From e57fa9d0af75b2ad7619ffb73567378a683f20e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Cunha?=
Date: Tue, 25 Oct 2022 21:16:57 +0200
Subject: [PATCH] Expand KAS TLS documentation section

This MR clarifies how to set up KAS to talk through TLS through all its endpoints, except the metrics one and activating Redis TLS two way communication. These will be worked on separately.
---
 doc/charts/gitlab/kas/index.md | 43 ++++++++++++++++++++++++++++++----
 1 file changed, 39 insertions(+), 4 deletions(-)

diff --git a/doc/charts/gitlab/kas/index.md b/doc/charts/gitlab/kas/index.md
index 2a222cb385..78cc02d441 100644
--- a/doc/charts/gitlab/kas/index.md
+++ b/doc/charts/gitlab/kas/index.md
@@ -119,9 +119,13 @@ You can pass these parameters to the `helm install` command by using the `--set`
 | `deployment.minReadySeconds` | `0` | Minimum number of seconds that must pass before a `kas` pod is considered ready. |
 | `deployment.strategy` | `{}` | Allows one to configure the update strategy utilized by the deployment. |
 
-## Enable TLS communication between `kas` pods
+## Enable TLS communication
 
-Enable communication when you want your `kas` pods to communicate with each other over TLS:
+Enable TLS communication between your `kas` pods and other GitLab chart components.
+
+Prerequisite:
+
+- You need at least [GitLab 15.5.1 to use this feature](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/101571#note_1146419137). You can set your GitLab version with `global.gitlabVersion: master`. If you need to force an image update after an initial deployment, also set `global.image.pullPolicy: Always`.
 
 1. Create the certificate authority and certificates that your `kas` pods will trust.
 1. Configure your chart to use the trusted certificates.
@@ -131,9 +135,18 @@ Enable communication when you want your `kas` pods to communicate with each othe
 To create a certificate authority (CA) and the required certificates, follow the steps in [Use TLS between components of the GitLab chart](../../../advanced/internal-tls/index.md).
 
-### Configure chart values
+### Chart configuration values
+
+To configure `kas` to use the certificates you created, set the following values.
 
-For `kas` to use the certificates you created, set the value of `global.certificates.customCAs` and `gitlab.kas.privateApi.tls`.
+| Value | Description |
+|-------|-------------|
+| `global.certificates.customCAs` | Shares your CA with your GitLab components. |
+| `global.appConfig.gitlab_kas.internalUrl` | Enables `grpcs` communication between the GitLab Webservice and `kas`. |
+| `gitlab.kas.privateApi.tls.enabled` | Mounts the certificates volume and enables TLS communication between `kas` pods. |
+| `gitlab.kas.privateApi.tls.secretName` | Specifies which Kubernetes TLS secret stores your certificates. |
+| `gitlab.kas.customConfig` | Configures `kas` to expose its ports by using `grpcs`. |
+| `gitlab.kas.ingress` | Configures `kas` Ingress to verify the proxied SSL certificate. |
 
 For example, you could use this `values.yaml` file to deploy your chart:
@@ -147,6 +160,9 @@ For example, you could use this `values.yaml` file to deploy your chart:
 - secret: *internal-ca
 hosts:
 domain: gitlab.example.com # Your gitlab domain
+ appConfig:
+ gitlab_kas:
+ internalUrl: "grpcs://RELEASE-kas.NAMESPACE.svc:8153" # Replace RELEASE and NAMESPACE with your chart's release and namespace
 gitlab:
 kas:
@@ -154,6 +170,25 @@ For example, you could use this `values.yaml` file to deploy your chart:
 tls:
 enabled: true
 secretName: *internal-tls
+ customConfig:
+ api:
+ listen:
+ certificate_file: /etc/kas/tls.crt
+ key_file: /etc/kas/tls.key
+ agent:
+ listen:
+ certificate_file: /etc/kas/tls.crt
+ key_file: /etc/kas/tls.key
+ kubernetes_api:
+ listen:
+ certificate_file: /etc/kas/tls.crt
+ key_file: /etc/kas/tls.key
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/proxy-ssl-name: RELEASE-kas.NAMESPACE.svc # Replace RELEASE and NAMESPACE with your chart's release and namespace
+ nginx.ingress.kubernetes.io/proxy-ssl-secret: NAMESPACE/CA-SECRET-NAME # Replace NAMESPACE and CA-SECRET-NAME with your chart's namespace and CA secret name. The same you used for &internal-ca.
+ nginx.ingress.kubernetes.io/proxy-ssl-verify: on
 ```
 
 ## Test the `kas` chart
-- 
GitLab