fix: add missing websocket_token_secret_file for KAS dev compose
What does this MR do?
Fix KAS startup crash caused by missing websocket_token_secret_file in the dev compose configuration.
KAS crashes on startup with:
{"level":"ERROR","msg":"Program aborted","error":"kubernetes_api: read file: open : no such file or directory"}
The empty path after open is the tell. dev/gitlab-kas/config.yml does not set agent.kubernetes_api.websocket_token_secret_file. This field became required in KAS 18.0 via MR !2441 (commit 6a3000c4, merged 2025-05-05). The proto changed from optional string to string, so an empty config value becomes an empty string passed to os.ReadFile("").
This affects every KAS release since v18.0.0. Earlier smoke tests didn't surface it because redis DNS failures would abort KAS before it reached the kubernetes_api module factory.
Changes
- dev/gitlab-kas/.gitlab_kas_websocket_token_secret (new file): dev-only sample secret for local compose testing. 72 bytes of random data, base64-encoded. KAS requires 64-72 decoded bytes for SHA3-512 HMAC; 72 matches the Helm chart convention. To regenerate: head -c 72 /dev/urandom | base64 -w0 > dev/gitlab-kas/.gitlab_kas_websocket_token_secret
- dev/gitlab-kas/config.yml: add websocket_token_secret_file field under agent.kubernetes_api
- docker-compose.yml: add volume mount for the secret file
Compatibility
dsop-scripts mounts dev configs from CNG via DEV_DIR. A companion MR on dsop-scripts adds the volume mount for this new file. Merge order: this CNG MR first, then the dsop-scripts MR.
Related issues
Test plan
Tested on CentOS Stream 10 (GCP, Docker CE 29.3.1, Compose v5.1.1) with CNG images v18.10.0. KAS starts cleanly with all 5 endpoints up (Kubernetes API :8154, Agent API :8150, API :8153, Private API :8155, Observability :8151).
Checklist
- Merge Request Title, and Description are up to date, accurate, and descriptive
- MR targeting the appropriate branch
- MR has a green pipeline on GitLab.com
- When ready for review, MR is labeled "~workflow::ready for review"
- Test plan indicating conditions for success has been posted and passes
- Documentation created/updated (N/A, dev config only)
- Integration tests added to GitLab QA (N/A, dev config only)
- The impact any change in container size has should be evaluated (no image changes, config only)
AI-Generated Content Disclosure: This MR contains code generated with assistance from GitLab Duo and OpenCode. The output has been reviewed for correctness, tested, and validated against project requirements per GitLab's AI contribution guidelines.
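A preflight check for the failure described above, added here as an example and not part of this MR or of KAS: it rejects an empty path (the "open :" case) and verifies that the file base64-decodes to the 64-72 bytes the description says KAS requires. The function name check_kas_secret and its exit codes are assumptions.

```shell
#!/bin/sh
# Added example (not from the MR or from KAS): validate the file that
# agent.kubernetes_api.websocket_token_secret_file points at before starting KAS.
# The 64-72 decoded-byte bound comes from the MR description; the function
# name and exit codes are hypothetical.

check_kas_secret() {
    kas_path="$1"

    # An unset field reaches KAS as "", which produced "open : no such file".
    if [ -z "$kas_path" ]; then
        echo "websocket_token_secret_file is empty or unset" >&2
        return 2
    fi
    if [ ! -f "$kas_path" ] || [ ! -r "$kas_path" ]; then
        echo "secret file missing or unreadable: $kas_path" >&2
        return 3
    fi

    # Reject content that is not valid base64; output is discarded so the
    # secret is never printed or written elsewhere.
    if ! base64 -d < "$kas_path" >/dev/null 2>&1; then
        echo "secret file is not valid base64: $kas_path" >&2
        return 4
    fi

    # Count decoded bytes only (tr strips padding some wc builds emit).
    kas_len=$(base64 -d < "$kas_path" | wc -c | tr -d ' ')
    if [ "$kas_len" -lt 64 ] || [ "$kas_len" -gt 72 ]; then
        echo "decoded secret is $kas_len bytes, expected 64-72" >&2
        return 5
    fi
    return 0
}

# Usage: check_kas_secret dev/gitlab-kas/.gitlab_kas_websocket_token_secret
```

Running it in the compose entrypoint or a CI smoke step turns the opaque startup abort into a specific message before KAS is launched.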