Commit e0137111 authored by Hordur Freyr Yngvason's avatar Hordur Freyr Yngvason

Add config field gitlab_kas.external_k8s_proxy_url

KAS runs the Kubernetes API proxy on a separate port from the agentk
gRPC service. In the GitLab Helm chart, there is a reverse
proxy (Ingress) that combines both under a single address, but this is
not the case for other distributions, such as Omnibus and GDK.

Furthermore, the two are in separate security domains:

- gitlab_kas.external_url must be reachable from agentk instances
- gitlab_kas.external_k8s_proxy_url must be reachable from CI/CD and user machines

See https://gitlab.com/gitlab-org/gitlab/-/issues/342084

Changelog: added
parent ba24ccf6
......@@ -1218,6 +1218,9 @@ production: &base
# The URL to the internal KAS API (used by the GitLab backend)
# internal_url: grpc://localhost:8153
# The URL to the Kubernetes API proxy (used by GitLab users)
# external_k8s_proxy_url: https://localhost:8154 # default: nil
## GitLab Elasticsearch settings
elasticsearch:
indexer_path: /home/git/gitlab-elasticsearch-indexer/
......
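Review bot: The new comment `# The URL to the Kubernetes API proxy (used by GitLab users)` undersells what the commit description says about this setting: it must also be reachable from CI/CD jobs and sits in a different security domain from `external_url`, which agentk uses. An admin reading only the example file will not learn that, and `https://localhost:8154` is not a reachable example for either audience. I would expand it to `# The URL to the Kubernetes API proxy. Must be reachable from user machines and CI/CD jobs (a different audience than external_url, which agentk uses); use a publicly routable https:// address, not localhost.` and keep `# default: nil`. Whether 8154 is the proxy port in other distributions I cannot tell from here.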
......@@ -757,6 +757,7 @@ Settings.gitlab_kas['enabled'] ||= false
Settings.gitlab_kas['secret_file'] ||= Rails.root.join('.gitlab_kas_secret')
Settings.gitlab_kas['external_url'] ||= 'wss://kas.example.com'
Settings.gitlab_kas['internal_url'] ||= 'grpc://localhost:8153'
# Settings.gitlab_kas['external_k8s_proxy_url'] ||= 'grpc://localhost:8154' # NOTE: Do not set a default until all distributions have been updated with a correct value
#
# Repositories
......
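Review bot: The commented-out default `grpc://localhost:8154` on the new line disagrees with the scheme used everywhere else for this setting: gitlab.yml.example documents it as `https://localhost:8154`, and `Gitlab::Kas.tunnel_url`'s legacy path only ever produces an http:// or https:// proxy URL. Whoever later uncomments this line will copy a grpc:// scheme into a value handed to browsers and CI jobs, which is a URL those clients cannot use. I would change it to `# Settings.gitlab_kas['external_k8s_proxy_url'] ||= 'https://localhost:8154' # NOTE: Do not set a default until all distributions have been updated with a correct value` so the placeholder matches the example config.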
......@@ -41,6 +41,10 @@ module Gitlab
end
def tunnel_url
configured = Gitlab.config.gitlab_kas['external_k8s_proxy_url']
return configured if configured.present?
# Legacy code path. Will be removed when all distributions provide a sane default here
uri = URI.join(external_url, K8S_PROXY_PATH)
uri.scheme = uri.scheme.in?(%w(grpcs wss)) ? 'https' : 'http'
uri.to_s
......
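Review bot: The configured value is returned verbatim on the new `return configured if configured.present?` line with no scheme check, whereas the legacy fallback right below normalizes grpcs/wss to https and everything else to http. A value such as the `grpc://localhost:8154` placeholder in 1_settings.rb or a `ws://` URL would now reach users and CI/CD unchanged, and since this endpoint crosses a trust boundary (the commit description calls it a separate security domain), a non-https value silently weakens that client-facing URL. At minimum document the contract above the guard, e.g. `# Used verbatim: admins must configure an http(s) URL reachable by users and CI/CD jobs.`; a stricter option is to log or raise when `URI(configured).scheme` is not http/https, though I cannot tell from here whether config validation belongs in this class. The `tunnel_url` method's closing `end` lies outside the hunk.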
......@@ -70,30 +70,44 @@ RSpec.describe Gitlab::Kas do
stub_config(gitlab_kas: { external_url: external_url })
end
let(:external_url) { 'xyz' }
subject { described_class.tunnel_url }
context 'external_url uses wss://' do
let(:external_url) { 'wss://kas.gitlab.example.com' }
context 'with a gitlab_kas.external_k8s_proxy_url setting' do
let(:external_k8s_proxy_url) { 'abc' }
before do
stub_config(gitlab_kas: { external_k8s_proxy_url: external_k8s_proxy_url })
end
it { is_expected.to eq('https://kas.gitlab.example.com/k8s-proxy') }
it { is_expected.to eq(external_k8s_proxy_url) }
end
context 'external_url uses ws://' do
let(:external_url) { 'ws://kas.gitlab.example.com' }
context 'without a gitlab_kas.external_k8s_proxy_url setting' do
context 'external_url uses wss://' do
let(:external_url) { 'wss://kas.gitlab.example.com' }
it { is_expected.to eq('http://kas.gitlab.example.com/k8s-proxy') }
end
it { is_expected.to eq('https://kas.gitlab.example.com/k8s-proxy') }
end
context 'external_url uses grpcs://' do
let(:external_url) { 'grpcs://kas.gitlab.example.com' }
context 'external_url uses ws://' do
let(:external_url) { 'ws://kas.gitlab.example.com' }
it { is_expected.to eq('https://kas.gitlab.example.com/k8s-proxy') }
end
it { is_expected.to eq('http://kas.gitlab.example.com/k8s-proxy') }
end
context 'external_url uses grpcs://' do
let(:external_url) { 'grpcs://kas.gitlab.example.com' }
context 'external_url uses grpc://' do
let(:external_url) { 'grpc://kas.gitlab.example.com' }
it { is_expected.to eq('https://kas.gitlab.example.com/k8s-proxy') }
end
context 'external_url uses grpc://' do
let(:external_url) { 'grpc://kas.gitlab.example.com' }
it { is_expected.to eq('http://kas.gitlab.example.com/k8s-proxy') }
it { is_expected.to eq('http://kas.gitlab.example.com/k8s-proxy') }
end
end
end
......
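Review bot: The guard in `tunnel_url` uses `present?`, so an empty-string `external_k8s_proxy_url` falls back to the legacy derivation, but the new `without a gitlab_kas.external_k8s_proxy_url setting` contexts only cover the setting being absent; a context with `let(:external_k8s_proxy_url) { '' }` asserting the legacy `https://kas.gitlab.example.com/k8s-proxy` result would pin that branch. The `'abc'` fixture also pins that the value is returned without any URL validation; if that is intentional, a comment such as `# value is used verbatim, no URL validation` on the `let` would tell the next reader it is not an oversight, and a realistic `https://` fixture would document the expected shape. I cannot tell from here whether `stub_config` merges nested hashes, so the inner `stub_config(gitlab_kas: { external_k8s_proxy_url: ... })` may be replacing the outer `external_url` stub; harmless for these expectations, but worth confirming.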