Rework SSH private key handling for Geo nodes
Per https://gitlab.com/gitlab-org/gitlab-ee/issues/1255, we are moving to a different model of SSH private key management for Geo users. They will be held in the database and automatically generated by GitLab in %10.1.
For %10.0, we need to get the SSH keys off of the Geo primary nodes. We added a system check that will cause rake gitlab:check to fail if the configured git user has any custom SSH config, like ~/.ssh/id_rsa. Geo secondaries get a temporary reprieve: https://gitlab.com/gitlab-org/gitlab-ee/issues/3340 but it will be an error to have a ~git/.ssh/id_rsa file on any other GitLab server.
I didn't know we were automatically generating private keys on all EE omnibus installations, per #1680 (closed)! We need to stop doing that by %10.0. Unfortunately, we can't automatically remove the keys that were already added.
It seems we can restrict the automatic key generation to just Geo secondaries, so I'll do that for %10.0.
There's also the gitlab-ctl set-geo-node-primary command, which currently takes a public key - that requirement is going away.
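Because keys that were already generated are not removed automatically, an administrator may want to find them by hand. The following is an added example, not GitLab's own check and not part of the original issue: a shell function that flags anything in a user's ~/.ssh that is not on an allowlist. The allowlist, the function names and the sample directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a home directory for leftover SSH client configuration.
# Assumption: files that only serve inbound SSH access are acceptable. This
# allowlist is illustrative and is not taken from GitLab's system check.
ALLOWED="authorized_keys authorized_keys.lock authorized_keys2 known_hosts"

# audit_ssh_dir HOME_DIR (hypothetical helper)
# Prints one finding per line; returns 0 when clean, 1 when anything is found.
audit_ssh_dir() {
    ssh_dir="$1/.ssh"
    found=0
    [ -d "$ssh_dir" ] || return 0
    for entry in "$ssh_dir"/* "$ssh_dir"/.[!.]*; do
        [ -e "$entry" ] || continue          # an unmatched glob stays literal
        name=$(basename "$entry")
        case " $ALLOWED " in
            *" $name "*) continue ;;         # allowlisted file, skip it
        esac
        # Classify by content, not by name: a key may not be called id_rsa.
        if [ -f "$entry" ] && head -n 1 "$entry" 2>/dev/null |
            grep -q -e '-----BEGIN .*PRIVATE KEY-----'; then
            echo "private-key: $entry"
        else
            echo "custom-config: $entry"
        fi
        found=1
    done
    return "$found"
}

# Constructed sample: a home directory with one allowed file and two leftovers.
# The "key" is only a header line plus placeholder text, not real key material.
make_sample_home() {
    sample=$(mktemp -d)
    mkdir "$sample/.ssh"
    : > "$sample/.ssh/authorized_keys"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed-placeholder' \
        > "$sample/.ssh/id_rsa"
    printf 'Host *\n' > "$sample/.ssh/config"
    echo "$sample"
}
```

On a real server the function would be pointed at the git user's home directory, and each finding reviewed before anything is deleted.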