Module: Gitlab::Kas

Includes:

JwtAuthenticatable

Defined in:

lib/gitlab/kas.rb,
lib/gitlab/kas/client.rb,
lib/gitlab/kas/server_info.rb,
lib/gitlab/kas/user_access.rb,
app/presenters/gitlab/kas/server_info_presenter.rb

Defined Under Namespace

Classes: Client, ServerInfo, ServerInfoPresenter, UserAccess

Constant Summary

INTERNAL_API_AGENT_REQUEST_HEADER =

'Gitlab-Agent-Api-Request'

INTERNAL_API_KAS_REQUEST_HEADER =

'Gitlab-Kas-Api-Request'

VERSION_FILE =

'GITLAB_KAS_VERSION'

JWT_ISSUER =

'gitlab-kas'

JWT_AUDIENCE =

'gitlab'

K8S_PROXY_PATH =

'k8s-proxy'

COOKIE_KEY =

The name of the cookie that will be used for the KAS cookie

'_gitlab_kas'

DEFAULT_ENCRYPTED_COOKIE_CIPHER =

'aes-256-gcm'

Constants included from JwtAuthenticatable

JwtAuthenticatable::SECRET_LENGTH

Class Method Summary

• .client_timeout_seconds ⇒ Object
• .display_version_info ⇒ Gitlab::VersionInfo

  Return GitLab KAS version info for display This is the version that is displayed on the frontend.

• .enabled? ⇒ Boolean

  Return whether GitLab KAS is enabled.

• .ensure_secret! ⇒ Object
• .external_url ⇒ String

  Return GitLab KAS external_url.

• .install_version_info ⇒ Gitlab::VersionInfo

  Return GitLab KAS version info for installation This is the version used as the image tag when generating the command to install a Gitlab agent.

• .internal_url ⇒ String

  Return GitLab KAS internal_url.

• .secret_path ⇒ Object
• .tunnel_url ⇒ Object
• .tunnel_ws_url ⇒ Object
• .verify_api_request(request_headers) ⇒ Object

Methods included from JwtAuthenticatable

included

Class Method Details

.client_timeout_seconds ⇒ Object

# File 'lib/gitlab/kas.rb', line 103

def client_timeout_seconds
  Gitlab.config.gitlab_kas&.fetch('client_timeout_seconds', 5) || 5
end

.display_version_info ⇒ Gitlab::VersionInfo

Return GitLab KAS version info for display This is the version that is displayed on the frontend. This is also used to check if the version of an existing agent does not match the latest agent version. If the getServerInfo RPC call fails, we fallback to GITLAB_KAS_VERSION file; If the GITLAB_KAS_VERSION file contains a SHA, we defer instead to the Gitlab version.

For further details, see: gitlab.com/gitlab-org/gitlab/-/merge_requests/149794

Returns:

• (Gitlab::VersionInfo) —

  version_info

# File 'lib/gitlab/kas.rb', line 40

def display_version_info
  server_version = ServerInfo.new.version_info
  return server_version if server_version&.valid?
  return version_info_from_file if version_info_from_file.valid?

  Gitlab.version_info
end

.enabled? ⇒ Boolean

Return whether GitLab KAS is enabled

Returns:

• (Boolean) —

  external_url

# File 'lib/gitlab/kas.rb', line 99

def enabled?
  !!Gitlab.config['gitlab_kas']&.fetch('enabled', false)
end

.ensure_secret! ⇒ Object

# File 'lib/gitlab/kas.rb', line 25

def ensure_secret!
  return if File.exist?(secret_path)

  write_secret
end

.external_url ⇒ String

Return GitLab KAS external_url

Returns:

• (String) —

  external_url

# File 'lib/gitlab/kas.rb', line 68

def external_url
  Gitlab.config.gitlab_kas.external_url
end

.install_version_info ⇒ Gitlab::VersionInfo

Return GitLab KAS version info for installation This is the version used as the image tag when generating the command to install a Gitlab agent. If the getServerInfo RPC call fails, we fallback to GITLAB_KAS_VERSION file; If the GITLAB_KAS_VERSION file contains a SHA, we defer instead to the Gitlab version without the patch. This could mean that it might point to a Gitlab agent version that is several patches behind the latest one.

Further details: gitlab.com/gitlab-org/gitlab/-/merge_requests/149794

Returns:

• (Gitlab::VersionInfo) —

  version_info

# File 'lib/gitlab/kas.rb', line 57

def install_version_info
  server_version = ServerInfo.new.version_info
  return server_version.without_patch if server_version&.valid?
  return version_info_from_file if version_info_from_file.valid?

  Gitlab.version_info.without_patch
end

.internal_url ⇒ String

Return GitLab KAS internal_url

Returns:

• (String) —

  internal_url

# File 'lib/gitlab/kas.rb', line 92

def internal_url
  Gitlab.config.gitlab_kas.internal_url
end

.secret_path ⇒ Object

# File 'lib/gitlab/kas.rb', line 21

def secret_path
  Gitlab.config.gitlab_kas.secret_file
end

.tunnel_url ⇒ Object

# File 'lib/gitlab/kas.rb', line 72

def tunnel_url
  configured = Gitlab.config.gitlab_kas['external_k8s_proxy_url']
  return configured if configured.present?

  # Legacy code path. Will be removed when all distributions provide a sane default here
  uri = URI.join(external_url, K8S_PROXY_PATH)
  uri.scheme = uri.scheme.in?(%w[grpcs wss]) ? 'https' : 'http'
  uri.to_s
end

.tunnel_ws_url ⇒ Object

# File 'lib/gitlab/kas.rb', line 82

def tunnel_ws_url
  return tunnel_url if ws?
  return tunnel_url.sub('https', 'wss') if ssl?

  tunnel_url.sub('http', 'ws')
end

.verify_api_request(request_headers) ⇒ Object

# File 'lib/gitlab/kas.rb', line 15

def verify_api_request(request_headers)
  decode_jwt(request_headers[INTERNAL_API_KAS_REQUEST_HEADER], issuer: JWT_ISSUER, audience: JWT_AUDIENCE)
rescue JWT::DecodeError
  nil
end