cmd/praefect: Check of the system clock synchronization

Because check of the authentication token depends on the time
we need to make sure it is synced on the praefect machine and
all gitaly machines that belong to the cluster. That is why
a new check point is added to the 'check' sub-command of the
praefect binary. The task should be run on the praefect node
and doesn't require praefect to be up and running. It is possible
to configure the URL of the NTP service and acceptable time
offset via env variables NTP_HOST and DRIFT_THRESHOLD.
The check has fatal severity because the cluster won't work
correctly if auth checks fail continuously for each request.

Closes: https://gitlab.com/gitlab-org/gitlab/-/issues/342574
Changelog: added

1 files changed, 16 insertions, 0 deletions

diff --git a/proto/server.proto b/proto/server.proto
index 0e35d8007..7a6140222 100644
--- a/proto/server.proto
+++ b/proto/server.proto
@@ -11,6 +11,9 @@ service ServerService {
 
   rpc ServerInfo(ServerInfoRequest) returns (ServerInfoResponse);
   rpc DiskStatistics(DiskStatisticsRequest) returns (DiskStatisticsResponse);
+  // ClockSynced checks if machine clock is synced
+  // (the offset is less that the one passed in the request).
+  rpc ClockSynced(ClockSyncedRequest) returns (ClockSyncedResponse) {}
 }
 
 message ServerInfoRequest {}
@@ -43,3 +46,16 @@ message DiskStatisticsResponse {
 
   repeated StorageStatus storage_statuses = 1;
 }
+
+message ClockSyncedRequest {
+  // ntp_host is a URL to the external NTP service that should be used for clock sync check.
+  // Default is ntp.pool.org
+  string ntp_host = 1;
+  // drift_threshold_millis is an allowed drift from the NTP service in milliseconds.
+  int64 drift_threshold_millis = 2;
+}
+
+message ClockSyncedResponse {
+  // synced is set to true if system clock has an affordable drift compared to NTP service.
+  bool synced = 1;
+}