From 958a22ff596553ac577385541acf50f24d111ece Mon Sep 17 00:00:00 2001 From: Ashvin Sharma Date: Wed, 12 Nov 2025 23:01:55 +0530 Subject: [PATCH 01/16] Enable gRPC ingress on KAS Currently this only works for nginx ingresses. --- .../gitlab/charts/kas/templates/ingress.yaml | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/charts/gitlab/charts/kas/templates/ingress.yaml b/charts/gitlab/charts/kas/templates/ingress.yaml index 15934b4e75..73c1de5fbb 100644 --- a/charts/gitlab/charts/kas/templates/ingress.yaml +++ b/charts/gitlab/charts/kas/templates/ingress.yaml @@ -3,6 +3,9 @@ {{- $hostname := include "gitlab.kas.hostname" . -}} {{- $tlsSecret := include "kas.tlsSecret" . -}} {{- $ingressCfg := dict "global" .Values.global.ingress "local" .Values.ingress "context" . -}} +{{- $isIngressProviderNginx := eq .Values.global.ingress.provider "nginx" -}} + +# Standard KAS Ingress apiVersion: {{ template "gitlab.ingress.apiVersion" $ingressCfg }} kind: Ingress metadata: 
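Review bot: `$isIngressProviderNginx` in the first hunk of ingress.yaml is computed from `.Values.global.ingress.provider` alone, while the `kubernetes.io/ingress.provider` annotation in the second hunk is rendered through `gitlab.ingress.provider` with `$ingressCfg`, which also carries `.Values.ingress`. If that helper honours a chart-local provider override (its definition is not visible in this patch), the nginx-specific backend TLS and regex annotations can be emitted for an Ingress labelled for a different controller, or omitted for one that is nginx. Deriving the flag from the same helper keeps the two in step: `{{- $isIngressProviderNginx := eq (include "gitlab.ingress.provider" $ingressCfg) "nginx" -}}`. The same assignment is carried into ingress-grpc.yaml in PATCH 05.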
@@ -96,5 +99,58 @@ spec: {{- else }} tls: [] {{- end }} +{{- if $isIngressProviderNginx }} +--- +# gRPC-specific KAS Ingress +apiVersion: {{ template "gitlab.ingress.apiVersion" $ingressCfg }} +kind: Ingress +metadata: + name: {{ template "fullname" . }}-grpc + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{ include "ingress.class.annotation" $ingressCfg }} + kubernetes.io/ingress.provider: "{{ template "gitlab.ingress.provider" $ingressCfg }}" + nginx.ingress.kubernetes.io/backend-protocol: "GRPC" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/use-regex: "true" + {{- if $.Values.global.kas.tls.enabled }} + nginx.ingress.kubernetes.io/backend-protocol: https + {{- if $.Values.global.kas.tls.verify }} + nginx.ingress.kubernetes.io/proxy-ssl-verify: 'on' + nginx.ingress.kubernetes.io/proxy-ssl-name: {{ include "fullname" . }}.{{ $.Release.Namespace }}.svc + {{- if $.Values.global.kas.tls.caSecretName }} + nginx.ingress.kubernetes.io/proxy-ssl-secret: {{ $.Release.Namespace }}/{{ $.Values.global.kas.tls.caSecretName }} + {{- end }} + {{- end }} + {{- end }} + {{- include "gitlab.certmanager_annotations" . | nindent 4 }} + {{- range $key, $value := merge .Values.ingress.annotations .Values.global.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + {{ include "ingress.class.field" $ingressCfg }} + rules: + - host: {{ $hostname }} + http: + paths: + - path: /gitlab\.agent\.(.+) + pathType: Prefix + backend: + service: + name: {{ template "gitlab.kas.serviceName" . }} + port: + number: {{ .Values.service.externalPort }} + {{- if (and $tlsSecret (eq (include "gitlab.ingress.tls.enabled" $) "true")) }} + tls: + - hosts: + - {{ $hostname }} + secretName: {{ $tlsSecret }} + {{- else }} + tls: [] + {{- end }} +{{- end }} {{- end -}} {{- end -}} -- GitLab 
From e2da84fac33c5806d67677a6a7dea576fdace0bd Mon Sep 17 00:00:00 2001 From: Ashvin Sharma Date: Thu, 13 Nov 2025 15:39:22 +0530 Subject: [PATCH 02/16] Enable SSL propagation when KAS backend supports --- charts/gitlab/charts/kas/templates/ingress.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/charts/gitlab/charts/kas/templates/ingress.yaml b/charts/gitlab/charts/kas/templates/ingress.yaml index 73c1de5fbb..be97b026e8 100644 --- a/charts/gitlab/charts/kas/templates/ingress.yaml +++ b/charts/gitlab/charts/kas/templates/ingress.yaml @@ -113,11 +113,10 @@ metadata: annotations: {{ include "ingress.class.annotation" $ingressCfg }} kubernetes.io/ingress.provider: "{{ template "gitlab.ingress.provider" $ingressCfg }}" - nginx.ingress.kubernetes.io/backend-protocol: "GRPC" nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/use-regex: "true" {{- if $.Values.global.kas.tls.enabled }} - nginx.ingress.kubernetes.io/backend-protocol: https + nginx.ingress.kubernetes.io/backend-protocol: "GRPCS" {{- if $.Values.global.kas.tls.verify }} nginx.ingress.kubernetes.io/proxy-ssl-verify: 'on' nginx.ingress.kubernetes.io/proxy-ssl-name: {{ include "fullname" . }}.{{ $.Release.Namespace }}.svc @@ -125,6 +124,8 @@ metadata: nginx.ingress.kubernetes.io/proxy-ssl-secret: {{ $.Release.Namespace }}/{{ $.Values.global.kas.tls.caSecretName }} {{- end }} {{- end }} + {{- else }} + nginx.ingress.kubernetes.io/backend-protocol: "GRPC" {{- end }} {{- include "gitlab.certmanager_annotations" . | nindent 4 }} {{- range $key, $value := merge .Values.ingress.annotations .Values.global.ingress.annotations }} -- GitLab From d3397c55c432992bd173a2bde0552abdf7b9178c Mon Sep 17 00:00:00 2001 From: Ashvin Sharma Date: Thu, 13 Nov 2025 20:12:39 +0530 Subject: [PATCH 03/16] Fix pathType for KAS gRPC ingress --- charts/gitlab/charts/kas/templates/ingress.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
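Review bot: In the `tls.verify` branch kept as context in PATCH 02, `proxy-ssl-verify: 'on'` and `proxy-ssl-name` are emitted even when `global.kas.tls.caSecretName` is empty, because only `proxy-ssl-secret` sits inside the inner `if`. As far as I know ingress-nginx applies its proxy-ssl-* settings only when `proxy-ssl-secret` is present, so `GRPCS` with `verify: true` and no CA secret would likely give an encrypted but unverified hop to KAS; this should be confirmed against the controller version in use. If it holds, fail the render instead of degrading silently, for example by rendering the secret name through `required "global.kas.tls.caSecretName is required when global.kas.tls.verify is true" $.Values.global.kas.tls.caSecretName`. The same block is copied into ingress-grpc.yaml in PATCH 05.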
diff --git a/charts/gitlab/charts/kas/templates/ingress.yaml b/charts/gitlab/charts/kas/templates/ingress.yaml index be97b026e8..19ca3758fb 100644 --- a/charts/gitlab/charts/kas/templates/ingress.yaml +++ b/charts/gitlab/charts/kas/templates/ingress.yaml @@ -138,7 +138,7 @@ spec: http: paths: - path: /gitlab\.agent\.(.+) - pathType: Prefix + pathType: ImplementationSpecific backend: service: name: {{ template "gitlab.kas.serviceName" . }} -- GitLab From 93ce42cdb4576e7dd4564820aeafa8795ff3a763 Mon Sep 17 00:00:00 2001 From: Ashvin Sharma Date: Thu, 13 Nov 2025 23:40:40 +0530 Subject: [PATCH 04/16] Fix test --- spec/configuration/ingress_spec.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/spec/configuration/ingress_spec.rb b/spec/configuration/ingress_spec.rb index 3ac8cdddeb..5fd968b4bc 100644 --- a/spec/configuration/ingress_spec.rb +++ b/spec/configuration/ingress_spec.rb @@ -54,6 +54,7 @@ describe 'GitLab Ingress configuration(s)' do %w[ test-gitlab-pages test-kas + test-kas-grpc test-webservice-default test-webservice-default-smartcard test-minio -- GitLab From f63d70a0a1659e81079592e0f6a349ffdfabdbb1 Mon Sep 17 00:00:00 2001 From: Ashvin Sharma Date: Tue, 18 Nov 2025 10:30:57 +0530 Subject: [PATCH 05/16] Extract out gRPC ingress to a separate file --- .../charts/kas/templates/ingress-grpc.yaml | 60 +++++++++++++++++++ .../gitlab/charts/kas/templates/ingress.yaml | 57 ------------------ 2 files changed, 60 insertions(+), 57 deletions(-) create mode 100644 charts/gitlab/charts/kas/templates/ingress-grpc.yaml diff --git a/charts/gitlab/charts/kas/templates/ingress-grpc.yaml b/charts/gitlab/charts/kas/templates/ingress-grpc.yaml new file mode 100644 index 0000000000..0c0496f409 --- /dev/null +++ b/charts/gitlab/charts/kas/templates/ingress-grpc.yaml 
@@ -0,0 +1,60 @@ +{{- if .Values.global.kas.enabled -}} +{{- if eq (include "gitlab.ingress.enabled" $) "true" -}} +{{- $hostname := include "gitlab.kas.hostname" . -}} +{{- $tlsSecret := include "kas.tlsSecret" . -}} +{{- $ingressCfg := dict "global" .Values.global.ingress "local" .Values.ingress "context" . -}} +{{- $isIngressProviderNginx := eq .Values.global.ingress.provider "nginx" -}} +{{- if $isIngressProviderNginx }} +apiVersion: {{ template "gitlab.ingress.apiVersion" $ingressCfg }} +kind: Ingress +metadata: + name: {{ template "fullname" . }}-grpc + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{ include "ingress.class.annotation" $ingressCfg }} + kubernetes.io/ingress.provider: "{{ template "gitlab.ingress.provider" $ingressCfg }}" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/use-regex: "true" + {{- if $.Values.global.kas.tls.enabled }} + nginx.ingress.kubernetes.io/backend-protocol: "GRPCS" + {{- if $.Values.global.kas.tls.verify }} + nginx.ingress.kubernetes.io/proxy-ssl-verify: 'on' + nginx.ingress.kubernetes.io/proxy-ssl-name: {{ include "fullname" . }}.{{ $.Release.Namespace }}.svc + {{- if $.Values.global.kas.tls.caSecretName }} + nginx.ingress.kubernetes.io/proxy-ssl-secret: {{ $.Release.Namespace }}/{{ $.Values.global.kas.tls.caSecretName }} + {{- end }} + {{- end }} + {{- else }} + nginx.ingress.kubernetes.io/backend-protocol: "GRPC" + {{- end }} + {{- include "gitlab.certmanager_annotations" . 
| nindent 4 }} + {{- range $key, $value := merge .Values.ingress.annotations .Values.global.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + {{ include "ingress.class.field" $ingressCfg }} + rules: + - host: {{ $hostname }} + http: + paths: + - path: /gitlab\.agent\.(.+) + pathType: ImplementationSpecific + backend: + service: + name: {{ template "gitlab.kas.serviceName" . }} + port: + number: {{ .Values.service.externalPort }} + {{- if (and $tlsSecret (eq (include "gitlab.ingress.tls.enabled" $) "true")) }} + tls: + - hosts: + - {{ $hostname }} + secretName: {{ $tlsSecret }} + {{- else }} + tls: [] + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/gitlab/charts/kas/templates/ingress.yaml b/charts/gitlab/charts/kas/templates/ingress.yaml index 19ca3758fb..15934b4e75 100644 --- a/charts/gitlab/charts/kas/templates/ingress.yaml +++ b/charts/gitlab/charts/kas/templates/ingress.yaml @@ -3,9 +3,6 @@ {{- $hostname := include "gitlab.kas.hostname" . -}} {{- $tlsSecret := include "kas.tlsSecret" . -}} {{- $ingressCfg := dict "global" .Values.global.ingress "local" .Values.ingress "context" . -}} -{{- $isIngressProviderNginx := eq .Values.global.ingress.provider "nginx" -}} - -# Standard KAS Ingress apiVersion: {{ template "gitlab.ingress.apiVersion" $ingressCfg }} kind: Ingress metadata: 
@@ -99,59 +96,5 @@ spec: {{- else }} tls: [] {{- end }} -{{- if $isIngressProviderNginx }} ---- -# gRPC-specific KAS Ingress -apiVersion: {{ template "gitlab.ingress.apiVersion" $ingressCfg }} -kind: Ingress -metadata: - name: {{ template "fullname" . }}-grpc - namespace: {{ .Release.Namespace }} - labels: - {{- include "gitlab.standardLabels" . | nindent 4 }} - {{- include "gitlab.commonLabels" . | nindent 4 }} - annotations: - {{ include "ingress.class.annotation" $ingressCfg }} - kubernetes.io/ingress.provider: "{{ template "gitlab.ingress.provider" $ingressCfg }}" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/use-regex: "true" - {{- if $.Values.global.kas.tls.enabled }} - nginx.ingress.kubernetes.io/backend-protocol: "GRPCS" - {{- if $.Values.global.kas.tls.verify }} - nginx.ingress.kubernetes.io/proxy-ssl-verify: 'on' - nginx.ingress.kubernetes.io/proxy-ssl-name: {{ include "fullname" . }}.{{ $.Release.Namespace }}.svc - {{- if $.Values.global.kas.tls.caSecretName }} - nginx.ingress.kubernetes.io/proxy-ssl-secret: {{ $.Release.Namespace }}/{{ $.Values.global.kas.tls.caSecretName }} - {{- end }} - {{- end }} - {{- else }} - nginx.ingress.kubernetes.io/backend-protocol: "GRPC" - {{- end }} - {{- include "gitlab.certmanager_annotations" . | nindent 4 }} - {{- range $key, $value := merge .Values.ingress.annotations .Values.global.ingress.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -spec: - {{ include "ingress.class.field" $ingressCfg }} - rules: - - host: {{ $hostname }} - http: - paths: - - path: /gitlab\.agent\.(.+) - pathType: ImplementationSpecific - backend: - service: - name: {{ template "gitlab.kas.serviceName" . }} - port: - number: {{ .Values.service.externalPort }} - {{- if (and $tlsSecret (eq (include "gitlab.ingress.tls.enabled" $) "true")) }} - tls: - - hosts: - - {{ $hostname }} - secretName: {{ $tlsSecret }} - {{- else }} - tls: [] - {{- end }} -{{- end }} {{- end -}} {{- end -}} -- GitLab 
From 869f861312b8c801f892bc9ce9f65772003338b1 Mon Sep 17 00:00:00 2001 From: Ashvin Sharma Date: Tue, 18 Nov 2025 10:52:44 +0530 Subject: [PATCH 06/16] Fix tests --- spec/configuration/ingress_spec.rb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/spec/configuration/ingress_spec.rb b/spec/configuration/ingress_spec.rb index 5fd968b4bc..b28b3bab20 100644 --- a/spec/configuration/ingress_spec.rb +++ b/spec/configuration/ingress_spec.rb @@ -97,6 +97,8 @@ describe 'GitLab Ingress configuration(s)' do ingress_names.each do |ingress_name| paths = get_paths(template, ingress_name) paths.each do |p| + next if p["pathType"] == "ImplementationSpecific" + expect(p["path"]).to end_with('/') end end @@ -119,6 +121,7 @@ describe 'GitLab Ingress configuration(s)' do ingress_names.each do |ingress_name| paths = get_paths(template, ingress_name) paths.each do |p| + next if p["pathType"] == "ImplementationSpecific" expect(p["path"]).to end_with('/*') end end -- GitLab From 982c154e54fd78f3f3b577f479319cf52933080b Mon Sep 17 00:00:00 2001 From: Ashvin Sharma Date: Thu, 27 Nov 2025 22:53:47 +0530 Subject: [PATCH 07/16] Add gRPC support for KAS with HAProxy --- charts/gitlab/charts/kas/templates/ingress-grpc.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/charts/gitlab/charts/kas/templates/ingress-grpc.yaml b/charts/gitlab/charts/kas/templates/ingress-grpc.yaml index 0c0496f409..437030d79e 100644 --- a/charts/gitlab/charts/kas/templates/ingress-grpc.yaml +++ b/charts/gitlab/charts/kas/templates/ingress-grpc.yaml @@ -4,7 +4,7 @@ {{- $tlsSecret := include "kas.tlsSecret" . -}} {{- $ingressCfg := dict "global" .Values.global.ingress "local" .Values.ingress "context" . -}} {{- $isIngressProviderNginx := eq .Values.global.ingress.provider "nginx" -}} -{{- if $isIngressProviderNginx }} +{{- $isIngressProviderHAProxy := eq .Values.global.ingress.provider "haproxy" -}} apiVersion: {{ template "gitlab.ingress.apiVersion" $ingressCfg }} kind: Ingress metadata: 
@@ -16,6 +16,9 @@ metadata: annotations: {{ include "ingress.class.annotation" $ingressCfg }} kubernetes.io/ingress.provider: "{{ template "gitlab.ingress.provider" $ingressCfg }}" + {{- if $isIngressProviderHAProxy }} + haproxy.org/server-proto: "h2" + {{- else if $isIngressProviderNginx }} nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/use-regex: "true" {{- if $.Values.global.kas.tls.enabled }} @@ -30,6 +33,7 @@ metadata: {{- else }} nginx.ingress.kubernetes.io/backend-protocol: "GRPC" {{- end }} + {{- end }} {{- include "gitlab.certmanager_annotations" . | nindent 4 }} {{- range $key, $value := merge .Values.ingress.annotations .Values.global.ingress.annotations }} {{ $key }}: {{ $value | quote }} @@ -57,4 +61,3 @@ spec: {{- end }} {{- end }} {{- end }} -{{- end }} -- GitLab From 9f4f84696937700f2909d506207a7794c54a4e04 Mon Sep 17 00:00:00 2001 From: Ashvin Sharma Date: Fri, 28 Nov 2025 00:25:54 +0530 Subject: [PATCH 08/16] Fix rubocop error --- spec/configuration/ingress_spec.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/spec/configuration/ingress_spec.rb b/spec/configuration/ingress_spec.rb index b28b3bab20..5a7a8c20da 100644 --- a/spec/configuration/ingress_spec.rb +++ b/spec/configuration/ingress_spec.rb @@ -122,6 +122,7 @@ describe 'GitLab Ingress configuration(s)' do paths = get_paths(template, ingress_name) paths.each do |p| next if p["pathType"] == "ImplementationSpecific" + expect(p["path"]).to end_with('/*') end end -- GitLab From c1c2829984156d479aa2d3b4cbf5a733b6d393e8 Mon Sep 17 00:00:00 2001 From: Ashvin Sharma Date: Fri, 28 Nov 2025 00:32:11 +0530 Subject: [PATCH 09/16] Ignore kube-score in gRPC ingress This is done because we are doing regex match which does not match any service name --- charts/gitlab/charts/kas/templates/ingress-grpc.yaml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/charts/gitlab/charts/kas/templates/ingress-grpc.yaml b/charts/gitlab/charts/kas/templates/ingress-grpc.yaml index 437030d79e..f5a9d26315 100644 --- a/charts/gitlab/charts/kas/templates/ingress-grpc.yaml +++ b/charts/gitlab/charts/kas/templates/ingress-grpc.yaml @@ -14,6 +14,7 @@ metadata: {{- include "gitlab.standardLabels" . | nindent 4 }} {{- include "gitlab.commonLabels" . | nindent 4 }} annotations: + kube-score/ignore: ingress-targets-service {{ include "ingress.class.annotation" $ingressCfg }} kubernetes.io/ingress.provider: "{{ template "gitlab.ingress.provider" $ingressCfg }}" {{- if $isIngressProviderHAProxy }} -- GitLab From 539c77fcb8d03fb132f87d95638fac7050f8090d Mon Sep 17 00:00:00 2001 From: Ashvin Sharma Date: Sun, 30 Nov 2025 18:23:40 +0530 Subject: [PATCH 10/16] Only create gRPC ingress with NGINX This is done because HAProxy does not work with regex This commit also removes cert manager annotations because this will use the same certificate as the main KAS ingress --- charts/gitlab/charts/kas/templates/ingress-grpc.yaml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/charts/gitlab/charts/kas/templates/ingress-grpc.yaml b/charts/gitlab/charts/kas/templates/ingress-grpc.yaml index f5a9d26315..2384e1d697 100644 --- a/charts/gitlab/charts/kas/templates/ingress-grpc.yaml +++ b/charts/gitlab/charts/kas/templates/ingress-grpc.yaml @@ -4,7 +4,7 @@ {{- $tlsSecret := include "kas.tlsSecret" . -}} {{- $ingressCfg := dict "global" .Values.global.ingress "local" .Values.ingress "context" . -}} {{- $isIngressProviderNginx := eq .Values.global.ingress.provider "nginx" -}} -{{- $isIngressProviderHAProxy := eq .Values.global.ingress.provider "haproxy" -}} +{{- if $isIngressProviderNginx }} apiVersion: {{ template "gitlab.ingress.apiVersion" $ingressCfg }} kind: Ingress metadata: 
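Review bot: The added `kube-score/ignore: ingress-targets-service` in PATCH 09 suppresses a linter check on every render of this Ingress, and the reason is given only in the commit message. A suppression should carry its justification where the next reader of the template sees it, so that it can be removed when the reason no longer applies. I would add a template comment directly above the annotation that restates the commit message, for example `{{- /* kube-score: ingress-targets-service ignored, the regex path is not matched to a Service by the check */}}`.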
@@ -17,9 +17,6 @@ metadata: kube-score/ignore: ingress-targets-service {{ include "ingress.class.annotation" $ingressCfg }} kubernetes.io/ingress.provider: "{{ template "gitlab.ingress.provider" $ingressCfg }}" - {{- if $isIngressProviderHAProxy }} - haproxy.org/server-proto: "h2" - {{- else if $isIngressProviderNginx }} nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/use-regex: "true" {{- if $.Values.global.kas.tls.enabled }} @@ -34,8 +31,6 @@ metadata: {{- else }} nginx.ingress.kubernetes.io/backend-protocol: "GRPC" {{- end }} - {{- end }} - {{- include "gitlab.certmanager_annotations" . | nindent 4 }} {{- range $key, $value := merge .Values.ingress.annotations .Values.global.ingress.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} @@ -62,3 +57,4 @@ spec: {{- end }} {{- end }} {{- end }} +{{- end }} -- GitLab From 9702cef9f76a77ea1bcea1fd089fe67166195e5b Mon Sep 17 00:00:00 2001 From: Ashvin Sharma Date: Mon, 1 Dec 2025 14:22:46 +0530 Subject: [PATCH 11/16] Add documentation for gRPC support --- doc/charts/gitlab/kas/_index.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/doc/charts/gitlab/kas/_index.md b/doc/charts/gitlab/kas/_index.md index c315495a20..c12afe520f 100644 --- a/doc/charts/gitlab/kas/_index.md +++ b/doc/charts/gitlab/kas/_index.md 
@@ -63,6 +63,28 @@ This example uses `kas.my-other-domain.com` as the host for the KAS Ingress alon The rest of the services (including GitLab, Registry, MinIO, etc.) use the domain specified in `global.hosts.domain`. +### gRPC Ingress Support + +The KAS service supports gRPC traffic through the same port as WebSocket traffic, using path-based routing with regex matching to distinguish between the two protocols. + +#### Controller Support + +- **NGINX Ingress Controller**: Fully supported with automatic configuration +- **Other Controllers**: Any controller that supports regex-based path matching can be used + +#### Path Pattern + +The gRPC ingress uses the following path pattern: +``` +/gitlab\.agent\.(.+) +``` + +This pattern ensures proper routing of gRPC traffic to the KAS service while maintaining WebSocket functionality on the same port. + +#### Configuration + +No additional configuration is needed when using the NGINX Ingress Controller as it's automatically set up. For other controllers, ensure they support regex-based path matching and configure them to route the specified path pattern to the KAS service. + ### Installation command line options You can pass these parameters to the `helm install` command by using the `--set` flags. -- GitLab From 4296092f6de952938ed2c80505be231cacab8cf0 Mon Sep 17 00:00:00 2001 From: Ashvin Sharma Date: Mon, 1 Dec 2025 14:33:02 +0530 Subject: [PATCH 12/16] Fix markdown linting errors in kas documentation - Capitalize 'Ingress' on line 77 - Add blank lines around code fence on line 78 - Add language identifier to code fence --- doc/charts/gitlab/kas/_index.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/charts/gitlab/kas/_index.md b/doc/charts/gitlab/kas/_index.md index c12afe520f..e207b0017f 100644 --- a/doc/charts/gitlab/kas/_index.md +++ b/doc/charts/gitlab/kas/_index.md 
@@ -74,8 +74,9 @@ The KAS service supports gRPC traffic through the same port as WebSocket traffic #### Path Pattern -The gRPC ingress uses the following path pattern: -``` +The gRPC Ingress uses the following path pattern: + +```regex /gitlab\.agent\.(.+) ``` -- GitLab From 54274f305ac4fa3217247ac978f8e5db6f6074a4 Mon Sep 17 00:00:00 2001 From: Ashvin Sharma Date: Mon, 1 Dec 2025 23:29:41 +0530 Subject: [PATCH 13/16] Add configurable gRPC Ingress for KAS --- .../gitlab/charts/kas/templates/ingress-grpc.yaml | 4 +++- doc/charts/gitlab/kas/_index.md | 13 ++++++++++++- spec/configuration/ingress_spec.rb | 3 +++ values.yaml | 3 +++ 4 files changed, 21 insertions(+), 2 deletions(-) diff --git a/charts/gitlab/charts/kas/templates/ingress-grpc.yaml b/charts/gitlab/charts/kas/templates/ingress-grpc.yaml index 2384e1d697..72ae4083fc 100644 --- a/charts/gitlab/charts/kas/templates/ingress-grpc.yaml +++ b/charts/gitlab/charts/kas/templates/ingress-grpc.yaml @@ -4,7 +4,7 @@ {{- $tlsSecret := include "kas.tlsSecret" . -}} {{- $ingressCfg := dict "global" .Values.global.ingress "local" .Values.ingress "context" . -}} {{- $isIngressProviderNginx := eq .Values.global.ingress.provider "nginx" -}} -{{- if $isIngressProviderNginx }} +{{- if eq .Values.global.kas.ingress.grpc.enabled true }} apiVersion: {{ template "gitlab.ingress.apiVersion" $ingressCfg }} kind: Ingress metadata: @@ -17,6 +17,7 @@ metadata: kube-score/ignore: ingress-targets-service {{ include "ingress.class.annotation" $ingressCfg }} kubernetes.io/ingress.provider: "{{ template "gitlab.ingress.provider" $ingressCfg }}" + {{- if $isIngressProviderNginx }} nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/use-regex: "true" {{- if $.Values.global.kas.tls.enabled }} 
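Review bot: With the outer gate switched to `.Values.global.kas.ingress.grpc.enabled` and the nginx annotations moved under `{{- if $isIngressProviderNginx }}`, any other provider now gets a `-grpc` Ingress with no backend-protocol or backend TLS verification settings, even when `global.kas.tls.enabled` is true. How such a controller then reaches the TLS-enabled KAS backend depends entirely on annotations the operator adds, and the documentation added in this commit only mentions gRPC and regex support. I would state the TLS requirement explicitly in the docs and in a template comment at the gate, e.g. `{{- /* non-nginx providers: backend protocol and TLS verification must be supplied via ingress.annotations */}}`. The closing `{{- end }}` for this branch is in the following hunk.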
@@ -31,6 +32,7 @@ metadata: {{- else }} nginx.ingress.kubernetes.io/backend-protocol: "GRPC" {{- end }} + {{- end }} {{- range $key, $value := merge .Values.ingress.annotations .Values.global.ingress.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} diff --git a/doc/charts/gitlab/kas/_index.md b/doc/charts/gitlab/kas/_index.md index e207b0017f..a919678709 100644 --- a/doc/charts/gitlab/kas/_index.md +++ b/doc/charts/gitlab/kas/_index.md @@ -84,7 +84,18 @@ This pattern ensures proper routing of gRPC traffic to the KAS service while mai #### Configuration -No additional configuration is needed when using the NGINX Ingress Controller as it's automatically set up. For other controllers, ensure they support regex-based path matching and configure them to route the specified path pattern to the KAS service. +To enable gRPC Ingress, set the following in your `values.yaml`: + +```yaml +global: + kas: + ingress: + grpc: + enabled: true +``` + +No additional configuration is needed when using the NGINX Ingress Controller as it's automatically set up. +For other controllers, add relevant annotations to support gRPC and ensure they support regex-based path matching and configure them to route the specified path pattern to the KAS service. ### Installation command line options diff --git a/spec/configuration/ingress_spec.rb b/spec/configuration/ingress_spec.rb index 5a7a8c20da..2d8d07dba9 100644 --- a/spec/configuration/ingress_spec.rb +++ b/spec/configuration/ingress_spec.rb @@ -74,6 +74,9 @@ describe 'GitLab Ingress configuration(s)' do enabled: true kas: enabled: true + ingress: + grpc: + enabled: true registry: enabled: true ))) diff --git a/values.yaml b/values.yaml index fb989359cb..bb485e7f39 100644 --- a/values.yaml +++ b/values.yaml @@ -646,6 +646,9 @@ global: enabled: true service: apiExternalPort: 8153 # port for connections from the GitLab backend + ingress: + grpc: + enabled: false tls: enabled: false verify: true -- GitLab 
From ad8e29c63185c0519a6c05a89eb630db018513da Mon Sep 17 00:00:00 2001 From: Ashvin Sharma Date: Thu, 4 Dec 2025 14:05:45 +0530 Subject: [PATCH 14/16] Ignore test for grpc ingress This is done because grpc path used in the ingress is a regex and they will not end with slash as the test expects --- spec/configuration/ingress_spec.rb | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/spec/configuration/ingress_spec.rb b/spec/configuration/ingress_spec.rb index 2d8d07dba9..87ed50a19f 100644 --- a/spec/configuration/ingress_spec.rb +++ b/spec/configuration/ingress_spec.rb @@ -4,6 +4,10 @@ require 'yaml' require 'hash_deep_merge' describe 'GitLab Ingress configuration(s)' do + def ignored_ingresses + ['test-kas-grpc'].freeze + end + def get_paths(template, ingress_name) template.dig("Ingress/#{ingress_name}", 'spec', 'rules', 0, 'http', 'paths') end @@ -64,6 +68,12 @@ describe 'GitLab Ingress configuration(s)' do let(:enable_all_ingress) do default_values.deep_merge(YAML.safe_load(%( + gitlab: + kas: + enabled: true + ingress: + grpc: + enabled: true global: appConfig: smartcard: @@ -72,11 +82,6 @@ describe 'GitLab Ingress configuration(s)' do enabled: true pages: enabled: true - kas: - enabled: true - ingress: - grpc: - enabled: true registry: enabled: true ))) @@ -97,11 +102,11 @@ describe 'GitLab Ingress configuration(s)' do template = HelmTemplate.new(enable_all_ingress) expect(template.exit_code).to eq(0) - ingress_names.each do |ingress_name| + ingress_under_test = ingress_names - ignored_ingresses + + ingress_under_test.each do |ingress_name| paths = get_paths(template, ingress_name) paths.each do |p| - next if p["pathType"] == "ImplementationSpecific" - expect(p["path"]).to end_with('/') end end 
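Review bot: `ignored_ingresses` removes `test-kas-grpc` from both path-format examples and nothing in this series asserts anything about that Ingress in its place, so its regex path and its `backend-protocol` / `proxy-ssl-*` annotations are rendered untested. A dedicated example along the lines below would pin the security-relevant part of the template; it assumes the default provider is nginx and may need whatever other KAS TLS values the chart requires to render. Separately, `enable_all_ingress` now sets `gitlab.kas.ingress.grpc.enabled`, while ingress-grpc.yaml still reads `.Values.global.kas.ingress.grpc.enabled` until PATCH 15, so this commit on its own probably does not render `test-kas-grpc`. The second use of `ignored_ingresses` is in the last hunk of this file.

```ruby
it 'uses verified GRPCS for the KAS gRPC Ingress when KAS TLS is enabled' do
  values = enable_all_ingress.deep_merge(YAML.safe_load(%(
    global:
      kas:
        tls:
          enabled: true
          verify: true
          caSecretName: kas-ca-sample # constructed sample value
  )))
  template = HelmTemplate.new(values)
  expect(template.exit_code).to eq(0)

  annotations = template.dig('Ingress/test-kas-grpc', 'metadata', 'annotations')
  expect(annotations['nginx.ingress.kubernetes.io/backend-protocol']).to eq('GRPCS')
  expect(annotations['nginx.ingress.kubernetes.io/proxy-ssl-verify']).to eq('on')
  expect(annotations['nginx.ingress.kubernetes.io/proxy-ssl-secret']).to end_with('/kas-ca-sample')
end
```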
@@ -121,11 +126,11 @@ describe 'GitLab Ingress configuration(s)' do template = HelmTemplate.new(asterisk) expect(template.exit_code).to eq(0) - ingress_names.each do |ingress_name| + ingress_under_test = ingress_names - ignored_ingresses + + ingress_under_test.each do |ingress_name| paths = get_paths(template, ingress_name) paths.each do |p| - next if p["pathType"] == "ImplementationSpecific" - expect(p["path"]).to end_with('/*') end end -- GitLab From f91e273cf74479d70733ea56c1185568b30bfab6 Mon Sep 17 00:00:00 2001 From: Ashvin Sharma Date: Thu, 4 Dec 2025 14:21:21 +0530 Subject: [PATCH 15/16] Move KAS gRPC enable field to non global value --- charts/gitlab/charts/kas/templates/ingress-grpc.yaml | 2 +- charts/gitlab/charts/kas/values.yaml | 2 ++ values.yaml | 3 --- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/charts/gitlab/charts/kas/templates/ingress-grpc.yaml b/charts/gitlab/charts/kas/templates/ingress-grpc.yaml index 72ae4083fc..3a46f0e199 100644 --- a/charts/gitlab/charts/kas/templates/ingress-grpc.yaml +++ b/charts/gitlab/charts/kas/templates/ingress-grpc.yaml @@ -4,7 +4,7 @@ {{- $tlsSecret := include "kas.tlsSecret" . -}} {{- $ingressCfg := dict "global" .Values.global.ingress "local" .Values.ingress "context" . -}} {{- $isIngressProviderNginx := eq .Values.global.ingress.provider "nginx" -}} -{{- if eq .Values.global.kas.ingress.grpc.enabled true }} +{{- if eq .Values.ingress.grpc.enabled true }} apiVersion: {{ template "gitlab.ingress.apiVersion" $ingressCfg }} kind: Ingress metadata: diff --git a/charts/gitlab/charts/kas/values.yaml b/charts/gitlab/charts/kas/values.yaml index e4c8593c00..142b4d37be 100644 --- a/charts/gitlab/charts/kas/values.yaml +++ b/charts/gitlab/charts/kas/values.yaml @@ -81,6 +81,8 @@ ingress: workspacesServerApiPath: /workspaces k8sApiPath: /k8s-proxy autoflowCodecServerApiPath: /autoflow/codec-server + grpc: + enabled: false maxReplicas: 10 maxUnavailable: 1 minReplicas: 2 
diff --git a/values.yaml b/values.yaml index bb485e7f39..fb989359cb 100644 --- a/values.yaml +++ b/values.yaml @@ -646,9 +646,6 @@ global: enabled: true service: apiExternalPort: 8153 # port for connections from the GitLab backend - ingress: - grpc: - enabled: false tls: enabled: false verify: true -- GitLab From 1a2fa8b698f4f7f8458a9010f0d0a81d4bd66aef Mon Sep 17 00:00:00 2001 From: Ashvin Sharma Date: Thu, 4 Dec 2025 21:37:58 +0530 Subject: [PATCH 16/16] Apply 1 suggestion(s) to 1 file(s) Co-authored-by: Jason Plum --- doc/charts/gitlab/kas/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/charts/gitlab/kas/_index.md b/doc/charts/gitlab/kas/_index.md index a919678709..7aeb1e0866 100644 --- a/doc/charts/gitlab/kas/_index.md +++ b/doc/charts/gitlab/kas/_index.md @@ -87,7 +87,7 @@ This pattern ensures proper routing of gRPC traffic to the KAS service while mai To enable gRPC Ingress, set the following in your `values.yaml`: ```yaml -global: +gitlab: kas: ingress: grpc: -- GitLab