Allow cleartext communication with KAS in production

https://gitlab.com/gitlab-org/gitlab/-/merge_requests/66135 Changelog: fixed

Allow cleartext communication with KAS in production
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/66135 Changelog: fixed
81c5fdae · Tiger · Tiger Watson · bd7f09e2 · 81c5fdae · 81c5fdae
Commit 81c5fdae authored Jul 14, 2021 by Tiger Committed by Tiger Watson Jul 14, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 5 deletions

lib/gitlab/kas/client.rb lib/gitlab/kas/client.rb +4 -4

spec/lib/gitlab/kas/client_spec.rb spec/lib/gitlab/kas/client_spec.rb +18 -1

No files found.
--- a/lib/gitlab/kas/client.rb
+++ b/lib/gitlab/kas/client.rb
@@ -49,14 +49,14 @@ module Gitlab
      end

      def kas_endpoint_url
-        Gitlab::Kas.internal_url.delete_prefix('grpc://')
+        Gitlab::Kas.internal_url.sub(%r{^grpc://|^grpcs://}, '')
      end

      def credentials
-        if Rails.env.test? || Rails.env.development?
-          :this_channel_is_insecure
-        else
+        if URI(Gitlab::Kas.internal_url).scheme == 'grpcs'
          GRPC::Core::ChannelCredentials.new
+        else
+          :this_channel_is_insecure
        end
      end


--- a/spec/lib/gitlab/kas/client_spec.rb
+++ b/spec/lib/gitlab/kas/client_spec.rb
@@ -30,10 +30,11 @@ RSpec.describe Gitlab::Kas::Client do

  describe 'gRPC calls' do
    let(:token) { instance_double(JSONWebToken::HMACToken, encoded: 'test-token') }
+    let(:kas_url) { 'grpc://example.kas.internal' }

    before do
      allow(Gitlab::Kas).to receive(:enabled?).and_return(true)
-      allow(Gitlab::Kas).to receive(:internal_url).and_return('grpc://example.kas.internal')
+      allow(Gitlab::Kas).to receive(:internal_url).and_return(kas_url)

      expect(JSONWebToken::HMACToken).to receive(:new)
        .with(Gitlab::Kas.secret)
@@ -80,5 +81,21 @@ RSpec.describe Gitlab::Kas::Client do

      it { expect(subject).to eq(agent_configurations) }
    end
+
+    describe 'with grpcs' do
+      let(:stub) { instance_double(Gitlab::Agent::ConfigurationProject::Rpc::ConfigurationProject::Stub) }
+      let(:kas_url) { 'grpcs://example.kas.internal' }
+
+      it 'uses a ChannelCredentials object' do
+        expect(Gitlab::Agent::ConfigurationProject::Rpc::ConfigurationProject::Stub).to receive(:new)
+          .with('example.kas.internal', instance_of(GRPC::Core::ChannelCredentials), timeout: described_class::TIMEOUT)
+          .and_return(stub)
+
+        allow(stub).to receive(:list_agent_config_files)
+          .and_return(double(config_files: []))
+
+        described_class.new.list_agent_config_files(project: project)
+      end
+    end
  end
 end