From 6e572fedf11447305ade41684b20f7c00c4112b9 Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Thu, 30 Jun 2022 12:56:09 +0100 Subject: [PATCH 01/25] KAS --- assets/runtime/config/gitlabhq/gitlab.yml | 16 ++++++++++++++++ assets/runtime/env-defaults | 7 +++++++ 2 files changed, 23 insertions(+) diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index fcae8801a..f5e2f4e1a 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml @@ -1315,6 +1315,22 @@ production: &base # Ban an IP for one hour (3600s) after too many auth attempts bantime: {{RACK_ATTACK_BANTIME}} + gitlab_kas: + enabled: {{GITLAB_KAS_ENABLED}} + # File that contains the secret key for verifying access for gitlab-kas. + # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). + secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret + + # The URL to the external KAS API (used by the Kubernetes agents) + external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com + + # The URL to the internal KAS API (used by the GitLab backend) + internal_url: {{GITLAB_KAS_INTERNAL}} # grpc://localhost:8153 + + # The URL to the Kubernetes API proxy (used by GitLab users) + external_k8s_proxy_url: {{GITLAB_KAS_PROXY}} # https://localhost:8154 # default: nil + + development: <<: *base diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 024f87760..1e5aa5b01 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults 
@@ -694,3 +694,10 @@ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI=${GITLAB_CONTENT_SECURITY_P ## Feature Flags GITLAB_FEATURE_FLAGS_DISABLE_TARGETS=${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS:-} GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-} + +## Gitlab KAS +GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false} +GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-} +GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"} +GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"} +GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} From b7f4ee7b6fd777df485f28b83814ac90212555c0 Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Mon, 4 Jul 2022 14:12:17 +0100 Subject: [PATCH 02/25] Added functions --- assets/runtime/functions | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/assets/runtime/functions b/assets/runtime/functions index a5adbf641..5ecfc54c5 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions @@ -388,6 +388,17 @@ gitlab_configure_monitoring() { GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT } +gitlab_configure_gitlab_kas() { + echo "Configuring gitlab::KAS..." + + update_template ${GITLAB_CONFIG} \ + GITLAB_KAS_ENABLED \ + GITLAB_KAS_SECRET \ + GITLAB_KAS_EXTERNAL \ + GITLAB_KAS_INTERNAL \ + GITLAB_KAS_PROXY +} + gitlab_configure_gitlab_workhorse() { echo "Configuring gitlab::gitlab-workhorse..." update_template /etc/supervisor/conf.d/gitlab-workhorse.conf \ @@ -2097,6 +2108,7 @@ configure_gitlab() { gitlab_configure_pages gitlab_configure_sentry generate_healthcheck_script + gitlab_configure_gitlab_kas gitlab_configure_content_security_policy # remove stale gitlab.socket From 775064c8b92a600682f9f58a8bfeac9d61919595 Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Tue, 5 Jul 2022 13:56:26 +0100 Subject: [PATCH 03/25] Update assets/runtime/env-defaults Co-authored-by: Kazunori Kimura <33391846+kkimurak@users.noreply.github.com> --- assets/runtime/env-defaults | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 1e5aa5b01..e5b2247a3 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -697,7 +697,7 @@ GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-} ## Gitlab KAS GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false} -GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-} +GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}} GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"} GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"} GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} From f4f7ba595228ab0e1b5d4c0b2945630f8a27637a Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Tue, 5 Jul 2022 14:33:04 +0100 Subject: [PATCH 04/25] Added to Readme --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index 93611b239..9efd984da 100644 --- a/README.md +++ b/README.md @@ -55,6 +55,7 @@ - [Piwik](#piwik) - [Feature flags](#feature-flags) - [Exposing ssh port in dockerized gitlab-ce](docs/exposing-ssh-port.md) + - [Gitlab KAS](#Gitlab KAS) - [Available Configuration Parameters](#available-configuration-parameters) - [Maintenance](#maintenance) - [Creating Backups](#creating-backups) 
@@ -933,6 +934,16 @@ Configuring gitlab::feature_flags... ... ```` +#### Gitlab KAS + +Basic Gitlab KAS Settings + +- `GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false}` +- `GITLAB_KAS_SECRET=${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}` +- `GITLAB_KAS_EXTERNAL="wss://kas.example.com"}` +- `GITLAB_KAS_INTERNAL="grpc://localhost:8153"}` +- `GITLAB_KAS_PROXY=` + #### Available Configuration Parameters *Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose. docker-compose users and Docker Swarm mode users can also use the [secrets and config file options](#docker-secrets-and-configs)* From bdc099923aef2df28d966229bcea9e2a263e06f5 Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Mon, 11 Jul 2022 09:09:59 +0100 Subject: [PATCH 05/25] Update assets/runtime/env-defaults Co-authored-by: Kazunori Kimura <33391846+kkimurak@users.noreply.github.com> --- assets/runtime/env-defaults | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index e5b2247a3..57c25ec5f 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -697,7 +697,7 @@ GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-} ## Gitlab KAS GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false} -GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}} +GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret} GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"} GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"} GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} From d604ed265720268e715157c0c36b791eae8f8ded Mon Sep 17 00:00:00 2001 
From: Antt1995 Date: Mon, 11 Jul 2022 09:11:58 +0100 Subject: [PATCH 06/25] Update README.md --- README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/README.md b/README.md index 9efd984da..3c6efd9aa 100644 --- a/README.md +++ b/README.md @@ -1274,6 +1274,26 @@ Cron notation for the GitLab admin email worker. Defaults to `'0 0 * * 0'` Cron notation for the GitLab personal access tokens expiring worker. Defaults to `'0 1 * * *'` +##### `GITLAB_KAS_ENABLED` + +Enable/Disable GitLab agent server for Kubernetes (KAS). See details on [official documentation](https://docs.gitlab.com/ee/administration/clusters/kas.html). Defaults to `false` + +##### `GITLAB_KAS_SECRET` + +File that contains the secret key for verifying access for GitLab KAS. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_secret` + +##### `GITLAB_KAS_EXTERNAL` + +User-facing URL for the in-cluster agent. Defaults to `"wss://kas.example.com"` + +##### `GITLAB_KAS_INTERNAL` + +Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"` + +##### `GITLAB_KAS_PROXY` + +The URL to the Kubernetes API proxy (used by GitLab users). No default. + ##### `GITLAB_LFS_ENABLED` Enable/Disable Git LFS support. Defaults to `true`. From 64aa1d2775f2b012ff669873a2c48aa7381928f0 Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Thu, 28 Jul 2022 14:08:14 +0100 Subject: [PATCH 07/25] Update README.md Co-authored-by: Kazunori Kimura <33391846+kkimurak@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3c6efd9aa..17bf02412 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ - [Piwik](#piwik) - [Feature flags](#feature-flags) - [Exposing ssh port in dockerized gitlab-ce](docs/exposing-ssh-port.md) - - [Gitlab KAS](#Gitlab KAS) + - [Gitlab KAS](#Gitlab-KAS) - [Available Configuration Parameters](#available-configuration-parameters) - [Maintenance](#maintenance) - [Creating Backups](#creating-backups) 
From 18132d7cc58e24f892892c28dfe62e091af1f223 Mon Sep 17 00:00:00 2001 From: Kazunori Kimura Date: Wed, 24 Aug 2022 17:48:04 +0900 Subject: [PATCH 08/25] README.md: revise GitLab KAS section Fix link fragment for gitlab-kas in TOC (markdownlint: MD-051 - must be lowercase) --- README.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 17bf02412..285b1ddcc 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ - [Piwik](#piwik) - [Feature flags](#feature-flags) - [Exposing ssh port in dockerized gitlab-ce](docs/exposing-ssh-port.md) - - [Gitlab KAS](#Gitlab-KAS) + - [Gitlab KAS](#gitlab-kas) - [Available Configuration Parameters](#available-configuration-parameters) - [Maintenance](#maintenance) - [Creating Backups](#creating-backups) @@ -936,13 +936,11 @@ Configuring gitlab::feature_flags... #### Gitlab KAS -Basic Gitlab KAS Settings +GitLab agent server for Kubernetes (KAS) is disabled by default, but you can enable it by setting configuration parameter [`GITLAB_KAS_ENABLED`](#GITLAB_KAS_ENABLED) to true. +By default, built-in `gitlab-kas` is used. But you can use an external installation of KAS by setting internal URL for the GItLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#GITLAB_KAS_INTERNAL). +You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#GITLAB_KAS_EXTERNAL). If you set up proxy URL, use `GITLAB_KAS_PROXY`. -- `GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false}` -- `GITLAB_KAS_SECRET=${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}` -- `GITLAB_KAS_EXTERNAL="wss://kas.example.com"}` -- `GITLAB_KAS_INTERNAL="grpc://localhost:8153"}` -- `GITLAB_KAS_PROXY=` +See official documentation : https://docs.gitlab.com/ee/administration/clusters/kas.html #### Available Configuration Parameters From e7178a82d672a1a1ee5abe5dd6cc5a25252d6242 Mon Sep 17 00:00:00 2001 
From: Kazunori Kimura Date: Wed, 24 Aug 2022 17:48:17 +0900 Subject: [PATCH 09/25] Add KAS config file, minimal parameterization also add process to generate secret files for KAS - GITLAB_KAS_SECRET - GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE - GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE --- README.md | 21 ++++ .../gitlab-agent/gitlab-kas_config.yaml | 101 ++++++++++++++++++ assets/runtime/env-defaults | 3 + assets/runtime/functions | 39 +++++++ 4 files changed, 164 insertions(+) create mode 100644 assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml diff --git a/README.md b/README.md index 285b1ddcc..594cef9ef 100644 --- a/README.md +++ b/README.md 
@@ -940,6 +940,13 @@ GitLab agent server for Kubernetes (KAS) is disabled by default, but you can ena By default, built-in `gitlab-kas` is used. But you can use an external installation of KAS by setting internal URL for the GItLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#GITLAB_KAS_INTERNAL). You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#GITLAB_KAS_EXTERNAL). If you set up proxy URL, use `GITLAB_KAS_PROXY`. +You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#GITLAB_KAS_SECRET), [`GITLAB_KAS_API_AUTHENTICATION_SECRET_FILE`](#GITLAB_KAS_API_AUTHENTICATION_SECRET_FILE) and [`GITLAB_KAS_PRIVATE_API_AUTHENTICATION_SECRET_FILE`](#GITLAB_KAS_PRIVATE_API_AUTHENTICATION_SECRET_FILE). These secret files are automatically generated if they don't exist. + +Built-in KAS communicates to redis. The host and ports are set using `REDIS_HOST` and `REDIS_PORT`. +You can specify the password file path in `GITLAB_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See https://github.com/sameersbn/docker-gitlab/pull/1026 + +Also note that KAS requires that environment variable `OWN_PRIVATE_API_URL` is set (e.g. `OWN_PRIVATE_API_URL=grpc://127.0.0.1:8155`). If not, the KAS service will keep restarting. + See official documentation : https://docs.gitlab.com/ee/administration/clusters/kas.html #### Available Configuration Parameters 
@@ -1292,6 +1299,20 @@ Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"` The URL to the Kubernetes API proxy (used by GitLab users). No default. +##### `GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` + +An authentication secret file to verify JWT token, for KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret` + +##### `GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE` + +An authentication secret file to verify JWT token, for KAS internal API. If not exists, an secret file will be generated on startup. This is not "required", so please leave blank if you don't need it. No default. + +##### `GITLAB_KAS_REDIS_PASSWORD_FILE` + +Path for the file that contains redis password. This is not "required", so please leave blank if you don't need it. No default. + +NOTE: We currently do not support password authentication between gitlab and redis. See https://github.com/sameersbn/docker-gitlab/pull/1026 + ##### `GITLAB_LFS_ENABLED` Enable/Disable Git LFS support. Defaults to `true`. diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml new file mode 100644 index 000000000..b456620b8 --- /dev/null +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml 
@@ -0,0 +1,101 @@ +# Import from gitlab-org/cluster-integration/gitlab-agent/pkg/kascfg/config_example.yaml +# +# This is a sample configuration file for kas. The source of truth is pkg/kascfg/kascfg.proto. It contains documentation +# for all the fields. Configuration values in this file are the defaults (if set) that are used by kas. + +gitlab: + address: http://localhost:8080{{GITLAB_RELATIVE_URL_ROOT}} # required + authentication_secret_file: {{GITLAB_KAS_SECRET}} # required + # ca_certificate_file: /server-ca.pem + api_rate_limit: + refill_rate_per_second: 10.0 + bucket_size: 50 +agent: + listen: + network: tcp + address: 127.0.0.1:8150 + websocket: false + # certificate_file: /server-cert.pem + # key_file: /server-key.pem + connections_per_token_per_minute: 10000 + max_connection_age: "1800s" + configuration: + poll_period: "20s" + max_configuration_file_size: 131072 + gitops: + poll_period: "20s" + project_info_cache_ttl: "300s" + project_info_cache_error_ttl: "60s" + max_manifest_file_size: 5242880 + max_total_manifest_file_size: 20971520 + max_number_of_paths: 100 + max_number_of_files: 1000 + kubernetes_api: + listen: + network: tcp + address: 0.0.0.0:8154 + # certificate_file: /server-cert.pem + # key_file: /server-key.pem + url_path_prefix: / + allowed_agent_cache_ttl: "60s" + allowed_agent_cache_error_ttl: "10s" + info_cache_ttl: "300s" + info_cache_error_ttl: "60s" + redis_conn_info_ttl: "300s" + redis_conn_info_refresh: "240s" + redis_conn_info_gc: "600s" +observability: + usage_reporting_period: "60s" + listen: + network: tcp + address: 127.0.0.1:8151 + prometheus: + url_path: /metrics + tracing: + connection_string: "" + sentry: + dsn: "" + environment: "" + logging: + level: info + grpc_level: error + google_profiler: + enabled: false + # project_id: "" + # credentials_file: /some/file + # debug_logging: false + liveness_probe: + url_path: /liveness + readiness_probe: + url_path: /readiness +gitaly: + global_api_rate_limit: + 
refill_rate_per_second: 30.0 + bucket_size: 70 + per_server_api_rate_limit: + refill_rate_per_second: 15.0 + bucket_size: 40 +private_api: + listen: + address: 127.0.0.1:8155 + authentication_secret_file: {{GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}} + max_connection_age: 1800s +redis: + server: + address: "{{REDIS_HOST}}:{{REDIS_PORT}}" # required + pool_size: 5 + dial_timeout: "5s" + read_timeout: "1s" + write_timeout: "1s" + idle_timeout: "50s" + key_prefix: gitlab-kas + password_file: {{GITLAB_KAS_REDIS_PASSWORD_FILE}} + network: "tcp" +api: + listen: + network: tcp + address: 127.0.0.1:8153 + authentication_secret_file: {{GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required + # certificate_file: /server-cert.pem + # key_file: /server-key.pem + max_connection_age: "1800s" diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 57c25ec5f..12ffcc91c 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -701,3 +701,6 @@ GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret} GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"} GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"} GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} +GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret} +GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-} +GITLAB_KAS_REDIS_PASSWORD_FILE=${GITLAB_KAS_REDIS_PASSWORD_FILE:-} diff --git a/assets/runtime/functions b/assets/runtime/functions index 5ecfc54c5..059a685da 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions 
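Review bot: `address: 0.0.0.0:8154` under `kubernetes_api.listen` is the only listener in this file bound to all interfaces; `agent`, `observability`, `private_api` and `api` all bind 127.0.0.1, and the `certificate_file`/`key_file` entries next to it are commented out, so the Kubernetes API proxy accepts plain-HTTP connections from anything that can reach the container's network. That may be deliberate so the port can be published, but the file should say so and name the expectation, e.g. `# reachable from outside the container; publish only behind a TLS-terminating reverse proxy`; otherwise bind it to 127.0.0.1 like the others. Separately, `password_file: {{GITLAB_KAS_REDIS_PASSWORD_FILE}}` renders as an empty value with the env-defaults default — presumably kas treats that as "no password", but that is worth confirming against the kascfg schema rather than assuming.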
@@ -397,6 +397,24 @@ gitlab_configure_gitlab_kas() { GITLAB_KAS_EXTERNAL \ GITLAB_KAS_INTERNAL \ GITLAB_KAS_PROXY + + update_template ${GITLAB_KAS_CONFIG} \ + GITLAB_RELATIVE_URL_ROOT \ + GITLAB_KAS_SECRET \ + GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + REDIS_HOST \ + REDIS_PORT \ + GITLAB_KAS_REDIS_PASSWORD_FILE + + if [[ ! -f ${GITLAB_KAS_REDIS_PASSWORD_FILE} ]]; then + exec_as_git touch "${GITLAB_KAS_REDIS_PASSWORD_FILE}" + exec_as_git chmod 600 ${GITLAB_KAS_REDIS_PASSWORD_FILE} + # TODO: Once this image supports redis password authentication, write the password to a file here + fi + + # enable/disable startup of gitlab-kas : set autostart / autorestart entry in supervisor config using GITLAB_KAS_ENABLED + update_template /etc/supervisor/conf.d/gitlab-kas.conf GITLAB_KAS_ENABLED } gitlab_configure_gitlab_workhorse() { @@ -985,6 +1003,23 @@ gitlab_configure_secrets() { exec_as_git openssl rand -base64 -out "${pages_secret}" 32 chmod 600 "${pages_secret}" fi + + if [[ ! -f "${GITLAB_KAS_SECRET}" ]]; then + exec_as_git openssl rand -base64 -out "${GITLAB_KAS_SECRET}" 32 + chmod 600 ${GITALB_KAS_SECRET} + fi + + if [[ ! -f "${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then + exec_as_git openssl rand -base64 -out "${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32 + chmod 600 ${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE} + fi + + # KAS secret for private_api is not required so this can be empty string, + # but empty string is not match to "is file" condition so we don't care the case + if [[ ! -f "${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then + exec_as_git openssl rand -base64 -out "${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32 + chmod 600 ${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE} + fi } gitlab_configure_sidekiq() { 
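Review bot: `if [[ ! -f ${GITLAB_KAS_REDIS_PASSWORD_FILE} ]]; then` is true when the variable is empty, which is its default in env-defaults, so every startup runs `touch` and `chmod` on an empty path and logs an error; test for a value first: `if [[ -n "${GITLAB_KAS_REDIS_PASSWORD_FILE}" && ! -f "${GITLAB_KAS_REDIS_PASSWORD_FILE}" ]]; then`. The same applies to the private-API secret block in this file's next hunk, whose comment assumes an empty string does not satisfy `! -f` — it does, so `openssl rand -out ""` runs with the empty default there. The `update_template ${GITLAB_KAS_CONFIG}` call here runs regardless of `GITLAB_KAS_ENABLED`, while `install_configuration_templates` installs that template only when it is true; what update_template does on a missing file is not visible here, so guarding the call on the same condition would be safer. `gitlab_configure_gitlab_kas` starts outside the hunk.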
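Review bot: `chmod 600 ${GITALB_KAS_SECRET}` misspells the variable (`GITALB`), so it expands to nothing, the command fails, and the freshly generated `GITLAB_KAS_SECRET` file is left with whatever mode `openssl rand -out` created it under rather than 0600; it should read `chmod 600 "${GITLAB_KAS_SECRET}"`. The other two chmod lines in this hunk are also unquoted, unlike the `"${pages_secret}"` context line just above; quoting them keeps the three blocks consistent with the existing code. `gitlab_configure_secrets` starts outside the hunk.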
@@ -2046,6 +2081,10 @@ install_configuration_templates() { fi install_template ${GITLAB_USER}: gitaly/config.toml ${GITLAB_GITALY_CONFIG} + + if [[ ${GITLAB_KAS_ENABLED} == true ]]; then + install_template ${GITLAB_USER}: gitlab-agent/gitlab-kas_config.yaml ${GITLAB_KAS_CONFIG} 0640 + fi } configure_gitlab() { From ab364f347491e392f6bb9b0adedafaae3b055ad3 Mon Sep 17 00:00:00 2001 From: Kazunori Kimura Date: Wed, 3 Apr 2024 15:17:01 +0900 Subject: [PATCH 10/25] Tweak kas config order in gitlab.yml sync with upstream --- assets/runtime/config/gitlabhq/gitlab.yml | 32 +++++++++++------------ 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index f5e2f4e1a..af27a482b 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml @@ -1218,6 +1218,22 @@ production: &base # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app). # secret_file: /home/git/gitlab/.gitlab_workhorse_secret + gitlab_kas: + enabled: {{GITLAB_KAS_ENABLED}} + # File that contains the secret key for verifying access for gitlab-kas. + # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). + secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret + + # The URL to the external KAS API (used by the Kubernetes agents) + external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com + + # The URL to the internal KAS API (used by the GitLab backend) + internal_url: {{GITLAB_KAS_INTERNAL}} # grpc://localhost:8153 + + # The URL to the Kubernetes API proxy (used by GitLab users) + external_k8s_proxy_url: {{GITLAB_KAS_PROXY}} # https://localhost:8154 # default: nil + + ## GitLab Elasticsearch settings elasticsearch: indexer_path: {{GITLAB_HOME}}/gitlab-elasticsearch-indexer/ 
@@ -1315,22 +1331,6 @@ production: &base # Ban an IP for one hour (3600s) after too many auth attempts bantime: {{RACK_ATTACK_BANTIME}} - gitlab_kas: - enabled: {{GITLAB_KAS_ENABLED}} - # File that contains the secret key for verifying access for gitlab-kas. - # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). - secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret - - # The URL to the external KAS API (used by the Kubernetes agents) - external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com - - # The URL to the internal KAS API (used by the GitLab backend) - internal_url: {{GITLAB_KAS_INTERNAL}} # grpc://localhost:8153 - - # The URL to the Kubernetes API proxy (used by GitLab users) - external_k8s_proxy_url: {{GITLAB_KAS_PROXY}} # https://localhost:8154 # default: nil - - development: <<: *base From aaf950e608c4135ad191464cb0706a45df302910 Mon Sep 17 00:00:00 2001 
From: Kazunori Kimura Date: Wed, 24 Aug 2022 17:48:17 +0900 Subject: [PATCH 11/25] Add built-in KAS - build KAS on build, enable via GITLAB_AGENT_KAS_ENABLED (automatically enabled if GITLAB_KAS_ENABLED=true) - Add built-in KAS config file kas config: import upstream (v15.10.0 - d88f4b89) - minimal parameterization gitlab side: - GITLAB_KAS_ENABLED gitlab_rails['gitlab_kas_enabled'] for omnibus installation - GITLAB_KAS_INTERNAL gitlab_rails['gitlab_kas_internal_url'] for omnibus installation - GITLAB_KAS_EXTERNAL gitlab_rails['gitlab_kas_external_url'] for omnibus installation - GITLAB_KAS_PROXY gitlab_rails['gitlab_kas_external_k8s_proxy_url'] for omnibus installation kas side: - GITLAB_AGENT_KAS_ENABLED gitlab_kas['enabled'] for omnibus installation - GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE gitlab_kas['internal_api_listen_authentication_secret_file'] - GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE used by both: - GITLAB_KAS_SECRET used as a value for - gitlabhq/gitlab.yml : production.gitlab_kas.secret_file - gitlab-agent/gitlab-kas_config.yaml : gitlab.authentication_secret_file Prefix for parameters that only used by gitlab-agent/kas is "GITLAB_AGENT_KAS_" Also add process to generate secret files for KAS Update built-in KAS to 16.10.1, sync config Update built-in gitlab-kas to v17.0.2, sync configuration - Bump to v17.0.0, sync configuration GitOps module have been removed. See upstream change: https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/merge_requests/1436 - Bump: gitlab-kas 17.0.1 no change in configuration file - Bump: gitlab-kas 17.0.2 no change in configuration file Personal note: I am still unable to successfully connect the agent from the WebUI. The problem is that I don't know the correct way to do it in the first place, so I have to check it out. 
Stop gitlab_kas before restoring backup It seems that kas has DB connection and blocks restoration - Bump: gitlab-kas 18.1.0 reference configuration file have been renamed to kascfg_defaults.yaml and does not contain full configurations So I have to search a way to generate full configuration from .proto or docs --- Dockerfile | 2 + README.md | 36 +++++++++----- assets/build/install.sh | 28 +++++++++++ .../gitlab-agent/gitlab-kas_config.yaml | 48 +++++++++---------- assets/runtime/env-defaults | 9 ++-- assets/runtime/functions | 33 +++++++------ 6 files changed, 100 insertions(+), 56 deletions(-) diff --git a/Dockerfile b/Dockerfile index d1413ec37..6873f8e69 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,6 +10,7 @@ ENV GITLAB_VERSION=${VERSION} \ GITLAB_SHELL_VERSION=14.54.0 \ GITLAB_PAGES_VERSION=19.1.0 \ GITALY_SERVER_VERSION=19.1.0 \ + GITLAB_AGENT_VERSION=18.1.0 \ GITLAB_USER="git" \ GITLAB_HOME="/home/git" \ GITLAB_LOG_DIR="/var/log/gitlab" \ @@ -24,6 +25,7 @@ ENV GITLAB_VERSION=${VERSION} \ ENV GITLAB_INSTALL_DIR="${GITLAB_HOME}/gitlab" \ GITLAB_SHELL_INSTALL_DIR="${GITLAB_HOME}/gitlab-shell" \ GITLAB_GITALY_INSTALL_DIR="${GITLAB_HOME}/gitaly" \ + GITLAB_AGENT_INSTALL_DIR="${GITLAB_HOME}/gitlab-agent" \ GITLAB_DATA_DIR="${GITLAB_HOME}/data" \ GITLAB_BUILD_DIR="${GITLAB_CACHE_DIR}/build" \ GITLAB_RUNTIME_DIR="${GITLAB_CACHE_DIR}/runtime" diff --git a/README.md b/README.md index 594cef9ef..a3d0cfb7a 100644 --- a/README.md +++ b/README.md 
@@ -936,18 +936,24 @@ Configuring gitlab::feature_flags... #### Gitlab KAS -GitLab agent server for Kubernetes (KAS) is disabled by default, but you can enable it by setting configuration parameter [`GITLAB_KAS_ENABLED`](#GITLAB_KAS_ENABLED) to true. -By default, built-in `gitlab-kas` is used. But you can use an external installation of KAS by setting internal URL for the GItLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#GITLAB_KAS_INTERNAL). -You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#GITLAB_KAS_EXTERNAL). If you set up proxy URL, use `GITLAB_KAS_PROXY`. +GitLab agent server for Kubernetes (KAS) is disabled by default, but you can enable it by setting configuration parameter [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) to true. +By default, built-in `gitlab-kas` is also enabled once you enable KAS feature. But you can use an external installation of KAS by setting internal URL for the GitLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#gitlab_kas_internal). +You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#gitlab_kas_external). If you set up proxy URL, use `GITLAB_KAS_PROXY`. -You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#GITLAB_KAS_SECRET), [`GITLAB_KAS_API_AUTHENTICATION_SECRET_FILE`](#GITLAB_KAS_API_AUTHENTICATION_SECRET_FILE) and [`GITLAB_KAS_PRIVATE_API_AUTHENTICATION_SECRET_FILE`](#GITLAB_KAS_PRIVATE_API_AUTHENTICATION_SECRET_FILE). These secret files are automatically generated if they don't exist. +You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_secret). This secret file will be generated if they don't exist. + +#### Built-in GitLab-Agent KAS + +To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_KAS_ENABLED`](#gitlab_agent_kas_enabled). 
+ +You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist. Built-in KAS communicates to redis. The host and ports are set using `REDIS_HOST` and `REDIS_PORT`. -You can specify the password file path in `GITLAB_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See https://github.com/sameersbn/docker-gitlab/pull/1026 +You can specify the password file path in `GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See [sameersbn/gitlab#1026](https://github.com/sameersbn/docker-gitlab/pull/1026) Also note that KAS requires that environment variable `OWN_PRIVATE_API_URL` is set (e.g. `OWN_PRIVATE_API_URL=grpc://127.0.0.1:8155`). If not, the KAS service will keep restarting. -See official documentation : https://docs.gitlab.com/ee/administration/clusters/kas.html +See [official documentation](https://docs.gitlab.com/ee/administration/clusters/kas.html) for more detail. #### Available Configuration Parameters 
@@ -1299,19 +1305,23 @@ Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"` The URL to the Kubernetes API proxy (used by GitLab users). No default. -##### `GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` +##### `GITLAB_AGENT_KAS_ENABLED` + +Control startup behavior of built-in KAS. `autostart` value in supervisor configuration for KAS will be set to this value. Default to [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) + +##### `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` -An authentication secret file to verify JWT token, for KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret` +An authentication secret file to verify JWT token, for built-in KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret` -##### `GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE` +##### `GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE` -An authentication secret file to verify JWT token, for KAS internal API. If not exists, an secret file will be generated on startup. This is not "required", so please leave blank if you don't need it. No default. +An authentication secret file to verify JWT token, for built-in KAS internal API. If not exists, an secret file will be generated on startup. This is not "required", so please leave blank if you don't need it. No default. -##### `GITLAB_KAS_REDIS_PASSWORD_FILE` +##### `GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE` -Path for the file that contains redis password. This is not "required", so please leave blank if you don't need it. No default. +Path for the file that contains redis password to be used by built-in KAS. This is not "required", so please leave blank if you don't need it. No default. -NOTE: We currently do not support password authentication between gitlab and redis. 
See https://github.com/sameersbn/docker-gitlab/pull/1026 +NOTE: We currently do not support password authentication between gitlab and redis. See [sameersbn/gitlab#1026](https://github.com/sameersbn/docker-gitlab/pull/1026) ##### `GITLAB_LFS_ENABLED` diff --git a/assets/build/install.sh b/assets/build/install.sh index b923c83c4..840ea87a7 100755 --- a/assets/build/install.sh +++ b/assets/build/install.sh @@ -5,10 +5,12 @@ GITLAB_CLONE_URL=https://gitlab.com/gitlab-org/gitlab-foss.git GITLAB_SHELL_URL=https://gitlab.com/gitlab-org/gitlab-shell/-/archive/v${GITLAB_SHELL_VERSION}/gitlab-shell-v${GITLAB_SHELL_VERSION}.tar.bz2 GITLAB_PAGES_URL=https://gitlab.com/gitlab-org/gitlab-pages.git GITLAB_GITALY_URL=https://gitlab.com/gitlab-org/gitaly.git +GITLAB_AGENT_URL=https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent.git GITLAB_WORKHORSE_BUILD_DIR=${GITLAB_INSTALL_DIR}/workhorse GITLAB_PAGES_BUILD_DIR=/tmp/gitlab-pages GITLAB_GITALY_BUILD_DIR=/tmp/gitaly +GITLAB_AGENT_BUILD_DIR=/tmp/gitlab-agent RUBY_SRC_URL=https://cache.ruby-lang.org/pub/ruby/${RUBY_VERSION%.*}/ruby-${RUBY_VERSION}.tar.gz @@ -171,6 +173,18 @@ make -C ${GITLAB_GITALY_BUILD_DIR} git GIT_PREFIX=/usr/local # clean up rm -rf ${GITLAB_GITALY_BUILD_DIR} +# download gitlab-agent (KAS) +echo "Downloading gitlab-agent v.${GITLAB_AGENT_VERSION}..." +git clone -q -b v${GITLAB_AGENT_VERSION} --depth 1 ${GITLAB_AGENT_URL} ${GITLAB_AGENT_BUILD_DIR} + +# install gitlab-agent (KAS) +mkdir -p "${GITLAB_AGENT_INSTALL_DIR}" +make -C ${GITLAB_AGENT_BUILD_DIR} kas TARGET_DIRECTORY=/usr/local/bin +chown -R ${GITLAB_USER}: ${GITLAB_AGENT_INSTALL_DIR} + +# clean up +rm -rf ${GITLAB_AGENT_BUILD_DIR} + # remove go go clean --modcache rm -rf ${GITLAB_BUILD_DIR}/go${GOLANG_VERSION}.linux-amd64.tar.gz ${GOROOT} 
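Review bot: `mkdir -p "${GITLAB_AGENT_INSTALL_DIR}"` and the `chown -R` that follows set up a directory that nothing in this hunk writes to — `make -C ${GITLAB_AGENT_BUILD_DIR} kas TARGET_DIRECTORY=/usr/local/bin` places the binary in /usr/local/bin — so either a later step uses it or it is dead; a comment naming what is expected to live there would settle which. The clone pins a tag (`-b v${GITLAB_AGENT_VERSION}`), presumably matching how the other components are fetched; since tags can be moved, recording the expected commit in a comment (the commit message cites `d88f4b89` for v15.10.0) or checking it after the clone would make the build reproducible.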
@@ -411,6 +425,20 @@ stdout_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log stderr_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log EOF +# configure superisord to start gitlab-agent (KAS) +cat > /etc/supervisor/conf.d/gitlab-kas.conf < /etc/supervisor/conf.d/mail_room.conf < Date: Mon, 24 Apr 2023 08:35:25 +0900 Subject: [PATCH 12/25] kas: tweak defaults for gitlab.authentication_secret_file default to api.listen.authentication_secret_file, as omnibus-gitlab do --- README.md | 7 ++++++- assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml | 2 +- assets/runtime/env-defaults | 1 + 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a3d0cfb7a..31deede9a 100644 --- a/README.md +++ b/README.md 
@@ -946,7 +946,8 @@ You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_ To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_KAS_ENABLED`](#gitlab_agent_kas_enabled). -You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist. +You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist. +Authentication secret file will be set to same value of `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` but you can overwrite it by setting [`GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_gitlab_authentication_secret_file). Built-in KAS communicates to redis. The host and ports are set using `REDIS_HOST` and `REDIS_PORT`. You can specify the password file path in `GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See [sameersbn/gitlab#1026](https://github.com/sameersbn/docker-gitlab/pull/1026) 
@@ -1309,6 +1310,10 @@ The URL to the Kubernetes API proxy (used by GitLab users). No default. Control startup behavior of built-in KAS. `autostart` value in supervisor configuration for KAS will be set to this value. Default to [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) +##### `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE` + +An authentication secret file used to connect to gitlab from KAS. Defaults to `${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}`. + ##### `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` An authentication secret file to verify JWT token, for built-in KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret` diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml index 8f38b8a06..48c436b7b 100644 --- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml @@ -5,7 +5,7 @@ gitlab: address: http://localhost:8080{{GITLAB_RELATIVE_URL_ROOT}} # required - authentication_secret_file: {{GITLAB_KAS_SECRET}} # required + authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required # ca_certificate_file: /server-ca.pem api_rate_limit: bucket_size: 250 diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 25caeeced..26fdebcda 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults 
@@ -707,3 +707,4 @@ GITLAB_AGENT_KAS_ENABLED=${GITLAB_AGENT_KAS_ENABLED:-${GITLAB_KAS_ENABLED}} GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret} GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_private_api_secret} GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-} +GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE:-${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} From dd32d09e721fba66e80f077ac6d85e537c3710bb Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Tue, 21 Oct 2025 07:52:26 +0000 Subject: [PATCH 13/25] upgrade to 18.5.1 squash following commit: - update to 18.5.0 - upgrade to 18.5.1 --- Dockerfile | 2 +- .../gitlab-agent/gitlab-kas_config.yaml | 148 +++++++++--------- 2 files changed, 73 insertions(+), 77 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6873f8e69..ec5bf8546 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,7 @@ ENV GITLAB_VERSION=${VERSION} \ GITLAB_SHELL_VERSION=14.54.0 \ GITLAB_PAGES_VERSION=19.1.0 \ GITALY_SERVER_VERSION=19.1.0 \ - GITLAB_AGENT_VERSION=18.1.0 \ + GITLAB_AGENT_VERSION=18.5.1 \ GITLAB_USER="git" \ GITLAB_HOME="/home/git" \ GITLAB_LOG_DIR="/var/log/gitlab" \ diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml index 48c436b7b..6683a62f2 100644 --- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml 
@@ -1,99 +1,95 @@ -# Import from gitlab-org/cluster-integration/gitlab-agent/pkg/kascfg/config_example.yaml -# -# This is a sample configuration file for kas. The source of truth is pkg/kascfg/kascfg.proto. It contains documentation -# for all the fields. Configuration values in this file are the defaults (if set) that are used by kas. +# This is a configuration file for kas that contains the default values for the settings. +# It DOES NOT contain all the possible configuration knobs. +# The source of truth is kascfg.proto. +# It contains all the fields and documentation them. +# If you are looking for a setting, start from the ConfigurationFile message in: +# - the proto file kascfg.proto. +# - the generated documentation in kascfg_proto_docs.md. +# Correctness of this file is enforced by a unit test in kascfg_defaults_test.go. -gitlab: - address: http://localhost:8080{{GITLAB_RELATIVE_URL_ROOT}} # required - authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required - # ca_certificate_file: /server-ca.pem - api_rate_limit: - bucket_size: 250 - refill_rate_per_second: 50 agent: - listen: - network: tcp - address: 127.0.0.1:8150 - websocket: false - # certificate_file: /server-cert.pem - # key_file: /server-key.pem - connections_per_token_per_minute: 40000 - max_connection_age: "7200s" - listen_grace_period: "5s" configuration: - poll_period: "300s" max_configuration_file_size: 131072 + poll_period: 300s + info_cache_error_ttl: 60s + info_cache_ttl: 300s kubernetes_api: + allowed_agent_cache_error_ttl: 10s + allowed_agent_cache_ttl: 60s listen: + address: 127.0.0.1:8154 + listen_grace_period: 5s network: tcp - address: 0.0.0.0:8154 - # certificate_file: /server-cert.pem - # key_file: /server-key.pem - listen_grace_period: "5s" - shutdown_grace_period: "3600s" - url_path_prefix: / - allowed_agent_cache_ttl: "60s" - allowed_agent_cache_error_ttl: "10s" - info_cache_ttl: "300s" - info_cache_error_ttl: "60s" - redis_conn_info_ttl: 
"300s" - redis_conn_info_refresh: "240s" - redis_conn_info_gc: "600s" -observability: - usage_reporting_period: "10s" + shutdown_grace_period: 3600s + url_path_prefix: /{{GITLAB_RELATIVE_URL_ROOT}} + websocket_token_secret_file: {{GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}} listen: + address: 127.0.0.1:8150 + connections_per_token_per_minute: 40000 + listen_grace_period: 5s + max_connection_age: 7200s network: tcp - address: 127.0.0.1:8151 - prometheus: - url_path: /metrics - # tracing: - # otlp_endpoint: "https://localhost:4317/traces/foo/bar" - # otlp_token_secret_file: "/some/path" - # otlp_ca_certificate_file: "/some/path/ca.crt" - sentry: - dsn: "" - environment: "" - logging: - level: info - grpc_level: error - google_profiler: - enabled: false - # project_id: "" - # credentials_file: /some/file - # debug_logging: false - liveness_probe: - url_path: /liveness - readiness_probe: - url_path: /readiness - event_reporting_period: "10s" + websocket: true + receptive_agent: + poll_period: 60s + redis_conn_info_gc: 600s + redis_conn_info_refresh: 240s + redis_conn_info_ttl: 300s +api: + listen: + address: 127.0.0.1:8153 + listen_grace_period: 5s + max_connection_age: 7200s + network: tcp + authentication_secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required gitaly: global_api_rate_limit: - refill_rate_per_second: 30.0 bucket_size: 70 + refill_rate_per_second: 30 per_server_api_rate_limit: - refill_rate_per_second: 15.0 bucket_size: 40 + refill_rate_per_second: 15 +gitlab: + address: http://127.0.0.1:8080{{GITLAB_RELATIVE_URL_ROOT}} + authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required + api_rate_limit: + bucket_size: 250 + refill_rate_per_second: 50 +observability: + event_reporting_period: 300s + google_profiler: {} + listen: + address: 127.0.0.1:8151 + network: tcp + liveness_probe: + url_path: /liveness + logging: + level: debug + grpc_level: debug + prometheus: + url_path: /metrics + 
readiness_probe: + url_path: /readiness + sentry: {} + usage_reporting_period: 10s private_api: listen: + address: 0.0.0.0:8155 + listen_grace_period: 5s + max_connection_age: 7200s network: tcp - address: 127.0.0.1:8155 authentication_secret_file: {{GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}} - max_connection_age: 7200s - listen_grace_period: "5s" redis: + dial_timeout: 5s + key_prefix: gitlab-kas + network: tcp + write_timeout: 3s server: address: "{{REDIS_HOST}}:{{REDIS_PORT}}" # required - dial_timeout: "5s" - write_timeout: "3s" - key_prefix: gitlab-kas - password_file: {{GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}} - network: "tcp" -api: +workspaces: listen: + address: 127.0.0.1:8160 + listen_grace_period: 5s network: tcp - address: 127.0.0.1:8153 - authentication_secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required - # certificate_file: /server-cert.pem - # key_file: /server-key.pem - max_connection_age: "7200s" - listen_grace_period: "5s" + shutdown_grace_period: 3600s + From 11dbfb1baf2b91c1afa85522e014dc6ec2273683 Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Tue, 21 Oct 2025 07:56:05 +0000 Subject: [PATCH 14/25] change name of secret add WEBTOKEN secret; remove GITLAB_KAS_SECRET Replace GITLAB_KAS_SECRET by GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE --- assets/runtime/config/gitlabhq/gitlab.yml | 4 ++-- assets/runtime/env-defaults | 4 ++-- assets/runtime/functions | 16 ++++++++-------- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index af27a482b..cd49fd8a6 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml 
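Review bot: The regenerated template changes two security-relevant defaults without mention in the commit message: `private_api.listen.address` moves from `127.0.0.1:8155` to `0.0.0.0:8155`, making the secret-protected private API reachable from any network the container is attached to rather than loopback only, and `observability.logging` goes from `level: info` / `grpc_level: error` to `level: debug` / `grpc_level: debug`, far more verbose than a production default should be. Unless multi-replica KAS across containers is intended, keep `address: 127.0.0.1:8155` and restore `level: info` and `grpc_level: error`. The `password_file: {{GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}}` key under `redis` is dropped on the new side while `assets/runtime/functions` still templates that variable and the README documents it, so the parameter becomes a silent no-op; either restore the key or retire the variable. The copied upstream header (`Correctness of this file is enforced by a unit test in kascfg_defaults_test.go`) does not hold for this templated copy and should be replaced by a note that the file is derived from the gitlab-agent default config with `{{VAR}}` placeholders filled by update_template. The same content is re-emitted in the PATCH 16 rewrite of this file, so the points apply there too.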
@@ -1222,7 +1222,7 @@ production: &base enabled: {{GITLAB_KAS_ENABLED}} # File that contains the secret key for verifying access for gitlab-kas. # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). - secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret + secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # /home/git/gitlab/.gitlab_kas_secret # The URL to the external KAS API (used by the Kubernetes agents) external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com @@ -1418,7 +1418,7 @@ test: region: us-east-1 gitlab: - host: localhost + host: 127.0.0.1 port: 80 content_security_policy: diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 26fdebcda..7a086d060 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults 
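Review bot: The trailing comment on the new line, `# /home/git/gitlab/.gitlab_kas_secret`, and the two context comments above it ("Default is '.gitlab_kas_secret' relative to Rails.root") no longer describe the value: the variable now defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret` per env-defaults. Suggest `secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # default: ${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret` and rewording the comment above to say the file is shared with the built-in KAS `api.listen.authentication_secret_file`. This also means an operator running an external KAS (`GITLAB_KAS_ENABLED=true` with the built-in one disabled) must point `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` at the external KAS's secret, which the README does not currently state.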
@@ -697,14 +697,14 @@ GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-} ## Gitlab KAS GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false} -GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret} GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"} -GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"} +GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://127.0.0.1:8153"} GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} ## gitlab-agent KAS (built-in one) GITLAB_AGENT_KAS_ENABLED=${GITLAB_AGENT_KAS_ENABLED:-${GITLAB_KAS_ENABLED}} GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret} GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_private_api_secret} +GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE=${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_websocket_token_secret} GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-} GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE:-${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} diff --git a/assets/runtime/functions b/assets/runtime/functions index 8c93f3264..d6710b00d 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions 
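Review bot: Removing `GITLAB_KAS_SECRET` here leaves dangling documentation: the README still says "You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_secret)" (visible as hunk context in the later README changes of this series) and none of those later hunks remove it. Likewise the default for `GITLAB_KAS_INTERNAL` changes from `grpc://localhost:8153` to `grpc://127.0.0.1:8153`, while the README entry still reads Defaults to `"grpc://localhost:8153"`. Both README passages should be updated in the same commit so the documented defaults match env-defaults.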
@@ -394,17 +394,17 @@ gitlab_configure_gitlab_kas() { update_template ${GITLAB_CONFIG} \ GITLAB_KAS_ENABLED \ - GITLAB_KAS_SECRET \ GITLAB_KAS_EXTERNAL \ GITLAB_KAS_INTERNAL \ + GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ GITLAB_KAS_PROXY printf "Configuring gitlab-agent::KAS (enabled: %s)\n" "${GITLAB_AGENT_BUILTIN_KAS_ENABLED}" update_template ${GITLAB_KAS_CONFIG} \ GITLAB_RELATIVE_URL_ROOT \ - GITLAB_KAS_SECRET \ GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE \ REDIS_HOST \ REDIS_PORT \ GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE @@ -1006,12 +1006,7 @@ gitlab_configure_secrets() { chmod 600 "${pages_secret}" fi - if [[ ! -f "${GITLAB_KAS_SECRET}" ]]; then - exec_as_git openssl rand -base64 -out "${GITLAB_KAS_SECRET}" 32 - chmod 600 ${GITALB_KAS_SECRET} - fi - - if [[ ! -f "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then + if [[ ! -f "${GITLAB_AGENT_kas_aPI_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32 chmod 600 ${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE} fi @@ -1022,6 +1017,11 @@ gitlab_configure_secrets() { exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32 chmod 600 ${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE} fi + + if [[ ! -f "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}" ]]; then + exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}" 72 + chmod 600 ${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE} + fi } gitlab_configure_sidekiq() { From 24a9d1f092dd5ba5576d0bd39b57d33482eb6165 Mon Sep 17 00:00:00 2001 
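Review bot: In the new websocket-secret block `openssl rand -base64 -out "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}" 72` creates the file with the process umask and only the following `chmod 600` tightens it, so there is a short window with default permissions; the same ordering exists in the API and private-API blocks above it. Creating the file first and then filling it closes the gap and mirrors the redis-password handling elsewhere in this file: `exec_as_git touch "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}"`, `chmod 600 "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}"`, `exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}" 72`. The `chmod` operands in all three blocks are unquoted while the `-f` tests are quoted; quote them consistently. In the `-1006` hunk the new test reads `${GITLAB_AGENT_kas_aPI_LISTEN_AUTHENTICATION_SECRET_FILE}`, a mixed-case name that expands to an empty string, so the API secret is regenerated on every container start until PATCH 17 corrects the spelling. gitlab_configure_secrets starts outside this hunk.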
From: Thomas Hiller Date: Wed, 22 Oct 2025 08:14:37 +0000 Subject: [PATCH 15/25] configure NGINX for GITLAB_BUILTIN_KAS Add kas location to assets/runtime/config/nginx/gitlab(-ssl) config KAS location is affected by GITLAB_RELATIVE_URL_ROOT so the update step is added to assets/runtime/functions --- assets/runtime/config/nginx/gitlab | 48 ++++++++++++++++++++++++++ assets/runtime/config/nginx/gitlab-ssl | 48 ++++++++++++++++++++++++++ assets/runtime/functions | 7 ++++ 3 files changed, 103 insertions(+) diff --git a/assets/runtime/config/nginx/gitlab b/assets/runtime/config/nginx/gitlab index 185ee0451..680e9ea71 100644 --- a/assets/runtime/config/nginx/gitlab +++ b/assets/runtime/config/nginx/gitlab 

@@ -84,6 +84,54 @@ server { proxy_pass http://gitlab-workhorse; } + #start-builtin-kas + location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/ { + client_max_body_size 0; + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + proxy_buffering {{NGINX_PROXY_BUFFERING}}; + + proxy_http_version 1.1; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade_gitlab; + + proxy_pass http://127.0.0.1:8150; + } + + location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/k8s-proxy/ { + client_max_body_size 0; + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + proxy_buffering {{NGINX_PROXY_BUFFERING}}; + + proxy_http_version 1.1; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade_gitlab; + + proxy_pass http://127.0.0.1:8154; + } + #end-builtin-kas + error_page 404 /404.html; error_page 422 /422.html; error_page 500 /500.html; diff --git a/assets/runtime/config/nginx/gitlab-ssl b/assets/runtime/config/nginx/gitlab-ssl index b52b86a67..33ce94bac 100644 --- a/assets/runtime/config/nginx/gitlab-ssl +++ b/assets/runtime/config/nginx/gitlab-ssl 
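Review bot: Both new `location` blocks pass the request path through unchanged (`proxy_pass http://127.0.0.1:8154;` with no URI part), so kas's `agent.kubernetes_api.url_path_prefix` must equal the nginx prefix `{{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/k8s-proxy/`; at this point in the series the kas template still carries `/{{GITLAB_RELATIVE_URL_ROOT}}`, and the two only agree once PATCH 19 lands, so the k8s proxy path is broken for the intermediate commits. `proxy_read_timeout 300` also governs the agent WebSocket on 8150, where kas allows `max_connection_age: 7200s`; an agent channel idle for five minutes is closed by nginx, so confirm kas's keepalive cadence is shorter or raise the timeout for the `/-/kubernetes-agent/` location. The 48 lines are duplicated verbatim in `nginx/gitlab-ssl` (the next hunk); an `include` snippet guarded by the same `#start-builtin-kas` / `#end-builtin-kas` markers would keep the two in sync.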
@@ -131,6 +131,54 @@ server { proxy_pass http://gitlab-workhorse; } + #start-builtin-kas + location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/ { + client_max_body_size 0; + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + proxy_buffering {{NGINX_PROXY_BUFFERING}}; + + proxy_http_version 1.1; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade_gitlab; + + proxy_pass http://127.0.0.1:8150; + } + + location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/k8s-proxy/ { + client_max_body_size 0; + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + proxy_buffering {{NGINX_PROXY_BUFFERING}}; + + proxy_http_version 1.1; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade_gitlab; + + proxy_pass http://127.0.0.1:8154; + } + #end-builtin-kas + error_page 404 /404.html; error_page 422 /422.html; error_page 500 /500.html; diff --git a/assets/runtime/functions b/assets/runtime/functions index d6710b00d..1183b63b7 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions 
@@ -1655,12 +1655,19 @@ nginx_configure_gitlab_real_ip() { nginx_configure_gitlab() { echo "Configuring nginx::gitlab..." + if [[ ! ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]; then + sed -i "/#start-builtin-kas/,/#end-builtin-kas/d" ${GITLAB_NGINX_CONFIG} + else + sed -i "/#start-builtin-kas/d" ${GITLAB_NGINX_CONFIG} + sed -i "/#end-builtin-kas/d" ${GITLAB_NGINX_CONFIG} + fi update_template ${GITLAB_NGINX_CONFIG} \ GITLAB_HOME \ GITLAB_INSTALL_DIR \ GITLAB_LOG_DIR \ GITLAB_HOST \ GITLAB_PORT \ + GITLAB_RELATIVE_URL_ROOT \ NGINX_PROXY_BUFFERING \ NGINX_ACCEL_BUFFERING \ NGINX_X_FORWARDED_PROTO \ From ae2fbcf65c74fcc25f73d9f0b5dc720f015eda95 Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Fri, 24 Oct 2025 07:22:02 +0000 Subject: [PATCH 16/25] tweak agent.kubernetes_api.url_path_prefix in gitlab-kas_config.yaml complete 18.5.0 upgrade --- .../gitlab-agent/gitlab-kas_config.yaml | 190 +++++++++--------- 1 file changed, 95 insertions(+), 95 deletions(-) diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml index 6683a62f2..315dfb2c5 100644 --- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml 
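Review bot: The guard `if [[ ! ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]; then` reads more naturally as `if [[ ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} != true ]]; then`, and the two marker deletions in the else branch can be a single invocation, `sed -i -e "/#start-builtin-kas/d" -e "/#end-builtin-kas/d" "${GITLAB_NGINX_CONFIG}"`, with the path quoted in both branches. At this commit `GITLAB_AGENT_BUILTIN_KAS_ENABLED` has no entry in env-defaults (it is added in PATCH 17), so an unset value takes the disable branch silently; a short comment above the `if` stating that anything other than the literal `true` strips the KAS locations would document the intent. nginx_configure_gitlab continues past the end of this hunk.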
@@ -1,95 +1,95 @@ -# This is a configuration file for kas that contains the default values for the settings. -# It DOES NOT contain all the possible configuration knobs. -# The source of truth is kascfg.proto. -# It contains all the fields and documentation them. -# If you are looking for a setting, start from the ConfigurationFile message in: -# - the proto file kascfg.proto. -# - the generated documentation in kascfg_proto_docs.md. -# Correctness of this file is enforced by a unit test in kascfg_defaults_test.go. - -agent: - configuration: - max_configuration_file_size: 131072 - poll_period: 300s - info_cache_error_ttl: 60s - info_cache_ttl: 300s - kubernetes_api: - allowed_agent_cache_error_ttl: 10s - allowed_agent_cache_ttl: 60s - listen: - address: 127.0.0.1:8154 - listen_grace_period: 5s - network: tcp - shutdown_grace_period: 3600s - url_path_prefix: /{{GITLAB_RELATIVE_URL_ROOT}} - websocket_token_secret_file: {{GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}} - listen: - address: 127.0.0.1:8150 - connections_per_token_per_minute: 40000 - listen_grace_period: 5s - max_connection_age: 7200s - network: tcp - websocket: true - receptive_agent: - poll_period: 60s - redis_conn_info_gc: 600s - redis_conn_info_refresh: 240s - redis_conn_info_ttl: 300s -api: - listen: - address: 127.0.0.1:8153 - listen_grace_period: 5s - max_connection_age: 7200s - network: tcp - authentication_secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required -gitaly: - global_api_rate_limit: - bucket_size: 70 - refill_rate_per_second: 30 - per_server_api_rate_limit: - bucket_size: 40 - refill_rate_per_second: 15 -gitlab: - address: http://127.0.0.1:8080{{GITLAB_RELATIVE_URL_ROOT}} - authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required - api_rate_limit: - bucket_size: 250 - refill_rate_per_second: 50 -observability: - event_reporting_period: 300s - google_profiler: {} - listen: - address: 127.0.0.1:8151 - network: tcp - 
liveness_probe: - url_path: /liveness - logging: - level: debug - grpc_level: debug - prometheus: - url_path: /metrics - readiness_probe: - url_path: /readiness - sentry: {} - usage_reporting_period: 10s -private_api: - listen: - address: 0.0.0.0:8155 - listen_grace_period: 5s - max_connection_age: 7200s - network: tcp - authentication_secret_file: {{GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}} -redis: - dial_timeout: 5s - key_prefix: gitlab-kas - network: tcp - write_timeout: 3s - server: - address: "{{REDIS_HOST}}:{{REDIS_PORT}}" # required -workspaces: - listen: - address: 127.0.0.1:8160 - listen_grace_period: 5s - network: tcp - shutdown_grace_period: 3600s - +# This is a configuration file for kas that contains the default values for the settings. +# It DOES NOT contain all the possible configuration knobs. +# The source of truth is kascfg.proto. +# It contains all the fields and documentation them. +# If you are looking for a setting, start from the ConfigurationFile message in: +# - the proto file kascfg.proto. +# - the generated documentation in kascfg_proto_docs.md. +# Correctness of this file is enforced by a unit test in kascfg_defaults_test.go. 
+ +agent: + configuration: + max_configuration_file_size: 131072 + poll_period: 300s + info_cache_error_ttl: 60s + info_cache_ttl: 300s + kubernetes_api: + allowed_agent_cache_error_ttl: 10s + allowed_agent_cache_ttl: 60s + listen: + address: 127.0.0.1:8154 + listen_grace_period: 5s + network: tcp + shutdown_grace_period: 3600s + url_path_prefix: {{GITLAB_RELATIVE_URL_ROOT}}/ + websocket_token_secret_file: {{GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}} + listen: + address: 127.0.0.1:8150 + connections_per_token_per_minute: 40000 + listen_grace_period: 5s + max_connection_age: 7200s + network: tcp + websocket: true + receptive_agent: + poll_period: 60s + redis_conn_info_gc: 600s + redis_conn_info_refresh: 240s + redis_conn_info_ttl: 300s +api: + listen: + address: 127.0.0.1:8153 + listen_grace_period: 5s + max_connection_age: 7200s + network: tcp + authentication_secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required +gitaly: + global_api_rate_limit: + bucket_size: 70 + refill_rate_per_second: 30 + per_server_api_rate_limit: + bucket_size: 40 + refill_rate_per_second: 15 +gitlab: + address: http://127.0.0.1:8080{{GITLAB_RELATIVE_URL_ROOT}} + authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required + api_rate_limit: + bucket_size: 250 + refill_rate_per_second: 50 +observability: + event_reporting_period: 300s + google_profiler: {} + listen: + address: 127.0.0.1:8151 + network: tcp + liveness_probe: + url_path: /liveness + logging: + level: debug + grpc_level: debug + prometheus: + url_path: /metrics + readiness_probe: + url_path: /readiness + sentry: {} + usage_reporting_period: 10s +private_api: + listen: + address: 0.0.0.0:8155 + listen_grace_period: 5s + max_connection_age: 7200s + network: tcp + authentication_secret_file: {{GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}} +redis: + dial_timeout: 5s + key_prefix: gitlab-kas + network: tcp + write_timeout: 3s + server: + address: 
"{{REDIS_HOST}}:{{REDIS_PORT}}" # required +workspaces: + listen: + address: 127.0.0.1:8160 + listen_grace_period: 5s + network: tcp + shutdown_grace_period: 3600s + From af0f99e75ecb07562ec80d946ae5caba55b39de4 Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Fri, 24 Oct 2025 07:46:21 +0000 Subject: [PATCH 17/25] fix GITLAB_AGENT_BUILTIN_KAS_ENABLED == false --- assets/runtime/env-defaults | 1 + assets/runtime/functions | 22 ++++++++++++---------- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 7a086d060..9809ae135 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -708,3 +708,4 @@ GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KA GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE=${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_websocket_token_secret} GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-} GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE:-${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} +GITLAB_AGENT_BUILTIN_KAS_ENABLED=${GITLAB_AGENT_BUILTIN_KAS_ENABLED:-false} diff --git a/assets/runtime/functions b/assets/runtime/functions index 1183b63b7..425369c99 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions 
@@ -400,15 +400,17 @@ gitlab_configure_gitlab_kas() { GITLAB_KAS_PROXY printf "Configuring gitlab-agent::KAS (enabled: %s)\n" "${GITLAB_AGENT_BUILTIN_KAS_ENABLED}" - update_template ${GITLAB_KAS_CONFIG} \ - GITLAB_RELATIVE_URL_ROOT \ - GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ - GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \ - GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE \ - REDIS_HOST \ - REDIS_PORT \ - GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE - + if [[ ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]; then + update_template ${GITLAB_KAS_CONFIG} \ + GITLAB_RELATIVE_URL_ROOT \ + GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE \ + REDIS_HOST \ + REDIS_PORT \ + GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE + fi + if [[ -n ${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE} ]]; then exec_as_git touch "${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}" exec_as_git chmod 600 "${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}" @@ -1006,7 +1008,7 @@ gitlab_configure_secrets() { chmod 600 "${pages_secret}" fi - if [[ ! -f "${GITLAB_AGENT_kas_aPI_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then + if [[ ! -f "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32 chmod 600 ${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE} fi From 7817763ef89a09f5af9f8ffdea8c196d32d4ffef Mon Sep 17 00:00:00 2001 From: KIMURA Kazunori Date: Fri, 24 Oct 2025 18:50:34 +0900 Subject: [PATCH 18/25] Fix parameter name to enable builtin-kas Merge GITLAB_AGENT_BUILTIN_KAS_ENABLED and GITLAB_AGENT_KAS_ENABLED --- README.md | 4 ++-- assets/runtime/env-defaults | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 31deede9a..736d3a1aa 100644 --- a/README.md +++ b/README.md 
@@ -944,7 +944,7 @@ You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_ #### Built-in GitLab-Agent KAS -To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_KAS_ENABLED`](#gitlab_agent_kas_enabled). +To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_BUILTIN_KAS_ENABLED`](#gitlab_agent_builtin_kas_enabled). You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist. Authentication secret file will be set to same value of `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` but you can overwrite it by setting [`GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_gitlab_authentication_secret_file). @@ -1306,7 +1306,7 @@ Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"` The URL to the Kubernetes API proxy (used by GitLab users). No default. -##### `GITLAB_AGENT_KAS_ENABLED` +##### `GITLAB_AGENT_BUILTIN_KAS_ENABLED` Control startup behavior of built-in KAS. `autostart` value in supervisor configuration for KAS will be set to this value. Default to [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 9809ae135..a2c6d6c88 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults 
@@ -702,7 +702,6 @@ GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://127.0.0.1:8153"} GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} ## gitlab-agent KAS (built-in one) -GITLAB_AGENT_KAS_ENABLED=${GITLAB_AGENT_KAS_ENABLED:-${GITLAB_KAS_ENABLED}} GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret} GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_private_api_secret} GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE=${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_websocket_token_secret} From f4f12c05471625f97a3c722ca8a62c700f9acf57 Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Fri, 24 Oct 2025 14:17:44 +0000 Subject: [PATCH 19/25] fix kubernetes access --- assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml index 315dfb2c5..a65dce7d2 100644 --- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml @@ -21,7 +21,7 @@ agent: listen_grace_period: 5s network: tcp shutdown_grace_period: 3600s - url_path_prefix: {{GITLAB_RELATIVE_URL_ROOT}}/ + url_path_prefix: {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/k8s-proxy/ websocket_token_secret_file: {{GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}} listen: address: 127.0.0.1:8150 From fe43509decbcff84b02f710684258bcf21a03642 Mon Sep 17 00:00:00 2001 From: KIMURA Kazunori Date: Tue, 6 Jan 2026 15:09:47 +0900 Subject: [PATCH 20/25] Add description for `GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE` --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 736d3a1aa..6f043988a 100644 
--- a/README.md +++ b/README.md @@ -1310,6 +1310,10 @@ The URL to the Kubernetes API proxy (used by GitLab users). No default. Control startup behavior of built-in KAS. `autostart` value in supervisor configuration for KAS will be set to this value. Default to [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) +##### `GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE` + +Websocket token secret file. Default to `${GITLAB_INSTALL_DIR}/.gitlab_kas_websocket_token_secret` + ##### `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE` An authentication secret file used to connect to gitlab from KAS. Defaults to `${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}`. From 4cab961e143fec94f04168bb3c81d65825912514 Mon Sep 17 00:00:00 2001 From: KIMURA Kazunori Date: Tue, 6 Jan 2026 15:21:18 +0900 Subject: [PATCH 21/25] Add example KAS configuration to README.md --- README.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/README.md b/README.md index 6f043988a..ba588bc3e 100644 --- a/README.md +++ b/README.md 
@@ -942,6 +942,58 @@ You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#gitlab_kas_e You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_secret). This secret file will be generated if they don't exist. +Here is an example settings for kubernetes rc.yml: + +```yaml +spec: + containers: + - name: gitlab + image: sameersbn/gitlab:latest + env: + - name: GITLAB_KAS_ENABLED + value: "true" + - name: GITLAB_AGENT_BUILTIN_KAS_ENABLED + value: "true" + - name: GITLAB_KAS_EXTERNAL + value: wss://gitlab.example.com/gitlab/-/kubernetes-agent/ + - name: GITLAB_KAS_INTERNAL + value: grpc://127.0.0.1:8153 + - name: GITLAB_KAS_PROXY + value: https://gitlab.example.com/gitlab/-/kubernetes-agent/k8s-proxy/ + - name: OWN_PRIVATE_API_URL + value: grpc://127.0.0.1:8155 +``` + +and for docker-compose.yml: + +```yaml +services: + gitlab: + image: sameersbn/gitlab:latest + environment: + - GITLAB_KAS_ENABLED=true + - GITLAB_AGENT_BUILTIN_KAS_ENABLED=true + - GITLAB_KAS_EXTERNAL=wss://gitlab.example.com/gitlab/-/kubernetes-agent/ + - GITLAB_KAS_INTERNAL=grpc://127.0.0.1:8153 + - GITLAB_KAS_PROXY=https://gitlab.example.com/gitlab/-/kubernetes-agent/k8s-proxy/ + - OWN_PRIVATE_API_URL=grpc://127.0.0.1:8155 +``` + +or in another style: + +```yaml +services: + gitlab: + image: sameersbn/gitlab:latest + environment: + GITLAB_KAS_ENABLED: "true" + GITLAB_AGENT_BUILTIN_KAS_ENABLED: "true" + GITLAB_KAS_EXTERNAL: wss://gitlab.example.com/gitlab/-/kubernetes-agent/ + GITLAB_KAS_INTERNAL: grpc://127.0.0.1:8153 + GITLAB_KAS_PROXY: https://gitlab.example.com/gitlab/-/kubernetes-agent/k8s-proxy/ + OWN_PRIVATE_API_URL: grpc://127.0.0.1:8155 +``` + #### Built-in GitLab-Agent KAS To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_BUILTIN_KAS_ENABLED`](#gitlab_agent_builtin_kas_enabled). From 4c424fb38892954382513284cca499fafed537cf Mon Sep 17 00:00:00 2001 
From: KIMURA Kazunori Date: Tue, 6 Jan 2026 15:20:57 +0900 Subject: [PATCH 22/25] Fix assignment for GITLAB_KAS_SECRET User still only required to set `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` as `GITLAB_KAS_SECRET` finally default to `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` (over `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE`) --- README.md | 2 +- assets/runtime/config/gitlabhq/gitlab.yml | 2 +- assets/runtime/env-defaults | 2 ++ assets/runtime/functions | 3 ++- 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index ba588bc3e..0ee22ee02 100644 --- a/README.md +++ b/README.md @@ -1344,7 +1344,7 @@ Enable/Disable GitLab agent server for Kubernetes (KAS). See details on [officia ##### `GITLAB_KAS_SECRET` -File that contains the secret key for verifying access for GitLab KAS. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_secret` +File that contains the secret key for verifying access for GitLab KAS. This value will be used for `production.gitlab_kas.secret_file` in gitlab.yml. Defaults to `${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}` ##### `GITLAB_KAS_EXTERNAL` diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index cd49fd8a6..4ed760fd9 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml @@ -1222,7 +1222,7 @@ production: &base enabled: {{GITLAB_KAS_ENABLED}} # File that contains the secret key for verifying access for gitlab-kas. # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). - secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # /home/git/gitlab/.gitlab_kas_secret + secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret # The URL to the external KAS API (used by the Kubernetes agents) external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com 
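Review bot: The two comment lines above `secret_file` and the trailing `# /home/git/gitlab/.gitlab_kas_secret` now describe a default this image no longer uses: the value is taken from `GITLAB_KAS_SECRET`, which the commit message says falls back to `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE`, and the README hunk in the same commit documents exactly that. Replace the stale comment with `# Secret shared with gitlab-kas for verifying its requests. Taken from GITLAB_KAS_SECRET, which defaults to GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE so Rails and the built-in KAS read the same file.` and drop the `.gitlab_kas_secret` path comment, so an operator reading gitlab.yml does not go looking for a file that is never created here.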
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index a2c6d6c88..3872ef632 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
@@ -708,3 +708,5 @@ GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE=${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_
GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-}
GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE:-${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}}
GITLAB_AGENT_BUILTIN_KAS_ENABLED=${GITLAB_AGENT_BUILTIN_KAS_ENABLED:-false}
+
+ GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}}
diff --git a/assets/runtime/functions b/assets/runtime/functions
index 425369c99..3ea7e6bef 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -396,7 +396,7 @@ gitlab_configure_gitlab_kas() {
GITLAB_KAS_ENABLED \
GITLAB_KAS_EXTERNAL \
GITLAB_KAS_INTERNAL \
- GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \
+ GITLAB_KAS_SECRET \
GITLAB_KAS_PROXY
printf "Configuring gitlab-agent::KAS (enabled: %s)\n" "${GITLAB_AGENT_BUILTIN_KAS_ENABLED}"
@@ -406,6 +406,7 @@ gitlab_configure_gitlab_kas() {
GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \
GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \
GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE \
+ GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE \
REDIS_HOST \
REDIS_PORT \
GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE
From 15419fbea831c2e4d0afe8f811deb66b1a656ee4 Mon Sep 17 00:00:00 2001
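Review bot: `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE` (KAS side) and `GITLAB_KAS_SECRET` (Rails side, templated a few lines above) are now written into two different config files with no check that they resolve to the same path; the default chain keeps them aligned, but a user who overrides only `GITLAB_KAS_SECRET` ends up with Rails and KAS verifying against different secrets, and as far as the earlier `gitlab_configure_secrets` hunk shows only the API listen secret is auto-generated, so the overridden path may not exist at all. Add a guard before this `update_template`, e.g. `[[ "${GITLAB_KAS_SECRET}" == "${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}" ]] || echo "WARNING: GITLAB_KAS_SECRET and GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE differ; Rails and built-in KAS will not share a secret" >&2` plus `[[ -s "${GITLAB_KAS_SECRET}" ]] || echo "WARNING: GITLAB_KAS_SECRET file ${GITLAB_KAS_SECRET} is missing or empty" >&2`. Whether the latter check can be made fatal depends on `gitlab_configure_secrets` running first, which is not visible here. `gitlab_configure_gitlab_kas` starts before this hunk.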
From: KIMURA Kazunori Date: Thu, 26 Mar 2026 09:29:48 +0900 Subject: [PATCH 23/25] Sync gitlab-kas config to 18.5.1 - Don't mention IPv4 for localhost since it'll listen on both v4 and v6 anyway https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/merge_requests/2641 Since: v18.2.0 - Improve kas and agentk configuration docs https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/merge_requests/2902 (This sets default value for agent.listen.websocket to false, but this commit just ignored it) Since: v18.4.0 Also, we set non-default value (debug) for observability.logging.level (default: info) and .grpc_level (default: error)
--- assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml
index a65dce7d2..f4f7ac9f2 100644
--- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml
+++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml
@@ -17,7 +17,7 @@ agent:
allowed_agent_cache_error_ttl: 10s
allowed_agent_cache_ttl: 60s
listen:
- address: 127.0.0.1:8154
+ address: :8154
listen_grace_period: 5s
network: tcp
shutdown_grace_period: 3600s
@@ -74,7 +74,7 @@ observability:
usage_reporting_period: 10s
private_api:
listen:
- address: 0.0.0.0:8155
+ address: :8155
listen_grace_period: 5s
max_connection_age: 7200s
network: tcp
@@ -88,8 +88,7 @@ redis:
address: "{{REDIS_HOST}}:{{REDIS_PORT}}" # required
workspaces:
listen:
- address: 127.0.0.1:8160
+ address: :8160
listen_grace_period: 5s
network: tcp
shutdown_grace_period: 3600s
-
From d8bb0bd476c070c6aba8ef5859d8b47c22b25fd3 Mon Sep 17 00:00:00 2001
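Review bot: `:8154` and `:8160` are wildcard binds, not dual-stack loopback: with no host part the listener accepts connections on every interface of the container, so the Kubernetes API proxy listener (8154) and the workspaces listener (8160) move from 127.0.0.1 to all interfaces, which is a wider exposure than the commit message's "listen on both v4 and v6 anyway" describes; the form that gives v4+v6 loopback is `localhost:PORT`. If these listeners are only reached through the in-container reverse proxy on the `/-/kubernetes-agent/` prefix (as the earlier `url_path_prefix` change suggests), change the two lines to `address: localhost:8154` and `address: localhost:8160`, and consider the same for 8155, which was already `0.0.0.0`. If exposing them is deliberate, add a comment next to each `address:` saying so, since readers of the old file will assume loopback scope. Whether TLS or an authentication secret fronts 8154 and 8160 is not visible in this hunk.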
From: Thomas Hiller Date: Fri, 1 May 2026 21:38:42 +0900 Subject: [PATCH 24/25] KAS: fix CORS issue by setting gitlab.external_url
--- assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml | 1 + assets/runtime/functions | 7 +++++++ 2 files changed, 8 insertions(+)
diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml
index f4f7ac9f2..e217a63df 100644
--- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml
+++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml
@@ -51,6 +51,7 @@ gitaly:
refill_rate_per_second: 15
gitlab:
address: http://127.0.0.1:8080{{GITLAB_RELATIVE_URL_ROOT}}
+ external_url: {{GITLAB_SCHEME}}://{{GITLAB_HOST}}
authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required
api_rate_limit:
bucket_size: 250
diff --git a/assets/runtime/functions b/assets/runtime/functions
index 3ea7e6bef..b93ea5b0e 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -401,7 +401,14 @@ gitlab_configure_gitlab_kas() {
printf "Configuring gitlab-agent::KAS (enabled: %s)\n" "${GITLAB_AGENT_BUILTIN_KAS_ENABLED}"
if [[ ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]; then
+ if [[ "${GITLAB_HTTPS}" == true ]]; then
+ GITLAB_SCHEME=https
+ else
+ GITLAB_SCHEME=http
+ fi
update_template ${GITLAB_KAS_CONFIG} \
+ GITLAB_SCHEME \
+ GITLAB_HOST \
GITLAB_RELATIVE_URL_ROOT \
GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \
GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \
From 816da952a38f867c5b45cfdc64cb73eebddd22f7 Mon Sep 17 00:00:00 2001
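Review bot: `external_url` is assembled from scheme and host only, so an instance served on a non-default port (if the image supports one, which this hunk does not show) will advertise an origin that differs from what browsers send, and the CORS fix will not take effect there; the port should be appended whenever it is not the scheme default. Separately, `GITLAB_SCHEME` is created as a new global inside `gitlab_configure_gitlab_kas`; `local GITLAB_SCHEME=http` followed by `[[ "${GITLAB_HTTPS}" == true ]] && GITLAB_SCHEME=https` keeps it function-scoped (bash dynamic scoping still exposes it to `update_template`, assuming that helper reads the variable by name at call time) and replaces the five-line if/else. The quoting of `"${GITLAB_HTTPS}"` is also inconsistent with the unquoted `${GITLAB_AGENT_BUILTIN_KAS_ENABLED}` on the line above; pick one style. The enclosing function starts before and ends after this hunk.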
From: KIMURA Kazunori Date: Thu, 26 Mar 2026 09:32:44 +0900 Subject: [PATCH 25/25] Update built-in KAS to 19.1.0 Just bump the version unless configuration file pkg/kascfg/kascfg_default.yml is not updated - Update to 18.8.2 - Update to 18.8.4 - Update to 18.9.0 - Update to 18.9.1 - Update to 18.9.2 - Update to 18.10.0 - Update to 18.10.1 - Update to 18.10.3 - Update to 18.11.0 - Update to 18.11.1 - Update to 18.11.2 - Update to 18.11.3 - Update to 19.0.1 - Update to 19.0.2 - Update to 19.1.0 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index ec5bf8546..b9239f037 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,7 @@ ENV GITLAB_VERSION=${VERSION} \ GITLAB_SHELL_VERSION=14.54.0 \ GITLAB_PAGES_VERSION=19.1.0 \ GITALY_SERVER_VERSION=19.1.0 \ - GITLAB_AGENT_VERSION=18.5.1 \ + GITLAB_AGENT_VERSION=19.1.0 \ GITLAB_USER="git" \ GITLAB_HOME="/home/git" \ GITLAB_LOG_DIR="/var/log/gitlab" \