From 0800b4ae241b0796835c82acf54a89dfa8689e90 Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Thu, 30 Jun 2022 12:56:09 +0100 Subject: [PATCH 01/24] KAS --- assets/runtime/config/gitlabhq/gitlab.yml | 16 ++++++++++++++++ assets/runtime/env-defaults | 7 +++++++ 2 files changed, 23 insertions(+) diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index 6961a63ce..45ccc4eef 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml @@ -1271,6 +1271,22 @@ production: &base # Ban an IP for one hour (3600s) after too many auth attempts bantime: {{RACK_ATTACK_BANTIME}} + gitlab_kas: + enabled: {{GITLAB_KAS_ENABLED}} + # File that contains the secret key for verifying access for gitlab-kas. + # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). + secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret + + # The URL to the external KAS API (used by the Kubernetes agents) + external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com + + # The URL to the internal KAS API (used by the GitLab backend) + internal_url: {{GITLAB_KAS_INTERNAL}} # grpc://localhost:8153 + + # The URL to the Kubernetes API proxy (used by GitLab users) + external_k8s_proxy_url: {{GITLAB_KAS_PROXY}} # https://localhost:8154 # default: nil + + development: <<: *base diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 483446924..6b7e49f11 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults 
@@ -682,3 +682,10 @@ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI=${GITLAB_CONTENT_SECURITY_P ## Feature Flags GITLAB_FEATURE_FLAGS_DISABLE_TARGETS=${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS:-} GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-} + +## Gitlab KAS +GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false} +GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-} +GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"} +GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"} +GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} From 5a166fd6244cf5d903c44ccc6e81bb5ffd151b71 Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Mon, 4 Jul 2022 14:12:17 +0100 Subject: [PATCH 02/24] Added functions --- assets/runtime/functions | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/assets/runtime/functions b/assets/runtime/functions index d714f8c80..903640a6f 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions @@ -363,6 +363,17 @@ gitlab_configure_monitoring() { GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT } +gitlab_configure_gitlab_kas() { + echo "Configuring gitlab::KAS..." + + update_template ${GITLAB_CONFIG} \ + GITLAB_KAS_ENABLED \ + GITLAB_KAS_SECRET \ + GITLAB_KAS_EXTERNAL \ + GITLAB_KAS_INTERNAL \ + GITLAB_KAS_PROXY +} + gitlab_configure_gitlab_workhorse() { echo "Configuring gitlab::gitlab-workhorse..." update_template /etc/supervisor/conf.d/gitlab-workhorse.conf \ @@ -2041,6 +2052,7 @@ configure_gitlab() { gitlab_configure_pages gitlab_configure_sentry generate_healthcheck_script + gitlab_configure_gitlab_kas gitlab_configure_content_security_policy # remove stale gitlab.socket From d000fc100f293e078cca92cc248eadc74c838ebd Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Tue, 5 Jul 2022 13:56:26 +0100 Subject: [PATCH 03/24] Update assets/runtime/env-defaults Co-authored-by: Kazunori Kimura <33391846+kkimurak@users.noreply.github.com> --- assets/runtime/env-defaults | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
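Review bot: In the `configure_gitlab` hunk, `gitlab_configure_gitlab_kas` is inserted between `generate_healthcheck_script` and `gitlab_configure_content_security_policy`, which splits the run of `gitlab_configure_*` calls; moving it next to `gitlab_configure_pages`/`gitlab_configure_sentry` keeps the grouping the function already has. Because the new function renders `GITLAB_KAS_SECRET` into gitlab.yml, it also matters that it runs after the secret is generated, and the `gitlab_configure_secrets` call is outside this hunk, so that ordering is worth confirming. The body of `configure_gitlab` continues outside the hunk.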
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 6b7e49f11..1e8de0681 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -685,7 +685,7 @@ GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-} ## Gitlab KAS GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false} -GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-} +GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}} GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"} GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"} GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} From ff85a104c5a2517b67b4767206f0cd65b39d9e4e Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Tue, 5 Jul 2022 14:33:04 +0100 Subject: [PATCH 04/24] Added to Readme --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index 23055cff1..1ba350e5a 100644 --- a/README.md +++ b/README.md @@ -54,6 +54,7 @@ - [Piwik](#piwik) - [Feature flags](#feature-flags) - [Exposing ssh port in dockerized gitlab-ce](docs/exposing-ssh-port.md) + - [Gitlab KAS](#Gitlab KAS) - [Available Configuration Parameters](#available-configuration-parameters) - [Maintenance](#maintenance) - [Creating Backups](#creating-backups) 
@@ -914,6 +915,16 @@ Configuring gitlab::feature_flags... ... ```` +#### Gitlab KAS + +Basic Gitlab KAS Settings + +- `GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false}` +- `GITLAB_KAS_SECRET=${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}` +- `GITLAB_KAS_EXTERNAL="wss://kas.example.com"}` +- `GITLAB_KAS_INTERNAL="grpc://localhost:8153"}` +- `GITLAB_KAS_PROXY=` + #### Available Configuration Parameters *Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose. docker-compose users and Docker Swarm mode users can also use the [secrets and config file options](#docker-secrets-and-configs)* From 07104862c75df564a25e8b64a83881b4d0e219f2 Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Mon, 11 Jul 2022 09:09:59 +0100 Subject: [PATCH 05/24] Update assets/runtime/env-defaults Co-authored-by: Kazunori Kimura <33391846+kkimurak@users.noreply.github.com> --- assets/runtime/env-defaults | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 1e8de0681..e8ce35134 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -685,7 +685,7 @@ GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-} ## Gitlab KAS GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false} -GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}} +GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret} GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"} GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"} GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} From 12703a6777d9c1b6cf0349b6320c8bba043ade2b Mon Sep 17 00:00:00 2001 
From: Antt1995 Date: Mon, 11 Jul 2022 09:11:58 +0100 Subject: [PATCH 06/24] Update README.md --- README.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/README.md b/README.md index 1ba350e5a..cccd69116 100644 --- a/README.md +++ b/README.md @@ -1247,6 +1247,27 @@ Default Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSO Cron notation for the GitLab pipeline schedule worker. Defaults to `'19 * * * *'` ++##### `GITLAB_KAS_ENABLED` ++ ++Enable/Disable GitLab agent server for Kubernetes (KAS). See details on [official documentation](https://docs.gitlab.com/ee/administration/clusters/kas.html). Defaults to `false` ++ ++##### `GITLAB_KAS_SECRET` ++ ++File that contains the secret key for verifying access for GitLab KAS. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_secret` ++ ++##### `GITLAB_KAS_EXTERNAL` ++ ++User-facing URL for the in-cluster agent. Defaults to `"wss://kas.example.com"` ++ ++##### `GITLAB_KAS_INTERNAL` ++ ++Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"` ++ ++##### `GITLAB_KAS_PROXY` ++ ++The URL to the Kubernetes API proxy (used by GitLab users). No default. ++ + ##### `GITLAB_LFS_ENABLED` Enable/Disable Git LFS support. Defaults to `true`. From 51e9a1378b00573e0bbf9acc098e049fe6f2764d Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Mon, 11 Jul 2022 09:30:35 +0100 Subject: [PATCH 07/24] Update README.md Removed + --- README.md | 39 +++++++++++++++++++-------------------- 1 file changed, 19 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index cccd69116..a1481781e 100644 --- a/README.md +++ b/README.md 
@@ -1247,26 +1247,25 @@ Default Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSO Cron notation for the GitLab pipeline schedule worker. Defaults to `'19 * * * *'` -+##### `GITLAB_KAS_ENABLED` -+ -+Enable/Disable GitLab agent server for Kubernetes (KAS). See details on [official documentation](https://docs.gitlab.com/ee/administration/clusters/kas.html). Defaults to `false` -+ -+##### `GITLAB_KAS_SECRET` -+ -+File that contains the secret key for verifying access for GitLab KAS. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_secret` -+ -+##### `GITLAB_KAS_EXTERNAL` -+ -+User-facing URL for the in-cluster agent. Defaults to `"wss://kas.example.com"` -+ -+##### `GITLAB_KAS_INTERNAL` -+ -+Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"` -+ -+##### `GITLAB_KAS_PROXY` -+ -+The URL to the Kubernetes API proxy (used by GitLab users). No default. -+ +##### `GITLAB_KAS_ENABLED` + +Enable/Disable GitLab agent server for Kubernetes (KAS). See details on [official documentation](https://docs.gitlab.com/ee/administration/clusters/kas.html). Defaults to `false` + +##### `GITLAB_KAS_SECRET` + +File that contains the secret key for verifying access for GitLab KAS. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_secret` + +##### `GITLAB_KAS_EXTERNAL` + +User-facing URL for the in-cluster agent. Defaults to `"wss://kas.example.com"` + +##### `GITLAB_KAS_INTERNAL` + +Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"` + +##### `GITLAB_KAS_PROXY` + +The URL to the Kubernetes API proxy (used by GitLab users). No default. ##### `GITLAB_LFS_ENABLED` From 53ee97ef09b92e5f2e4340daf3f26499f6db03ea Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Thu, 28 Jul 2022 14:08:14 +0100 Subject: [PATCH 08/24] Update README.md Co-authored-by: Kazunori Kimura <33391846+kkimurak@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index a1481781e..d906e92e4 100644 --- a/README.md +++ b/README.md @@ -54,7 +54,7 @@ - [Piwik](#piwik) - [Feature flags](#feature-flags) - [Exposing ssh port in dockerized gitlab-ce](docs/exposing-ssh-port.md) - - [Gitlab KAS](#Gitlab KAS) + - [Gitlab KAS](#Gitlab-KAS) - [Available Configuration Parameters](#available-configuration-parameters) - [Maintenance](#maintenance) - [Creating Backups](#creating-backups) From e704e26368027c960999d9dbfc733c9f61f4e200 Mon Sep 17 00:00:00 2001 From: Kazunori Kimura Date: Wed, 24 Aug 2022 17:48:04 +0900 Subject: [PATCH 09/24] README.md: revise GitLab KAS section Fix link fragment for gitlab-kas in TOC (markdownlint: MD-051 - must be lowercase) --- README.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index d906e92e4..6199282fd 100644 --- a/README.md +++ b/README.md @@ -54,7 +54,7 @@ - [Piwik](#piwik) - [Feature flags](#feature-flags) - [Exposing ssh port in dockerized gitlab-ce](docs/exposing-ssh-port.md) - - [Gitlab KAS](#Gitlab-KAS) + - [Gitlab KAS](#gitlab-kas) - [Available Configuration Parameters](#available-configuration-parameters) - [Maintenance](#maintenance) - [Creating Backups](#creating-backups) 
@@ -917,13 +917,11 @@ Configuring gitlab::feature_flags... #### Gitlab KAS -Basic Gitlab KAS Settings +GitLab agent server for Kubernetes (KAS) is disabled by default, but you can enable it by setting configuration parameter [`GITLAB_KAS_ENABLED`](#GITLAB_KAS_ENABLED) to true. +By default, built-in `gitlab-kas` is used. But you can use an external installation of KAS by setting internal URL for the GItLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#GITLAB_KAS_INTERNAL). +You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#GITLAB_KAS_EXTERNAL). If you set up proxy URL, use `GITLAB_KAS_PROXY`. -- `GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false}` -- `GITLAB_KAS_SECRET=${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}` -- `GITLAB_KAS_EXTERNAL="wss://kas.example.com"}` -- `GITLAB_KAS_INTERNAL="grpc://localhost:8153"}` -- `GITLAB_KAS_PROXY=` +See official documentation : https://docs.gitlab.com/ee/administration/clusters/kas.html #### Available Configuration Parameters From eef55f842d9ecd0df1ef25a4972f105c8929d3d8 Mon Sep 17 00:00:00 2001 From: Kazunori Kimura Date: Wed, 24 Aug 2022 17:48:17 +0900 Subject: [PATCH 10/24] Add KAS config file, minimal parameterization also add process to generate secret files for KAS - GITLAB_KAS_SECRET - GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE - GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE --- README.md | 21 ++++ .../gitlab-agent/gitlab-kas_config.yaml | 101 ++++++++++++++++++ assets/runtime/env-defaults | 3 + assets/runtime/functions | 39 +++++++ 4 files changed, 164 insertions(+) create mode 100644 assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml diff --git a/README.md b/README.md index 6199282fd..f4c3c09d4 100644 --- a/README.md +++ b/README.md 
@@ -921,6 +921,13 @@ GitLab agent server for Kubernetes (KAS) is disabled by default, but you can ena By default, built-in `gitlab-kas` is used. But you can use an external installation of KAS by setting internal URL for the GItLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#GITLAB_KAS_INTERNAL). You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#GITLAB_KAS_EXTERNAL). If you set up proxy URL, use `GITLAB_KAS_PROXY`. +You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#GITLAB_KAS_SECRET), [`GITLAB_KAS_API_AUTHENTICATION_SECRET_FILE`](#GITLAB_KAS_API_AUTHENTICATION_SECRET_FILE) and [`GITLAB_KAS_PRIVATE_API_AUTHENTICATION_SECRET_FILE`](#GITLAB_KAS_PRIVATE_API_AUTHENTICATION_SECRET_FILE). These secret files are automatically generated if they don't exist. + +Built-in KAS communicates to redis. The host and ports are set using `REDIS_HOST` and `REDIS_PORT`. +You can specify the password file path in `GITLAB_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See https://github.com/sameersbn/docker-gitlab/pull/1026 + +Also note that KAS requires that environment variable `OWN_PRIVATE_API_URL` is set (e.g. `OWN_PRIVATE_API_URL=grpc://127.0.0.1:8155`). If not, the KAS service will keep restarting. + See official documentation : https://docs.gitlab.com/ee/administration/clusters/kas.html #### Available Configuration Parameters 
@@ -1265,6 +1272,20 @@ Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"` The URL to the Kubernetes API proxy (used by GitLab users). No default. +##### `GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` + +An authentication secret file to verify JWT token, for KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret` + +##### `GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE` + +An authentication secret file to verify JWT token, for KAS internal API. If not exists, an secret file will be generated on startup. This is not "required", so please leave blank if you don't need it. No default. + +##### `GITLAB_KAS_REDIS_PASSWORD_FILE` + +Path for the file that contains redis password. This is not "required", so please leave blank if you don't need it. No default. + +NOTE: We currently do not support password authentication between gitlab and redis. See https://github.com/sameersbn/docker-gitlab/pull/1026 + ##### `GITLAB_LFS_ENABLED` Enable/Disable Git LFS support. Defaults to `true`. diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml new file mode 100644 index 000000000..b456620b8 --- /dev/null +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml 
@@ -0,0 +1,101 @@ +# Import from gitlab-org/cluster-integration/gitlab-agent/pkg/kascfg/config_example.yaml +# +# This is a sample configuration file for kas. The source of truth is pkg/kascfg/kascfg.proto. It contains documentation +# for all the fields. Configuration values in this file are the defaults (if set) that are used by kas. + +gitlab: + address: http://localhost:8080{{GITLAB_RELATIVE_URL_ROOT}} # required + authentication_secret_file: {{GITLAB_KAS_SECRET}} # required + # ca_certificate_file: /server-ca.pem + api_rate_limit: + refill_rate_per_second: 10.0 + bucket_size: 50 +agent: + listen: + network: tcp + address: 127.0.0.1:8150 + websocket: false + # certificate_file: /server-cert.pem + # key_file: /server-key.pem + connections_per_token_per_minute: 10000 + max_connection_age: "1800s" + configuration: + poll_period: "20s" + max_configuration_file_size: 131072 + gitops: + poll_period: "20s" + project_info_cache_ttl: "300s" + project_info_cache_error_ttl: "60s" + max_manifest_file_size: 5242880 + max_total_manifest_file_size: 20971520 + max_number_of_paths: 100 + max_number_of_files: 1000 + kubernetes_api: + listen: + network: tcp + address: 0.0.0.0:8154 + # certificate_file: /server-cert.pem + # key_file: /server-key.pem + url_path_prefix: / + allowed_agent_cache_ttl: "60s" + allowed_agent_cache_error_ttl: "10s" + info_cache_ttl: "300s" + info_cache_error_ttl: "60s" + redis_conn_info_ttl: "300s" + redis_conn_info_refresh: "240s" + redis_conn_info_gc: "600s" +observability: + usage_reporting_period: "60s" + listen: + network: tcp + address: 127.0.0.1:8151 + prometheus: + url_path: /metrics + tracing: + connection_string: "" + sentry: + dsn: "" + environment: "" + logging: + level: info + grpc_level: error + google_profiler: + enabled: false + # project_id: "" + # credentials_file: /some/file + # debug_logging: false + liveness_probe: + url_path: /liveness + readiness_probe: + url_path: /readiness +gitaly: + global_api_rate_limit: + 
refill_rate_per_second: 30.0 + bucket_size: 70 + per_server_api_rate_limit: + refill_rate_per_second: 15.0 + bucket_size: 40 +private_api: + listen: + address: 127.0.0.1:8155 + authentication_secret_file: {{GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}} + max_connection_age: 1800s +redis: + server: + address: "{{REDIS_HOST}}:{{REDIS_PORT}}" # required + pool_size: 5 + dial_timeout: "5s" + read_timeout: "1s" + write_timeout: "1s" + idle_timeout: "50s" + key_prefix: gitlab-kas + password_file: {{GITLAB_KAS_REDIS_PASSWORD_FILE}} + network: "tcp" +api: + listen: + network: tcp + address: 127.0.0.1:8153 + authentication_secret_file: {{GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required + # certificate_file: /server-cert.pem + # key_file: /server-key.pem + max_connection_age: "1800s" diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index e8ce35134..9ec8f9f4c 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -689,3 +689,6 @@ GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret} GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"} GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"} GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} +GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret} +GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-} +GITLAB_KAS_REDIS_PASSWORD_FILE=${GITLAB_KAS_REDIS_PASSWORD_FILE:-} diff --git a/assets/runtime/functions b/assets/runtime/functions index 903640a6f..88c4212bb 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions 
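Review bot: `kubernetes_api.listen.address: 0.0.0.0:8154` is the only listener in this file bound to all interfaces, and its `certificate_file`/`key_file` lines are commented out, so the Kubernetes API proxy is served in plaintext to anything that can reach the container's network, while `agent`, `observability`, `private_api` and `api` all stay on 127.0.0.1. If the intent is to front it with the image's reverse proxy like the other services, `127.0.0.1:8154` would be consistent; otherwise a comment such as `# intentionally bound to all interfaces: this is the port to publish for the Kubernetes API proxy` makes the choice explicit for the next reader. Separately, `agent.listen` is `127.0.0.1:8150` with `websocket: false`, whereas `GITLAB_KAS_EXTERNAL` defaults to a `wss://` URL; unless something outside this series terminates the WebSocket and forwards plain gRPC, agents using that URL would presumably need `websocket: true`, so it is worth confirming which is meant.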
@@ -372,6 +372,24 @@ gitlab_configure_gitlab_kas() { GITLAB_KAS_EXTERNAL \ GITLAB_KAS_INTERNAL \ GITLAB_KAS_PROXY + + update_template ${GITLAB_KAS_CONFIG} \ + GITLAB_RELATIVE_URL_ROOT \ + GITLAB_KAS_SECRET \ + GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + REDIS_HOST \ + REDIS_PORT \ + GITLAB_KAS_REDIS_PASSWORD_FILE + + if [[ ! -f ${GITLAB_KAS_REDIS_PASSWORD_FILE} ]]; then + exec_as_git touch "${GITLAB_KAS_REDIS_PASSWORD_FILE}" + exec_as_git chmod 600 ${GITLAB_KAS_REDIS_PASSWORD_FILE} + # TODO: Once this image supports redis password authentication, write the password to a file here + fi + + # enable/disable startup of gitlab-kas : set autostart / autorestart entry in supervisor config using GITLAB_KAS_ENABLED + update_template /etc/supervisor/conf.d/gitlab-kas.conf GITLAB_KAS_ENABLED } gitlab_configure_gitlab_workhorse() { @@ -942,6 +960,23 @@ gitlab_configure_secrets() { exec_as_git openssl rand -base64 -out "${pages_secret}" 32 chmod 600 "${pages_secret}" fi + + if [[ ! -f "${GITLAB_KAS_SECRET}" ]]; then + exec_as_git openssl rand -base64 -out "${GITLAB_KAS_SECRET}" 32 + chmod 600 ${GITALB_KAS_SECRET} + fi + + if [[ ! -f "${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then + exec_as_git openssl rand -base64 -out "${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32 + chmod 600 ${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE} + fi + + # KAS secret for private_api is not required so this can be empty string, + # but empty string is not match to "is file" condition so we don't care the case + if [[ ! -f "${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then + exec_as_git openssl rand -base64 -out "${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32 + chmod 600 ${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE} + fi } gitlab_configure_sidekiq() { 
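Review bot: The `[[ ! -f ${GITLAB_KAS_REDIS_PASSWORD_FILE} ]]` guard is true for the documented default (empty), because `[[` keeps the empty operand and `-f ""` is false, so every startup runs `exec_as_git touch ""` and `chmod 600` on an empty path, which fail; the explicit form is `if [[ -n "${GITLAB_KAS_REDIS_PASSWORD_FILE}" && ! -f "${GITLAB_KAS_REDIS_PASSWORD_FILE}" ]]; then`, with the `touch` and `chmod` operands quoted. The `update_template ${GITLAB_KAS_CONFIG} …` call also runs unconditionally, while the `install_configuration_templates` hunk later in this patch installs `gitlab-agent/gitlab-kas_config.yaml` only when `GITLAB_KAS_ENABLED == true`, so with the default the template is edited before it exists; wrapping the KAS-config, password-file and supervisor steps in `if [[ ${GITLAB_KAS_ENABLED} == true ]]; then … fi` keeps the two in step. `gitlab_configure_gitlab_kas` begins before this hunk.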
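Review bot: `chmod 600 ${GITALB_KAS_SECRET}` misspells the variable, so after `openssl rand` creates `${GITLAB_KAS_SECRET}` the chmod runs with no path and the freshly generated secret keeps whatever mode the umask gave it; the line should be `chmod 600 "${GITLAB_KAS_SECRET}"`. The comment above the private-API block has the logic backwards: `[[ ! -f "" ]]` is true, so with the default empty `GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE` openssl is invoked with `-out ""` on every startup and fails to open it; guard it with `if [[ -n "${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" && ! -f "${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then`. Quoting the two remaining unquoted `chmod` operands matches the `pages_secret` lines just above. `gitlab_configure_secrets` begins before this hunk.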
@@ -1991,6 +2026,10 @@ install_configuration_templates() { fi install_template ${GITLAB_USER}: gitaly/config.toml ${GITLAB_GITALY_CONFIG} + + if [[ ${GITLAB_KAS_ENABLED} == true ]]; then + install_template ${GITLAB_USER}: gitlab-agent/gitlab-kas_config.yaml ${GITLAB_KAS_CONFIG} 0640 + fi } configure_gitlab() { From a248b0d286e31c263348f4e14f2a68a092ef09a7 Mon Sep 17 00:00:00 2001 From: Kazunori Kimura Date: Wed, 3 Apr 2024 15:17:01 +0900 Subject: [PATCH 11/24] Tweak kas config order in gitlab.yml sync with upstream --- assets/runtime/config/gitlabhq/gitlab.yml | 32 +++++++++++------------ 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index 45ccc4eef..a5f24ef00 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml @@ -1174,6 +1174,22 @@ production: &base # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app). # secret_file: /home/git/gitlab/.gitlab_workhorse_secret + gitlab_kas: + enabled: {{GITLAB_KAS_ENABLED}} + # File that contains the secret key for verifying access for gitlab-kas. + # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). + secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret + + # The URL to the external KAS API (used by the Kubernetes agents) + external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com + + # The URL to the internal KAS API (used by the GitLab backend) + internal_url: {{GITLAB_KAS_INTERNAL}} # grpc://localhost:8153 + + # The URL to the Kubernetes API proxy (used by GitLab users) + external_k8s_proxy_url: {{GITLAB_KAS_PROXY}} # https://localhost:8154 # default: nil + + ## GitLab Elasticsearch settings elasticsearch: indexer_path: {{GITLAB_HOME}}/gitlab-elasticsearch-indexer/ 
@@ -1271,22 +1287,6 @@ production: &base # Ban an IP for one hour (3600s) after too many auth attempts bantime: {{RACK_ATTACK_BANTIME}} - gitlab_kas: - enabled: {{GITLAB_KAS_ENABLED}} - # File that contains the secret key for verifying access for gitlab-kas. - # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). - secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret - - # The URL to the external KAS API (used by the Kubernetes agents) - external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com - - # The URL to the internal KAS API (used by the GitLab backend) - internal_url: {{GITLAB_KAS_INTERNAL}} # grpc://localhost:8153 - - # The URL to the Kubernetes API proxy (used by GitLab users) - external_k8s_proxy_url: {{GITLAB_KAS_PROXY}} # https://localhost:8154 # default: nil - - development: <<: *base From 958e0fd7ce764fd66c0d0382e32f30de59c49738 Mon Sep 17 00:00:00 2001 
From: Kazunori Kimura Date: Wed, 24 Aug 2022 17:48:17 +0900 Subject: [PATCH 12/24] Add built-in KAS - build KAS on build, enable via GITLAB_AGENT_KAS_ENABLED (automatically enabled if GITLAB_KAS_ENABLED=true) - Add built-in KAS config file kas config: import upstream (v15.10.0 - d88f4b89) - minimal parameterization gitlab side: - GITLAB_KAS_ENABLED gitlab_rails['gitlab_kas_enabled'] for omnibus installation - GITLAB_KAS_INTERNAL gitlab_rails['gitlab_kas_internal_url'] for omnibus installation - GITLAB_KAS_EXTERNAL gitlab_rails['gitlab_kas_external_url'] for omnibus installation - GITLAB_KAS_PROXY gitlab_rails['gitlab_kas_external_k8s_proxy_url'] for omnibus installation kas side: - GITLAB_AGENT_KAS_ENABLED gitlab_kas['enabled'] for omnibus installation - GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE gitlab_kas['internal_api_listen_authentication_secret_file'] - GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE used by both: - GITLAB_KAS_SECRET used as a value for - gitlabhq/gitlab.yml : production.gitlab_kas.secret_file - gitlab-agent/gitlab-kas_config.yaml : gitlab.authentication_secret_file Prefix for parameters that only used by gitlab-agent/kas is "GITLAB_AGENT_KAS_" Also add process to generate secret files for KAS Update built-in KAS to 16.10.1, sync config Update built-in gitlab-kas to v17.0.2, sync configuration - Bump to v17.0.0, sync configuration GitOps module have been removed. See upstream change: https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/merge_requests/1436 - Bump: gitlab-kas 17.0.1 no change in configuration file - Bump: gitlab-kas 17.0.2 no change in configuration file Personal note: I am still unable to successfully connect the agent from the WebUI. The problem is that I don't know the correct way to do it in the first place, so I have to check it out. 
Stop gitlab_kas before restoring backup It seems that kas has DB connection and blocks restoration - Bump: gitlab-kas 18.1.0 reference configuration file have been renamed to kascfg_defaults.yaml and does not contain full configurations So I have to search a way to generate full configuration from .proto or docs --- Dockerfile | 2 + README.md | 36 +++++++++----- assets/build/install.sh | 28 +++++++++++ .../gitlab-agent/gitlab-kas_config.yaml | 48 +++++++++---------- assets/runtime/env-defaults | 9 ++-- assets/runtime/functions | 33 +++++++------ 6 files changed, 100 insertions(+), 56 deletions(-) diff --git a/Dockerfile b/Dockerfile index 189aae117..66b5a81d0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,6 +10,7 @@ ENV GITLAB_VERSION=${VERSION} \ GITLAB_SHELL_VERSION=14.45.5 \ GITLAB_PAGES_VERSION=18.8.2 \ GITALY_SERVER_VERSION=18.8.2 \ + GITLAB_AGENT_VERSION=18.1.0 \ GITLAB_USER="git" \ GITLAB_HOME="/home/git" \ GITLAB_LOG_DIR="/var/log/gitlab" \ @@ -21,6 +22,7 @@ ENV GITLAB_VERSION=${VERSION} \ ENV GITLAB_INSTALL_DIR="${GITLAB_HOME}/gitlab" \ GITLAB_SHELL_INSTALL_DIR="${GITLAB_HOME}/gitlab-shell" \ GITLAB_GITALY_INSTALL_DIR="${GITLAB_HOME}/gitaly" \ + GITLAB_AGENT_INSTALL_DIR="${GITLAB_HOME}/gitlab-agent" \ GITLAB_DATA_DIR="${GITLAB_HOME}/data" \ GITLAB_BUILD_DIR="${GITLAB_CACHE_DIR}/build" \ GITLAB_RUNTIME_DIR="${GITLAB_CACHE_DIR}/runtime" diff --git a/README.md b/README.md index f4c3c09d4..a17258899 100644 --- a/README.md +++ b/README.md 
@@ -917,18 +917,24 @@ Configuring gitlab::feature_flags... #### Gitlab KAS -GitLab agent server for Kubernetes (KAS) is disabled by default, but you can enable it by setting configuration parameter [`GITLAB_KAS_ENABLED`](#GITLAB_KAS_ENABLED) to true. -By default, built-in `gitlab-kas` is used. But you can use an external installation of KAS by setting internal URL for the GItLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#GITLAB_KAS_INTERNAL). -You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#GITLAB_KAS_EXTERNAL). If you set up proxy URL, use `GITLAB_KAS_PROXY`. +GitLab agent server for Kubernetes (KAS) is disabled by default, but you can enable it by setting configuration parameter [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) to true. +By default, built-in `gitlab-kas` is also enabled once you enable KAS feature. But you can use an external installation of KAS by setting internal URL for the GitLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#gitlab_kas_internal). +You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#gitlab_kas_external). If you set up proxy URL, use `GITLAB_KAS_PROXY`. -You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#GITLAB_KAS_SECRET), [`GITLAB_KAS_API_AUTHENTICATION_SECRET_FILE`](#GITLAB_KAS_API_AUTHENTICATION_SECRET_FILE) and [`GITLAB_KAS_PRIVATE_API_AUTHENTICATION_SECRET_FILE`](#GITLAB_KAS_PRIVATE_API_AUTHENTICATION_SECRET_FILE). These secret files are automatically generated if they don't exist. +You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_secret). This secret file will be generated if they don't exist. + +#### Built-in GitLab-Agent KAS + +To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_KAS_ENABLED`](#gitlab_agent_kas_enabled). 
+ +You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist. Built-in KAS communicates to redis. The host and ports are set using `REDIS_HOST` and `REDIS_PORT`. -You can specify the password file path in `GITLAB_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See https://github.com/sameersbn/docker-gitlab/pull/1026 +You can specify the password file path in `GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See [sameersbn/gitlab#1026](https://github.com/sameersbn/docker-gitlab/pull/1026) Also note that KAS requires that environment variable `OWN_PRIVATE_API_URL` is set (e.g. `OWN_PRIVATE_API_URL=grpc://127.0.0.1:8155`). If not, the KAS service will keep restarting. -See official documentation : https://docs.gitlab.com/ee/administration/clusters/kas.html +See [official documentation](https://docs.gitlab.com/ee/administration/clusters/kas.html) for more detail. #### Available Configuration Parameters 
@@ -1272,19 +1278,23 @@ Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"` The URL to the Kubernetes API proxy (used by GitLab users). No default. -##### `GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` +##### `GITLAB_AGENT_KAS_ENABLED` + +Control startup behavior of built-in KAS. `autostart` value in supervisor configuration for KAS will be set to this value. Default to [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) + +##### `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` -An authentication secret file to verify JWT token, for KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret` +An authentication secret file to verify JWT token, for built-in KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret` -##### `GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE` +##### `GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE` -An authentication secret file to verify JWT token, for KAS internal API. If not exists, an secret file will be generated on startup. This is not "required", so please leave blank if you don't need it. No default. +An authentication secret file to verify JWT token, for built-in KAS internal API. If not exists, an secret file will be generated on startup. This is not "required", so please leave blank if you don't need it. No default. -##### `GITLAB_KAS_REDIS_PASSWORD_FILE` +##### `GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE` -Path for the file that contains redis password. This is not "required", so please leave blank if you don't need it. No default. +Path for the file that contains redis password to be used by built-in KAS. This is not "required", so please leave blank if you don't need it. No default. -NOTE: We currently do not support password authentication between gitlab and redis. 
See https://github.com/sameersbn/docker-gitlab/pull/1026 +NOTE: We currently do not support password authentication between gitlab and redis. See [sameersbn/gitlab#1026](https://github.com/sameersbn/docker-gitlab/pull/1026) ##### `GITLAB_LFS_ENABLED` diff --git a/assets/build/install.sh b/assets/build/install.sh index 817fd61cf..6b07cec7e 100755 --- a/assets/build/install.sh +++ b/assets/build/install.sh @@ -5,10 +5,12 @@ GITLAB_CLONE_URL=https://gitlab.com/gitlab-org/gitlab-foss.git GITLAB_SHELL_URL=https://gitlab.com/gitlab-org/gitlab-shell/-/archive/v${GITLAB_SHELL_VERSION}/gitlab-shell-v${GITLAB_SHELL_VERSION}.tar.bz2 GITLAB_PAGES_URL=https://gitlab.com/gitlab-org/gitlab-pages.git GITLAB_GITALY_URL=https://gitlab.com/gitlab-org/gitaly.git +GITLAB_AGENT_URL=https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent.git GITLAB_WORKHORSE_BUILD_DIR=${GITLAB_INSTALL_DIR}/workhorse GITLAB_PAGES_BUILD_DIR=/tmp/gitlab-pages GITLAB_GITALY_BUILD_DIR=/tmp/gitaly +GITLAB_AGENT_BUILD_DIR=/tmp/gitlab-agent RUBY_SRC_URL=https://cache.ruby-lang.org/pub/ruby/${RUBY_VERSION%.*}/ruby-${RUBY_VERSION}.tar.gz @@ -171,6 +173,18 @@ make -C ${GITLAB_GITALY_BUILD_DIR} git GIT_PREFIX=/usr/local # clean up rm -rf ${GITLAB_GITALY_BUILD_DIR} +# download gitlab-agent (KAS) +echo "Downloading gitlab-agent v.${GITLAB_AGENT_VERSION}..." +git clone -q -b v${GITLAB_AGENT_VERSION} --depth 1 ${GITLAB_AGENT_URL} ${GITLAB_AGENT_BUILD_DIR} + +# install gitlab-agent (KAS) +mkdir -p "${GITLAB_AGENT_INSTALL_DIR}" +make -C ${GITLAB_AGENT_BUILD_DIR} kas TARGET_DIRECTORY=/usr/local/bin +chown -R ${GITLAB_USER}: ${GITLAB_AGENT_INSTALL_DIR} + +# clean up +rm -rf ${GITLAB_AGENT_BUILD_DIR} + # remove go go clean --modcache rm -rf ${GITLAB_BUILD_DIR}/go${GOLANG_VERSION}.linux-amd64.tar.gz ${GOROOT} 
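Review bot: `git clone -q -b v${GITLAB_AGENT_VERSION} --depth 1 ${GITLAB_AGENT_URL} ${GITLAB_AGENT_BUILD_DIR}` pins the gitlab-agent source to a tag only; tags are mutable, so the build cannot be reproduced against a known revision the way a commit hash or a checksummed release tarball would allow — this mirrors the existing pages/gitaly clones above, so it is a pre-existing pattern rather than a regression, but kas is a network-facing service and worth pinning harder. Separately, `mkdir -p "${GITLAB_AGENT_INSTALL_DIR}"` followed by `chown -R ${GITLAB_USER}: ${GITLAB_AGENT_INSTALL_DIR}` hands that directory to the service user, while the binary itself goes to `/usr/local/bin` via `make … kas TARGET_DIRECTORY=/usr/local/bin` (the right place for an executable, since the service user cannot modify it there); nothing in this hunk writes into the install dir, so either drop the two lines or add a comment saying what is expected to live there. The `chown` line also leaves the path unquoted while the `mkdir` quotes it, and `GITLAB_AGENT_INSTALL_DIR` is not defined in the install.sh hunks of this commit, so presumably it comes from the Dockerfile ENV.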
@@ -411,6 +425,20 @@ stdout_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log stderr_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log EOF +# configure superisord to start gitlab-agent (KAS) +cat > /etc/supervisor/conf.d/gitlab-kas.conf < /etc/supervisor/conf.d/mail_room.conf < Date: Mon, 24 Apr 2023 08:35:25 +0900 Subject: [PATCH 13/24] kas: tweak defaults for gitlab.authentication_secret_file default to api.listen.authentication_secret_file, as omnibus-gitlab do --- README.md | 7 ++++++- assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml | 2 +- assets/runtime/env-defaults | 1 + 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a17258899..01d9389a0 100644 --- a/README.md +++ b/README.md 
@@ -927,7 +927,8 @@ You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_ To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_KAS_ENABLED`](#gitlab_agent_kas_enabled). -You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist. +You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist. +Authentication secret file will be set to same value of `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` but you can overwrite it by setting [`GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_gitlab_authentication_secret_file). Built-in KAS communicates to redis. The host and ports are set using `REDIS_HOST` and `REDIS_PORT`. You can specify the password file path in `GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See [sameersbn/gitlab#1026](https://github.com/sameersbn/docker-gitlab/pull/1026) 
@@ -1282,6 +1283,10 @@ The URL to the Kubernetes API proxy (used by GitLab users). No default. Control startup behavior of built-in KAS. `autostart` value in supervisor configuration for KAS will be set to this value. Default to [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) +##### `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE` + +An authentication secret file used to connect to gitlab from KAS. Defaults to `${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}`. + ##### `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` An authentication secret file to verify JWT token, for built-in KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret` diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml index 8f38b8a06..48c436b7b 100644 --- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml @@ -5,7 +5,7 @@ gitlab: address: http://localhost:8080{{GITLAB_RELATIVE_URL_ROOT}} # required - authentication_secret_file: {{GITLAB_KAS_SECRET}} # required + authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required # ca_certificate_file: /server-ca.pem api_rate_limit: bucket_size: 250 diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 57f6a0a0e..098e35bd9 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults 
@@ -695,3 +695,4 @@ GITLAB_AGENT_KAS_ENABLED=${GITLAB_AGENT_KAS_ENABLED:-${GITLAB_KAS_ENABLED}} GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret} GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_private_api_secret} GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-} +GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE:-${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} From becb3748897ccd312eb610cc494f865dd521aa32 Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Tue, 21 Oct 2025 07:52:26 +0000 Subject: [PATCH 14/24] upgrade to 18.5.1 squash following commit: - update to 18.5.0 - upgrade to 18.5.1 --- Dockerfile | 2 +- .../gitlab-agent/gitlab-kas_config.yaml | 148 +++++++++--------- 2 files changed, 73 insertions(+), 77 deletions(-) diff --git a/Dockerfile b/Dockerfile index 66b5a81d0..7a6e0130d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,7 @@ ENV GITLAB_VERSION=${VERSION} \ GITLAB_SHELL_VERSION=14.45.5 \ GITLAB_PAGES_VERSION=18.8.2 \ GITALY_SERVER_VERSION=18.8.2 \ - GITLAB_AGENT_VERSION=18.1.0 \ + GITLAB_AGENT_VERSION=18.5.1 \ GITLAB_USER="git" \ GITLAB_HOME="/home/git" \ GITLAB_LOG_DIR="/var/log/gitlab" \ diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml index 48c436b7b..6683a62f2 100644 --- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml 
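Review bot: `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE=${…:-${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}}` makes one key authenticate both KAS→GitLab and GitLab→KAS; that matches omnibus as the message says, but it also means the two files must be rotated together, and the README paragraph added in this commit states only the default, not that consequence. At this point in the series gitlab.yml `secret_file` still points at `GITLAB_KAS_SECRET` (default `.gitlab_kas_secret` in env-defaults) while kas now reads `.gitlab_kas_api_secret`, so the two sides use different keys unless the operator sets both to the same path; the gitlab.yml hunk in PATCH 15/24 aligns them, but this commit on its own introduces that gap. A one-sentence README addition would cover the rotation point: `Because this defaults to the API secret, rotate both files together or authentication between GitLab and KAS breaks.`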
@@ -1,99 +1,95 @@ -# Import from gitlab-org/cluster-integration/gitlab-agent/pkg/kascfg/config_example.yaml -# -# This is a sample configuration file for kas. The source of truth is pkg/kascfg/kascfg.proto. It contains documentation -# for all the fields. Configuration values in this file are the defaults (if set) that are used by kas. +# This is a configuration file for kas that contains the default values for the settings. +# It DOES NOT contain all the possible configuration knobs. +# The source of truth is kascfg.proto. +# It contains all the fields and documentation them. +# If you are looking for a setting, start from the ConfigurationFile message in: +# - the proto file kascfg.proto. +# - the generated documentation in kascfg_proto_docs.md. +# Correctness of this file is enforced by a unit test in kascfg_defaults_test.go. -gitlab: - address: http://localhost:8080{{GITLAB_RELATIVE_URL_ROOT}} # required - authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required - # ca_certificate_file: /server-ca.pem - api_rate_limit: - bucket_size: 250 - refill_rate_per_second: 50 agent: - listen: - network: tcp - address: 127.0.0.1:8150 - websocket: false - # certificate_file: /server-cert.pem - # key_file: /server-key.pem - connections_per_token_per_minute: 40000 - max_connection_age: "7200s" - listen_grace_period: "5s" configuration: - poll_period: "300s" max_configuration_file_size: 131072 + poll_period: 300s + info_cache_error_ttl: 60s + info_cache_ttl: 300s kubernetes_api: + allowed_agent_cache_error_ttl: 10s + allowed_agent_cache_ttl: 60s listen: + address: 127.0.0.1:8154 + listen_grace_period: 5s network: tcp - address: 0.0.0.0:8154 - # certificate_file: /server-cert.pem - # key_file: /server-key.pem - listen_grace_period: "5s" - shutdown_grace_period: "3600s" - url_path_prefix: / - allowed_agent_cache_ttl: "60s" - allowed_agent_cache_error_ttl: "10s" - info_cache_ttl: "300s" - info_cache_error_ttl: "60s" - redis_conn_info_ttl: 
"300s" - redis_conn_info_refresh: "240s" - redis_conn_info_gc: "600s" -observability: - usage_reporting_period: "10s" + shutdown_grace_period: 3600s + url_path_prefix: /{{GITLAB_RELATIVE_URL_ROOT}} + websocket_token_secret_file: {{GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}} listen: + address: 127.0.0.1:8150 + connections_per_token_per_minute: 40000 + listen_grace_period: 5s + max_connection_age: 7200s network: tcp - address: 127.0.0.1:8151 - prometheus: - url_path: /metrics - # tracing: - # otlp_endpoint: "https://localhost:4317/traces/foo/bar" - # otlp_token_secret_file: "/some/path" - # otlp_ca_certificate_file: "/some/path/ca.crt" - sentry: - dsn: "" - environment: "" - logging: - level: info - grpc_level: error - google_profiler: - enabled: false - # project_id: "" - # credentials_file: /some/file - # debug_logging: false - liveness_probe: - url_path: /liveness - readiness_probe: - url_path: /readiness - event_reporting_period: "10s" + websocket: true + receptive_agent: + poll_period: 60s + redis_conn_info_gc: 600s + redis_conn_info_refresh: 240s + redis_conn_info_ttl: 300s +api: + listen: + address: 127.0.0.1:8153 + listen_grace_period: 5s + max_connection_age: 7200s + network: tcp + authentication_secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required gitaly: global_api_rate_limit: - refill_rate_per_second: 30.0 bucket_size: 70 + refill_rate_per_second: 30 per_server_api_rate_limit: - refill_rate_per_second: 15.0 bucket_size: 40 + refill_rate_per_second: 15 +gitlab: + address: http://127.0.0.1:8080{{GITLAB_RELATIVE_URL_ROOT}} + authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required + api_rate_limit: + bucket_size: 250 + refill_rate_per_second: 50 +observability: + event_reporting_period: 300s + google_profiler: {} + listen: + address: 127.0.0.1:8151 + network: tcp + liveness_probe: + url_path: /liveness + logging: + level: debug + grpc_level: debug + prometheus: + url_path: /metrics + 
readiness_probe: + url_path: /readiness + sentry: {} + usage_reporting_period: 10s private_api: listen: + address: 0.0.0.0:8155 + listen_grace_period: 5s + max_connection_age: 7200s network: tcp - address: 127.0.0.1:8155 authentication_secret_file: {{GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}} - max_connection_age: 7200s - listen_grace_period: "5s" redis: + dial_timeout: 5s + key_prefix: gitlab-kas + network: tcp + write_timeout: 3s server: address: "{{REDIS_HOST}}:{{REDIS_PORT}}" # required - dial_timeout: "5s" - write_timeout: "3s" - key_prefix: gitlab-kas - password_file: {{GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}} - network: "tcp" -api: +workspaces: listen: + address: 127.0.0.1:8160 + listen_grace_period: 5s network: tcp - address: 127.0.0.1:8153 - authentication_secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required - # certificate_file: /server-cert.pem - # key_file: /server-key.pem - max_connection_age: "7200s" - listen_grace_period: "5s" + shutdown_grace_period: 3600s + From 15d253bd30fe6bc49f8783068b25cbc4c3da4bd1 Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Tue, 21 Oct 2025 07:56:05 +0000 Subject: [PATCH 15/24] change name of secret add WEBTOKEN secret; remove GITLAB_KAS_SECRET Replace GITLAB_KAS_SECRET by GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE --- assets/runtime/config/gitlabhq/gitlab.yml | 4 ++-- assets/runtime/env-defaults | 4 ++-- assets/runtime/functions | 16 ++++++++-------- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index a5f24ef00..1cbd9e0ef 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml 
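Review bot: The new side sets `level: debug` and `grpc_level: debug` under `observability.logging` (the old file had `info`/`error`) and moves `private_api.listen.address` from `127.0.0.1:8155` to `0.0.0.0:8155`; debug logging in a component that handles agent tokens is verbose and risks recording request details, and the private API now accepts connections on every container interface while the README still documents `OWN_PRIVATE_API_URL=grpc://127.0.0.1:8155`. Unless a multi-instance setup needs it, keep `level: info`, `grpc_level: error` and `address: 127.0.0.1:8155`. The new side also drops the `redis.server.password_file: {{GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}}` key, yet `functions` keeps substituting that variable (its hunks in PATCH 15/24 and 18/24) and the README keeps documenting it, so the variable is now silently ignored — either restore the key or retire the variable and its docs. The header comment `Correctness of this file is enforced by a unit test in kascfg_defaults_test.go` is copied from upstream and is not true for this repository's templated copy. All of these survive the full-file rewrite of the same file in PATCH 17/24.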
@@ -1178,7 +1178,7 @@ production: &base enabled: {{GITLAB_KAS_ENABLED}} # File that contains the secret key for verifying access for gitlab-kas. # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). - secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret + secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # /home/git/gitlab/.gitlab_kas_secret # The URL to the external KAS API (used by the Kubernetes agents) external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com @@ -1374,7 +1374,7 @@ test: region: us-east-1 gitlab: - host: localhost + host: 127.0.0.1 port: 80 content_security_policy: diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 098e35bd9..a372c0525 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults 
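Review bot: The trailing comment on `secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # /home/git/gitlab/.gitlab_kas_secret` and the two comment lines above it (`Default is '.gitlab_kas_secret' relative to Rails.root`) now describe the removed `GITLAB_KAS_SECRET` default, while env-defaults in this commit resolves the new variable to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret`. Change the trailing comment to `# /home/git/gitlab/.gitlab_kas_api_secret` and the comment above to say the file is shared with the built-in KAS API listener. The `gitlab_kas:` block starts outside the hunk.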
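Review bot: The second hunk changes `host: localhost` to `host: 127.0.0.1` in the `test:` section of gitlab.yml, which has nothing to do with the secret rename in the commit message and touches an environment the container does not run; if it is intentional (avoiding IPv6 resolution of `localhost`, as the `GITLAB_KAS_INTERNAL` default change in env-defaults suggests) it belongs in its own commit or at least in the message. As written a reader of this series cannot tell whether it is a stray edit.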
@@ -685,14 +685,14 @@ GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-} ## Gitlab KAS GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false} -GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret} GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"} -GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"} +GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://127.0.0.1:8153"} GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} ## gitlab-agent KAS (built-in one) GITLAB_AGENT_KAS_ENABLED=${GITLAB_AGENT_KAS_ENABLED:-${GITLAB_KAS_ENABLED}} GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret} GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_private_api_secret} +GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE=${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_websocket_token_secret} GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-} GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE:-${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} diff --git a/assets/runtime/functions b/assets/runtime/functions index 4a091d08d..c91b657a4 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions 
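Review bot: Removing `GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-…}` with no fallback means an operator who set that variable in an existing deployment now silently gets a freshly generated `.gitlab_kas_api_secret`, and the README still tells them to use `GITLAB_KAS_SECRET` (the README context kept by PATCH 19/24 still has that sentence) and still says `GITLAB_KAS_INTERNAL` defaults to `grpc://localhost:8153` although this hunk changes it to `grpc://127.0.0.1:8153`. A compatibility default would keep the old name working for a release, `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret}}`, or failing that `functions` should print a warning when `GITLAB_KAS_SECRET` is set. The README parameter list should change in the same commit as the variable it documents.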
@@ -369,17 +369,17 @@ gitlab_configure_gitlab_kas() { update_template ${GITLAB_CONFIG} \ GITLAB_KAS_ENABLED \ - GITLAB_KAS_SECRET \ GITLAB_KAS_EXTERNAL \ GITLAB_KAS_INTERNAL \ + GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ GITLAB_KAS_PROXY printf "Configuring gitlab-agent::KAS (enabled: %s)\n" "${GITLAB_AGENT_BUILTIN_KAS_ENABLED}" update_template ${GITLAB_KAS_CONFIG} \ GITLAB_RELATIVE_URL_ROOT \ - GITLAB_KAS_SECRET \ GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE \ REDIS_HOST \ REDIS_PORT \ GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE @@ -963,12 +963,7 @@ gitlab_configure_secrets() { chmod 600 "${pages_secret}" fi - if [[ ! -f "${GITLAB_KAS_SECRET}" ]]; then - exec_as_git openssl rand -base64 -out "${GITLAB_KAS_SECRET}" 32 - chmod 600 ${GITALB_KAS_SECRET} - fi - - if [[ ! -f "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then + if [[ ! -f "${GITLAB_AGENT_kas_aPI_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32 chmod 600 ${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE} fi @@ -979,6 +974,11 @@ gitlab_configure_secrets() { exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32 chmod 600 ${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE} fi + + if [[ ! -f "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}" ]]; then + exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}" 72 + chmod 600 ${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE} + fi } gitlab_configure_sidekiq() { From f152eb4461887b48240f0de4c67ff4754525c689 Mon Sep 17 00:00:00 2001 
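Review bot: In the last hunk the new websocket-token block (like the api/private blocks it copies) creates the secret with `exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}" 72` under whatever umask the process inherits and only afterwards runs `chmod 600`, so the key briefly exists with the default mode; generating it under a restrictive umask closes that window, e.g. `(umask 077; exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}" 72)`, assuming exec_as_git passes the umask through. The following `chmod 600 ${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}` leaves the path unquoted while the line above quotes it. In the `@@ -963` hunk the mixed-case `GITLAB_AGENT_kas_aPI_LISTEN_AUTHENTICATION_SECRET_FILE` in the `-f` test names an unset variable, so this commit regenerates the API secret on every container start rather than only when the file is missing (PATCH 18/24 corrects the spelling). gitlab_configure_secrets starts and ends outside these hunks.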
From: Thomas Hiller Date: Wed, 22 Oct 2025 08:14:37 +0000 Subject: [PATCH 16/24] configure NGINX for GITLAB_BUILTIN_KAS Add kas location to assets/runtime/config/nginx/gitlab(-ssl) config KAS location is affected by GITLAB_RELATIVE_URL_ROOT so add update process to assets/runtime/functions --- assets/runtime/config/nginx/gitlab | 48 ++++++++++++++++++++++++++ assets/runtime/config/nginx/gitlab-ssl | 48 ++++++++++++++++++++++++++ assets/runtime/functions | 7 ++++ 3 files changed, 103 insertions(+) diff --git a/assets/runtime/config/nginx/gitlab b/assets/runtime/config/nginx/gitlab index 185ee0451..680e9ea71 100644 --- a/assets/runtime/config/nginx/gitlab +++ b/assets/runtime/config/nginx/gitlab 
@@ -84,6 +84,54 @@ server { proxy_pass http://gitlab-workhorse; } + #start-builtin-kas + location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/ { + client_max_body_size 0; + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + proxy_buffering {{NGINX_PROXY_BUFFERING}}; + + proxy_http_version 1.1; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade_gitlab; + + proxy_pass http://127.0.0.1:8150; + } + + location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/k8s-proxy/ { + client_max_body_size 0; + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + proxy_buffering {{NGINX_PROXY_BUFFERING}}; + + proxy_http_version 1.1; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade_gitlab; + + proxy_pass http://127.0.0.1:8154; + } + #end-builtin-kas + error_page 404 /404.html; error_page 422 /422.html; error_page 500 /500.html; diff --git a/assets/runtime/config/nginx/gitlab-ssl b/assets/runtime/config/nginx/gitlab-ssl index b52b86a67..33ce94bac 100644 --- a/assets/runtime/config/nginx/gitlab-ssl +++ b/assets/runtime/config/nginx/gitlab-ssl 
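Review bot: Both new `location` blocks carry `proxy_read_timeout 300;` together with the comment `## https://github.com/gitlabhq/gitlabhq/issues/694` / `## Some requests take more than 30 seconds.` copied from the workhorse block, but `{{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/` serves long-lived agent websocket sessions (the kas config allows `max_connection_age: 7200s`), so an agent whose connection is quiet for more than 300 s will be cut by nginx and forced to reconnect — if agent traffic can idle that long, that location needs a longer read timeout, and the copied issue-694 comment does not describe either block. I would replace the comment with one that names the actual reason, e.g. `## agent websocket sessions are long-lived; keep the read timeout generous`, and set the value to match. The identical text is added to assets/runtime/config/nginx/gitlab-ssl in this commit.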
@@ -131,6 +131,54 @@ server { proxy_pass http://gitlab-workhorse; } + #start-builtin-kas + location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/ { + client_max_body_size 0; + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + proxy_buffering {{NGINX_PROXY_BUFFERING}}; + + proxy_http_version 1.1; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade_gitlab; + + proxy_pass http://127.0.0.1:8150; + } + + location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/k8s-proxy/ { + client_max_body_size 0; + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + proxy_buffering {{NGINX_PROXY_BUFFERING}}; + + proxy_http_version 1.1; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade_gitlab; + + proxy_pass http://127.0.0.1:8154; + } + #end-builtin-kas + error_page 404 /404.html; error_page 422 /422.html; error_page 500 /500.html; diff --git a/assets/runtime/functions b/assets/runtime/functions index c91b657a4..9b187bf50 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions 
@@ -1600,12 +1600,19 @@ nginx_configure_gitlab_real_ip() { nginx_configure_gitlab() { echo "Configuring nginx::gitlab..." + if [[ ! ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]; then + sed -i "/#start-builtin-kas/,/#end-builtin-kas/d" ${GITLAB_NGINX_CONFIG} + else + sed -i "/#start-builtin-kas/d" ${GITLAB_NGINX_CONFIG} + sed -i "/#end-builtin-kas/d" ${GITLAB_NGINX_CONFIG} + fi update_template ${GITLAB_NGINX_CONFIG} \ GITLAB_HOME \ GITLAB_INSTALL_DIR \ GITLAB_LOG_DIR \ GITLAB_HOST \ GITLAB_PORT \ + GITLAB_RELATIVE_URL_ROOT \ NGINX_PROXY_BUFFERING \ NGINX_ACCEL_BUFFERING \ NGINX_X_FORWARDED_PROTO \ From a7020acdfce9ffad386750632809ed07b48c8a7e Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Fri, 24 Oct 2025 07:22:02 +0000 Subject: [PATCH 17/24] tweak agent.kubernetes_api.url_path_prefix in gitlab-kas_config.yaml complete 18.5.0 upgrade --- .../gitlab-agent/gitlab-kas_config.yaml | 190 +++++++++--------- 1 file changed, 95 insertions(+), 95 deletions(-) diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml index 6683a62f2..315dfb2c5 100644 --- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml 
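Review bot: `if [[ ! ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]` reads a variable that env-defaults does not define until PATCH 18/24, so in this commit the kas locations are kept only when the operator sets it by hand, while the README at this point says the built-in KAS is controlled by `GITLAB_AGENT_KAS_ENABLED`; the code and the documented parameter disagree until the later rename. As a point of style `[[ ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} != true ]]` reads more directly than the negated `==`, and a one-line comment above the `sed` calls, `# strip the kas locations unless the built-in KAS is enabled`, would explain the marker comments to the next reader. nginx_configure_gitlab continues outside the hunk.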
@@ -1,95 +1,95 @@ -# This is a configuration file for kas that contains the default values for the settings. -# It DOES NOT contain all the possible configuration knobs. -# The source of truth is kascfg.proto. -# It contains all the fields and documentation them. -# If you are looking for a setting, start from the ConfigurationFile message in: -# - the proto file kascfg.proto. -# - the generated documentation in kascfg_proto_docs.md. -# Correctness of this file is enforced by a unit test in kascfg_defaults_test.go. - -agent: - configuration: - max_configuration_file_size: 131072 - poll_period: 300s - info_cache_error_ttl: 60s - info_cache_ttl: 300s - kubernetes_api: - allowed_agent_cache_error_ttl: 10s - allowed_agent_cache_ttl: 60s - listen: - address: 127.0.0.1:8154 - listen_grace_period: 5s - network: tcp - shutdown_grace_period: 3600s - url_path_prefix: /{{GITLAB_RELATIVE_URL_ROOT}} - websocket_token_secret_file: {{GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}} - listen: - address: 127.0.0.1:8150 - connections_per_token_per_minute: 40000 - listen_grace_period: 5s - max_connection_age: 7200s - network: tcp - websocket: true - receptive_agent: - poll_period: 60s - redis_conn_info_gc: 600s - redis_conn_info_refresh: 240s - redis_conn_info_ttl: 300s -api: - listen: - address: 127.0.0.1:8153 - listen_grace_period: 5s - max_connection_age: 7200s - network: tcp - authentication_secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required -gitaly: - global_api_rate_limit: - bucket_size: 70 - refill_rate_per_second: 30 - per_server_api_rate_limit: - bucket_size: 40 - refill_rate_per_second: 15 -gitlab: - address: http://127.0.0.1:8080{{GITLAB_RELATIVE_URL_ROOT}} - authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required - api_rate_limit: - bucket_size: 250 - refill_rate_per_second: 50 -observability: - event_reporting_period: 300s - google_profiler: {} - listen: - address: 127.0.0.1:8151 - network: tcp - 
liveness_probe: - url_path: /liveness - logging: - level: debug - grpc_level: debug - prometheus: - url_path: /metrics - readiness_probe: - url_path: /readiness - sentry: {} - usage_reporting_period: 10s -private_api: - listen: - address: 0.0.0.0:8155 - listen_grace_period: 5s - max_connection_age: 7200s - network: tcp - authentication_secret_file: {{GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}} -redis: - dial_timeout: 5s - key_prefix: gitlab-kas - network: tcp - write_timeout: 3s - server: - address: "{{REDIS_HOST}}:{{REDIS_PORT}}" # required -workspaces: - listen: - address: 127.0.0.1:8160 - listen_grace_period: 5s - network: tcp - shutdown_grace_period: 3600s - +# This is a configuration file for kas that contains the default values for the settings. +# It DOES NOT contain all the possible configuration knobs. +# The source of truth is kascfg.proto. +# It contains all the fields and documentation them. +# If you are looking for a setting, start from the ConfigurationFile message in: +# - the proto file kascfg.proto. +# - the generated documentation in kascfg_proto_docs.md. +# Correctness of this file is enforced by a unit test in kascfg_defaults_test.go. 
+ +agent: + configuration: + max_configuration_file_size: 131072 + poll_period: 300s + info_cache_error_ttl: 60s + info_cache_ttl: 300s + kubernetes_api: + allowed_agent_cache_error_ttl: 10s + allowed_agent_cache_ttl: 60s + listen: + address: 127.0.0.1:8154 + listen_grace_period: 5s + network: tcp + shutdown_grace_period: 3600s + url_path_prefix: {{GITLAB_RELATIVE_URL_ROOT}}/ + websocket_token_secret_file: {{GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}} + listen: + address: 127.0.0.1:8150 + connections_per_token_per_minute: 40000 + listen_grace_period: 5s + max_connection_age: 7200s + network: tcp + websocket: true + receptive_agent: + poll_period: 60s + redis_conn_info_gc: 600s + redis_conn_info_refresh: 240s + redis_conn_info_ttl: 300s +api: + listen: + address: 127.0.0.1:8153 + listen_grace_period: 5s + max_connection_age: 7200s + network: tcp + authentication_secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required +gitaly: + global_api_rate_limit: + bucket_size: 70 + refill_rate_per_second: 30 + per_server_api_rate_limit: + bucket_size: 40 + refill_rate_per_second: 15 +gitlab: + address: http://127.0.0.1:8080{{GITLAB_RELATIVE_URL_ROOT}} + authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required + api_rate_limit: + bucket_size: 250 + refill_rate_per_second: 50 +observability: + event_reporting_period: 300s + google_profiler: {} + listen: + address: 127.0.0.1:8151 + network: tcp + liveness_probe: + url_path: /liveness + logging: + level: debug + grpc_level: debug + prometheus: + url_path: /metrics + readiness_probe: + url_path: /readiness + sentry: {} + usage_reporting_period: 10s +private_api: + listen: + address: 0.0.0.0:8155 + listen_grace_period: 5s + max_connection_age: 7200s + network: tcp + authentication_secret_file: {{GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}} +redis: + dial_timeout: 5s + key_prefix: gitlab-kas + network: tcp + write_timeout: 3s + server: + address: 
"{{REDIS_HOST}}:{{REDIS_PORT}}" # required +workspaces: + listen: + address: 127.0.0.1:8160 + listen_grace_period: 5s + network: tcp + shutdown_grace_period: 3600s + From de3e6e4f61221ffc6754557fb3235cac947ba717 Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Fri, 24 Oct 2025 07:46:21 +0000 Subject: [PATCH 18/24] fix GITLAB_AGENT_BUILTIN_KAS_ENABLED == false --- assets/runtime/env-defaults | 1 + assets/runtime/functions | 22 ++++++++++++---------- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index a372c0525..9a76bc946 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -696,3 +696,4 @@ GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KA GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE=${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_websocket_token_secret} GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-} GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE:-${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} +GITLAB_AGENT_BUILTIN_KAS_ENABLED=${GITLAB_AGENT_BUILTIN_KAS_ENABLED:-false} diff --git a/assets/runtime/functions b/assets/runtime/functions index 9b187bf50..d56bb280c 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions 
@@ -375,15 +375,17 @@ gitlab_configure_gitlab_kas() { GITLAB_KAS_PROXY printf "Configuring gitlab-agent::KAS (enabled: %s)\n" "${GITLAB_AGENT_BUILTIN_KAS_ENABLED}" - update_template ${GITLAB_KAS_CONFIG} \ - GITLAB_RELATIVE_URL_ROOT \ - GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ - GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \ - GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE \ - REDIS_HOST \ - REDIS_PORT \ - GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE - + if [[ ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]; then + update_template ${GITLAB_KAS_CONFIG} \ + GITLAB_RELATIVE_URL_ROOT \ + GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE \ + REDIS_HOST \ + REDIS_PORT \ + GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE + fi + if [[ -n ${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE} ]]; then exec_as_git touch "${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}" exec_as_git chmod 600 "${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}" @@ -963,7 +965,7 @@ gitlab_configure_secrets() { chmod 600 "${pages_secret}" fi - if [[ ! -f "${GITLAB_AGENT_kas_aPI_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then + if [[ ! -f "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32 chmod 600 ${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE} fi From ab1971e38d5208ee4b8ad73eed1f9d2def48ad0e Mon Sep 17 00:00:00 2001 From: KIMURA Kazunori Date: Fri, 24 Oct 2025 18:50:34 +0900 Subject: [PATCH 19/24] Fix parameter name to enable builtin-kas Merge GITLAB_AGENT_BUILTIN_KAS_ENABLED and GITLAB_AGENT_KAS_ENABLED --- README.md | 4 ++-- assets/runtime/env-defaults | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 01d9389a0..d7e9e127e 100644 --- a/README.md +++ b/README.md 
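Review bot: The new guard `[[ ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]` depends on the default this commit adds to env-defaults, `GITLAB_AGENT_BUILTIN_KAS_ENABLED=${GITLAB_AGENT_BUILTIN_KAS_ENABLED:-false}`, which contradicts the README entry stating the parameter defaults to `GITLAB_KAS_ENABLED` (the rename in PATCH 19/24 keeps that sentence, and the `GITLAB_AGENT_KAS_ENABLED=${GITLAB_AGENT_KAS_ENABLED:-${GITLAB_KAS_ENABLED}}` line PATCH 19 deletes had exactly that fallback); with `false` an operator who only sets `GITLAB_KAS_ENABLED=true` gets a gitlab.yml pointing at `grpc://127.0.0.1:8153` with nothing configured to listen there, as far as this series shows. Either default it to `${GITLAB_KAS_ENABLED}` or correct the README sentence. The `GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE` touch/chmod that follows stays outside the new guard and so creates that file even when the built-in KAS is off; moving it inside the same `if` keeps all built-in-KAS setup together. gitlab_configure_gitlab_kas starts outside the hunk.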
@@ -925,7 +925,7 @@ You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_ #### Built-in GitLab-Agent KAS -To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_KAS_ENABLED`](#gitlab_agent_kas_enabled). +To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_BUILTIN_KAS_ENABLED`](#gitlab_agent_builtin_kas_enabled). You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist. Authentication secret file will be set to same value of `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` but you can overwrite it by setting [`GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_gitlab_authentication_secret_file). @@ -1279,7 +1279,7 @@ Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"` The URL to the Kubernetes API proxy (used by GitLab users). No default. -##### `GITLAB_AGENT_KAS_ENABLED` +##### `GITLAB_AGENT_BUILTIN_KAS_ENABLED` Control startup behavior of built-in KAS. `autostart` value in supervisor configuration for KAS will be set to this value. Default to [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 9a76bc946..8be96c171 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults 
@@ -690,7 +690,6 @@ GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://127.0.0.1:8153"} GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} ## gitlab-agent KAS (built-in one) -GITLAB_AGENT_KAS_ENABLED=${GITLAB_AGENT_KAS_ENABLED:-${GITLAB_KAS_ENABLED}} GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret} GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_private_api_secret} GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE=${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_websocket_token_secret} From dc58e91e10f6edcca672a2494d4dbcd129509901 Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Fri, 24 Oct 2025 14:17:44 +0000 Subject: [PATCH 20/24] fix kubernetes access --- assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml index 315dfb2c5..a65dce7d2 100644 --- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml @@ -21,7 +21,7 @@ agent: listen_grace_period: 5s network: tcp shutdown_grace_period: 3600s - url_path_prefix: {{GITLAB_RELATIVE_URL_ROOT}}/ + url_path_prefix: {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/k8s-proxy/ websocket_token_secret_file: {{GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}} listen: address: 127.0.0.1:8150 From 7e23737899e5932edf5b9c4bc98dc4b3244f8221 Mon Sep 17 00:00:00 2001 From: KIMURA Kazunori Date: Tue, 6 Jan 2026 15:09:47 +0900 Subject: [PATCH 21/24] Add description for `GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE` --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index d7e9e127e..2c54e0d49 100644 
--- a/README.md +++ b/README.md @@ -1283,6 +1283,10 @@ The URL to the Kubernetes API proxy (used by GitLab users). No default. Control startup behavior of built-in KAS. `autostart` value in supervisor configuration for KAS will be set to this value. Default to [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) +##### `GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE` + +Websocket token secret file. Default to `${GITLAB_INSTALL_DIR}/.gitlab_kas_websocket_token_secret` + ##### `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE` An authentication secret file used to connect to gitlab from KAS. Defaults to `${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}`. From f46dd8dfae23e5eb65bf3933dc2e27f1bd58abb0 Mon Sep 17 00:00:00 2001 From: KIMURA Kazunori Date: Tue, 6 Jan 2026 15:21:18 +0900 Subject: [PATCH 22/24] Add example KAS configuration to README.md --- README.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/README.md b/README.md index 2c54e0d49..f17a90569 100644 --- a/README.md +++ b/README.md 
@@ -923,6 +923,58 @@ You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#gitlab_kas_e You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_secret). This secret file will be generated if they don't exist. +Here is an example settings for kubernetes rc.yml: + +```yaml +spec: + containers: + - name: gitlab + image: sameersbn/gitlab:latest + env: + - name: GITLAB_KAS_ENABLED + value: "true" + - name: GITLAB_AGENT_BUILTIN_KAS_ENABLED + value: "true" + - name: GITLAB_KAS_EXTERNAL + value: wss://gitlab.example.com/gitlab/-/kubernetes-agent/ + - name: GITLAB_KAS_INTERNAL + value: grpc://127.0.0.1:8153 + - name: GITLAB_KAS_PROXY + value: https://gitlab.example.com/gitlab/-/kubernetes-agent/k8s-proxy/ + - name: OWN_PRIVATE_API_URL + value: grpc://127.0.0.1:8155 +``` + +and for docker-compose.yml: + +```yaml +services: + gitlab: + image: sameersbn/gitlab:latest + environment: + - GITLAB_KAS_ENABLED=true + - GITLAB_AGENT_BUILTIN_KAS_ENABLED=true + - GITLAB_KAS_EXTERNAL=wss://gitlab.example.com/gitlab/-/kubernetes-agent/ + - GITLAB_KAS_INTERNAL=grpc://127.0.0.1:8153 + - GITLAB_KAS_PROXY=https://gitlab.example.com/gitlab/-/kubernetes-agent/k8s-proxy/ + - OWN_PRIVATE_API_URL=grpc://127.0.0.1:8155 +``` + +or in another style: + +```yaml +services: + gitlab: + image: sameersbn/gitlab:latest + environment: + GITLAB_KAS_ENABLED: "true" + GITLAB_AGENT_BUILTIN_KAS_ENABLED: "true" + GITLAB_KAS_EXTERNAL: wss://gitlab.example.com/gitlab/-/kubernetes-agent/ + GITLAB_KAS_INTERNAL: grpc://127.0.0.1:8153 + GITLAB_KAS_PROXY: https://gitlab.example.com/gitlab/-/kubernetes-agent/k8s-proxy/ + OWN_PRIVATE_API_URL: grpc://127.0.0.1:8155 +``` + #### Built-in GitLab-Agent KAS To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_BUILTIN_KAS_ENABLED`](#gitlab_agent_builtin_kas_enabled). From 13b15a0a8c87a719359d33cd9532aee18cf78daf Mon Sep 17 00:00:00 2001 
From: KIMURA Kazunori Date: Tue, 6 Jan 2026 15:20:57 +0900 Subject: [PATCH 23/24] Fix assignment for GITLAB_KAS_SECRET User still only required to set `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` as `GITLAB_KAS_SECRET` finally default to `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` (over `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE`) --- README.md | 2 +- assets/runtime/config/gitlabhq/gitlab.yml | 2 +- assets/runtime/env-defaults | 2 ++ assets/runtime/functions | 3 ++- 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f17a90569..7b3d9b665 100644 --- a/README.md +++ b/README.md @@ -1317,7 +1317,7 @@ Enable/Disable GitLab agent server for Kubernetes (KAS). See details on [officia ##### `GITLAB_KAS_SECRET` -File that contains the secret key for verifying access for GitLab KAS. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_secret` +File that contains the secret key for verifying access for GitLab KAS. This value will be used for `production.gitlab_kas.secret_file` in gitlab.yml. Defaults to `${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}` ##### `GITLAB_KAS_EXTERNAL` diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index 1cbd9e0ef..8e05f3349 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml @@ -1178,7 +1178,7 @@ production: &base enabled: {{GITLAB_KAS_ENABLED}} # File that contains the secret key for verifying access for gitlab-kas. # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). - secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # /home/git/gitlab/.gitlab_kas_secret + secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret # The URL to the external KAS API (used by the Kubernetes agents) external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com 
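Review bot: The comments around `secret_file: {{GITLAB_KAS_SECRET}}` are now misleading: the line above still says the default is `.gitlab_kas_secret` relative to Rails.root and the trailing `# /home/git/gitlab/.gitlab_kas_secret` names that same file, while this series makes `GITLAB_KAS_SECRET` resolve through `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE` to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret` unless overridden. Replace them with a comment that states the actual contract, e.g. `# Rails-side copy of the KAS shared secret; expected to be the same file kas uses for its GitLab authentication. Defaults to GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE (.gitlab_kas_api_secret in the install dir).`, so an operator who overrides one side knows the other must follow. Whether Rails rejects a mismatched secret outright or KAS calls simply fail cannot be confirmed from this hunk. The `gitlab_kas:` block starts outside the hunk.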
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 8be96c171..34d084bc1 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -696,3 +696,5 @@ GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE=${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_ GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-} GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE:-${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} GITLAB_AGENT_BUILTIN_KAS_ENABLED=${GITLAB_AGENT_BUILTIN_KAS_ENABLED:-false} + +GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} diff --git a/assets/runtime/functions b/assets/runtime/functions index d56bb280c..50f025075 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions @@ -371,7 +371,7 @@ gitlab_configure_gitlab_kas() { GITLAB_KAS_ENABLED \ GITLAB_KAS_EXTERNAL \ GITLAB_KAS_INTERNAL \ - GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + GITLAB_KAS_SECRET \ GITLAB_KAS_PROXY printf "Configuring gitlab-agent::KAS (enabled: %s)\n" "${GITLAB_AGENT_BUILTIN_KAS_ENABLED}" @@ -381,6 +381,7 @@ gitlab_configure_gitlab_kas() { GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \ GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE \ + GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE \ REDIS_HOST \ REDIS_PORT \ GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE From 85233586a528fd0d1c62f3f14d3a2da8630feaa2 Mon Sep 17 00:00:00 2001 
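Review bot: `GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}}` completes a three-link default chain (→ `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE` → `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`) that is invisible to a reader of this file, and only the last link is auto-generated as far as the `gitlab_configure_secrets` hunk earlier in this series shows. An operator who overrides the middle link to a path that does not exist gets a gitlab.yml `secret_file` and a kas GitLab-authentication secret both pointing at a missing file, with no generation or startup check visible here. Add a comment above the line, `# Rails-side copy of the KAS shared secret; must match the file kas reads for GitLab authentication. Defaults via GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE to the api listen secret.`, and consider an existence check on the resolved path in `gitlab_configure_secrets` so a typo fails loudly at startup rather than as opaque KAS auth errors.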
From: KIMURA Kazunori Date: Tue, 6 Jan 2026 18:10:00 +0900 Subject: [PATCH 24/24] Update built-in KAS to 18.8.2 Sync gitlab-kas config to 18.8.2 - Don't mention IPv4 for localhost since it'll listen on both v4 and v6 anyway https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/merge_requests/2641 Since: v18.2.0 - Improve kas and agentk configuration docs https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/merge_requests/2902 (This sets default value for agent.listen.websocket to false, but this commit just ignored it) Since: v18.4.0 Also, we set non-default value (`debug`) for `observability.logging.level` (default: `info`) and `.grpc_level` (default: `error`) --- Dockerfile | 2 +- assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml | 7 +++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 7a6e0130d..0f5906c7e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,7 @@ ENV GITLAB_VERSION=${VERSION} \ GITLAB_SHELL_VERSION=14.45.5 \ GITLAB_PAGES_VERSION=18.8.2 \ GITALY_SERVER_VERSION=18.8.2 \ - GITLAB_AGENT_VERSION=18.5.1 \ + GITLAB_AGENT_VERSION=18.8.2 \ GITLAB_USER="git" \ GITLAB_HOME="/home/git" \ GITLAB_LOG_DIR="/var/log/gitlab" \ diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml index a65dce7d2..f4f7ac9f2 100644 --- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml @@ -17,7 +17,7 @@ agent: allowed_agent_cache_error_ttl: 10s allowed_agent_cache_ttl: 60s listen: - address: 127.0.0.1:8154 + address: :8154 listen_grace_period: 5s network: tcp shutdown_grace_period: 3600s @@ -74,7 +74,7 @@ observability: usage_reporting_period: 10s private_api: listen: - address: 0.0.0.0:8155 + address: :8155 listen_grace_period: 5s max_connection_age: 7200s network: tcp 
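Review bot: `address: :8154` is not a loopback address: in Go, `net.Listen("tcp", ":8154")` binds the unspecified address on every interface (IPv4 and IPv6), whereas the removed `127.0.0.1:8154` bound loopback only, so this hunk widens exposure rather than just dropping an IPv4 spelling. The commit message's rationale ("don't mention IPv4 for localhost") would be met by `address: localhost:8154` or `[::1]:8154`; as written, the listener that gitlab.yml in this series associates with the Kubernetes API proxy becomes reachable from outside the container wherever the network namespace is shared (the README's Kubernetes pod example, `network_mode: host`, or a published port), bypassing the nginx/workhorse front end expected to sit in front of it. Keep the loopback bind unless the wildcard is a deliberate and documented choice, e.g. `address: localhost:8154`. The enclosing `agent:` block starts outside the hunk.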
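Review bot: `address: :8155` is equivalent to the removed `0.0.0.0:8155` for IPv4 and additionally binds the IPv6 wildcard, so this hunk does not widen exposure the way the 8154 change does, but it keeps the private API on all interfaces in a deployment whose own README example sets `OWN_PRIVATE_API_URL=grpc://127.0.0.1:8155`. Per the `GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE` variable in env-defaults this listener appears to be secret-protected, so the point is least privilege rather than unauthenticated access: for the single-kas container case `address: localhost:8155` would remove a network-reachable authenticated endpoint nothing outside the container needs. If multi-kas is the reason for the wildcard, say so in a comment on the line. `private_api:` is cut at the hunk edges.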
@@ -88,8 +88,7 @@ redis: address: "{{REDIS_HOST}}:{{REDIS_PORT}}" # required workspaces: listen: - address: 127.0.0.1:8160 + address: :8160 listen_grace_period: 5s network: tcp shutdown_grace_period: 3600s -
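Review bot: `address: :8160` moves the `workspaces` listener from loopback to the wildcard address on all interfaces; as with the 8154 change in the same patch, `:port` in Go is an unspecified-address bind, not "localhost without IPv4". Nothing in this hunk shows an authentication secret for this listener (unlike the api and private_api listeners, which have `*_AUTHENTICATION_SECRET_FILE` variables in env-defaults), so if it is unauthenticated this is the hunk where exposure grows most when the container's network namespace is shared or the port is published. Prefer `address: localhost:8160` to preserve the previous exposure while still covering IPv6, or state in the commit message why network-reachable access is required. The `redis:` block this hunk is headed by starts outside it.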