Diffstat (limited to 'config')
23 files changed, 114 insertions, 251 deletions
diff --git a/config/feature_categories.yml b/config/feature_categories.yml index fb261377532..0f36e3e1727 100644 --- a/config/feature_categories.yml +++ b/config/feature_categories.yml @@ -9,7 +9,6 @@ --- - accessibility_testing - advanced_deployments -- alert_management - analysis - api - attack_emulation @@ -21,7 +20,7 @@ - boards - chatops - cloud_native_installation -- cluster_cost_optimization +- cluster_cost_management - code_analytics - code_quality - code_review @@ -47,6 +46,7 @@ - epics - error_tracking - feature_flags +- five_minute_production_app - foundations - fuzz_testing - gdk @@ -59,9 +59,10 @@ - helm_chart_registry - importers - incident_management +- infrastructure - infrastructure_as_code +- insider_threat - insights -- instance_statistics - integrations - interactive_application_security_testing - internationalization @@ -75,8 +76,11 @@ - load_testing - logging - malware_scanning +- memory - merge_trains - metrics +- mlops +- mobile_signing_deployment - navigation - omnibus_package - package_registry @@ -114,7 +118,7 @@ - tracing - usability_testing - users -- value_stream_analytics +- value_stream_management - vulnerability_database - vulnerability_management - web_firewall diff --git a/config/feature_flags/development/burnup_charts.yml b/config/feature_flags/development/burnup_charts.yml deleted file mode 100644 index 3fcc0b33b3f..00000000000 --- a/config/feature_flags/development/burnup_charts.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -name: burnup_charts -introduced_by_url: -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/268350 -milestone: '13.6' -type: development -group: group::project management -default_enabled: true diff --git a/config/feature_flags/development/http_integrations_list.yml b/config/feature_flags/development/cd_skipped_deployment_status.yml index 3567f7b446d..45d9538ebfc 100644 --- a/config/feature_flags/development/http_integrations_list.yml 
+++ b/config/feature_flags/development/cd_skipped_deployment_status.yml @@ -1,8 +1,7 @@ ---- -name: http_integrations_list -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/45993 -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/255502 +name: cd_skipped_deployment_status +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/46614 +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/283884 milestone: '13.6' type: development -group: group::health +group: group::release default_enabled: false diff --git a/config/feature_flags/development/ci_auto_cancel_all_pipelines.yml b/config/feature_flags/development/ci_auto_cancel_all_pipelines.yml index e20baf93500..7dfc6146b08 100644 --- a/config/feature_flags/development/ci_auto_cancel_all_pipelines.yml +++ b/config/feature_flags/development/ci_auto_cancel_all_pipelines.yml @@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/275997 milestone: '13.6' type: development group: group::pipeline authoring -default_enabled: false +default_enabled: true diff --git a/config/feature_flags/development/ci_bridge_dependency_variables.yml b/config/feature_flags/development/ci_bridge_dependency_variables.yml index db23a30d2cb..54670f93601 100644 --- a/config/feature_flags/development/ci_bridge_dependency_variables.yml +++ b/config/feature_flags/development/ci_bridge_dependency_variables.yml @@ -4,4 +4,4 @@ introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/46530 rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/273734 type: development group: group::pipeline authoring -default_enabled: false +default_enabled: true diff --git a/config/feature_flags/development/pg_hint_plan_for_issuables.yml b/config/feature_flags/development/ci_live_trace_use_fog_attributes.yml index 06d20c404c5..ff3ea9474ac 100644 --- a/config/feature_flags/development/pg_hint_plan_for_issuables.yml 
+++ b/config/feature_flags/development/ci_live_trace_use_fog_attributes.yml @@ -1,8 +1,8 @@ --- -name: pg_hint_plan_for_issuables -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/46289 -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/273528 +name: ci_live_trace_use_fog_attributes +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/47536 +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/285079 milestone: '13.6' type: development -group: group::project planning +group: group::testing default_enabled: false diff --git a/config/feature_flags/development/ci_variable_expansion_in_rules_changes.yml b/config/feature_flags/development/core_security_mr_widget_counts.yml index a3a66295896..23a671d427c 100644 --- a/config/feature_flags/development/ci_variable_expansion_in_rules_changes.yml +++ b/config/feature_flags/development/core_security_mr_widget_counts.yml @@ -1,7 +1,8 @@ --- -name: ci_variable_expansion_in_rules_changes -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/45037 -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/267192 +name: core_security_mr_widget_counts +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/47656 +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/284097 +milestone: '13.7' type: development -group: group::pipeline authoring -default_enabled: true +group: group::static analysis +default_enabled: false diff --git a/config/feature_flags/development/lfs_chunked_encoding.yml b/config/feature_flags/development/lfs_chunked_encoding.yml new file mode 100644 index 00000000000..c9eb8506fdc --- /dev/null +++ b/config/feature_flags/development/lfs_chunked_encoding.yml 
@@ -0,0 +1,8 @@ +--- +name: lfs_chunked_encoding +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/jobs/864043673 +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/285581 +milestone: '13.6' +type: development +group: +default_enabled: false diff --git a/config/feature_flags/development/saml_group_links.yml b/config/feature_flags/development/saml_group_links.yml index cb02b426b29..3b427bd83fa 100644 --- a/config/feature_flags/development/saml_group_links.yml +++ b/config/feature_flags/development/saml_group_links.yml @@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/267020 milestone: '13.6' type: development group: group::access -default_enabled: false +default_enabled: true diff --git a/config/feature_flags/development/unified_diff_lines.yml b/config/feature_flags/development/unified_diff_lines.yml deleted file mode 100644 index e295893acc4..00000000000 --- a/config/feature_flags/development/unified_diff_lines.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -name: unified_diff_lines -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40131 -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/241188 -milestone: '13.4' -type: development -group: group::source code -default_enabled: true diff --git a/config/feature_flags/development/usage_data_incident_management_alert_create_incident.yml b/config/feature_flags/development/usage_data_incident_management_alert_create_incident.yml new file mode 100644 index 00000000000..63432e2f476 --- /dev/null +++ b/config/feature_flags/development/usage_data_incident_management_alert_create_incident.yml @@ -0,0 +1,8 @@ +--- +name: usage_data_incident_management_alert_create_incident +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/48087 +rollout_issue_url: +milestone: '13.7' +type: development +group: group::monitor +default_enabled: true 
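Review bot: The new `lfs_chunked_encoding` definition leaves `group:` empty and points `introduced_by_url` at a CI job (`/-/jobs/864043673`) rather than a merge request, so the flag has no recorded owner and no reviewable change behind it. Judging by its name the flag alters how LFS transfers are handled, which is the kind of switch someone will need to trace during a rollout or an incident. Fill in the owning group (`group: group::<owning group>`, placeholder) and link the merge request that introduced the flag.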
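Review bot: `usage_data_incident_management_alert_create_incident` is added with `default_enabled: true` and an empty `rollout_issue_url`, while the two sibling counters that cite the same merge request (`usage_data_incident_management_alerts_total_unique_counts` and `usage_data_incident_management_incidents_total_unique_counts`) default to `false`. If the difference is intentional, a rollout issue link would record why this counter is on from the start; otherwise `default_enabled: false` keeps the three definitions consistent.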
diff --git a/config/feature_flags/development/pages_serve_from_artifacts_archive.yml b/config/feature_flags/development/usage_data_incident_management_alerts_total_unique_counts.yml index 4cc29601e48..38e94e74399 100644 --- a/config/feature_flags/development/pages_serve_from_artifacts_archive.yml +++ b/config/feature_flags/development/usage_data_incident_management_alerts_total_unique_counts.yml @@ -1,8 +1,8 @@ --- -name: pages_serve_from_artifacts_archive -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/46320 +name: usage_data_incident_management_alerts_total_unique_counts +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/48087 rollout_issue_url: -group: group::release management -milestone: '13.4' +milestone: '13.7' type: development +group: group::monitor default_enabled: false diff --git a/config/feature_flags/development/usage_data_incident_management_incidents_total_unique_counts.yml b/config/feature_flags/development/usage_data_incident_management_incidents_total_unique_counts.yml new file mode 100644 index 00000000000..1bb602730e7 --- /dev/null +++ b/config/feature_flags/development/usage_data_incident_management_incidents_total_unique_counts.yml @@ -0,0 +1,8 @@ +--- +name: usage_data_incident_management_incidents_total_unique_counts +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/48087 +rollout_issue_url: +milestone: '13.7' +type: development +group: group::monitor +default_enabled: false diff --git a/config/feature_flags/development/suggest_pipeline.yml b/config/feature_flags/development/usage_data_static_site_editor_commits.yml index 69c14e24303..a1d790b3505 100644 --- a/config/feature_flags/development/suggest_pipeline.yml +++ b/config/feature_flags/development/usage_data_static_site_editor_commits.yml 
@@ -1,8 +1,8 @@ --- -name: suggest_pipeline -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/45926 -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/267492 +name: usage_data_static_site_editor_commits +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/47309 +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/284082 milestone: '13.6' type: development -group: group::expansion -default_enabled: true +group: group::static_site_editor +default_enabled: false diff --git a/config/feature_flags/development/usage_data_static_site_editor_merge_requests.yml b/config/feature_flags/development/usage_data_static_site_editor_merge_requests.yml new file mode 100644 index 00000000000..b68e4d12915 --- /dev/null +++ b/config/feature_flags/development/usage_data_static_site_editor_merge_requests.yml @@ -0,0 +1,8 @@ +--- +name: usage_data_static_site_editor_merge_requests +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/47309 +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/284083 +milestone: '13.6' +type: development +group: group::static_site_editor +default_enabled: false diff --git a/config/feature_flags/development/codequality_mr_diff.yml b/config/feature_flags/development/user_search_secondary_email.yml index ca6846b9390..65e0fd8ce97 100644 --- a/config/feature_flags/development/codequality_mr_diff.yml +++ b/config/feature_flags/development/user_search_secondary_email.yml @@ -1,8 +1,8 @@ --- -name: codequality_mr_diff -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/47938 -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/284140 +name: user_search_secondary_email +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/47587 +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/282137 milestone: '13.7' type: development -group: group::testing +group: group::access default_enabled: false 
diff --git a/config/feature_flags/development/zip_pages_deployments.yml b/config/feature_flags/development/zip_pages_deployments.yml deleted file mode 100644 index 34aa5c03fdc..00000000000 --- a/config/feature_flags/development/zip_pages_deployments.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -name: zip_pages_deployments -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/42834 -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/245308 -milestone: '13.5' -type: development -group: group::release management -default_enabled: true diff --git a/config/feature_flags/ops/product_analytics_tracking.yml b/config/feature_flags/ops/product_analytics_tracking.yml new file mode 100644 index 00000000000..82635ad0640 --- /dev/null +++ b/config/feature_flags/ops/product_analytics_tracking.yml @@ -0,0 +1,8 @@ +--- +name: product_analytics_tracking +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/46482 +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/285519 +milestone: '13.7' +type: ops +group: group::product analytics +default_enabled: false diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb index 022f372a608..723937c5987 100644 --- a/config/initializers/1_settings.rb +++ b/config/initializers/1_settings.rb 
@@ -532,6 +532,9 @@ Settings.cron_jobs['member_invitation_reminder_emails_worker']['job_class'] = 'M Settings.cron_jobs['schedule_merge_request_cleanup_refs_worker'] ||= Settingslogic.new({}) Settings.cron_jobs['schedule_merge_request_cleanup_refs_worker']['cron'] ||= '* * * * *' Settings.cron_jobs['schedule_merge_request_cleanup_refs_worker']['job_class'] = 'ScheduleMergeRequestCleanupRefsWorker' +Settings.cron_jobs['manage_evidence_worker'] ||= Settingslogic.new({}) +Settings.cron_jobs['manage_evidence_worker']['cron'] ||= '0 * * * *' +Settings.cron_jobs['manage_evidence_worker']['job_class'] = 'Releases::ManageEvidenceWorker' Gitlab.ee do Settings.cron_jobs['active_user_count_threshold_worker'] ||= Settingslogic.new({}) diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb index 58bf3f6013c..6cc4fe25765 100644 --- a/config/initializers/rack_attack.rb +++ b/config/initializers/rack_attack.rb 
@@ -1,191 +1,3 @@ # frozen_string_literal: true -# Specs for this file can be found on: -# * spec/lib/gitlab/throttle_spec.rb -# * spec/requests/rack_attack_global_spec.rb -module Gitlab::Throttle - def self.settings - Gitlab::CurrentSettings.current_application_settings - end - - # Returns true if we should use the Admin Area protected paths throttle - def self.protected_paths_enabled? - self.settings.throttle_protected_paths_enabled? - end - - def self.omnibus_protected_paths_present? - Rack::Attack.throttles.key?('protected paths') - end - - def self.bypass_header - env_value = ENV['GITLAB_THROTTLE_BYPASS_HEADER'] - return unless env_value.present? - - "HTTP_#{env_value.upcase.tr('-', '_')}" - end - - def self.unauthenticated_options - limit_proc = proc { |req| settings.throttle_unauthenticated_requests_per_period } - period_proc = proc { |req| settings.throttle_unauthenticated_period_in_seconds.seconds } - { limit: limit_proc, period: period_proc } - end - - def self.authenticated_api_options - limit_proc = proc { |req| settings.throttle_authenticated_api_requests_per_period } - period_proc = proc { |req| settings.throttle_authenticated_api_period_in_seconds.seconds } - { limit: limit_proc, period: period_proc } - end - - def self.authenticated_web_options - limit_proc = proc { |req| settings.throttle_authenticated_web_requests_per_period } - period_proc = proc { |req| settings.throttle_authenticated_web_period_in_seconds.seconds } - { limit: limit_proc, period: period_proc } - end - - def self.protected_paths_options - limit_proc = proc { |req| settings.throttle_protected_paths_requests_per_period } - period_proc = proc { |req| settings.throttle_protected_paths_period_in_seconds.seconds } - - { limit: limit_proc, period: period_proc } - end -end - -class Rack::Attack - # Order conditions by how expensive they are: - # 1. 
The most expensive is the `req.unauthenticated?` and - # `req.authenticated_user_id` as it performs an expensive - # DB/Redis query to validate the request - # 2. Slightly less expensive is the need to query DB/Redis - # to unmarshal settings (`Gitlab::Throttle.settings`) - # - # We deliberately skip `/-/health|liveness|readiness` - # from Rack Attack as they need to always be accessible - # by Load Balancer and additional measure is implemented - # (token and whitelisting) to prevent abuse. - throttle('throttle_unauthenticated', Gitlab::Throttle.unauthenticated_options) do |req| - if !req.should_be_skipped? && - Gitlab::Throttle.settings.throttle_unauthenticated_enabled && - req.unauthenticated? - req.ip - end - end - - throttle('throttle_authenticated_api', Gitlab::Throttle.authenticated_api_options) do |req| - if req.api_request? && - Gitlab::Throttle.settings.throttle_authenticated_api_enabled - req.authenticated_user_id([:api]) - end - end - - # Product analytics feature is in experimental stage. - # At this point we want to limit amount of events registered - # per application (aid stands for application id). - throttle('throttle_product_analytics_collector', limit: 100, period: 60) do |req| - if req.product_analytics_collector_request? - req.params['aid'] - end - end - - throttle('throttle_authenticated_web', Gitlab::Throttle.authenticated_web_options) do |req| - if req.web_request? && - Gitlab::Throttle.settings.throttle_authenticated_web_enabled - req.authenticated_user_id([:api, :rss, :ics]) - end - end - - throttle('throttle_unauthenticated_protected_paths', Gitlab::Throttle.protected_paths_options) do |req| - if req.post? && - !req.should_be_skipped? && - req.protected_path? && - Gitlab::Throttle.protected_paths_enabled? && - req.unauthenticated? - req.ip - end - end - - throttle('throttle_authenticated_protected_paths_api', Gitlab::Throttle.protected_paths_options) do |req| - if req.post? && - req.api_request? && - req.protected_path? 
&& - Gitlab::Throttle.protected_paths_enabled? - req.authenticated_user_id([:api]) - end - end - - throttle('throttle_authenticated_protected_paths_web', Gitlab::Throttle.protected_paths_options) do |req| - if req.post? && - req.web_request? && - req.protected_path? && - Gitlab::Throttle.protected_paths_enabled? - req.authenticated_user_id([:api, :rss, :ics]) - end - end - - safelist('throttle_bypass_header') do |req| - Gitlab::Throttle.bypass_header.present? && - req.get_header(Gitlab::Throttle.bypass_header) == '1' - end - - class Request - def unauthenticated? - !(authenticated_user_id([:api, :rss, :ics]) || authenticated_runner_id) - end - - def authenticated_user_id(request_formats) - request_authenticator.user(request_formats)&.id - end - - def authenticated_runner_id - request_authenticator.runner&.id - end - - def api_request? - path.start_with?('/api') - end - - def api_internal_request? - path =~ %r{^/api/v\d+/internal/} - end - - def health_check_request? - path =~ %r{^/-/(health|liveness|readiness)} - end - - def product_analytics_collector_request? - path.start_with?('/-/collector/i') - end - - def should_be_skipped? - api_internal_request? || health_check_request? - end - - def web_request? - !api_request? && !health_check_request? - end - - def protected_path? - !protected_path_regex.nil? - end - - def protected_path_regex - path =~ protected_paths_regex - end - - private - - def request_authenticator - @request_authenticator ||= Gitlab::Auth::RequestAuthenticator.new(self) - end - - def protected_paths - Gitlab::CurrentSettings.current_application_settings.protected_paths - end - - def protected_paths_regex - Regexp.union(protected_paths.map { |path| /\A#{Regexp.escape(path)}/ }) - end - end -end - -::Rack::Attack.extend_if_ee('::EE::Gitlab::Rack::Attack') -::Rack::Attack::Request.prepend_if_ee('::EE::Gitlab::Rack::Attack::Request') +Gitlab::RackAttack.configure(::Rack::Attack) 
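Review bot: With the initializer reduced to `Gitlab::RackAttack.configure(::Rack::Attack)`, the file no longer says where the throttles, the `throttle_bypass_header` safelist or their specs live; the removed header pointed at `spec/lib/gitlab/throttle_spec.rb` and `spec/requests/rack_attack_global_spec.rb`. A short comment above the call naming the file that now defines the rules, and the specs that cover it, would keep that pointer for whoever audits rate limiting next. The removed `extend_if_ee` / `prepend_if_ee` lines also have no counterpart here; presumably `configure` applies the EE extensions, but that code is outside this diff (limited to `config`), so it is worth confirming that they are still applied and that the bypass-header safelist and the health-check skip were carried over unchanged.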
diff --git a/config/initializers/rack_attack_logging.rb b/config/initializers/rack_attack_logging.rb index e89c6b1b794..7b0a8f0d7dd 100644 --- a/config/initializers/rack_attack_logging.rb +++ b/config/initializers/rack_attack_logging.rb @@ -6,7 +6,7 @@ ActiveSupport::Notifications.subscribe(/rack_attack/) do |name, start, finish, r req = payload[:request] case req.env['rack.attack.match_type'] - when :throttle, :blocklist + when :throttle, :blocklist, :track rack_attack_info = { message: 'Rack_Attack', env: req.env['rack.attack.match_type'], diff --git a/config/object_store_settings.rb b/config/object_store_settings.rb index 767fcd7579c..7ac2559073e 100644 --- a/config/object_store_settings.rb +++ b/config/object_store_settings.rb @@ -3,6 +3,13 @@ class ObjectStoreSettings SUPPORTED_TYPES = %w(artifacts external_diffs lfs uploads packages dependency_proxy terraform_state pages).freeze ALLOWED_OBJECT_STORE_OVERRIDES = %w(bucket enabled proxy_download).freeze + # To ensure the one Workhorse credential matches the Rails config, we + # enforce consolidated settings on those accelerated + # endpoints. Technically dependency_proxy and terraform_state fall + # into this category, but they will likely be handled by Workhorse in + # the future. + WORKHORSE_ACCELERATED_TYPES = SUPPORTED_TYPES - %w(pages) + # pages may be enabled but use legacy disk storage # we don't need to raise an error in that case ALLOWED_INCOMPLETE_TYPES = %w(pages).freeze @@ -123,6 +130,10 @@ class ObjectStoreSettings missing_bucket_for(store_type) end + # If a storage type such as Pages defines its own connection and does not + # use Workhorse acceleration, we allow it to override the consolidated form. + next if allowed_storage_specific_settings?(store_type, section.to_h) + # Map bucket (external name) -> remote_directory (internal representation) target_config['remote_directory'] = target_config.delete('bucket') target_config['consolidated_settings'] = true 
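Review bot: Adding `:track` to the `when` list means requests that Rack::Attack only tracks, and still serves, are now logged under the same `message: 'Rack_Attack'` as throttled and blocklisted requests. The `env:` field carries the match type, so alerts or dashboards keyed on the message alone will start counting allowed requests as rejections. A comment on the branch such as `# :track matches are logged for visibility only; the request is not rejected, so filter on env when alerting` would make that explicit. The subscribe block continues past the end of the hunk, so the rest of the logged payload is not visible here.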
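Review bot: The comment on `WORKHORSE_ACCELERATED_TYPES` is ambiguous about `dependency_proxy` and `terraform_state`: "fall into this category" can be read as either "are accelerated" or "are not accelerated, like pages", and the next clause says Workhorse will only handle them in the future. Since `SUPPORTED_TYPES - %w(pages)` keeps both in the list, they are held to the consolidated connection, and that decision determines which storage types may carry their own credentials. If the intent is what the code does, wording like `# dependency_proxy and terraform_state are not accelerated by Workhorse yet; they are kept in this list because they are expected to be` would remove the doubt.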
@@ -139,7 +150,7 @@ class ObjectStoreSettings return false unless settings.dig('object_store', 'enabled') return false unless settings.dig('object_store', 'connection').present? - SUPPORTED_TYPES.each do |store| + WORKHORSE_ACCELERATED_TYPES.each do |store| # to_h is needed because something strange happens to # Settingslogic#dig when stub_storage_settings is run in tests: # @@ -168,4 +179,15 @@ class ObjectStoreSettings raise message end end + + def allowed_storage_specific_settings?(store_type, section) + return false if WORKHORSE_ACCELERATED_TYPES.include?(store_type) + + has_object_store_configured?(section) + end + + def has_object_store_configured?(section) + # Omnibus defaults to an empty hash for connection + section.dig('object_store', 'enabled') && section.dig('object_store', 'connection').present? + end end diff --git a/config/sidekiq_queues.yml b/config/sidekiq_queues.yml index 2c1bb3c75e1..e4b601bc006 100644 --- a/config/sidekiq_queues.yml +++ b/config/sidekiq_queues.yml @@ -32,6 +32,8 @@ - 1 - - analytics_instance_statistics_counter_job - 1 +- - approve_blocked_users + - 1 - - authorized_keys - 2 - - authorized_project_update @@ -58,8 +60,6 @@ - 1 - - create_commit_signature - 2 -- - create_evidence - - 2 - - create_github_webhook - 2 - - create_note_diff_file @@ -94,6 +94,8 @@ - 1 - - disallow_two_factor_for_subgroups - 1 +- - elastic_association_indexer + - 1 - - elastic_commit_indexer - 1 - - elastic_delete_project @@ -250,6 +252,8 @@ - 1 - - project_service - 1 +- - project_template_export + - 1 - - project_update_repository_storage - 1 - - prometheus_create_default_alerts @@ -290,6 +294,8 @@ - 1 - - repository_update_remote_mirror - 1 +- - requirements_management_import_requirements_csv + - 1 - - requirements_management_process_requirements_reports - 1 - - security_scans |
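Review bot: `has_object_store_configured?` repeats the same two conditions that the context lines of the previous hunk test with `return false unless settings.dig('object_store', 'enabled')` and `return false unless settings.dig('object_store', 'connection').present?`; calling the new helper from that method as well would keep the two checks from drifting apart. The predicate can also return `nil` instead of `false` when `enabled` is missing, which is harmless under `next if` but surprising for a `?` method. `allowed_storage_specific_settings?` would benefit from a one-line comment stating that a non-accelerated type with its own enabled connection is left out of the consolidated settings and therefore uses its own credentials. Whether these methods sit under `private` is not visible in the hunk.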