Add latest changes from gitlab-org/gitlab@master

4 files changed, 84 insertions, 23 deletions

diff --git a/doc/user/clusters/agent/user_access.md b/doc/user/clusters/agent/user_access.md
index 21dc249b1d1..a1e98a2db76 100644
--- a/doc/user/clusters/agent/user_access.md
+++ b/doc/user/clusters/agent/user_access.md
@@ -151,15 +151,66 @@ Prerequisite:
 
 - You have an agent configured with the `user_access` entry.
 
-To grant Kubernetes API access:
+### Configure local access with the GitLab CLI (recommended)
+
+You can use the [GitLab CLI `glab`](../../../editor_extensions/gitlab_cli/index.md) to create or update
+a Kubernetes configuration file to access the agent Kubernetes API.
+
+Use `glab cluster agent` commands to manage cluster connections:
+
+1. View a list of all the agents associated with your project:
+
+```shell
+glab cluster agent list --repo '<group>/<project>'
+
+# If your current working directory is the Git repository of the project with the agent, you can omit the --repo option:
+glab cluster agent list
+```
+
+1. Use the numerical agent ID presented in the first column of the output to update your `kubeconfig`:
+
+```shell
+glab cluster agent update-kubeconfig --repo '<group>/<project>' --agent '<agent-id>' --use-context
+```
+
+1. Verify the update with `kubectl` or your preferred Kubernetes tooling:
+
+```shell
+kubectl get nodes
+```
+
+The `update-kubeconfig` command sets `glab cluster agent get-token` as a
+[credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins)
+for Kubernetes tools to retrieve a token. The `get-token` command creates and
+returns a personal access token that is valid until the end of the current day.
+Kubernetes tools cache the token until it expires, the API returns an authorization error, or the process exits. Expect all subsequent calls to your Kubernetes tooling to create a new token.
+
+The `glab cluster agent update-kubeconfig` command supports a number of command line flags. You can view all supported flags with `glab cluster agent update-kubeconfig --help`.
+
+Some examples:
+
+```shell
+# When the current working directory is the Git repository where the agent is registered the --repo / -R flag can be omitted
+glab cluster agent update-kubeconfig --agent '<agent-id>'
+
+# When the --use-context option is specified the `current-context` of the kubeconfig file is changed to the agent context
+glab cluster agent update-kubeconfig --agent '<agent-id>' --use-context
+
+# The --kubeconfig flag can be used to specify an alternative kubeconfig path
+glab cluster agent update-kubeconfig --agent '<agent-id>' --kubeconfig ~/gitlab.kubeconfig
+```
+
+### Configure local access manually using a personal access token
+
+You can configure access to a Kubernetes cluster using a long-lived personal access token following these steps:
 
 1. On the left sidebar, select **Search or go to** and find your project.
 1. Select **Operate > Kubernetes clusters** and retrieve the numerical ID of the agent you want to access. You need the ID to construct the full API token.
 1. Create a [personal access token](../../profile/personal_access_tokens.md) with the `k8s_proxy` scope. You need the access token to construct the full API token.
-1. Construct `kube config` entries to access the cluster:
-   1. Make sure that the proper `kube config` is selected.
+1. Construct `kubeconfig` entries to access the cluster:
+   1. Make sure that the proper `kubeconfig` is selected.
       For example, you can set the `KUBECONFIG` environment variable.
-   1. Add the GitLab KAS proxy cluster to the `kube config`:
+   1. Add the GitLab KAS proxy cluster to the `kubeconfig`:
 
       ```shell
       kubectl config set-cluster <cluster_name> --server "https://kas.gitlab.com/k8s-proxy"
diff --git a/doc/user/group/saml_sso/index.md b/doc/user/group/saml_sso/index.md
index 444afd3442b..70af800b180 100644
--- a/doc/user/group/saml_sso/index.md
+++ b/doc/user/group/saml_sso/index.md
@@ -54,7 +54,8 @@ To set up SSO with Azure as your identity provider:
 1. You should set the following attributes:
    - **Unique User Identifier (Name identifier)** to `user.objectID`.
    - **nameid-format** to `persistent`. For more information, see how to [manage user SAML identity](#manage-user-saml-identity).
-   - **Additional claims** to [supported attributes](#user-attributes).
+   - **email** to `user.mail` or similar.
+   - **Additional claims** to [supported attributes](#configure-assertions).
 
 1. Make sure the identity provider is set to have provider-initiated calls
    to link existing GitLab accounts.
@@ -98,7 +99,7 @@ To set up Google Workspace as your identity provider:
    - For **Last name**: `last_name`.
    - For **Name ID format**: `EMAIL`.
    - For **NameID**: `Basic Information > Primary email`.
-     For more information, see [manage user SAML identity](#manage-user-saml-identity).
+     For more information, see [supported attributes](#configure-assertions).
 
 1. Make sure the identity provider is set to have provider-initiated calls
    to link existing GitLab accounts.
@@ -134,6 +135,8 @@ To set up SSO with Okta as your identity provider:
 1. Set these values:
    - For **Application username (NameID)**: **Custom** `user.getInternalProperty("id")`.
    - For **Name ID Format**: `Persistent`. For more information, see [manage user SAML identity](#manage-user-saml-identity).
+   - For **email**: `user.email` or similar.
+   - For additional **Attribute Statements**, see [supported attributes](#configure-assertions).
 
 1. Make sure the identity provider is set to have provider-initiated calls
    to link existing GitLab accounts.
@@ -170,10 +173,28 @@ To set up OneLogin as your identity provider:
    | **Identity provider single sign-on URL**             | **SAML 2.0 Endpoint**            |
 
 1. For **NameID**, use `OneLogin ID`. For more information, see [manage user SAML identity](#manage-user-saml-identity).
-
+1. Configure [required and supported attributes](#configure-assertions).
 1. Make sure the identity provider is set to have provider-initiated calls
    to link existing GitLab accounts.
 
+### Configure assertions
+
+At minimum, you must configure the following assertions:
+
+1. [NameID](#manage-user-saml-identity).
+1. Email.
+
+Optionally, you can pass user information to GitLab as attributes in the SAML assertion.
+
+- The user's email address can be an **email** or **mail** attribute.
+- The username can be either a **username** or **nickname** attribute. You should specify only
+  one of these.
+
+For more information, see the [attributes available for self-managed GitLab instances](../../../integration/saml.md#configure-assertions).
+
+NOTE:
+Attribute names starting with phrases such as `http://schemas.microsoft.com/ws/2008/06/identity/claims/` are not supported. For more information on configuring required attribute names in the SAML identity provider's settings, see [example group SAML and SCIM configurations](../../../user/group/saml_sso/example_saml_config.md).
+
 ### Use metadata
 
 To configure some identity providers, you need a GitLab metadata URL.
@@ -253,19 +274,6 @@ When a user tries to sign in with Group SSO, GitLab attempts to find or create a
   - Create a new account with another email address.
   - Sign-in to their existing account to link the SAML identity.
 
-### User attributes
-
-You can pass user information to GitLab as attributes in the SAML assertion.
-
-- The user's email address can be an **email** or **mail** attribute.
-- The username can be either a **username** or **nickname** attribute. You should specify only
-  one of these.
-
-For more information, see the [attributes available for self-managed GitLab instances](../../../integration/saml.md#configure-assertions).
-
-NOTE:
-Attribute names starting with phrases such as `http://schemas.microsoft.com/ws/2008/06/identity/claims/` are not supported. For more information on configuring required attribute names in the SAML identity provider's settings, see [example group SAML and SCIM configurations](../../../user/group/saml_sso/example_saml_config.md).
-
 ### Link SAML to your existing GitLab.com account
 
 > **Remember me** checkbox [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/121569) in GitLab 15.7.
diff --git a/doc/user/packages/generic_packages/index.md b/doc/user/packages/generic_packages/index.md
index 938093f2a27..1416dcde14f 100644
--- a/doc/user/packages/generic_packages/index.md
+++ b/doc/user/packages/generic_packages/index.md
@@ -33,7 +33,7 @@ Prerequisites:
 - You must [authenticate with the API](../../../api/rest/index.md#authentication).
   If authenticating with a deploy token, it must be configured with the `write_package_registry`
   scope. If authenticating with a personal access token or project access token, it must be
-  configured with the `api` scope.
+  configured with the `api` scope. Project access tokens must have at least the Developer role.
 - You must call this API endpoint serially when attempting to upload multiple files under the
   same package name and version. Attempts to concurrently upload multiple files into
   a new package name and version may face partial failures with
@@ -142,7 +142,9 @@ If multiple packages have the same name, version, and filename, then the most re
 
 Prerequisites:
 
-- You need to [authenticate with the API](../../../api/rest/index.md#authentication). If authenticating with a deploy token, it must be configured with the `read_package_registry` and/or `write_package_registry` scope.
+- You need to [authenticate with the API](../../../api/rest/index.md#authentication). 
+  - If authenticating with a deploy token, it must be configured with the `read_package_registry` and/or `write_package_registry` scope. 
+  - Project access tokens require the `read_api` scope and at least the `Reporter` role.
 
 ```plaintext
 GET /projects/:id/packages/generic/:package_name/:package_version/:file_name
diff --git a/doc/user/project/integrations/gitlab_slack_application.md b/doc/user/project/integrations/gitlab_slack_application.md
index 6f70305ce8b..67a6916c3b6 100644
--- a/doc/user/project/integrations/gitlab_slack_application.md
+++ b/doc/user/project/integrations/gitlab_slack_application.md
@@ -74,7 +74,7 @@ You can use slash commands to run common GitLab operations. Replace `<project>`
 - You must authorize your Slack user on GitLab.com when you run your first slash command.
 - You can [create a shorter project alias](#create-a-project-alias-for-slash-commands) for slash commands.
 
-**For [Slack slash commands](slack_slash_commands.md) on self-managed GitLab, [Mattermost slash commands](mattermost_slash_commands.md), and [ChatOps](../../../ci/chatops/index.md)**, replace `/gitlab` with the slash command trigger name configured for your integration.
+**For [Slack slash commands](slack_slash_commands.md) on self-managed GitLab and [Mattermost slash commands](mattermost_slash_commands.md), replace `/gitlab` with the slash command trigger name configured for your integration.
 
 The following slash commands are available: