Add deprecation note to GitLab deprecations regarding KAS private tls

What is this issue about?

The gitlab.kas.privateApi.tls.enabled and gitlab.kas.privateApi.tls.secretName attrs were deprecated following the linked discussion below.

The following discussion from !2888 (merged) should be addressed:

  • @Alexand started a discussion:

    I'm not sure if deprecating gitlab.kas.privateApi.tls.* is the best way forward. But my reasoning was:

    1. I want to simplify the chart options. So it's probably better to have just one documentation section explaining how to enable TLS for KAS.
    2. Having a global attribute to configure TLS for KAS across the chart gives us more power to automate these configurations. Right now, GitLab webservice needs the KAS address (grpc vs grpcs). A configuration value that lives inside of the KAS sub-chart can't do it.
    3. I can't immediately think of a reason why one would want to enable just certain KAS servers with TLS, but not others.
    4. I don't think we'd need different certificates per KAS server, or any other TLS specific configuration that would be used differently for each KAS service.

    I'm leaving this thread open in case the reviewer and maintainer have any thoughts regarding this.

This issue is to track adding a deprecation note to https://docs.gitlab.com/ee/update/deprecations.html.

Deprecation note proposal

Planned removal: GitLab 17.0 (2024-05-22)

The GitLab chart provides gitlab.kas.privateApi.tls.enabled and gitlab.kas.privateApi.tls.secretName to support TLS communication between KAS pods. To enable TLS communication between KAS and all other chart components that KAS needs to communicate with, one needs to set many other extra Helm values.

To facilitate enabling TLS communication between KAS and all the chart components, we've introduced the global.kas.tls.* Helm values. Since this is a more complete and simple approach to enabling TLS for KAS, we recommend you stop using the gitlab.kas.privateApi.tls.* Helm values and use global.kas.tls.* instead. Therefore, gitlab.kas.privateApi.tls.* is deprecated and scheduled for removal in 17.0. For more information please refer to:

/cc @nmezzopera @nagyv-gitlab
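
An added example, not part of the original issue or the GitLab chart's own code: a pre-upgrade check that finds the deprecated gitlab.kas.privateApi.tls.* keys in already-parsed Helm values and moves them under global.kas.tls.*. It assumes that `enabled` and `secretName` map one-to-one to the new location; the function names and the sample values are constructed for illustration.

```python
import copy

# Deprecated Helm value paths named in the note -> their replacements.
# ASSUMPTION: `enabled` and `secretName` map one-to-one under global.kas.tls.
OLD, NEW = ("gitlab", "kas", "privateApi", "tls"), ("global", "kas", "tls")
DEPRECATED = {OLD + (k,): NEW + (k,) for k in ("enabled", "secretName")}
_MISSING = object()
def _get(values, path):
    for key in path:
        if not isinstance(values, dict) or key not in values:
            return _MISSING
        values = values[key]
    return values

def _set(values, path, value):
    for key in path[:-1]:
        values = values.setdefault(key, {})
    values[path[-1]] = value

def _delete(values, path):
    """Delete the leaf at `path`, then prune parent mappings left empty."""
    parents = []
    for key in path[:-1]:
        parents.append((values, key))
        values = values[key]
    del values[path[-1]]
    for parent, key in reversed(parents):
        if parent[key]:
            break
        del parent[key]

def migrate_kas_tls(values):
    """Return (migrated copy, deprecated keys found, conflicting new keys)."""
    out, found, conflicts = copy.deepcopy(values), [], []
    for old, new in DEPRECATED.items():
        old_val = _get(out, old)
        if old_val is _MISSING:
            continue
        found.append(".".join(old))
        new_val = _get(out, new)
        if new_val is _MISSING:
            _set(out, new, old_val)
        elif new_val != old_val:
            conflicts.append(".".join(new))  # keep the explicit global value
        _delete(out, old)
    return out, found, conflicts
# Constructed sample: a parsed values.yaml that still uses the old keys.
SAMPLE = {"global": {"hosts": {"domain": "example.com"}},
          "gitlab": {"kas": {"privateApi": {"tls": {"enabled": True, "secretName": "kas-tls"}}}}}
```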