
Document how to enable internal and external TLS communication for KAS endpoints

Updated Summary 2022-11-14

We decided to split this issue into two more. Documenting the metrics endpoint and the Redis SSL connection will be done as part of #3994 (closed) and #3995.

Original Summary

We've recently introduced a way to mount certificate volumes into KAS pods. This enables KAS to talk internally and externally over TLS.

The way to enable this for the private_api endpoint is already documented. We should extend the documentation to explain how to enable it for the other endpoints using gitlab.kas.customConfig.

The configuration that mounts the secret volume currently depends on privateApi.tls.enabled. As another follow-up we also intend to improve the UX of the chart so that TLS can be enabled for all components in a more global fashion, without the need to specify customConfig.
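As an added illustration, not taken from the issue or from the chart's own documentation, of what the extended documentation would need to show: a Helm values fragment that keeps the already documented privateApi.tls.enabled switch (the one that mounts the certificate secret) and uses gitlab.kas.customConfig to point the other listeners at the same certificate. The listener keys (agent.listen, agent.kubernetes_api.listen, api.listen, each with certificate_file and key_file) follow the names used in the KAS configuration file; the secret name kas-tls and the mount paths /etc/kas/tls.crt and /etc/kas/tls.key are assumptions and must be replaced with wherever the chart actually mounts the secret in your release.

```yaml
gitlab:
  kas:
    # Documented switch: mounts the TLS secret into the KAS pod and enables
    # TLS on the private_api listener (port 8155).
    privateApi:
      tls:
        enabled: true
        secretName: kas-tls   # assumed secret name; must contain tls.crt and tls.key

    # Added example, not chart defaults: reuse the mounted certificate for the
    # remaining listeners through customConfig. The file paths are an assumption
    # about where the secret is mounted; adjust them to the chart's actual mount.
    customConfig:
      agent:
        # agentk -> KAS (port 8150)
        listen:
          certificate_file: /etc/kas/tls.crt
          key_file: /etc/kas/tls.key
        # CI tunnel, GitLab Runner -> KAS (port 8154)
        kubernetes_api:
          listen:
            certificate_file: /etc/kas/tls.crt
            key_file: /etc/kas/tls.key
      api:
        # GitLab backend -> KAS (port 8153)
        listen:
          certificate_file: /etc/kas/tls.crt
          key_file: /etc/kas/tls.key
```

Two practitioner caveats. First, the agentk and Kubernetes API listeners are fronted by NGINX, so enabling TLS on them only helps if the ingress is also told that the backend now speaks HTTPS; otherwise the proxy sends plaintext to a TLS listener and every handshake fails. Second, verify each port after the rollout rather than trusting the values file: openssl s_client -connect <kas-pod-ip>:8153 </dev/null should print a certificate chain, and the same check against 8150, 8154 and 8155 confirms the other listeners. The observability listener (8151) and the Redis connection are deliberately left out here, matching the updated summary that moves them to their own issues.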


The discussion started at !2803 (merged):

  • @Alexand started a discussion: (+8 comments)

    Not included: KAS primary API endpoint supporting TLS

    @WarheadsSE, as a follow-up, over which channel of communication exactly are you referring to as the primary API?

    KAS exposes 5 ports:

    kas {"level":"info","msg":"Kubernetes API endpoint is up","mod_name":"kubernetes_api","net_network":"tcp","net_address":":8154"}
    kas {"level":"info","msg":"Private API endpoint is up","net_network":"tcp","net_address":":8155"}
    kas {"level":"info","msg":"API endpoint is up","net_network":"tcp","net_address":":8153"}
    kas {"level":"info","msg":"Agentk API endpoint is up","net_network":"tcp","net_address":":8150","is_websocket":true}
    kas {"level":"info","msg":"Observability endpoint is up","mod_name":"observability","net_network":"tcp","net_address":":8151"}

    • The Private API is the one we took care of in this MR.
    • The Observability endpoint is used to expose metrics.
    • The Agentk API is the one that agents use to connect to KAS. This one is routed by NGINX, which serves the endpoint with TLS.
    • The Kubernetes API is the one the GitLab Runner uses for the CI/CD workflow (CI Tunnel). It also goes through NGINX configured with TLS.
    • The API endpoint is the one used by the GitLab backend to communicate with KAS. This one I'm indeed not sure whether it talks through TLS. 🤔

    @nmezzopera @ash2k do we need another issue for TLS for the "API endpoint" (GitLab backend -> KAS)? Or any other that I didn't recognise?

Edited by João Alexandre Cunha