches/uploads/4c4385c098a459689c4b97db0d0a14f8/openssh-client_7.9p1-10+deb10u2+gitlab+openssh79+8c55f4e4+1_amd64.deb && \
+    curl --retry 6 -o openssh-server.deb https://gitlab.com/gitlab-com/gl-infra/openssh-patches/uploads/520bba5376bef780cfd0c7ccefd4338d/openssh-sftp-server_7.9p1-10+deb10u2+gitlab+openssh79+8c55f4e4+1_amd64.deb && \
+    curl --retry 6 -o openssh-sftp-server.deb https://gitlab.com/gitlab-com/gl-infra/openssh-patches/uploads/520bba5376bef780cfd0c7ccefd4338d/openssh-sftp-server_7.9p1-10+deb10u2+gitlab+openssh79+8c55f4e4+1_amd64.deb && \
+    dpkg -i openssh-client.deb openssh-server.deb openssh-sftp-server.deb && \
+    rm openssh-client.deb openssh-server.deb openssh-sftp-server.deb

gitlab-shell-libproxyproto/README.md

+### gitlab-shell with PROXY support
+
+This image is based off the gitlab-shell image but adds [PROXY protocol](https://developers.cloudflare.com/spectrum/proxy-protocol) support via [libproxyproto](https://github.com/msantos/libproxyproto).
+
+The Debian and Ubuntu patches to support this can be found in [this
+repository](https://gitlab.com/gitlab-com/gl-infra/openssh-patches).
+
+#### Configuration varaibles
+
+See [the list of environment variables](https://github.com/msantos/libproxyproto#environment-variables)
+that can be used.
+
+#### Quick start
+
+To enforce, PROXY v2 protocol, set:
+
+```yaml
+LIBPROXYPROTO_MUST_USE_PROTOCOL_HEADER: 1
+LIBPROXYPROTO_VERSION: 2
+```
+
+To test this image with debug logging:
+
+```sh
+docker run -e LIBPROXYPROTO_MUST_USE_PROTOCOL_HEADER=1 -e LIBPROXYPROTO_DEBUG=1 -it -v /run/sshd:/run/sshd -p 2222:2222 registry.gitlab.com/gitlab-org/build/cng/gitlab-shell-libproxyproto
+```
+
+This will start up an OpenSSH server with PROXY support on port 2222.