From baa49e0398fe7e2608967cf546e78d4ab84ac802 Mon Sep 17 00:00:00 2001 From: Steven Achilles Date: Wed, 31 Dec 2025 17:21:47 +0100 Subject: [PATCH 01/27] Upgrade GitLab CE to 18.7.0 --- Changelog.md | 7 ++++ Dockerfile | 8 ++-- README.md | 54 ++++++++++++------------- VERSION | 2 +- contrib/docker-swarm/docker-compose.yml | 2 +- docker-compose.swarm.yml | 2 +- docker-compose.yml | 2 +- docs/container_registry.md | 10 ++--- docs/docker-compose-keycloak.yml | 2 +- docs/docker-compose-registry.yml | 2 +- kubernetes/gitlab-rc.yml | 2 +- 11 files changed, 50 insertions(+), 43 deletions(-) diff --git a/Changelog.md b/Changelog.md index bec58acda..4bb828551 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,6 +3,13 @@ This file only reflects the changes that are made in this image. Please refer to the upstream GitLab [CHANGELOG](https:// gitlab.com/gitlab-org/gitlab-foss/blob/master/CHANGELOG.md) for the list of changes in GitLab. +## 18.7.0 + +- gitlab: upgrade CE to v18.7.0 +- gitaly: upgrade to v18.7.0 +- gitlab-pages: upgrade to v18.7.0 +- gitlab-shell: upgrade to v14.45.5 + ## 18.6.2 - gitlab: upgrade CE to v18.6.2 diff --git a/Dockerfile b/Dockerfile index debfcd7c7..741b9b968 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,15 +1,15 @@ FROM ubuntu:noble-20251013 -ARG VERSION=18.6.2 +ARG VERSION=18.7.0 ENV GITLAB_VERSION=${VERSION} \ RUBY_VERSION=3.2.9 \ RUBY_SOURCE_SHA256SUM="abbad98db9aeb152773b0d35868e50003b8c467f3d06152577c4dfed9d88ed2a" \ RUBYGEMS_VERSION=3.7.2 \ GOLANG_VERSION=1.24.11 \ - GITLAB_SHELL_VERSION=14.45.3 \ - GITLAB_PAGES_VERSION=18.6.2 \ - GITALY_SERVER_VERSION=18.6.2 \ + GITLAB_SHELL_VERSION=14.45.5 \ + GITLAB_PAGES_VERSION=18.7.0 \ + GITALY_SERVER_VERSION=18.7.0 \ GITLAB_USER="git" \ GITLAB_HOME="/home/git" \ GITLAB_LOG_DIR="/var/log/gitlab" \ diff --git a/README.md b/README.md index c0685382f..b2a816d07 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@ -# sameersbn/gitlab:18.6.2 +# sameersbn/gitlab:18.7.0 [![CircleCI](https://circleci.com/gh/sameersbn/docker-gitlab/tree/master.svg?style=svg)](https://circleci.com/gh/sameersbn/docker-gitlab/tree/master) @@ -128,7 +128,7 @@ Your docker host needs to have 1GB or more of available RAM to run GitLab. Pleas Automated builds of the image are available on [Dockerhub](https://hub.docker.com/r/sameersbn/gitlab) and is the recommended method of installation. ```bash -docker pull sameersbn/gitlab:18.6.2 +docker pull sameersbn/gitlab:18.7.0 ``` You can also pull the `latest` tag which is built from the repository *HEAD* @@ -210,7 +210,7 @@ docker run --name gitlab -d \ --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=["long-and-random-alpha-numeric-string"]' \ --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alpha-numeric-string' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:18.6.2 + sameersbn/gitlab:18.7.0 ``` *Please refer to [Available Configuration Parameters](#available-configuration-parameters) to understand `GITLAB_PORT` and other configuration options* @@ -245,7 +245,7 @@ Volumes can be mounted in docker by specifying the `-v` option in the docker run ```bash docker run --name gitlab -d \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:18.6.2 + sameersbn/gitlab:18.7.0 ``` ### Database @@ -310,7 +310,7 @@ docker run --name gitlab -d \ --env 'DB_NAME=gitlabhq_production' \ --env 'DB_USER=gitlab' --env 'DB_PASS=password' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:18.6.2 + sameersbn/gitlab:18.7.0 ``` ##### Linking to PostgreSQL Container 
@@ -354,7 +354,7 @@ We are now ready to start the GitLab application. ```bash docker run --name gitlab -d --link gitlab-postgresql:postgresql \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:18.6.2 + sameersbn/gitlab:18.7.0 ``` Here the image will also automatically fetch the `DB_NAME`, `DB_USER` and `DB_PASS` variables from the postgresql container as they are specified in the `docker run` command for the postgresql container. This is made possible using the magic of docker links and works with the following images: @@ -392,7 +392,7 @@ The image can be configured to use an external redis server. The configuration s ```bash docker run --name gitlab -it --rm \ --env 'REDIS_HOST=192.168.1.100' --env 'REDIS_PORT=6379' \ - sameersbn/gitlab:18.6.2 + sameersbn/gitlab:18.7.0 ``` #### Linking to Redis Container @@ -419,7 +419,7 @@ We are now ready to start the GitLab application. ```bash docker run --name gitlab -d --link gitlab-redis:redisio \ - sameersbn/gitlab:18.6.2 + sameersbn/gitlab:18.7.0 ``` #### Mail @@ -432,7 +432,7 @@ If you are using Gmail then all you need to do is: docker run --name gitlab -d \ --env 'SMTP_USER=USER@gmail.com' --env 'SMTP_PASS=PASSWORD' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:18.6.2 + sameersbn/gitlab:18.7.0 ``` Please refer the [Available Configuration Parameters](#available-configuration-parameters) section for the list of SMTP parameters that can be specified. @@ -452,7 +452,7 @@ docker run --name gitlab -d \ --env 'IMAP_USER=USER@gmail.com' --env 'IMAP_PASS=PASSWORD' \ --env 'GITLAB_INCOMING_EMAIL_ADDRESS=USER+%{key}@gmail.com' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:18.6.2 + sameersbn/gitlab:18.7.0 ``` Please refer the [Available Configuration Parameters](#available-configuration-parameters) section for the list of IMAP parameters that can be specified. 
@@ -536,7 +536,7 @@ docker run --name gitlab -d \ --env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_PORT=10443' \ --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:18.6.2 + sameersbn/gitlab:18.7.0 ``` In this configuration, any requests made over the plain http protocol will automatically be redirected to use the https protocol. However, this is not optimal when using a load balancer. @@ -552,7 +552,7 @@ docker run --name gitlab -d \ --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \ --env 'NGINX_HSTS_MAXAGE=2592000' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:18.6.2 + sameersbn/gitlab:18.7.0 ``` If you want to completely disable HSTS set `NGINX_HSTS_ENABLED` to `false`. @@ -575,7 +575,7 @@ docker run --name gitlab -d \ --env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_PORT=443' \ --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:18.6.2 + sameersbn/gitlab:18.7.0 ``` Again, drop the `--env 'SSL_SELF_SIGNED=true'` option if you are using CA certified SSL certificates. @@ -623,7 +623,7 @@ Let's assume we want to deploy our application to '/git'. GitLab needs to know t docker run --name gitlab -it --rm \ --env 'GITLAB_RELATIVE_URL_ROOT=/git' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:18.6.2 + sameersbn/gitlab:18.7.0 ``` GitLab will now be accessible at the `/git` path, e.g. `http://www.example.com/git`. 
@@ -850,14 +850,14 @@ Also the container processes seem to be executed as the host's user/group `1000` ```bash docker run --name gitlab -it --rm [options] \ --env "USERMAP_UID=$(id -u git)" --env "USERMAP_GID=$(id -g git)" \ - sameersbn/gitlab:18.6.2 + sameersbn/gitlab:18.7.0 ``` When changing this mapping, all files and directories in the mounted data volume `/home/git/data` have to be re-owned by the new ids. This can be achieved automatically using the following command: ```bash docker run --name gitlab -d [OPTIONS] \ - sameersbn/gitlab:18.6.2 app:sanitize + sameersbn/gitlab:18.7.0 app:sanitize ``` #### Piwik @@ -2620,7 +2620,7 @@ Execute the rake task to create a backup. ```bash docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:18.6.2 app:rake gitlab:backup:create + sameersbn/gitlab:18.7.0 app:rake gitlab:backup:create ``` A backup will be created in the backups folder of the [Data Store](#data-store). You can change the location of the backups using the `GITLAB_BACKUP_DIR` configuration parameter. @@ -2655,14 +2655,14 @@ you need to prepare the database: ```bash docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:18.6.2 app:rake db:setup + sameersbn/gitlab:18.7.0 app:rake db:setup ``` Execute the rake task to restore a backup. Make sure you run the container in interactive mode `-it`. ```bash docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:18.6.2 app:rake gitlab:backup:restore + sameersbn/gitlab:18.7.0 app:rake gitlab:backup:restore ``` The list of all available backups will be displayed in reverse chronological order. Select the backup you want to restore and continue. 
@@ -2671,7 +2671,7 @@ To avoid user interaction in the restore operation, specify the timestamp, date ```bash docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:18.6.2 app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.0.6 + sameersbn/gitlab:18.7.0 app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.0.6 ``` When using `docker-compose` you may use the following command to execute the restore. @@ -2720,7 +2720,7 @@ The `app:rake` command allows you to run gitlab rake tasks. To run a rake task s ```bash docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:18.6.2 app:rake gitlab:env:info + sameersbn/gitlab:18.7.0 app:rake gitlab:env:info ``` You can also use `docker exec` to run rake tasks on running gitlab instance. For example, @@ -2733,7 +2733,7 @@ Similarly, to import bare repositories into GitLab project instance ```bash docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:18.6.2 app:rake gitlab:import:repos + sameersbn/gitlab:18.7.0 app:rake gitlab:import:repos ``` Or @@ -2764,7 +2764,7 @@ Copy all the **bare** git repositories to the `repositories/` directory of the [ ```bash docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:18.6.2 app:rake gitlab:import:repos + sameersbn/gitlab:18.7.0 app:rake gitlab:import:repos ``` Watch the logs and your repositories should be available into your new gitlab container. 
@@ -2795,12 +2795,12 @@ To upgrade to newer gitlab releases, simply follow this 4 step upgrade procedure > **Note** > -> Upgrading to `sameersbn/gitlab:18.6.2` from `sameersbn/gitlab:7.x.x` can cause issues. It is therefore required that you first upgrade to `sameersbn/gitlab:8.0.5-1` before upgrading to `sameersbn/gitlab:8.1.0` or higher. +> Upgrading to `sameersbn/gitlab:18.7.0` from `sameersbn/gitlab:7.x.x` can cause issues. It is therefore required that you first upgrade to `sameersbn/gitlab:8.0.5-1` before upgrading to `sameersbn/gitlab:8.1.0` or higher. - **Step 1**: Update the docker image. ```bash -docker pull sameersbn/gitlab:18.6.2 +docker pull sameersbn/gitlab:18.7.0 ``` - **Step 2**: Stop and remove the currently running image @@ -2830,7 +2830,7 @@ Replace `x.x.x` with the version you are upgrading from. For example, if you are > **Note**: Since Gitlab 17.8 you need to provide `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY`,`GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY` and `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`. If not provided, these keys will be generated by gitlab. The image can be started without setting these parameters, **but you will lose the settings when you shutting down the container without taking a backup of `secrets.yml` and settings stored securely (such as the Dependency Proxy) will be unusable and unrecoverable.** ```bash -docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:18.6.2 +docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:18.7.0 ``` ### Shell Access @@ -2866,7 +2866,7 @@ You can also set your `docker-compose.yml` [healthcheck](https://docs.docker.com ```yml services: gitlab: - image: sameersbn/gitlab:18.6.2 + image: sameersbn/gitlab:18.7.0 healthcheck: test: ["CMD", "/usr/local/sbin/healthcheck"] interval: 1m diff --git a/VERSION b/VERSION index fc558a423..fb67e3d51 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -18.6.2 +18.7.0 
diff --git a/contrib/docker-swarm/docker-compose.yml b/contrib/docker-swarm/docker-compose.yml index 21ddc5832..8c249db1c 100644 --- a/contrib/docker-swarm/docker-compose.yml +++ b/contrib/docker-swarm/docker-compose.yml @@ -20,7 +20,7 @@ services: gitlab: restart: always - image: sameersbn/gitlab:18.6.2 + image: sameersbn/gitlab:18.7.0 depends_on: - redis - postgresql diff --git a/docker-compose.swarm.yml b/docker-compose.swarm.yml index 8938757e2..e7fe1d4bf 100644 --- a/docker-compose.swarm.yml +++ b/docker-compose.swarm.yml @@ -62,7 +62,7 @@ services: - traefik-public gitlab: - image: sameersbn/gitlab:18.6.2 + image: sameersbn/gitlab:18.7.0 depends_on: - redis - postgresql diff --git a/docker-compose.yml b/docker-compose.yml index 52d87375c..cc74b2440 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -21,7 +21,7 @@ services: gitlab: restart: always - image: sameersbn/gitlab:18.6.2 + image: sameersbn/gitlab:18.7.0 depends_on: - redis - postgresql diff --git a/docs/container_registry.md b/docs/container_registry.md index f0f99189b..0a0671bfa 100644 --- a/docs/container_registry.md +++ b/docs/container_registry.md @@ -291,7 +291,7 @@ Execute the rake task with a removeable container. ```bash docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:18.6.2 app:rake gitlab:backup:create + sameersbn/gitlab:18.7.0 app:rake gitlab:backup:create ``` ### Restoring Backups @@ -308,7 +308,7 @@ Execute the rake task to restore a backup. Make sure you run the container in in ```bash docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:18.6.2 app:rake gitlab:backup:restore + sameersbn/gitlab:18.7.0 app:rake gitlab:backup:restore ``` The list of all available backups will be displayed in reverse chronological order. Select the backup you want to restore and continue. 
@@ -317,7 +317,7 @@ To avoid user interaction in the restore operation, specify the timestamp of the ```bash docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:18.6.2 app:rake gitlab:backup:restore BACKUP=1417624827 + sameersbn/gitlab:18.7.0 app:rake gitlab:backup:restore BACKUP=1417624827 ``` ## Upgrading from an existing GitLab installation @@ -327,7 +327,7 @@ If you want enable this feature for an existing instance of GitLab you need to d - **Step 1**: Update the docker image. ```bash -docker pull sameersbn/gitlab:18.6.2 +docker pull sameersbn/gitlab:18.7.0 ``` - **Step 2**: Stop and remove the currently running image @@ -381,7 +381,7 @@ docker run --name gitlab -d [PREVIOUS_OPTIONS] \ --env 'GITLAB_REGISTRY_CERT_PATH=/certs/registry-auth.crt' \ --env 'GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key' \ --link registry:registry -sameersbn/gitlab:18.6.2 +sameersbn/gitlab:18.7.0 ``` [storage-config]: https://docs.docker.com/registry/configuration/#storage diff --git a/docs/docker-compose-keycloak.yml b/docs/docker-compose-keycloak.yml index b65c86b6d..451aa5cfe 100644 --- a/docs/docker-compose-keycloak.yml +++ b/docs/docker-compose-keycloak.yml @@ -20,7 +20,7 @@ services: gitlab: restart: always - image: sameersbn/gitlab:18.6.2 + image: sameersbn/gitlab:18.7.0 depends_on: - redis - postgresql diff --git a/docs/docker-compose-registry.yml b/docs/docker-compose-registry.yml index cd9f99527..b14727075 100644 --- a/docs/docker-compose-registry.yml +++ b/docs/docker-compose-registry.yml @@ -20,7 +20,7 @@ services: gitlab: restart: always - image: sameersbn/gitlab:18.6.2 + image: sameersbn/gitlab:18.7.0 volumes: - gitlab-data:/home/git/data:Z - gitlab-logs:/var/log/gitlab diff --git a/kubernetes/gitlab-rc.yml b/kubernetes/gitlab-rc.yml index eb4ee606e..0b88ea69f 100644 --- a/kubernetes/gitlab-rc.yml +++ b/kubernetes/gitlab-rc.yml 
@@ -14,7 +14,7 @@ spec: spec: containers: - name: gitlab - image: sameersbn/gitlab:18.6.2 + image: sameersbn/gitlab:18.7.0 env: - name: TZ value: Asia/Kolkata From 1a75e89954fe9070095df870700ba0010060cde5 Mon Sep 17 00:00:00 2001 From: KIMURA Kazunori Date: Tue, 6 Jan 2026 12:35:04 +0900 Subject: [PATCH 02/27] sync config/gitlabhq/puma.rb to gitlab v18.7.0 Without those changes puma (and then gitlab itself) does not start See following upstream changes: - https://gitlab.com/gitlab-org/gitlab/-/merge_requests/128619 (overwritten by gitlab-org/gitlab!132581) - https://gitlab.com/gitlab-org/gitlab/-/merge_requests/132581 - https://gitlab.com/gitlab-org/gitlab/-/merge_requests/211331 --- assets/runtime/config/gitlabhq/puma.rb | 62 ++++++++++++++++---------- 1 file changed, 39 insertions(+), 23 deletions(-) diff --git a/assets/runtime/config/gitlabhq/puma.rb b/assets/runtime/config/gitlabhq/puma.rb index df5b5eeac..f77342124 100644 --- a/assets/runtime/config/gitlabhq/puma.rb +++ b/assets/runtime/config/gitlabhq/puma.rb 
@@ -40,28 +40,45 @@ require_relative "{{GITLAB_INSTALL_DIR}}/lib/gitlab/cluster/lifecycle_events" -on_restart do - # Signal application hooks that we're about to restart - Gitlab::Cluster::LifecycleEvents.do_before_master_restart -end +if Gem::Version.new(Puma::Const::PUMA_VERSION) < Gem::Version.new('7.0') + Gitlab::Cluster::LifecycleEvents.set_puma_options @config.options -before_fork do - # Signal to the puma killer - Gitlab::Cluster::PumaWorkerKillerInitializer.start(@config.options, puma_per_worker_max_memory_mb: {{PUMA_PER_WORKER_MAX_MEMORY_MB}}, puma_master_max_memory_mb: {{PUMA_MASTER_MAX_MEMORY_MB}}) unless ENV['DISABLE_PUMA_WORKER_KILLER'] + on_restart do + # Signal application hooks that we're about to restart + Gitlab::Cluster::LifecycleEvents.do_before_master_restart + end - # Signal application hooks that we're about to fork - Gitlab::Cluster::LifecycleEvents.do_before_fork -end + on_worker_boot do + # Signal application hooks of worker start + Gitlab::Cluster::LifecycleEvents.do_worker_start + end -Gitlab::Cluster::LifecycleEvents.set_puma_options @config.options -on_worker_boot do - # Signal application hooks of worker start - Gitlab::Cluster::LifecycleEvents.do_worker_start + on_worker_shutdown do + # Signal application hooks that a worker is shutting down + Gitlab::Cluster::LifecycleEvents.do_worker_stop + end +else + Gitlab::Cluster::LifecycleEvents.set_puma_worker_count(3) + + before_restart do + # Signal application hooks that we're about to restart + Gitlab::Cluster::LifecycleEvents.do_before_master_restart + end + + before_worker_boot do + # Signal application hooks of worker start + Gitlab::Cluster::LifecycleEvents.do_worker_start + end + + before_worker_shutdown do + # Signal application hooks that a worker is shutting down + Gitlab::Cluster::LifecycleEvents.do_worker_stop + end end -on_worker_shutdown do - # Signal application hooks that a worker is shutting down - Gitlab::Cluster::LifecycleEvents.do_worker_stop +before_fork do + # Signal 
application hooks that we're about to fork + Gitlab::Cluster::LifecycleEvents.do_before_fork end # Preload the application before starting the workers; this conflicts with @@ -87,11 +104,10 @@ json_formatter.call(str) end -lowlevel_error_handler do |ex, env| - if Raven.configuration.capture_allowed? - Raven.capture_exception(ex, tags: { 'handler': 'puma_low_level' }, extra: { puma_env: env }) - end +require_relative "{{GITLAB_INSTALL_DIR}}/lib/gitlab/puma/error_handler" + +error_handler = Gitlab::Puma::ErrorHandler.new(ENV['RAILS_ENV'] == 'production') - # note the below is just a Rack response - [500, {}, ["An error has occurred and reported in the system's low-level error handler."]] +lowlevel_error_handler do |ex, env, status_code| + error_handler.execute(ex, env, status_code) end From e0fac218eae96f9c24d5e11d8003e6081b8bec20 Mon Sep 17 00:00:00 2001 From: KIMURA Kazunori Date: Tue, 6 Jan 2026 12:35:04 +0900 Subject: [PATCH 03/27] sync config/gitlabhq/puma.rb to gitlab v18.7.0 Without those changes puma (and then gitlab itself) does not starts See following upstream changes: - https://gitlab.com/gitlab-org/gitlab/-/merge_requests/128619 (overwritten by gitlab-org/gitlab!132581) - https://gitlab.com/gitlab-org/gitlab/-/merge_requests/132581 - https://gitlab.com/gitlab-org/gitlab/-/merge_requests/211331 --- assets/runtime/config/gitlabhq/puma.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/assets/runtime/config/gitlabhq/puma.rb b/assets/runtime/config/gitlabhq/puma.rb index f77342124..faa5ca586 100644 --- a/assets/runtime/config/gitlabhq/puma.rb +++ b/assets/runtime/config/gitlabhq/puma.rb @@ -34,7 +34,6 @@ # Bind the server to "url". "tcp://", "unix://" and "ssl://" are the only # accepted protocols. bind 'unix:///home/git/gitlab/tmp/sockets/gitlab.socket' -bind 'tcp://127.0.0.1:8080' workers {{PUMA_WORKERS}} From 78269026f7512f1fd49ee04a6b4da6bb74f596fc Mon Sep 17 00:00:00 2001 
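Review bot: The Puma >= 7 branch hard-codes the worker count, `Gitlab::Cluster::LifecycleEvents.set_puma_worker_count(3)`, while the `workers {{PUMA_WORKERS}}` directive just above this hunk (visible in the PATCH 03 hunk of the same file) is rendered from the image's template, so the two disagree whenever the container runs with a non-default worker count; assuming the template renders an integer there as it does for `workers`, this should read `Gitlab::Cluster::LifecycleEvents.set_puma_worker_count({{PUMA_WORKERS}})`. The rewritten `before_fork` also drops the `Gitlab::Cluster::PumaWorkerKillerInitializer.start(...)` call, so `PUMA_PER_WORKER_MAX_MEMORY_MB`, `PUMA_MASTER_MAX_MEMORY_MB` and `DISABLE_PUMA_WORKER_KILLER` silently stop having any effect on memory enforcement. If that is deliberate because upstream removed the killer, the commit message should say so and those now-dead parameters should be retired from the image's configuration; otherwise the call belongs in the new `before_fork`. The `before_fork` block ends on this hunk line and the rest of the file continues outside it.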
From: Antt1995 Date: Thu, 30 Jun 2022 12:56:09 +0100 Subject: [PATCH 04/27] KAS --- assets/runtime/config/gitlabhq/gitlab.yml | 16 ++++++++++++++++ assets/runtime/env-defaults | 7 +++++++ 2 files changed, 23 insertions(+) diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index 6961a63ce..45ccc4eef 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml @@ -1271,6 +1271,22 @@ production: &base # Ban an IP for one hour (3600s) after too many auth attempts bantime: {{RACK_ATTACK_BANTIME}} + gitlab_kas: + enabled: {{GITLAB_KAS_ENABLED}} + # File that contains the secret key for verifying access for gitlab-kas. + # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). + secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret + + # The URL to the external KAS API (used by the Kubernetes agents) + external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com + + # The URL to the internal KAS API (used by the GitLab backend) + internal_url: {{GITLAB_KAS_INTERNAL}} # grpc://localhost:8153 + + # The URL to the Kubernetes API proxy (used by GitLab users) + external_k8s_proxy_url: {{GITLAB_KAS_PROXY}} # https://localhost:8154 # default: nil + + development: <<: *base diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 483446924..6b7e49f11 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults 
@@ -682,3 +682,10 @@ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI=${GITLAB_CONTENT_SECURITY_P ## Feature Flags GITLAB_FEATURE_FLAGS_DISABLE_TARGETS=${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS:-} GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-} + +## Gitlab KAS +GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false} +GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-} +GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"} +GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"} +GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} From 987c7239af9248d49797bfb0f273d6a4f27f945e Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Mon, 4 Jul 2022 14:12:17 +0100 Subject: [PATCH 05/27] Added functions --- assets/runtime/functions | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/assets/runtime/functions b/assets/runtime/functions index d714f8c80..903640a6f 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions @@ -363,6 +363,17 @@ gitlab_configure_monitoring() { GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT } +gitlab_configure_gitlab_kas() { + echo "Configuring gitlab::KAS..." + + update_template ${GITLAB_CONFIG} \ + GITLAB_KAS_ENABLED \ + GITLAB_KAS_SECRET \ + GITLAB_KAS_EXTERNAL \ + GITLAB_KAS_INTERNAL \ + GITLAB_KAS_PROXY +} + gitlab_configure_gitlab_workhorse() { echo "Configuring gitlab::gitlab-workhorse..." update_template /etc/supervisor/conf.d/gitlab-workhorse.conf \ @@ -2041,6 +2052,7 @@ configure_gitlab() { gitlab_configure_pages gitlab_configure_sentry generate_healthcheck_script + gitlab_configure_gitlab_kas gitlab_configure_content_security_policy # remove stale gitlab.socket From 01aa149aa88a79b23329c1a8592e34dc06ad2824 Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Tue, 5 Jul 2022 13:56:26 +0100 Subject: [PATCH 06/27] Update assets/runtime/env-defaults Co-authored-by: Kazunori Kimura <33391846+kkimurak@users.noreply.github.com> --- assets/runtime/env-defaults | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
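Review bot: `GITLAB_KAS_EXTERNAL` defaults to the placeholder `wss://kas.example.com`, so an operator who sets `GITLAB_KAS_ENABLED=true` without overriding it gets a GitLab that hands agents a non-existent endpoint instead of a clear configuration error; a safer default is empty, with the configure step refusing to enable KAS (or deriving the URL from the instance's configured hostname) when it is unset. `GITLAB_KAS_SECRET` defaults to empty, which makes `secret_file:` in the gitlab.yml hunk render blank whenever KAS is enabled; whether GitLab then falls back to `.gitlab_kas_secret` under Rails.root, as the template comment suggests, cannot be confirmed from here, so an explicit default path plus generation of the file when absent would be more robust. `GITLAB_KAS_INTERNAL` defaulting to `grpc://localhost:8153` is fine for the built-in KAS as long as nothing rebinds that port outside the container.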
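Review bot: `gitlab_configure_gitlab_kas` only substitutes the five placeholders; nothing creates, permission-checks or even verifies the existence of the file named by `GITLAB_KAS_SECRET`, so when `GITLAB_KAS_ENABLED` is true the misconfiguration surfaces only later as a KAS authentication failure rather than at startup. Consider a guard after the `update_template` call along the lines of `if [[ ${GITLAB_KAS_ENABLED} == true && ! -f "${GITLAB_KAS_SECRET}" ]]; then echo "WARNING: KAS enabled but secret file ${GITLAB_KAS_SECRET} is missing" >&2; fi`, or generating the secret there with owner-only permissions; a separate commit in this series appears to add generation, in which case a cross-reference in this function would help. `update_template ${GITLAB_CONFIG} \` leaves the path unquoted; the sibling functions visible in the hunk use a literal path so this matches local style, but `"${GITLAB_CONFIG}"` costs nothing. The second hunk, which wires `gitlab_configure_gitlab_kas` into `configure_gitlab`, is consistent with the surrounding calls.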
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 6b7e49f11..1e8de0681 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -685,7 +685,7 @@ GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-} ## Gitlab KAS GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false} -GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-} +GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}} GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"} GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"} GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} From a1550489b59c7f0bc8894abbeca410bfefd9684e Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Tue, 5 Jul 2022 14:33:04 +0100 Subject: [PATCH 07/27] Added to Readme --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index b2a816d07..1bc382717 100644 --- a/README.md +++ b/README.md @@ -54,6 +54,7 @@ - [Piwik](#piwik) - [Feature flags](#feature-flags) - [Exposing ssh port in dockerized gitlab-ce](docs/exposing-ssh-port.md) + - [Gitlab KAS](#Gitlab KAS) - [Available Configuration Parameters](#available-configuration-parameters) - [Maintenance](#maintenance) - [Creating Backups](#creating-backups) 
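Review bot: The new default has one closing brace too many, `GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}}`; the inner `${GITLAB_INSTALL_DIR}` and the outer `${...:-...}` each consume one, so the trailing `}` becomes part of the value and the default path ends in a literal `}`. It should read `GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}`. The default also presumes `GITLAB_INSTALL_DIR` is already set by the time env-defaults is sourced, which is not visible in this hunk and worth confirming, since an empty value would silently point the secret file at `/.gitlab_kas_secret`.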
@@ -914,6 +915,16 @@ Configuring gitlab::feature_flags... ... ```` +#### Gitlab KAS + +Basic Gitlab KAS Settings + +- `GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false}` +- `GITLAB_KAS_SECRET=${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}` +- `GITLAB_KAS_EXTERNAL="wss://kas.example.com"}` +- `GITLAB_KAS_INTERNAL="grpc://localhost:8153"}` +- `GITLAB_KAS_PROXY=` + #### Available Configuration Parameters *Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose. docker-compose users and Docker Swarm mode users can also use the [secrets and config file options](#docker-secrets-and-configs)* From 6de43c7f86769b21e08e15f5b7fe43b92e484558 Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Mon, 11 Jul 2022 09:09:59 +0100 Subject: [PATCH 08/27] Update assets/runtime/env-defaults Co-authored-by: Kazunori Kimura <33391846+kkimurak@users.noreply.github.com> --- assets/runtime/env-defaults | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 1e8de0681..e8ce35134 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -685,7 +685,7 @@ GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-} ## Gitlab KAS GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false} -GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}} +GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret} GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"} GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"} GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} From 7ef8a4c1be771c5f2d5596463896596ab84e58c2 Mon Sep 17 00:00:00 2001 
From: Antt1995 Date: Mon, 11 Jul 2022 09:11:58 +0100 Subject: [PATCH 09/27] Update README.md --- README.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/README.md b/README.md index 1bc382717..a6b6dbea4 100644 --- a/README.md +++ b/README.md @@ -1247,6 +1247,27 @@ Default Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSO Cron notation for the GitLab pipeline schedule worker. Defaults to `'19 * * * *'` ++##### `GITLAB_KAS_ENABLED` ++ ++Enable/Disable GitLab agent server for Kubernetes (KAS). See details on [official documentation](https://docs.gitlab.com/ee/administration/clusters/kas.html). Defaults to `false` ++ ++##### `GITLAB_KAS_SECRET` ++ ++File that contains the secret key for verifying access for GitLab KAS. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_secret` ++ ++##### `GITLAB_KAS_EXTERNAL` ++ ++User-facing URL for the in-cluster agent. Defaults to `"wss://kas.example.com"` ++ ++##### `GITLAB_KAS_INTERNAL` ++ ++Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"` ++ ++##### `GITLAB_KAS_PROXY` ++ ++The URL to the Kubernetes API proxy (used by GitLab users). No default. ++ + ##### `GITLAB_LFS_ENABLED` Enable/Disable Git LFS support. Defaults to `true`. From c908e6c3244507250f0cd5f3f880bb6f6889a43d Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Mon, 11 Jul 2022 09:30:35 +0100 Subject: [PATCH 10/27] Update README.md Removed + --- README.md | 39 +++++++++++++++++++-------------------- 1 file changed, 19 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index a6b6dbea4..0d7ddebbf 100644 --- a/README.md +++ b/README.md 
@@ -1247,26 +1247,25 @@ Default Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSO Cron notation for the GitLab pipeline schedule worker. Defaults to `'19 * * * *'` -+##### `GITLAB_KAS_ENABLED` -+ -+Enable/Disable GitLab agent server for Kubernetes (KAS). See details on [official documentation](https://docs.gitlab.com/ee/administration/clusters/kas.html). Defaults to `false` -+ -+##### `GITLAB_KAS_SECRET` -+ -+File that contains the secret key for verifying access for GitLab KAS. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_secret` -+ -+##### `GITLAB_KAS_EXTERNAL` -+ -+User-facing URL for the in-cluster agent. Defaults to `"wss://kas.example.com"` -+ -+##### `GITLAB_KAS_INTERNAL` -+ -+Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"` -+ -+##### `GITLAB_KAS_PROXY` -+ -+The URL to the Kubernetes API proxy (used by GitLab users). No default. -+ +##### `GITLAB_KAS_ENABLED` + +Enable/Disable GitLab agent server for Kubernetes (KAS). See details on [official documentation](https://docs.gitlab.com/ee/administration/clusters/kas.html). Defaults to `false` + +##### `GITLAB_KAS_SECRET` + +File that contains the secret key for verifying access for GitLab KAS. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_secret` + +##### `GITLAB_KAS_EXTERNAL` + +User-facing URL for the in-cluster agent. Defaults to `"wss://kas.example.com"` + +##### `GITLAB_KAS_INTERNAL` + +Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"` + +##### `GITLAB_KAS_PROXY` + +The URL to the Kubernetes API proxy (used by GitLab users). No default. ##### `GITLAB_LFS_ENABLED` From ebc96da409ee148e581fb4e7dd0278b9dc010d8c Mon Sep 17 00:00:00 2001 From: Antt1995 Date: Thu, 28 Jul 2022 14:08:14 +0100 Subject: [PATCH 11/27] Update README.md Co-authored-by: Kazunori Kimura <33391846+kkimurak@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index 0d7ddebbf..0607088aa 100644 --- a/README.md +++ b/README.md @@ -54,7 +54,7 @@ - [Piwik](#piwik) - [Feature flags](#feature-flags) - [Exposing ssh port in dockerized gitlab-ce](docs/exposing-ssh-port.md) - - [Gitlab KAS](#Gitlab KAS) + - [Gitlab KAS](#Gitlab-KAS) - [Available Configuration Parameters](#available-configuration-parameters) - [Maintenance](#maintenance) - [Creating Backups](#creating-backups) From dab94cab36ad6b0b4b7830a749daf1baaa8eee35 Mon Sep 17 00:00:00 2001 From: Kazunori Kimura Date: Wed, 24 Aug 2022 17:48:04 +0900 Subject: [PATCH 12/27] README.md: revise GitLab KAS section Fix link fragment for gitlab-kas in TOC (markdownlint: MD-051 - must be lowercase) --- README.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 0607088aa..9b5f4ad8d 100644 --- a/README.md +++ b/README.md @@ -54,7 +54,7 @@ - [Piwik](#piwik) - [Feature flags](#feature-flags) - [Exposing ssh port in dockerized gitlab-ce](docs/exposing-ssh-port.md) - - [Gitlab KAS](#Gitlab-KAS) + - [Gitlab KAS](#gitlab-kas) - [Available Configuration Parameters](#available-configuration-parameters) - [Maintenance](#maintenance) - [Creating Backups](#creating-backups) 
@@ -917,13 +917,11 @@ Configuring gitlab::feature_flags... #### Gitlab KAS -Basic Gitlab KAS Settings +GitLab agent server for Kubernetes (KAS) is disabled by default, but you can enable it by setting configuration parameter [`GITLAB_KAS_ENABLED`](#GITLAB_KAS_ENABLED) to true. +By default, built-in `gitlab-kas` is used. But you can use an external installation of KAS by setting internal URL for the GItLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#GITLAB_KAS_INTERNAL). +You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#GITLAB_KAS_EXTERNAL). If you set up proxy URL, use `GITLAB_KAS_PROXY`. -- `GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false}` -- `GITLAB_KAS_SECRET=${GITLAB_INSTALL_DIR}/.gitlab_kas_secret}` -- `GITLAB_KAS_EXTERNAL="wss://kas.example.com"}` -- `GITLAB_KAS_INTERNAL="grpc://localhost:8153"}` -- `GITLAB_KAS_PROXY=` +See official documentation : https://docs.gitlab.com/ee/administration/clusters/kas.html #### Available Configuration Parameters From 8798c22c306b0338eaef13db7956a05577385bb1 Mon Sep 17 00:00:00 2001 From: Kazunori Kimura Date: Wed, 24 Aug 2022 17:48:17 +0900 Subject: [PATCH 13/27] Add KAS config file, minimal parameterization also add process to generate secret files for KAS - GITLAB_KAS_SECRET - GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE - GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE --- README.md | 21 ++++ .../gitlab-agent/gitlab-kas_config.yaml | 101 ++++++++++++++++++ assets/runtime/env-defaults | 3 + assets/runtime/functions | 39 +++++++ 4 files changed, 164 insertions(+) create mode 100644 assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml diff --git a/README.md b/README.md index 9b5f4ad8d..176484c26 100644 --- a/README.md +++ b/README.md 
@@ -921,6 +921,13 @@ GitLab agent server for Kubernetes (KAS) is disabled by default, but you can ena By default, built-in `gitlab-kas` is used. But you can use an external installation of KAS by setting internal URL for the GItLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#GITLAB_KAS_INTERNAL). You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#GITLAB_KAS_EXTERNAL). If you set up proxy URL, use `GITLAB_KAS_PROXY`. +You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#GITLAB_KAS_SECRET), [`GITLAB_KAS_API_AUTHENTICATION_SECRET_FILE`](#GITLAB_KAS_API_AUTHENTICATION_SECRET_FILE) and [`GITLAB_KAS_PRIVATE_API_AUTHENTICATION_SECRET_FILE`](#GITLAB_KAS_PRIVATE_API_AUTHENTICATION_SECRET_FILE). These secret files are automatically generated if they don't exist. + +Built-in KAS communicates to redis. The host and ports are set using `REDIS_HOST` and `REDIS_PORT`. +You can specify the password file path in `GITLAB_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See https://github.com/sameersbn/docker-gitlab/pull/1026 + +Also note that KAS requires that environment variable `OWN_PRIVATE_API_URL` is set (e.g. `OWN_PRIVATE_API_URL=grpc://127.0.0.1:8155`). If not, the KAS service will keep restarting. + See official documentation : https://docs.gitlab.com/ee/administration/clusters/kas.html #### Available Configuration Parameters 
@@ -1265,6 +1272,20 @@ Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"` The URL to the Kubernetes API proxy (used by GitLab users). No default. +##### `GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` + +An authentication secret file to verify JWT token, for KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret` + +##### `GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE` + +An authentication secret file to verify JWT token, for KAS internal API. If not exists, an secret file will be generated on startup. This is not "required", so please leave blank if you don't need it. No default. + +##### `GITLAB_KAS_REDIS_PASSWORD_FILE` + +Path for the file that contains redis password. This is not "required", so please leave blank if you don't need it. No default. + +NOTE: We currently do not support password authentication between gitlab and redis. See https://github.com/sameersbn/docker-gitlab/pull/1026 + ##### `GITLAB_LFS_ENABLED` Enable/Disable Git LFS support. Defaults to `true`. diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml new file mode 100644 index 000000000..b456620b8 --- /dev/null +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml 
@@ -0,0 +1,101 @@ +# Import from gitlab-org/cluster-integration/gitlab-agent/pkg/kascfg/config_example.yaml +# +# This is a sample configuration file for kas. The source of truth is pkg/kascfg/kascfg.proto. It contains documentation +# for all the fields. Configuration values in this file are the defaults (if set) that are used by kas. + +gitlab: + address: http://localhost:8080{{GITLAB_RELATIVE_URL_ROOT}} # required + authentication_secret_file: {{GITLAB_KAS_SECRET}} # required + # ca_certificate_file: /server-ca.pem + api_rate_limit: + refill_rate_per_second: 10.0 + bucket_size: 50 +agent: + listen: + network: tcp + address: 127.0.0.1:8150 + websocket: false + # certificate_file: /server-cert.pem + # key_file: /server-key.pem + connections_per_token_per_minute: 10000 + max_connection_age: "1800s" + configuration: + poll_period: "20s" + max_configuration_file_size: 131072 + gitops: + poll_period: "20s" + project_info_cache_ttl: "300s" + project_info_cache_error_ttl: "60s" + max_manifest_file_size: 5242880 + max_total_manifest_file_size: 20971520 + max_number_of_paths: 100 + max_number_of_files: 1000 + kubernetes_api: + listen: + network: tcp + address: 0.0.0.0:8154 + # certificate_file: /server-cert.pem + # key_file: /server-key.pem + url_path_prefix: / + allowed_agent_cache_ttl: "60s" + allowed_agent_cache_error_ttl: "10s" + info_cache_ttl: "300s" + info_cache_error_ttl: "60s" + redis_conn_info_ttl: "300s" + redis_conn_info_refresh: "240s" + redis_conn_info_gc: "600s" +observability: + usage_reporting_period: "60s" + listen: + network: tcp + address: 127.0.0.1:8151 + prometheus: + url_path: /metrics + tracing: + connection_string: "" + sentry: + dsn: "" + environment: "" + logging: + level: info + grpc_level: error + google_profiler: + enabled: false + # project_id: "" + # credentials_file: /some/file + # debug_logging: false + liveness_probe: + url_path: /liveness + readiness_probe: + url_path: /readiness +gitaly: + global_api_rate_limit: + 
refill_rate_per_second: 30.0 + bucket_size: 70 + per_server_api_rate_limit: + refill_rate_per_second: 15.0 + bucket_size: 40 +private_api: + listen: + address: 127.0.0.1:8155 + authentication_secret_file: {{GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}} + max_connection_age: 1800s +redis: + server: + address: "{{REDIS_HOST}}:{{REDIS_PORT}}" # required + pool_size: 5 + dial_timeout: "5s" + read_timeout: "1s" + write_timeout: "1s" + idle_timeout: "50s" + key_prefix: gitlab-kas + password_file: {{GITLAB_KAS_REDIS_PASSWORD_FILE}} + network: "tcp" +api: + listen: + network: tcp + address: 127.0.0.1:8153 + authentication_secret_file: {{GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required + # certificate_file: /server-cert.pem + # key_file: /server-key.pem + max_connection_age: "1800s" diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index e8ce35134..9ec8f9f4c 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -689,3 +689,6 @@ GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret} GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"} GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"} GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} +GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret} +GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-} +GITLAB_KAS_REDIS_PASSWORD_FILE=${GITLAB_KAS_REDIS_PASSWORD_FILE:-} diff --git a/assets/runtime/functions b/assets/runtime/functions index 903640a6f..88c4212bb 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions 
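Review bot: `kubernetes_api.listen.address: 0.0.0.0:8154` binds the user-facing Kubernetes API proxy on every interface while the `certificate_file`/`key_file` lines for it stay commented out, so if that port is published it carries kubectl credentials in the clear; every other listener in the same file stays on `127.0.0.1`. Either keep it at `address: 127.0.0.1:8154` and front it with the container's nginx (nothing in this patch configures that), or document next to the setting that TLS must be terminated in front of 8154. `redis.server.password_file: {{GITLAB_KAS_REDIS_PASSWORD_FILE}}` and `private_api.authentication_secret_file` render as empty values with the defaults added to env-defaults in this patch; worth confirming kas treats an empty string as "unset" rather than as a path to open.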
@@ -372,6 +372,24 @@ gitlab_configure_gitlab_kas() {
 GITLAB_KAS_EXTERNAL \
 GITLAB_KAS_INTERNAL \
 GITLAB_KAS_PROXY
+
+ update_template ${GITLAB_KAS_CONFIG} \
+ GITLAB_RELATIVE_URL_ROOT \
+ GITLAB_KAS_SECRET \
+ GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \
+ GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \
+ REDIS_HOST \
+ REDIS_PORT \
+ GITLAB_KAS_REDIS_PASSWORD_FILE
+
+ if [[ ! -f ${GITLAB_KAS_REDIS_PASSWORD_FILE} ]]; then
+ exec_as_git touch "${GITLAB_KAS_REDIS_PASSWORD_FILE}"
+ exec_as_git chmod 600 ${GITLAB_KAS_REDIS_PASSWORD_FILE}
+ # TODO: Once this image supports redis password authentication, write the password to a file here
+ fi
+
+ # enable/disable startup of gitlab-kas : set autostart / autorestart entry in supervisor config using GITLAB_KAS_ENABLED
+ update_template /etc/supervisor/conf.d/gitlab-kas.conf GITLAB_KAS_ENABLED
 }
 
 gitlab_configure_gitlab_workhorse() {
@@ -942,6 +960,23 @@ gitlab_configure_secrets() {
 exec_as_git openssl rand -base64 -out "${pages_secret}" 32
 chmod 600 "${pages_secret}"
 fi
+
+ if [[ ! -f "${GITLAB_KAS_SECRET}" ]]; then
+ exec_as_git openssl rand -base64 -out "${GITLAB_KAS_SECRET}" 32
+ chmod 600 ${GITALB_KAS_SECRET}
+ fi
+
+ if [[ ! -f "${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then
+ exec_as_git openssl rand -base64 -out "${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32
+ chmod 600 ${GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}
+ fi
+
+ # KAS secret for private_api is not required so this can be empty string,
+ # but empty string is not match to "is file" condition so we don't care the case
+ if [[ ! -f "${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then
+ exec_as_git openssl rand -base64 -out "${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32
+ chmod 600 ${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}
+ fi
 }
 
 gitlab_configure_sidekiq() {
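Review bot: The redis password-file block fires on the default configuration: `GITLAB_KAS_REDIS_PASSWORD_FILE` defaults to empty in the env-defaults hunk of this same patch, `[[ ! -f "" ]]` is true, and `exec_as_git touch ""` followed by `chmod 600` with no operand then fail on every container start. Guard on the variable being set, `if [[ -n "${GITLAB_KAS_REDIS_PASSWORD_FILE}" && ! -f "${GITLAB_KAS_REDIS_PASSWORD_FILE}" ]]; then`, and quote the `chmod` operand like the `touch` line already does. The start of `gitlab_configure_gitlab_kas` is outside the hunk, so whether the function already returns early when `GITLAB_KAS_ENABLED` is false cannot be seen from here.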
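Review bot: `chmod 600 ${GITALB_KAS_SECRET}` misspells the variable (GITALB), so the chmod runs with no operand and the freshly generated `GITLAB_KAS_SECRET` file keeps whatever mode `openssl rand -out` produced under the container umask — the one secret shared between Rails and kas is the one left unprotected; the line should read `chmod 600 "${GITLAB_KAS_SECRET}"`. The comment above the private-API block has the test backwards: `[[ ! -f "" ]]` is true for an empty path, so with the empty default from env-defaults the branch runs `openssl rand -out "" 32` and fails; use `if [[ -n "${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" && ! -f "${GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then` and rewrite the comment to say the block is skipped when the path is empty. Quoting the other two `chmod` operands would match the `pages_secret` lines directly above.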
@@ -1991,6 +2026,10 @@ install_configuration_templates() { fi install_template ${GITLAB_USER}: gitaly/config.toml ${GITLAB_GITALY_CONFIG} + + if [[ ${GITLAB_KAS_ENABLED} == true ]]; then + install_template ${GITLAB_USER}: gitlab-agent/gitlab-kas_config.yaml ${GITLAB_KAS_CONFIG} 0640 + fi } configure_gitlab() { From 71a555bcc68666e6650285068d82494124664b0f Mon Sep 17 00:00:00 2001 From: Kazunori Kimura Date: Wed, 3 Apr 2024 15:17:01 +0900 Subject: [PATCH 14/27] Tweak kas config order in gitlab.yml sync with upstream --- assets/runtime/config/gitlabhq/gitlab.yml | 32 +++++++++++------------ 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index 45ccc4eef..a5f24ef00 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml @@ -1174,6 +1174,22 @@ production: &base # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app). # secret_file: /home/git/gitlab/.gitlab_workhorse_secret + gitlab_kas: + enabled: {{GITLAB_KAS_ENABLED}} + # File that contains the secret key for verifying access for gitlab-kas. + # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). + secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret + + # The URL to the external KAS API (used by the Kubernetes agents) + external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com + + # The URL to the internal KAS API (used by the GitLab backend) + internal_url: {{GITLAB_KAS_INTERNAL}} # grpc://localhost:8153 + + # The URL to the Kubernetes API proxy (used by GitLab users) + external_k8s_proxy_url: {{GITLAB_KAS_PROXY}} # https://localhost:8154 # default: nil + + ## GitLab Elasticsearch settings elasticsearch: indexer_path: {{GITLAB_HOME}}/gitlab-elasticsearch-indexer/ 
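Review bot: The kas template is installed only when `GITLAB_KAS_ENABLED == true`, but the `gitlab_configure_gitlab_kas` hunk in this same patch calls `update_template ${GITLAB_KAS_CONFIG}` and rewrites the supervisor program unconditionally, so with KAS disabled the sed step targets a file that was never installed. Either install the template unconditionally (the supervisor entry is already gated through `GITLAB_KAS_ENABLED`) or make `gitlab_configure_gitlab_kas` skip its template work under the same condition, e.g. `[[ ${GITLAB_KAS_ENABLED} == true ]] || return 0` at its top. Whether `update_template` tolerates a missing target file is not visible in this series, so this is worth a quick check rather than an assumption.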
@@ -1271,22 +1287,6 @@ production: &base # Ban an IP for one hour (3600s) after too many auth attempts bantime: {{RACK_ATTACK_BANTIME}} - gitlab_kas: - enabled: {{GITLAB_KAS_ENABLED}} - # File that contains the secret key for verifying access for gitlab-kas. - # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). - secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret - - # The URL to the external KAS API (used by the Kubernetes agents) - external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com - - # The URL to the internal KAS API (used by the GitLab backend) - internal_url: {{GITLAB_KAS_INTERNAL}} # grpc://localhost:8153 - - # The URL to the Kubernetes API proxy (used by GitLab users) - external_k8s_proxy_url: {{GITLAB_KAS_PROXY}} # https://localhost:8154 # default: nil - - development: <<: *base From ebae4e28f4c1559398baca7ced7b46e751020531 Mon Sep 17 00:00:00 2001 
From: Kazunori Kimura Date: Wed, 24 Aug 2022 17:48:17 +0900 Subject: [PATCH 15/27] Add built-in KAS - build KAS on build, enable via GITLAB_AGENT_KAS_ENABLED (automatically enabled if GITLAB_KAS_ENABLED=true) - Add built-in KAS config file kas config: import upstream (v15.10.0 - d88f4b89) - minimal parameterization gitlab side: - GITLAB_KAS_ENABLED gitlab_rails['gitlab_kas_enabled'] for omnibus installation - GITLAB_KAS_INTERNAL gitlab_rails['gitlab_kas_internal_url'] for omnibus installation - GITLAB_KAS_EXTERNAL gitlab_rails['gitlab_kas_external_url'] for omnibus installation - GITLAB_KAS_PROXY gitlab_rails['gitlab_kas_external_k8s_proxy_url'] for omnibus installation kas side: - GITLAB_AGENT_KAS_ENABLED gitlab_kas['enabled'] for omnibus installation - GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE gitlab_kas['internal_api_listen_authentication_secret_file'] - GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE used by both: - GITLAB_KAS_SECRET used as a value for - gitlabhq/gitlab.yml : production.gitlab_kas.secret_file - gitlab-agent/gitlab-kas_config.yaml : gitlab.authentication_secret_file Prefix for parameters that only used by gitlab-agent/kas is "GITLAB_AGENT_KAS_" Also add process to generate secret files for KAS Update built-in KAS to 16.10.1, sync config Update built-in gitlab-kas to v17.0.2, sync configuration - Bump to v17.0.0, sync configuration GitOps module have been removed. See upstream change: https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/merge_requests/1436 - Bump: gitlab-kas 17.0.1 no change in configuration file - Bump: gitlab-kas 17.0.2 no change in configuration file Personal note: I am still unable to successfully connect the agent from the WebUI. The problem is that I don't know the correct way to do it in the first place, so I have to check it out. 
Stop gitlab_kas before restoring backup It seems that kas has DB connection and blocks restoration - Bump: gitlab-kas 18.1.0 reference configuration file have been renamed to kascfg_defaults.yaml and does not contain full configurations So I have to search a way to generate full configuration from .proto or docs --- Dockerfile | 2 + README.md | 36 +++++++++----- assets/build/install.sh | 28 +++++++++++ .../gitlab-agent/gitlab-kas_config.yaml | 48 +++++++++---------- assets/runtime/env-defaults | 9 ++-- assets/runtime/functions | 33 +++++++------ 6 files changed, 100 insertions(+), 56 deletions(-) diff --git a/Dockerfile b/Dockerfile index 741b9b968..195a2e1e6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,6 +10,7 @@ ENV GITLAB_VERSION=${VERSION} \ GITLAB_SHELL_VERSION=14.45.5 \ GITLAB_PAGES_VERSION=18.7.0 \ GITALY_SERVER_VERSION=18.7.0 \ + GITLAB_AGENT_VERSION=18.1.0 \ GITLAB_USER="git" \ GITLAB_HOME="/home/git" \ GITLAB_LOG_DIR="/var/log/gitlab" \ @@ -21,6 +22,7 @@ ENV GITLAB_VERSION=${VERSION} \ ENV GITLAB_INSTALL_DIR="${GITLAB_HOME}/gitlab" \ GITLAB_SHELL_INSTALL_DIR="${GITLAB_HOME}/gitlab-shell" \ GITLAB_GITALY_INSTALL_DIR="${GITLAB_HOME}/gitaly" \ + GITLAB_AGENT_INSTALL_DIR="${GITLAB_HOME}/gitlab-agent" \ GITLAB_DATA_DIR="${GITLAB_HOME}/data" \ GITLAB_BUILD_DIR="${GITLAB_CACHE_DIR}/build" \ GITLAB_RUNTIME_DIR="${GITLAB_CACHE_DIR}/runtime" diff --git a/README.md b/README.md index 176484c26..3a6cc03ac 100644 --- a/README.md +++ b/README.md 
@@ -917,18 +917,24 @@ Configuring gitlab::feature_flags... #### Gitlab KAS -GitLab agent server for Kubernetes (KAS) is disabled by default, but you can enable it by setting configuration parameter [`GITLAB_KAS_ENABLED`](#GITLAB_KAS_ENABLED) to true. -By default, built-in `gitlab-kas` is used. But you can use an external installation of KAS by setting internal URL for the GItLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#GITLAB_KAS_INTERNAL). -You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#GITLAB_KAS_EXTERNAL). If you set up proxy URL, use `GITLAB_KAS_PROXY`. +GitLab agent server for Kubernetes (KAS) is disabled by default, but you can enable it by setting configuration parameter [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) to true. +By default, built-in `gitlab-kas` is also enabled once you enable KAS feature. But you can use an external installation of KAS by setting internal URL for the GitLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#gitlab_kas_internal). +You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#gitlab_kas_external). If you set up proxy URL, use `GITLAB_KAS_PROXY`. -You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#GITLAB_KAS_SECRET), [`GITLAB_KAS_API_AUTHENTICATION_SECRET_FILE`](#GITLAB_KAS_API_AUTHENTICATION_SECRET_FILE) and [`GITLAB_KAS_PRIVATE_API_AUTHENTICATION_SECRET_FILE`](#GITLAB_KAS_PRIVATE_API_AUTHENTICATION_SECRET_FILE). These secret files are automatically generated if they don't exist. +You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_secret). This secret file will be generated if they don't exist. + +#### Built-in GitLab-Agent KAS + +To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_KAS_ENABLED`](#gitlab_agent_kas_enabled). 
+ +You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist. Built-in KAS communicates to redis. The host and ports are set using `REDIS_HOST` and `REDIS_PORT`. -You can specify the password file path in `GITLAB_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See https://github.com/sameersbn/docker-gitlab/pull/1026 +You can specify the password file path in `GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See [sameersbn/gitlab#1026](https://github.com/sameersbn/docker-gitlab/pull/1026) Also note that KAS requires that environment variable `OWN_PRIVATE_API_URL` is set (e.g. `OWN_PRIVATE_API_URL=grpc://127.0.0.1:8155`). If not, the KAS service will keep restarting. -See official documentation : https://docs.gitlab.com/ee/administration/clusters/kas.html +See [official documentation](https://docs.gitlab.com/ee/administration/clusters/kas.html) for more detail. #### Available Configuration Parameters 
@@ -1272,19 +1278,23 @@ Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"` The URL to the Kubernetes API proxy (used by GitLab users). No default. -##### `GITLAB_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` +##### `GITLAB_AGENT_KAS_ENABLED` + +Control startup behavior of built-in KAS. `autostart` value in supervisor configuration for KAS will be set to this value. Default to [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) + +##### `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` -An authentication secret file to verify JWT token, for KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret` +An authentication secret file to verify JWT token, for built-in KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret` -##### `GITLAB_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE` +##### `GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE` -An authentication secret file to verify JWT token, for KAS internal API. If not exists, an secret file will be generated on startup. This is not "required", so please leave blank if you don't need it. No default. +An authentication secret file to verify JWT token, for built-in KAS internal API. If not exists, an secret file will be generated on startup. This is not "required", so please leave blank if you don't need it. No default. -##### `GITLAB_KAS_REDIS_PASSWORD_FILE` +##### `GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE` -Path for the file that contains redis password. This is not "required", so please leave blank if you don't need it. No default. +Path for the file that contains redis password to be used by built-in KAS. This is not "required", so please leave blank if you don't need it. No default. -NOTE: We currently do not support password authentication between gitlab and redis. 
See https://github.com/sameersbn/docker-gitlab/pull/1026 +NOTE: We currently do not support password authentication between gitlab and redis. See [sameersbn/gitlab#1026](https://github.com/sameersbn/docker-gitlab/pull/1026) ##### `GITLAB_LFS_ENABLED` diff --git a/assets/build/install.sh b/assets/build/install.sh index 817fd61cf..6b07cec7e 100755 --- a/assets/build/install.sh +++ b/assets/build/install.sh @@ -5,10 +5,12 @@ GITLAB_CLONE_URL=https://gitlab.com/gitlab-org/gitlab-foss.git GITLAB_SHELL_URL=https://gitlab.com/gitlab-org/gitlab-shell/-/archive/v${GITLAB_SHELL_VERSION}/gitlab-shell-v${GITLAB_SHELL_VERSION}.tar.bz2 GITLAB_PAGES_URL=https://gitlab.com/gitlab-org/gitlab-pages.git GITLAB_GITALY_URL=https://gitlab.com/gitlab-org/gitaly.git +GITLAB_AGENT_URL=https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent.git GITLAB_WORKHORSE_BUILD_DIR=${GITLAB_INSTALL_DIR}/workhorse GITLAB_PAGES_BUILD_DIR=/tmp/gitlab-pages GITLAB_GITALY_BUILD_DIR=/tmp/gitaly +GITLAB_AGENT_BUILD_DIR=/tmp/gitlab-agent RUBY_SRC_URL=https://cache.ruby-lang.org/pub/ruby/${RUBY_VERSION%.*}/ruby-${RUBY_VERSION}.tar.gz @@ -171,6 +173,18 @@ make -C ${GITLAB_GITALY_BUILD_DIR} git GIT_PREFIX=/usr/local # clean up rm -rf ${GITLAB_GITALY_BUILD_DIR} +# download gitlab-agent (KAS) +echo "Downloading gitlab-agent v.${GITLAB_AGENT_VERSION}..." +git clone -q -b v${GITLAB_AGENT_VERSION} --depth 1 ${GITLAB_AGENT_URL} ${GITLAB_AGENT_BUILD_DIR} + +# install gitlab-agent (KAS) +mkdir -p "${GITLAB_AGENT_INSTALL_DIR}" +make -C ${GITLAB_AGENT_BUILD_DIR} kas TARGET_DIRECTORY=/usr/local/bin +chown -R ${GITLAB_USER}: ${GITLAB_AGENT_INSTALL_DIR} + +# clean up +rm -rf ${GITLAB_AGENT_BUILD_DIR} + # remove go go clean --modcache rm -rf ${GITLAB_BUILD_DIR}/go${GOLANG_VERSION}.linux-amd64.tar.gz ${GOROOT} 
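Review bot: `mkdir -p "${GITLAB_AGENT_INSTALL_DIR}"` and the following `chown -R` create a directory that nothing is installed into — `make ... kas TARGET_DIRECTORY=/usr/local/bin` places the binary in `/usr/local/bin` — so either drop the two lines or set `TARGET_DIRECTORY=${GITLAB_AGENT_INSTALL_DIR}` and reference that path from the supervisor program. The clone trusts a mutable tag (`-b v${GITLAB_AGENT_VERSION}`) with no commit pin or tag-signature check; that matches how gitaly and pages are fetched above, but a comment recording the expected release commit would make a later supply-chain review possible. Quoting `${GITLAB_AGENT_BUILD_DIR}` in the `git clone`, `make -C` and `rm -rf` lines would also keep ShellCheck quiet on the new lines.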
@@ -411,6 +425,20 @@ stdout_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log stderr_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log EOF +# configure superisord to start gitlab-agent (KAS) +cat > /etc/supervisor/conf.d/gitlab-kas.conf < /etc/supervisor/conf.d/mail_room.conf < Date: Mon, 24 Apr 2023 08:35:25 +0900 Subject: [PATCH 16/27] kas: tweak defaults for gitlab.authentication_secret_file default to api.listen.authentication_secret_file, as omnibus-gitlab do --- README.md | 7 ++++++- assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml | 2 +- assets/runtime/env-defaults | 1 + 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3a6cc03ac..e9ab8edeb 100644 --- a/README.md +++ b/README.md 
@@ -927,7 +927,8 @@ You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_ To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_KAS_ENABLED`](#gitlab_agent_kas_enabled). -You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist. +You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist. +Authentication secret file will be set to same value of `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` but you can overwrite it by setting [`GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_gitlab_authentication_secret_file). Built-in KAS communicates to redis. The host and ports are set using `REDIS_HOST` and `REDIS_PORT`. You can specify the password file path in `GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See [sameersbn/gitlab#1026](https://github.com/sameersbn/docker-gitlab/pull/1026) 
@@ -1282,6 +1283,10 @@ The URL to the Kubernetes API proxy (used by GitLab users). No default. Control startup behavior of built-in KAS. `autostart` value in supervisor configuration for KAS will be set to this value. Default to [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) +##### `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE` + +An authentication secret file used to connect to gitlab from KAS. Defaults to `${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}`. + ##### `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` An authentication secret file to verify JWT token, for built-in KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret` diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml index 8f38b8a06..48c436b7b 100644 --- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml @@ -5,7 +5,7 @@ gitlab: address: http://localhost:8080{{GITLAB_RELATIVE_URL_ROOT}} # required - authentication_secret_file: {{GITLAB_KAS_SECRET}} # required + authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required # ca_certificate_file: /server-ca.pem api_rate_limit: bucket_size: 250 diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 57f6a0a0e..098e35bd9 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults 
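Review bot: With this default, kas authenticates to GitLab using `.gitlab_kas_api_secret`, while the Rails side (`gitlab_kas.secret_file` in gitlab.yml, still rendered from `GITLAB_KAS_SECRET` at this point in the series) reads `.gitlab_kas_secret`; both files are generated independently by `gitlab_configure_secrets`, so the JWTs kas presents to the GitLab API cannot verify until the two settings name one file. Either default `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE` to `${GITLAB_KAS_SECRET}` or change gitlab.yml in the same commit so the pair stays consistent. Whatever file is chosen, the invariant to document next to this line is that Rails' `secret_file` and kas' `gitlab.authentication_secret_file` must resolve to the same path.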
@@ -695,3 +695,4 @@ GITLAB_AGENT_KAS_ENABLED=${GITLAB_AGENT_KAS_ENABLED:-${GITLAB_KAS_ENABLED}} GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret} GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_private_api_secret} GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-} +GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE:-${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} From f5089a74a129196ad2a48d92be700441e874239d Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Tue, 21 Oct 2025 07:52:26 +0000 Subject: [PATCH 17/27] upgrade to 18.5.1 squash following commit: - update to 18.5.0 - upgrade to 18.5.1 --- Dockerfile | 2 +- .../gitlab-agent/gitlab-kas_config.yaml | 148 +++++++++--------- 2 files changed, 73 insertions(+), 77 deletions(-) diff --git a/Dockerfile b/Dockerfile index 195a2e1e6..bd8e6776b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,7 @@ ENV GITLAB_VERSION=${VERSION} \ GITLAB_SHELL_VERSION=14.45.5 \ GITLAB_PAGES_VERSION=18.7.0 \ GITALY_SERVER_VERSION=18.7.0 \ - GITLAB_AGENT_VERSION=18.1.0 \ + GITLAB_AGENT_VERSION=18.5.1 \ GITLAB_USER="git" \ GITLAB_HOME="/home/git" \ GITLAB_LOG_DIR="/var/log/gitlab" \ diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml index 48c436b7b..6683a62f2 100644 --- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml 
@@ -1,99 +1,95 @@ -# Import from gitlab-org/cluster-integration/gitlab-agent/pkg/kascfg/config_example.yaml -# -# This is a sample configuration file for kas. The source of truth is pkg/kascfg/kascfg.proto. It contains documentation -# for all the fields. Configuration values in this file are the defaults (if set) that are used by kas. +# This is a configuration file for kas that contains the default values for the settings. +# It DOES NOT contain all the possible configuration knobs. +# The source of truth is kascfg.proto. +# It contains all the fields and documentation them. +# If you are looking for a setting, start from the ConfigurationFile message in: +# - the proto file kascfg.proto. +# - the generated documentation in kascfg_proto_docs.md. +# Correctness of this file is enforced by a unit test in kascfg_defaults_test.go. -gitlab: - address: http://localhost:8080{{GITLAB_RELATIVE_URL_ROOT}} # required - authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required - # ca_certificate_file: /server-ca.pem - api_rate_limit: - bucket_size: 250 - refill_rate_per_second: 50 agent: - listen: - network: tcp - address: 127.0.0.1:8150 - websocket: false - # certificate_file: /server-cert.pem - # key_file: /server-key.pem - connections_per_token_per_minute: 40000 - max_connection_age: "7200s" - listen_grace_period: "5s" configuration: - poll_period: "300s" max_configuration_file_size: 131072 + poll_period: 300s + info_cache_error_ttl: 60s + info_cache_ttl: 300s kubernetes_api: + allowed_agent_cache_error_ttl: 10s + allowed_agent_cache_ttl: 60s listen: + address: 127.0.0.1:8154 + listen_grace_period: 5s network: tcp - address: 0.0.0.0:8154 - # certificate_file: /server-cert.pem - # key_file: /server-key.pem - listen_grace_period: "5s" - shutdown_grace_period: "3600s" - url_path_prefix: / - allowed_agent_cache_ttl: "60s" - allowed_agent_cache_error_ttl: "10s" - info_cache_ttl: "300s" - info_cache_error_ttl: "60s" - redis_conn_info_ttl: 
"300s" - redis_conn_info_refresh: "240s" - redis_conn_info_gc: "600s" -observability: - usage_reporting_period: "10s" + shutdown_grace_period: 3600s + url_path_prefix: /{{GITLAB_RELATIVE_URL_ROOT}} + websocket_token_secret_file: {{GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}} listen: + address: 127.0.0.1:8150 + connections_per_token_per_minute: 40000 + listen_grace_period: 5s + max_connection_age: 7200s network: tcp - address: 127.0.0.1:8151 - prometheus: - url_path: /metrics - # tracing: - # otlp_endpoint: "https://localhost:4317/traces/foo/bar" - # otlp_token_secret_file: "/some/path" - # otlp_ca_certificate_file: "/some/path/ca.crt" - sentry: - dsn: "" - environment: "" - logging: - level: info - grpc_level: error - google_profiler: - enabled: false - # project_id: "" - # credentials_file: /some/file - # debug_logging: false - liveness_probe: - url_path: /liveness - readiness_probe: - url_path: /readiness - event_reporting_period: "10s" + websocket: true + receptive_agent: + poll_period: 60s + redis_conn_info_gc: 600s + redis_conn_info_refresh: 240s + redis_conn_info_ttl: 300s +api: + listen: + address: 127.0.0.1:8153 + listen_grace_period: 5s + max_connection_age: 7200s + network: tcp + authentication_secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required gitaly: global_api_rate_limit: - refill_rate_per_second: 30.0 bucket_size: 70 + refill_rate_per_second: 30 per_server_api_rate_limit: - refill_rate_per_second: 15.0 bucket_size: 40 + refill_rate_per_second: 15 +gitlab: + address: http://127.0.0.1:8080{{GITLAB_RELATIVE_URL_ROOT}} + authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required + api_rate_limit: + bucket_size: 250 + refill_rate_per_second: 50 +observability: + event_reporting_period: 300s + google_profiler: {} + listen: + address: 127.0.0.1:8151 + network: tcp + liveness_probe: + url_path: /liveness + logging: + level: debug + grpc_level: debug + prometheus: + url_path: /metrics + 
readiness_probe: + url_path: /readiness + sentry: {} + usage_reporting_period: 10s private_api: listen: + address: 0.0.0.0:8155 + listen_grace_period: 5s + max_connection_age: 7200s network: tcp - address: 127.0.0.1:8155 authentication_secret_file: {{GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}} - max_connection_age: 7200s - listen_grace_period: "5s" redis: + dial_timeout: 5s + key_prefix: gitlab-kas + network: tcp + write_timeout: 3s server: address: "{{REDIS_HOST}}:{{REDIS_PORT}}" # required - dial_timeout: "5s" - write_timeout: "3s" - key_prefix: gitlab-kas - password_file: {{GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}} - network: "tcp" -api: +workspaces: listen: + address: 127.0.0.1:8160 + listen_grace_period: 5s network: tcp - address: 127.0.0.1:8153 - authentication_secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required - # certificate_file: /server-cert.pem - # key_file: /server-key.pem - max_connection_age: "7200s" - listen_grace_period: "5s" + shutdown_grace_period: 3600s + From 9dad8d984235472e781abeb0c948076e23c01a12 Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Tue, 21 Oct 2025 07:56:05 +0000 Subject: [PATCH 18/27] change name of secret add WEBTOKEN secret; remove GITLAB_KAS_SECRET Replace GITLAB_KAS_SECRET by GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE --- assets/runtime/config/gitlabhq/gitlab.yml | 4 ++-- assets/runtime/env-defaults | 4 ++-- assets/runtime/functions | 16 ++++++++-------- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index a5f24ef00..1cbd9e0ef 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml 
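Review bot: `observability.logging.level` and `grpc_level` change from `info`/`error` to `debug` in a file that ships in the production image; debug gRPC logging is verbose and may place request metadata in the supervisor logs, so keep `level: info` and `grpc_level: error` and let operators raise it deliberately. `private_api.listen.address` moves from `127.0.0.1:8155` to `0.0.0.0:8155`; the private API only serves kas-to-kas traffic and the README in this series tells users to set `OWN_PRIVATE_API_URL=grpc://127.0.0.1:8155`, so binding on all interfaces only widens exposure — restore `address: 127.0.0.1:8155`. The new `websocket_token_secret_file: {{GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}}` placeholder has no env-defaults entry and is not in the `update_template` list in this patch, so it is left unrendered until the follow-up that adds the variable. The copied header comment about `kascfg_defaults_test.go` enforcing correctness does not hold for this templated copy and should be replaced with a note that the file is rendered by `update_template`.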
@@ -1178,7 +1178,7 @@ production: &base enabled: {{GITLAB_KAS_ENABLED}} # File that contains the secret key for verifying access for gitlab-kas. # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). - secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret + secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # /home/git/gitlab/.gitlab_kas_secret # The URL to the external KAS API (used by the Kubernetes agents) external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com @@ -1374,7 +1374,7 @@ test: region: us-east-1 gitlab: - host: localhost + host: 127.0.0.1 port: 80 content_security_policy: diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 098e35bd9..a372c0525 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults 
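Review bot: The trailing comment on the new `secret_file:` line still reads `# /home/git/gitlab/.gitlab_kas_secret`, but the placeholder now resolves, per the env-defaults hunk in this same commit, to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret`; the two comment lines above it ("Default is '.gitlab_kas_secret' relative to Rails.root") are upstream's and are equally stale for this image. Suggest `secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # see GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE in env-defaults` so the comment stays correct whatever the variable resolves to. The same stale comment survives PATCH 26/27, which swaps the placeholder back to `{{GITLAB_KAS_SECRET}}`.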
@@ -685,14 +685,14 @@ GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-} ## Gitlab KAS GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false} -GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_INSTALL_DIR}/.gitlab_kas_secret} GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"} -GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://localhost:8153"} +GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://127.0.0.1:8153"} GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} ## gitlab-agent KAS (built-in one) GITLAB_AGENT_KAS_ENABLED=${GITLAB_AGENT_KAS_ENABLED:-${GITLAB_KAS_ENABLED}} GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret} GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_private_api_secret} +GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE=${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_websocket_token_secret} GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-} GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE:-${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} diff --git a/assets/runtime/functions b/assets/runtime/functions index 4a091d08d..c91b657a4 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions 
@@ -369,17 +369,17 @@ gitlab_configure_gitlab_kas() { update_template ${GITLAB_CONFIG} \ GITLAB_KAS_ENABLED \ - GITLAB_KAS_SECRET \ GITLAB_KAS_EXTERNAL \ GITLAB_KAS_INTERNAL \ + GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ GITLAB_KAS_PROXY printf "Configuring gitlab-agent::KAS (enabled: %s)\n" "${GITLAB_AGENT_BUILTIN_KAS_ENABLED}" update_template ${GITLAB_KAS_CONFIG} \ GITLAB_RELATIVE_URL_ROOT \ - GITLAB_KAS_SECRET \ GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE \ REDIS_HOST \ REDIS_PORT \ GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE @@ -963,12 +963,7 @@ gitlab_configure_secrets() { chmod 600 "${pages_secret}" fi - if [[ ! -f "${GITLAB_KAS_SECRET}" ]]; then - exec_as_git openssl rand -base64 -out "${GITLAB_KAS_SECRET}" 32 - chmod 600 ${GITALB_KAS_SECRET} - fi - - if [[ ! -f "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then + if [[ ! -f "${GITLAB_AGENT_kas_aPI_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32 chmod 600 ${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE} fi @@ -979,6 +974,11 @@ gitlab_configure_secrets() { exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32 chmod 600 ${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE} fi + + if [[ ! -f "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}" ]]; then + exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}" 72 + chmod 600 ${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE} + fi } gitlab_configure_sidekiq() { From 0e581bab19d3c50a5f3e3880df846b193b5cf292 Mon Sep 17 00:00:00 2001 
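Review bot: The new `-f` test in gitlab_configure_secrets reads `GITLAB_AGENT_kas_aPI_LISTEN_AUTHENTICATION_SECRET_FILE`, a differently-cased name from the one written by the `openssl rand` line directly below it, so the check sees an empty path (or aborts, if the file runs under `set -u`) and the API listener secret is regenerated on every container start; PATCH 21/27 later corrects the spelling, but it should not have shipped here. In the added websocket-token block, `chmod 600 ${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}` leaves the path unquoted, unlike the quoted `-out` argument on the line above; `chmod 600 "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}"`. Between the `openssl rand -out` and the `chmod`, the secret presumably exists with umask-default permissions; if exec_as_git allows it, creating the file under `umask 077` would close that window. gitlab_configure_secrets begins before and ends after these hunks.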
From: Thomas Hiller Date: Wed, 22 Oct 2025 08:14:37 +0000 Subject: [PATCH 19/27] configure NGINX for GITLAB_BUILTIN_KAS Add kas location to assets/runtime/config/nginx/gitlab(-ssl) config KAS location is affected by GITLAB_RELATIVE_URL_ROOT so add update process to assets/runtime/functions --- assets/runtime/config/nginx/gitlab | 48 ++++++++++++++++++++++++++ assets/runtime/config/nginx/gitlab-ssl | 48 ++++++++++++++++++++++++++ assets/runtime/functions | 7 ++++ 3 files changed, 103 insertions(+) diff --git a/assets/runtime/config/nginx/gitlab b/assets/runtime/config/nginx/gitlab index 185ee0451..680e9ea71 100644 --- a/assets/runtime/config/nginx/gitlab +++ b/assets/runtime/config/nginx/gitlab 
@@ -84,6 +84,54 @@ server { proxy_pass http://gitlab-workhorse; } + #start-builtin-kas + location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/ { + client_max_body_size 0; + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + proxy_buffering {{NGINX_PROXY_BUFFERING}}; + + proxy_http_version 1.1; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade_gitlab; + + proxy_pass http://127.0.0.1:8150; + } + + location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/k8s-proxy/ { + client_max_body_size 0; + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + proxy_buffering {{NGINX_PROXY_BUFFERING}}; + + proxy_http_version 1.1; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade_gitlab; + + proxy_pass http://127.0.0.1:8154; + } + #end-builtin-kas + error_page 404 /404.html; error_page 422 /422.html; error_page 500 /500.html; diff --git a/assets/runtime/config/nginx/gitlab-ssl b/assets/runtime/config/nginx/gitlab-ssl index b52b86a67..33ce94bac 100644 --- a/assets/runtime/config/nginx/gitlab-ssl +++ b/assets/runtime/config/nginx/gitlab-ssl 
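Review bot: The two added location blocks are duplicated byte-for-byte in assets/runtime/config/nginx/gitlab-ssl (next hunk), and the upstream ports 8150 and 8154 are hard-coded here while the matching `listen.address` values live in gitlab-kas_config.yaml; a comment on each `proxy_pass`, `## must match agent.listen.address / agent.kubernetes_api.listen.address in gitlab-kas_config.yaml`, would make the coupling visible, or both files could share an include. The agent endpoint is a long-lived websocket (`Upgrade` and `Connection` are forwarded) yet inherits `proxy_read_timeout 300` from the workhorse block; if the tunnel can sit idle for more than 300 seconds between frames nginx will close it, so confirm kas's keepalive interval or raise the timeout for this location. The enclosing `server {` block begins before and ends after the hunk.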
@@ -131,6 +131,54 @@ server { proxy_pass http://gitlab-workhorse; } + #start-builtin-kas + location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/ { + client_max_body_size 0; + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + proxy_buffering {{NGINX_PROXY_BUFFERING}}; + + proxy_http_version 1.1; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade_gitlab; + + proxy_pass http://127.0.0.1:8150; + } + + location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/k8s-proxy/ { + client_max_body_size 0; + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + proxy_buffering {{NGINX_PROXY_BUFFERING}}; + + proxy_http_version 1.1; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade_gitlab; + + proxy_pass http://127.0.0.1:8154; + } + #end-builtin-kas + error_page 404 /404.html; error_page 422 /422.html; error_page 500 /500.html; diff --git a/assets/runtime/functions b/assets/runtime/functions index c91b657a4..9b187bf50 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions 
@@ -1600,12 +1600,19 @@ nginx_configure_gitlab_real_ip() { nginx_configure_gitlab() { echo "Configuring nginx::gitlab..." + if [[ ! ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]; then + sed -i "/#start-builtin-kas/,/#end-builtin-kas/d" ${GITLAB_NGINX_CONFIG} + else + sed -i "/#start-builtin-kas/d" ${GITLAB_NGINX_CONFIG} + sed -i "/#end-builtin-kas/d" ${GITLAB_NGINX_CONFIG} + fi update_template ${GITLAB_NGINX_CONFIG} \ GITLAB_HOME \ GITLAB_INSTALL_DIR \ GITLAB_LOG_DIR \ GITLAB_HOST \ GITLAB_PORT \ + GITLAB_RELATIVE_URL_ROOT \ NGINX_PROXY_BUFFERING \ NGINX_ACCEL_BUFFERING \ NGINX_X_FORWARDED_PROTO \ From 702b59692dbf5e6e0e58a12d6d92fa1b863d0be5 Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Fri, 24 Oct 2025 07:22:02 +0000 Subject: [PATCH 20/27] tweak agent.kubernetes_api.url_path_prefix in gitlab-kas_config.yaml complete 18.5.0 upgrade --- .../gitlab-agent/gitlab-kas_config.yaml | 190 +++++++++--------- 1 file changed, 95 insertions(+), 95 deletions(-) diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml index 6683a62f2..315dfb2c5 100644 --- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml 
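Review bot: The new guard `if [[ ! ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]` treats any value other than exactly `true` as disabled, which is the safe direction, but at this point in the series env-defaults declares no default for the variable (PATCH 21/27 adds one); `${GITLAB_AGENT_BUILTIN_KAS_ENABLED:-false}` would make the intent explicit without depending on that later commit. The two `sed -i` calls in the else branch can be a single invocation, `sed -i -e "/#start-builtin-kas/d" -e "/#end-builtin-kas/d" "${GITLAB_NGINX_CONFIG}"`, and quoting the path matches the quoted `-f` tests elsewhere in this file. nginx_configure_gitlab continues past the hunk.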
@@ -1,95 +1,95 @@ -# This is a configuration file for kas that contains the default values for the settings. -# It DOES NOT contain all the possible configuration knobs. -# The source of truth is kascfg.proto. -# It contains all the fields and documentation them. -# If you are looking for a setting, start from the ConfigurationFile message in: -# - the proto file kascfg.proto. -# - the generated documentation in kascfg_proto_docs.md. -# Correctness of this file is enforced by a unit test in kascfg_defaults_test.go. - -agent: - configuration: - max_configuration_file_size: 131072 - poll_period: 300s - info_cache_error_ttl: 60s - info_cache_ttl: 300s - kubernetes_api: - allowed_agent_cache_error_ttl: 10s - allowed_agent_cache_ttl: 60s - listen: - address: 127.0.0.1:8154 - listen_grace_period: 5s - network: tcp - shutdown_grace_period: 3600s - url_path_prefix: /{{GITLAB_RELATIVE_URL_ROOT}} - websocket_token_secret_file: {{GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}} - listen: - address: 127.0.0.1:8150 - connections_per_token_per_minute: 40000 - listen_grace_period: 5s - max_connection_age: 7200s - network: tcp - websocket: true - receptive_agent: - poll_period: 60s - redis_conn_info_gc: 600s - redis_conn_info_refresh: 240s - redis_conn_info_ttl: 300s -api: - listen: - address: 127.0.0.1:8153 - listen_grace_period: 5s - max_connection_age: 7200s - network: tcp - authentication_secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required -gitaly: - global_api_rate_limit: - bucket_size: 70 - refill_rate_per_second: 30 - per_server_api_rate_limit: - bucket_size: 40 - refill_rate_per_second: 15 -gitlab: - address: http://127.0.0.1:8080{{GITLAB_RELATIVE_URL_ROOT}} - authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required - api_rate_limit: - bucket_size: 250 - refill_rate_per_second: 50 -observability: - event_reporting_period: 300s - google_profiler: {} - listen: - address: 127.0.0.1:8151 - network: tcp - 
liveness_probe: - url_path: /liveness - logging: - level: debug - grpc_level: debug - prometheus: - url_path: /metrics - readiness_probe: - url_path: /readiness - sentry: {} - usage_reporting_period: 10s -private_api: - listen: - address: 0.0.0.0:8155 - listen_grace_period: 5s - max_connection_age: 7200s - network: tcp - authentication_secret_file: {{GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}} -redis: - dial_timeout: 5s - key_prefix: gitlab-kas - network: tcp - write_timeout: 3s - server: - address: "{{REDIS_HOST}}:{{REDIS_PORT}}" # required -workspaces: - listen: - address: 127.0.0.1:8160 - listen_grace_period: 5s - network: tcp - shutdown_grace_period: 3600s - +# This is a configuration file for kas that contains the default values for the settings. +# It DOES NOT contain all the possible configuration knobs. +# The source of truth is kascfg.proto. +# It contains all the fields and documentation them. +# If you are looking for a setting, start from the ConfigurationFile message in: +# - the proto file kascfg.proto. +# - the generated documentation in kascfg_proto_docs.md. +# Correctness of this file is enforced by a unit test in kascfg_defaults_test.go. 
+ +agent: + configuration: + max_configuration_file_size: 131072 + poll_period: 300s + info_cache_error_ttl: 60s + info_cache_ttl: 300s + kubernetes_api: + allowed_agent_cache_error_ttl: 10s + allowed_agent_cache_ttl: 60s + listen: + address: 127.0.0.1:8154 + listen_grace_period: 5s + network: tcp + shutdown_grace_period: 3600s + url_path_prefix: {{GITLAB_RELATIVE_URL_ROOT}}/ + websocket_token_secret_file: {{GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}} + listen: + address: 127.0.0.1:8150 + connections_per_token_per_minute: 40000 + listen_grace_period: 5s + max_connection_age: 7200s + network: tcp + websocket: true + receptive_agent: + poll_period: 60s + redis_conn_info_gc: 600s + redis_conn_info_refresh: 240s + redis_conn_info_ttl: 300s +api: + listen: + address: 127.0.0.1:8153 + listen_grace_period: 5s + max_connection_age: 7200s + network: tcp + authentication_secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required +gitaly: + global_api_rate_limit: + bucket_size: 70 + refill_rate_per_second: 30 + per_server_api_rate_limit: + bucket_size: 40 + refill_rate_per_second: 15 +gitlab: + address: http://127.0.0.1:8080{{GITLAB_RELATIVE_URL_ROOT}} + authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required + api_rate_limit: + bucket_size: 250 + refill_rate_per_second: 50 +observability: + event_reporting_period: 300s + google_profiler: {} + listen: + address: 127.0.0.1:8151 + network: tcp + liveness_probe: + url_path: /liveness + logging: + level: debug + grpc_level: debug + prometheus: + url_path: /metrics + readiness_probe: + url_path: /readiness + sentry: {} + usage_reporting_period: 10s +private_api: + listen: + address: 0.0.0.0:8155 + listen_grace_period: 5s + max_connection_age: 7200s + network: tcp + authentication_secret_file: {{GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}} +redis: + dial_timeout: 5s + key_prefix: gitlab-kas + network: tcp + write_timeout: 3s + server: + address: 
"{{REDIS_HOST}}:{{REDIS_PORT}}" # required +workspaces: + listen: + address: 127.0.0.1:8160 + listen_grace_period: 5s + network: tcp + shutdown_grace_period: 3600s + From 7c4fbf9fc84aa6157b7d837c38b70ce24bd7f69b Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Fri, 24 Oct 2025 07:46:21 +0000 Subject: [PATCH 21/27] fix GITLAB_AGENT_BUILTIN_KAS_ENABLED == false --- assets/runtime/env-defaults | 1 + assets/runtime/functions | 22 ++++++++++++---------- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index a372c0525..9a76bc946 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -696,3 +696,4 @@ GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KA GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE=${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_websocket_token_secret} GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-} GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE:-${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} +GITLAB_AGENT_BUILTIN_KAS_ENABLED=${GITLAB_AGENT_BUILTIN_KAS_ENABLED:-false} diff --git a/assets/runtime/functions b/assets/runtime/functions index 9b187bf50..d56bb280c 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions 
@@ -375,15 +375,17 @@ gitlab_configure_gitlab_kas() { GITLAB_KAS_PROXY printf "Configuring gitlab-agent::KAS (enabled: %s)\n" "${GITLAB_AGENT_BUILTIN_KAS_ENABLED}" - update_template ${GITLAB_KAS_CONFIG} \ - GITLAB_RELATIVE_URL_ROOT \ - GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ - GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \ - GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE \ - REDIS_HOST \ - REDIS_PORT \ - GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE - + if [[ ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]; then + update_template ${GITLAB_KAS_CONFIG} \ + GITLAB_RELATIVE_URL_ROOT \ + GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE \ + REDIS_HOST \ + REDIS_PORT \ + GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE + fi + if [[ -n ${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE} ]]; then exec_as_git touch "${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}" exec_as_git chmod 600 "${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}" @@ -963,7 +965,7 @@ gitlab_configure_secrets() { chmod 600 "${pages_secret}" fi - if [[ ! -f "${GITLAB_AGENT_kas_aPI_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then + if [[ ! -f "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32 chmod 600 ${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE} fi From cc4582a2f3bf2d1d8b107e72a03e4bdf965ab97d Mon Sep 17 00:00:00 2001 From: KIMURA Kazunori Date: Fri, 24 Oct 2025 18:50:34 +0900 Subject: [PATCH 22/27] Fix parameter name to enable builtin-kas Merge GITLAB_AGENT_BUILTIN_KAS_ENABLED and GITLAB_AGENT_KAS_ENABLED --- README.md | 4 ++-- assets/runtime/env-defaults | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e9ab8edeb..11bd25958 100644 --- a/README.md +++ b/README.md 
@@ -925,7 +925,7 @@ You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_ #### Built-in GitLab-Agent KAS -To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_KAS_ENABLED`](#gitlab_agent_kas_enabled). +To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_BUILTIN_KAS_ENABLED`](#gitlab_agent_builtin_kas_enabled). You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist. Authentication secret file will be set to same value of `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` but you can overwrite it by setting [`GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_gitlab_authentication_secret_file). @@ -1279,7 +1279,7 @@ Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"` The URL to the Kubernetes API proxy (used by GitLab users). No default. -##### `GITLAB_AGENT_KAS_ENABLED` +##### `GITLAB_AGENT_BUILTIN_KAS_ENABLED` Control startup behavior of built-in KAS. `autostart` value in supervisor configuration for KAS will be set to this value. Default to [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 9a76bc946..8be96c171 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults 
@@ -690,7 +690,6 @@ GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://127.0.0.1:8153"} GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-} ## gitlab-agent KAS (built-in one) -GITLAB_AGENT_KAS_ENABLED=${GITLAB_AGENT_KAS_ENABLED:-${GITLAB_KAS_ENABLED}} GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret} GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_private_api_secret} GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE=${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_websocket_token_secret} From 68435508e5d4d29ed621953701a6adeb126f9a21 Mon Sep 17 00:00:00 2001 From: Thomas Hiller Date: Fri, 24 Oct 2025 14:17:44 +0000 Subject: [PATCH 23/27] fix kubernetes access --- assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml index 315dfb2c5..a65dce7d2 100644 --- a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml +++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml @@ -21,7 +21,7 @@ agent: listen_grace_period: 5s network: tcp shutdown_grace_period: 3600s - url_path_prefix: {{GITLAB_RELATIVE_URL_ROOT}}/ + url_path_prefix: {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/k8s-proxy/ websocket_token_secret_file: {{GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}} listen: address: 127.0.0.1:8150 From eee2ddea70aed26c82410b5dee89e90456c96740 Mon Sep 17 00:00:00 2001 From: KIMURA Kazunori Date: Tue, 6 Jan 2026 15:09:47 +0900 Subject: [PATCH 24/27] Add description for `GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE` --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 11bd25958..1ef2ce7a3 100644 
--- a/README.md +++ b/README.md @@ -1283,6 +1283,10 @@ The URL to the Kubernetes API proxy (used by GitLab users). No default. Control startup behavior of built-in KAS. `autostart` value in supervisor configuration for KAS will be set to this value. Default to [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) +##### `GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE` + +Websocket token secret file. Default to `${GITLAB_INSTALL_DIR}/.gitlab_kas_websocket_token_secret` + ##### `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE` An authentication secret file used to connect to gitlab from KAS. Defaults to `${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}`. From c93d5bae383f377120b4a7d844d14b387cf9006e Mon Sep 17 00:00:00 2001 From: KIMURA Kazunori Date: Tue, 6 Jan 2026 15:21:18 +0900 Subject: [PATCH 25/27] Add example KAS configuration to README.md --- README.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/README.md b/README.md index 1ef2ce7a3..302de84cb 100644 --- a/README.md +++ b/README.md 
@@ -923,6 +923,58 @@ You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#gitlab_kas_e You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_secret). This secret file will be generated if they don't exist. +Here is an example settings for kubernetes rc.yml: + +```yaml +spec: + containers: + - name: gitlab + image: sameersbn/gitlab:latest + env: + - name: GITLAB_KAS_ENABLED + value: "true" + - name: GITLAB_AGENT_BUILTIN_KAS_ENABLED + value: "true" + - name: GITLAB_KAS_EXTERNAL + value: wss://gitlab.example.com/gitlab/-/kubernetes-agent/ + - name: GITLAB_KAS_INTERNAL + value: grpc://127.0.0.1:8153 + - name: GITLAB_KAS_PROXY + value: https://gitlab.example.com/gitlab/-/kubernetes-agent/k8s-proxy/ + - name: OWN_PRIVATE_API_URL + value: grpc://127.0.0.1:8155 +``` + +and for docker-compose.yml: + +```yaml +services: + gitlab: + image: sameersbn/gitlab:latest + environment: + - GITLAB_KAS_ENABLED=true + - GITLAB_AGENT_BUILTIN_KAS_ENABLED=true + - GITLAB_KAS_EXTERNAL=wss://gitlab.example.com/gitlab/-/kubernetes-agent/ + - GITLAB_KAS_INTERNAL=grpc://127.0.0.1:8153 + - GITLAB_KAS_PROXY=https://gitlab.example.com/gitlab/-/kubernetes-agent/k8s-proxy/ + - OWN_PRIVATE_API_URL=grpc://127.0.0.1:8155 +``` + +or in another style: + +```yaml +services: + gitlab: + image: sameersbn/gitlab:latest + environment: + GITLAB_KAS_ENABLED: "true" + GITLAB_AGENT_BUILTIN_KAS_ENABLED: "true" + GITLAB_KAS_EXTERNAL: wss://gitlab.example.com/gitlab/-/kubernetes-agent/ + GITLAB_KAS_INTERNAL: grpc://127.0.0.1:8153 + GITLAB_KAS_PROXY: https://gitlab.example.com/gitlab/-/kubernetes-agent/k8s-proxy/ + OWN_PRIVATE_API_URL: grpc://127.0.0.1:8155 +``` + #### Built-in GitLab-Agent KAS To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_BUILTIN_KAS_ENABLED`](#gitlab_agent_builtin_kas_enabled). From 1ba472369fb02278c47ff019c3315f81d55aff19 Mon Sep 17 00:00:00 2001 
From: KIMURA Kazunori Date: Tue, 6 Jan 2026 15:20:57 +0900 Subject: [PATCH 26/27] Fix assignment for GITLAB_KAS_SECRET User still only required to set `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` as `GITLAB_KAS_SECRET` finally default to `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` (over `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE`) --- README.md | 2 +- assets/runtime/config/gitlabhq/gitlab.yml | 2 +- assets/runtime/env-defaults | 2 ++ assets/runtime/functions | 3 ++- 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 302de84cb..8b341f595 100644 --- a/README.md +++ b/README.md @@ -1317,7 +1317,7 @@ Enable/Disable GitLab agent server for Kubernetes (KAS). See details on [officia ##### `GITLAB_KAS_SECRET` -File that contains the secret key for verifying access for GitLab KAS. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_secret` +File that contains the secret key for verifying access for GitLab KAS. This value will be used for `production.gitlab_kas.secret_file` in gitlab.yml. Defaults to `${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}` ##### `GITLAB_KAS_EXTERNAL` diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index 1cbd9e0ef..8e05f3349 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml @@ -1178,7 +1178,7 @@ production: &base enabled: {{GITLAB_KAS_ENABLED}} # File that contains the secret key for verifying access for gitlab-kas. # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). - secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # /home/git/gitlab/.gitlab_kas_secret + secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret # The URL to the external KAS API (used by the Kubernetes agents) external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com 
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 8be96c171..34d084bc1 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -696,3 +696,5 @@ GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE=${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_ GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-} GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE:-${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} GITLAB_AGENT_BUILTIN_KAS_ENABLED=${GITLAB_AGENT_BUILTIN_KAS_ENABLED:-false} + +GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} diff --git a/assets/runtime/functions b/assets/runtime/functions index d56bb280c..50f025075 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions @@ -371,7 +371,7 @@ gitlab_configure_gitlab_kas() { GITLAB_KAS_ENABLED \ GITLAB_KAS_EXTERNAL \ GITLAB_KAS_INTERNAL \ - GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ + GITLAB_KAS_SECRET \ GITLAB_KAS_PROXY printf "Configuring gitlab-agent::KAS (enabled: %s)\n" "${GITLAB_AGENT_BUILTIN_KAS_ENABLED}" @@ -381,6 +381,7 @@ gitlab_configure_gitlab_kas() { GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \ GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \ GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE \ + GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE \ REDIS_HOST \ REDIS_PORT \ GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE From e2673eb7d9f41fe80def614b543e8fbabb063b0f Mon Sep 17 00:00:00 2001 From: KIMURA Kazunori Date: Tue, 6 Jan 2026 18:10:00 +0900 Subject: [PATCH 27/27] Update gitlab_agent_kas to 18.7.0 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index bd8e6776b..a5b4128c2 100644 --- a/Dockerfile +++ b/Dockerfile 
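Review bot: Making `GITLAB_KAS_SECRET` overridable again (env-defaults hunk) reopens a gap: the branch of gitlab_configure_secrets that generated that file was removed in PATCH 18/27 and the surviving branches create only the three `GITLAB_AGENT_KAS_*` files, so a custom `GITLAB_KAS_SECRET` or `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE` path that does not yet exist is never created, while the README wording kept in PATCH 22/27 still says the secret file "will be generated if they don't exist". The default chain also ties Rails' `secret_file` to kas's `gitlab.authentication_secret_file`, which suggests they are meant to hold the same secret, yet when the built-in kas is enabled and the two variables point at different files nothing flags it. A check after the kas `update_template` call, such as `[[ "${GITLAB_KAS_SECRET}" == "${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}" ]] || echo "WARNING: GITLAB_KAS_SECRET differs from GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE" >&2`, would surface the misconfiguration at startup. gitlab_configure_gitlab_kas begins before and ends after these hunks.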
@@ -10,7 +10,7 @@ ENV GITLAB_VERSION=${VERSION} \ GITLAB_SHELL_VERSION=14.45.5 \ GITLAB_PAGES_VERSION=18.7.0 \ GITALY_SERVER_VERSION=18.7.0 \ - GITLAB_AGENT_VERSION=18.5.1 \ + GITLAB_AGENT_VERSION=18.7.0 \ GITLAB_USER="git" \ GITLAB_HOME="/home/git" \ GITLAB_LOG_DIR="/var/log/gitlab" \