
Add support for observability endpoint TLS

Hordur Freyr Yngvason requested to merge observability-endpoint-tls into main

Adds support for application-level TLS on the observability endpoint.

Requires the changes from gitlab-org/cluster-integration/gitlab-agent!745 (merged), to be released in v15.5.0.

Closes gitlab-org/gitlab#375329 (closed)

Testing

Does not include observability by default

helm template . | grep observability

returns no matches

Creates observability secret

helm template . \
  --set config.observability.tls.enabled=true \
  --set config.observability.tls.secret.create=true \
  --set config.observability.tls.secret.name=example-name \
  --set config.observability.tls.cert=example-cert-value \
  --set config.observability.tls.key=example-key-value
Click to expand for output with the expected sections in bold:
---
# Source: gitlab-agent/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: release-name-gitlab-agent
  labels:
    helm.sh/chart: gitlab-agent-1.5.0
    app.kubernetes.io/name: gitlab-agent
    app: gitlab-agent
    app.kubernetes.io/version: "v15.4.0"
    app.kubernetes.io/managed-by: Helm
---
# Source: gitlab-agent/templates/observability-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: example-name
  labels:
    helm.sh/chart: gitlab-agent-1.5.0
    app.kubernetes.io/name: gitlab-agent
    app: gitlab-agent
    app.kubernetes.io/version: "v15.4.0"
    app.kubernetes.io/managed-by: Helm
data:
  tls.key: ZXhhbXBsZS1rZXktdmFsdWU=
  tls.crt: ZXhhbXBsZS1jZXJ0LXZhbHVl
type: kubernetes.io/tls
---
# Source: gitlab-agent/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: release-name-gitlab-agent
  labels:
    helm.sh/chart: gitlab-agent-1.5.0
    app.kubernetes.io/name: gitlab-agent
    app: gitlab-agent
    app.kubernetes.io/version: "v15.4.0"
    app.kubernetes.io/managed-by: Helm
data:
---
# Source: gitlab-agent/templates/clusterrolebinding-cluster-admin.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: default:release-name-gitlab-agent-cluster-admin
  labels:
    helm.sh/chart: gitlab-agent-1.5.0
    app.kubernetes.io/name: gitlab-agent
    app: gitlab-agent
    app.kubernetes.io/version: "v15.4.0"
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: release-name-gitlab-agent
  namespace: default
---
# Source: gitlab-agent/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: release-name-gitlab-agent
  labels:
    helm.sh/chart: gitlab-agent-1.5.0
    app.kubernetes.io/name: gitlab-agent
    app: gitlab-agent
    app.kubernetes.io/version: "v15.4.0"
    app.kubernetes.io/managed-by: Helm
spec:
  replicas: 1
  strategy:
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 1
    type: RollingUpdate
  selector:
    matchLabels:
      app.kubernetes.io/name: gitlab-agent
      app: gitlab-agent
  template:
    metadata:
      annotations:
        prometheus.io/path: /metrics
        prometheus.io/port: "8080"
        prometheus.io/scrape: "true"
      labels:
        app.kubernetes.io/name: gitlab-agent
        app: gitlab-agent
    spec:
      serviceAccountName: release-name-gitlab-agent
      containers:
        - name: gitlab-agent
          image: registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/agentk:v15.4.0
          imagePullPolicy: IfNotPresent
          args:
            - --token-file=/etc/agentk/secrets/token
            - --kas-address=wss://kas.gitlab.com
            - --observability-cert-file=/etc/agentk/observability-secrets/tls.crt
            - --observability-key-file=/etc/agentk/observability-secrets/tls.key
          livenessProbe:
            httpGet:
              path: /liveness
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 20
          readinessProbe:
            httpGet:
              path: /readiness
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          resources:
            {}
          env:
            - name: POD_NAMESPACE
              valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: SERVICE_ACCOUNT_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
          volumeMounts:
             - name: secret-volume
               mountPath: /etc/agentk/secrets
             - name: observability-secret-volume
               mountPath: /etc/agentk/observability-secrets
             - name: config-volume
               mountPath: /etc/agentk/config
      volumes:
        - name: secret-volume
          secret:
            secretName: release-name-gitlab-agent-token
        - name: observability-secret-volume
          secret:
            secretName: example-name
        - name: config-volume
          configMap:
            name: release-name-gitlab-agent

Reuses existing secret

helm template . \
  --set config.observability.tls.enabled=true \
  --set config.observability.tls.secret.create=false
Click to expand for output with the expected results emphasized:
---
# Source: gitlab-agent/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: release-name-gitlab-agent
  labels:
    helm.sh/chart: gitlab-agent-1.5.0
    app.kubernetes.io/name: gitlab-agent
    app: gitlab-agent
    app.kubernetes.io/version: "v15.4.0"
    app.kubernetes.io/managed-by: Helm
---
# Source: gitlab-agent/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: release-name-gitlab-agent
  labels:
    helm.sh/chart: gitlab-agent-1.5.0
    app.kubernetes.io/name: gitlab-agent
    app: gitlab-agent
    app.kubernetes.io/version: "v15.4.0"
    app.kubernetes.io/managed-by: Helm
data:
---
# Source: gitlab-agent/templates/clusterrolebinding-cluster-admin.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: default:release-name-gitlab-agent-cluster-admin
  labels:
    helm.sh/chart: gitlab-agent-1.5.0
    app.kubernetes.io/name: gitlab-agent
    app: gitlab-agent
    app.kubernetes.io/version: "v15.4.0"
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: release-name-gitlab-agent
  namespace: default
---
# Source: gitlab-agent/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: release-name-gitlab-agent
  labels:
    helm.sh/chart: gitlab-agent-1.5.0
    app.kubernetes.io/name: gitlab-agent
    app: gitlab-agent
    app.kubernetes.io/version: "v15.4.0"
    app.kubernetes.io/managed-by: Helm
spec:
  replicas: 1
  strategy:
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 1
    type: RollingUpdate
  selector:
    matchLabels:
      app.kubernetes.io/name: gitlab-agent
      app: gitlab-agent
  template:
    metadata:
      annotations:
        prometheus.io/path: /metrics
        prometheus.io/port: "8080"
        prometheus.io/scrape: "true"
      labels:
        app.kubernetes.io/name: gitlab-agent
        app: gitlab-agent
    spec:
      serviceAccountName: release-name-gitlab-agent
      containers:
        - name: gitlab-agent
          image: registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/agentk:v15.4.0
          imagePullPolicy: IfNotPresent
          args:
            - --token-file=/etc/agentk/secrets/token
            - --kas-address=wss://kas.gitlab.com
            - --observability-cert-file=/etc/agentk/observability-secrets/tls.crt
            - --observability-key-file=/etc/agentk/observability-secrets/tls.key
          livenessProbe:
            httpGet:
              path: /liveness
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 20
          readinessProbe:
            httpGet:
              path: /readiness
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          resources:
            {}
          env:
            - name: POD_NAMESPACE
              valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: SERVICE_ACCOUNT_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
          volumeMounts:
             - name: secret-volume
               mountPath: /etc/agentk/secrets
             - name: observability-secret-volume
               mountPath: /etc/agentk/observability-secrets
             - name: config-volume
               mountPath: /etc/agentk/config
      volumes:
        - name: secret-volume
          secret:
            secretName: release-name-gitlab-agent-token
        - name: observability-secret-volume
          secret:
            secretName: release-name-gitlab-agent-observability
        - name: config-volume
          configMap:
            name: release-name-gitlab-agent

--reuse-values works

# Prepare a local cluster
kind create cluster

# Install latest chart from upstream
helm repo add gitlab https://charts.gitlab.io
helm repo update
helm upgrade --install agent gitlab/gitlab-agent \
    --namespace gitlab-agent \
    --create-namespace \
    --set image.tag=v15.4.0 \
    --set config.token=some-token \
    --set config.kasAddress=wss://kas.gitlab.com

# Upgrade with changes from this branch and --reuse-values
helm upgrade --install agent . \
    --reuse-values \
    --namespace gitlab-agent \
    --set image.tag=v15.4.0
Edited by Hordur Freyr Yngvason
