diff --git a/Changelog.md b/Changelog.md
index bec58acda..4bb828551 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -3,6 +3,13 @@
 This file only reflects the changes that are made in this image. Please refer to the upstream GitLab [CHANGELOG](https://
 gitlab.com/gitlab-org/gitlab-foss/blob/master/CHANGELOG.md) for the list of changes in GitLab.
 
+## 18.7.0
+
+- gitlab: upgrade CE to v18.7.0
+- gitaly: upgrade to v18.7.0
+- gitlab-pages: upgrade to v18.7.0
+- gitlab-shell: upgrade to v14.45.5
+
 ## 18.6.2
 
 - gitlab: upgrade CE to v18.6.2
diff --git a/Dockerfile b/Dockerfile
index debfcd7c7..a5b4128c2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,15 +1,16 @@
 FROM ubuntu:noble-20251013
 
-ARG VERSION=18.6.2
+ARG VERSION=18.7.0
 
 ENV GITLAB_VERSION=${VERSION} \
     RUBY_VERSION=3.2.9 \
     RUBY_SOURCE_SHA256SUM="abbad98db9aeb152773b0d35868e50003b8c467f3d06152577c4dfed9d88ed2a" \
     RUBYGEMS_VERSION=3.7.2 \
     GOLANG_VERSION=1.24.11 \
-    GITLAB_SHELL_VERSION=14.45.3 \
-    GITLAB_PAGES_VERSION=18.6.2 \
-    GITALY_SERVER_VERSION=18.6.2 \
+    GITLAB_SHELL_VERSION=14.45.5 \
+    GITLAB_PAGES_VERSION=18.7.0 \
+    GITALY_SERVER_VERSION=18.7.0 \
+    GITLAB_AGENT_VERSION=18.7.0 \
     GITLAB_USER="git" \
     GITLAB_HOME="/home/git" \
     GITLAB_LOG_DIR="/var/log/gitlab" \
@@ -21,6 +22,7 @@ ENV GITLAB_VERSION=${VERSION} \
 ENV GITLAB_INSTALL_DIR="${GITLAB_HOME}/gitlab" \
     GITLAB_SHELL_INSTALL_DIR="${GITLAB_HOME}/gitlab-shell" \
     GITLAB_GITALY_INSTALL_DIR="${GITLAB_HOME}/gitaly" \
+    GITLAB_AGENT_INSTALL_DIR="${GITLAB_HOME}/gitlab-agent" \
     GITLAB_DATA_DIR="${GITLAB_HOME}/data" \
     GITLAB_BUILD_DIR="${GITLAB_CACHE_DIR}/build" \
     GITLAB_RUNTIME_DIR="${GITLAB_CACHE_DIR}/runtime"
diff --git a/README.md b/README.md
index c0685382f..8b341f595 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# sameersbn/gitlab:18.6.2
+# sameersbn/gitlab:18.7.0
 
 [![CircleCI](https://circleci.com/gh/sameersbn/docker-gitlab/tree/master.svg?style=svg)](https://circleci.com/gh/sameersbn/docker-gitlab/tree/master)
 
@@ -54,6 +54,7 @@
     - [Piwik](#piwik)
     - [Feature flags](#feature-flags)
     - [Exposing ssh port in dockerized gitlab-ce](docs/exposing-ssh-port.md)
+    - [Gitlab KAS](#gitlab-kas)
     - [Available Configuration Parameters](#available-configuration-parameters)
 - [Maintenance](#maintenance)
     - [Creating Backups](#creating-backups)
@@ -128,7 +129,7 @@ Your docker host needs to have 1GB or more of available RAM to run GitLab. Pleas
 Automated builds of the image are available on [Dockerhub](https://hub.docker.com/r/sameersbn/gitlab) and is the recommended method of installation.
 
 ```bash
-docker pull sameersbn/gitlab:18.6.2
+docker pull sameersbn/gitlab:18.7.0
 ```
 
 You can also pull the `latest` tag which is built from the repository *HEAD*
@@ -210,7 +211,7 @@ docker run --name gitlab -d \
     --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=["long-and-random-alpha-numeric-string"]' \
     --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alpha-numeric-string' \
     --volume /srv/docker/gitlab/gitlab:/home/git/data \
-    sameersbn/gitlab:18.6.2
+    sameersbn/gitlab:18.7.0
 ```
 
 *Please refer to [Available Configuration Parameters](#available-configuration-parameters) to understand `GITLAB_PORT` and other configuration options*
@@ -245,7 +246,7 @@ Volumes can be mounted in docker by specifying the `-v` option in the docker run
 ```bash
 docker run --name gitlab -d \
     --volume /srv/docker/gitlab/gitlab:/home/git/data \
-    sameersbn/gitlab:18.6.2
+    sameersbn/gitlab:18.7.0
 ```
 
 ### Database
@@ -310,7 +311,7 @@ docker run --name gitlab -d \
     --env 'DB_NAME=gitlabhq_production' \
     --env 'DB_USER=gitlab' --env 'DB_PASS=password' \
     --volume /srv/docker/gitlab/gitlab:/home/git/data \
-    sameersbn/gitlab:18.6.2
+    sameersbn/gitlab:18.7.0
 ```
 
 ##### Linking to PostgreSQL Container
@@ -354,7 +355,7 @@ We are now ready to start the GitLab application.
 ```bash
 docker run --name gitlab -d --link gitlab-postgresql:postgresql \
     --volume /srv/docker/gitlab/gitlab:/home/git/data \
-    sameersbn/gitlab:18.6.2
+    sameersbn/gitlab:18.7.0
 ```
 
 Here the image will also automatically fetch the `DB_NAME`, `DB_USER` and `DB_PASS` variables from the postgresql container as they are specified in the `docker run` command for the postgresql container. This is made possible using the magic of docker links and works with the following images:
@@ -392,7 +393,7 @@ The image can be configured to use an external redis server. The configuration s
 ```bash
 docker run --name gitlab -it --rm \
     --env 'REDIS_HOST=192.168.1.100' --env 'REDIS_PORT=6379' \
-    sameersbn/gitlab:18.6.2
+    sameersbn/gitlab:18.7.0
 ```
 
 #### Linking to Redis Container
@@ -419,7 +420,7 @@ We are now ready to start the GitLab application.
 
 ```bash
 docker run --name gitlab -d --link gitlab-redis:redisio \
-    sameersbn/gitlab:18.6.2
+    sameersbn/gitlab:18.7.0
 ```
 
 #### Mail
@@ -432,7 +433,7 @@ If you are using Gmail then all you need to do is:
 docker run --name gitlab -d \
     --env 'SMTP_USER=USER@gmail.com' --env 'SMTP_PASS=PASSWORD' \
     --volume /srv/docker/gitlab/gitlab:/home/git/data \
-    sameersbn/gitlab:18.6.2
+    sameersbn/gitlab:18.7.0
 ```
 
 Please refer the [Available Configuration Parameters](#available-configuration-parameters) section for the list of SMTP parameters that can be specified.
@@ -452,7 +453,7 @@ docker run --name gitlab -d \
     --env 'IMAP_USER=USER@gmail.com' --env 'IMAP_PASS=PASSWORD' \
     --env 'GITLAB_INCOMING_EMAIL_ADDRESS=USER+%{key}@gmail.com' \
     --volume /srv/docker/gitlab/gitlab:/home/git/data \
-    sameersbn/gitlab:18.6.2
+    sameersbn/gitlab:18.7.0
 ```
 
 Please refer the [Available Configuration Parameters](#available-configuration-parameters) section for the list of IMAP parameters that can be specified.
@@ -536,7 +537,7 @@ docker run --name gitlab -d \
     --env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_PORT=10443' \
     --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \
     --volume /srv/docker/gitlab/gitlab:/home/git/data \
-    sameersbn/gitlab:18.6.2
+    sameersbn/gitlab:18.7.0
 ```
 
 In this configuration, any requests made over the plain http protocol will automatically be redirected to use the https protocol. However, this is not optimal when using a load balancer.
@@ -552,7 +553,7 @@ docker run --name gitlab -d \
  --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \
  --env 'NGINX_HSTS_MAXAGE=2592000' \
  --volume /srv/docker/gitlab/gitlab:/home/git/data \
- sameersbn/gitlab:18.6.2
+ sameersbn/gitlab:18.7.0
 ```
 
 If you want to completely disable HSTS set `NGINX_HSTS_ENABLED` to `false`.
@@ -575,7 +576,7 @@ docker run --name gitlab -d \
     --env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_PORT=443' \
     --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \
     --volume /srv/docker/gitlab/gitlab:/home/git/data \
-    sameersbn/gitlab:18.6.2
+    sameersbn/gitlab:18.7.0
 ```
 
 Again, drop the `--env 'SSL_SELF_SIGNED=true'` option if you are using CA certified SSL certificates.
@@ -623,7 +624,7 @@ Let's assume we want to deploy our application to '/git'. GitLab needs to know t
 docker run --name gitlab -it --rm \
     --env 'GITLAB_RELATIVE_URL_ROOT=/git' \
     --volume /srv/docker/gitlab/gitlab:/home/git/data \
-    sameersbn/gitlab:18.6.2
+    sameersbn/gitlab:18.7.0
 ```
 
 GitLab will now be accessible at the `/git` path, e.g. `http://www.example.com/git`.
@@ -850,14 +851,14 @@ Also the container processes seem to be executed as the host's user/group `1000`
 ```bash
 docker run --name gitlab -it --rm [options] \
     --env "USERMAP_UID=$(id -u git)" --env "USERMAP_GID=$(id -g git)" \
-    sameersbn/gitlab:18.6.2
+    sameersbn/gitlab:18.7.0
 ```
 
 When changing this mapping, all files and directories in the mounted data volume `/home/git/data` have to be re-owned by the new ids. This can be achieved automatically using the following command:
 
 ```bash
 docker run --name gitlab -d [OPTIONS] \
-    sameersbn/gitlab:18.6.2 app:sanitize
+    sameersbn/gitlab:18.7.0 app:sanitize
 ```
 
 #### Piwik
@@ -914,6 +915,80 @@ Configuring gitlab::feature_flags...
 ...
 ````
 
+#### Gitlab KAS
+
+GitLab agent server for Kubernetes (KAS) is disabled by default, but you can enable it by setting configuration parameter [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) to true.  
+By default, built-in `gitlab-kas` is also enabled once you enable KAS feature. But you can use an external installation of KAS by setting internal URL for the GitLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#gitlab_kas_internal).  
+You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#gitlab_kas_external). If you set up proxy URL, use `GITLAB_KAS_PROXY`.
+
+You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_secret). This secret file will be generated if they don't exist.
+
+Here is an example settings for kubernetes rc.yml:
+
+```yaml
+spec:
+  containers:
+  - name: gitlab
+  image: sameersbn/gitlab:latest
+  env:
+  - name: GITLAB_KAS_ENABLED
+    value: "true"
+  - name: GITLAB_AGENT_BUILTIN_KAS_ENABLED
+    value: "true"
+  - name: GITLAB_KAS_EXTERNAL
+    value: wss://gitlab.example.com/gitlab/-/kubernetes-agent/
+  - name: GITLAB_KAS_INTERNAL
+    value: grpc://127.0.0.1:8153
+  - name: GITLAB_KAS_PROXY
+    value: https://gitlab.example.com/gitlab/-/kubernetes-agent/k8s-proxy/
+  - name: OWN_PRIVATE_API_URL
+    value: grpc://127.0.0.1:8155
+```
+
+and for docker-compose.yml:
+
+```yaml
+services:
+  gitlab:
+    image: sameersbn/gitlab:latest
+  environment:
+    - GITLAB_KAS_ENABLED=true
+    - GITLAB_AGENT_BUILTIN_KAS_ENABLED=true
+    - GITLAB_KAS_EXTERNAL=wss://gitlab.example.com/gitlab/-/kubernetes-agent/
+    - GITLAB_KAS_INTERNAL=grpc://127.0.0.1:8153
+    - GITLAB_KAS_PROXY=https://gitlab.example.com/gitlab/-/kubernetes-agent/k8s-proxy/
+    - OWN_PRIVATE_API_URL=grpc://127.0.0.1:8155
+```
+
+or in another style:
+
+```yaml
+services:
+  gitlab:
+    image: sameersbn/gitlab:latest
+  environment:
+    GITLAB_KAS_ENABLED: "true"
+    GITLAB_AGENT_BUILTIN_KAS_ENABLED: "true"
+    GITLAB_KAS_EXTERNAL: wss://gitlab.example.com/gitlab/-/kubernetes-agent/
+    GITLAB_KAS_INTERNAL: grpc://127.0.0.1:8153
+    GITLAB_KAS_PROXY: https://gitlab.example.com/gitlab/-/kubernetes-agent/k8s-proxy/
+    OWN_PRIVATE_API_URL: grpc://127.0.0.1:8155
+```
+
+#### Built-in GitLab-Agent KAS
+
+To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_BUILTIN_KAS_ENABLED`](#gitlab_agent_builtin_kas_enabled).
+
+You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist.  
+Authentication secret file will be set to same value of `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE` but you can overwrite it by setting [`GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_gitlab_authentication_secret_file).
+
+Built-in KAS communicates to redis. The host and ports are set using `REDIS_HOST` and `REDIS_PORT`.  
+You can specify the password file path in `GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See [sameersbn/gitlab#1026](https://github.com/sameersbn/docker-gitlab/pull/1026)
+
+Also note that KAS requires that environment variable `OWN_PRIVATE_API_URL` is set (e.g. `OWN_PRIVATE_API_URL=grpc://127.0.0.1:8155`). If not, the KAS service will keep restarting.
+
+See [official documentation](https://docs.gitlab.com/ee/administration/clusters/kas.html) for more detail.
+
 #### Available Configuration Parameters
 
 *Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose. docker-compose users and Docker Swarm mode users can also use the [secrets and config file options](#docker-secrets-and-configs)*
@@ -1236,6 +1311,52 @@ Default Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSO
 
 Cron notation for the GitLab pipeline schedule worker. Defaults to `'19 * * * *'`
 
+##### `GITLAB_KAS_ENABLED`
+
+Enable/Disable GitLab agent server for Kubernetes (KAS). See details on [official documentation](https://docs.gitlab.com/ee/administration/clusters/kas.html). Defaults to `false`
+
+##### `GITLAB_KAS_SECRET`
+
+File that contains the secret key for verifying access for GitLab KAS. This value will be used for `production.gitlab_kas.secret_file` in gitlab.yml. Defaults to `${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}`
+
+##### `GITLAB_KAS_EXTERNAL`
+
+User-facing URL for the in-cluster agent. Defaults to `"wss://kas.example.com"`
+
+##### `GITLAB_KAS_INTERNAL`
+
+Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"`
+
+##### `GITLAB_KAS_PROXY`
+
+The URL to the Kubernetes API proxy (used by GitLab users). No default.
+
+##### `GITLAB_AGENT_BUILTIN_KAS_ENABLED`
+
+Control startup behavior of built-in KAS. `autostart` value in supervisor configuration for KAS will be set to this value. Default to [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled)
+
+##### `GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE`
+
+Websocket token secret file. Default to `${GITLAB_INSTALL_DIR}/.gitlab_kas_websocket_token_secret`
+
+##### `GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE`
+
+An authentication secret file used to connect to gitlab from KAS. Defaults to `${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}`.
+
+##### `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`
+
+An authentication secret file to verify JWT token, for built-in KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret`
+
+##### `GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`
+
+An authentication secret file to verify JWT token, for built-in KAS internal API. If not exists, an secret file will be generated on startup. This is not "required", so please leave blank if you don't need it. No default.
+
+##### `GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE`
+
+Path for the file that contains redis password to be used by built-in KAS. This is not "required", so please leave blank if you don't need it. No default.
+
+NOTE: We currently do not support password authentication between gitlab and redis. See [sameersbn/gitlab#1026](https://github.com/sameersbn/docker-gitlab/pull/1026)
+
 ##### `GITLAB_LFS_ENABLED`
 
 Enable/Disable Git LFS support. Defaults to `true`.
@@ -2620,7 +2741,7 @@ Execute the rake task to create a backup.
 
 ```bash
 docker run --name gitlab -it --rm [OPTIONS] \
-    sameersbn/gitlab:18.6.2 app:rake gitlab:backup:create
+    sameersbn/gitlab:18.7.0 app:rake gitlab:backup:create
 ```
 
 A backup will be created in the backups folder of the [Data Store](#data-store). You can change the location of the backups using the `GITLAB_BACKUP_DIR` configuration parameter.
@@ -2655,14 +2776,14 @@ you need to prepare the database:
 
 ```bash
 docker run --name gitlab -it --rm [OPTIONS] \
-    sameersbn/gitlab:18.6.2 app:rake db:setup
+    sameersbn/gitlab:18.7.0 app:rake db:setup
 ```
 
 Execute the rake task to restore a backup. Make sure you run the container in interactive mode `-it`.
 
 ```bash
 docker run --name gitlab -it --rm [OPTIONS] \
-    sameersbn/gitlab:18.6.2 app:rake gitlab:backup:restore
+    sameersbn/gitlab:18.7.0 app:rake gitlab:backup:restore
 ```
 
 The list of all available backups will be displayed in reverse chronological order. Select the backup you want to restore and continue.
@@ -2671,7 +2792,7 @@ To avoid user interaction in the restore operation, specify the timestamp, date
 
 ```bash
 docker run --name gitlab -it --rm [OPTIONS] \
-    sameersbn/gitlab:18.6.2 app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.0.6
+    sameersbn/gitlab:18.7.0 app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.0.6
 ```
 
 When using `docker-compose` you may use the following command to execute the restore.
@@ -2720,7 +2841,7 @@ The `app:rake` command allows you to run gitlab rake tasks. To run a rake task s
 
 ```bash
 docker run --name gitlab -it --rm [OPTIONS] \
-    sameersbn/gitlab:18.6.2 app:rake gitlab:env:info
+    sameersbn/gitlab:18.7.0 app:rake gitlab:env:info
 ```
 
 You can also use `docker exec` to run rake tasks on running gitlab instance. For example,
@@ -2733,7 +2854,7 @@ Similarly, to import bare repositories into GitLab project instance
 
 ```bash
 docker run --name gitlab -it --rm [OPTIONS] \
-    sameersbn/gitlab:18.6.2 app:rake gitlab:import:repos
+    sameersbn/gitlab:18.7.0 app:rake gitlab:import:repos
 ```
 
 Or
@@ -2764,7 +2885,7 @@ Copy all the **bare** git repositories to the `repositories/` directory of the [
 
 ```bash
 docker run --name gitlab -it --rm [OPTIONS] \
-    sameersbn/gitlab:18.6.2 app:rake gitlab:import:repos
+    sameersbn/gitlab:18.7.0 app:rake gitlab:import:repos
 ```
 
 Watch the logs and your repositories should be available into your new gitlab container.
@@ -2795,12 +2916,12 @@ To upgrade to newer gitlab releases, simply follow this 4 step upgrade procedure
 
 > **Note**
 >
-> Upgrading to `sameersbn/gitlab:18.6.2` from `sameersbn/gitlab:7.x.x` can cause issues. It is therefore required that you first upgrade to `sameersbn/gitlab:8.0.5-1` before upgrading to `sameersbn/gitlab:8.1.0` or higher.
+> Upgrading to `sameersbn/gitlab:18.7.0` from `sameersbn/gitlab:7.x.x` can cause issues. It is therefore required that you first upgrade to `sameersbn/gitlab:8.0.5-1` before upgrading to `sameersbn/gitlab:8.1.0` or higher.
 
 - **Step 1**: Update the docker image.
 
 ```bash
-docker pull sameersbn/gitlab:18.6.2
+docker pull sameersbn/gitlab:18.7.0
 ```
 
 - **Step 2**: Stop and remove the currently running image
@@ -2830,7 +2951,7 @@ Replace `x.x.x` with the version you are upgrading from. For example, if you are
 > **Note**: Since Gitlab 17.8 you need to provide `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY`,`GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY` and `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`. If not provided, these keys will be generated by gitlab. The image can be started without setting these parameters, **but you will lose the settings when you shutting down the container without taking a backup of `secrets.yml` and settings stored securely (such as the Dependency Proxy) will be unusable and unrecoverable.**
 
 ```bash
-docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:18.6.2
+docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:18.7.0
 ```
 
 ### Shell Access
@@ -2866,7 +2987,7 @@ You can also set your `docker-compose.yml` [healthcheck](https://docs.docker.com
 ```yml
 services:
   gitlab:
-    image: sameersbn/gitlab:18.6.2
+    image: sameersbn/gitlab:18.7.0
     healthcheck:
       test: ["CMD", "/usr/local/sbin/healthcheck"]
       interval: 1m
diff --git a/VERSION b/VERSION
index fc558a423..fb67e3d51 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-18.6.2
+18.7.0
diff --git a/assets/build/install.sh b/assets/build/install.sh
index 817fd61cf..6b07cec7e 100755
--- a/assets/build/install.sh
+++ b/assets/build/install.sh
@@ -5,10 +5,12 @@ GITLAB_CLONE_URL=https://gitlab.com/gitlab-org/gitlab-foss.git
 GITLAB_SHELL_URL=https://gitlab.com/gitlab-org/gitlab-shell/-/archive/v${GITLAB_SHELL_VERSION}/gitlab-shell-v${GITLAB_SHELL_VERSION}.tar.bz2
 GITLAB_PAGES_URL=https://gitlab.com/gitlab-org/gitlab-pages.git
 GITLAB_GITALY_URL=https://gitlab.com/gitlab-org/gitaly.git
+GITLAB_AGENT_URL=https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent.git
 
 GITLAB_WORKHORSE_BUILD_DIR=${GITLAB_INSTALL_DIR}/workhorse
 GITLAB_PAGES_BUILD_DIR=/tmp/gitlab-pages
 GITLAB_GITALY_BUILD_DIR=/tmp/gitaly
+GITLAB_AGENT_BUILD_DIR=/tmp/gitlab-agent
 
 RUBY_SRC_URL=https://cache.ruby-lang.org/pub/ruby/${RUBY_VERSION%.*}/ruby-${RUBY_VERSION}.tar.gz
 
@@ -171,6 +173,18 @@ make -C ${GITLAB_GITALY_BUILD_DIR} git GIT_PREFIX=/usr/local
 # clean up
 rm -rf ${GITLAB_GITALY_BUILD_DIR}
 
+# download gitlab-agent (KAS)
+echo "Downloading gitlab-agent v.${GITLAB_AGENT_VERSION}..."
+git clone -q -b v${GITLAB_AGENT_VERSION} --depth 1 ${GITLAB_AGENT_URL} ${GITLAB_AGENT_BUILD_DIR}
+
+# install gitlab-agent (KAS)
+mkdir -p "${GITLAB_AGENT_INSTALL_DIR}"
+make -C ${GITLAB_AGENT_BUILD_DIR} kas TARGET_DIRECTORY=/usr/local/bin
+chown -R ${GITLAB_USER}: ${GITLAB_AGENT_INSTALL_DIR}
+
+# clean up
+rm -rf ${GITLAB_AGENT_BUILD_DIR}
+
 # remove go
 go clean --modcache
 rm -rf ${GITLAB_BUILD_DIR}/go${GOLANG_VERSION}.linux-amd64.tar.gz ${GOROOT}
@@ -411,6 +425,20 @@ stdout_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log
 stderr_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log
 EOF
 
+# configure superisord to start gitlab-agent (KAS)
+cat > /etc/supervisor/conf.d/gitlab-kas.conf <<EOF
+[program:gitlab_kas]
+priority=5
+directory=${GITLAB_AGENT_INSTALL_DIR}
+environment=HOME=${GITLAB_HOME}
+command=/usr/local/bin/kas --configuration-file="${GITLAB_AGENT_INSTALL_DIR}/gitlab-kas_config.yaml"
+user=git
+autostart={{GITLAB_AGENT_BUILTIN_KAS_ENABLED}}
+autorestart=true
+stdout_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log
+stderr_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log
+EOF
+
 # configure supervisord to start mail_room
 cat > /etc/supervisor/conf.d/mail_room.conf <<EOF
 [program:mail_room]
diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml
new file mode 100644
index 000000000..a65dce7d2
--- /dev/null
+++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml
@@ -0,0 +1,95 @@
+# This is a configuration file for kas that contains the default values for the settings.
+# It DOES NOT contain all the possible configuration knobs.
+# The source of truth is kascfg.proto.
+# It contains all the fields and documentation them.
+# If you are looking for a setting, start from the ConfigurationFile message in:
+# - the proto file kascfg.proto.
+# - the generated documentation in kascfg_proto_docs.md.
+# Correctness of this file is enforced by a unit test in kascfg_defaults_test.go.
+
+agent:
+  configuration:
+    max_configuration_file_size: 131072
+    poll_period: 300s
+  info_cache_error_ttl: 60s
+  info_cache_ttl: 300s
+  kubernetes_api:
+    allowed_agent_cache_error_ttl: 10s
+    allowed_agent_cache_ttl: 60s
+    listen:
+      address: 127.0.0.1:8154
+      listen_grace_period: 5s
+      network: tcp
+      shutdown_grace_period: 3600s
+    url_path_prefix: {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/k8s-proxy/
+    websocket_token_secret_file: {{GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}}
+  listen:
+    address: 127.0.0.1:8150
+    connections_per_token_per_minute: 40000
+    listen_grace_period: 5s
+    max_connection_age: 7200s
+    network: tcp
+    websocket: true
+  receptive_agent:
+    poll_period: 60s
+  redis_conn_info_gc: 600s
+  redis_conn_info_refresh: 240s
+  redis_conn_info_ttl: 300s
+api:
+  listen:
+    address: 127.0.0.1:8153
+    listen_grace_period: 5s
+    max_connection_age: 7200s
+    network: tcp
+    authentication_secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}}  # required
+gitaly:
+  global_api_rate_limit:
+    bucket_size: 70
+    refill_rate_per_second: 30
+  per_server_api_rate_limit:
+    bucket_size: 40
+    refill_rate_per_second: 15
+gitlab:
+  address: http://127.0.0.1:8080{{GITLAB_RELATIVE_URL_ROOT}}
+  authentication_secret_file: {{GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}} # required
+  api_rate_limit:
+    bucket_size: 250
+    refill_rate_per_second: 50
+observability:
+  event_reporting_period: 300s
+  google_profiler: {}
+  listen:
+    address: 127.0.0.1:8151
+    network: tcp
+  liveness_probe:
+    url_path: /liveness
+  logging:
+    level: debug
+    grpc_level: debug
+  prometheus:
+    url_path: /metrics
+  readiness_probe:
+    url_path: /readiness
+  sentry: {}
+  usage_reporting_period: 10s
+private_api:
+  listen:
+    address: 0.0.0.0:8155
+    listen_grace_period: 5s
+    max_connection_age: 7200s
+    network: tcp
+    authentication_secret_file: {{GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}}
+redis:
+  dial_timeout: 5s
+  key_prefix: gitlab-kas
+  network: tcp
+  write_timeout: 3s
+  server:
+    address: "{{REDIS_HOST}}:{{REDIS_PORT}}" # required
+workspaces:
+  listen:
+    address: 127.0.0.1:8160
+    listen_grace_period: 5s
+    network: tcp
+    shutdown_grace_period: 3600s
+
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index 6961a63ce..8e05f3349 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -1174,6 +1174,22 @@ production: &base
     # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app).
     # secret_file: /home/git/gitlab/.gitlab_workhorse_secret
 
+  gitlab_kas:
+    enabled: {{GITLAB_KAS_ENABLED}}
+    # File that contains the secret key for verifying access for gitlab-kas.
+    # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app).
+    secret_file: {{GITLAB_KAS_SECRET}} # /home/git/gitlab/.gitlab_kas_secret
+
+    # The URL to the external KAS API (used by the Kubernetes agents)
+    external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com
+
+    # The URL to the internal KAS API (used by the GitLab backend)
+    internal_url: {{GITLAB_KAS_INTERNAL}} # grpc://localhost:8153
+
+    # The URL to the Kubernetes API proxy (used by GitLab users)
+    external_k8s_proxy_url: {{GITLAB_KAS_PROXY}} # https://localhost:8154 # default: nil
+
+
   ## GitLab Elasticsearch settings
   elasticsearch:
     indexer_path: {{GITLAB_HOME}}/gitlab-elasticsearch-indexer/
@@ -1358,7 +1374,7 @@ test:
         region: us-east-1
 
   gitlab:
-    host: localhost
+    host: 127.0.0.1
     port: 80
 
     content_security_policy:
diff --git a/assets/runtime/config/gitlabhq/puma.rb b/assets/runtime/config/gitlabhq/puma.rb
index df5b5eeac..faa5ca586 100644
--- a/assets/runtime/config/gitlabhq/puma.rb
+++ b/assets/runtime/config/gitlabhq/puma.rb
@@ -34,34 +34,50 @@
 # Bind the server to "url". "tcp://", "unix://" and "ssl://" are the only
 # accepted protocols.
 bind 'unix:///home/git/gitlab/tmp/sockets/gitlab.socket'
-bind 'tcp://127.0.0.1:8080'
 
 workers {{PUMA_WORKERS}}
 
 require_relative "{{GITLAB_INSTALL_DIR}}/lib/gitlab/cluster/lifecycle_events"
 
-on_restart do
-  # Signal application hooks that we're about to restart
-  Gitlab::Cluster::LifecycleEvents.do_before_master_restart
-end
+if Gem::Version.new(Puma::Const::PUMA_VERSION) < Gem::Version.new('7.0')
+  Gitlab::Cluster::LifecycleEvents.set_puma_options @config.options
 
-before_fork do
-  # Signal to the puma killer
-  Gitlab::Cluster::PumaWorkerKillerInitializer.start(@config.options, puma_per_worker_max_memory_mb: {{PUMA_PER_WORKER_MAX_MEMORY_MB}}, puma_master_max_memory_mb: {{PUMA_MASTER_MAX_MEMORY_MB}}) unless ENV['DISABLE_PUMA_WORKER_KILLER']
+  on_restart do
+    # Signal application hooks that we're about to restart
+    Gitlab::Cluster::LifecycleEvents.do_before_master_restart
+  end
 
-  # Signal application hooks that we're about to fork
-  Gitlab::Cluster::LifecycleEvents.do_before_fork
-end
+  on_worker_boot do
+    # Signal application hooks of worker start
+    Gitlab::Cluster::LifecycleEvents.do_worker_start
+  end
 
-Gitlab::Cluster::LifecycleEvents.set_puma_options @config.options
-on_worker_boot do
-  # Signal application hooks of worker start
-  Gitlab::Cluster::LifecycleEvents.do_worker_start
+  on_worker_shutdown do
+    # Signal application hooks that a worker is shutting down
+    Gitlab::Cluster::LifecycleEvents.do_worker_stop
+  end
+else
+  Gitlab::Cluster::LifecycleEvents.set_puma_worker_count(3)
+
+  before_restart do
+    # Signal application hooks that we're about to restart
+    Gitlab::Cluster::LifecycleEvents.do_before_master_restart
+  end
+
+  before_worker_boot do
+    # Signal application hooks of worker start
+    Gitlab::Cluster::LifecycleEvents.do_worker_start
+  end
+
+  before_worker_shutdown do
+    # Signal application hooks that a worker is shutting down
+    Gitlab::Cluster::LifecycleEvents.do_worker_stop
+  end
 end
 
-on_worker_shutdown do
-  # Signal application hooks that a worker is shutting down
-  Gitlab::Cluster::LifecycleEvents.do_worker_stop
+before_fork do
+  # Signal application hooks that we're about to fork
+  Gitlab::Cluster::LifecycleEvents.do_before_fork
 end
 
 # Preload the application before starting the workers; this conflicts with
@@ -87,11 +103,10 @@
   json_formatter.call(str)
 end
 
-lowlevel_error_handler do |ex, env|
-  if Raven.configuration.capture_allowed?
-    Raven.capture_exception(ex, tags: { 'handler': 'puma_low_level' }, extra: { puma_env: env })
-  end
+require_relative "{{GITLAB_INSTALL_DIR}}/lib/gitlab/puma/error_handler"
+
+error_handler = Gitlab::Puma::ErrorHandler.new(ENV['RAILS_ENV'] == 'production')
 
-  # note the below is just a Rack response
-  [500, {}, ["An error has occurred and reported in the system's low-level error handler."]]
+lowlevel_error_handler do |ex, env, status_code|
+  error_handler.execute(ex, env, status_code)
 end
diff --git a/assets/runtime/config/nginx/gitlab b/assets/runtime/config/nginx/gitlab
index 185ee0451..680e9ea71 100644
--- a/assets/runtime/config/nginx/gitlab
+++ b/assets/runtime/config/nginx/gitlab
@@ -84,6 +84,54 @@ server {
     proxy_pass http://gitlab-workhorse;
   }
 
+  #start-builtin-kas
+  location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/ {
+    client_max_body_size 0;
+    gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+    proxy_buffering         {{NGINX_PROXY_BUFFERING}};
+
+    proxy_http_version 1.1;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   {{NGINX_X_FORWARDED_PROTO}};
+    proxy_set_header    Upgrade             $http_upgrade;
+    proxy_set_header    Connection          $connection_upgrade_gitlab;
+
+    proxy_pass http://127.0.0.1:8150;
+  }
+
+  location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/k8s-proxy/ {
+    client_max_body_size 0;
+    gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+    proxy_buffering         {{NGINX_PROXY_BUFFERING}};
+
+    proxy_http_version 1.1;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   {{NGINX_X_FORWARDED_PROTO}};
+    proxy_set_header    Upgrade             $http_upgrade;
+    proxy_set_header    Connection          $connection_upgrade_gitlab;
+
+    proxy_pass http://127.0.0.1:8154;
+  }
+  #end-builtin-kas
+
   error_page 404 /404.html;
   error_page 422 /422.html;
   error_page 500 /500.html;
diff --git a/assets/runtime/config/nginx/gitlab-ssl b/assets/runtime/config/nginx/gitlab-ssl
index b52b86a67..33ce94bac 100644
--- a/assets/runtime/config/nginx/gitlab-ssl
+++ b/assets/runtime/config/nginx/gitlab-ssl
@@ -131,6 +131,54 @@ server {
     proxy_pass http://gitlab-workhorse;
   }
 
+  #start-builtin-kas
+  location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/ {
+    client_max_body_size 0;
+    gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+    proxy_buffering         {{NGINX_PROXY_BUFFERING}};
+
+    proxy_http_version 1.1;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   {{NGINX_X_FORWARDED_PROTO}};
+    proxy_set_header    Upgrade             $http_upgrade;
+    proxy_set_header    Connection          $connection_upgrade_gitlab;
+
+    proxy_pass http://127.0.0.1:8150;
+  }
+
+  location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/k8s-proxy/ {
+    client_max_body_size 0;
+    gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+    proxy_buffering         {{NGINX_PROXY_BUFFERING}};
+
+    proxy_http_version 1.1;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   {{NGINX_X_FORWARDED_PROTO}};
+    proxy_set_header    Upgrade             $http_upgrade;
+    proxy_set_header    Connection          $connection_upgrade_gitlab;
+
+    proxy_pass http://127.0.0.1:8154;
+  }
+  #end-builtin-kas
+
   error_page 404 /404.html;
   error_page 422 /422.html;
   error_page 500 /500.html;
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index 483446924..34d084bc1 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
@@ -682,3 +682,19 @@ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI=${GITLAB_CONTENT_SECURITY_P
 ## Feature Flags
 GITLAB_FEATURE_FLAGS_DISABLE_TARGETS=${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS:-}
 GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-}
+
+## Gitlab KAS
+GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false}
+GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"}
+GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://127.0.0.1:8153"}
+GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-}
+
+## gitlab-agent KAS (built-in one)
+GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret}
+GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_private_api_secret}
+GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE=${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_websocket_token_secret}
+GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-}
+GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE:-${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}}
+GITLAB_AGENT_BUILTIN_KAS_ENABLED=${GITLAB_AGENT_BUILTIN_KAS_ENABLED:-false}
+
+GITLAB_KAS_SECRET=${GITLAB_KAS_SECRET:-${GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE}}
diff --git a/assets/runtime/functions b/assets/runtime/functions
index d714f8c80..50f025075 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -29,6 +29,7 @@ GITLAB_REGISTRY_NGINX_CONFIG="/etc/nginx/conf.d/gitlab-registry.conf"
 GITLAB_PAGES_NGINX_CONFIG="/etc/nginx/conf.d/gitlab-pages.conf"
 GITLAB_PAGES_CONFIG="${GITLAB_INSTALL_DIR}/gitlab-pages-config"
 GITLAB_GITALY_CONFIG="${GITLAB_GITALY_INSTALL_DIR}/config.toml"
+GITLAB_KAS_CONFIG="${GITLAB_AGENT_INSTALL_DIR}/gitlab-kas_config.yaml"
 
 # Compares two version strings `a` and `b`
 # Returns
@@ -363,6 +364,39 @@ gitlab_configure_monitoring() {
     GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT
 }
 
+gitlab_configure_gitlab_kas() {
+  echo "Configuring gitlab::KAS..."
+
+  update_template ${GITLAB_CONFIG} \
+    GITLAB_KAS_ENABLED \
+    GITLAB_KAS_EXTERNAL \
+    GITLAB_KAS_INTERNAL \
+    GITLAB_KAS_SECRET \
+    GITLAB_KAS_PROXY
+
+  printf "Configuring gitlab-agent::KAS (enabled: %s)\n" "${GITLAB_AGENT_BUILTIN_KAS_ENABLED}"
+  if [[ ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]; then
+    update_template ${GITLAB_KAS_CONFIG} \
+      GITLAB_RELATIVE_URL_ROOT \
+      GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \
+      GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \
+      GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE \
+      GITLAB_AGENT_KAS_GITLAB_AUTHENTICATION_SECRET_FILE \
+      REDIS_HOST \
+      REDIS_PORT \
+      GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE
+  fi
+
+  if [[ -n ${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE} ]]; then
+    exec_as_git touch "${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}"
+    exec_as_git chmod 600 "${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}"
+    # TODO: Once this image supports redis password authentication, write the password to a file here
+  fi
+
+  # enable/disable startup of gitlab-kas : set autostart entry in supervisor config using GITLAB_AGENT_BUILTIN_KAS_ENABLED
+  update_template /etc/supervisor/conf.d/gitlab-kas.conf GITLAB_AGENT_BUILTIN_KAS_ENABLED
+}
+
 gitlab_configure_gitlab_workhorse() {
   echo "Configuring gitlab::gitlab-workhorse..."
   update_template /etc/supervisor/conf.d/gitlab-workhorse.conf \
@@ -931,6 +965,23 @@ gitlab_configure_secrets() {
     exec_as_git openssl rand -base64 -out "${pages_secret}" 32
     chmod 600 "${pages_secret}"
   fi
+
+  if [[ ! -f "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then
+    exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32
+    chmod 600 ${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}
+  fi
+  
+  # KAS secret for private_api is not required so this can be empty string,
+  # but empty string is not match to "is file" condition so we don't care the case
+  if [[ ! -f "${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then
+    exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32
+    chmod 600 ${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}
+  fi
+  
+  if [[ ! -f "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}" ]]; then
+    exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}" 72
+    chmod 600 ${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}
+  fi
 }
 
 gitlab_configure_sidekiq() {
@@ -1552,12 +1603,19 @@ nginx_configure_gitlab_real_ip() {
 
 nginx_configure_gitlab() {
   echo "Configuring nginx::gitlab..."
+  if [[ ! ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]; then
+    sed -i "/#start-builtin-kas/,/#end-builtin-kas/d" ${GITLAB_NGINX_CONFIG}
+  else
+    sed -i "/#start-builtin-kas/d" ${GITLAB_NGINX_CONFIG}
+    sed -i "/#end-builtin-kas/d" ${GITLAB_NGINX_CONFIG}
+  fi
   update_template ${GITLAB_NGINX_CONFIG} \
     GITLAB_HOME \
     GITLAB_INSTALL_DIR \
     GITLAB_LOG_DIR \
     GITLAB_HOST \
     GITLAB_PORT \
+    GITLAB_RELATIVE_URL_ROOT \
     NGINX_PROXY_BUFFERING \
     NGINX_ACCEL_BUFFERING \
     NGINX_X_FORWARDED_PROTO \
@@ -1980,6 +2038,10 @@ install_configuration_templates() {
   fi
 
   install_template ${GITLAB_USER}: gitaly/config.toml ${GITLAB_GITALY_CONFIG}
+  
+  if [[ ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]; then
+    install_template ${GITLAB_USER}: gitlab-agent/gitlab-kas_config.yaml ${GITLAB_KAS_CONFIG} 0640
+  fi
 }
 
 configure_gitlab() {
@@ -2041,6 +2103,7 @@ configure_gitlab() {
   gitlab_configure_pages
   gitlab_configure_sentry
   generate_healthcheck_script
+  gitlab_configure_gitlab_kas
   gitlab_configure_content_security_policy
 
   # remove stale gitlab.socket
@@ -2283,6 +2346,7 @@ execute_raketask() {
     /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
     supervisorctl stop gitlab_extensions:*
     supervisorctl stop gitlab:*
+    supervisorctl stop gitlab_kas
     interactive=true
     for arg in $@
     do
diff --git a/contrib/docker-swarm/docker-compose.yml b/contrib/docker-swarm/docker-compose.yml
index 21ddc5832..8c249db1c 100644
--- a/contrib/docker-swarm/docker-compose.yml
+++ b/contrib/docker-swarm/docker-compose.yml
@@ -20,7 +20,7 @@ services:
 
   gitlab:
     restart: always
-    image: sameersbn/gitlab:18.6.2
+    image: sameersbn/gitlab:18.7.0
     depends_on:
       - redis
       - postgresql
diff --git a/docker-compose.swarm.yml b/docker-compose.swarm.yml
index 8938757e2..e7fe1d4bf 100644
--- a/docker-compose.swarm.yml
+++ b/docker-compose.swarm.yml
@@ -62,7 +62,7 @@ services:
       - traefik-public
 
   gitlab:
-    image: sameersbn/gitlab:18.6.2
+    image: sameersbn/gitlab:18.7.0
     depends_on:
       - redis
       - postgresql
diff --git a/docker-compose.yml b/docker-compose.yml
index 52d87375c..cc74b2440 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -21,7 +21,7 @@ services:
 
   gitlab:
     restart: always
-    image: sameersbn/gitlab:18.6.2
+    image: sameersbn/gitlab:18.7.0
     depends_on:
       - redis
       - postgresql
diff --git a/docs/container_registry.md b/docs/container_registry.md
index f0f99189b..0a0671bfa 100644
--- a/docs/container_registry.md
+++ b/docs/container_registry.md
@@ -291,7 +291,7 @@ Execute the rake task with a removeable container.
 
 ```bash
 docker run --name gitlab -it --rm [OPTIONS] \
-    sameersbn/gitlab:18.6.2 app:rake gitlab:backup:create
+    sameersbn/gitlab:18.7.0 app:rake gitlab:backup:create
 ```
 
 ### Restoring Backups
@@ -308,7 +308,7 @@ Execute the rake task to restore a backup. Make sure you run the container in in
 
 ```bash
 docker run --name gitlab -it --rm [OPTIONS] \
-    sameersbn/gitlab:18.6.2 app:rake gitlab:backup:restore
+    sameersbn/gitlab:18.7.0 app:rake gitlab:backup:restore
 ```
 
 The list of all available backups will be displayed in reverse chronological order. Select the backup you want to restore and continue.
@@ -317,7 +317,7 @@ To avoid user interaction in the restore operation, specify the timestamp of the
 
 ```bash
 docker run --name gitlab -it --rm [OPTIONS] \
-    sameersbn/gitlab:18.6.2 app:rake gitlab:backup:restore BACKUP=1417624827
+    sameersbn/gitlab:18.7.0 app:rake gitlab:backup:restore BACKUP=1417624827
 ```
 
 ## Upgrading from an existing GitLab installation
@@ -327,7 +327,7 @@ If you want enable this feature for an existing instance of GitLab you need to d
 - **Step 1**: Update the docker image.
 
 ```bash
-docker pull sameersbn/gitlab:18.6.2
+docker pull sameersbn/gitlab:18.7.0
 ```
 
 - **Step 2**: Stop and remove the currently running image
@@ -381,7 +381,7 @@ docker run --name gitlab -d [PREVIOUS_OPTIONS] \
 --env 'GITLAB_REGISTRY_CERT_PATH=/certs/registry-auth.crt' \
 --env 'GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key' \
 --link registry:registry
-sameersbn/gitlab:18.6.2
+sameersbn/gitlab:18.7.0
 ```
 
 [storage-config]: https://docs.docker.com/registry/configuration/#storage
diff --git a/docs/docker-compose-keycloak.yml b/docs/docker-compose-keycloak.yml
index b65c86b6d..451aa5cfe 100644
--- a/docs/docker-compose-keycloak.yml
+++ b/docs/docker-compose-keycloak.yml
@@ -20,7 +20,7 @@ services:
 
   gitlab:
     restart: always
-    image: sameersbn/gitlab:18.6.2
+    image: sameersbn/gitlab:18.7.0
     depends_on:
       - redis
       - postgresql
diff --git a/docs/docker-compose-registry.yml b/docs/docker-compose-registry.yml
index cd9f99527..b14727075 100644
--- a/docs/docker-compose-registry.yml
+++ b/docs/docker-compose-registry.yml
@@ -20,7 +20,7 @@ services:
 
   gitlab:
     restart: always
-    image: sameersbn/gitlab:18.6.2
+    image: sameersbn/gitlab:18.7.0
     volumes:
       - gitlab-data:/home/git/data:Z
       - gitlab-logs:/var/log/gitlab
diff --git a/kubernetes/gitlab-rc.yml b/kubernetes/gitlab-rc.yml
index eb4ee606e..0b88ea69f 100644
--- a/kubernetes/gitlab-rc.yml
+++ b/kubernetes/gitlab-rc.yml
@@ -14,7 +14,7 @@ spec:
     spec:
       containers:
       - name: gitlab
-        image: sameersbn/gitlab:18.6.2
+        image: sameersbn/gitlab:18.7.0
         env:
         - name: TZ
           value: Asia/Kolkata