
Receptive agent support Part 3 - TLS for API & Private API

Taka Nishida requested to merge receptive-agent-support-2 into main

Part of #60 (closed).

Support receptive agents with TLS for API & Private API.

This includes:

  • Support new command-line flags, with a new setting under values.config for each of:
    • api-cert-file
    • api-key-file
    • private-api-cert-file
    • private-api-key-file
  • Support TLS termination at the Ingress when config.ingress.tls.enabled == true. Otherwise the API cert and key are passed to kas through api-cert-file and api-key-file.

Does NOT include: mTLS support, cert manager & cert manager issuer.

How to verify (Using GKE)

Prerequisites: prepare a GKE environment.

  • Go to GKE console.
  • Start your GKE cluster.
  • Connect to the cluster from your local kubectl command.

Verification steps:

  • Start GDK with the latest GitLab Rails.
  • Check Enable receptive mode and Save changes in Admin => Settings => General => expand GitLab Agent for Kubernetes.
  • Get your project id and agent id.
  • Create the URL configuration:
    curl --header "Private-Token: <your_access_token>" \
      "https://gdk.test:3443/api/v4/projects/<project id>/cluster_agents/<agent id>/url_configurations" \
      -H "Content-Type:application/json" \
      -X POST \
      --data '{"url":"grpcs://your-domain.example.com"}'
  • Note your public_key from the response above.
  • Run the helm install command below and verify the release.
    • GRPC_GO_LOG_VERBOSITY_LEVEL and GRPC_GO_LOG_SEVERITY_LEVEL are optional but useful for debugging.
    $ helm install my-release . --debug \
      --set config.token=<YOUR_TOKEN> \
      --set image.tag=v17.4.0-rc1-debug \
      --set config.receptive.enabled=true \
      --set config.api.enabled=true \
      --set config.api.tls.enabled=true \
      --set config.api.listenAddress=:8082 \
      --set config.api.tls.cert="$(cat <YOUR-domain.pem>)" \
      --set config.api.tls.key="$(cat <privkey.pem>)" \
      --set config.api.jwtPublicKey="<PUBLIC_KEY_RECEIVED_IN_THE_PREVIOUS_STEP>" \
      --set config.privateApi.enabled=true \
      --set config.privateApi.tls.enabled=true \
      --set config.privateApi.tls.cert="$(cat <YOUR-tls.crt>)" \
      --set config.privateApi.tls.key="$(cat <YOUR-tls.key>)" \
      --set config.privateApi.tls.caCert="$(cat <YOUR-tls.crt>)" \
      --set ingress.enabled=true \
      --set ingress.tls.enabled=true \
      --set ingress.hostname=<your-domain>.com \
      --set ingress-nginx.enabled=true \
      --set "extraEnv[0].name=GRPC_GO_LOG_VERBOSITY_LEVEL" \
      --set "extraEnv[0].value='99'" \
      --set "extraEnv[1].name=GRPC_GO_LOG_SEVERITY_LEVEL" \
      --set "extraEnv[1].value=debug" \
      --set "extraEnv[2].name=OWN_PRIVATE_API_HOST" \
      --set "extraEnv[2].value=my-release-gitlab-agent-service.default.svc.cluster.local"
  • Get your Ingress service's external IP address (kubectl get svc).
  • Point your domain's DNS record at that IP address.
  • Verify the agents are connected to KAS: check the UI and the agent pod logs (look for agent_id: <agent id> in the agent pod logs).
  • Verify that K8s proxy requests work.
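The private API values above (config.privateApi.tls.cert, .key, .caCert and OWN_PRIVATE_API_HOST) only work together if the certificate chains to caCert and names the service host, and the helm command reuses tls.crt as its own caCert. This added Go example, which is not part of the merge request or the chart, is a pre-flight check of exactly that; checkPrivateAPICert and selfSigned are hypothetical helpers, and the self-signed fixture stands in for the operator's tls.crt.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// checkPrivateAPICert is a hypothetical pre-flight helper, not chart or kas code. It loads the PEM pair given
// as config.privateApi.tls.cert/key and checks it against config.privateApi.tls.caCert and host (OWN_PRIVATE_API_HOST).
func checkPrivateAPICert(certPEM, keyPEM, caPEM []byte, host string) (*tls.Config, error) {
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("cert/key pair: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("caCert contains no PEM certificates")
	}
	// Rejects an expired cert, an issuer outside caCert, and a SAN list that does not cover host.
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host}); err != nil {
		return nil, fmt.Errorf("cert not usable for %s: %w", host, err)
	}
	return &tls.Config{Certificates: []tls.Certificate{pair}, RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// selfSigned mints a constructed self-signed fixture for sans (panics on failure), playing the role of
// the tls.crt that the helm command above also reuses as caCert.
func selfSigned(sans ...string) (certPEM, keyPEM []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fixture: the read from crypto/rand is assumed to succeed
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: sans, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv) // cannot fail for a key this package just generated
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
}
```

Run the same check against the real tls.crt, tls.key and caCert files before helm install; a hostname or issuer mismatch here is the same failure the kas pods would report when they try to reach OWN_PRIVATE_API_HOST.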

FYI: I verified this based on some scenarios 👉

Edited by Taka Nishida
