From ca6b39b91a88ecdc0df9146f1ec4f0d657d65883 Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Thu, 30 Jun 2022 12:56:09 +0100 Subject: [PATCH 01/25] KAS --- assets/runtime/config/gitlabhq/gitlab.yml | 16 ++++++++++++++++ assets/runtime/env-defaults | 7 +++++++ 2 files changed, 23 insertions(+) diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index fcae8801a..f5e2f4e1a 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml @@ -1315,6 +1315,22 @@ production: &base # Ban an IP for one hour (3600s) after too many auth attempts bantime: {{RACK_ATTACK_BANTIME}} + gitlab_kas: + enabled: {{GITLAB_KAS_ENABLED}} + # File that contains the secret key for verifying access for gitlab-kas. + # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). + secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret + + # The URL to the external KAS API (used by the Kubernetes agents) + external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com + + # The URL to the internal KAS API (used by the GitLab backend) + internal_url: {{GITLAB_KAS_INTERNAL}} # grpc://localhost:8153 + + # The URL to the Kubernetes API proxy (used by GitLab users) + external_k8s_proxy_url: {{GITLAB_KAS_PROXY}} # https://localhost:8154 # default: nil + + development: <<: *base diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 024f87760..1e5aa5b01 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -694,3 +694,10 @@ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI=${GITLAB_CONTENT_SECURITY_P ## Feature Flags GITLAB_FEATURE_FLAGS_DISABLE_TARGETS=${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS:-} GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-} + +## Gitlab KAS +GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false} +GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-} +GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"} +GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"} +GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} From 1326669cb53b9ae17daa12e4dd56b4d69cf76005 Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Mon, 4 Jul 2022 14:12:17 +0100 Subject: [PATCH 02/25] Added functions --- assets/runtime/functions | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/assets/runtime/functions b/assets/runtime/functions index a5adbf641..5ecfc54c5 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions @@ -388,6 +388,17 @@ gitlab_configure_monitoring() { GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT } +gitlab_configure_gitlab_kas() { + echo "Configuring gitlab::KAS..." + + update_template ${GITLAB_CONFIG} \ + GITLAB_KAS_ENABLED \ + GITLAB_KAS_SECRET \ + GITLAB_KAS_EXTERNAL \ + GITLAB_KAS_INTERNAL \ + GITLAB_KAS_PROXY +} + gitlab_configure_gitlab_workhorse() { echo "Configuring gitlab::gitlab-workhorse..." update_template /etc/supervisor/conf.d/gitlab-workhorse.conf \ @@ -2097,6 +2108,7 @@ configure_gitlab() { gitlab_configure_pages gitlab_configure_sentry generate_healthcheck_script + gitlab_configure_gitlab_kas gitlab_configure_content_security_policy # remove stale gitlab.socket From 865d1e55ccc731705ebf5115ebe2abbce0f98ab7 Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Tue, 5 Jul 2022 13:56:26 +0100 Subject: [PATCH 03/25] Update assets/runtime/env-defaults Co-authored-by: Kazunori Kimura <33391846+kkimurak@users.noreply.github.com> --- assets/runtime/env-defaults | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 1e5aa5b01..e5b2247a3 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -697,7 +697,7 @@ GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-} ## Gitlab KAS GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false} -GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-} +GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}} GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"} GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"} GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} From 550f79c2a6dac79800713219a0281a40bcb5066c Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Tue, 5 Jul 2022 14:33:04 +0100 Subject: [PATCH 04/25] Added to Readme --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index 44a97e542..1c87e1379 100644 --- a/README.md +++ b/README.md @@ -55,6 +55,7 @@ - [Piwik](#piwik) - [Feature flags](#feature-flags) - [Exposing ssh port in dockerized gitlab-ce](docs/exposing-ssh-port.md) + - [Gitlab KAS](#Gitlab KAS) - [Available Configuration Parameters](#available-configuration-parameters) - [Maintenance](#maintenance) - [Creating Backups](#creating-backups) @@ -933,6 +934,16 @@ Configuring gitlab::feature_flags... ... ```` +#### Gitlab KAS + +Basic Gitlab KAS Settings + +- `GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false}` +- `GITLAB_KAS_SECRET=${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}` +- `GITLAB_KAS_EXTERNAL="wss://kas.example.com"}` +- `GITLAB_KAS_INTERNAL="grpc://localhost:8153"}` +- `GITLAB_KAS_PROXY=` + #### Available Configuration Parameters *Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose. docker-compose users and Docker Swarm mode users can also use the [secrets and config file options](#docker-secrets-and-configs)* From 839939a2f166f02112d2f34e45568da09c882fe5 Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Mon, 11 Jul 2022 09:09:59 +0100 Subject: [PATCH 05/25] Update assets/runtime/env-defaults Co-authored-by: Kazunori Kimura <33391846+kkimurak@users.noreply.github.com> --- assets/runtime/env-defaults | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index e5b2247a3..57c25ec5f 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -697,7 +697,7 @@ GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-} ## Gitlab KAS GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false} -GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}} +GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret} GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"} GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"} GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} From 08c3fd03c2a493711b33548954a2a3e0a37202e3 Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Mon, 11 Jul 2022 09:11:58 +0100 Subject: [PATCH 06/25] Update README.md --- README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/README.md b/README.md index 1c87e1379..717aeb0ea 100644 --- a/README.md +++ b/README.md @@ -1274,6 +1274,26 @@ Cron notation for the GitLab admin email worker. Defaults to `'0 0 * * 0'` Cron notation for the GitLab personal access tokens expiring worker. Defaults to `'0 1 * * *'` +##### `GITLAB_KAS_ENABLED` + +Enable/Disable GitLab agent server for Kubernetes (KAS). See details on [official documentation](https://docs.gitlab.com/ee/administration/clusters/kas.html). Defaults to `false` + +##### `GITLAB_KAS_SECRET` + +File that contains the secret key for verifying access for GitLab KAS. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_secret` + +##### `GITLAB_KAS_EXTERNAL` + +User-facing URL for the in-cluster agent. Defaults to `"wss://kas.example.com"` + +##### `GITLAB_KAS_INTERNAL` + +Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"` + +##### `GITLAB_KAS_PROXY` + +The URL to the Kubernetes API proxy (used by GitLab users). No default. + ##### `GITLAB_LFS_ENABLED` Enable/Disable Git LFS support. Defaults to `true`. From 4890650f6ca1ed99af73b83213c770fc5080bf5a Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Thu, 28 Jul 2022 14:08:14 +0100 Subject: [PATCH 07/25] Update README.md Co-authored-by: Kazunori Kimura <33391846+kkimurak@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 717aeb0ea..e760f9679 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ - [Piwik](#piwik) - [Feature flags](#feature-flags) - [Exposing ssh port in dockerized gitlab-ce](docs/exposing-ssh-port.md) - - [Gitlab KAS](#Gitlab KAS) + - [Gitlab KAS](#Gitlab-KAS) - [Available Configuration Parameters](#available-configuration-parameters) - [Maintenance](#maintenance) - [Creating Backups](#creating-backups) From f4c6fb9126b8672d3ee2ee5a0004714e3ba46653 Mon Sep 17 00:00:00 2001 From: Kazunori Kimura Date: Wed, 24 Aug 2022 17:48:04 +0900 Subject: [PATCH 08/25] README.md: revise GitLab KAS section Fix link fragment for gitlab-kas in TOC (markdownlint: MD-051 - must be lowercase) --- README.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index e760f9679..cfd1cb876 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ - [Piwik](#piwik) - [Feature flags](#feature-flags) - [Exposing ssh port in dockerized gitlab-ce](docs/exposing-ssh-port.md) - - [Gitlab KAS](#Gitlab-KAS) + - [Gitlab KAS](#gitlab-kas) - [Available Configuration Parameters](#available-configuration-parameters) - [Maintenance](#maintenance) - [Creating Backups](#creating-backups) @@ -936,13 +936,11 @@ Configuring gitlab::feature_flags... #### Gitlab KAS -Basic Gitlab KAS Settings +GitLab agent server for Kubernetes (KAS) is disabled by default, but you can enable it by setting configuration parameter [`GITLAB_KAS_ENABLED`](#GITLAB_KAS_ENABLED) to true. +By default, built-in `gitlab-kas` is used. But you can use an external installation of KAS by setting internal URL for the GItLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#GITLAB_KAS_INTERNAL). +You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#GITLAB_KAS_EXTERNAL). If you set up proxy URL, use `GITLAB_KAS_PROXY`. -- `GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false}` -- `GITLAB_KAS_SECRET=${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}` -- `GITLAB_KAS_EXTERNAL="wss://kas.example.com"}` -- `GITLAB_KAS_INTERNAL="grpc://localhost:8153"}` -- `GITLAB_KAS_PROXY=` +See official documentation : https://docs.gitlab.com/ee/administration/clusters/kas.html #### Available Configuration Parameters From 67190c5f8abb39a48f32283474e7c7ea0fb55339 Mon Sep 17 00:00:00 2001 From: Kazunori Kimura Date: Wed, 24 Aug 2022 17:48:17 +0900 Subject: [PATCH 09/25] Add KAS config file, minimal parameterization also add process to generate secret files for KAS - GITLAB_KAS_SECRET - GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE - GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE --- README.md | 21 ++++ .../gitlab-agent/gitlab-kas_config.yaml | 101 ++++++++++++++++++ assets/runtime/env-defaults | 3 + assets/runtime/functions | 39 +++++++ 4 files changed, 164 insertions(+) create mode 100644 assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml diff --git a/README.md b/README.md index cfd1cb876..50da75ff3 100644 --- a/README.md +++ b/README.md @@ -940,6 +940,13 @@ GitLab agent server for Kubernetes (KAS) is disabled by default, but you can ena By default, built-in `gitlab-kas` is used. But you can use an external installation of KAS by setting internal URL for the GItLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#GITLAB_KAS_INTERNAL). You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#GITLAB_KAS_EXTERNAL). If you set up proxy URL, use `GITLAB_KAS_PROXY`. +You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#GITLAB_KAS_SECRET), [`GITLAB_KAS_API_AUTHENTICATION_SECRET_FILE`](#GITLAB_KAS_API_AUTHENTICATION_SECRET_FILE) and [`GITLAB_KAS_PRIVATE_API_AUTHENTICATION_SECRET_FILE`](#GITLAB_KAS_PRIVATE_API_AUTHENTICATION_SECRET_FILE). These secret files are automatically generated if they don't exist. + +Built-in KAS communicates to redis. The host and ports are set using `REDIS_HOST` and `REDIS_PORT`. +You can specify the password file path in `GITLAB_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See https://github.com/sameersbn/docker-gitlab/pull/1026 + +Also note that KAS requires that environment variable `OWN_PRIVATE_API_URL` is set (e.g. `OWN_PRIVATE_API_URL=grpc://127.0.0.1:8155`). If not, the KAS service will keep restarting. + See official documentation : https://docs.gitlab.com/ee/administration/clusters/kas.html #### Available Configuration Parameters @@ -1292,6 +1299,20 @@ Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"` The URL to the Kubernetes API proxy (used by GitLab users). No default. +##### `GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` + +An authentication secret file to verify JWT token, for KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret` + +##### `GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE` + +An authentication secret file to verify JWT token, for KAS internal API. If not exists, an secret file will be generated on startup. This is not "required", so please leave blank if you don't need it. No default. + +##### `GITLAB_KAS_REDIS_PASSWORD_FILE` + +Path for the file that contains redis password. This is not "required", so please leave blank if you don't need it. No default. + +NOTE: We currently do not support password authentication between gitlab and redis. See https://github.com/sameersbn/docker-gitlab/pull/1026 + ##### `GITLAB_LFS_ENABLED` Enable/Disable Git LFS support. Defaults to `true`. diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml new file mode 100644 index 000000000..b456620b8 --- /dev/null +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml @@ -0,0 +1,101 @@ +# Import from gitlab-org/cluster-integration/gitlab-agent/pkg/kascfg/config_example.yaml +# +# This is a sample configuration file for kas. The source of truth is pkg/kascfg/kascfg.proto. It contains documentation +# for all the fields. Configuration values in this file are the defaults (if set) that are used by kas. + +gitlab: + address: http://localhost:8080{{GITLAB_RELATIVE_URL_ROOT}} # required + authentication_secret_file: {{GITLAB_KAS_SECRET}} # required + # ca_certificate_file: /server-ca.pem + api_rate_limit: + refill_rate_per_second: 10.0 + bucket_size: 50 +agent: + listen: + network: tcp + address: 127.0.0.1:8150 + websocket: false + # certificate_file: /server-cert.pem + # key_file: /server-key.pem + connections_per_token_per_minute: 10000 + max_connection_age: "1800s" + configuration: + poll_period: "20s" + max_configuration_file_size: 131072 + gitops: + poll_period: "20s" + project_info_cache_ttl: "300s" + project_info_cache_error_ttl: "60s" + max_manifest_file_size: 5242880 + max_total_manifest_file_size: 20971520 + max_number_of_paths: 100 + max_number_of_files: 1000 + kubernetes_api: + listen: + network: tcp + address: 0.0.0.0:8154 + # certificate_file: /server-cert.pem + # key_file: /server-key.pem + url_path_prefix: / + allowed_agent_cache_ttl: "60s" + allowed_agent_cache_error_ttl: "10s" + info_cache_ttl: "300s" + info_cache_error_ttl: "60s" + redis_conn_info_ttl: "300s" + redis_conn_info_refresh: "240s" + redis_conn_info_gc: "600s" +observability: + usage_reporting_period: "60s" + listen: + network: tcp + address: 127.0.0.1:8151 + prometheus: + url_path: /metrics + tracing: + connection_string: "" + sentry: + dsn: "" + environment: "" + logging: + level: info + grpc_level: error + google_profiler: + enabled: false + # project_id: "" + # credentials_file: /some/file + # debug_logging: false + liveness_probe: + url_path: /liveness + readiness_probe: + url_path: /readiness +gitaly: + global_api_rate_limit: + refill_rate_per_second: 30.0 + bucket_size: 70 + per_server_api_rate_limit: + refill_rate_per_second: 15.0 + bucket_size: 40 +private_api: + listen: + address: 127.0.0.1:8155 + authentication_secret_file: {{GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}} + max_connection_age: 1800s +redis: + server: + address: "{{REDIS_HOST}}:{{REDIS_PORT}}" # required + pool_size: 5 + dial_timeout: "5s" + read_timeout: "1s" + write_timeout: "1s" + idle_timeout: "50s" + key_prefix: gitlab-kas + password_file: {{GITLAB_KAS_REDIS_PASSWORD_FILE}} + network: "tcp" +api: + listen: + network: tcp + address: 127.0.0.1:8153 + authentication_secret_file: {{GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required + # certificate_file: /server-cert.pem + # key_file: /server-key.pem + max_connection_age: "1800s" diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 57c25ec5f..12ffcc91c 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -701,3 +701,6 @@ GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret} GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"} GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"} GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} +GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret} +GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-} +GITLAB_KAS_REDIS_PASSWORD_FILE=${GITLAB_KAS_REDIS_PASSWORD_FILE:-} diff --git a/assets/runtime/functions b/assets/runtime/functions index 5ecfc54c5..059a685da 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions @@ -397,6 +397,24 @@ gitlab_configure_gitlab_kas() { GITLAB_KAS_EXTERNAL \ GITLAB_KAS_INTERNAL \ GITLAB_KAS_PROXY + + update_template ${GITLAB_KAS_CONFIG} \ + GITLAB_RELATIVE_URL_ROOT \ + GITLAB_KAS_SECRET \ + GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + REDIS_HOST \ + REDIS_PORT \ + GITLAB_KAS_REDIS_PASSWORD_FILE + + if [[ ! -f ${GITLAB_KAS_REDIS_PASSWORD_FILE} ]]; then + exec_as_git touch "${GITLAB_KAS_REDIS_PASSWORD_FILE}" + exec_as_git chmod 600 ${GITLAB_KAS_REDIS_PASSWORD_FILE} + # TODO: Once this image supports redis password authentication, write the password to a file here + fi + + # enable/disable startup of gitlab-kas : set autostart / autorestart entry in supervisor config using GITLAB_KAS_ENABLED + update_template /etc/supervisor/conf.d/gitlab-kas.conf GITLAB_KAS_ENABLED } gitlab_configure_gitlab_workhorse() { @@ -985,6 +1003,23 @@ gitlab_configure_secrets() { exec_as_git openssl rand -base64 -out "${pages_secret}" 32 chmod 600 "${pages_secret}" fi + + if [[ ! -f "${GITLAB_KAS_SECRET}" ]]; then + exec_as_git openssl rand -base64 -out "${GITLAB_KAS_SECRET}" 32 + chmod 600 ${GITALB_KAS_SECRET} + fi + + if [[ ! -f "${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then + exec_as_git openssl rand -base64 -out "${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32 + chmod 600 ${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE} + fi + + # KAS secret for private_api is not required so this can be empty string, + # but empty string is not match to "is file" condition so we don't care the case + if [[ ! -f "${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then + exec_as_git openssl rand -base64 -out "${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32 + chmod 600 ${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE} + fi } gitlab_configure_sidekiq() { @@ -2046,6 +2081,10 @@ install_configuration_templates() { fi install_template ${GITLAB_USER}: gitaly/config.toml ${GITLAB_GITALY_CONFIG} + + if [[ ${GITLAB_KAS_ENABLED} == true ]]; then + install_template ${GITLAB_USER}: gitlab-agent/gitlab-kas_config.yaml ${GITLAB_KAS_CONFIG} 0640 + fi } configure_gitlab() { From a58bd76b434504645f997275c93a957d9d3ffd3f Mon Sep 17 00:00:00 2001 From: Kazunori Kimura Date: Wed, 3 Apr 2024 15:17:01 +0900 Subject: [PATCH 10/25] Tweak kas config order in gitlab.yml sync with upstream --- assets/runtime/config/gitlabhq/gitlab.yml | 32 +++++++++++------------ 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index f5e2f4e1a..af27a482b 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml @@ -1218,6 +1218,22 @@ production: &base # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app). # secret_file: /home/git/gitlab/.gitlab_workhorse_secret + gitlab_kas: + enabled: {{GITLAB_KAS_ENABLED}} + # File that contains the secret key for verifying access for gitlab-kas. + # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). + secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret + + # The URL to the external KAS API (used by the Kubernetes agents) + external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com + + # The URL to the internal KAS API (used by the GitLab backend) + internal_url: {{GITLAB_KAS_INTERNAL}} # grpc://localhost:8153 + + # The URL to the Kubernetes API proxy (used by GitLab users) + external_k8s_proxy_url: {{GITLAB_KAS_PROXY}} # https://localhost:8154 # default: nil + + ## GitLab Elasticsearch settings elasticsearch: indexer_path: {{GITLAB_HOME}}/gitlab-elasticsearch-indexer/ @@ -1315,22 +1331,6 @@ production: &base # Ban an IP for one hour (3600s) after too many auth attempts bantime: {{RACK_ATTACK_BANTIME}} - gitlab_kas: - enabled: {{GITLAB_KAS_ENABLED}} - # File that contains the secret key for verifying access for gitlab-kas. - # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). - secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret - - # The URL to the external KAS API (used by the Kubernetes agents) - external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com - - # The URL to the internal KAS API (used by the GitLab backend) - internal_url: {{GITLAB_KAS_INTERNAL}} # grpc://localhost:8153 - - # The URL to the Kubernetes API proxy (used by GitLab users) - external_k8s_proxy_url: {{GITLAB_KAS_PROXY}} # https://localhost:8154 # default: nil - - development: <<: *base From 00906870771d106b82f5c14e4547fcc8b0379ca7 Mon Sep 17 00:00:00 2001 From: Kazunori Kimura Date: Wed, 24 Aug 2022 17:48:17 +0900 Subject: [PATCH 11/25] Add built-in KAS - build KAS on build, enable via GITLAB_AGENT_KAS_ENABLED (automatically enabled if GITLAB_KAS_ENABLED=true) - Add built-in KAS config file kas config: import upstream (v15.10.0 - d88f4b89) - minimal parameterization gitlab side: - GITLAB_KAS_ENABLED gitlab_rails['gitlab_kas_enabled'] for omnibus installation - GITLAB_KAS_INTERNAL gitlab_rails['gitlab_kas_internal_url'] for omnibus installation - GITLAB_KAS_EXTERNAL gitlab_rails['gitlab_kas_external_url'] for omnibus installation - GITLAB_KAS_PROXY gitlab_rails['gitlab_kas_external_k8s_proxy_url'] for omnibus installation kas side: - GITLAB_AGENT_KAS_ENABLED gitlab_kas['enabled'] for omnibus installation - GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE gitlab_kas['internal_api_listen_authentication_secret_file'] - GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE used by both: - GITLAB_KAS_SECRET used as a value for - gitlabhq/gitlab.yml : production.gitlab_kas.secret_file - gitlab-agent/gitlab-kas_config.yaml : gitlab.authentication_secret_file Prefix for parameters that only used by gitlab-agent/kas is "GITLAB_AGENT_KAS_" Also add process to generate secret files for KAS Update built-in KAS to 16.10.1, sync config Update built-in gitlab-kas to v17.0.2, sync configuration - Bump to v17.0.0, sync configuration GitOps module have been removed. See upstream change: https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/merge_requests/1436 - Bump: gitlab-kas 17.0.1 no change in configuration file - Bump: gitlab-kas 17.0.2 no change in configuration file Personal note: I am still unable to successfully connect the agent from the WebUI. The problem is that I don't know the correct way to do it in the first place, so I have to check it out. Stop gitlab_kas before restoring backup It seems that kas has DB connection and blocks restoration - Bump: gitlab-kas 18.1.0 reference configuration file have been renamed to kascfg_defaults.yaml and does not contain full configurations So I have to search a way to generate full configuration from .proto or docs --- Dockerfile | 2 + README.md | 36 +++++++++----- assets/build/install.sh | 28 +++++++++++ .../gitlab-agent/gitlab-kas_config.yaml | 48 +++++++++---------- assets/runtime/env-defaults | 9 ++-- assets/runtime/functions | 33 +++++++------ 6 files changed, 100 insertions(+), 56 deletions(-) diff --git a/Dockerfile b/Dockerfile index 37f08ed5d..14b2806a1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,6 +10,7 @@ ENV GITLAB_VERSION=${VERSION} \ GITLAB_SHELL_VERSION=14.54.0 \ GITLAB_PAGES_VERSION=19.1.1 \ GITALY_SERVER_VERSION=19.1.1 \ + GITLAB_AGENT_VERSION=18.1.0 \ GITLAB_USER="git" \ GITLAB_HOME="/home/git" \ GITLAB_LOG_DIR="/var/log/gitlab" \ @@ -24,6 +25,7 @@ ENV GITLAB_VERSION=${VERSION} \ ENV GITLAB_INSTALL_DIR="${GITLAB_HOME}/gitlab" \ GITLAB_SHELL_INSTALL_DIR="${GITLAB_HOME}/gitlab-shell" \ GITLAB_GITALY_INSTALL_DIR="${GITLAB_HOME}/gitaly" \ + GITLAB_AGENT_INSTALL_DIR="${GITLAB_HOME}/gitlab-agent" \ GITLAB_DATA_DIR="${GITLAB_HOME}/data" \ GITLAB_BUILD_DIR="${GITLAB_CACHE_DIR}/build" \ GITLAB_RUNTIME_DIR="${GITLAB_CACHE_DIR}/runtime" diff --git a/README.md b/README.md index 50da75ff3..c486db2d3 100644 --- a/README.md +++ b/README.md @@ -936,18 +936,24 @@ Configuring gitlab::feature_flags... #### Gitlab KAS -GitLab agent server for Kubernetes (KAS) is disabled by default, but you can enable it by setting configuration parameter [`GITLAB_KAS_ENABLED`](#GITLAB_KAS_ENABLED) to true. -By default, built-in `gitlab-kas` is used. But you can use an external installation of KAS by setting internal URL for the GItLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#GITLAB_KAS_INTERNAL). -You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#GITLAB_KAS_EXTERNAL). If you set up proxy URL, use `GITLAB_KAS_PROXY`. +GitLab agent server for Kubernetes (KAS) is disabled by default, but you can enable it by setting configuration parameter [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) to true. +By default, built-in `gitlab-kas` is also enabled once you enable KAS feature. But you can use an external installation of KAS by setting internal URL for the GitLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#gitlab_kas_internal). +You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#gitlab_kas_external). If you set up proxy URL, use `GITLAB_KAS_PROXY`. -You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#GITLAB_KAS_SECRET), [`GITLAB_KAS_API_AUTHENTICATION_SECRET_FILE`](#GITLAB_KAS_API_AUTHENTICATION_SECRET_FILE) and [`GITLAB_KAS_PRIVATE_API_AUTHENTICATION_SECRET_FILE`](#GITLAB_KAS_PRIVATE_API_AUTHENTICATION_SECRET_FILE). These secret files are automatically generated if they don't exist. +You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_secret). This secret file will be generated if they don't exist. + +#### Built-in GitLab-Agent KAS + +To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_KAS_ENABLED`](#gitlab_agent_kas_enabled). + +You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist. Built-in KAS communicates to redis. The host and ports are set using `REDIS_HOST` and `REDIS_PORT`. -You can specify the password file path in `GITLAB_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See https://github.com/sameersbn/docker-gitlab/pull/1026 +You can specify the password file path in `GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See [sameersbn/gitlab#1026](https://github.com/sameersbn/docker-gitlab/pull/1026) Also note that KAS requires that environment variable `OWN_PRIVATE_API_URL` is set (e.g. `OWN_PRIVATE_API_URL=grpc://127.0.0.1:8155`). If not, the KAS service will keep restarting. -See official documentation : https://docs.gitlab.com/ee/administration/clusters/kas.html +See [official documentation](https://docs.gitlab.com/ee/administration/clusters/kas.html) for more detail. #### Available Configuration Parameters @@ -1299,19 +1305,23 @@ Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"` The URL to the Kubernetes API proxy (used by GitLab users). No default. -##### `GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` +##### `GITLAB_AGENT_KAS_ENABLED` + +Control startup behavior of built-in KAS. `autostart` value in supervisor configuration for KAS will be set to this value. Default to [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) + +##### `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` -An authentication secret file to verify JWT token, for KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret` +An authentication secret file to verify JWT token, for built-in KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret` -##### `GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE` +##### `GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE` -An authentication secret file to verify JWT token, for KAS internal API. If not exists, an secret file will be generated on startup. This is not "required", so please leave blank if you don't need it. No default. +An authentication secret file to verify JWT token, for built-in KAS internal API. If not exists, an secret file will be generated on startup. This is not "required", so please leave blank if you don't need it. No default. -##### `GITLAB_KAS_REDIS_PASSWORD_FILE` +##### `GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE` -Path for the file that contains redis password. This is not "required", so please leave blank if you don't need it. No default. +Path for the file that contains redis password to be used by built-in KAS. This is not "required", so please leave blank if you don't need it. No default. -NOTE: We currently do not support password authentication between gitlab and redis. See https://github.com/sameersbn/docker-gitlab/pull/1026 +NOTE: We currently do not support password authentication between gitlab and redis. See [sameersbn/gitlab#1026](https://github.com/sameersbn/docker-gitlab/pull/1026) ##### `GITLAB_LFS_ENABLED` diff --git a/assets/build/install.sh b/assets/build/install.sh index b923c83c4..840ea87a7 100755 --- a/assets/build/install.sh +++ b/assets/build/install.sh @@ -5,10 +5,12 @@ GITLAB_CLONE_URL=https://gitlab.com/gitlab-org/gitlab-foss.git GITLAB_SHELL_URL=https://gitlab.com/gitlab-org/gitlab-shell/-/archive/v${GITLAB_SHELL_VERSION}/gitlab-shell-v${GITLAB_SHELL_VERSION}.tar.bz2 GITLAB_PAGES_URL=https://gitlab.com/gitlab-org/gitlab-pages.git GITLAB_GITALY_URL=https://gitlab.com/gitlab-org/gitaly.git +GITLAB_AGENT_URL=https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent.git GITLAB_WORKHORSE_BUILD_DIR=${GITLAB_INSTALL_DIR}/workhorse GITLAB_PAGES_BUILD_DIR=/tmp/gitlab-pages GITLAB_GITALY_BUILD_DIR=/tmp/gitaly +GITLAB_AGENT_BUILD_DIR=/tmp/gitlab-agent RUBY_SRC_URL=https://cache.ruby-lang.org/pub/ruby/${RUBY_VERSION%.*}/ruby-${RUBY_VERSION}.tar.gz @@ -171,6 +173,18 @@ make -C ${GITLAB_GITALY_BUILD_DIR} git GIT_PREFIX=/usr/local # clean up rm -rf ${GITLAB_GITALY_BUILD_DIR} +# download gitlab-agent (KAS) +echo "Downloading gitlab-agent v.${GITLAB_AGENT_VERSION}..." +git clone -q -b v${GITLAB_AGENT_VERSION} --depth 1 ${GITLAB_AGENT_URL} ${GITLAB_AGENT_BUILD_DIR} + +# install gitlab-agent (KAS) +mkdir -p "${GITLAB_AGENT_INSTALL_DIR}" +make -C ${GITLAB_AGENT_BUILD_DIR} kas TARGET_DIRECTORY=/usr/local/bin +chown -R ${GITLAB_USER}: ${GITLAB_AGENT_INSTALL_DIR} + +# clean up +rm -rf ${GITLAB_AGENT_BUILD_DIR} + # remove go go clean --modcache rm -rf ${GITLAB_BUILD_DIR}/go${GOLANG_VERSION}.linux-amd64.tar.gz ${GOROOT} @@ -411,6 +425,20 @@ stdout_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log stderr_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log EOF +# configure superisord to start gitlab-agent (KAS) +cat > /etc/supervisor/conf.d/gitlab-kas.conf < /etc/supervisor/conf.d/mail_room.conf < Date: Mon, 24 Apr 2023 08:35:25 +0900 Subject: [PATCH 12/25] kas: tweak defaults for gitlab.authentication_secret_file default to api.listen.authentication_secret_file, as omnibus-gitlab do --- README.md | 7 ++++++- assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml | 2 +- assets/runtime/env-defaults | 1 + 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c486db2d3..d5d8875df 100644 --- a/README.md +++ b/README.md @@ -946,7 +946,8 @@ You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_ To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_KAS_ENABLED`](#gitlab_agent_kas_enabled). -You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist. +You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist. +Authentication secret file will be set to same value of `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` but you can overwrite it by setting [`GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_gitlab_authentication_secret_file). Built-in KAS communicates to redis. The host and ports are set using `REDIS_HOST` and `REDIS_PORT`. You can specify the password file path in `GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See [sameersbn/gitlab#1026](https://github.com/sameersbn/docker-gitlab/pull/1026) @@ -1309,6 +1310,10 @@ The URL to the Kubernetes API proxy (used by GitLab users). No default. Control startup behavior of built-in KAS. `autostart` value in supervisor configuration for KAS will be set to this value. Default to [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) +##### `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE` + +An authentication secret file used to connect to gitlab from KAS. Defaults to `${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}`. + ##### `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` An authentication secret file to verify JWT token, for built-in KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret` diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml index 8f38b8a06..48c436b7b 100644 --- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml @@ -5,7 +5,7 @@ gitlab: address: http://localhost:8080{{GITLAB_RELATIVE_URL_ROOT}} # required - authentication_secret_file: {{GITLAB_KAS_SECRET}} # required + authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required # ca_certificate_file: /server-ca.pem api_rate_limit: bucket_size: 250 diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 25caeeced..26fdebcda 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -707,3 +707,4 @@ GITLAB_AGENT_KAS_ENABLED=${GITLAB_AGENT_KAS_ENABLED:-${GITLAB_KAS_ENABLED}} GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret} GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_private_api_secret} GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-} +GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE:-${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} From a4f81ee1f0056517875a2c02aa43751e2b9c0691 Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Tue, 21 Oct 2025 07:52:26 +0000 Subject: [PATCH 13/25] upgrade to 18.5.1 squash following commit: - update to 18.5.0 - upgrade to 18.5.1 --- Dockerfile | 2 +- .../gitlab-agent/gitlab-kas_config.yaml | 148 +++++++++--------- 2 files changed, 73 insertions(+), 77 deletions(-) diff --git a/Dockerfile b/Dockerfile index 14b2806a1..61faeda59 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,7 @@ ENV GITLAB_VERSION=${VERSION} \ GITLAB_SHELL_VERSION=14.54.0 \ GITLAB_PAGES_VERSION=19.1.1 \ GITALY_SERVER_VERSION=19.1.1 \ - GITLAB_AGENT_VERSION=18.1.0 \ + GITLAB_AGENT_VERSION=18.5.1 \ GITLAB_USER="git" \ GITLAB_HOME="/home/git" \ GITLAB_LOG_DIR="/var/log/gitlab" \ diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml index 48c436b7b..6683a62f2 100644 --- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml @@ -1,99 +1,95 @@ -# Import from gitlab-org/cluster-integration/gitlab-agent/pkg/kascfg/config_example.yaml -# -# This is a sample configuration file for kas. The source of truth is pkg/kascfg/kascfg.proto. It contains documentation -# for all the fields. Configuration values in this file are the defaults (if set) that are used by kas. +# This is a configuration file for kas that contains the default values for the settings. +# It DOES NOT contain all the possible configuration knobs. +# The source of truth is kascfg.proto. +# It contains all the fields and documentation them. +# If you are looking for a setting, start from the ConfigurationFile message in: +# - the proto file kascfg.proto. +# - the generated documentation in kascfg_proto_docs.md. +# Correctness of this file is enforced by a unit test in kascfg_defaults_test.go. -gitlab: - address: http://localhost:8080{{GITLAB_RELATIVE_URL_ROOT}} # required - authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required - # ca_certificate_file: /server-ca.pem - api_rate_limit: - bucket_size: 250 - refill_rate_per_second: 50 agent: - listen: - network: tcp - address: 127.0.0.1:8150 - websocket: false - # certificate_file: /server-cert.pem - # key_file: /server-key.pem - connections_per_token_per_minute: 40000 - max_connection_age: "7200s" - listen_grace_period: "5s" configuration: - poll_period: "300s" max_configuration_file_size: 131072 + poll_period: 300s + info_cache_error_ttl: 60s + info_cache_ttl: 300s kubernetes_api: + allowed_agent_cache_error_ttl: 10s + allowed_agent_cache_ttl: 60s listen: + address: 127.0.0.1:8154 + listen_grace_period: 5s network: tcp - address: 0.0.0.0:8154 - # certificate_file: /server-cert.pem - # key_file: /server-key.pem - listen_grace_period: "5s" - shutdown_grace_period: "3600s" - url_path_prefix: / - allowed_agent_cache_ttl: "60s" - allowed_agent_cache_error_ttl: "10s" - info_cache_ttl: "300s" - info_cache_error_ttl: "60s" - redis_conn_info_ttl: "300s" - redis_conn_info_refresh: "240s" - redis_conn_info_gc: "600s" -observability: - usage_reporting_period: "10s" + shutdown_grace_period: 3600s + url_path_prefix: /{{GITLAB_RELATIVE_URL_ROOT}} + websocket_token_secret_file: {{GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}} listen: + address: 127.0.0.1:8150 + connections_per_token_per_minute: 40000 + listen_grace_period: 5s + max_connection_age: 7200s network: tcp - address: 127.0.0.1:8151 - prometheus: - url_path: /metrics - # tracing: - # otlp_endpoint: "https://localhost:4317/traces/foo/bar" - # otlp_token_secret_file: "/some/path" - # otlp_ca_certificate_file: "/some/path/ca.crt" - sentry: - dsn: "" - environment: "" - logging: - level: info - grpc_level: error - google_profiler: - enabled: false - # project_id: "" - # credentials_file: /some/file - # debug_logging: false - liveness_probe: - url_path: /liveness - readiness_probe: - url_path: /readiness - event_reporting_period: "10s" + websocket: true + receptive_agent: + poll_period: 60s + redis_conn_info_gc: 600s + redis_conn_info_refresh: 240s + redis_conn_info_ttl: 300s +api: + listen: + address: 127.0.0.1:8153 + listen_grace_period: 5s + max_connection_age: 7200s + network: tcp + authentication_secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required gitaly: global_api_rate_limit: - refill_rate_per_second: 30.0 bucket_size: 70 + refill_rate_per_second: 30 per_server_api_rate_limit: - refill_rate_per_second: 15.0 bucket_size: 40 + refill_rate_per_second: 15 +gitlab: + address: http://127.0.0.1:8080{{GITLAB_RELATIVE_URL_ROOT}} + authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required + api_rate_limit: + bucket_size: 250 + refill_rate_per_second: 50 +observability: + event_reporting_period: 300s + google_profiler: {} + listen: + address: 127.0.0.1:8151 + network: tcp + liveness_probe: + url_path: /liveness + logging: + level: debug + grpc_level: debug + prometheus: + url_path: /metrics + readiness_probe: + url_path: /readiness + sentry: {} + usage_reporting_period: 10s private_api: listen: + address: 0.0.0.0:8155 + listen_grace_period: 5s + max_connection_age: 7200s network: tcp - address: 127.0.0.1:8155 authentication_secret_file: {{GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}} - max_connection_age: 7200s - listen_grace_period: "5s" redis: + dial_timeout: 5s + key_prefix: gitlab-kas + network: tcp + write_timeout: 3s server: address: "{{REDIS_HOST}}:{{REDIS_PORT}}" # required - dial_timeout: "5s" - write_timeout: "3s" - key_prefix: gitlab-kas - password_file: {{GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}} - network: "tcp" -api: +workspaces: listen: + address: 127.0.0.1:8160 + listen_grace_period: 5s network: tcp - address: 127.0.0.1:8153 - authentication_secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required - # certificate_file: /server-cert.pem - # key_file: /server-key.pem - max_connection_age: "7200s" - listen_grace_period: "5s" + shutdown_grace_period: 3600s + From f6ad6264dc671855b7e8be2d77cb2dd5c20e7cc9 Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Tue, 21 Oct 2025 07:56:05 +0000 Subject: [PATCH 14/25] change name of secret add WEBTOKEN secret; remove GITLAB_KAS_SECRET Replace GITLAB_KAS_SECRET by GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE --- assets/runtime/config/gitlabhq/gitlab.yml | 4 ++-- assets/runtime/env-defaults | 4 ++-- assets/runtime/functions | 16 ++++++++-------- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index af27a482b..cd49fd8a6 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml @@ -1222,7 +1222,7 @@ production: &base enabled: {{GITLAB_KAS_ENABLED}} # File that contains the secret key for verifying access for gitlab-kas. # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). - secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret + secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # /home/git/gitlab/.gitlab_kas_secret # The URL to the external KAS API (used by the Kubernetes agents) external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com @@ -1418,7 +1418,7 @@ test: region: us-east-1 gitlab: - host: localhost + host: 127.0.0.1 port: 80 content_security_policy: diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 26fdebcda..7a086d060 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -697,14 +697,14 @@ GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-} ## Gitlab KAS GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false} -GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret} GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"} -GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"} +GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://127.0.0.1:8153"} GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} ## gitlab-agent KAS (built-in one) GITLAB_AGENT_KAS_ENABLED=${GITLAB_AGENT_KAS_ENABLED:-${GITLAB_KAS_ENABLED}} GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret} GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_private_api_secret} +GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE=${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_websocket_token_secret} GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-} GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE:-${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} diff --git a/assets/runtime/functions b/assets/runtime/functions index 8c93f3264..d6710b00d 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions @@ -394,17 +394,17 @@ gitlab_configure_gitlab_kas() { update_template ${GITLAB_CONFIG} \ GITLAB_KAS_ENABLED \ - GITLAB_KAS_SECRET \ GITLAB_KAS_EXTERNAL \ GITLAB_KAS_INTERNAL \ + GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ GITLAB_KAS_PROXY printf "Configuring gitlab-agent::KAS (enabled: %s)\n" "${GITLAB_AGENT_BUILTIN_KAS_ENABLED}" update_template ${GITLAB_KAS_CONFIG} \ GITLAB_RELATIVE_URL_ROOT \ - GITLAB_KAS_SECRET \ GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE \ REDIS_HOST \ REDIS_PORT \ GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE @@ -1006,12 +1006,7 @@ gitlab_configure_secrets() { chmod 600 "${pages_secret}" fi - if [[ ! -f "${GITLAB_KAS_SECRET}" ]]; then - exec_as_git openssl rand -base64 -out "${GITLAB_KAS_SECRET}" 32 - chmod 600 ${GITALB_KAS_SECRET} - fi - - if [[ ! -f "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then + if [[ ! -f "${GITLAB_AGENT_kas_aPI_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32 chmod 600 ${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE} fi @@ -1022,6 +1017,11 @@ gitlab_configure_secrets() { exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32 chmod 600 ${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE} fi + + if [[ ! -f "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}" ]]; then + exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}" 72 + chmod 600 ${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE} + fi } gitlab_configure_sidekiq() { From f41b2e5d6f7fb1811528100cca9e978552c2f810 Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Wed, 22 Oct 2025 08:14:37 +0000 Subject: [PATCH 15/25] configure NGINX for GITLAB_BUILTIN_KAS Add kas location to assets/runtime/config/nginx/gitlab(-ssl) config KAS location is affected by GITLAB_RELATIVE_URL_ROOT so add update process to assets/runtime/functions --- assets/runtime/config/nginx/gitlab | 48 ++++++++++++++++++++++++++ assets/runtime/config/nginx/gitlab-ssl | 48 ++++++++++++++++++++++++++ assets/runtime/functions | 7 ++++ 3 files changed, 103 insertions(+) diff --git a/assets/runtime/config/nginx/gitlab b/assets/runtime/config/nginx/gitlab index 185ee0451..680e9ea71 100644 --- a/assets/runtime/config/nginx/gitlab +++ b/assets/runtime/config/nginx/gitlab @@ -84,6 +84,54 @@ server { proxy_pass http://gitlab-workhorse; } + #start-builtin-kas + location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/ { + client_max_body_size 0; + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + proxy_buffering {{NGINX_PROXY_BUFFERING}}; + + proxy_http_version 1.1; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade_gitlab; + + proxy_pass http://127.0.0.1:8150; + } + + location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/k8s-proxy/ { + client_max_body_size 0; + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + proxy_buffering {{NGINX_PROXY_BUFFERING}}; + + proxy_http_version 1.1; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade_gitlab; + + proxy_pass http://127.0.0.1:8154; + } + #end-builtin-kas + error_page 404 /404.html; error_page 422 /422.html; error_page 500 /500.html; diff --git a/assets/runtime/config/nginx/gitlab-ssl b/assets/runtime/config/nginx/gitlab-ssl index b52b86a67..33ce94bac 100644 --- a/assets/runtime/config/nginx/gitlab-ssl +++ b/assets/runtime/config/nginx/gitlab-ssl @@ -131,6 +131,54 @@ server { proxy_pass http://gitlab-workhorse; } + #start-builtin-kas + location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/ { + client_max_body_size 0; + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + proxy_buffering {{NGINX_PROXY_BUFFERING}}; + + proxy_http_version 1.1; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade_gitlab; + + proxy_pass http://127.0.0.1:8150; + } + + location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/k8s-proxy/ { + client_max_body_size 0; + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + proxy_buffering {{NGINX_PROXY_BUFFERING}}; + + proxy_http_version 1.1; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade_gitlab; + + proxy_pass http://127.0.0.1:8154; + } + #end-builtin-kas + error_page 404 /404.html; error_page 422 /422.html; error_page 500 /500.html; diff --git a/assets/runtime/functions b/assets/runtime/functions index d6710b00d..1183b63b7 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions @@ -1655,12 +1655,19 @@ nginx_configure_gitlab_real_ip() { nginx_configure_gitlab() { echo "Configuring nginx::gitlab..." + if [[ ! ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]; then + sed -i "/#start-builtin-kas/,/#end-builtin-kas/d" ${GITLAB_NGINX_CONFIG} + else + sed -i "/#start-builtin-kas/d" ${GITLAB_NGINX_CONFIG} + sed -i "/#end-builtin-kas/d" ${GITLAB_NGINX_CONFIG} + fi update_template ${GITLAB_NGINX_CONFIG} \ GITLAB_HOME \ GITLAB_INSTALL_DIR \ GITLAB_LOG_DIR \ GITLAB_HOST \ GITLAB_PORT \ + GITLAB_RELATIVE_URL_ROOT \ NGINX_PROXY_BUFFERING \ NGINX_ACCEL_BUFFERING \ NGINX_X_FORWARDED_PROTO \ From 2496d0ed7af798b1427da96d5a82d80bdba1c354 Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Fri, 24 Oct 2025 07:22:02 +0000 Subject: [PATCH 16/25] tweak agent.kubernetes_api.url_path_prefix in gitlab-kas_config.yaml complete 18.5.0 upgrade --- .../gitlab-agent/gitlab-kas_config.yaml | 190 +++++++++--------- 1 file changed, 95 insertions(+), 95 deletions(-) diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml index 6683a62f2..315dfb2c5 100644 --- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml @@ -1,95 +1,95 @@ -# This is a configuration file for kas that contains the default values for the settings. -# It DOES NOT contain all the possible configuration knobs. -# The source of truth is kascfg.proto. -# It contains all the fields and documentation them. -# If you are looking for a setting, start from the ConfigurationFile message in: -# - the proto file kascfg.proto. -# - the generated documentation in kascfg_proto_docs.md. -# Correctness of this file is enforced by a unit test in kascfg_defaults_test.go. - -agent: - configuration: - max_configuration_file_size: 131072 - poll_period: 300s - info_cache_error_ttl: 60s - info_cache_ttl: 300s - kubernetes_api: - allowed_agent_cache_error_ttl: 10s - allowed_agent_cache_ttl: 60s - listen: - address: 127.0.0.1:8154 - listen_grace_period: 5s - network: tcp - shutdown_grace_period: 3600s - url_path_prefix: /{{GITLAB_RELATIVE_URL_ROOT}} - websocket_token_secret_file: {{GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}} - listen: - address: 127.0.0.1:8150 - connections_per_token_per_minute: 40000 - listen_grace_period: 5s - max_connection_age: 7200s - network: tcp - websocket: true - receptive_agent: - poll_period: 60s - redis_conn_info_gc: 600s - redis_conn_info_refresh: 240s - redis_conn_info_ttl: 300s -api: - listen: - address: 127.0.0.1:8153 - listen_grace_period: 5s - max_connection_age: 7200s - network: tcp - authentication_secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required -gitaly: - global_api_rate_limit: - bucket_size: 70 - refill_rate_per_second: 30 - per_server_api_rate_limit: - bucket_size: 40 - refill_rate_per_second: 15 -gitlab: - address: http://127.0.0.1:8080{{GITLAB_RELATIVE_URL_ROOT}} - authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required - api_rate_limit: - bucket_size: 250 - refill_rate_per_second: 50 -observability: - event_reporting_period: 300s - google_profiler: {} - listen: - address: 127.0.0.1:8151 - network: tcp - liveness_probe: - url_path: /liveness - logging: - level: debug - grpc_level: debug - prometheus: - url_path: /metrics - readiness_probe: - url_path: /readiness - sentry: {} - usage_reporting_period: 10s -private_api: - listen: - address: 0.0.0.0:8155 - listen_grace_period: 5s - max_connection_age: 7200s - network: tcp - authentication_secret_file: {{GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}} -redis: - dial_timeout: 5s - key_prefix: gitlab-kas - network: tcp - write_timeout: 3s - server: - address: "{{REDIS_HOST}}:{{REDIS_PORT}}" # required -workspaces: - listen: - address: 127.0.0.1:8160 - listen_grace_period: 5s - network: tcp - shutdown_grace_period: 3600s - +# This is a configuration file for kas that contains the default values for the settings. +# It DOES NOT contain all the possible configuration knobs. +# The source of truth is kascfg.proto. +# It contains all the fields and documentation them. +# If you are looking for a setting, start from the ConfigurationFile message in: +# - the proto file kascfg.proto. +# - the generated documentation in kascfg_proto_docs.md. +# Correctness of this file is enforced by a unit test in kascfg_defaults_test.go. + +agent: + configuration: + max_configuration_file_size: 131072 + poll_period: 300s + info_cache_error_ttl: 60s + info_cache_ttl: 300s + kubernetes_api: + allowed_agent_cache_error_ttl: 10s + allowed_agent_cache_ttl: 60s + listen: + address: 127.0.0.1:8154 + listen_grace_period: 5s + network: tcp + shutdown_grace_period: 3600s + url_path_prefix: {{GITLAB_RELATIVE_URL_ROOT}}/ + websocket_token_secret_file: {{GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}} + listen: + address: 127.0.0.1:8150 + connections_per_token_per_minute: 40000 + listen_grace_period: 5s + max_connection_age: 7200s + network: tcp + websocket: true + receptive_agent: + poll_period: 60s + redis_conn_info_gc: 600s + redis_conn_info_refresh: 240s + redis_conn_info_ttl: 300s +api: + listen: + address: 127.0.0.1:8153 + listen_grace_period: 5s + max_connection_age: 7200s + network: tcp + authentication_secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required +gitaly: + global_api_rate_limit: + bucket_size: 70 + refill_rate_per_second: 30 + per_server_api_rate_limit: + bucket_size: 40 + refill_rate_per_second: 15 +gitlab: + address: http://127.0.0.1:8080{{GITLAB_RELATIVE_URL_ROOT}} + authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required + api_rate_limit: + bucket_size: 250 + refill_rate_per_second: 50 +observability: + event_reporting_period: 300s + google_profiler: {} + listen: + address: 127.0.0.1:8151 + network: tcp + liveness_probe: + url_path: /liveness + logging: + level: debug + grpc_level: debug + prometheus: + url_path: /metrics + readiness_probe: + url_path: /readiness + sentry: {} + usage_reporting_period: 10s +private_api: + listen: + address: 0.0.0.0:8155 + listen_grace_period: 5s + max_connection_age: 7200s + network: tcp + authentication_secret_file: {{GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}} +redis: + dial_timeout: 5s + key_prefix: gitlab-kas + network: tcp + write_timeout: 3s + server: + address: "{{REDIS_HOST}}:{{REDIS_PORT}}" # required +workspaces: + listen: + address: 127.0.0.1:8160 + listen_grace_period: 5s + network: tcp + shutdown_grace_period: 3600s + From 792dea9e34af750e8e15d8300070f44044eec728 Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Fri, 24 Oct 2025 07:46:21 +0000 Subject: [PATCH 17/25] fix GITLAB_AGENT_BUILTIN_KAS_ENABLED == false --- assets/runtime/env-defaults | 1 + assets/runtime/functions | 22 ++++++++++++---------- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 7a086d060..9809ae135 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -708,3 +708,4 @@ GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KA GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE=${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_websocket_token_secret} GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-} GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE:-${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} +GITLAB_AGENT_BUILTIN_KAS_ENABLED=${GITLAB_AGENT_BUILTIN_KAS_ENABLED:-false} diff --git a/assets/runtime/functions b/assets/runtime/functions index 1183b63b7..425369c99 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions @@ -400,15 +400,17 @@ gitlab_configure_gitlab_kas() { GITLAB_KAS_PROXY printf "Configuring gitlab-agent::KAS (enabled: %s)\n" "${GITLAB_AGENT_BUILTIN_KAS_ENABLED}" - update_template ${GITLAB_KAS_CONFIG} \ - GITLAB_RELATIVE_URL_ROOT \ - GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ - GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \ - GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE \ - REDIS_HOST \ - REDIS_PORT \ - GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE - + if [[ ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]; then + update_template ${GITLAB_KAS_CONFIG} \ + GITLAB_RELATIVE_URL_ROOT \ + GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE \ + REDIS_HOST \ + REDIS_PORT \ + GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE + fi + if [[ -n ${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE} ]]; then exec_as_git touch "${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}" exec_as_git chmod 600 "${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}" @@ -1006,7 +1008,7 @@ gitlab_configure_secrets() { chmod 600 "${pages_secret}" fi - if [[ ! -f "${GITLAB_AGENT_kas_aPI_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then + if [[ ! -f "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32 chmod 600 ${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE} fi From 7804f77e31321894b217732cf87fcc4cb440a525 Mon Sep 17 00:00:00 2001 From: KIMURA Kazunori Date: Fri, 24 Oct 2025 18:50:34 +0900 Subject: [PATCH 18/25] Fix parameter name to enable builtin-kas Merge GITLAB_AGENT_BUILTIN_KAS_ENABLED and GITLAB_AGENT_KAS_ENABLED --- README.md | 4 ++-- assets/runtime/env-defaults | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index d5d8875df..04a3339fb 100644 --- a/README.md +++ b/README.md @@ -944,7 +944,7 @@ You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_ #### Built-in GitLab-Agent KAS -To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_KAS_ENABLED`](#gitlab_agent_kas_enabled). +To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_BUILTIN_KAS_ENABLED`](#gitlab_agent_builtin_kas_enabled). You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist. Authentication secret file will be set to same value of `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` but you can overwrite it by setting [`GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_gitlab_authentication_secret_file). @@ -1306,7 +1306,7 @@ Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"` The URL to the Kubernetes API proxy (used by GitLab users). No default. -##### `GITLAB_AGENT_KAS_ENABLED` +##### `GITLAB_AGENT_BUILTIN_KAS_ENABLED` Control startup behavior of built-in KAS. `autostart` value in supervisor configuration for KAS will be set to this value. Default to [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 9809ae135..a2c6d6c88 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -702,7 +702,6 @@ GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://127.0.0.1:8153"} GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} ## gitlab-agent KAS (built-in one) -GITLAB_AGENT_KAS_ENABLED=${GITLAB_AGENT_KAS_ENABLED:-${GITLAB_KAS_ENABLED}} GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret} GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_private_api_secret} GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE=${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_websocket_token_secret} From 727037f9c083402ff3e17aeca8e9c721ce59ae61 Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Fri, 24 Oct 2025 14:17:44 +0000 Subject: [PATCH 19/25] fix kubernetes access --- assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml index 315dfb2c5..a65dce7d2 100644 --- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml @@ -21,7 +21,7 @@ agent: listen_grace_period: 5s network: tcp shutdown_grace_period: 3600s - url_path_prefix: {{GITLAB_RELATIVE_URL_ROOT}}/ + url_path_prefix: {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/k8s-proxy/ websocket_token_secret_file: {{GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}} listen: address: 127.0.0.1:8150 From a57c8e1f4f4f54b98925b71cd7207c61b0899ab7 Mon Sep 17 00:00:00 2001 From: KIMURA Kazunori Date: Tue, 6 Jan 2026 15:09:47 +0900 Subject: [PATCH 20/25] Add description for `GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE` --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 04a3339fb..1468c1c65 100644 --- a/README.md +++ b/README.md @@ -1310,6 +1310,10 @@ The URL to the Kubernetes API proxy (used by GitLab users). No default. Control startup behavior of built-in KAS. `autostart` value in supervisor configuration for KAS will be set to this value. Default to [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) +##### `GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE` + +Websocket token secret file. Default to `${GITLAB_INSTALL_DIR}/.gitlab_kas_websocket_token_secret` + ##### `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE` An authentication secret file used to connect to gitlab from KAS. Defaults to `${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}`. From 31a6fcf2b4983106c882bddff0511f29f3b08e23 Mon Sep 17 00:00:00 2001 From: KIMURA Kazunori Date: Tue, 6 Jan 2026 15:21:18 +0900 Subject: [PATCH 21/25] Add example KAS configuration to README.md --- README.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/README.md b/README.md index 1468c1c65..f18bb67e4 100644 --- a/README.md +++ b/README.md @@ -942,6 +942,58 @@ You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#gitlab_kas_e You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_secret). This secret file will be generated if they don't exist. +Here is an example settings for kubernetes rc.yml: + +```yaml +spec: + containers: + - name: gitlab + image: sameersbn/gitlab:latest + env: + - name: GITLAB_KAS_ENABLED + value: "true" + - name: GITLAB_AGENT_BUILTIN_KAS_ENABLED + value: "true" + - name: GITLAB_KAS_EXTERNAL + value: wss://gitlab.example.com/gitlab/-/kubernetes-agent/ + - name: GITLAB_KAS_INTERNAL + value: grpc://127.0.0.1:8153 + - name: GITLAB_KAS_PROXY + value: https://gitlab.example.com/gitlab/-/kubernetes-agent/k8s-proxy/ + - name: OWN_PRIVATE_API_URL + value: grpc://127.0.0.1:8155 +``` + +and for docker-compose.yml: + +```yaml +services: + gitlab: + image: sameersbn/gitlab:latest + environment: + - GITLAB_KAS_ENABLED=true + - GITLAB_AGENT_BUILTIN_KAS_ENABLED=true + - GITLAB_KAS_EXTERNAL=wss://gitlab.example.com/gitlab/-/kubernetes-agent/ + - GITLAB_KAS_INTERNAL=grpc://127.0.0.1:8153 + - GITLAB_KAS_PROXY=https://gitlab.example.com/gitlab/-/kubernetes-agent/k8s-proxy/ + - OWN_PRIVATE_API_URL=grpc://127.0.0.1:8155 +``` + +or in another style: + +```yaml +services: + gitlab: + image: sameersbn/gitlab:latest + environment: + GITLAB_KAS_ENABLED: "true" + GITLAB_AGENT_BUILTIN_KAS_ENABLED: "true" + GITLAB_KAS_EXTERNAL: wss://gitlab.example.com/gitlab/-/kubernetes-agent/ + GITLAB_KAS_INTERNAL: grpc://127.0.0.1:8153 + GITLAB_KAS_PROXY: https://gitlab.example.com/gitlab/-/kubernetes-agent/k8s-proxy/ + OWN_PRIVATE_API_URL: grpc://127.0.0.1:8155 +``` + #### Built-in GitLab-Agent KAS To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_BUILTIN_KAS_ENABLED`](#gitlab_agent_builtin_kas_enabled). From 7208008c3bec7a1883501d947f33c6ae60c56f46 Mon Sep 17 00:00:00 2001 From: KIMURA Kazunori Date: Tue, 6 Jan 2026 15:20:57 +0900 Subject: [PATCH 22/25] Fix assignment for GITLAB_KAS_SECRET User still only required to set `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` as `GITLAB_KAS_SECRET` finally default to `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` (over `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE`) --- README.md | 2 +- assets/runtime/config/gitlabhq/gitlab.yml | 2 +- assets/runtime/env-defaults | 2 ++ assets/runtime/functions | 3 ++- 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f18bb67e4..b20e149f4 100644 --- a/README.md +++ b/README.md @@ -1344,7 +1344,7 @@ Enable/Disable GitLab agent server for Kubernetes (KAS). See details on [officia ##### `GITLAB_KAS_SECRET` -File that contains the secret key for verifying access for GitLab KAS. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_secret` +File that contains the secret key for verifying access for GitLab KAS. This value will be used for `production.gitlab_kas.secret_file` in gitlab.yml. Defaults to `${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}` ##### `GITLAB_KAS_EXTERNAL` diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index cd49fd8a6..4ed760fd9 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml @@ -1222,7 +1222,7 @@ production: &base enabled: {{GITLAB_KAS_ENABLED}} # File that contains the secret key for verifying access for gitlab-kas. # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). - secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # /home/git/gitlab/.gitlab_kas_secret + secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret # The URL to the external KAS API (used by the Kubernetes agents) external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index a2c6d6c88..3872ef632 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -708,3 +708,5 @@ GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE=${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_ GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-} GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE:-${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} GITLAB_AGENT_BUILTIN_KAS_ENABLED=${GITLAB_AGENT_BUILTIN_KAS_ENABLED:-false} + +GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} diff --git a/assets/runtime/functions b/assets/runtime/functions index 425369c99..3ea7e6bef 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions @@ -396,7 +396,7 @@ gitlab_configure_gitlab_kas() { GITLAB_KAS_ENABLED \ GITLAB_KAS_EXTERNAL \ GITLAB_KAS_INTERNAL \ - GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + GITLAB_KAS_SECRET \ GITLAB_KAS_PROXY printf "Configuring gitlab-agent::KAS (enabled: %s)\n" "${GITLAB_AGENT_BUILTIN_KAS_ENABLED}" @@ -406,6 +406,7 @@ gitlab_configure_gitlab_kas() { GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \ GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE \ + GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE \ REDIS_HOST \ REDIS_PORT \ GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE From 75055d3d38b075c646de05e4030584d75c4ec338 Mon Sep 17 00:00:00 2001 From: KIMURA Kazunori Date: Thu, 26 Mar 2026 09:29:48 +0900 Subject: [PATCH 23/25] Sync gitlab-kas config to 18.5.1 - Don't mention IPv4 for localhost since it'll listen on both v4 and v6 anyway https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/merge_requests/2641 Since: v18.2.0 - Improve kas and agentk configuration docs https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/merge_requests/2902 (This sets default value for agent.listen.websocket to false, but this commit just ignored it) Since: v18.4.0 Also, we set non-default value (debug) for observability.logging.level (default: info) and .grpc_level (default: error) --- assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml index a65dce7d2..f4f7ac9f2 100644 --- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml @@ -17,7 +17,7 @@ agent: allowed_agent_cache_error_ttl: 10s allowed_agent_cache_ttl: 60s listen: - address: 127.0.0.1:8154 + address: :8154 listen_grace_period: 5s network: tcp shutdown_grace_period: 3600s @@ -74,7 +74,7 @@ observability: usage_reporting_period: 10s private_api: listen: - address: 0.0.0.0:8155 + address: :8155 listen_grace_period: 5s max_connection_age: 7200s network: tcp @@ -88,8 +88,7 @@ redis: address: "{{REDIS_HOST}}:{{REDIS_PORT}}" # required workspaces: listen: - address: 127.0.0.1:8160 + address: :8160 listen_grace_period: 5s network: tcp shutdown_grace_period: 3600s - From 37169ff685c68d72c7ede62cff4eb348bc2f2d81 Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Fri, 1 May 2026 21:38:42 +0900 Subject: [PATCH 24/25] KAS: fix CORS issue by setting gitlab.external_url --- assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml | 1 + assets/runtime/functions | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml index f4f7ac9f2..e217a63df 100644 --- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml @@ -51,6 +51,7 @@ gitaly: refill_rate_per_second: 15 gitlab: address: http://127.0.0.1:8080{{GITLAB_RELATIVE_URL_ROOT}} + external_url: {{GITLAB_SCHEME}}://{{GITLAB_HOST}} authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required api_rate_limit: bucket_size: 250 diff --git a/assets/runtime/functions b/assets/runtime/functions index 3ea7e6bef..b93ea5b0e 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions @@ -401,7 +401,14 @@ gitlab_configure_gitlab_kas() { printf "Configuring gitlab-agent::KAS (enabled: %s)\n" "${GITLAB_AGENT_BUILTIN_KAS_ENABLED}" if [[ ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]; then + if [[ "${GITLAB_HTTPS}" == true ]]; then + GITLAB_SCHEME=https + else + GITLAB_SCHEME=http + fi update_template ${GITLAB_KAS_CONFIG} \ + GITLAB_SCHEME \ + GITLAB_HOST \ GITLAB_RELATIVE_URL_ROOT \ GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \ From 6b548727431ac1bd054302e007b2b26113e1bb95 Mon Sep 17 00:00:00 2001 From: KIMURA Kazunori Date: Thu, 9 Jul 2026 01:45:20 +0900 Subject: [PATCH 25/25] Update built-in KAS to 19.1.1 Just bump the version unless configuration file pkg/kascfg/kascfg_default.yml is not updated - Update to 18.8.2 - Update to 18.8.4 - Update to 18.9.0 - Update to 18.9.1 - Update to 18.9.2 - Update to 18.10.0 - Update to 18.10.1 - Update to 18.10.3 - Update to 18.11.0 - Update to 18.11.1 - Update to 18.11.2 - Update to 18.11.3 - Update to 19.0.1 - Update to 19.0.2 - Update to 19.1.0 - Update to 19.1.1 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 61faeda59..fba788d7f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,7 @@ ENV GITLAB_VERSION=${VERSION} \ GITLAB_SHELL_VERSION=14.54.0 \ GITLAB_PAGES_VERSION=19.1.1 \ GITALY_SERVER_VERSION=19.1.1 \ - GITLAB_AGENT_VERSION=18.5.1 \ + GITLAB_AGENT_VERSION=19.1.1 \ GITLAB_USER="git" \ GITLAB_HOME="/home/git" \ GITLAB_LOG_DIR="/var/log/gitlab" \