Add support for observability endpoint TLS
Adds support for application-level TLS on the observability endpoint.
Requires the changes from gitlab-org/cluster-integration/gitlab-agent!745 (merged), to be released in v15.5.0.
Closes gitlab-org/gitlab#375329 (closed)
Testing
Does not include observability by default
helm template . | grep observability
returns no matches
Creates observability secret
helm template . \
--set config.observability.tls.enabled=true \
--set config.observability.tls.secret.create=true \
--set config.observability.tls.secret.name=example-name \
--set config.observability.tls.cert=example-cert-value \
--set config.observability.tls.key=example-key-value
Click to expand for output with the expected sections in bold:
--- # Source: gitlab-agent/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: release-name-gitlab-agent labels: helm.sh/chart: gitlab-agent-1.5.0 app.kubernetes.io/name: gitlab-agent app: gitlab-agent app.kubernetes.io/version: "v15.4.0" app.kubernetes.io/managed-by: Helm --- # Source: gitlab-agent/templates/observability-secret.yaml apiVersion: v1 kind: Secret metadata: name: example-name labels: helm.sh/chart: gitlab-agent-1.5.0 app.kubernetes.io/name: gitlab-agent app: gitlab-agent app.kubernetes.io/version: "v15.4.0" app.kubernetes.io/managed-by: Helm data: tls.key: ZXhhbXBsZS1rZXktdmFsdWU= tls.crt: ZXhhbXBsZS1jZXJ0LXZhbHVl type: kubernetes.io/tls --- # Source: gitlab-agent/templates/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: release-name-gitlab-agent labels: helm.sh/chart: gitlab-agent-1.5.0 app.kubernetes.io/name: gitlab-agent app: gitlab-agent app.kubernetes.io/version: "v15.4.0" app.kubernetes.io/managed-by: Helm data: --- # Source: gitlab-agent/templates/clusterrolebinding-cluster-admin.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: default:release-name-gitlab-agent-cluster-admin labels: helm.sh/chart: gitlab-agent-1.5.0 app.kubernetes.io/name: gitlab-agent app: gitlab-agent app.kubernetes.io/version: "v15.4.0" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: release-name-gitlab-agent namespace: default --- # Source: gitlab-agent/templates/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: release-name-gitlab-agent labels: helm.sh/chart: gitlab-agent-1.5.0 app.kubernetes.io/name: gitlab-agent app: gitlab-agent app.kubernetes.io/version: "v15.4.0" app.kubernetes.io/managed-by: Helm spec: replicas: 1 strategy: rollingUpdate: maxSurge: 0 maxUnavailable: 1 type: RollingUpdate selector: matchLabels: app.kubernetes.io/name: gitlab-agent app: 
gitlab-agent template: metadata: annotations: prometheus.io/path: /metrics prometheus.io/port: "8080" prometheus.io/scrape: "true" labels: app.kubernetes.io/name: gitlab-agent app: gitlab-agent spec: serviceAccountName: release-name-gitlab-agent containers: - name: gitlab-agent image: registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/agentk:v15.4.0 imagePullPolicy: IfNotPresent args: - --token-file=/etc/agentk/secrets/token - --kas-address=wss://kas.gitlab.com - --observability-cert-file=/etc/agentk/observability-secrets/tls.crt - --observability-key-file=/etc/agentk/observability-secrets/tls.key livenessProbe: httpGet: path: /liveness port: 8080 initialDelaySeconds: 15 periodSeconds: 20 readinessProbe: httpGet: path: /readiness port: 8080 initialDelaySeconds: 5 periodSeconds: 10 resources: {} env: - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: SERVICE_ACCOUNT_NAME valueFrom: fieldRef: fieldPath: spec.serviceAccountName volumeMounts: - name: secret-volume mountPath: /etc/agentk/secrets - name: observability-secret-volume mountPath: /etc/agentk/observability-secrets - name: config-volume mountPath: /etc/agentk/config volumes: - name: secret-volume secret: secretName: release-name-gitlab-agent-token - name: observability-secret-volume secret: secretName: example-name - name: config-volume configMap: name: release-name-gitlab-agent
Reuses existing secret
helm template . \
--set config.observability.tls.enabled=true \
--set config.observability.tls.secret.create=false
Click to expand for output with the expected sections emphasized:
--- # Source: gitlab-agent/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: release-name-gitlab-agent labels: helm.sh/chart: gitlab-agent-1.5.0 app.kubernetes.io/name: gitlab-agent app: gitlab-agent app.kubernetes.io/version: "v15.4.0" app.kubernetes.io/managed-by: Helm --- # Source: gitlab-agent/templates/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: release-name-gitlab-agent labels: helm.sh/chart: gitlab-agent-1.5.0 app.kubernetes.io/name: gitlab-agent app: gitlab-agent app.kubernetes.io/version: "v15.4.0" app.kubernetes.io/managed-by: Helm data: --- # Source: gitlab-agent/templates/clusterrolebinding-cluster-admin.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: default:release-name-gitlab-agent-cluster-admin labels: helm.sh/chart: gitlab-agent-1.5.0 app.kubernetes.io/name: gitlab-agent app: gitlab-agent app.kubernetes.io/version: "v15.4.0" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: release-name-gitlab-agent namespace: default --- # Source: gitlab-agent/templates/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: release-name-gitlab-agent labels: helm.sh/chart: gitlab-agent-1.5.0 app.kubernetes.io/name: gitlab-agent app: gitlab-agent app.kubernetes.io/version: "v15.4.0" app.kubernetes.io/managed-by: Helm spec: replicas: 1 strategy: rollingUpdate: maxSurge: 0 maxUnavailable: 1 type: RollingUpdate selector: matchLabels: app.kubernetes.io/name: gitlab-agent app: gitlab-agent template: metadata: annotations: prometheus.io/path: /metrics prometheus.io/port: "8080" prometheus.io/scrape: "true" labels: app.kubernetes.io/name: gitlab-agent app: gitlab-agent spec: serviceAccountName: release-name-gitlab-agent containers: - name: gitlab-agent image: registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/agentk:v15.4.0 imagePullPolicy: IfNotPresent 
args: - --token-file=/etc/agentk/secrets/token - --kas-address=wss://kas.gitlab.com - --observability-cert-file=/etc/agentk/observability-secrets/tls.crt - --observability-key-file=/etc/agentk/observability-secrets/tls.key livenessProbe: httpGet: path: /liveness port: 8080 initialDelaySeconds: 15 periodSeconds: 20 readinessProbe: httpGet: path: /readiness port: 8080 initialDelaySeconds: 5 periodSeconds: 10 resources: {} env: - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: SERVICE_ACCOUNT_NAME valueFrom: fieldRef: fieldPath: spec.serviceAccountName volumeMounts: - name: secret-volume mountPath: /etc/agentk/secrets - name: observability-secret-volume mountPath: /etc/agentk/observability-secrets - name: config-volume mountPath: /etc/agentk/config volumes: - name: secret-volume secret: secretName: release-name-gitlab-agent-token - name: observability-secret-volume secret: secretName: release-name-gitlab-agent-observability - name: config-volume configMap: name: release-name-gitlab-agent
--reuse-values
works
# Prepare a local cluster
kind create cluster
# Install latest chart from upstream
helm repo add gitlab https://charts.gitlab.io
helm repo update
helm upgrade --install agent gitlab/gitlab-agent \
--namespace gitlab-agent \
--create-namespace \
--set image.tag=v15.4.0 \
--set config.token=some-token \
--set config.kasAddress=wss://kas.gitlab.com
# Upgrade with changes from this branch and --reuse-values
helm upgrade --install agent . \
--reuse-values \
--namespace gitlab-agent \
--set image.tag=v15.4.0