Document how to enable internal and external TLS communication for KAS endpoints
Updated Summary 2022-11-14
We decided to split this issue into two more. Documenting the metrics endpoint and the Redis SSL connection will be done as part of #3994 (closed) and #3995.
Original Summary
We've recently introduced a way to mount certificate volumes into KAS pods. This enables KAS to talk internally and externally over TLS.
The way to enable this for the private_api endpoint is already documented. We should extend the documentation to explain how to enable it for the other endpoints using `gitlab.kas.customConfig`.
The configuration that mounts the secret volume currently depends on `privateApi.tls.enabled`. As another follow-up, we also intend to improve the UX of the chart so that TLS can be enabled for all components in a more global fashion, without the need to specify `customConfig`.
The discussion started at !2803 (merged):
@Alexand started a discussion: (+8 comments) Not included: KAS primary API endpoint supporting TLS
@WarheadsSE, as a follow-up, over which channel of communication exactly are you referring to as the primary API?
KAS exposes 5 ports:
```
kas {"level":"info","msg":"Kubernetes API endpoint is up","mod_name":"kubernetes_api","net_network":"tcp","net_address":":8154"}
kas {"level":"info","msg":"Private API endpoint is up","net_network":"tcp","net_address":":8155"}
kas {"level":"info","msg":"API endpoint is up","net_network":"tcp","net_address":":8153"}
kas {"level":"info","msg":"Agentk API endpoint is up","net_network":"tcp","net_address":":8150","is_websocket":true}
kas {"level":"info","msg":"Observability endpoint is up","mod_name":"observability","net_network":"tcp","net_address":":8151"}
```
- The Private API is the one we took care of in this MR.
- The Observability endpoint is used to expose metrics.
- The Agentk API is the one that agents use to connect to KAS. This one is routed by NGINX, which serves the endpoint with TLS.
- The Kubernetes API is the one the GitLab Runner uses for the CI/CD workflow (CI Tunnel). It also goes through NGINX configured with TLS.
- The API endpoint is the one used by the GitLab backend to communicate with KAS. This one, indeed, I'm not sure whether it talks through TLS. 🤔
@nmezzopera @ash2k do we need another issue for TLS for the "API endpoint" (GitLab backend -> KAS)? Or any other that I didn't recognise?
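Both the issue body (enabling TLS on the remaining endpoints through `customConfig`) and the open question in the discussion above (which of the five listeners actually speak TLS) come down to the same check: connect to each port and see whether it completes a TLS handshake. The script below is an added example, not code from this issue, the GitLab chart or KAS. It takes the five port numbers from the startup log quoted above; the host is an assumption you supply (a port-forwarded pod, or the Service from inside the cluster), and the local plaintext listener it starts is constructed only to demonstrate the "plaintext" classification offline.

```python
"""Report which KAS listeners complete a TLS handshake (added example, not KAS/chart code)."""
import socket
import ssl
import sys
import threading

# The five listeners from the KAS startup log quoted in the issue. The host is
# an assumption: point it at the pod or Service you want to check.
KAS_ENDPOINTS = {
    "agentk_api": 8150,
    "observability": 8151,
    "api": 8153,
    "kubernetes_api": 8154,
    "private_api": 8155,
}


def probe_tls(host, port, timeout=3.0):
    """Classify a listener as 'tls', 'plaintext', 'timeout' or 'unreachable'.

    Chain verification is disabled on purpose: the question here is only
    whether the listener speaks TLS at all. Whether the presented certificate
    is trusted is a separate pass (see verify_chain).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"  # refused, no route, DNS failure, ...
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.getpeercert(binary_form=True)  # handshake completed
                return "tls"
        except (socket.timeout, TimeoutError):
            return "timeout"  # accepted TCP but never answered the ClientHello
        except OSError:  # includes ssl.SSLError: wrong version, EOF, reset
            return "plaintext"


def verify_chain(host, port, cafile, timeout=3.0):
    """Second pass once TLS is on: verify the chain against the CA that signed
    the mounted certificate. Returns (True, subject) or (False, reason)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return True, subject
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        return False, str(exc)


def probe_all(host, endpoints=KAS_ENDPOINTS, timeout=3.0):
    """Probe every listener and return {name: classification}."""
    return {name: probe_tls(host, port, timeout) for name, port in endpoints.items()}


def start_plaintext_listener():
    """Constructed for the demo: accepts one TCP connection and closes it
    without ever speaking TLS. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


def free_port():
    """Constructed for the demo: a local TCP port nothing is listening on."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for name, status in probe_all(host).items():
        print(f"{name:15} {status}")
    # Demonstrate the plaintext classification against the constructed listener.
    print("demo plaintext listener:", probe_tls("127.0.0.1", start_plaintext_listener()))
```

Run it with `python probe_kas_tls.py <host>` after port-forwarding or from a pod in the cluster. A listener that reports "plaintext" after `customConfig` was applied means the `certificate_file`/`key_file` settings did not reach that section of the KAS config; "tls" only says the endpoint negotiates TLS, so follow up with `verify_chain` and the CA that signed the mounted secret to confirm the certificate is the expected one rather than a default or stale cert.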