kas: tweak defaults for gitlab.authentication_secret_file

kkimurak · kkimurak · commit a214c823c364 · 2026-01-06T17:53:48.000+09:00
default to api.listen.authentication_secret_file,
as omnibus-gitlab do
diff --git a/README.md b/README.md
@@ -927,7 +927,8 @@ You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_
 
 To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_KAS_ENABLED`](#gitlab_agent_kas_enabled).
 
-You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist.
+You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist.  
+Authentication secret file will be set to same value of `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` but you can overwrite it by setting [`GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_gitlab_authentication_secret_file).
 
 Built-in KAS communicates to redis. The host and ports are set using `REDIS_HOST` and `REDIS_PORT`.  
 You can specify the password file path in `GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See [sameersbn/gitlab#1026](https://github.com/sameersbn/docker-gitlab/pull/1026)
@@ -1282,6 +1283,10 @@ The URL to the Kubernetes API proxy (used by GitLab users). No default.
 
 Control startup behavior of built-in KAS. `autostart` value in supervisor configuration for KAS will be set to this value. Default to [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled)
 
+##### `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE`
+
+An authentication secret file used to connect to gitlab from KAS. Defaults to `${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}`.
+
 ##### `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`
 
 An authentication secret file to verify JWT token, for built-in KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret`
diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml
@@ -5,7 +5,7 @@
 
 gitlab:
   address: http://localhost:8080{{GITLAB_RELATIVE_URL_ROOT}} # required
-  authentication_secret_file: {{GITLAB_KAS_SECRET}} # required
+  authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required
   # ca_certificate_file: /server-ca.pem
   api_rate_limit:
     bucket_size: 250
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
@@ -695,3 +695,4 @@ GITLAB_AGENT_KAS_ENABLED=${GITLAB_AGENT_KAS_ENABLED:-${GITLAB_KAS_ENABLED}}
 GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret}
 GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_private_api_secret}
 GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-}
+GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE:-${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}}
