authorGitLab Bot <gitlab-bot@gitlab.com>2022-02-18 06:17:36 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-02-18 06:17:36 +0300
commit20b517258a70b3bd1cb0d17cb77565a82ce098b5 (patch)
treee38311e4511c23085eccdf91e678365f0947a053
parent51d1545877fb481aa14498a18b004867f28d7cce (diff)
Add latest changes from gitlab-org/gitlab@master
-rw-r--r--.rubocop_todo/rails/include_url_helper.yml7
-rw-r--r--app/assets/javascripts/blob/template_selector.js7
-rw-r--r--app/controllers/clusters/clusters_controller.rb9
-rw-r--r--app/presenters/alert_management/alert_presenter.rb1
-rw-r--r--app/presenters/environment_presenter.rb2
-rw-r--r--app/presenters/merge_request_presenter.rb6
-rw-r--r--app/presenters/project_presenter.rb6
-rw-r--r--app/presenters/release_presenter.rb2
-rw-r--r--app/presenters/releases/evidence_presenter.rb2
-rw-r--r--app/services/projects/destroy_service.rb2
-rw-r--r--app/views/shared/access_tokens/_form.html.haml3
-rw-r--r--config/feature_flags/development/publish_project_deleted_event.yml8
-rw-r--r--data/deprecations/14-8-secure-and-protect-analyzer-bump.yml (renamed from data/deprecations/data/deprecations/14-9-secure-and-protect-analyzer-bump.yml.yml)9
-rw-r--r--doc/ci/cloud_services/index.md7
-rw-r--r--doc/ci/environments/img/environments_list_v14_3.pngbin14885 -> 0 bytes
-rw-r--r--doc/ci/environments/img/environments_list_v14_8.pngbin0 -> 43212 bytes
-rw-r--r--doc/ci/environments/index.md2
-rw-r--r--doc/update/deprecations.md9
-rw-r--r--doc/user/infrastructure/clusters/connect/new_eks_cluster.md119
-rw-r--r--doc/user/infrastructure/iac/index.md7
-rw-r--r--doc/user/project/clusters/add_eks_clusters.md4
-rw-r--r--doc/user/project/clusters/add_remove_clusters.md4
-rw-r--r--doc/user/project/issues/managing_issues.md6
-rw-r--r--lefthook.yml2
-rw-r--r--lib/gitlab/content_security_policy/config_loader.rb2
-rw-r--r--lib/gitlab/content_security_policy/directives.rb4
-rw-r--r--locale/gitlab.pot2
-rw-r--r--qa/qa/service/praefect_manager.rb37
-rw-r--r--qa/qa/specs/features/api/3_create/gitaly/praefect_dataloss_spec.rb47
-rw-r--r--spec/features/clusters/cluster_detail_page_spec.rb14
-rw-r--r--spec/features/issues/form_spec.rb49
-rw-r--r--spec/services/projects/destroy_service_spec.rb12
-rw-r--r--spec/support/shared_examples/models/atomic_internal_id_shared_examples.rb2
33 files changed, 331 insertions, 62 deletions
diff --git a/.rubocop_todo/rails/include_url_helper.yml b/.rubocop_todo/rails/include_url_helper.yml
index 6a34c58ecf6..dcafeafb9f0 100644
--- a/.rubocop_todo/rails/include_url_helper.yml
+++ b/.rubocop_todo/rails/include_url_helper.yml
@@ -19,14 +19,7 @@ Rails/IncludeUrlHelper:
- app/models/integrations/redmine.rb
- app/models/integrations/webex_teams.rb
- app/models/integrations/youtrack.rb
- - app/presenters/alert_management/alert_presenter.rb
- - app/presenters/environment_presenter.rb
- app/presenters/gitlab/blame_presenter.rb
- - app/presenters/merge_request_presenter.rb
- - app/presenters/project_presenter.rb
- - app/presenters/release_presenter.rb
- - app/presenters/releases/evidence_presenter.rb
- - ee/app/helpers/license_helper.rb
- ee/app/models/integrations/github.rb
- ee/spec/helpers/ee/projects/security/configuration_helper_spec.rb
- ee/spec/lib/banzai/filter/cross_project_issuable_information_filter_spec.rb
diff --git a/app/assets/javascripts/blob/template_selector.js b/app/assets/javascripts/blob/template_selector.js
index 9fa70ce3c62..b7d3c164e67 100644
--- a/app/assets/javascripts/blob/template_selector.js
+++ b/app/assets/javascripts/blob/template_selector.js
@@ -78,7 +78,12 @@ export default class TemplateSelector {
setEditorContent(file, { skipFocus } = {}) {
if (!file) return;
- const newValue = file.content;
+ let newValue = file.content;
+
+ const urlParams = new URLSearchParams(window.location.search);
+ if (urlParams.has('issue[description]')) {
+ newValue += `\n${urlParams.get('issue[description]')}`;
+ }
this.editor.setValue(newValue, 1);
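Review bot: The added branch in `setEditorContent` appends a newline plus the `issue[description]` value even when the parameter is present but empty, because it tests `urlParams.has(...)` rather than the value itself. Reading it once and testing it avoids the stray newline: `const description = urlParams.get('issue[description]');` followed by `if (description) newValue += "\n" + description;`. The check also sits in the shared `TemplateSelector` class; if other selectors inherit this method (the subclasses are outside the hunk), text from the query string would be appended to their templates too, so it probably belongs in the issuable-specific selector. The value comes from a link the user may not have written, so a comment stating that it is only ever passed to `editor.setValue` as text would help later readers. The method body continues outside the hunk.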
diff --git a/app/controllers/clusters/clusters_controller.rb b/app/controllers/clusters/clusters_controller.rb
index c12ceca9c3b..e25956804ce 100644
--- a/app/controllers/clusters/clusters_controller.rb
+++ b/app/controllers/clusters/clusters_controller.rb
@@ -18,6 +18,15 @@ class Clusters::ClustersController < Clusters::BaseController
helper_method :token_in_session
STATUS_POLLING_INTERVAL = 10_000
+ AWS_CSP_DOMAINS = %w[https://ec2.ap-east-1.amazonaws.com https://ec2.ap-northeast-1.amazonaws.com https://ec2.ap-northeast-2.amazonaws.com https://ec2.ap-northeast-3.amazonaws.com https://ec2.ap-south-1.amazonaws.com https://ec2.ap-southeast-1.amazonaws.com https://ec2.ap-southeast-2.amazonaws.com https://ec2.ca-central-1.amazonaws.com https://ec2.eu-central-1.amazonaws.com https://ec2.eu-north-1.amazonaws.com https://ec2.eu-west-1.amazonaws.com https://ec2.eu-west-2.amazonaws.com https://ec2.eu-west-3.amazonaws.com https://ec2.me-south-1.amazonaws.com https://ec2.sa-east-1.amazonaws.com https://ec2.us-east-1.amazonaws.com https://ec2.us-east-2.amazonaws.com https://ec2.us-west-1.amazonaws.com https://ec2.us-west-2.amazonaws.com https://ec2.af-south-1.amazonaws.com https://iam.amazonaws.com].freeze
+
+ content_security_policy do |p|
+ next if p.directives.blank?
+
+ default_connect_src = p.directives['connect-src'] || p.directives['default-src']
+ connect_src_values = Array.wrap(default_connect_src) | AWS_CSP_DOMAINS
+ p.connect_src(*connect_src_values)
+ end
def index
@clusters = cluster_list
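Review bot: The `content_security_policy` block is declared without `only:`, so every action of `Clusters::ClustersController` gets the AWS origins added to `connect-src`, not just the pages that call AWS from the browser. If only the EKS creation views need them, scope the block, e.g. `content_security_policy(only: ACTIONS_THAT_CALL_AWS) do |p|` (placeholder; the action names are outside the hunk). Separately, when the policy has directives but neither `connect-src` nor `default-src`, `Array.wrap(nil)` is empty and the resulting `connect-src` lists only the AWS hosts, which would block same-origin requests; falling back to `"'self'"` in that case would be safer. A one-line comment above `AWS_CSP_DOMAINS` naming the client-side calls that need these endpoints would help when regions are added or removed.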
diff --git a/app/presenters/alert_management/alert_presenter.rb b/app/presenters/alert_management/alert_presenter.rb
index b692935d229..659e991e9d8 100644
--- a/app/presenters/alert_management/alert_presenter.rb
+++ b/app/presenters/alert_management/alert_presenter.rb
@@ -3,7 +3,6 @@
module AlertManagement
class AlertPresenter < Gitlab::View::Presenter::Delegated
include IncidentManagement::Settings
- include ActionView::Helpers::UrlHelper
presents ::AlertManagement::Alert
delegator_override_with Gitlab::Utils::StrongMemoize # This module inclusion is expected. See https://gitlab.com/gitlab-org/gitlab/-/issues/352884.
diff --git a/app/presenters/environment_presenter.rb b/app/presenters/environment_presenter.rb
index 6c8da86187c..fe828fb9fd8 100644
--- a/app/presenters/environment_presenter.rb
+++ b/app/presenters/environment_presenter.rb
@@ -1,8 +1,6 @@
# frozen_string_literal: true
class EnvironmentPresenter < Gitlab::View::Presenter::Delegated
- include ActionView::Helpers::UrlHelper
-
presents ::Environment, as: :environment
def path
diff --git a/app/presenters/merge_request_presenter.rb b/app/presenters/merge_request_presenter.rb
index 8450679dd79..2dc2ecad1b4 100644
--- a/app/presenters/merge_request_presenter.rb
+++ b/app/presenters/merge_request_presenter.rb
@@ -1,7 +1,6 @@
# frozen_string_literal: true
class MergeRequestPresenter < Gitlab::View::Presenter::Delegated
- include ActionView::Helpers::UrlHelper
include GitlabRoutingHelper
include MarkupHelper
include TreeHelper
@@ -290,6 +289,11 @@ class MergeRequestPresenter < Gitlab::View::Presenter::Delegated
def user_can_fork_project?
can?(current_user, :fork_project, project)
end
+
+ # Avoid including ActionView::Helpers::UrlHelper
+ def link_to(*args)
+ ApplicationController.helpers.link_to(*args)
+ end
end
MergeRequestPresenter.prepend_mod_with('MergeRequestPresenter')
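Review bot: The new `link_to(*args)` wrapper drops any block a caller passes, while the helper it stands in for accepts one; `def link_to(*args, &block)` with `ApplicationController.helpers.link_to(*args, &block)` keeps the old call shapes working. The same applies to `content_tag(*args)` added in `app/presenters/project_presenter.rb`, which also goes through `ActionController::Base.helpers` instead of `ApplicationController.helpers`; using one receiver in both presenters would be clearer. The comment `# Avoid including ActionView::Helpers::UrlHelper` could name the `Rails/IncludeUrlHelper` cop it satisfies, so the reason for the indirection is visible at the definition.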
diff --git a/app/presenters/project_presenter.rb b/app/presenters/project_presenter.rb
index 9e64d2d43a2..89f0accdc5b 100644
--- a/app/presenters/project_presenter.rb
+++ b/app/presenters/project_presenter.rb
@@ -2,7 +2,6 @@
class ProjectPresenter < Gitlab::View::Presenter::Delegated
include ActionView::Helpers::NumberHelper
- include ActionView::Helpers::UrlHelper
include GitlabRoutingHelper
include StorageHelper
include TreeHelper
@@ -473,6 +472,11 @@ class ProjectPresenter < Gitlab::View::Presenter::Delegated
project.topics.map(&:name)
end
end
+
+ # Avoid including ActionView::Helpers::UrlHelper
+ def content_tag(*args)
+ ActionController::Base.helpers.content_tag(*args)
+ end
end
ProjectPresenter.prepend_mod_with('ProjectPresenter')
diff --git a/app/presenters/release_presenter.rb b/app/presenters/release_presenter.rb
index dac42af38bf..f62c09a395d 100644
--- a/app/presenters/release_presenter.rb
+++ b/app/presenters/release_presenter.rb
@@ -1,8 +1,6 @@
# frozen_string_literal: true
class ReleasePresenter < Gitlab::View::Presenter::Delegated
- include ActionView::Helpers::UrlHelper
-
presents ::Release, as: :release
# TODO: Remove `delegate` as it's redundant due to SimpleDelegator.
diff --git a/app/presenters/releases/evidence_presenter.rb b/app/presenters/releases/evidence_presenter.rb
index bdc053a303b..f7da6ceb8fe 100644
--- a/app/presenters/releases/evidence_presenter.rb
+++ b/app/presenters/releases/evidence_presenter.rb
@@ -2,8 +2,6 @@
module Releases
class EvidencePresenter < Gitlab::View::Presenter::Delegated
- include ActionView::Helpers::UrlHelper
-
presents ::Releases::Evidence, as: :evidence
def filepath
diff --git a/app/services/projects/destroy_service.rb b/app/services/projects/destroy_service.rb
index 95af5a6863f..d96330ba22e 100644
--- a/app/services/projects/destroy_service.rb
+++ b/app/services/projects/destroy_service.rb
@@ -37,7 +37,7 @@ module Projects
system_hook_service.execute_hooks_for(project, :destroy)
log_info("Project \"#{project.full_path}\" was deleted")
- publish_project_deleted_event_for(project) if Feature.enabled?(:publish_project_deleted_event, default_enabled: :yaml)
+ publish_project_deleted_event_for(project)
current_user.invalidate_personal_projects_count
diff --git a/app/views/shared/access_tokens/_form.html.haml b/app/views/shared/access_tokens/_form.html.haml
index a52b7236137..7e6e8e06397 100644
--- a/app/views/shared/access_tokens/_form.html.haml
+++ b/app/views/shared/access_tokens/_form.html.haml
@@ -19,8 +19,9 @@
.row
= f.label :name, _('Token name'), class: 'label-bold col-md-12'
.col-md-6
+ - resource_type = resource.is_a?(Group) ? "group" : "project"
= f.text_field :name, class: 'form-control gl-form-input', required: true, data: { qa_selector: 'access_token_name_field' }, :'aria-describedby' => 'access_token_help_text'
- %span.form-text.text-muted.col-md-12#access_token_help_text= _('For example, the application using the token or the purpose of the token.')
+ %span.form-text.text-muted.col-md-12#access_token_help_text= _("For example, the application using the token or the purpose of the token. Do not give sensitive information for the name of the token, as it will be visible to all %{resource_type} members.") % { resource_type: resource_type }
.row
.form-group.col-md-6
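Review bot: `resource_type` on the added line becomes `"project"` for anything that is not a `Group`, so if this shared partial is rendered for another kind of resource (the callers are not visible in this hunk), the warning would wrongly say the token name is visible to all project members. Checking both types explicitly and omitting the sentence otherwise would avoid that. The words `"group"` and `"project"` are also interpolated untranslated into a translated sentence; `resource.is_a?(Group) ? _('group') : _('project')` keeps the help text consistent in other locales.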
diff --git a/config/feature_flags/development/publish_project_deleted_event.yml b/config/feature_flags/development/publish_project_deleted_event.yml
deleted file mode 100644
index 1287ebe9f66..00000000000
--- a/config/feature_flags/development/publish_project_deleted_event.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-name: publish_project_deleted_event
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78862
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/351073
-milestone: '14.8'
-type: development
-group: group::pipeline insights
-default_enabled: false
diff --git a/data/deprecations/data/deprecations/14-9-secure-and-protect-analyzer-bump.yml.yml b/data/deprecations/14-8-secure-and-protect-analyzer-bump.yml
index 8f1d030f47c..4adfb35cbb8 100644
--- a/data/deprecations/data/deprecations/14-9-secure-and-protect-analyzer-bump.yml.yml
+++ b/data/deprecations/14-8-secure-and-protect-analyzer-bump.yml
@@ -1,8 +1,8 @@
- name: "Secure and Protect analyzer major version update" # The name of the feature to be deprecated
announcement_milestone: "14.8" # The milestone when this feature was first announced as deprecated.
announcement_date: "2022-02-22" # The date of the milestone release when this feature was first announced as deprecated. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post.
- removal_milestone: "15.00" # The milestone when this feature is planned to be removed
- removal_date: # The date of the milestone release when this feature is planned to be removed. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post.
+ removal_milestone: "15.0" # The milestone when this feature is planned to be removed
+ removal_date: "2022-05-22" # The date of the milestone release when this feature is planned to be removed. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post.
breaking_change: true # If this deprecation is a breaking change, set this value to true
reporter: NicoleSchwartz # GitLab username of the person reporting the deprecation
body: | # Do not modify this line, instead modify the lines below.
@@ -20,9 +20,10 @@
- Coverage-guided fuzz testing: version 2
- Dependency Scanning: version 2
- Dynamic Application Security Testing (DAST): version 2
+ - Infrastructure as Code (IaC) Scanning: version 1
- License Scanning: version 3
- Secret Detection: version 3
- - Static Application Security Testing (SAST): version 2, except security-code-scan which is version 3
+ - Static Application Security Testing (SAST): version 2 of [all analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#supported-languages-and-frameworks), except `gosec` which is currently at version 3
- `bandit`: version 2
- `brakeman`: version 2
- `eslint`: version 2
@@ -33,7 +34,7 @@
- `nodejs-scan`: version 2
- `phpcs-security-audit`: version 2
- `pmd-apex`: version 2
- - `security-code-scan`: version 3
+ - `security-code-scan`: version 2
- `semgrep`: version 2
- `sobelow`: version 2
- `spotbugs`: version 2
diff --git a/doc/ci/cloud_services/index.md b/doc/ci/cloud_services/index.md
index a80231a04c2..1493a930099 100644
--- a/doc/ci/cloud_services/index.md
+++ b/doc/ci/cloud_services/index.md
@@ -18,6 +18,13 @@ GitLab CI/CD supports [OpenID Connect (OIDC)](https://openid.net/connect/faq/) t
The original implementation of `CI_JOB_JWT` supports [HashiCorp Vault integration](../examples/authenticating-with-hashicorp-vault/). The updated implementation of `CI_JOB_JWT_V2` supports additional cloud providers with OIDC including AWS, GCP, and Vault.
+NOTE:
+Configuring OIDC enables JWT token access to the target environments for all pipelines.
+When you configure OIDC for a pipeline, you should complete a software supply chain security
+review for the pipeline, focusing on the additional access. You can use the [software supply chain security awareness assessment](https://about.gitlab.com/quiz/software-supply-chain-security/)
+as a starting point, and for more information about supply chain attacks, see
+[How a DevOps Platform helps protect against supply chain attacks](https://about.gitlab.com/blog/2021/04/28/devops-platform-supply-chain-attacks/).
+
WARNING:
The `CI_JOB_JWT_V2` variable is under development [(alpha)](../../policy/alpha-beta-support.md#alpha-features) and is not yet suitable for production use.
diff --git a/doc/ci/environments/img/environments_list_v14_3.png b/doc/ci/environments/img/environments_list_v14_3.png
deleted file mode 100644
index 8fdb85338e7..00000000000
--- a/doc/ci/environments/img/environments_list_v14_3.png
+++ /dev/null
Binary files differ
diff --git a/doc/ci/environments/img/environments_list_v14_8.png b/doc/ci/environments/img/environments_list_v14_8.png
new file mode 100644
index 00000000000..df439fb96dc
--- /dev/null
+++ b/doc/ci/environments/img/environments_list_v14_8.png
Binary files differ
diff --git a/doc/ci/environments/index.md b/doc/ci/environments/index.md
index 63bdd279927..e39419fc26b 100644
--- a/doc/ci/environments/index.md
+++ b/doc/ci/environments/index.md
@@ -35,7 +35,7 @@ To view a list of environments and deployments:
1. On the left sidebar, select **Deployments > Environments**.
The environments are displayed.
- ![Environments list](img/environments_list_v14_3.png)
+ ![Environments list](img/environments_list_v14_8.png)
1. To view a list of deployments for an environment, select the environment name,
for example, `staging`.
diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md
index d05e1626c6c..9f86fb8fa47 100644
--- a/doc/update/deprecations.md
+++ b/doc/update/deprecations.md
@@ -1292,7 +1292,7 @@ See the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/352564
### Secure and Protect analyzer major version update
WARNING:
-This feature will be changed or removed in 15.00
+This feature will be changed or removed in 15.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
@@ -1311,9 +1311,10 @@ Specifically, the following are being deprecated and will no longer be updated a
- Coverage-guided fuzz testing: version 2
- Dependency Scanning: version 2
- Dynamic Application Security Testing (DAST): version 2
+- Infrastructure as Code (IaC) Scanning: version 1
- License Scanning: version 3
- Secret Detection: version 3
-- Static Application Security Testing (SAST): version 2, except security-code-scan which is version 3
+- Static Application Security Testing (SAST): version 2 of [all analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#supported-languages-and-frameworks), except `gosec` which is currently at version 3
- `bandit`: version 2
- `brakeman`: version 2
- `eslint`: version 2
@@ -1324,12 +1325,12 @@ Specifically, the following are being deprecated and will no longer be updated a
- `nodejs-scan`: version 2
- `phpcs-security-audit`: version 2
- `pmd-apex`: version 2
- - `security-code-scan`: version 3
+ - `security-code-scan`: version 2
- `semgrep`: version 2
- `sobelow`: version 2
- `spotbugs`: version 2
-**Planned removal milestone: 15.00 ()**
+**Planned removal milestone: 15.0 (2022-05-22)**
### Support for gRPC-aware proxy deployed between Gitaly and rest of GitLab
diff --git a/doc/user/infrastructure/clusters/connect/new_eks_cluster.md b/doc/user/infrastructure/clusters/connect/new_eks_cluster.md
new file mode 100644
index 00000000000..282b3ed7bd0
--- /dev/null
+++ b/doc/user/infrastructure/clusters/connect/new_eks_cluster.md
@@ -0,0 +1,119 @@
+---
+stage: Configure
+group: Configure
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Create a new EKS cluster through IaC
+
+Learn how to create a new cluster on Amazon Elastic Kubernetes Service (EKS) through
+[Infrastructure as Code (IaC)](../../index.md).
+
+This process combines the AWS and Kubernetes Terraform providers to help you create EKS clusters
+and connect them to GitLab using the [GitLab agent for Kubernetes](../../../clusters/agent/index.md).
+
+This document describes how to set up a Kubernetes cluster on EKS by importing an example project to get you started.
+You can then modify the project files according to your needs.
+
+**Prerequisites:**
+
+- An Amazon Web Services (AWS) account, with a set of configured
+ [security credentials](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-prereqs.html).
+- [Configured GitLab Runners](https://docs.gitlab.com/runner/install/) to run the infrastructure pipeline from GitLab CI/CD.
+
+**Steps:**
+
+1. [Import the example project](#import-the-example-project).
+1. [Register the Agent](#register-the-agent).
+1. [Configure your project](#configure-your-project).
+1. [Provision your cluster](#provision-your-cluster).
+
+## Import the example project
+
+To create a new cluster from GitLab using Infrastructure as Code, it is necessary
+to create a project to manage the cluster from. In this tutorial, we import a pre-configured
+sample project to help you get started.
+
+Start by [importing the example project by URL](../../../project/import/repo_by_url.md). Use `https://gitlab.com/gitlab-org/configure/examples/gitlab-terraform-eks.git` as the URL.
+
+This project provides you with the following resources:
+
+- An Amazon [Virtual Private Cloud (VPC)](https://gitlab.com/gitlab-org/configure/examples/gitlab-terraform-eks/-/blob/main/vpc.tf).
+- An Amazon [Elastic Kubernetes Service (EKS)](https://gitlab.com/gitlab-org/configure/examples/gitlab-terraform-eks/-/blob/main/eks.tf) cluster.
+- The [GitLab agent for Kubernetes](https://gitlab.com/gitlab-org/configure/examples/gitlab-terraform-eks/-/blob/main/agent.tf) installed into the cluster.
+
+## Register the Agent
+
+To create an Agent in GitLab:
+
+1. From your project's sidebar, select **Infrastructure > Kubernetes clusters**.
+1. Select **Actions**.
+1. From the **Select an Agent** dropdown list, select `eks-agent` and select **Register an Agent**.
+1. GitLab generates a registration token for this Agent. Securely store this secret token, as you will need it to [configure your project](#configure-your-project) below.
+1. GitLab provides you with a KAS address, which will also be needed when configuring your project below.
+
+## Configure your project
+
+Use CI/CD environment variables to configure your project as detailed below.
+
+**Required configuration:**
+
+1. On the left sidebar, select **Settings > CI/CD**.
+1. Expand **Variables**.
+1. Set the variable `AWS_ACCESS_KEY_ID` to your AWS access key ID.
+1. Set the variable `AWS_SECRET_ACCESS_KEY` to your AWS secret access key.
+1. Set the variable `TF_VAR_agent_token` to the Agent token displayed in the previous step.
+1. Set the variable `TF_VAR_kas_address` to the KAS address displayed in the previous step.
+
+**Optional configuration:**
+
+The file [`variables.tf`](https://gitlab.com/gitlab-org/configure/examples/gitlab-terraform-eks/-/blob/main/variables.tf)
+contains other variables that you can override according to your needs:
+
+- `TF_VAR_region`: Set your cluster's region.
+- `TF_VAR_cluster_name`: Set your cluster's name.
+- `TF_VAR_cluster_version`: Set the version of Kubernetes.
+- `TF_VAR_instance_type`: Set the instance type for the Kubernetes nodes.
+- `TF_VAR_instance_count`: Set the number of Kubernetes nodes.
+- `TF_VAR_agent_version`: Set the version of the GitLab Agent.
+- `TF_VAR_agent_namespace`: Set the Kubernetes namespace for the GitLab Agent.
+
+Refer to the [AWS Terraform provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) and the [Kubernetes Terraform provider](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs) documentation for further resource options.
+
+## Provision your cluster
+
+After configuring your project, manually trigger the provisioning of your cluster. In GitLab:
+
+1. From your project's sidebar, go to **CI/CD > Pipelines**.
+1. Select the dropdown icon (**{angle-down}**) next to the play icon (**{play}**).
+1. Select **deploy** to manually trigger the deployment job.
+
+When the pipeline finishes successfully, you can see your new cluster:
+
+- In AWS: from the [EKS console](https://console.aws.amazon.com/eks/home) select **Amazon EKS > Clusters**.
+- In GitLab: from your project's sidebar, select **Infrastructure > Kubernetes clusters**.
+
+## Removing the cluster
+
+A cleanup job is not included in your pipeline by default. To remove all created resources, you
+need to modify your GitLab CI/CD template before running the cleanup job.
+
+To remove all resources:
+
+1. Add the following to your `.gitlab-ci.yml`:
+
+ ```yaml
+ stages:
+ - init
+ - validate
+ - build
+ - deploy
+ - cleanup
+
+ destroy:
+ extends: .destroy
+ needs: []
+ ```
+
+1. From your project's sidebar, go to **CI/CD > Pipelines** and select the most recent pipeline.
+1. Click the play icon (**{play}**) for the `destroy` job.
diff --git a/doc/user/infrastructure/iac/index.md b/doc/user/infrastructure/iac/index.md
index 6fef1aa7879..8ccd4eb45fd 100644
--- a/doc/user/infrastructure/iac/index.md
+++ b/doc/user/infrastructure/iac/index.md
@@ -105,12 +105,13 @@ owned by GitLab, where everyone can contribute.
The [documentation of the provider](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs)
is available as part of the official Terraform provider documentation.
-## Create a new cluster through IaC (DEPRECATED)
+## Create a new cluster through IaC
-Learn how to [create a new cluster on Google Kubernetes Engine (GKE)](../clusters/connect/new_gke_cluster.md).
+- Learn how to [create a new cluster on Amazon Elastic Kubernetes Service (EKS)](../clusters/connect/new_eks_cluster.md).
+- Learn how to [create a new cluster on Google Kubernetes Engine (GKE)](../clusters/connect/new_gke_cluster.md) (DEPRECATED).
NOTE:
-The linked tutorial connects the cluster to GitLab through cluster certificates,
+The linked GKE tutorial connects the cluster to GitLab through cluster certificates,
and this method was [deprecated](https://gitlab.com/groups/gitlab-org/configure/-/epics/8)
in GitLab 14.5. You can still create a cluster through IaC and then connect it to GitLab
through the [agent](../../clusters/agent/index.md), the default and fully supported
diff --git a/doc/user/project/clusters/add_eks_clusters.md b/doc/user/project/clusters/add_eks_clusters.md
index e14a71a7e10..023ffed3d81 100644
--- a/doc/user/project/clusters/add_eks_clusters.md
+++ b/doc/user/project/clusters/add_eks_clusters.md
@@ -10,7 +10,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
> - [Deprecated](https://gitlab.com/groups/gitlab-org/configure/-/epics/8) in GitLab 14.5.
WARNING:
-This feature was deprecated in GitLab 14.5. Use [Infrastructure as Code](../../infrastructure/iac/index.md#create-a-new-cluster-through-iac-deprecated)
+This feature was deprecated in GitLab 14.5. Use [Infrastructure as Code](../../infrastructure/iac/index.md#create-a-new-cluster-through-iac)
to create new clusters.
Through GitLab, you can create new clusters and add existing clusters hosted on Amazon Elastic
@@ -23,7 +23,7 @@ use the [GitLab Agent](../../clusters/agent/index.md).
## Create a new EKS cluster
-To create a new cluster from GitLab, use [Infrastructure as Code](../../infrastructure/iac/index.md#create-a-new-cluster-through-iac-deprecated).
+To create a new cluster from GitLab, use [Infrastructure as Code](../../infrastructure/iac/index.md#create-a-new-cluster-through-iac).
### How to create a new cluster on EKS through cluster certificates (DEPRECATED)
diff --git a/doc/user/project/clusters/add_remove_clusters.md b/doc/user/project/clusters/add_remove_clusters.md
index a0fca517f2e..6c0f319de67 100644
--- a/doc/user/project/clusters/add_remove_clusters.md
+++ b/doc/user/project/clusters/add_remove_clusters.md
@@ -10,7 +10,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
WARNING:
This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/327908) in GitLab 14.0.
-To create a new cluster use [Infrastructure as Code](../../infrastructure/iac/index.md#create-a-new-cluster-through-iac-deprecated).
+To create a new cluster use [Infrastructure as Code](../../infrastructure/iac/index.md#create-a-new-cluster-through-iac).
NOTE:
Every new Google Cloud Platform (GCP) account receives
@@ -29,7 +29,7 @@ in a few clicks.
> [Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/327908) in GitLab 14.0.
-As of GitLab 14.0, use [Infrastructure as Code](../../infrastructure/iac/index.md#create-a-new-cluster-through-iac-deprecated)
+As of GitLab 14.0, use [Infrastructure as Code](../../infrastructure/iac/index.md#create-a-new-cluster-through-iac)
to **safely create new clusters from GitLab**.
Creating clusters from GitLab using cluster certificates is still available on the
diff --git a/doc/user/project/issues/managing_issues.md b/doc/user/project/issues/managing_issues.md
index 155d6260a5c..aafd1135bf2 100644
--- a/doc/user/project/issues/managing_issues.md
+++ b/doc/user/project/issues/managing_issues.md
@@ -160,6 +160,8 @@ To regenerate the email address:
### Using a URL with prefilled values
+> Ability to use both `issuable_template` and `issue[description]` in the same URL [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/340529) in GitLab 14.8.
+
To link directly to the new issue page with prefilled fields, use query
string parameters in a URL. You can embed a URL in an external
HTML page to create issues with certain fields prefilled.
@@ -168,8 +170,8 @@ HTML page to create issues with certain fields prefilled.
| -------------------- | --------------------- | ------------------------------------------------------------------------------------------------------------------------------- |
| Title | `issue[title]` | Must be [URL-encoded](../../../api/index.md#namespaced-path-encoding). |
| Issue type | `issue[issue_type]` | Either `incident` or `issue`. |
-| Description template | `issuable_template` | Cannot be used at the same time as `issue[description]`. Must be [URL-encoded](../../../api/index.md#namespaced-path-encoding). |
-| Description | `issue[description]` | Cannot be used at the same time as `issuable_template`. Must be [URL-encoded](../../../api/index.md#namespaced-path-encoding). |
+| Description template | `issuable_template` | Must be [URL-encoded](../../../api/index.md#namespaced-path-encoding). |
+| Description | `issue[description]` | Must be [URL-encoded](../../../api/index.md#namespaced-path-encoding). If used in combination with `issuable_template` or a [default issue template](../description_templates.md#set-a-default-template-for-merge-requests-and-issues), the `issue[description]` value is appended to the template. |
| Confidential | `issue[confidential]` | If `true`, the issue is marked as confidential. |
Adapt these examples to form your new issue URL with prefilled fields.
diff --git a/lefthook.yml b/lefthook.yml
index ce4aa14ea69..f2b02045368 100644
--- a/lefthook.yml
+++ b/lefthook.yml
@@ -42,7 +42,7 @@ pre-push:
tags: documentation style
files: git diff --name-only --diff-filter=d $(git merge-base origin/master HEAD)..HEAD
glob: 'doc/*.md'
- run: if command -v vale 2> /dev/null; then vale --config .vale.ini --minAlertLevel error {files}; else echo "Vale not found. Install Vale"; fi
+ run: 'if command -v vale > /dev/null 2>&1; then if ! vale --config .vale.ini --minAlertLevel error {files}; then echo "ERROR: Fix any linting errors and make sure you are using the latest version of Vale."; fi; else echo "ERROR: Vale not found. For more information, see https://docs.errata.ai/vale/install."; fi'
gettext:
skip: true # This is disabled by default. You can enable this check by adding skip: false in lefhook-local.yml https://github.com/evilmartians/lefthook/blob/master/docs/full_guide.md#skipping-commands
tags: backend frontend view haml
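Review bot: In the new `run:` command the failing branch `if ! vale ...; then echo "ERROR: ..."; fi` ends with `echo`, so the command exits 0 and the pre-push check passes even when Vale reports errors; the previous form returned Vale's own exit status. Ending that branch with a non-zero status restores the gate: `then echo "ERROR: Fix any linting errors ..."; exit 1; fi`. The `Vale not found` branch also exits 0, as it did before this change; if a missing linter should block the push it needs the same treatment.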
diff --git a/lib/gitlab/content_security_policy/config_loader.rb b/lib/gitlab/content_security_policy/config_loader.rb
index 78ba0916808..0d4b913b7a0 100644
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -15,7 +15,7 @@ module Gitlab
directives = {
'default_src' => "'self'",
'base_uri' => "'self'",
- 'connect_src' => "'self'",
+ 'connect_src' => ContentSecurityPolicy::Directives.connect_src,
'font_src' => "'self'",
'form_action' => "'self' https: http:",
'frame_ancestors' => "'self'",
diff --git a/lib/gitlab/content_security_policy/directives.rb b/lib/gitlab/content_security_policy/directives.rb
index 3b958f8c92e..4ad420f9e2f 100644
--- a/lib/gitlab/content_security_policy/directives.rb
+++ b/lib/gitlab/content_security_policy/directives.rb
@@ -7,6 +7,10 @@
module Gitlab
module ContentSecurityPolicy
module Directives
+ def self.connect_src
+ "'self'"
+ end
+
def self.frame_src
"https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html"
end
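Review bot: `Directives.connect_src` is added without a comment saying why a constant `'self'` now lives behind a method, while `config_loader.rb` in this commit switches to it for the default policy. Judging by the cluster spec in this commit ("keeps existing connect-src in the CSP"), it looks intended as the base value that controllers extend rather than replace; that is worth stating where the value is defined. Something like `# Base connect-src value. Code that adds hosts to connect-src should append to this so the default sources are not dropped.` above `def self.connect_src` would make the contract explicit.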
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 37f8a3fd7b4..a6b52e80b19 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -15700,7 +15700,7 @@ msgstr ""
msgid "For each job, re-use the project workspace. If the workspace doesn't exist, use %{code_open}git clone%{code_close}."
msgstr ""
-msgid "For example, the application using the token or the purpose of the token."
+msgid "For example, the application using the token or the purpose of the token. Do not give sensitive information for the name of the token, as it will be visible to all %{resource_type} members."
msgstr ""
msgid "For files larger than this limit, only index the file name. The file content is neither indexed nor searchable."
diff --git a/qa/qa/service/praefect_manager.rb b/qa/qa/service/praefect_manager.rb
index 8ffb7c47652..c364b00629c 100644
--- a/qa/qa/service/praefect_manager.rb
+++ b/qa/qa/service/praefect_manager.rb
@@ -327,6 +327,22 @@ module QA
end
end
+ def accept_dataloss_for_project(project_id, authoritative_storage)
+ repository_hash = "#{Digest::SHA256.hexdigest(project_id.to_s)}"
+ repository = "@hashed/#{repository_hash[0, 2]}/#{repository_hash[2, 2]}/#{repository_hash}.git"
+
+ cmd = %{
+ docker exec #{@praefect} \
+ praefect \
+ -config /var/opt/gitlab/praefect/config.toml \
+ accept-dataloss \
+ --virtual-storage=default \
+ --repository=#{repository} \
+ --authoritative-storage=#{authoritative_storage}
+ }
+ shell(cmd)
+ end
+
def wait_for_health_check_all_nodes
wait_for_gitaly_health_check(@primary_node)
wait_for_gitaly_health_check(@secondary_node)
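Review bot: In `accept_dataloss_for_project`, `authoritative_storage` and the repository path are interpolated unquoted into the string handed to `shell`. A storage name containing whitespace or shell metacharacters would therefore alter the command instead of failing cleanly. Escaping the interpolated values keeps the helper safe to reuse, for example `--authoritative-storage=#{Shellwords.escape(authoritative_storage)}`, assuming `shellwords` is loaded in the QA framework. Separately, `"#{Digest::SHA256.hexdigest(project_id.to_s)}"` wraps a string in a redundant interpolation and can be `Digest::SHA256.hexdigest(project_id.to_s)`.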
@@ -415,6 +431,27 @@ module QA
Support::Waiter.wait_until(sleep_interval: 1) { replication_queue_incomplete_count == 0 && replicated?(project_id) }
end
+ def wait_for_replication_to_node(project_id, node)
+ Support::Waiter.wait_until(sleep_interval: 1) do
+ result = []
+ shell sql_to_docker_exec_cmd(%{
+ select * from replication_queue
+ where state = 'ready'
+ and job ->> 'change' = 'update'
+ and job ->> 'target_node_storage' = '#{node}'
+ and job ->> 'relative_path' = '#{Digest::SHA256.hexdigest(project_id.to_s)}.git';
+ }) do |line|
+ result << line.strip
+ QA::Runtime::Logger.debug(line.strip)
+ end
+ # The result should look like this when all items are replicated
+ # id | state | created_at | updated_at | attempt | lock_id | job | meta
+ # ----+-------+------------+------------+---------+---------+-----+------
+ # (0 rows)
+ result[2] == '(0 rows)'
+ end
+ end
+
def replication_pending?
result = []
shell sql_to_docker_exec_cmd(
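Review bot: `wait_for_replication_to_node` compares `job ->> 'relative_path'` with the bare `<sha256>.git`, whereas `accept_dataloss_for_project` in the same file builds the repository path as `@hashed/xx/yy/<sha256>.git`. If the replication queue stores the full hashed path (not visible here, so worth confirming), the equality never matches, the query returns `(0 rows)` at once and the wait passes without waiting. Matching on the suffix, `and job ->> 'relative_path' like '%/#{Digest::SHA256.hexdigest(project_id.to_s)}.git'`, or building the path once in a shared private helper, would keep the two methods consistent. The filter on `state = 'ready'` also means a job that is already being processed does not count as pending, and `result[2] == '(0 rows)'` depends on the exact psql output layout.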
diff --git a/qa/qa/specs/features/api/3_create/gitaly/praefect_dataloss_spec.rb b/qa/qa/specs/features/api/3_create/gitaly/praefect_dataloss_spec.rb
index 6e2a34afb3e..5b02cc4646c 100644
--- a/qa/qa/specs/features/api/3_create/gitaly/praefect_dataloss_spec.rb
+++ b/qa/qa/specs/features/api/3_create/gitaly/praefect_dataloss_spec.rb
@@ -52,6 +52,53 @@ module QA
expect(project_data_loss).to include('gitaly3, assigned host, unhealthy')
end
end
+
+ it 'allows admin resolve scenario where data cannot be recovered', testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/352708' do
+ # Ensure everything is in sync before begining test
+ praefect_manager.wait_for_project_synced_across_all_storages(project.id)
+
+ Resource::Repository::Commit.fabricate_via_api! do |commit|
+ commit.project = project
+ commit.commit_message = 'accept-dataloss-1'
+ commit.add_files([
+ { file_path: "new_file-#{SecureRandom.hex(8)}.txt", content: 'Add a commit to gitaly1,gitaly2,gitaly3' }
+ ])
+ end
+
+ praefect_manager.wait_for_replication_to_node(project.id, praefect_manager.primary_node)
+ praefect_manager.stop_primary_node
+ Resource::Repository::Commit.fabricate_via_api! do |commit|
+ commit.project = project
+ commit.commit_message = 'accept-dataloss-2'
+ commit.add_files([
+ { file_path: "new_file-#{SecureRandom.hex(8)}.txt", content: 'Add a commit to gitaly2,gitaly3' }
+ ])
+ end
+
+ praefect_manager.wait_for_replication_to_node(project.id, praefect_manager.secondary_node)
+ praefect_manager.stop_secondary_node
+ Resource::Repository::Commit.fabricate_via_api! do |commit|
+ commit.project = project
+ commit.commit_message = 'accept-dataloss-3'
+ commit.add_files([
+ { file_path: "new_file-#{SecureRandom.hex(8)}.txt", content: 'Add a commit to gitaly3' }
+ ])
+ end
+
+ # Confirms that they want to accept dataloss, using gitaly2 as authoritative storage to use as a base
+ praefect_manager.accept_dataloss_for_project(project.id, praefect_manager.secondary_node)
+
+ # Restart nodes, and allow replication to apply dataloss changes
+ praefect_manager.start_all_nodes
+ praefect_manager.wait_for_project_synced_across_all_storages(project.id)
+
+ # Validate that gitaly2 was accepted as the authorative storage
+ aggregate_failures "validate correct set of commits available" do
+ expect(project.commits.map { |commit| commit[:message].chomp }).to include('accept-dataloss-1')
+ expect(project.commits.map { |commit| commit[:message].chomp }).to include('accept-dataloss-2')
+ expect(project.commits.map { |commit| commit[:message].chomp }).not_to include('accept-dataloss-3')
+ end
+ end
end
end
end
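Review bot: The new example stops the primary and secondary nodes and restarts them with `start_all_nodes` only on the success path. If a commit, a wait or `accept_dataloss_for_project` raises in between, the nodes stay down for later examples unless a hook outside this hunk restarts them. Wrapping the body in `begin … ensure praefect_manager.start_all_nodes end`, or confirming that an `after` hook already does this, would make the failure mode contained. The three expectations each call `project.commits`; fetching once with `messages = project.commits.map { |commit| commit[:message].chomp }` avoids repeated requests and asserts against a single snapshot. Two comment typos could be fixed in passing: "begining" and "authorative".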
diff --git a/spec/features/clusters/cluster_detail_page_spec.rb b/spec/features/clusters/cluster_detail_page_spec.rb
index 06e3e00db7d..09e042b00cc 100644
--- a/spec/features/clusters/cluster_detail_page_spec.rb
+++ b/spec/features/clusters/cluster_detail_page_spec.rb
@@ -36,6 +36,20 @@ RSpec.describe 'Clusterable > Show page' do
expect(page).not_to have_selector('[data-testid="cluster-environments-tab"]')
end
+
+ context 'content-security policy' do
+ it 'has AWS domains in the CSP' do
+ visit cluster_path
+
+ expect(response_headers['Content-Security-Policy']).to include(::Clusters::ClustersController::AWS_CSP_DOMAINS.join(' '))
+ end
+
+ it 'keeps existing connect-src in the CSP' do
+ visit cluster_path
+
+ expect(response_headers['Content-Security-Policy']).to include("connect-src #{Gitlab::ContentSecurityPolicy::Directives.connect_src}")
+ end
+ end
end
shared_examples 'editing a GCP cluster' do
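Review bot: Both new CSP expectations match substrings of the whole `Content-Security-Policy` header, so 'has AWS domains in the CSP' would still pass if the AWS hosts ended up in a directive other than `connect-src`. Asserting on the directive itself pins what the feature needs: `connect_src = response_headers['Content-Security-Policy'].split(';').map(&:strip).find { |d| d.start_with?('connect-src') }` followed by `expect(connect_src).to include(*::Clusters::ClustersController::AWS_CSP_DOMAINS)`. The second example can then check the same `connect_src` string for `Gitlab::ContentSecurityPolicy::Directives.connect_src`, which confirms the default source is kept alongside the added hosts rather than elsewhere in the header.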
diff --git a/spec/features/issues/form_spec.rb b/spec/features/issues/form_spec.rb
index b26f65316c5..d67562e32fc 100644
--- a/spec/features/issues/form_spec.rb
+++ b/spec/features/issues/form_spec.rb
@@ -5,7 +5,7 @@ require 'spec_helper'
RSpec.describe 'New/edit issue', :js do
include ActionView::Helpers::JavaScriptHelper
- let_it_be(:project) { create(:project) }
+ let_it_be(:project) { create(:project, :repository) }
let_it_be(:user) { create(:user) }
let_it_be(:user2) { create(:user) }
let_it_be(:milestone) { create(:milestone, project: project) }
@@ -310,6 +310,53 @@ RSpec.describe 'New/edit issue', :js do
end
end
+ describe 'new issue with query parameters' do
+ before do
+ project.repository.create_file(
+ current_user,
+ '.gitlab/issue_templates/test_template.md',
+ 'description from template',
+ message: 'Add test_template.md',
+ branch_name: project.default_branch_or_main
+ )
+ end
+
+ after do
+ project.repository.delete_file(
+ current_user,
+ '.gitlab/issue_templates/test_template.md',
+ message: 'Remove test_template.md',
+ branch_name: project.default_branch_or_main
+ )
+ end
+
+ it 'leaves the description blank if no query parameters are specified' do
+ visit new_project_issue_path(project)
+
+ expect(find('#issue_description').value).to be_empty
+ end
+
+ it 'fills the description from the issue[description] query parameter' do
+ visit new_project_issue_path(project, issue: { description: 'description from query parameter' })
+
+ expect(find('#issue_description').value).to match('description from query parameter')
+ end
+
+ it 'fills the description from the issuable_template query parameter' do
+ visit new_project_issue_path(project, issuable_template: 'test_template')
+ wait_for_requests
+
+ expect(find('#issue_description').value).to match('description from template')
+ end
+
+ it 'fills the description from the issuable_template and issue[description] query parameters' do
+ visit new_project_issue_path(project, issuable_template: 'test_template', issue: { description: 'description from query parameter' })
+ wait_for_requests
+
+ expect(find('#issue_description').value).to match('description from template\ndescription from query parameter')
+ end
+ end
+
describe 'edit issue' do
before do
visit edit_project_issue_path(project, issue)
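Review bot: The description expectations in 'new issue with query parameters' use `match` with a plain string, which is applied as an unanchored regular expression, so each passes as long as the text appears somewhere in the field. In the last example the single-quoted `'…template\ndescription…'` only matches a newline because the regex engine interprets `\n`; read as a Ruby string it is a literal backslash and `n`. If the exact field value is known, `eq("description from template\ndescription from query parameter")` states the intent directly, trailing whitespace permitting. Otherwise an explicit `/…/` literal makes the regex matching visible. The `before`/`after` pair also commits and deletes the template around every example, including the two that never load it.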
diff --git a/spec/services/projects/destroy_service_spec.rb b/spec/services/projects/destroy_service_spec.rb
index d60ec8c2958..3d361f76af2 100644
--- a/spec/services/projects/destroy_service_spec.rb
+++ b/spec/services/projects/destroy_service_spec.rb
@@ -36,18 +36,6 @@ RSpec.describe Projects::DestroyService, :aggregate_failures do
destroy_project(project, user, {})
end
-
- context 'when feature flag publish_project_deleted_event is disabled' do
- before do
- stub_feature_flags(publish_project_deleted_event: false)
- end
-
- it 'does not publish an event' do
- expect(Gitlab::EventStore).not_to receive(:publish).with(event_type(Projects::ProjectDeletedEvent))
-
- destroy_project(project, user, {})
- end
- end
end
shared_examples 'deleting the project with pipeline and build' do
diff --git a/spec/support/shared_examples/models/atomic_internal_id_shared_examples.rb b/spec/support/shared_examples/models/atomic_internal_id_shared_examples.rb
index fe85daa7235..bb15a3054ac 100644
--- a/spec/support/shared_examples/models/atomic_internal_id_shared_examples.rb
+++ b/spec/support/shared_examples/models/atomic_internal_id_shared_examples.rb
@@ -155,7 +155,7 @@ RSpec.shared_examples 'AtomicInternalId' do |validate_presence: true|
end
def expect_iid_to_be_set_and_rollback
- ActiveRecord::Base.transaction(requires_new: true) do
+ instance.transaction(requires_new: true) do
instance.save!
expect(read_internal_id).not_to be_nil