Add latest changes from gitlab-org/gitlab@master

5 files changed, 198 insertions, 1 deletions

diff --git a/doc/administration/packages/container_registry.md b/doc/administration/packages/container_registry.md
index fd3cbb2ad05..87422f1ddeb 100644
--- a/doc/administration/packages/container_registry.md
+++ b/doc/administration/packages/container_registry.md
@@ -1285,6 +1285,33 @@ specified in its configuration and allows the operation.
 GitLab background jobs processing (through Sidekiq) also interacts with Registry.
 These jobs talk directly to Registry to handle image deletion.
 
+## Migrate from a third-party registry
+
+Using external container registries in GitLab was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/376217)
+in GitLab 15.8 and the end of support occurred in GitLab 16.0. See the [deprecation notice](../../update/deprecations.md#use-of-third-party-container-registries-is-deprecated) for more details.
+
+The integration is not disabled in GitLab 16.0, but support for debugging and fixing issues
+is no longer provided. Additionally, the integration is no longer being developed or
+enhanced with new features. Third-party registry functionality might be completely removed
+after the new GitLab Container Registry version is available for self-managed (see epic [5521](https://gitlab.com/groups/gitlab-org/-/epics/5521)). Only the GitLab Container Registry is planned to be supported.
+
+This section has guidance for administrators migrating from third-party registries
+to the GitLab Container Registry. If the third-party container registry you are using is not listed here,
+you can describe your use cases in [the feedback issue](https://gitlab.com/gitlab-org/container-registry/-/issues/958).
+
+For all of the instructions provided below, you should try them first on a test environment.
+Make sure everything continues to work as expected before replicating it in production.
+
+### Docker Distribution Registry
+
+The [Docker Distribution Registry](https://docs.docker.com/registry/) was donated to the CNCF
+and is now known as the [Distribution Registry](https://github.com/distribution/distribution).
+This registry is the open source implementation that the GitLab Container Registry is based on.
+The GitLab Container Registry is compatible with the basic functionality provided by the Distribution Registry,
+including all the supported storage backends. To migrate to the GitLab Container Registry
+you can follow the instructions on this page, and use the same storage backend as the Distribution Registry.
+The GitLab Container Registry should accept the same configuration that you are using for the Distribution Registry.
+
 ## Troubleshooting
 
 Before diving in to the following sections, here's some basic troubleshooting:
diff --git a/doc/ci/docker/using_kaniko.md b/doc/ci/docker/using_kaniko.md
index 32f95052980..b7affe28984 100644
--- a/doc/ci/docker/using_kaniko.md
+++ b/doc/ci/docker/using_kaniko.md
@@ -134,7 +134,7 @@ before_script:
   - |
     echo "-----BEGIN CERTIFICATE-----
     ...
-    -----END CERTIFICATE-----" >> /kaniko/ssl/certs/additional-ca-cert-bundle.crt
+    -----END CERTIFICATE-----" >> /kaniko/ssl/certs/ca-certificates.crt
 ```
 
 ## Video walkthrough of a working example
diff --git a/doc/ci/troubleshooting.md b/doc/ci/troubleshooting.md
index c56ca439c83..fb33ad5500f 100644
--- a/doc/ci/troubleshooting.md
+++ b/doc/ci/troubleshooting.md
@@ -328,6 +328,23 @@ When you rerun a job, uses the same configuration each time. If you update confi
 including separate files added with [`include`](yaml/index.md#include), you must
 start a new pipeline to use the new configuration.
 
+### Unable to pull image from another project
+
+When a runner tries to pull an image from a private project, the job could fail with the following error:
+
+```shell
+WARNING: Failed to pull image with policy "always": Error response from daemon: pull access denied for registry.example.com/path/to/project, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
+```
+
+This error can happen if the following are both true:
+
+- The **Allow access to this project with a CI_JOB_TOKEN** option is enabled in the private project
+  hosting the image.
+- The job attempting to fetch the image is running for a project that is not listed in
+  the private project's allowlist.
+
+The recommended solution is to [add your project to the private project's job token scope allowlist](jobs/ci_job_token.md#add-a-project-to-the-job-token-scope-allowlist).
+
 ## Pipeline warnings
 
 Pipeline configuration warnings are shown when you:
diff --git a/doc/development/identity_verification.md b/doc/development/identity_verification.md
new file mode 100644
index 00000000000..14a944807a8
--- /dev/null
+++ b/doc/development/identity_verification.md
@@ -0,0 +1,111 @@
+---
+stage: Data Science
+group: Anti-Abuse
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+
+# Identity verification development
+
+For information on this feature that are not development-specific, see the [feature documentation](../security/identity_verification.md).
+
+## Feature flags
+
+Because of the many registration paths and multiple verification stages, identity verification has several feature flags.
+
+Before you enable these features, ensure [hard email confirmation](../security/user_email_confirmation.md) is enabled and [Arkose](../integration/arkose.md#configuration) is configured properly.
+
+
+| Feature flag name | Description |
+|---------|-------------|
+| `identity_verification` | Turns on email verification for all registration paths |
+| `identity_verification_phone_number` | Turns on phone verification for medium risk users for all flows (the Arkose challenge flag for the specific flow and the `identity_verification` flag must be enabled for this to have effect) |
+| `identity_verification_credit_card` | Turns on credit card verification for high risk users for all flows (the Arkose challenge flag for the specific flow and the `identity_verification` flag must be enabled for this to have effect) |
+| `arkose_labs_signup_challenge` | Enables Arkose challenge for all flows, except the Trial and OAuth flows |
+| `arkose_labs_trial_signup_challenge` | Enables Arkose challenge for the Trial flow (the `arkose_labs_signup_challenge` flag must be enabled as well for this to have effect) |
+| `arkose_labs_oauth_signup_challenge` | Enables Arkose challenge for the OAuth flow |
+
+## Logging
+
+You can triage and debug issues raised by identity verification with the [GitLab production logs](https://log.gprd.gitlab.net).
+
+### View logs associated to a user and email verification
+
+To view logs associated to the [email stage](../security/identity_verification.md#email-verification) for a user:
+
+- Query the GitLab production logs with the following KQL:
+
+  ```plaintext
+  KQL: json.controller:"IdentityVerificationController" AND json.username:replace_username_here
+  ```
+
+Valuable debugging information can be found in the `json.action` and `json.location` columns.
+
+### View logs associated to a user and phone verification
+
+To view logs associated to the [phone stage](../security/identity_verification.md#phone-number-verification) for a user:
+
+- Query the GitLab production logs with the following KQL:
+
+  ```plaintext
+  KQL: json.message: "IdentityVerification::Phone" AND json.username:replace_username_here
+  ```
+
+On rows where `json.event` is `Failed Attempt`, you can find valuable debugging information in the `json.reason` column such as:
+
+| Reason  | Description |
+|---------|-------------|
+ | `invalid_phone_number` | Either there was a typo in the phone number, or the user used a VOIP number. GitLab does not allow users to sign up with non-mobile phone numbers. |
+| `invalid_code` | The user entered an incorrect verification code. |
+| `rate_limited` | The user had 10 or more failed attempts, so they were rate-limited for one hour. |
+| `related_to_banned_user` | The user tried a phone number already related to a banned user. |
+
+### View logs associated to a user and credit card verification
+
+To view logs associated to the [credit card stage](../security/identity_verification.md#credit-card-verification) for a user:
+
+- Query the GitLab production logs with the following KQL:
+
+  ```plaintext
+  KQL: json.message: "IdentityVerification::CreditCard" AND json.username:replace_username_here
+  ```
+
+On rows where `json.event` is `Failed Attempt`, you can find valuable debugging information in the `json.reason` column such as:
+
+| Reason  | Description |
+|---------|-------------|
+| `rate_limited` | The user had 10 or more failed attempts, so they were rate-limited for one hour. |
+| `related_to_banned_user` | The user tried a credit card number already related to a banned user. |
+
+### View logs associated with high-risk users
+
+To view logs associated with the [credit card stage](../security/identity_verification.md#credit-card-verification) for high-risk users:
+
+- Query the GitLab production logs with the following KQL:
+
+  ```plaintext
+  json.controller:"SubscriptionsController" AND json.action:"payment_form" AND json.params.value:"cc_registration_validation"
+  ```
+
+## Code walkthrough
+
+<i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
+For a walkthrough and high level explanation of the code, see [Identity Verification - Code walkthrough](https://www.youtube.com/watch?v=DIsnMiNzND8).
+
+## QA Integration
+
+For end-to-end production and staging tests to function properly, GitLab [allows QA users to bypass identity verification](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/117633).
+
+## Additional resources
+
+<!-- markdownlint-disable MD044 -->
+The [Anti-abuse team](https://about.gitlab.com/handbook/engineering/development/data-science/anti-abuse/#team-members) owns identity verification. You can join our channel on Slack: [#g_anti-abuse](https://gitlab.slack.com/archives/C03EH5HCLPR).
+<!-- markdownlint-enable MD044 -->
+
+For help with Telesign:
+
+<!-- markdownlint-disable MD044 -->
+- Telesign/GitLab collaboration channel on Slack: [#gitlab-telesign-support](https://gitlab.slack.com/archives/C052EAXB6BY)
+<!-- markdownlint-enable MD044 -->
+- Telesign support contact: `support@telesign.com`
+- [Telesign portal](https://teleportal.telesign.com/)
+- [Telesign documentation](https://developer.telesign.com/enterprise/docs/get-started-with-docs)
diff --git a/doc/security/identity_verification.md b/doc/security/identity_verification.md
new file mode 100644
index 00000000000..cf2beaf229f
--- /dev/null
+++ b/doc/security/identity_verification.md
@@ -0,0 +1,42 @@
+---
+stage: Anti-Abuse
+group: Anti-Abuse
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+
+# Identity verification **(FREE)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/95722) in GitLab 15.4 [with a flag](../administration/feature_flags.md) named `identity_verification`. Disabled by default.
+
+FLAG:
+On self-managed GitLab, by default this feature is not available.
+This feature is not ready for production use.
+
+Identity verification provides multiple layers of GitLab account security.
+Depending on your [risk score](../integration/arkose.md), you might be required to perform up to
+three stages of verification to register an account:
+
+- **All users** - Email verification.
+- **Medium-risk users** - Phone number verification.
+- **High-risk users** - Credit card verification.
+
+## Email verification
+
+To register an account, you must provide a valid email address.
+See [Account email verification](email_verification.md).
+
+## Phone number verification
+
+In addition to email verification, you might have to provide a valid phone number and verify a one-time code.
+
+You cannot verify an account with a phone number associated with a banned user.
+
+## Credit card verification
+
+In addition to email and phone number verification, you might have to provide a valid credit card number.
+
+You cannot verify an account with a credit card number associated with a banned user.
+
+## Related topics
+
+- [Identity verification development documentation](../development/identity_verification.md)