diff --git a/Dockerfile b/Dockerfile
index 7712fb6be..faeae14c6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,6 +10,7 @@ ENV GITLAB_VERSION=${VERSION} \
     GITLAB_SHELL_VERSION=14.45.3 \
     GITLAB_PAGES_VERSION=18.5.1 \
     GITALY_SERVER_VERSION=18.5.1 \
+    GITLAB_AGENT_VERSION=18.5.1 \
     GITLAB_USER="git" \
     GITLAB_HOME="/home/git" \
     GITLAB_LOG_DIR="/var/log/gitlab" \
@@ -21,6 +22,7 @@ ENV GITLAB_VERSION=${VERSION} \
 ENV GITLAB_INSTALL_DIR="${GITLAB_HOME}/gitlab" \
     GITLAB_SHELL_INSTALL_DIR="${GITLAB_HOME}/gitlab-shell" \
     GITLAB_GITALY_INSTALL_DIR="${GITLAB_HOME}/gitaly" \
+    GITLAB_AGENT_INSTALL_DIR="${GITLAB_HOME}/gitlab-agent" \
     GITLAB_DATA_DIR="${GITLAB_HOME}/data" \
     GITLAB_BUILD_DIR="${GITLAB_CACHE_DIR}/build" \
     GITLAB_RUNTIME_DIR="${GITLAB_CACHE_DIR}/runtime"
diff --git a/README.md b/README.md
index 5ecf8e454..b8df6945b 100644
--- a/README.md
+++ b/README.md
@@ -54,6 +54,7 @@
     - [Piwik](#piwik)
     - [Feature flags](#feature-flags)
     - [Exposing ssh port in dockerized gitlab-ce](docs/exposing-ssh-port.md)
+    - [Gitlab KAS](#Gitlab-KAS)
     - [Available Configuration Parameters](#available-configuration-parameters)
 - [Maintenance](#maintenance)
     - [Creating Backups](#creating-backups)
@@ -914,6 +915,27 @@ Configuring gitlab::feature_flags...
 ...
 ````
 
+#### Gitlab KAS
+
+GitLab agent server for Kubernetes (KAS) is disabled by default, but you can enable it by setting configuration parameter [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled) to true.  
+By default, built-in `gitlab-kas` is also enabled once you enable KAS feature. But you can use an external installation of KAS by setting internal URL for the GitLab backend. Corresponding configuration parameter is [`GITLAB_KAS_INTERNAL`](#gitlab_kas_internal).  
+You can specify user-facing URL by setting [`GITLAB_KAS_EXTERNAL`](#gitlab_kas_external). If you set up proxy URL, use `GITLAB_KAS_PROXY`.
+
+You can specify custom secret file by setting [`GITLAB_KAS_SECRET`](#gitlab_kas_secret). This secret file will be generated if they don't exist.
+
+#### Built-in GitLab-Agent KAS
+
+To control whether launch built-in `gitlab-kas` on container startup or not, you can use configuration parameter [`GITLAB_AGENT_BUILTIN_KAS_ENABLED`](#gitlab_agent_builtin_kas_enabled).
+
+You can specify custom secret file by setting [`GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_api_listen_authentication_secret_file) and [`GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`](#gitlab_agent_kas_private_api_listen_authentication_secret_file). These secret files also be generated if they don't exist.
+
+Built-in KAS communicates to redis. The host and ports are set using `REDIS_HOST` and `REDIS_PORT`.  
+You can specify the password file path in `GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE`, but please do not set the parameter. We still do not support password authentication for Redis. The password file should contain the redis authentication password, but this is not currently done because there is no way to specify the redis password. So please let this parameter empty. See [sameersbn/gitlab#1026](https://github.com/sameersbn/docker-gitlab/pull/1026)
+
+Also note that KAS requires that environment variable `OWN_PRIVATE_API_URL` is set (e.g. `OWN_PRIVATE_API_URL=grpc://127.0.0.1:8155`). If not, the KAS service will keep restarting.
+
+See [official documentation](https://docs.gitlab.com/ee/administration/clusters/kas.html) for more detail.
+
 #### Available Configuration Parameters
 
 *Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose. docker-compose users and Docker Swarm mode users can also use the [secrets and config file options](#docker-secrets-and-configs)*
@@ -1236,6 +1258,44 @@ Default Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSO
 
 Cron notation for the GitLab pipeline schedule worker. Defaults to `'19 * * * *'`
 
+##### `GITLAB_KAS_ENABLED`
+
+Enable/Disable GitLab agent server for Kubernetes (KAS). See details on [official documentation](https://docs.gitlab.com/ee/administration/clusters/kas.html). Defaults to `false`
+
+##### `GITLAB_KAS_SECRET`
+
+File that contains the secret key for verifying access for GitLab KAS. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_secret`
+
+##### `GITLAB_KAS_EXTERNAL`
+
+User-facing URL for the in-cluster agent. Defaults to `"wss://kas.example.com"`
+
+##### `GITLAB_KAS_INTERNAL`
+
+Internal URL for the GitLab backend. Defaults to `"grpc://localhost:8153"`
+
+##### `GITLAB_KAS_PROXY`
+
+The URL to the Kubernetes API proxy (used by GitLab users). No default.
+
+#### `GITLAB_AGENT_BUILTIN_KAS_ENABLED`
+
+Control startup behavior of built-in KAS. `autostart` value in supervisor configuration for KAS will be set to this value. Default to [`GITLAB_KAS_ENABLED`](#gitlab_kas_enabled)
+
+##### `GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE`
+
+An authentication secret file to verify JWT token, for built-in KAS API. If not exist, an secret file will be generated on startup. Defaults to `${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret`
+
+##### `GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE`
+
+An authentication secret file to verify JWT token, for built-in KAS internal API. If not exists, an secret file will be generated on startup. This is not "required", so please leave blank if you don't need it. No default.
+
+##### `GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE`
+
+Path for the file that contains redis password to be used by built-in KAS. This is not "required", so please leave blank if you don't need it. No default.
+
+NOTE: We currently do not support password authentication between gitlab and redis. See [sameersbn/gitlab#1026](https://github.com/sameersbn/docker-gitlab/pull/1026)
+
 ##### `GITLAB_LFS_ENABLED`
 
 Enable/Disable Git LFS support. Defaults to `true`.
diff --git a/assets/build/install.sh b/assets/build/install.sh
index 817fd61cf..6b07cec7e 100755
--- a/assets/build/install.sh
+++ b/assets/build/install.sh
@@ -5,10 +5,12 @@ GITLAB_CLONE_URL=https://gitlab.com/gitlab-org/gitlab-foss.git
 GITLAB_SHELL_URL=https://gitlab.com/gitlab-org/gitlab-shell/-/archive/v${GITLAB_SHELL_VERSION}/gitlab-shell-v${GITLAB_SHELL_VERSION}.tar.bz2
 GITLAB_PAGES_URL=https://gitlab.com/gitlab-org/gitlab-pages.git
 GITLAB_GITALY_URL=https://gitlab.com/gitlab-org/gitaly.git
+GITLAB_AGENT_URL=https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent.git
 
 GITLAB_WORKHORSE_BUILD_DIR=${GITLAB_INSTALL_DIR}/workhorse
 GITLAB_PAGES_BUILD_DIR=/tmp/gitlab-pages
 GITLAB_GITALY_BUILD_DIR=/tmp/gitaly
+GITLAB_AGENT_BUILD_DIR=/tmp/gitlab-agent
 
 RUBY_SRC_URL=https://cache.ruby-lang.org/pub/ruby/${RUBY_VERSION%.*}/ruby-${RUBY_VERSION}.tar.gz
 
@@ -171,6 +173,18 @@ make -C ${GITLAB_GITALY_BUILD_DIR} git GIT_PREFIX=/usr/local
 # clean up
 rm -rf ${GITLAB_GITALY_BUILD_DIR}
 
+# download gitlab-agent (KAS)
+echo "Downloading gitlab-agent v.${GITLAB_AGENT_VERSION}..."
+git clone -q -b v${GITLAB_AGENT_VERSION} --depth 1 ${GITLAB_AGENT_URL} ${GITLAB_AGENT_BUILD_DIR}
+
+# install gitlab-agent (KAS)
+mkdir -p "${GITLAB_AGENT_INSTALL_DIR}"
+make -C ${GITLAB_AGENT_BUILD_DIR} kas TARGET_DIRECTORY=/usr/local/bin
+chown -R ${GITLAB_USER}: ${GITLAB_AGENT_INSTALL_DIR}
+
+# clean up
+rm -rf ${GITLAB_AGENT_BUILD_DIR}
+
 # remove go
 go clean --modcache
 rm -rf ${GITLAB_BUILD_DIR}/go${GOLANG_VERSION}.linux-amd64.tar.gz ${GOROOT}
@@ -411,6 +425,20 @@ stdout_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log
 stderr_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log
 EOF
 
+# configure superisord to start gitlab-agent (KAS)
+cat > /etc/supervisor/conf.d/gitlab-kas.conf <<EOF
+[program:gitlab_kas]
+priority=5
+directory=${GITLAB_AGENT_INSTALL_DIR}
+environment=HOME=${GITLAB_HOME}
+command=/usr/local/bin/kas --configuration-file="${GITLAB_AGENT_INSTALL_DIR}/gitlab-kas_config.yaml"
+user=git
+autostart={{GITLAB_AGENT_BUILTIN_KAS_ENABLED}}
+autorestart=true
+stdout_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log
+stderr_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log
+EOF
+
 # configure supervisord to start mail_room
 cat > /etc/supervisor/conf.d/mail_room.conf <<EOF
 [program:mail_room]
diff --git a/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml
new file mode 100755
index 000000000..06d7efc69
--- /dev/null
+++ b/assets/runtime/config/gitlab-agent/gitlab-kas_config.yaml
@@ -0,0 +1,95 @@
+# This is a configuration file for kas that contains the default values for the settings.
+# It DOES NOT contain all the possible configuration knobs.
+# The source of truth is kascfg.proto.
+# It contains all the fields and documentation them.
+# If you are looking for a setting, start from the ConfigurationFile message in:
+# - the proto file kascfg.proto.
+# - the generated documentation in kascfg_proto_docs.md.
+# Correctness of this file is enforced by a unit test in kascfg_defaults_test.go.
+
+agent:
+  configuration:
+    max_configuration_file_size: 131072
+    poll_period: 300s
+  info_cache_error_ttl: 60s
+  info_cache_ttl: 300s
+  kubernetes_api:
+    allowed_agent_cache_error_ttl: 10s
+    allowed_agent_cache_ttl: 60s
+    listen:
+      address: 127.0.0.1:8154
+      listen_grace_period: 5s
+      network: tcp
+      shutdown_grace_period: 3600s
+    url_path_prefix: {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/k8s-proxy/
+    websocket_token_secret_file: {{GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}}
+  listen:
+    address: 127.0.0.1:8150
+    connections_per_token_per_minute: 40000
+    listen_grace_period: 5s
+    max_connection_age: 7200s
+    network: tcp
+    websocket: true
+  receptive_agent:
+    poll_period: 60s
+  redis_conn_info_gc: 600s
+  redis_conn_info_refresh: 240s
+  redis_conn_info_ttl: 300s
+api:
+  listen:
+    address: 127.0.0.1:8153
+    listen_grace_period: 5s
+    max_connection_age: 7200s
+    network: tcp
+    authentication_secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}}  # required
+gitaly:
+  global_api_rate_limit:
+    bucket_size: 70
+    refill_rate_per_second: 30
+  per_server_api_rate_limit:
+    bucket_size: 40
+    refill_rate_per_second: 15
+gitlab:
+  address: http://127.0.0.1:8080{{GITLAB_RELATIVE_URL_ROOT}}
+  authentication_secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # required
+  api_rate_limit:
+    bucket_size: 250
+    refill_rate_per_second: 50
+observability:
+  event_reporting_period: 300s
+  google_profiler: {}
+  listen:
+    address: 127.0.0.1:8151
+    network: tcp
+  liveness_probe:
+    url_path: /liveness
+  logging:
+    level: debug
+    grpc_level: debug
+  prometheus:
+    url_path: /metrics
+  readiness_probe:
+    url_path: /readiness
+  sentry: {}
+  usage_reporting_period: 10s
+private_api:
+  listen:
+    address: 0.0.0.0:8155
+    listen_grace_period: 5s
+    max_connection_age: 7200s
+    network: tcp
+    authentication_secret_file: {{GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}}
+redis:
+  dial_timeout: 5s
+  key_prefix: gitlab-kas
+  network: tcp
+  write_timeout: 3s
+  server:
+    address: "{{REDIS_HOST}}:{{REDIS_PORT}}" # required
+workspaces:
+  listen:
+    address: 127.0.0.1:8160
+    listen_grace_period: 5s
+    network: tcp
+    shutdown_grace_period: 3600s
+
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index 9d562de66..4fb96ee26 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -1173,6 +1173,22 @@ production: &base
     # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app).
     # secret_file: /home/git/gitlab/.gitlab_workhorse_secret
 
+  gitlab_kas:
+    enabled: {{GITLAB_KAS_ENABLED}}
+    # File that contains the secret key for verifying access for gitlab-kas.
+    # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app).
+    secret_file: {{GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}} # /home/git/gitlab/.gitlab_kas_secret
+
+    # The URL to the external KAS API (used by the Kubernetes agents)
+    external_url: {{GITLAB_KAS_EXTERNAL}} # wss://kas.example.com
+
+    # The URL to the internal KAS API (used by the GitLab backend)
+    internal_url: {{GITLAB_KAS_INTERNAL}} # grpc://localhost:8153
+
+    # The URL to the Kubernetes API proxy (used by GitLab users)
+    external_k8s_proxy_url: {{GITLAB_KAS_PROXY}} # https://localhost:8154 # default: nil
+
+
   ## GitLab Elasticsearch settings
   elasticsearch:
     indexer_path: {{GITLAB_HOME}}/gitlab-elasticsearch-indexer/
@@ -1357,7 +1373,7 @@ test:
         region: us-east-1
 
   gitlab:
-    host: localhost
+    host: 127.0.0.1
     port: 80
 
     content_security_policy:
diff --git a/assets/runtime/config/nginx/gitlab b/assets/runtime/config/nginx/gitlab
index 75001235e..43f8456ea 100644
--- a/assets/runtime/config/nginx/gitlab
+++ b/assets/runtime/config/nginx/gitlab
@@ -84,6 +84,54 @@ server {
     proxy_pass http://gitlab-workhorse;
   }
 
+  #start-builtin-kas
+  location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/ {
+    client_max_body_size 0;
+    gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+    proxy_buffering         {{NGINX_PROXY_BUFFERING}};
+
+    proxy_http_version 1.1;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   {{NGINX_X_FORWARDED_PROTO}};
+    proxy_set_header    Upgrade             $http_upgrade;
+    proxy_set_header    Connection          $connection_upgrade_gitlab;
+
+    proxy_pass http://127.0.0.1:8150;
+  }
+
+  location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/k8s-proxy/ {
+    client_max_body_size 0;
+    gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+    proxy_buffering         {{NGINX_PROXY_BUFFERING}};
+
+    proxy_http_version 1.1;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   {{NGINX_X_FORWARDED_PROTO}};
+    proxy_set_header    Upgrade             $http_upgrade;
+    proxy_set_header    Connection          $connection_upgrade_gitlab;
+
+    proxy_pass http://127.0.0.1:8154;
+  }
+  #end-builtin-kas
+
   error_page 404 /404.html;
   error_page 422 /422.html;
   error_page 500 /500.html;
diff --git a/assets/runtime/config/nginx/gitlab-ssl b/assets/runtime/config/nginx/gitlab-ssl
index 1057e0926..15f12008e 100644
--- a/assets/runtime/config/nginx/gitlab-ssl
+++ b/assets/runtime/config/nginx/gitlab-ssl
@@ -131,6 +131,54 @@ server {
     proxy_pass http://gitlab-workhorse;
   }
 
+  #start-builtin-kas
+  location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/ {
+    client_max_body_size 0;
+    gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+    proxy_buffering         {{NGINX_PROXY_BUFFERING}};
+
+    proxy_http_version 1.1;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   {{NGINX_X_FORWARDED_PROTO}};
+    proxy_set_header    Upgrade             $http_upgrade;
+    proxy_set_header    Connection          $connection_upgrade_gitlab;
+
+    proxy_pass http://127.0.0.1:8150;
+  }
+
+  location {{GITLAB_RELATIVE_URL_ROOT}}/-/kubernetes-agent/k8s-proxy/ {
+    client_max_body_size 0;
+    gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+    proxy_buffering         {{NGINX_PROXY_BUFFERING}};
+
+    proxy_http_version 1.1;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   {{NGINX_X_FORWARDED_PROTO}};
+    proxy_set_header    Upgrade             $http_upgrade;
+    proxy_set_header    Connection          $connection_upgrade_gitlab;
+
+    proxy_pass http://127.0.0.1:8154;
+  }
+  #end-builtin-kas
+
   error_page 404 /404.html;
   error_page 422 /422.html;
   error_page 500 /500.html;
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index d3269e8ee..4dd2a518f 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
@@ -680,3 +680,16 @@ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI=${GITLAB_CONTENT_SECURITY_P
 ## Feature Flags
 GITLAB_FEATURE_FLAGS_DISABLE_TARGETS=${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS:-}
 GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-}
+
+## Gitlab KAS
+GITLAB_KAS_ENABLED=${GITLAB_KAS_ENABLED:-false}
+GITLAB_KAS_EXTERNAL=${GITLAB_KAS_EXTERNAL:-"wss://kas.example.com"}
+GITLAB_KAS_INTERNAL=${GITLAB_KAS_INTERNAL:-"grpc://127.0.0.1:8153"}
+GITLAB_KAS_PROXY=${GITLAB_KAS_PROXY:-}
+
+## gitlab-agent KAS (built-in one)
+GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_api_secret}
+GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE=${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_private_api_secret}
+GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE=${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE:-${GITLAB_INSTALL_DIR}/.gitlab_kas_websocket_token_secret}
+GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE=${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE:-}
+GITLAB_AGENT_BUILTIN_KAS_ENABLED=${GITLAB_AGENT_BUILTIN_KAS_ENABLED:-false}
diff --git a/assets/runtime/functions b/assets/runtime/functions
index 2315bfc1a..4d5148b9e 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -29,6 +29,7 @@ GITLAB_REGISTRY_NGINX_CONFIG="/etc/nginx/conf.d/gitlab-registry.conf"
 GITLAB_PAGES_NGINX_CONFIG="/etc/nginx/conf.d/gitlab-pages.conf"
 GITLAB_PAGES_CONFIG="${GITLAB_INSTALL_DIR}/gitlab-pages-config"
 GITLAB_GITALY_CONFIG="${GITLAB_GITALY_INSTALL_DIR}/config.toml"
+GITLAB_KAS_CONFIG="${GITLAB_AGENT_INSTALL_DIR}/gitlab-kas_config.yaml"
 
 # Compares two version strings `a` and `b`
 # Returns
@@ -363,6 +364,38 @@ gitlab_configure_monitoring() {
     GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT
 }
 
+gitlab_configure_gitlab_kas() {
+  echo "Configuring gitlab::KAS..."
+
+  update_template ${GITLAB_CONFIG} \
+    GITLAB_KAS_ENABLED \
+    GITLAB_KAS_EXTERNAL \
+    GITLAB_KAS_INTERNAL \
+    GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \
+    GITLAB_KAS_PROXY
+
+  printf "Configuring gitlab-agent::KAS (enabled: %s)\n" "${GITLAB_AGENT_BUILTIN_KAS_ENABLED}"
+  if [[ ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]; then
+    update_template ${GITLAB_KAS_CONFIG} \
+      GITLAB_RELATIVE_URL_ROOT \
+      GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE \
+      GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE \
+      GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE \
+      REDIS_HOST \
+      REDIS_PORT \
+      GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE
+  fi
+
+  if [[ -n ${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE} ]]; then
+    exec_as_git touch "${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}"
+    exec_as_git chmod 600 "${GITLAB_AGENT_KAS_REDIS_PASSWORD_FILE}"
+    # TODO: Once this image supports redis password authentication, write the password to a file here
+  fi
+
+  # enable/disable startup of gitlab-kas : set autostart entry in supervisor config using GITLAB_AGENT_BUILTIN_KAS_ENABLED
+  update_template /etc/supervisor/conf.d/gitlab-kas.conf GITLAB_AGENT_BUILTIN_KAS_ENABLED
+}
+
 gitlab_configure_gitlab_workhorse() {
   echo "Configuring gitlab::gitlab-workhorse..."
   update_template /etc/supervisor/conf.d/gitlab-workhorse.conf \
@@ -931,6 +964,23 @@ gitlab_configure_secrets() {
     exec_as_git openssl rand -base64 -out "${pages_secret}" 32
     chmod 600 "${pages_secret}"
   fi
+
+  if [[ ! -f "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then
+    exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32
+    chmod 600 ${GITLAB_AGENT_KAS_API_LISTEN_AUTHENTICATION_SECRET_FILE}
+  fi
+  
+  # KAS secret for private_api is not required so this can be empty string,
+  # but empty string is not match to "is file" condition so we don't care the case
+  if [[ ! -f "${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" ]]; then
+    exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}" 32
+    chmod 600 ${GITLAB_AGENT_KAS_PRIVATE_API_LISTEN_AUTHENTICATION_SECRET_FILE}
+  fi
+  
+  if [[ ! -f "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}" ]]; then
+    exec_as_git openssl rand -base64 -out "${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}" 72
+    chmod 600 ${GITLAB_AGENT_KAS_WEBSOCKET_TOKEN_SECRET_FILE}
+  fi
 }
 
 gitlab_configure_sidekiq() {
@@ -1551,12 +1601,19 @@ nginx_configure_gitlab_real_ip() {
 
 nginx_configure_gitlab() {
   echo "Configuring nginx::gitlab..."
+  if [[ ! ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]; then
+    sed -i "/#start-builtin-kas/,/#end-builtin-kas/d" ${GITLAB_NGINX_CONFIG}
+  else
+    sed -i "/#start-builtin-kas/d" ${GITLAB_NGINX_CONFIG}
+    sed -i "/#end-builtin-kas/d" ${GITLAB_NGINX_CONFIG}
+  fi
   update_template ${GITLAB_NGINX_CONFIG} \
     GITLAB_HOME \
     GITLAB_INSTALL_DIR \
     GITLAB_LOG_DIR \
     GITLAB_HOST \
     GITLAB_PORT \
+    GITLAB_RELATIVE_URL_ROOT \
     NGINX_PROXY_BUFFERING \
     NGINX_ACCEL_BUFFERING \
     NGINX_X_FORWARDED_PROTO \
@@ -1979,6 +2036,10 @@ install_configuration_templates() {
   fi
 
   install_template ${GITLAB_USER}: gitaly/config.toml ${GITLAB_GITALY_CONFIG}
+  
+  if [[ ${GITLAB_AGENT_BUILTIN_KAS_ENABLED} == true ]]; then
+    install_template ${GITLAB_USER}: gitlab-agent/gitlab-kas_config.yaml ${GITLAB_KAS_CONFIG} 0640
+  fi
 }
 
 configure_gitlab() {
@@ -2040,6 +2101,7 @@ configure_gitlab() {
   gitlab_configure_pages
   gitlab_configure_sentry
   generate_healthcheck_script
+  gitlab_configure_gitlab_kas
   gitlab_configure_content_security_policy
 
   # remove stale gitlab.socket
@@ -2277,6 +2339,7 @@ execute_raketask() {
     /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
     supervisorctl stop gitlab_extensions:*
     supervisorctl stop gitlab:*
+    supervisorctl stop gitlab_kas
     interactive=true
     for arg in $@
     do