Add KAS config file, minimal parameterization

kkimurak · kkimurak · commit 5af9e6f292d8 · 2026-01-06T11:01:39.000+09:00
also add process to generate secret files for KAS
- GITLAB_KAS_SECRET
- GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE
- GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE
diff --git a/README.md b/README.md
@@ -921,6 +921,13 @@ GitLab agent server for Kubernetes (KAS) is disabled by default, but you can ena
 By default, built-in `gitlab-kas` is used. But you can use an external installation of KAS by setting internal URL for the GItLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#GITLAB_KAS_INTERNAL). 
 You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#GITLAB_KAS_EXTERNAL). If you set up proxy URL, use `GITLAB_KAS_PROXY`.
 
+You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#GITLAB_KAS_SECRET), [`GITLAB_KAS_API_AUTHENTICATION_SECRET_FILE`](#GITLAB_KAS_API_AUTHENTICATION_SECRET_FILE) and [`GITLAB_KAS_PRIVATE_API_AUTHENTICATION_SECRET_FILE`](#GITLAB_KAS_PRIVATE_API_AUTHENTICATION_SECRET_FILE). These secret files are automatically generated if they don't exist.   
+
+Built-in KAS communicates to redis. The host and ports are set using `REDIS_HOST` and `REDIS_PORT`.  
+You can specify the password file path in `GITLAB_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See https://github.com/sameersbn/docker-gitlab/pull/1026
+
+Also note that KAS requires that environment variable `OWN_PRIVATE_API_URL` is set (e.g. `OWN_PRIVATE_API_URL=grpc://127.0.0.1:8155`). If not, the KAS service will keep restarting.
+
 See official documentation : https://docs.gitlab.com/ee/administration/clusters/kas.html
 
 #### Available Configuration Parameters
@@ -1265,6 +1272,20 @@ Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"`
 
 The URL to the Kubernetes API proxy (used by GitLab users). No default.
 
+##### `GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`
+
+An authentication secret file to verify JWT token, for KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret`
+
+##### `GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`
+
+An authentication secret file to verify JWT token, for KAS internal API. If not exists, an secret file will be generated on startup. This is not "required", so please leave blank if you don't need it. No default.
+
+##### `GITLAB_KAS_REDIS_PASSWORD_FILE`
+
+Path for the file that contains redis password. This is not "required", so please leave blank if you don't need it. No default.
+
+NOTE: We currently do not support password authentication between gitlab and redis. See https://github.com/sameersbn/docker-gitlab/pull/1026
+
 ##### `GITLAB_LFS_ENABLED`
 
 Enable/Disable Git LFS support. Defaults to `true`.
diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml
@@ -0,0 +1,101 @@
+# Import from gitlab-org/cluster-integration/gitlab-agent/pkg/kascfg/config_example.yaml
+#
+# This is a sample configuration file for kas. The source of truth is pkg/kascfg/kascfg.proto. It contains documentation
+# for all the fields. Configuration values in this file are the defaults (if set) that are used by kas.
+
+gitlab:
+  address: http://localhost:8080{{GITLAB_RELATIVE_URL_ROOT}} # required
+  authentication_secret_file: {{GITLAB_KAS_SECRET}} # required
+  # ca_certificate_file: /server-ca.pem
+  api_rate_limit:
+    refill_rate_per_second: 10.0
+    bucket_size: 50
+agent:
+  listen:
+    network: tcp
+    address: 127.0.0.1:8150
+    websocket: false
+    # certificate_file: /server-cert.pem
+    # key_file: /server-key.pem
+    connections_per_token_per_minute: 10000
+    max_connection_age: "1800s"
+  configuration:
+    poll_period: "20s"
+    max_configuration_file_size: 131072
+  gitops:
+    poll_period: "20s"
+    project_info_cache_ttl: "300s"
+    project_info_cache_error_ttl: "60s"
+    max_manifest_file_size: 5242880
+    max_total_manifest_file_size: 20971520
+    max_number_of_paths: 100
+    max_number_of_files: 1000
+  kubernetes_api:
+    listen:
+      network: tcp
+      address: 0.0.0.0:8154
+      # certificate_file: /server-cert.pem
+      # key_file: /server-key.pem
+    url_path_prefix: /
+    allowed_agent_cache_ttl: "60s"
+    allowed_agent_cache_error_ttl: "10s"
+  info_cache_ttl: "300s"
+  info_cache_error_ttl: "60s"
+  redis_conn_info_ttl: "300s"
+  redis_conn_info_refresh: "240s"
+  redis_conn_info_gc: "600s"
+observability:
+  usage_reporting_period: "60s"
+  listen:
+    network: tcp
+    address: 127.0.0.1:8151
+  prometheus:
+    url_path: /metrics
+  tracing:
+    connection_string: ""
+  sentry:
+    dsn: ""
+    environment: ""
+  logging:
+    level: info
+    grpc_level: error
+  google_profiler:
+    enabled: false
+    # project_id: ""
+    # credentials_file: /some/file
+    # debug_logging: false
+  liveness_probe:
+    url_path: /liveness
+  readiness_probe:
+    url_path: /readiness
+gitaly:
+  global_api_rate_limit:
+    refill_rate_per_second: 30.0
+    bucket_size: 70
+  per_server_api_rate_limit:
+    refill_rate_per_second: 15.0
+    bucket_size: 40
+private_api:
+  listen:
+    address: 127.0.0.1:8155
+    authentication_secret_file: {{GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}}
+    max_connection_age: 1800s
+redis:
+  server:
+    address: "{{REDIS_HOST}}:{{REDIS_PORT}}" # required
+  pool_size: 5
+  dial_timeout: "5s"
+  read_timeout: "1s"
+  write_timeout: "1s"
+  idle_timeout: "50s"
+  key_prefix: gitlab-kas
+  password_file: {{GITLAB_KAS_REDIS_PASSWORD_FILE}}
+  network: "tcp"
+api:
+  listen:
+    network: tcp
+    address: 127.0.0.1:8153
+    authentication_secret_file: {{GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required
+    # certificate_file: /server-cert.pem
+    # key_file: /server-key.pem
+    max_connection_age: "1800s"
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
@@ -689,3 +689,6 @@ GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}
 GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"}
 GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"}
 GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-}
+GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret}
+GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-}
+GITLAB_KAS_REDIS_PASSWORD_FILE=${GITLAB_KAS_REDIS_PASSWORD_FILE:-}
diff --git a/assets/runtime/functions b/assets/runtime/functions
@@ -372,6 +372,24 @@ gitlab_configure_gitlab_kas() {
     GITLAB_KAS_EXTERNAL \
     GITLAB_KAS_INTERNAL \
     GITLAB_KAS_PROXY
+
+  update_template ${GITLAB_KAS_CONFIG} \
+    GITLAB_RELATIVE_URL_ROOT \
+    GITLAB_KAS_SECRET \
+    GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \
+    GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \
+    REDIS_HOST \
+    REDIS_PORT \
+    GITLAB_KAS_REDIS_PASSWORD_FILE
+  
+  if [[ ! -f ${GITLAB_KAS_REDIS_PASSWORD_FILE} ]]; then
+    exec_as_git touch "${GITLAB_KAS_REDIS_PASSWORD_FILE}"
+    exec_as_git chmod 600 ${GITLAB_KAS_REDIS_PASSWORD_FILE}
+    # TODO: Once this image supports redis password authentication, write the password to a file here
+  fi
+
+  # enable/disable startup of gitlab-kas : set autostart / autorestart entry in supervisor config using GITLAB_KAS_ENABLED
+  update_template /etc/supervisor/conf.d/gitlab-kas.conf GITLAB_KAS_ENABLED
 }
 
 gitlab_configure_gitlab_workhorse() {
@@ -942,6 +960,23 @@ gitlab_configure_secrets() {
     exec_as_git openssl rand -base64 -out "${pages_secret}" 32
     chmod 600 "${pages_secret}"
   fi
+
+  if [[ ! -f "${GITLAB_KAS_SECRET}" ]]; then
+    exec_as_git openssl rand -base64 -out "${GITLAB_KAS_SECRET}" 32
+    chmod 600 ${GITALB_KAS_SECRET}
+  fi
+
+  if [[ ! -f "${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then
+    exec_as_git openssl rand -base64 -out "${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32
+    chmod 600 ${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}
+  fi
+  
+  # KAS secret for private_api is not required so this can be empty string,
+  # but empty string is not match to "is file" condition so we don't care the case
+  if [[ ! -f "${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then
+    exec_as_git openssl rand -base64 -out "${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32
+    chmod 600 ${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}
+  fi
 }
 
 gitlab_configure_sidekiq() {
@@ -1991,6 +2026,10 @@ install_configuration_templates() {
   fi
 
   install_template ${GITLAB_USER}: gitaly/config.toml ${GITLAB_GITALY_CONFIG}
+  
+  if [[ ${GITLAB_KAS_ENABLED} == true ]]; then
+    install_template ${GITLAB_USER}: gitlab-agent/gitlab-kas_config.yaml ${GITLAB_KAS_CONFIG} 0640
+  fi
 }
 
 configure_gitlab() {
