Unable to configure OWN_PRIVATE_API_CIDR after OWN_PRIVATE_API_URL has been set once previously

When configuring KAS on multiple nodes, `OWN_PRIVATE_API_CIDR` cannot seem to be set if `OWN_PRIVATE_API_URL` has been set previously.

If old configuration is removed from gitlab.rb and reconfigured, KAS still holds onto the OWN_PRIVATE_API_URL as being set and logs report:

```
2024-10-17_04:23:25.81914 {"time":"2024-10-17T04:23:25.8188453Z","level":"INFO","msg":"Running KAS","kas":"gitlab-kas/v17.3.2/v17.3.2"}
2024-10-17_04:23:25.82038 {"time":"2024-10-17T04:23:25.820304609Z","level":"INFO","msg":"KAS shutdown done, exiting"}
2024-10-17_04:23:25.82045 {"time":"2024-10-17T04:23:25.820366129Z","level":"INFO","msg":"Received shutdown signal"}
2024-10-17_04:23:25.82046 Program aborted: private API server: either OWN_PRIVATE_API_URL or OWN_PRIVATE_API_CIDR should be specified, not both
```

I have tried commenting out as mentioned in documentation:

  • Comment out OWN_PRIVATE_API_URL to disable this variable.

Enabling and disabling KAS, commenting out, and reconfiguring between each appears to make no difference. An example of gitlab.rb where this happens:

```ruby
gitlab_kas_external_url 'wss://kas.gitlab.example.net'

gitlab_kas['api_secret_key'] = 'snip'
gitlab_kas['private_api_secret_key'] = 'snip'
gitlab_kas['private_api_listen_address'] = '0.0.0.0:8155'
gitlab_kas['env'] = {
# 'OWN_PRIVATE_API_URL' => 'commented_out',
  'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/",
  'OWN_PRIVATE_API_CIDR' => '172.31.0.0/16',
  'OWN_PRIVATE_API_PORT' => '8155',
  'OWN_PRIVATE_API_SCHEME' => 'grpc'
}

gitlab_rails['gitlab_kas_external_url'] = 'wss://gitlab.example.net/-/kubernetes-agent/'
gitlab_rails['gitlab_kas_internal_url'] = 'grpc://kas.internal.gitlab.example.net'
gitlab_rails['gitlab_kas_external_k8s_proxy_url'] = 'https://gitlab.example.net/-/kubernetes-agent/k8s-proxy/'
```

Expected behaviour:

Should be able to comment out `OWN_PRIVATE_API_URL` in gitlab.rb and then add new configuration for multiple nodes, including `OWN_PRIVATE_API_CIDR`, and have settings update after a reconfigure.