Gitlab Cloud Hybrid Setup - gitlab-shell installation?

Folks, I am looking to see if anyone else has attempted to build the Cloud Hybrid Reference architecture on bare metal Kubernetes.

Gitlab Version 14.7.1
Ubuntu Linux 20.04

Architecture described here:

I have it mostly working except for the most important item - shell operations initiated from the Gitlab WebUI return 401 - Unauthorized. So none of my repositories can be used.

This issue is not confined to the WebUI - command-line git commands also fail with the same error.

Deployment instructions put gitaly, postgres, and redis on a physical server, and gitlab webservice, sidekiq, gitlab-shell, gitlab-workhorse on the Kubernetes Cluster.

I have determined that the key issue is the failure of the authorization call /api/v4/internal/allowed. All of the tokens have been checked multiple times, e.g. by successfully calling the internal API using curl -H "Gitlab-Shared-Secret: " …

The operation of gitlab requires that git/gitaly [bare metal server] calls back to the server [on K8S] for authorization. But since the gitlab-shell is not deployed on the server at present it is not clear how to configure the token. Attempting to add it in the gitlab.rb file doesn’t make a difference since gitlab-shell is not running.

So, it seems that I should proceed by configuring gitlab-shell to run on the bare metal server where the other Omnibus applications reside, but I can’t see how to do this.

Any suggestions?

Update: I determined that in this configuration the gitlab shared secret is not being passed in the POST data as it should be according to the troubleshooting page.

All of the ‘advice’ points to checking that the secret_token is correct, but none advises on why it might be missing altogether.
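
Added example, not part of the original post: a small Python triage helper that, given a captured request to /api/v4/internal/allowed, separates the case described in the update (no secret sent at all) from the usual wrong-secret case. The function names, the JSON/form body handling, the base64 encoding of the `Gitlab-Shared-Secret` header value, and all sample values are assumptions constructed for illustration.

```python
import base64
import hmac
import json
from urllib.parse import parse_qs

HEADER = "gitlab-shared-secret"  # header name quoted in the post
PARAM = "secret_token"           # parameter name quoted in the post

def body_param(body, name):
    """Pull one field out of a JSON or form-encoded request body."""
    try:
        data = json.loads(body)
        if isinstance(data, dict):
            return str(data.get(name) or "")
    except ValueError:
        pass
    return parse_qs(body).get(name, [""])[0]

def classify(headers, body, expected_secret):
    """Return (carrier, verdict); (None, 'missing') means no secret was sent."""
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    expected = expected_secret.strip().encode()
    if hdrs.get(HEADER):
        carrier = "header"
        try:
            # Assumption: the header value is the base64-encoded secret.
            presented = base64.b64decode(hdrs[HEADER], validate=True).strip()
        except ValueError:
            return carrier, "mismatch"
    elif body_param(body, PARAM):
        carrier = "param"
        presented = body_param(body, PARAM).strip().encode()
    else:
        return None, "missing"  # caller has no secret configured or loaded
    # Constant-time comparison so the check itself does not leak the secret.
    return carrier, "ok" if hmac.compare_digest(presented, expected) else "mismatch"

# Constructed sample data, not taken from a real instance.
SECRET = "constructed-shell-secret\n"  # secret files often end in a newline
SAMPLES = [
    ({"Gitlab-Shared-Secret": base64.b64encode(b"constructed-shell-secret").decode()}, ""),
    ({}, "action=git-upload-pack&secret_token=constructed-shell-secret"),
    ({}, '{"action": "git-receive-pack", "secret_token": "stale-secret"}'),
    ({}, "action=git-receive-pack&protocol=ssh"),
]

if __name__ == "__main__":
    for headers, body in SAMPLES:
        print(classify(headers, body, SECRET))
```

A `missing` verdict points at the calling side's configuration (the component never loaded a secret), while `mismatch` points at two hosts holding different values.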