Add latest changes from gitlab-org/gitlab@master

GitLab Bot 2025-05-21 06:14:27 +00:00
parent 65edff9059
commit 59354fc578
10 changed files with 99 additions and 29 deletions


@ -1 +1 @@
2039843d4917d0d6fba15ca9af9664f68949bdc4
b7b08437cea99e8346cc4ce9dd69e39e9468d0be


@ -1,14 +1,23 @@
import { addShortcutsExtension } from '~/behaviors/shortcuts';
import ShortcutsNavigation from '~/behaviors/shortcuts/shortcuts_navigation';
import initBoards from '~/boards';
import { ISSUE_WIT_FEEDBACK_BADGE } from '~/work_items/constants';
addShortcutsExtension(ShortcutsNavigation);
initBoards();
if (gon.features.workItemsViewPreference) {
let feedback = {};
if (gon.features.workItemViewForIssues) {
feedback = {
...ISSUE_WIT_FEEDBACK_BADGE,
};
}
if (gon.features.workItemsViewPreference || gon.features.workItemViewForIssues) {
import(/* webpackChunkName: 'work_items_feedback' */ '~/work_items_feedback')
.then(({ initWorkItemsFeedback }) => {
initWorkItemsFeedback();
initWorkItemsFeedback(feedback);
})
.catch({});
}
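Review bot: `.catch({})` at the end of the dynamic import chain passes an object rather than a function, so a failed load of the `work_items_feedback` chunk is not actually handled. The line looks like unchanged context, but the widened condition `gon.features.workItemsViewPreference || gon.features.workItemViewForIssues` sends more page loads through it. Use `.catch(() => {})` if the failure is meant to be ignored, or report the error instead. Separately, `initWorkItemsFeedback(feedback)` now receives `{}` rather than no argument when only `workItemsViewPreference` is on, so any default parameter in that function (not visible here) would no longer apply.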


@ -38,9 +38,12 @@ module Clusters
.where(project_id: project.id)
.joins(agent: :project)
.preload(agent: :project)
.where(cluster_agents: { projects: { namespace_id: namespace_ids } })
.with_available_ci_access_fields(project)
unless organization_agents_enabled?
query = query.where(cluster_agents: { projects: { namespace_id: namespace_ids } })
end
query = query.where(agent_id: agent.id) if agent
query.to_a
end
@ -64,7 +67,6 @@ module Clusters
.joins(cte_join_sources)
.joins(agent: :project)
.with_available_ci_access_fields(project)
.where(projects: { namespace_id: all_namespace_ids })
.order(
Arel.sql(
'agent_id, array_position(ARRAY(SELECT id FROM ordered_ancestors)::bigint[], ' \
@ -74,6 +76,7 @@ module Clusters
.select('DISTINCT ON (agent_id) agent_group_authorizations.*')
.preload(agent: :project)
query = query.where(projects: { namespace_id: all_namespace_ids }) unless organization_agents_enabled?
query = query.where(agent_id: agent.id) if agent
query.to_a
end
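Review bot: When `organization_agents_enabled?` is true, both queries drop the namespace filter and put nothing in its place, so the read path returns every authorization row for the project regardless of which organization the agent's configuration project belongs to. The organization boundary is then enforced only where rows are written, and a row that predates a project or agent moving between organizations would presumably stay effective until the agent's configuration is refreshed. Consider constraining the enabled branch too, for example `query = query.where(cluster_agents: { projects: { organization_id: project.organization_id } })` in the project query and the matching `projects: { organization_id: project.organization_id }` condition in the group query. Both method bodies start outside the hunks shown, and `organization_agents_enabled?` is defined elsewhere.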


@ -10,7 +10,7 @@ module Clusters
AUTHORIZED_ENTITY_LIMIT = 500
delegate :project, to: :agent, private: true
delegate :root_ancestor, to: :project, private: true
delegate :root_ancestor, :organization, to: :project, private: true
def initialize(agent, config:)
@agent = agent
@ -59,10 +59,8 @@ module Clusters
return unless organization_agents_enabled?
if organization_configuration
organization_id = agent.project.organization_id
agent.ci_access_organization_authorizations.upsert_all(
[{ agent_id: agent.id, organization_id: organization_id, config: organization_configuration }],
[{ agent_id: agent.id, organization_id: organization.id, config: organization_configuration }],
unique_by: [:agent_id]
)
else
@ -107,11 +105,17 @@ module Clusters
end
def allowed_projects
root_ancestor.all_projects
if organization_agents_enabled?
organization.projects
else
root_ancestor.all_projects
end
end
def allowed_groups
if group_root_ancestor?
if organization_agents_enabled?
organization.groups
elsif group_root_ancestor?
root_ancestor.self_and_descendants
else
::Group.none
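Review bot: `allowed_projects` and `allowed_groups` widen the authorizable scope from the root ancestor to the whole organization without any comment stating the new trust boundary. Because the `organization_agents_enabled?` branch comes before `elsif group_root_ancestor?`, an agent whose configuration project sits in a user namespace can also authorize groups once the setting is on, where it previously got `::Group.none`. If that is intended, say so above each method, for example `# With instance-level authorization enabled, any project or group in the agent's organization may be authorized.` The bodies of both methods and the definition of `organization_agents_enabled?` extend outside the hunk.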


@ -11,7 +11,7 @@
= render_if_exists 'admin/application_settings/cluster_agents_receptive_enabled', form: f
.form-group
- help_text = s_('ClusterAgents|Allow configuring agents to be authorized for the entire instance.')
- help_text = s_('ClusterAgents|Allow configuring agents to be authorized for the entire instance and across top level groups.')
- help_link = link_to _('Learn more.'), help_page_path('user/clusters/agent/ci_cd_workflow.md', anchor: 'authorize-all-projects-in-your-gitlab-instance-to-access-the-agent'), target: '_blank', rel: 'noopener noreferrer'
= f.gitlab_ui_checkbox_component :organization_cluster_agent_authorization_enabled, s_('ClusterAgents|Enable instance level authorization'),
help_text: '%{help_text} %{help_link}'.html_safe % { help_text: help_text, help_link: help_link }


@ -24,9 +24,9 @@ for a milestone when:
Documentation is not typically required when a **backend feature** is added or changed.
## Branch naming
## Pipelines and branch naming
The [CI/CD pipeline for the main GitLab project](../pipelines/_index.md) is configured to
The [CI/CD pipelines for the `gitlab` and `gitlab-runner` projects](../pipelines/_index.md) are configured to
run shorter, faster pipelines on merge requests that contain only documentation changes.
If you submit documentation-only changes to Omnibus, Charts, or Operator,
@ -38,6 +38,17 @@ to make the shorter pipeline run, you must follow these guidelines when naming y
| Starting with `docs-` | `docs-update-api-issues` |
| Ending in `-docs` | `123-update-api-issues-docs` |
Additionally, changes to these files in the `gitlab` project automatically trigger a long pipeline
because some code tests use these files as examples:
- `doc/_index.md`
- `doc/api/settings.md`
When you edit these pages, the long pipeline appears the same as in a code MR,
but you do not need any additional approvals. If the `pre-merge-checks` job fails on merge with a
`Expected latest pipeline (link) to be a tier-3 pipeline!` message, add the `~"pipeline::tier-3"`
label to the MR and run a new pipeline.
## Moving content
When you move content to a new location, and edit the content in the same merge request,


@ -70,6 +70,7 @@ Authorization configuration can take one or two minutes to propagate.
- [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/346566) to remove hierarchy restrictions in GitLab 15.6.
- [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/356831) to allow authorizing projects in a user namespace in GitLab 15.7.
- [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/377932) to allow the authorization of groups that belong to different top-level groups in GitLab 18.1.
{{< /history >}}
@ -85,7 +86,8 @@ To authorize the GitLab project where you keep Kubernetes manifests to access th
- id: path/to/project
```
- Authorized projects must have the same top-level group or user namespace as the agent's configuration project.
- Authorized projects must have the same top-level group or user namespace as the agent's configuration project, unless the
[instance level authorization](#authorize-all-projects-in-your-gitlab-instance-to-access-the-agent) application setting is enabled.
- You can install additional agents into the same cluster to accommodate additional hierarchies.
- You can authorize up to 500 projects.
@ -100,6 +102,7 @@ After making these changes:
{{< history >}}
- [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/346566) to remove hierarchy restrictions in GitLab 15.6.
- [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/377932) to allow the authorization of groups that belong to different top-level groups in GitLab 18.1.
{{< /history >}}
@ -115,7 +118,8 @@ To authorize all of the GitLab projects in a group or subgroup to access the age
- id: path/to/group/subgroup
```
- Authorized groups must have the same top-level group as the agent's configuration project.
- Authorized groups must have the same top-level group as the agent's configuration project, unless the
[instance level authorization](#authorize-all-projects-in-your-gitlab-instance-to-access-the-agent) application setting is enabled.
- You can install additional agents into the same cluster to accommodate additional hierarchies.
- All of the subgroups of an authorized group also have access to the same agent (without being specified individually).
- You can authorize up to 500 groups.


@ -13734,7 +13734,7 @@ msgstr ""
msgid "ClusterAgents|Allow configuring agents in receptive mode."
msgstr ""
msgid "ClusterAgents|Allow configuring agents to be authorized for the entire instance."
msgid "ClusterAgents|Allow configuring agents to be authorized for the entire instance and across top level groups."
msgstr ""
msgid "ClusterAgents|An error occurred while loading your agent"


@ -54,13 +54,18 @@ RSpec.describe Clusters::Agents::Authorizations::CiAccess::Finder, feature_categ
describe 'project authorizations' do
context 'when initialized without an agent' do
context 'agent configuration project does not share a root namespace with the given project' do
let(:unrelated_agent) { create(:cluster_agent) }
before do
create(:agent_ci_access_project_authorization, agent: unrelated_agent, project: requesting_project)
end
let_it_be(:unrelated_agent) { create(:cluster_agent) }
let_it_be(:project_authorization) { create(:agent_ci_access_project_authorization, agent: unrelated_agent, project: requesting_project) }
it { is_expected.to be_empty }
context 'when the organization authorization application setting is enabled' do
before do
stub_application_setting(organization_cluster_agent_authorization_enabled: true)
end
it { is_expected.to match_array([project_authorization]) }
end
end
context 'agent configuration project shares a root namespace, but does not belong to an ancestor of the given project' do
@ -135,13 +140,18 @@ RSpec.describe Clusters::Agents::Authorizations::CiAccess::Finder, feature_categ
describe 'authorized groups' do
context 'when initialized without an agent' do
context 'agent configuration project is outside the requesting project hierarchy' do
let(:unrelated_agent) { create(:cluster_agent) }
before do
create(:agent_ci_access_group_authorization, agent: unrelated_agent, group: top_level_group)
end
let_it_be(:unrelated_agent) { create(:cluster_agent) }
let_it_be(:project_authorization) { create(:agent_ci_access_group_authorization, agent: unrelated_agent, group: top_level_group) }
it { is_expected.to be_empty }
context 'when the organization authorization application setting is enabled' do
before do
stub_application_setting(organization_cluster_agent_authorization_enabled: true)
end
it { is_expected.to match_array([project_authorization]) }
end
end
context 'multiple agents are authorized for the same group' do
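Review bot: Both new `when the organization authorization application setting is enabled` contexts only assert that the previously rejected agent is now returned; neither pins the outer boundary of the widened scope. An example where the agent's configuration project belongs to a different organization from `requesting_project`, expecting `be_empty`, would show whether the finder still enforces any limit once the namespace filter is skipped. Which organization the `:cluster_agent` factory assigns is not visible here. In the `authorized groups` block, the `let_it_be(:project_authorization)` holds an `agent_ci_access_group_authorization`, so `group_authorization` would be the less misleading name.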


@ -14,6 +14,9 @@ RSpec.describe Clusters::Agents::Authorizations::CiAccess::RefreshService, featu
let_it_be(:modified_project) { create(:project, namespace: root_ancestor) }
let_it_be(:added_project) { create(:project, path: 'project-path-with-UPPERCASE', namespace: root_ancestor) }
let_it_be(:user_project_outside_of_hierarchy) { create(:project) }
let_it_be(:group_project_outside_of_hierarchy) { create(:project, :in_group) }
let(:project) { create(:project, namespace: root_ancestor) }
let(:agent) { create(:cluster_agent, project: project) }
@ -61,7 +64,7 @@ RSpec.describe Clusters::Agents::Authorizations::CiAccess::RefreshService, featu
end
context 'config contains groups outside of the configuration project hierarchy' do
let(:project) { create(:project, namespace: create(:group)) }
let(:project) { group_project_outside_of_hierarchy }
it 'removes all authorizations' do
expect(subject).to be_truthy
@ -70,7 +73,7 @@ RSpec.describe Clusters::Agents::Authorizations::CiAccess::RefreshService, featu
end
context 'configuration project does not belong to a group' do
let(:project) { create(:project) }
let(:project) { user_project_outside_of_hierarchy }
it 'removes all authorizations' do
expect(subject).to be_truthy
@ -92,6 +95,19 @@ RSpec.describe Clusters::Agents::Authorizations::CiAccess::RefreshService, featu
'protected_branches_only' => 'true' })
end
context 'when the organization authorization application setting is enabled' do
let(:project) { group_project_outside_of_hierarchy }
before do
stub_application_setting(organization_cluster_agent_authorization_enabled: true)
end
it 'allows authorizing groups outside of the configuration project hierarchy' do
expect(subject).to be_truthy
expect(agent.ci_access_authorized_groups).to contain_exactly(added_group, modified_group)
end
end
context 'config contains too many groups' do
before do
stub_const("#{described_class}::AUTHORIZED_ENTITY_LIMIT", 1)
@ -131,6 +147,19 @@ RSpec.describe Clusters::Agents::Authorizations::CiAccess::RefreshService, featu
end
end
context 'when the organization authorization application setting is enabled' do
let(:project) { group_project_outside_of_hierarchy }
before do
stub_application_setting(organization_cluster_agent_authorization_enabled: true)
end
it 'allows authorizing groups outside of the configuration project hierarchy' do
expect(subject).to be_truthy
expect(agent.ci_access_authorized_groups).to contain_exactly(added_group, modified_group)
end
end
context 'project does not belong to a group, and is authorizing itself' do
let(:root_ancestor) { create(:namespace) }
let(:added_project) { project }
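Review bot: The second added context (the hunk at new line 147) is a line-for-line copy of the first, including the description `allows authorizing groups outside of the configuration project hierarchy` and the assertion on `agent.ci_access_authorized_groups`. The context that follows it deals with `added_project`, so it appears to sit among the project-authorization examples. If so, the example should be described in terms of projects and assert on the agent's authorized projects, otherwise the `organization.projects` branch is left unexercised. Both contexts also use `group_project_outside_of_hierarchy`; the new `user_project_outside_of_hierarchy` is never combined with the enabled setting, so a configuration project in a user namespace authorizing groups goes untested. The surrounding `describe` blocks start outside the hunks.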