gitlab.com/gitlab-org/gitlab-foss.git
author GitLab Bot <gitlab-bot@gitlab.com> 2023-10-16 21:10:30 +0300
committer GitLab Bot <gitlab-bot@gitlab.com> 2023-10-16 21:10:30 +0300
commit 5fcd4e5fbcad7d74d1c5efa09c6785303af2ebd7
tree 4a7245bc4c4f6fcc7be3c3c4965a60bed541e533 /doc/administration
parent 533ad4ac834baef990e3ebf613c2b1fe54f13127
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/administration')
-rw-r--r-- doc/administration/audit_event_streaming/index.md 96
-rw-r--r-- doc/administration/geo/disaster_recovery/bring_primary_back.md 2
-rw-r--r-- doc/administration/raketasks/check.md 48
3 files changed, 138 insertions, 8 deletions
diff --git a/doc/administration/audit_event_streaming/index.md b/doc/administration/audit_event_streaming/index.md
index acf6d3c02e0..8f40dc6c34c 100644
--- a/doc/administration/audit_event_streaming/index.md
+++ b/doc/administration/audit_event_streaming/index.md
@@ -261,9 +261,13 @@ To delete Google Cloud Logging streaming destinations to a top-level group:
> - [Feature flag `ff_external_audit_events`](https://gitlab.com/gitlab-org/gitlab/-/issues/393772) enabled by default in GitLab 16.2.
> - Instance streaming destinations [made generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/393772) in GitLab 16.4. [Feature flag `ff_external_audit_events`](https://gitlab.com/gitlab-org/gitlab/-/issues/417708) removed.
+Manage streaming destinations for an entire instance.
+
+### HTTP destinations
+
Manage HTTP streaming destinations for an entire instance.
-### Add a new HTTP destination
+#### Add a new HTTP destination
Add a new HTTP streaming destination to an instance.
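Review bot: The version-history lines kept as context at the top of this hunk (`ff_external_audit_events` enabled by default in 16.2, flag removed in 16.4) now sit above the new generic sentence "Manage streaming destinations for an entire instance." and so read as applying to every instance destination type, while the Google Cloud Logging section added later in this file is marked as introduced in 16.5. Consider moving that history block under `### HTTP destinations` so each destination type carries its own version history.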
@@ -285,7 +289,7 @@ To add a streaming destination for an instance:
20 headers per streaming destination.
1. After all headers have been filled out, select **Add** to add the new streaming destination.
-### List HTTP destinations
+#### List HTTP destinations
Prerequisites:
@@ -299,7 +303,7 @@ To list the streaming destinations for an instance:
1. On the main area, select **Streams** tab.
1. Select the stream to expand it and see all the custom HTTP headers.
-### Update an HTTP destination
+#### Update an HTTP destination
Prerequisites:
@@ -329,7 +333,7 @@ To update a instance streaming destination's custom HTTP headers:
20 headers per streaming destination.
1. Select **Save** to update the streaming destination.
-### Delete an HTTP destination
+#### Delete an HTTP destination
Delete streaming destinations for an entire instance. When the last destination is successfully deleted, streaming is
disabled for the instance.
@@ -360,7 +364,7 @@ To delete only the custom HTTP headers for a streaming destination:
1. To the right of the header, select **Delete** (**{remove}**).
1. Select **Save** to update the streaming destination.
-### Verify event authenticity
+#### Verify event authenticity
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/398107) in GitLab 16.1 [with a flag](../feature_flags.md) named `ff_external_audit_events`. Disabled by default.
> - [Feature flag `ff_external_audit_events`](https://gitlab.com/gitlab-org/gitlab/-/issues/393772) enabled by default in GitLab 16.2.
@@ -384,7 +388,7 @@ To list streaming destinations for an instance and see the verification tokens:
1. On the main area, select the **Streams** tab.
1. View the verification token on the right side of each item.
-### Update event filters
+#### Update event filters
> Event type filtering in the UI with a defined list of audit event types [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/415013) in GitLab 16.3.
@@ -404,7 +408,7 @@ To update a streaming destination's event filters:
1. Select the dropdown list and select or clear the required event types.
1. Select **Save** to update the event filters.
-### Override default content type header
+#### Override default content type header
By default, streaming destinations use a `content-type` header of `application/x-www-form-urlencoded`. However, you
might want to set the `content-type` header to something else. For example ,`application/json`.
@@ -414,6 +418,84 @@ To override the `content-type` header default value for an instance streaming de
- The [GitLab UI](#update-an-http-destination-1).
- The [GraphQL API](graphql_api.md#update-streaming-destinations).
+### Google Cloud Logging destinations
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131851) in GitLab 16.5.
+
+Manage Google Cloud Logging destinations for an entire instance.
+
+#### Prerequisites
+
+Before setting up Google Cloud Logging streaming audit events, you must:
+
+1. Create a service account for Google Cloud with the appropriate credentials and permissions. This account is used to configure audit log streaming authentication.
+ For more information, see [Creating and managing service accounts in the Google Cloud documentation](https://cloud.google.com/iam/docs/service-accounts-create#creating).
+1. Enable the **Logs Writer** role for the service account to enable logging on Google Cloud. For more information, see [Access control with IAM](https://cloud.google.com/logging/docs/access-control#logging.logWriter).
+1. Create a JSON key for the service account. For more information, see [Creating a service account key](https://cloud.google.com/iam/docs/keys-create-delete#creating).
+
+#### Add a new Google Cloud Logging destination
+
+Prerequisites:
+
+- Administrator access on the instance.
+
+To add Google Cloud Logging streaming destinations to an instance:
+
+1. On the left sidebar, select **Search or go to**.
+1. Select **Admin Area**.
+1. On the left sidebar, select **Monitoring > Audit Events**.
+1. On the main area, select **Streams** tab.
+1. Select **Add streaming destination** and select **Google Cloud Logging** to show the section for adding destinations.
+1. Enter the Google project ID, Google client email, log ID, and Google private key to add.
+1. Select **Add** to add the new streaming destination.
+
+#### List Google Cloud Logging destinations
+
+Prerequisites:
+
+- Administrator access on the instance.
+
+To list Google Cloud Logging streaming destinations for an instance:
+
+1. On the left sidebar, select **Search or go to**.
+1. Select **Admin Area**.
+1. On the left sidebar, select **Monitoring > Audit Events**.
+1. On the main area, select **Streams** tab.
+1. Select the Google Cloud Logging stream to expand and see all the fields.
+
+#### Update a Google Cloud Logging destination
+
+Prerequisites:
+
+- Administrator access on the instance.
+
+To update Google Cloud Logging streaming destinations to an instance:
+
+1. On the left sidebar, select **Search or go to**.
+1. Select **Admin Area**.
+1. On the left sidebar, select **Monitoring > Audit Events**.
+1. On the main area, select **Streams** tab.
+1. Select the Google Cloud Logging stream to expand.
+1. Enter the Google project ID, Google client email, and log ID to update.
+1. Select **Add a new private key** and enter a Google private key to update the private key.
+1. Select **Save** to update the streaming destination.
+
+#### Delete a Google Cloud Logging streaming destination
+
+Prerequisites:
+
+- Administrator access on the instance.
+
+To delete Google Cloud Logging streaming destinations to an instance:
+
+1. On the left sidebar, select **Search or go to**.
+1. Select **Admin Area**.
+1. On the left sidebar, select **Monitoring > Audit Events**.
+1. On the main area, select **Streams** tab.
+1. Select the Google Cloud Logging stream to expand.
+1. Select **Delete destination**.
+1. Confirm by selecting **Delete destination** in the dialog.
+
## Payload schema
> Documentation for an audit event streaming schema was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/358149) in GitLab 15.3.
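Review bot: In "List Google Cloud Logging destinations", the step "expand and see all the fields" does not say whether the stored Google private key is displayed; the update steps list only the project ID, client email and log ID and handle the key through **Add a new private key**, which suggests it is not shown. State that explicitly, since this is a service account credential. Smaller points: the prerequisites ask for "appropriate credentials and permissions" before naming **Logs Writer**, so say whether Logs Writer is the only role the account needs; "To update ... destinations to an instance" and "To delete ... destinations to an instance" should read "for an instance", as the list section does; and "select **Streams** tab" is missing "the".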
diff --git a/doc/administration/geo/disaster_recovery/bring_primary_back.md b/doc/administration/geo/disaster_recovery/bring_primary_back.md
index fe05b52cec9..5f2cbd4d03b 100644
--- a/doc/administration/geo/disaster_recovery/bring_primary_back.md
+++ b/doc/administration/geo/disaster_recovery/bring_primary_back.md
@@ -55,7 +55,7 @@ To bring the former **primary** site up to date:
[block all the writes to this site](planned_failover.md#prevent-updates-to-the-primary-site)
during this procedure.
-1. [Set up database replication](../setup/database.md). In this case, the **secondary** site
+1. [Set up Geo](../setup/index.md). In this case, the **secondary** site
refers to the former **primary** site.
1. If [PgBouncer](../../postgresql/pgbouncer.md) was enabled on the **current secondary** site
(when it was a primary site) disable it by editing `/etc/gitlab/gitlab.rb`
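Review bot: The replaced step pointed at database replication specifically, and the new link text "Set up Geo" sends the reader to the whole setup index without saying which parts apply when bringing a former primary back. Since the next line still says the **secondary** site "refers to the former **primary** site", consider naming the sections of the setup page that must be followed here, or noting that the full procedure applies.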
diff --git a/doc/administration/raketasks/check.md b/doc/administration/raketasks/check.md
index 9ced19b53b7..ec28b6bee67 100644
--- a/doc/administration/raketasks/check.md
+++ b/doc/administration/raketasks/check.md
@@ -283,6 +283,54 @@ I, [2020-06-11T17:18:15.575711 #27148] INFO -- : Done!
<!-- vale gitlab.SentenceSpacing = YES -->
+## Reset encrypted tokens when they can't be recovered
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131893) in GitLab 16.6.
+
+WARNING:
+This operation is dangerous and can result in data-loss. Proceed with extreme caution.
+You must have knowledge about GitLab internals before you perform this operation.
+
+In some cases, encrypted tokens can no longer be recovered and cause issues.
+Most often, runner registration tokens for groups and projects might be broken on very large instances.
+
+To reset broken tokens:
+
+1. Identify the database models that have broken encrypted tokens. For example, it can be `Group` and `Project`.
+1. Identify the broken tokens. For example `runners_token`.
+1. To reset broken tokens, run `gitlab:doctor:reset_encrypted_tokens` with `VERBOSE=true MODEL_NAMES=Model1,Model2 TOKEN_NAMES=broken_token1,broken_token2`. For example:
+
+ ```shell
+ VERBOSE=true MODEL_NAMES=Project,Group TOKEN_NAMES=runners_token bundle exec rake gitlab:doctor:reset_encrypted_tokens
+ ```
+
+ You will see every action this task would try to perform:
+
+ ```plain
+ I, [2023-09-26T16:20:23.230942 #88920] INFO -- : Resetting runners_token on Project, Group if they can not be read
+ I, [2023-09-26T16:20:23.230975 #88920] INFO -- : Executing in DRY RUN mode, no records will actually be updated
+ D, [2023-09-26T16:20:30.151585 #88920] DEBUG -- : > Fix Project[1].runners_token
+ I, [2023-09-26T16:20:30.151617 #88920] INFO -- : Checked 1/9 Projects
+ D, [2023-09-26T16:20:30.151873 #88920] DEBUG -- : > Fix Project[3].runners_token
+ D, [2023-09-26T16:20:30.152975 #88920] DEBUG -- : > Fix Project[10].runners_token
+ I, [2023-09-26T16:20:30.152992 #88920] INFO -- : Checked 11/29 Projects
+ I, [2023-09-26T16:20:30.153230 #88920] INFO -- : Checked 21/29 Projects
+ I, [2023-09-26T16:20:30.153882 #88920] INFO -- : Checked 29 Projects
+ D, [2023-09-26T16:20:30.195929 #88920] DEBUG -- : > Fix Group[22].runners_token
+ I, [2023-09-26T16:20:30.196125 #88920] INFO -- : Checked 1/19 Groups
+ D, [2023-09-26T16:20:30.196192 #88920] DEBUG -- : > Fix Group[25].runners_token
+ D, [2023-09-26T16:20:30.197557 #88920] DEBUG -- : > Fix Group[82].runners_token
+ I, [2023-09-26T16:20:30.197581 #88920] INFO -- : Checked 11/19 Groups
+ I, [2023-09-26T16:20:30.198455 #88920] INFO -- : Checked 19 Groups
+ I, [2023-09-26T16:20:30.198462 #88920] INFO -- : Done!
+ ```
+
+1. If you are confident that this operation resets the correct tokens, disable dry-run mode and run the operation again:
+
+ ```shell
+ DRY_RUN=false VERBOSE=true MODEL_NAMES=Project,Group TOKEN_NAMES=runners_token bundle exec rake gitlab:doctor:reset_encrypted_tokens
+ ```
+
## Troubleshooting
The following are solutions to problems you might discover using the Rake tasks documented
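Review bot: Step 3 says "To reset broken tokens, run ..." but the example command, which sets no `DRY_RUN`, only produces the "Executing in DRY RUN mode" output; the default is never stated in prose and only surfaces in the last step as "disable dry-run mode". Say up front that the task runs in dry-run mode unless `DRY_RUN=false` is set. The sample output also looks inconsistent: "Checked 1/9 Projects" is followed by "Checked 11/29 Projects" and "Checked 29 Projects". The WARNING says data loss is possible without saying what is lost; name the consequence of a reset (for example for `runners_token`) so an administrator can judge it before running with `DRY_RUN=false`.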