change name of secret

add WEBTOKEN secret; remove GITLAB_KAS_SECRET

Replace GITLAB_KAS_SECRET by GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE

Author: th-2021

assets/runtime/config/gitlabhq/gitlab.yml

@@ -1177,7 +1177,7 @@ production: &base
     enabled: {{GITLAB_KAS_ENABLED}}
     # File that contains the secret key for verifying access for gitlab-kas.
     # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app).
-    secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret
+    secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # /home/git/gitlab/.gitlab_kas_secret
 
     # The URL to the external KAS API (used by the Kubernetes agents)
     external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com
@@ -1373,7 +1373,7 @@ test:
         region: us-east-1
 
   gitlab:
-    host: localhost
+    host: 127.0.0.1
     port: 80
 
     content_security_policy:

assets/runtime/env-defaults

@@ -683,13 +683,13 @@ GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-}
 
 ## Gitlab KAS
 GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false}
-GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}
 GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"}
-GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"}
+GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://127.0.0.1:8153"}
 GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-}
 
 ## gitlab-agent KAS (built-in one)
 GITLAB_AGENT_KAS_ENABLED=${GITLAB_AGENT_KAS_ENABLED:-${GITLAB_KAS_ENABLED}}
 GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret}
 GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_private_api_secret}
+GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE=${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_websocket_token_secret}
 GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-}

assets/runtime/functions

@@ -369,17 +369,17 @@ gitlab_configure_gitlab_kas() {
 
   update_template ${GITLAB_CONFIG} \
     GITLAB_KAS_ENABLED \
-    GITLAB_KAS_SECRET \
     GITLAB_KAS_EXTERNAL \
     GITLAB_KAS_INTERNAL \
+    GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \
     GITLAB_KAS_PROXY
 
   printf "Configuring gitlab-agent::KAS (enabled: %s)\n" "${GITLAB_AGENT_BUILTIN_KAS_ENABLED}"
   update_template ${GITLAB_KAS_CONFIG} \
     GITLAB_RELATIVE_URL_ROOT \
-    GITLAB_KAS_SECRET \
     GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \
     GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \
+    GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE \
     REDIS_HOST \
     REDIS_PORT \
     GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE
@@ -963,12 +963,7 @@ gitlab_configure_secrets() {
     chmod 600 "${pages_secret}"
   fi
 
-  if [[ ! -f "${GITLAB_KAS_SECRET}" ]]; then
-    exec_as_git openssl rand -base64 -out "${GITLAB_KAS_SECRET}" 32
-    chmod 600 ${GITALB_KAS_SECRET}
-  fi
-
-  if [[ ! -f "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then
+  if [[ ! -f "${GITLAB_AGENT_kas_aPI_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then
     exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32
     chmod 600 ${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}
   fi
@@ -979,6 +974,11 @@ gitlab_configure_secrets() {
     exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32
     chmod 600 ${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}
   fi
+  
+  if [[ ! -f "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}" ]]; then
+    exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}" 72
+    chmod 600 ${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}
+  fi
 }
 
 gitlab_configure_sidekiq() {