Add latest changes from gitlab-org/gitlab@master

GitLab Bot 2022-02-07 21:18:28 +00:00
parent 6a7fcb14aa
commit 2001877ccc
12 changed files with 136 additions and 66 deletions

View File

@ -1 +1 @@
6a00f3acce45365ac71798296667385efe8a72bc
269b04ae5248eea05fe2d6ca02e33fdd3f6cee76

View File

@ -408,8 +408,6 @@ export default {
<gl-button
v-if="isEmptyStateModal"
variant="confirm"
category="secondary"
:data-track-action="$options.EVENT_ACTIONS_CLICK"
:data-track-label="$options.EVENT_LABEL_MODAL"
data-track-property="done"

View File

@ -18,7 +18,7 @@ class Projects::RefsController < Projects::ApplicationController
respond_to do |format|
format.html do
new_path =
case params[:destination]
case permitted_params[:destination]
when "tree"
project_tree_path(@project, @id)
when "blob"
@ -45,7 +45,7 @@ class Projects::RefsController < Projects::ApplicationController
def logs_tree
tree_summary = ::Gitlab::TreeSummary.new(
@commit, @project, current_user,
path: @path, offset: params[:offset], limit: 25)
path: @path, offset: permitted_params[:offset], limit: 25)
respond_to do |format|
format.html { render_404 }
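Review bot: `offset: permitted_params[:offset]` in `logs_tree` still passes an unconverted string to `::Gitlab::TreeSummary.new`. `permit(:offset)` filters out hashes and arrays, which is the case the new spec exercises, but a non-numeric or negative string goes through unchanged. Coerce and bound the value in the controller, or state in a comment that `TreeSummary` is responsible for it.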
@ -62,6 +62,10 @@ class Projects::RefsController < Projects::ApplicationController
private
def validate_ref_id
return not_found if params[:id].present? && params[:id] !~ Gitlab::PathRegex.git_reference_regex
return not_found if permitted_params[:id].present? && permitted_params[:id] !~ Gitlab::PathRegex.git_reference_regex
end
def permitted_params
params.permit(:id, :offset, :destination)
end
end
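Review bot: `permitted_params` runs `params.permit(:id, :offset, :destination)` on every call, and `validate_ref_id` calls it twice in a single line. Memoize it, for example `@permitted_params ||= params.permit(:id, :offset, :destination)`, so each request filters once. A one-line comment saying that the method exists to drop non-scalar values for these three keys would also help the next reader, since nothing in the method name says so.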

View File

@ -0,0 +1,20 @@
- name: "Container Network and Host Security"
announcement_milestone: "14.8"
announcement_date: "2022-02-22"
removal_milestone: "15.0"
removal_date: "2022-05-22"
breaking_change: true
reporter: sam.white
body: | # Do not modify this line, instead modify the lines below.
All functionality related to GitLab's Container Network Security and Container Host Security categories is deprecated in GitLab 14.8 and scheduled for removal in GitLab 15.0. Users who need a replacement for this functionality are encouraged to evaluate the following open source projects as potential solutions that can be installed and managed outside of GitLab: [AppArmor](https://gitlab.com/apparmor/apparmor), [Cilium](https://github.com/cilium/cilium), [Falco](https://github.com/falcosecurity/falco), [FluentD](https://github.com/fluent/fluentd), [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/). To integrate these technologies into GitLab, add the desired Helm charts into your copy of the [Cluster Management Project Template](https://docs.gitlab.com/ee/user/clusters/management_project_template.html). Deploy these Helm charts in production by calling commands through the GitLab [Secure CI/CD Tunnel](https://docs.gitlab.com/ee/user/clusters/agent/repository.html#run-kubectl-commands-using-the-cicd-tunnel).
As part of this change, the following specific capabilities within GitLab are now deprecated, and are scheduled for removal in GitLab 15.0:
- The **Security & Compliance > Threat Monitoring** page.
- The `Network Policy` security policy type, as found on the **Security & Compliance > Policies** page.
- The ability to manage integrations with the following technologies through GitLab: AppArmor, Cilium, Falco, FluentD, and Pod Security Policies.
- All APIs related to the above functionality.
For additional context, or to provide feedback regarding this change, please reference our open [deprecation issue](https://gitlab.com/groups/gitlab-org/-/epics/7476).
# The following items are not published on the docs page, but may be used in the future.
stage: "Protect"
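Review bot: the `body` recommends Pod Security Admission as a replacement, while the list of removed integrations names Pod Security Policies. Add a clause that connects the two so readers do not take it for a typo. The first paragraph of `body` is also a single very long line carrying five links and two instructions; breaking it into a short list of replacement projects followed by the Helm and CI/CD Tunnel steps would make the rendered deprecation notice easier to act on.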

View File

@ -662,14 +662,14 @@ configurable in future releases.
The Registry server listens on localhost at port `5000` by default,
which is the address for which the Registry server should accept connections.
In the examples below we set the Registry's port to `5001`.
In the examples below we set the Registry's port to `5010`.
**Omnibus GitLab**
1. Open `/etc/gitlab/gitlab.rb` and set `registry['registry_http_addr']`:
```ruby
registry['registry_http_addr'] = "localhost:5001"
registry['registry_http_addr'] = "localhost:5010"
```
1. Save the file and [reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure) for the changes to take effect.
@ -681,7 +681,7 @@ In the examples below we set the Registry's port to `5001`.
```yaml
http:
addr: localhost:5001
addr: localhost:5010
```
1. Save the file and restart the Registry server.

View File

@ -13,41 +13,6 @@ info: To determine the technical writer assigned to the Stage/Group associated w
Every API call to merge requests must be authenticated.
**Important notes:**
- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/29984) in GitLab 12.8, the mergeability (`merge_status`)
of each merge request is checked asynchronously when a request is made to this endpoint. Poll this API endpoint
to get updated status. This affects the `has_conflicts` property as it is dependent on the `merge_status`. It returns
`false` unless `merge_status` is `cannot_be_merged`.
- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/31890) in GitLab 13.0, listing merge requests may
not proactively update `merge_status` (which also affects the `has_conflicts`), as this can be an expensive operation.
If you need the value of these fields from this endpoint, set the `with_merge_status_recheck` parameter to
`true` in the query.
- `references.relative` is relative to the group or project that the merge request is being requested. When the merge request
is fetched from its project, `relative` format would be the same as `short` format, and when requested across groups or projects, it is expected to be the same as `full` format.
- If `approvals_before_merge` is not provided, it inherits the value from the target project. If provided, the following conditions must hold for it to take effect:
- The target project's `approvals_before_merge` must be greater than zero. A
value of zero disables approvals for that project.
- The provided value of `approvals_before_merge` must be greater than the
target project's `approvals_before_merge`.
This API returns `HTTP 201 Created` for a successful response.
- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/46190) in GitLab 13.6,
diffs associated with the set of changes have the same size limitations applied as other diffs
returned by the API or viewed via the UI. When these limits impact the results, the `overflow`
field contains a value of `true`. Diff data without these limits applied can be retrieved by
adding the `access_raw_diffs` parameter, accessing diffs not from the database but from Gitaly directly.
This approach is generally slower and more resource-intensive, but isn't subject to size limits
placed on database-backed diffs. [Limits inherent to Gitaly](../development/diffs.md#diff-limits)
still apply.
- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/349031) in GitLab 14.7,
field `merge_user` can be either user who merged this merge request,
user who set it to merge when pipeline succeeds or `null`.
Field `merged_by` (user who merged this merge request or `null`) has been deprecated.
## List merge requests
Get all merge requests the authenticated user has access to. By
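Review bot: in the removed "Important notes" block, the sentence "This API returns `HTTP 201 Created` for a successful response." does not reappear in any of the relocated notes visible in this diff. If it described the `POST /projects/:id/merge_requests` endpoint, move it next to the `approvals_before_merge` conditions added there rather than dropping it.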
@ -241,6 +206,14 @@ the `approvals_before_merge` parameter:
]
```
### Merge requests list response notes
- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/31890) in GitLab 13.0, listing merge requests may
not proactively update `merge_status` (which also affects the `has_conflicts`), as this can be an expensive operation.
If you need the value of these fields from this endpoint, set the `with_merge_status_recheck` parameter to
`true` in the query.
- For notes on merge request object fields, read [Single merge request response notes](#single-merge-request-response-notes).
## List project merge requests
Get all merge requests for this project.
@ -421,16 +394,6 @@ Parameters:
]
```
The `merge_status` field may hold one of the following values:
| Value | Interpretation |
|----------------------------|-----------------------------------------------------------------------|
| `unchecked` | We have not checked this yet |
| `checking` | We are currently checking if the merge request can be merged |
| `can_be_merged` | This merge request can be merged without conflict |
| `cannot_be_merged` | There are merge conflicts between the source and target branches |
| `cannot_be_merged_recheck` | Currently unchecked. Before the current changes, there were conflicts |
Users on [GitLab Premium or higher](https://about.gitlab.com/pricing/) also see
the `approvals_before_merge` parameter:
@ -445,6 +408,8 @@ the `approvals_before_merge` parameter:
]
```
For important notes on response data, read [Merge requests list response notes](#merge-requests-list-response-notes).
## List group merge requests
Get all merge requests for this group and its subgroups.
@ -627,6 +592,8 @@ the `approvals_before_merge` parameter:
]
```
For important notes on response data, read [Merge requests list response notes](#merge-requests-list-response-notes).
## Get single MR
Shows information about a single merge request.
@ -805,7 +772,26 @@ the `approvals_before_merge` parameter:
}
```
The `diff_refs` in the response correspond to the latest diff version of the merge request.
### Single merge request response notes
- The `merge_status` field may hold one of the following values:
- `unchecked`: We have not checked this yet.
- `checking`: We are currently checking if the merge request can be merged.
- `can_be_merged`: This merge request can be merged without conflict.
- `cannot_be_merged`: There are merge conflicts between the source and target branches.
- `cannot_be_merged_recheck`: Currently unchecked. Before the current changes, there were conflicts.
- The `diff_refs` in the response correspond to the latest diff version of the merge request.
- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/29984) in GitLab 12.8, the mergeability (`merge_status`)
of each merge request is checked asynchronously when a request is made to this endpoint. Poll this API endpoint
to get updated status. This affects the `has_conflicts` property as it is dependent on the `merge_status`. It returns
`false` unless `merge_status` is `cannot_be_merged`.
- `references.relative` is relative to the group or project that the merge request is being requested. When the merge
request is fetched from its project, `relative` format would be the same as `short` format, and when requested across
groups or projects, it is expected to be the same as `full` format.
- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/349031) in GitLab 14.7,
field `merge_user` can be either user who merged this merge request,
user who set it to merge when pipeline succeeds or `null`.
Field `merged_by` (user who merged this merge request or `null`) has been deprecated.
## Get single MR participants
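Review bot: under "Single merge request response notes", the 12.8 bullet still says "when a request is made to this endpoint" and "Poll this API endpoint". The section is now linked from the create, update, merge, rebase and other endpoints, so "this endpoint" no longer identifies anything. Name the endpoint explicitly (the one under "Get single MR"), and apply the same fix to "from this endpoint" in "Merge requests list response notes".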
@ -885,6 +871,15 @@ Parameters:
Shows information about the merge request including its files and changes.
[Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/46190) in GitLab 13.6,
diffs associated with the set of changes have the same size limitations applied as other diffs
returned by the API or viewed via the UI. When these limits impact the results, the `overflow`
field contains a value of `true`. Diff data without these limits applied can be retrieved by
adding the `access_raw_diffs` parameter, accessing diffs not from the database but from Gitaly directly.
This approach is generally slower and more resource-intensive, but isn't subject to size limits
placed on database-backed diffs. [Limits inherent to Gitaly](../development/diffs.md#diff-limits)
still apply.
```plaintext
GET /projects/:id/merge_requests/:merge_request_iid/changes
```
@ -1117,8 +1112,16 @@ POST /projects/:id/merge_requests
| `remove_source_branch` | boolean | no | Flag indicating if a merge request should remove the source branch when merging. |
| `allow_collaboration` | boolean | no | Allow commits from members who can merge to the target branch. |
| `allow_maintainer_to_push` | boolean | no | Alias of `allow_collaboration`. |
| `approvals_before_merge` **(PREMIUM)** | integer | no | Number of approvals required before this can be merged (see below). |
| `squash` | boolean | no | Squash commits into a single commit when merging. |
If `approvals_before_merge` is not provided, it inherits the value from the target project. If provided, the following conditions must hold for it to take effect:
- The target project's `approvals_before_merge` must be greater than zero. A
value of zero disables approvals for that project.
- The provided value of `approvals_before_merge` must be greater than the
target project's `approvals_before_merge`.
```json
{
"id": 1,
@ -1251,6 +1254,8 @@ the `approvals_before_merge` parameter:
}
```
For important notes on response data, read [Single merge request response notes](#single-merge-request-response-notes).
## Update MR
Updates an existing merge request. You can change the target branch, title, or even close the MR.
@ -1430,6 +1435,8 @@ the `approvals_before_merge` parameter:
}
```
For important notes on response data, read [Single merge request response notes](#single-merge-request-response-notes).
## Delete a merge request
Only for administrators and project owners. Deletes the merge request in question.
@ -1624,6 +1631,8 @@ the `approvals_before_merge` parameter:
}
```
For important notes on response data, read [Single merge request response notes](#single-merge-request-response-notes).
## Merge to default merge ref path
Merge the changes between the merge request source and target branches into `refs/merge-requests/:iid/merge`
@ -1821,6 +1830,8 @@ the `approvals_before_merge` parameter:
}
```
For important notes on response data, read [Single merge request response notes](#single-merge-request-response-notes).
## Rebase a merge request
Automatically rebase the `source_branch` of the merge request against its
@ -2130,6 +2141,8 @@ the `approvals_before_merge` parameter:
}
```
For important notes on response data, read [Single merge request response notes](#single-merge-request-response-notes).
## Unsubscribe from a merge request
Unsubscribes the authenticated user from a merge request to not receive
@ -2298,6 +2311,8 @@ the `approvals_before_merge` parameter:
}
```
For important notes on response data, read [Single merge request response notes](#single-merge-request-response-notes).
## Create a to-do item
Manually creates a to-do item for the current user on a merge request.

View File

@ -1258,7 +1258,6 @@ POST /projects
| `requirements_access_level` | string | **{dotted-circle}** No | One of `disabled`, `private`, `enabled` or `public` |
| `resolve_outdated_diff_discussions` | boolean | **{dotted-circle}** No | Automatically resolve merge request diffs discussions on lines changed with a push. |
| `shared_runners_enabled` | boolean | **{dotted-circle}** No | Enable shared runners for this project. |
| `show_default_award_emojis` | boolean | **{dotted-circle}** No | Show default award emojis. |
| `snippets_access_level` | string | **{dotted-circle}** No | One of `disabled`, `private`, or `enabled`. |
| `snippets_enabled` | boolean | **{dotted-circle}** No | _(Deprecated)_ Enable snippets for this project. Use `snippets_access_level` instead. |
| `squash_option` | string | **{dotted-circle}** No | One of `never`, `always`, `default_on`, or `default_off`. |
@ -1336,7 +1335,6 @@ POST /projects/user/:user_id
| `requirements_access_level` | string | **{dotted-circle}** No | One of `disabled`, `private`, `enabled` or `public` |
| `resolve_outdated_diff_discussions` | boolean | **{dotted-circle}** No | Automatically resolve merge request diffs discussions on lines changed with a push. |
| `shared_runners_enabled` | boolean | **{dotted-circle}** No | Enable shared runners for this project. |
| `show_default_award_emojis` | boolean | **{dotted-circle}** No | Show default award emojis. |
| `snippets_access_level` | string | **{dotted-circle}** No | One of `disabled`, `private`, or `enabled`. |
| `snippets_enabled` | boolean | **{dotted-circle}** No | _(Deprecated)_ Enable snippets for this project. Use `snippets_access_level` instead. |
| `squash_commit_template` | string | **{dotted-circle}** No | [Template](../user/project/merge_requests/commit_templates.md) used to create squash commit message in merge requests. _([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345275) in GitLab 14.6.)_ |
@ -1437,7 +1435,6 @@ Supported attributes:
| `restrict_user_defined_variables` | boolean | **{dotted-circle}** No | Allow only users with the Maintainer role to pass user-defined variables when triggering a pipeline. For example when the pipeline is triggered in the UI, with the API, or by a trigger token. |
| `service_desk_enabled` | boolean | **{dotted-circle}** No | Enable or disable Service Desk feature. |
| `shared_runners_enabled` | boolean | **{dotted-circle}** No | Enable shared runners for this project. |
| `show_default_award_emojis` | boolean | **{dotted-circle}** No | Show default award emojis. |
| `snippets_access_level` | string | **{dotted-circle}** No | One of `disabled`, `private`, or `enabled`. |
| `snippets_enabled` | boolean | **{dotted-circle}** No | _(Deprecated)_ Enable snippets for this project. Use `snippets_access_level` instead. |
| `squash_commit_template` | string | **{dotted-circle}** No | [Template](../user/project/merge_requests/commit_templates.md) used to create squash commit message in merge requests. _([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345275) in GitLab 14.6.)_ |

View File

@ -89,20 +89,23 @@ replaced by a mock implementation. Furthermore, the presence of a
shared disk, both in CI and in local development, often hides broken
implementations until we deploy on an HA environment.
Shipping MinIO as part of the product will reduce the differences
One consideration we can take is to investigate shipping MinIO as part of the product. This could reduce the differences
between a cloud and a local installation, standardizing our file
storage on a single technology.
The removal of local disk operations will reduce the complexity of
The removal of local disk operations would reduce the complexity of
development as well as mitigate several security attack vectors as
we no longer write user-provided data on the local storage.
It will also reduce human errors as we will always run a local object
It would also reduce human errors as we will always run a local object
storage in development mode and any local file disk access should
raise a red flag during the merge request review.
This effort is described in [this epic](https://gitlab.com/groups/gitlab-org/-/epics/6099).
Before considering any specific third-party technology, the
open source software licensing implications should be considered. As of 23 April 2021, [MinIO is subject to the AGPL v3 license](https://github.com/minio/minio/commit/069432566fcfac1f1053677cc925ddafd750730a). GitLab Legal must be consulted before any decision is taken to ship MinIO as proposed in this blueprint.
### Enable direct upload by default on every upload
Because every group of features requires its own bucket, we don't have

View File

@ -101,7 +101,9 @@ EE: true
- _Any_ contribution from a community member, no matter how small, **may** have
a changelog entry regardless of these guidelines if the contributor wants one.
- Any [GLEX experiment](experiment_guide/gitlab_experiment.md) changes **should not** have a changelog entry.
- [Modifying](feature_flags/#changelog) a feature flag (flag removal, default-on setting).
For more information, see
[how to handle changelog entries with feature flags](feature_flags/index.md#changelog).
## Writing good changelog entries

View File

@ -727,6 +727,27 @@ The `merged_by` field in the [merge request API](https://docs.gitlab.com/ee/api/
## 14.8
### Container Network and Host Security
WARNING:
This feature will be changed or removed in 15.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
All functionality related to GitLab's Container Network Security and Container Host Security categories is deprecated in GitLab 14.8 and scheduled for removal in GitLab 15.0. Users who need a replacement for this functionality are encouraged to evaluate the following open source projects as potential solutions that can be installed and managed outside of GitLab: [AppArmor](https://gitlab.com/apparmor/apparmor), [Cilium](https://github.com/cilium/cilium), [Falco](https://github.com/falcosecurity/falco), [FluentD](https://github.com/fluent/fluentd), [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/). To integrate these technologies into GitLab, add the desired Helm charts into your copy of the [Cluster Management Project Template](https://docs.gitlab.com/ee/user/clusters/management_project_template.html). Deploy these Helm charts in production by calling commands through the GitLab [Secure CI/CD Tunnel](https://docs.gitlab.com/ee/user/clusters/agent/repository.html#run-kubectl-commands-using-the-cicd-tunnel).
As part of this change, the following specific capabilities within GitLab are now deprecated, and are scheduled for removal in GitLab 15.0:
- The **Security & Compliance > Threat Monitoring** page.
- The `Network Policy` security policy type, as found on the **Security & Compliance > Policies** page.
- The ability to manage integrations with the following technologies through GitLab: AppArmor, Cilium, Falco, FluentD, and Pod Security Policies.
- All APIs related to the above functionality.
For additional context, or to provide feedback regarding this change, please reference our open [deprecation issue](https://gitlab.com/groups/gitlab-org/-/epics/7476).
**Planned removal milestone: 15.0 (2022-05-22)**
### Deprecate Geo Admin UI Routes
In GitLab 13.0, we introduced new project and design replication details routes in the Geo Admin UI. These routes are `/admin/geo/replication/projects` and `/admin/geo/replication/designs`. We kept the legacy routes and redirected them to the new routes. In GitLab 15.0, we will remove support for the legacy routes `/admin/geo/projects` and `/admin/geo/designs`. Please update any bookmarks or scripts that may use the legacy routes.

View File

@ -55,6 +55,15 @@ RSpec.describe Projects::RefsController do
end
end
context 'when offset has an invalid format' do
it 'renders JSON' do
xhr_get(:json, offset: { wrong: :format })
expect(response).to be_successful
expect(json_response).to be_kind_of(Array)
end
end
context 'when json is requested' do
it 'renders JSON' do
expect(::Gitlab::GitalyClient).to receive(:allow_ref_name_caching).and_call_original
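Review bot: the example in `context 'when offset has an invalid format'` only asserts a successful response with an Array body, which does not show that the hash was filtered out before it reached `::Gitlab::TreeSummary`. Add an expectation on the arguments passed to `::Gitlab::TreeSummary.new`, and rename the example from 'renders JSON', which the following context already uses. `id` and `destination` go through the same `permit` call and have no equivalent example for a hash value.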

View File

@ -309,12 +309,13 @@ describe('InstallAgentModal', () => {
describe('when KAS is disabled', () => {
const i18n = I18N_AGENT_MODAL.empty_state;
beforeEach(() => {
beforeEach(async () => {
apolloProvider = createMockApollo([
[getAgentConfigurations, jest.fn().mockResolvedValue(kasDisabledErrorResponse)],
]);
return mockSelectedAgentResponse();
createWrapper();
await waitForPromises();
});
it('renders empty state image', () => {
@ -328,8 +329,8 @@ describe('InstallAgentModal', () => {
});
it('renders a cancel button', () => {
expect(findActionButton().isVisible()).toBe(true);
expect(findActionButton().text()).toBe(i18n.done);
expect(findCancelButton().isVisible()).toBe(true);
expect(findCancelButton().text()).toBe(i18n.done);
});
it("doesn't render a secondary button", () => {
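Review bot: in 'renders a cancel button', the assertions now use `findCancelButton()` but the expected text is still `i18n.done`. Either the example title or the finder name is misleading. Rename the example to describe the Done button in the KAS-disabled empty state, or use a finder whose name matches what the empty state renders, so a failure message points at the right element.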