diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-10-26 09:10:55 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-10-26 09:10:55 +0300 |
| commit | 5fe91268ac281aaa1a4dc2d7c0210fdbf55839ad (patch) | |
| tree | 5a5a1b832a2e14191c6522d1c271773c34078138 | |
| parent | 9c590535c8a57a5ae4e6d5796ae3f8bdc808b07f (diff) | |
Add latest changes from gitlab-org/gitlab@master
| -rw-r--r-- | .gitlab/ci/rules.gitlab-ci.yml | 10 | ||||
| -rw-r--r-- | Gemfile | 2 | ||||
| -rw-r--r-- | Gemfile.checksum | 2 | ||||
| -rw-r--r-- | Gemfile.lock | 6 | ||||
| -rw-r--r-- | app/controllers/concerns/preview_markdown.rb | 2 | ||||
| -rw-r--r-- | app/finders/clusters/agent_authorizations_finder.rb | 30 | ||||
| -rw-r--r-- | config/feature_flags/development/agent_authorization_include_descendants.yml | 8 | ||||
| -rw-r--r-- | doc/user/clusters/agent/ci_cd_workflow.md | 10 | ||||
| -rw-r--r-- | doc/user/clusters/agent/install/index.md | 2 | ||||
| -rw-r--r-- | qa/Gemfile | 2 | ||||
| -rw-r--r-- | qa/Gemfile.lock | 2 | ||||
| -rw-r--r-- | spec/finders/clusters/agent_authorizations_finder_spec.rb | 16 |
12 files changed, 30 insertions, 62 deletions
diff --git a/.gitlab/ci/rules.gitlab-ci.yml b/.gitlab/ci/rules.gitlab-ci.yml index ed065ef8056..27b563dd74f 100644 --- a/.gitlab/ci/rules.gitlab-ci.yml +++ b/.gitlab/ci/rules.gitlab-ci.yml @@ -850,6 +850,8 @@ - <<: *if-merge-request-labels-run-all-jest - <<: *if-merge-request-labels-frontend-and-feature-flag - <<: *if-merge-request + changes: ["{package.json,yarn.lock}"] + - <<: *if-merge-request changes: [".gitlab/ci/rules.gitlab-ci.yml", ".gitlab/ci/frontend.gitlab-ci.yml"] - <<: *if-automated-merge-request changes: *code-backstage-patterns @@ -868,6 +870,9 @@ - <<: *if-merge-request-labels-frontend-and-feature-flag when: never - <<: *if-merge-request + changes: ["{package.json,yarn.lock}"] + when: never + - <<: *if-merge-request changes: [".gitlab/ci/rules.gitlab-ci.yml", ".gitlab/ci/frontend.gitlab-ci.yml"] when: never - <<: *if-merge-request @@ -878,6 +883,8 @@ - !reference [".strict-ee-only-rules", rules] - <<: *if-merge-request-labels-as-if-foss - <<: *if-merge-request-labels-run-all-jest + - <<: *if-merge-request + changes: ["{package.json,yarn.lock}"] - <<: *if-security-merge-request changes: *code-backstage-patterns @@ -887,6 +894,9 @@ - !reference [".frontend:rules:minimal-default-rules", rules] - <<: *if-merge-request-labels-run-all-jest when: never + - <<: *if-merge-request + changes: ["{package.json,yarn.lock}"] + when: never - <<: *if-fork-merge-request when: never - <<: *if-merge-request @@ -340,7 +340,7 @@ gem 'pg_query', '~> 2.1.4' gem 'premailer-rails', '~> 1.10.3' # LabKit: Tracing and Correlation -gem 'gitlab-labkit', '~> 0.24.0' +gem 'gitlab-labkit', '~> 0.26.0' gem 'thrift', '>= 0.16.0' # I18n diff --git a/Gemfile.checksum b/Gemfile.checksum index ffc1425bb52..9455e6360e6 100644 --- a/Gemfile.checksum +++ b/Gemfile.checksum @@ -205,7 +205,7 @@ {"name":"gitlab-dangerfiles","version":"3.6.1","platform":"ruby","checksum":"f7b69b093d52acb89095d411cb7b8849f5f3b9e76f8baa4c99b5671f1564865f"}, {"name":"gitlab-experiment","version":"0.7.1","platform":"ruby","checksum":"166dddb3aa83428bcaa93c35684ed01dc4d61f321fd2ae40b020806dc54a7824"}, {"name":"gitlab-fog-azure-rm","version":"1.3.0","platform":"ruby","checksum":"2fef5317d6515f95f803099afa860fe3019ce6e1907bf49f66b5e06468a617b5"}, -{"name":"gitlab-labkit","version":"0.24.0","platform":"ruby","checksum":"8f16e5aa4e0a05be58958fe880bdd53c84b659a081ea9981d2b510922a4a0548"}, +{"name":"gitlab-labkit","version":"0.26.0","platform":"ruby","checksum":"718f1a8fe685780c2d78ecb25cc626e58e8b866a9f59565a5f705a1b84109517"}, {"name":"gitlab-license","version":"2.2.1","platform":"ruby","checksum":"39fcf6be8b2887df8afe01b5dcbae8d08b7c5d937ff56b0fb40484a8c4f02d30"}, {"name":"gitlab-mail_room","version":"0.0.9","platform":"ruby","checksum":"6700374b5c0aa9d9ad4e711aeb677f0b7d415a6d01d3baa699efab25349d851c"}, {"name":"gitlab-markup","version":"1.8.1","platform":"ruby","checksum":"ab1f9fd016977497c2af25b76341dea670533014f406861834a0bd99f646707b"}, diff --git a/Gemfile.lock b/Gemfile.lock index b210e4afd7f..877afac4509 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -569,14 +569,14 @@ GEM fog-json (~> 1.2.0) mime-types ms_rest_azure (~> 0.12.0) - gitlab-labkit (0.24.0) + gitlab-labkit (0.26.0) actionpack (>= 5.0.0, < 8.0.0) activesupport (>= 5.0.0, < 8.0.0) grpc (>= 1.37) jaeger-client (~> 1.1.0) opentracing (~> 0.4) pg_query (~> 2.1) - redis (> 3.0.0, < 5.0.0) + redis (> 3.0.0, < 6.0.0) gitlab-license (2.2.1) gitlab-mail_room (0.0.9) gitlab-markup (1.8.1) @@ -1632,7 +1632,7 @@ DEPENDENCIES gitlab-dangerfiles (~> 3.6.1) gitlab-experiment (~> 0.7.1) gitlab-fog-azure-rm (~> 1.3.0) - gitlab-labkit (~> 0.24.0) + gitlab-labkit (~> 0.26.0) gitlab-license (~> 2.2.1) gitlab-mail_room (~> 0.0.9) gitlab-markup (~> 1.8.0) diff --git a/app/controllers/concerns/preview_markdown.rb b/app/controllers/concerns/preview_markdown.rb index 79b3fa28660..7af114313a1 100644 --- a/app/controllers/concerns/preview_markdown.rb +++ b/app/controllers/concerns/preview_markdown.rb @@ -41,7 +41,7 @@ module PreviewMarkdown case controller_name when 'wikis' then { pipeline: :wiki, wiki: wiki, page_slug: params[:id] } when 'snippets' then { skip_project_check: true } - when 'groups' then { group: group } + when 'groups' then { group: group, issuable_reference_expansion_enabled: true } when 'projects' then projects_filter_params when 'timeline_events' then timeline_events_filter_params else {} diff --git a/app/finders/clusters/agent_authorizations_finder.rb b/app/finders/clusters/agent_authorizations_finder.rb index 8b939f5d646..70c0868cc7f 100644 --- a/app/finders/clusters/agent_authorizations_finder.rb +++ b/app/finders/clusters/agent_authorizations_finder.rb @@ -24,15 +24,7 @@ module Clusters # rubocop: disable CodeReuse/ActiveRecord def project_authorizations - namespace_ids = if project.group - if include_descendants? - all_namespace_ids - else - ancestor_namespace_ids - end - else - project.namespace_id - end + namespace_ids = project.group ? all_namespace_ids : project.namespace_id Clusters::Agents::ProjectAuthorization .where(project_id: project.id) @@ -57,35 +49,21 @@ module Clusters authorizations[:group_id].eq(ordered_ancestors_cte.table[:id]) ).join_sources - authorized_groups = Clusters::Agents::GroupAuthorization + Clusters::Agents::GroupAuthorization .with(ordered_ancestors_cte.to_arel) .joins(cte_join_sources) .joins(agent: :project) .with_available_ci_access_fields(project) + .where(projects: { namespace_id: all_namespace_ids }) .order(Arel.sql('agent_id, array_position(ARRAY(SELECT id FROM ordered_ancestors)::bigint[], agent_group_authorizations.group_id)')) .select('DISTINCT ON (agent_id) agent_group_authorizations.*') .preload(agent: :project) - - authorized_groups = if include_descendants? - authorized_groups.where(projects: { namespace_id: all_namespace_ids }) - else - authorized_groups.where('projects.namespace_id IN (SELECT id FROM ordered_ancestors)') - end - - authorized_groups.to_a + .to_a end # rubocop: enable CodeReuse/ActiveRecord - def ancestor_namespace_ids - project.ancestors.select(:id) - end - def all_namespace_ids project.root_ancestor.self_and_descendants.select(:id) end - - def include_descendants? - Feature.enabled?(:agent_authorization_include_descendants, project) - end end end diff --git a/config/feature_flags/development/agent_authorization_include_descendants.yml b/config/feature_flags/development/agent_authorization_include_descendants.yml deleted file mode 100644 index 17d3a484395..00000000000 --- a/config/feature_flags/development/agent_authorization_include_descendants.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -name: agent_authorization_include_descendants -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/95774 -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/371310 -milestone: '15.5' -type: development -group: group::configure -default_enabled: false diff --git a/doc/user/clusters/agent/ci_cd_workflow.md b/doc/user/clusters/agent/ci_cd_workflow.md index b82c557a2b7..a5486eaee1d 100644 --- a/doc/user/clusters/agent/ci_cd_workflow.md +++ b/doc/user/clusters/agent/ci_cd_workflow.md @@ -58,7 +58,8 @@ Authorization configuration can take one or two minutes to propagate. ### Authorize the agent to access your projects -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327850) in GitLab 14.4. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327850) in GitLab 14.4. +> - [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/346566) to remove hierarchy restrictions in GitLab 15.6. To authorize the agent to access the GitLab project where you keep Kubernetes manifests: @@ -72,7 +73,7 @@ To authorize the agent to access the GitLab project where you keep Kubernetes ma - id: path/to/project ``` - - The Kubernetes projects must be in the same group hierarchy as the project where the agent's configuration is. + - Authorized projects must have the same root group as the agent's configuration project. - You can install additional agents into the same cluster to accommodate additional hierarchies. - You can authorize up to 100 projects. @@ -81,7 +82,8 @@ Choose the context to run `kubectl` commands from your CI/CD scripts. ### Authorize the agent to access projects in your groups -> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5784) in GitLab 14.3. +> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5784) in GitLab 14.3. +> - [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/346566) to remove hierarchy restrictions in GitLab 15.6. To authorize the agent to access all of the GitLab projects in a group or subgroup: @@ -95,7 +97,7 @@ To authorize the agent to access all of the GitLab projects in a group or subgro - id: path/to/group/subgroup ``` - - The Kubernetes projects must be in the same group hierarchy as the project where the agent's configuration is. + - Authorized groups must have the same root group as the agent's configuration project. - You can install additional agents into the same cluster to accommodate additional hierarchies. - All of the subgroups of an authorized group also have access to the same agent (without being specified individually). - You can authorize up to 100 groups. diff --git a/doc/user/clusters/agent/install/index.md b/doc/user/clusters/agent/install/index.md index 19628419784..b8dfc777551 100644 --- a/doc/user/clusters/agent/install/index.md +++ b/doc/user/clusters/agent/install/index.md @@ -45,6 +45,8 @@ For configuration settings, the agent uses a YAML file in the GitLab project. Yo - You use [a GitOps workflow](../gitops.md#gitops-workflow-steps). - You use [a GitLab CI/CD workflow](../ci_cd_workflow.md#gitlab-cicd-workflow-steps) and want to authorize a different project to use the agent. +Otherwise it is optional. + To create an agent configuration file: 1. Choose a name for your agent. The agent name follows the diff --git a/qa/Gemfile b/qa/Gemfile index a5a5da6aac4..92023bee998 100644 --- a/qa/Gemfile +++ b/qa/Gemfile @@ -7,7 +7,7 @@ gem 'activesupport', '~> 6.1.4.7' # This should stay in sync with the root's Gem gem 'allure-rspec', '~> 2.18.0' gem 'capybara', '~> 3.37.1' gem 'capybara-screenshot', '~> 1.0.26' -gem 'rake', '~> 13' +gem 'rake', '~> 13', '>= 13.0.6' gem 'rspec', '~> 3.11' gem 'selenium-webdriver', '~> 4.5' gem 'airborne', '~> 0.3.7', require: false # airborne is messing with rspec sandboxed mode so not requiring by default diff --git a/qa/Gemfile.lock b/qa/Gemfile.lock index 71125538eff..5e6b1531aff 100644 --- a/qa/Gemfile.lock +++ b/qa/Gemfile.lock @@ -323,7 +323,7 @@ DEPENDENCIES parallel_tests (~> 3.13) pry-byebug (~> 3.10.1) rainbow (~> 3.1.1) - rake (~> 13) + rake (~> 13, >= 13.0.6) rest-client (~> 2.1.0) rotp (~> 6.2.0) rspec (~> 3.11) diff --git a/spec/finders/clusters/agent_authorizations_finder_spec.rb b/spec/finders/clusters/agent_authorizations_finder_spec.rb index 2d90f32adc5..f680792d6c4 100644 --- a/spec/finders/clusters/agent_authorizations_finder_spec.rb +++ b/spec/finders/clusters/agent_authorizations_finder_spec.rb @@ -64,14 +64,6 @@ RSpec.describe Clusters::AgentAuthorizationsFinder do let!(:project_authorization) { create(:agent_project_authorization, agent: non_ancestor_agent, project: requesting_project) } it { is_expected.to match_array([project_authorization]) } - - context 'agent_authorization_include_descendants feature flag is disabled' do - before do - stub_feature_flags(agent_authorization_include_descendants: false) - end - - it { is_expected.to be_empty } - end end context 'with project authorizations present' do @@ -138,14 +130,6 @@ RSpec.describe Clusters::AgentAuthorizationsFinder do let!(:group_authorization) { create(:agent_group_authorization, agent: non_ancestor_agent, group: bottom_level_group) } it { is_expected.to match_array([group_authorization]) } - - context 'agent_authorization_include_descendants feature flag is disabled' do - before do - stub_feature_flags(agent_authorization_include_descendants: false) - end - - it { is_expected.to be_empty } - end end it_behaves_like 'access_as' do |