Add latest changes from gitlab-org/gitlab@master

9 files changed, 97 insertions, 32 deletions

diff --git a/changelogs/unreleased/docs-document-auto-devops-docker-build-secret-forwarding.yml b/changelogs/unreleased/docs-document-auto-devops-docker-build-secret-forwarding.yml
new file mode 100644
index 00000000000..6b7146d7acb
--- /dev/null
+++ b/changelogs/unreleased/docs-document-auto-devops-docker-build-secret-forwarding.yml
@@ -0,0 +1,5 @@
+---
+title: Document forwarding CI variables to docker build in Auto DevOps
+merge_request: 16783
+author:
+type: added
diff --git a/doc/topics/autodevops/index.md b/doc/topics/autodevops/index.md
index 0cbd85fc568..3ced926a530 100644
--- a/doc/topics/autodevops/index.md
+++ b/doc/topics/autodevops/index.md
@@ -734,6 +734,40 @@ Avoid passing secrets as Docker build arguments if possible, as they may be
 persisted in your image. See
 [this discussion](https://github.com/moby/moby/issues/13490) for details.
 
+### Passing secrets to `docker build` (beta)
+
+CI environment variables can be passed as [build
+secrets](https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information) to the `docker build` command by listing them comma separated by name in the
+`AUTO_DEVOPS_BUILD_IMAGE_FORWARDED_CI_VARIABLES` variable. For example, in order to forward the variables `CI_COMMIT_SHA` and `CI_ENVIRONMENT_NAME`, one would set `AUTO_DEVOPS_BUILD_IMAGE_FORWARDED_CI_VARIABLES` to `CI_COMMIT_SHA,CI_ENVIRONMENT_NAME`.
+
+Unlike build arguments, these are not persisted by Docker in the final image
+(though you can still persist them yourself, so be careful).
+
+In projects:
+
+- Without a `Dockerfile`, these are available automatically as environment
+  variables.
+- With a `Dockerfile`, the following is required:
+
+  1. Activate the experimental `Dockerfile` syntax by adding the following
+     to the top of the file:
+
+     ```Dockerfile
+     # syntax = docker/dockerfile:experimental
+     ```
+
+  1. To make secrets available in any `RUN $COMMAND` in the `Dockerfile`, mount
+     the secret file and source it prior to running `$COMMAND`:
+
+     ```Dockerfile
+     RUN --mount=type=secret,id=auto-devops-build-secrets . /run/secrets/auto-devops-build-secrets && $COMMAND
+     ```
+
+NOTE: **Note:**
+When `AUTO_DEVOPS_BUILD_IMAGE_FORWARDED_CI_VARIABLES` is set, Auto DevOps
+enables the experimental [Docker BuildKit](https://docs.docker.com/develop/develop-images/build_enhancements/)
+feature to use the `--secret` flag.
+
 ### Custom Helm Chart
 
 Auto DevOps uses [Helm](https://helm.sh/) to deploy your application to Kubernetes.
@@ -827,6 +861,7 @@ applications.
 | `ADDITIONAL_HOSTS`                      | Fully qualified domain names specified as a comma-separated list that are added to the ingress hosts. |
 | `<ENVIRONMENT>_ADDITIONAL_HOSTS`        | For a specific environment, the fully qualified domain names specified as a comma-separated list that are added to the ingress hosts. This takes precedence over `ADDITIONAL_HOSTS`. |
 | `AUTO_DEVOPS_BUILD_IMAGE_EXTRA_ARGS`    | Extra arguments to be passed to the `docker build` command. Note that using quotes will not prevent word splitting. [More details](#passing-arguments-to-docker-build). |
+| `AUTO_DEVOPS_BUILD_IMAGE_FORWARDED_CI_VARIABLES` | A [comma-separated list of CI variable names](#passing-secrets-to-docker-build-beta) to be passed to the `docker build` command as secrets. |
 | `AUTO_DEVOPS_CHART`                     | Helm Chart used to deploy your apps. Defaults to the one [provided by GitLab](https://gitlab.com/gitlab-org/charts/auto-deploy-app). |
 | `AUTO_DEVOPS_CHART_REPOSITORY`          | Helm Chart repository used to search for charts. Defaults to `https://charts.gitlab.io`. |
 | `AUTO_DEVOPS_CHART_REPOSITORY_NAME`     | From Gitlab 11.11, used to set the name of the helm repository. Defaults to `gitlab`. |
@@ -1168,6 +1203,27 @@ There is no documented way of using private container registry with Auto DevOps.
 We strongly advise using GitLab Container Registry with Auto DevOps in order to
 simplify configuration and prevent any unforeseen issues.
 
+### Installing Helm behind a proxy
+
+GitLab does not yet support installing [Helm as a GitLab-managed App](../../user/clusters/applications.md#helm) when
+behind a proxy. Users who wish to do so must inject their proxy settings
+into the installation pods at runtime, for example by using a
+[`PodPreset`](https://kubernetes.io/docs/concepts/workloads/pods/podpreset/):
+
+```yml
+apiVersion: settings.k8s.io/v1alpha1
+kind: PodPreset
+metadata:
+  name: gitlab-managed-apps-default-proxy
+  namespace: gitlab-managed-apps
+spec:
+   env:
+    - name: http_proxy
+      value: "PUT_YOUR_HTTP_PROXY_HERE"
+    - name: https_proxy
+      value: "PUT_YOUR_HTTPS_PROXY_HERE"
+```
+
 ## Troubleshooting
 
 - Auto Build and Auto Test may fail in detecting your language/framework. There
diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md
index e43b1ca6826..17d430cf1f2 100644
--- a/doc/user/clusters/applications.md
+++ b/doc/user/clusters/applications.md
@@ -67,6 +67,11 @@ required to install all the other applications. It is installed in its
 own pod inside the cluster which can run the `helm` CLI in a safe
 environment.
 
+NOTE: **Note:**
+Installing Helm as a GitLab-managed App behind a proxy is not supported,
+but a [workaround](../../topics/autodevops/index.md#installing-helm-behind-a-proxy)
+is available.
+
 ### Cert-Manager
 
 > Introduced in GitLab 11.6 for project- and group-level clusters.
diff --git a/doc/user/project/pipelines/job_artifacts.md b/doc/user/project/pipelines/job_artifacts.md
index ef90899c512..3c15d41e1ba 100644
--- a/doc/user/project/pipelines/job_artifacts.md
+++ b/doc/user/project/pipelines/job_artifacts.md
@@ -9,11 +9,11 @@ type: reference, howto
 > - In GitLab 8.17, builds were renamed to jobs.
 > - The artifacts browser will be available only for new artifacts that are sent to GitLab using GitLab Runner version 1.0 and up. It will not be possible to browse old artifacts already uploaded to GitLab.
 
-Artifacts are a list of files and directories which created by a job
+Job artifacts are a list of files and directories created by a job
 once it finishes. This feature is [enabled by default](../../../administration/job_artifacts.md) in all
 GitLab installations.
 
-Job artifacts that are created by GitLab Runner are uploaded to GitLab and are downloadable as a single archive using the GitLab UI.
+Job artifacts created by GitLab Runner are uploaded to GitLab and are downloadable as a single archive using the GitLab UI or the [GitLab API](../../../api/jobs.md#get-job-artifacts).
 
 <i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
 For an overview, watch the video [GitLab CI Pipeline, Artifacts, and Environments](https://www.youtube.com/watch?v=PCKDICEe10s).
@@ -78,7 +78,7 @@ one HTML file that you can view directly online when
 ## Downloading artifacts
 
 If you need to download the whole archive, there are buttons in various places
-inside GitLab that make that possible.
+in the GitLab UI to do this:
 
 1. While on the pipelines page, you can see the download icon for each job's
    artifacts archive in the right corner:
diff --git a/qa/qa.rb b/qa/qa.rb
index fed2dbeade3..6e87129641a 100644
--- a/qa/qa.rb
+++ b/qa/qa.rb
@@ -275,6 +275,7 @@ module QA
         autoload :Edit, 'qa/page/project/wiki/edit'
         autoload :New, 'qa/page/project/wiki/new'
         autoload :Show, 'qa/page/project/wiki/show'
+        autoload :GitAccess, 'qa/page/project/wiki/git_access'
       end
 
       module WebIDE
diff --git a/qa/qa/page/project/wiki/git_access.rb b/qa/qa/page/project/wiki/git_access.rb
new file mode 100644
index 00000000000..28cb21be4e3
--- /dev/null
+++ b/qa/qa/page/project/wiki/git_access.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module QA
+  module Page
+    module Project
+      module Wiki
+        class GitAccess < Page::Base
+          include Page::Component::LegacyClonePanel
+        end
+      end
+    end
+  end
+end
diff --git a/qa/qa/resource/repository/wiki_push.rb b/qa/qa/resource/repository/wiki_push.rb
index 06cca85cbb2..8edaff70ac6 100644
--- a/qa/qa/resource/repository/wiki_push.rb
+++ b/qa/qa/resource/repository/wiki_push.rb
@@ -21,14 +21,7 @@ module QA
         end
 
         def repository_http_uri
-          @repository_http_uri ||= begin
-            wiki.visit!
-            Page::Project::Wiki::Show.act do
-              click_clone_repository
-              choose_repository_clone_http
-              repository_location.uri
-            end
-          end
+          @repository_http_uri ||= wiki.repository_http_location.uri
         end
 
         def repository_ssh_uri
diff --git a/qa/qa/resource/wiki.rb b/qa/qa/resource/wiki.rb
index 0a776f22e25..6e3648dba0b 100644
--- a/qa/qa/resource/wiki.rb
+++ b/qa/qa/resource/wiki.rb
@@ -12,6 +12,15 @@ module QA
         end
       end
 
+      attribute :repository_http_location do
+        Page::Project::Wiki::Show.perform(&:click_clone_repository)
+
+        Page::Project::Wiki::GitAccess.perform do |git_access|
+          git_access.choose_repository_clone_http
+          git_access.repository_location
+        end
+      end
+
       def fabricate!
         project.visit!
 
diff --git a/qa/qa/specs/features/browser_ui/2_plan/issue/mentions_spec.rb b/qa/qa/specs/features/browser_ui/2_plan/issue/mentions_spec.rb
index 925c601f869..e3fd835bb01 100644
--- a/qa/qa/specs/features/browser_ui/2_plan/issue/mentions_spec.rb
+++ b/qa/qa/specs/features/browser_ui/2_plan/issue/mentions_spec.rb
@@ -3,29 +3,12 @@
 module QA
   context 'Plan', :smoke do
     describe 'mention' do
-      let(:user) do
-        Resource::User.fabricate_via_api! do |user|
-          user.name = "bob"
-          user.password = "1234test"
-        end
-      end
-
       before do
-        QA::Runtime::Env.personal_access_token = QA::Runtime::Env.admin_personal_access_token
-
-        unless QA::Runtime::Env.personal_access_token
-          Runtime::Browser.visit(:gitlab, Page::Main::Login)
-          Page::Main::Login.perform(&:sign_in_using_admin_credentials)
-        end
-
-        QA::Runtime::Env.personal_access_token = nil
-
-        Page::Main::Menu.perform(&:sign_out) if Page::Main::Menu.perform { |p| p.has_personal_area?(wait: 0) }
-
         Runtime::Browser.visit(:gitlab, Page::Main::Login)
-
         Page::Main::Login.perform(&:sign_in_using_credentials)
 
+        @user = Resource::User.fabricate_or_use(Runtime::Env.gitlab_qa_username_1, Runtime::Env.gitlab_qa_password_1)
+
         project = Resource::Project.fabricate_via_api! do |resource|
           resource.name = 'project-to-test-mention'
         end
@@ -33,7 +16,7 @@ module QA
 
         Page::Project::Show.perform(&:go_to_members_settings)
         Page::Project::Settings::Members.perform do |members|
-          members.add_member(user.username)
+          members.add_member(@user.username)
         end
 
         issue = Resource::Issue.fabricate_via_api! do |issue|
@@ -45,7 +28,7 @@ module QA
 
       it 'user mentions another user in an issue' do
         Page::Project::Issue::Show.perform do |show|
-          at_username = "@#{user.username}"
+          at_username = "@#{@user.username}"
 
           show.select_all_activities_filter
           show.comment(at_username)