Add built-in KAS

- build KAS on build, enable via GITLAB_AGENT_KAS_ENABLED
  (automatically enabled if GITLAB_KAS_ENABLED=true)
- Add built-in KAS config file
  kas config: import upstream (v15.10.0 - d88f4b89)
- minimal parameterization
  gitlab side:
  - GITLAB_KAS_ENABLED
    gitlab_rails['gitlab_kas_enabled'] for omnibus installation
  - GITLAB_KAS_INTERNAL
    gitlab_rails['gitlab_kas_internal_url'] for omnibus installation
  - GITLAB_KAS_EXTERNAL
    gitlab_rails['gitlab_kas_external_url'] for omnibus installation
  - GITLAB_KAS_PROXY
    gitlab_rails['gitlab_kas_external_k8s_proxy_url'] for omnibus installation
  kas side:
  - GITLAB_AGENT_KAS_ENABLED
    gitlab_kas['enabled'] for omnibus installation
  - GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE
    gitlab_kas['internal_api_listen_authentication_secret_file']
  - GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE
  used by both:
  - GITLAB_KAS_SECRET
    used as a value for
    - gitlabhq/gitlab.yml : production.gitlab_kas.secret_file
    - gitlab-agent/gitlab-kas_config.yaml : gitlab.authentication_secret_file

Prefix for parameters that only used by gitlab-agent/kas is "GITLAB_AGENT_KAS_"

Also add process to generate secret files for KAS

Update built-in KAS to 16.10.1, sync config

Update built-in gitlab-kas to v17.0.2, sync configuration

- Bump to v17.0.0, sync configuration
  GitOps module have been removed. See upstream change:
  https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/merge_requests/1436

- Bump: gitlab-kas 17.0.1
  no change in configuration file

- Bump: gitlab-kas 17.0.2
  no change in configuration file

Personal note:
I am still unable to successfully connect the agent from the WebUI.
The problem is that I don't know the correct way to do it in the first place,
so I have to check it out.

Stop gitlab_kas before restoring backup

It seems that kas has DB connection and blocks restoration

- Bump: gitlab-kas 18.1.0
  reference configuration file have been renamed to kascfg_defaults.yaml
  and does not contain full configurations
  So I have to search a way to generate full configuration from .proto
  or docs

Author: kkimurak

Dockerfile

@@ -10,6 +10,7 @@ ENV GITLAB_VERSION=${VERSION} \
     GITLAB_SHELL_VERSION=14.45.5 \
     GITLAB_PAGES_VERSION=18.7.0 \
     GITALY_SERVER_VERSION=18.7.0 \
+    GITLAB_AGENT_VERSION=18.1.0 \
     GITLAB_USER="git" \
     GITLAB_HOME="/home/git" \
     GITLAB_LOG_DIR="/var/log/gitlab" \
@@ -21,6 +22,7 @@ ENV GITLAB_VERSION=${VERSION} \
 ENV GITLAB_INSTALL_DIR="${GITLAB_HOME}/gitlab" \
     GITLAB_SHELL_INSTALL_DIR="${GITLAB_HOME}/gitlab-shell" \
     GITLAB_GITALY_INSTALL_DIR="${GITLAB_HOME}/gitaly" \
+    GITLAB_AGENT_INSTALL_DIR="${GITLAB_HOME}/gitlab-agent" \
     GITLAB_DATA_DIR="${GITLAB_HOME}/data" \
     GITLAB_BUILD_DIR="${GITLAB_CACHE_DIR}/build" \
     GITLAB_RUNTIME_DIR="${GITLAB_CACHE_DIR}/runtime"

README.md

@@ -917,18 +917,24 @@ Configuring gitlab::feature_flags...
 
 #### Gitlab KAS
 
-GitLab agent server for Kubernetes (KAS) is disabled by default, but you can enable it by setting configuration parameter [`GITLAB_KAS_ENABLED`](#GITLAB_KAS_ENABLED) to true.  
-By default, built-in `gitlab-kas` is used. But you can use an external installation of KAS by setting internal URL for the GItLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#GITLAB_KAS_INTERNAL). 
-You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#GITLAB_KAS_EXTERNAL). If you set up proxy URL, use `GITLAB_KAS_PROXY`.
+GitLab agent server for Kubernetes (KAS) is disabled by default, but you can enable it by setting configuration parameter [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) to true.  
+By default, built-in `gitlab-kas` is also enabled once you enable KAS feature. But you can use an external installation of KAS by setting internal URL for the GitLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#gitlab_kas_internal).  
+You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#gitlab_kas_external). If you set up proxy URL, use `GITLAB_KAS_PROXY`.
 
-You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#GITLAB_KAS_SECRET), [`GITLAB_KAS_API_AUTHENTICATION_SECRET_FILE`](#GITLAB_KAS_API_AUTHENTICATION_SECRET_FILE) and [`GITLAB_KAS_PRIVATE_API_AUTHENTICATION_SECRET_FILE`](#GITLAB_KAS_PRIVATE_API_AUTHENTICATION_SECRET_FILE). These secret files are automatically generated if they don't exist.   
+You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_secret). This secret file will be generated if they don't exist.
+
+#### Built-in GitLab-Agent KAS
+
+To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_KAS_ENABLED`](#gitlab_agent_kas_enabled).
+
+You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist.
 
 Built-in KAS communicates to redis. The host and ports are set using `REDIS_HOST` and `REDIS_PORT`.  
-You can specify the password file path in `GITLAB_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See https://github.com/sameersbn/docker-gitlab/pull/1026
+You can specify the password file path in `GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See [sameersbn/gitlab#1026](https://github.com/sameersbn/docker-gitlab/pull/1026)
 
 Also note that KAS requires that environment variable `OWN_PRIVATE_API_URL` is set (e.g. `OWN_PRIVATE_API_URL=grpc://127.0.0.1:8155`). If not, the KAS service will keep restarting.
 
-See official documentation : https://docs.gitlab.com/ee/administration/clusters/kas.html
+See [official documentation](https://docs.gitlab.com/ee/administration/clusters/kas.html) for more detail.
 
 #### Available Configuration Parameters
 
@@ -1272,19 +1278,23 @@ Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"`
 
 The URL to the Kubernetes API proxy (used by GitLab users). No default.
 
-##### `GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`
+##### `GITLAB_AGENT_KAS_ENABLED`
+
+Control startup behavior of built-in KAS. `autostart` value in supervisor configuration for KAS will be set to this value. Default to [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled)
+
+##### `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`
 
-An authentication secret file to verify JWT token, for KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret`
+An authentication secret file to verify JWT token, for built-in KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret`
 
-##### `GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`
+##### `GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`
 
-An authentication secret file to verify JWT token, for KAS internal API. If not exists, an secret file will be generated on startup. This is not "required", so please leave blank if you don't need it. No default.
+An authentication secret file to verify JWT token, for built-in KAS internal API. If not exists, an secret file will be generated on startup. This is not "required", so please leave blank if you don't need it. No default.
 
-##### `GITLAB_KAS_REDIS_PASSWORD_FILE`
+##### `GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE`
 
-Path for the file that contains redis password. This is not "required", so please leave blank if you don't need it. No default.
+Path for the file that contains redis password to be used by built-in KAS. This is not "required", so please leave blank if you don't need it. No default.
 
-NOTE: We currently do not support password authentication between gitlab and redis. See https://github.com/sameersbn/docker-gitlab/pull/1026
+NOTE: We currently do not support password authentication between gitlab and redis. See [sameersbn/gitlab#1026](https://github.com/sameersbn/docker-gitlab/pull/1026)
 
 ##### `GITLAB_LFS_ENABLED`
 

assets/build/install.sh

@@ -5,10 +5,12 @@ GITLAB_CLONE_URL=https://gitlab.com/gitlab-org/gitlab-foss.git
 GITLAB_SHELL_URL=https://gitlab.com/gitlab-org/gitlab-shell/-/archive/v${GITLAB_SHELL_VERSION}/gitlab-shell-v${GITLAB_SHELL_VERSION}.tar.bz2
 GITLAB_PAGES_URL=https://gitlab.com/gitlab-org/gitlab-pages.git
 GITLAB_GITALY_URL=https://gitlab.com/gitlab-org/gitaly.git
+GITLAB_AGENT_URL=https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent.git
 
 GITLAB_WORKHORSE_BUILD_DIR=${GITLAB_INSTALL_DIR}/workhorse
 GITLAB_PAGES_BUILD_DIR=/tmp/gitlab-pages
 GITLAB_GITALY_BUILD_DIR=/tmp/gitaly
+GITLAB_AGENT_BUILD_DIR=/tmp/gitlab-agent
 
 RUBY_SRC_URL=https://cache.ruby-lang.org/pub/ruby/${RUBY_VERSION%.*}/ruby-${RUBY_VERSION}.tar.gz
 
@@ -171,6 +173,18 @@ make -C ${GITLAB_GITALY_BUILD_DIR} git GIT_PREFIX=/usr/local
 # clean up
 rm -rf ${GITLAB_GITALY_BUILD_DIR}
 
+# download gitlab-agent (KAS)
+echo "Downloading gitlab-agent v.${GITLAB_AGENT_VERSION}..."
+git clone -q -b v${GITLAB_AGENT_VERSION} --depth 1 ${GITLAB_AGENT_URL} ${GITLAB_AGENT_BUILD_DIR}
+
+# install gitlab-agent (KAS)
+mkdir -p "${GITLAB_AGENT_INSTALL_DIR}"
+make -C ${GITLAB_AGENT_BUILD_DIR} kas TARGET_DIRECTORY=/usr/local/bin
+chown -R ${GITLAB_USER}: ${GITLAB_AGENT_INSTALL_DIR}
+
+# clean up
+rm -rf ${GITLAB_AGENT_BUILD_DIR}
+
 # remove go
 go clean --modcache
 rm -rf ${GITLAB_BUILD_DIR}/go${GOLANG_VERSION}.linux-amd64.tar.gz ${GOROOT}
@@ -411,6 +425,20 @@ stdout_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log
 stderr_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log
 EOF
 
+# configure superisord to start gitlab-agent (KAS)
+cat > /etc/supervisor/conf.d/gitlab-kas.conf <<EOF
+[program:gitlab_kas]
+priority=5
+directory=${GITLAB_AGENT_INSTALL_DIR}
+environment=HOME=${GITLAB_HOME}
+command=/usr/local/bin/kas --configuration-file="${GITLAB_AGENT_INSTALL_DIR}/gitlab-kas_config.yaml"
+user=git
+autostart={{GITLAB_AGENT_BUILTIN_KAS_ENABLED}}
+autorestart=true
+stdout_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log
+stderr_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log
+EOF
+
 # configure supervisord to start mail_room
 cat > /etc/supervisor/conf.d/mail_room.conf <<EOF
 [program:mail_room]

assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml

@@ -8,34 +8,29 @@ gitlab:
   authentication_secret_file: {{GITLAB_KAS_SECRET}} # required
   # ca_certificate_file: /server-ca.pem
   api_rate_limit:
-    refill_rate_per_second: 10.0
-    bucket_size: 50
+    bucket_size: 250
+    refill_rate_per_second: 50
 agent:
   listen:
     network: tcp
     address: 127.0.0.1:8150
     websocket: false
     # certificate_file: /server-cert.pem
     # key_file: /server-key.pem
-    connections_per_token_per_minute: 10000
-    max_connection_age: "1800s"
+    connections_per_token_per_minute: 40000
+    max_connection_age: "7200s"
+    listen_grace_period: "5s"
   configuration:
-    poll_period: "20s"
+    poll_period: "300s"
     max_configuration_file_size: 131072
-  gitops:
-    poll_period: "20s"
-    project_info_cache_ttl: "300s"
-    project_info_cache_error_ttl: "60s"
-    max_manifest_file_size: 5242880
-    max_total_manifest_file_size: 20971520
-    max_number_of_paths: 100
-    max_number_of_files: 1000
   kubernetes_api:
     listen:
       network: tcp
       address: 0.0.0.0:8154
       # certificate_file: /server-cert.pem
       # key_file: /server-key.pem
+      listen_grace_period: "5s"
+      shutdown_grace_period: "3600s"
     url_path_prefix: /
     allowed_agent_cache_ttl: "60s"
     allowed_agent_cache_error_ttl: "10s"
@@ -45,14 +40,16 @@ agent:
   redis_conn_info_refresh: "240s"
   redis_conn_info_gc: "600s"
 observability:
-  usage_reporting_period: "60s"
+  usage_reporting_period: "10s"
   listen:
     network: tcp
     address: 127.0.0.1:8151
   prometheus:
     url_path: /metrics
-  tracing:
-    connection_string: ""
+  # tracing:
+  #   otlp_endpoint: "https://localhost:4317/traces/foo/bar"
+  #   otlp_token_secret_file: "/some/path"
+  #   otlp_ca_certificate_file: "/some/path/ca.crt"
   sentry:
     dsn: ""
     environment: ""
@@ -68,6 +65,7 @@ observability:
     url_path: /liveness
   readiness_probe:
     url_path: /readiness
+  event_reporting_period: "10s"
 gitaly:
   global_api_rate_limit:
     refill_rate_per_second: 30.0
@@ -77,25 +75,25 @@ gitaly:
     bucket_size: 40
 private_api:
   listen:
+    network: tcp
     address: 127.0.0.1:8155
-    authentication_secret_file: {{GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}}
-    max_connection_age: 1800s
+    authentication_secret_file: {{GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}}
+    max_connection_age: 7200s
+    listen_grace_period: "5s"
 redis:
   server:
     address: "{{REDIS_HOST}}:{{REDIS_PORT}}" # required
-  pool_size: 5
   dial_timeout: "5s"
-  read_timeout: "1s"
-  write_timeout: "1s"
-  idle_timeout: "50s"
+  write_timeout: "3s"
   key_prefix: gitlab-kas
-  password_file: {{GITLAB_KAS_REDIS_PASSWORD_FILE}}
+  password_file: {{GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}}
   network: "tcp"
 api:
   listen:
     network: tcp
     address: 127.0.0.1:8153
-    authentication_secret_file: {{GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required
+    authentication_secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required
     # certificate_file: /server-cert.pem
     # key_file: /server-key.pem
-    max_connection_age: "1800s"
+    max_connection_age: "7200s"
+    listen_grace_period: "5s"

assets/runtime/env-defaults

@@ -689,6 +689,9 @@ GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}
 GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"}
 GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"}
 GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-}
-GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret}
-GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-}
-GITLAB_KAS_REDIS_PASSWORD_FILE=${GITLAB_KAS_REDIS_PASSWORD_FILE:-}
+
+## gitlab-agent KAS (built-in one)
+GITLAB_AGENT_KAS_ENABLED=${GITLAB_AGENT_KAS_ENABLED:-${GITLAB_KAS_ENABLED}}
+GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret}
+GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_private_api_secret}
+GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-}

assets/runtime/functions

@@ -29,6 +29,7 @@ GITLAB_REGISTRY_NGINX_CONFIG="/etc/nginx/conf.d/gitlab-registry.conf"
 GITLAB_PAGES_NGINX_CONFIG="/etc/nginx/conf.d/gitlab-pages.conf"
 GITLAB_PAGES_CONFIG="${GITLAB_INSTALL_DIR}/gitlab-pages-config"
 GITLAB_GITALY_CONFIG="${GITLAB_GITALY_INSTALL_DIR}/config.toml"
+GITLAB_KAS_CONFIG="${GITLAB_AGENT_INSTALL_DIR}/gitlab-kas_config.yaml"
 
 # Compares two version strings `a` and `b`
 # Returns
@@ -373,23 +374,24 @@ gitlab_configure_gitlab_kas() {
     GITLAB_KAS_INTERNAL \
     GITLAB_KAS_PROXY
 
+  printf "Configuring gitlab-agent::KAS (enabled: %s)\n" "${GITLAB_AGENT_BUILTIN_KAS_ENABLED}"
   update_template ${GITLAB_KAS_CONFIG} \
     GITLAB_RELATIVE_URL_ROOT \
     GITLAB_KAS_SECRET \
-    GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \
-    GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \
+    GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \
+    GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \
     REDIS_HOST \
     REDIS_PORT \
-    GITLAB_KAS_REDIS_PASSWORD_FILE
+    GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE
 
-  if [[ ! -f ${GITLAB_KAS_REDIS_PASSWORD_FILE} ]]; then
-    exec_as_git touch "${GITLAB_KAS_REDIS_PASSWORD_FILE}"
-    exec_as_git chmod 600 ${GITLAB_KAS_REDIS_PASSWORD_FILE}
+  if [[ -n ${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE} ]]; then
+    exec_as_git touch "${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}"
+    exec_as_git chmod 600 "${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}"
     # TODO: Once this image supports redis password authentication, write the password to a file here
   fi
 
-  # enable/disable startup of gitlab-kas : set autostart / autorestart entry in supervisor config using GITLAB_KAS_ENABLED
-  update_template /etc/supervisor/conf.d/gitlab-kas.conf GITLAB_KAS_ENABLED
+  # enable/disable startup of gitlab-kas : set autostart entry in supervisor config using GITLAB_AGENT_BUILTIN_KAS_ENABLED
+  update_template /etc/supervisor/conf.d/gitlab-kas.conf GITLAB_AGENT_BUILTIN_KAS_ENABLED
 }
 
 gitlab_configure_gitlab_workhorse() {
@@ -966,16 +968,16 @@ gitlab_configure_secrets() {
     chmod 600 ${GITALB_KAS_SECRET}
   fi
 
-  if [[ ! -f "${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then
-    exec_as_git openssl rand -base64 -out "${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32
-    chmod 600 ${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}
+  if [[ ! -f "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then
+    exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32
+    chmod 600 ${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}
   fi
 
   # KAS secret for private_api is not required so this can be empty string,
   # but empty string is not match to "is file" condition so we don't care the case
-  if [[ ! -f "${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then
-    exec_as_git openssl rand -base64 -out "${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32
-    chmod 600 ${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}
+  if [[ ! -f "${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then
+    exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32
+    chmod 600 ${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}
   fi
 }
 
@@ -2027,7 +2029,7 @@ install_configuration_templates() {
 
   install_template ${GITLAB_USER}: gitaly/config.toml ${GITLAB_GITALY_CONFIG}
 
-  if [[ ${GITLAB_KAS_ENABLED} == true ]]; then
+  if [[ ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]; then
     install_template ${GITLAB_USER}: gitlab-agent/gitlab-kas_config.yaml ${GITLAB_KAS_CONFIG} 0640
   fi
 }
@@ -2334,6 +2336,7 @@ execute_raketask() {
     /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
     supervisorctl stop gitlab_extensions:*
     supervisorctl stop gitlab:*
+    supervisorctl stop gitlab_kas
     interactive=true
     for arg in $@
     do