From 59354fc5784dfd598fd02ed87eef9104f99f10d2 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Wed, 21 May 2025 06:14:27 +0000 Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master --- GITLAB_KAS_VERSION | 2 +- .../pages/projects/boards/index.js | 13 ++++++-- .../agents/authorizations/ci_access/finder.rb | 7 ++-- .../ci_access/refresh_service.rb | 16 +++++---- .../application_settings/_cluster_agents.haml | 2 +- doc/development/documentation/workflow.md | 15 +++++++-- doc/user/clusters/agent/ci_cd_workflow.md | 8 +++-- locale/gitlab.pot | 2 +- .../authorizations/ci_access/finder_spec.rb | 30 +++++++++++------ .../ci_access/refresh_service_spec.rb | 33 +++++++++++++++++-- 10 files changed, 99 insertions(+), 29 deletions(-) diff --git a/GITLAB_KAS_VERSION b/GITLAB_KAS_VERSION index 63bdec12ed7..4232fe0d411 100644 --- a/GITLAB_KAS_VERSION +++ b/GITLAB_KAS_VERSION @@ -1 +1 @@ -2039843d4917d0d6fba15ca9af9664f68949bdc4 +b7b08437cea99e8346cc4ce9dd69e39e9468d0be diff --git a/app/assets/javascripts/pages/projects/boards/index.js b/app/assets/javascripts/pages/projects/boards/index.js index df1aa2cee5b..02ae84eef2e 100644 --- a/app/assets/javascripts/pages/projects/boards/index.js +++ b/app/assets/javascripts/pages/projects/boards/index.js 
@@ -1,14 +1,23 @@ import { addShortcutsExtension } from '~/behaviors/shortcuts'; import ShortcutsNavigation from '~/behaviors/shortcuts/shortcuts_navigation'; import initBoards from '~/boards'; +import { ISSUE_WIT_FEEDBACK_BADGE } from '~/work_items/constants'; addShortcutsExtension(ShortcutsNavigation); initBoards(); -if (gon.features.workItemsViewPreference) { +let feedback = {}; + +if (gon.features.workItemViewForIssues) { + feedback = { + ...ISSUE_WIT_FEEDBACK_BADGE, + }; +} + +if (gon.features.workItemsViewPreference || gon.features.workItemViewForIssues) { import(/* webpackChunkName: 'work_items_feedback' */ '~/work_items_feedback') .then(({ initWorkItemsFeedback }) => { - initWorkItemsFeedback(); + initWorkItemsFeedback(feedback); }) .catch({}); } diff --git a/app/finders/clusters/agents/authorizations/ci_access/finder.rb b/app/finders/clusters/agents/authorizations/ci_access/finder.rb index 0209cb357e5..65ae3dc45ea 100644 --- a/app/finders/clusters/agents/authorizations/ci_access/finder.rb +++ b/app/finders/clusters/agents/authorizations/ci_access/finder.rb @@ -38,9 +38,12 @@ module Clusters .where(project_id: project.id) .joins(agent: :project) .preload(agent: :project) - .where(cluster_agents: { projects: { namespace_id: namespace_ids } }) .with_available_ci_access_fields(project) + unless organization_agents_enabled? + query = query.where(cluster_agents: { projects: { namespace_id: namespace_ids } }) + end + query = query.where(agent_id: agent.id) if agent query.to_a end @@ -64,7 +67,6 @@ module Clusters .joins(cte_join_sources) .joins(agent: :project) .with_available_ci_access_fields(project) - .where(projects: { namespace_id: all_namespace_ids }) .order( Arel.sql( 'agent_id, array_position(ARRAY(SELECT id FROM ordered_ancestors)::bigint[], ' \ 
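Review bot: The `.catch({})` that closes the dynamic import passes an object rather than a function, so a failed chunk load is not handled there and surfaces as an unhandled rejection; with the widened condition `workItemsViewPreference || workItemViewForIssues` that path now runs under one more flag. The line is unchanged context, but it is worth fixing in the same change, for example `.catch(() => {});` or a handler that reports the error. On style, `let feedback = {}` followed by a conditional reassignment can be a single `const feedback = gon.features.workItemViewForIssues ? { ...ISSUE_WIT_FEEDBACK_BADGE } : {};`.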
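Review bot: When `organization_agents_enabled?` is true, the new `unless` block in the project-authorization query drops the `namespace_id` filter and puts nothing in its place, so the finder returns every authorization row for the project whatever the agent's namespace or organization; the same applies to the group query in the `@@ -74,6 +76,7 @@` hunk. The write side in `refresh_service.rb` limits new rows to `organization.projects` and `organization.groups`, but the read side does not re-check that boundary, so a row that outlives an organization change on either side would, as far as these hunks show, still grant CI access. Consider keeping an organization scope in the enabled case, e.g. `query = query.where(cluster_agents: { projects: { organization_id: project.organization_id } })`, and adding a spec with an agent in another organization that expects an empty result. `organization_agents_enabled?` is defined outside these hunks, so it is not visible whether it reads only the application setting, and both query methods start and end outside the hunk.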
@@ -74,6 +76,7 @@ module Clusters .select('DISTINCT ON (agent_id) agent_group_authorizations.*') .preload(agent: :project) + query = query.where(projects: { namespace_id: all_namespace_ids }) unless organization_agents_enabled? query = query.where(agent_id: agent.id) if agent query.to_a end diff --git a/app/services/clusters/agents/authorizations/ci_access/refresh_service.rb b/app/services/clusters/agents/authorizations/ci_access/refresh_service.rb index 68d603edb64..c9622b3c042 100644 --- a/app/services/clusters/agents/authorizations/ci_access/refresh_service.rb +++ b/app/services/clusters/agents/authorizations/ci_access/refresh_service.rb @@ -10,7 +10,7 @@ module Clusters AUTHORIZED_ENTITY_LIMIT = 500 delegate :project, to: :agent, private: true - delegate :root_ancestor, to: :project, private: true + delegate :root_ancestor, :organization, to: :project, private: true def initialize(agent, config:) @agent = agent @@ -59,10 +59,8 @@ module Clusters return unless organization_agents_enabled? if organization_configuration - organization_id = agent.project.organization_id - agent.ci_access_organization_authorizations.upsert_all( - [{ agent_id: agent.id, organization_id: organization_id, config: organization_configuration }], + [{ agent_id: agent.id, organization_id: organization.id, config: organization_configuration }], unique_by: [:agent_id] ) else @@ -107,11 +105,17 @@ module Clusters end def allowed_projects - root_ancestor.all_projects + if organization_agents_enabled? + organization.projects + else + root_ancestor.all_projects + end end def allowed_groups - if group_root_ancestor? + if organization_agents_enabled? + organization.groups + elsif group_root_ancestor? root_ancestor.self_and_descendants else ::Group.none diff --git a/app/views/admin/application_settings/_cluster_agents.haml b/app/views/admin/application_settings/_cluster_agents.haml index f639b954715..5990aaf813c 100644 --- a/app/views/admin/application_settings/_cluster_agents.haml 
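Review bot: In `allowed_projects` and `allowed_groups` the enabled branch calls `organization.projects` and `organization.groups` with no guard for a project without an organization, and in `allowed_groups` it is checked before `group_root_ancestor?`, so an agent whose configuration project sits in a personal namespace moves from `::Group.none` to every group in the organization. That widening appears to be what the setting intends, but the specs in this commit cover only `group_project_outside_of_hierarchy` for the enabled case; neither the personal-namespace case nor a group from another organization is exercised. A comment above both methods would make the trust boundary explicit, e.g. `# With instance-level authorization enabled, the agent's organization (not its root ancestor) is the authorization boundary.`. The `@@ -59,10 +59,8 @@` hunk also swaps `agent.project.organization_id` for `organization.id`, which loads the association and would raise on a nil organization where the old code only read the column.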
+++ b/app/views/admin/application_settings/_cluster_agents.haml @@ -11,7 +11,7 @@ = render_if_exists 'admin/application_settings/cluster_agents_receptive_enabled', form: f .form-group - - help_text = s_('ClusterAgents|Allow configuring agents to be authorized for the entire instance.') + - help_text = s_('ClusterAgents|Allow configuring agents to be authorized for the entire instance and across top level groups.') - help_link = link_to _('Learn more.'), help_page_path('user/clusters/agent/ci_cd_workflow.md', anchor: 'authorize-all-projects-in-your-gitlab-instance-to-access-the-agent'), target: '_blank', rel: 'noopener noreferrer' = f.gitlab_ui_checkbox_component :organization_cluster_agent_authorization_enabled, s_('ClusterAgents|Enable instance level authorization'), help_text: '%{help_text} %{help_link}'.html_safe % { help_text: help_text, help_link: help_link } diff --git a/doc/development/documentation/workflow.md b/doc/development/documentation/workflow.md index 397cb8bdac8..bf19ea6481f 100644 --- a/doc/development/documentation/workflow.md +++ b/doc/development/documentation/workflow.md @@ -24,9 +24,9 @@ for a milestone when: Documentation is not typically required when a **backend feature** is added or changed. -## Branch naming +## Pipelines and branch naming -The [CI/CD pipeline for the main GitLab project](../pipelines/_index.md) is configured to +The [CI/CD pipelines for the `gitlab` and `gitlab-runner` projects](../pipelines/_index.md) are configured to run shorter, faster pipelines on merge requests that contain only documentation changes. If you submit documentation-only changes to Omnibus, Charts, or Operator, 
@@ -38,6 +38,17 @@ to make the shorter pipeline run, you must follow these guidelines when naming y | Starting with `docs-` | `docs-update-api-issues` | | Ending in `-docs` | `123-update-api-issues-docs` | +Additionally, changes to these files in the `gitlab` project automatically trigger a long pipeline +because some code tests use these files as examples: + +- `doc/_index.md` +- `doc/api/settings.md` + +When you edit these pages, the long pipeline appears the same as in a code MR, +but you do not need any additional approvals. If the `pre-merge-checks` job fails on merge with a +`Expected latest pipeline (link) to be a tier-3 pipeline!` message, add the `~"pipeline::tier-3"` +label to the MR and run a new pipeline. + ## Moving content When you move content to a new location, and edit the content in the same merge request, diff --git a/doc/user/clusters/agent/ci_cd_workflow.md b/doc/user/clusters/agent/ci_cd_workflow.md index 5753445c8ed..a319f3813fd 100644 --- a/doc/user/clusters/agent/ci_cd_workflow.md +++ b/doc/user/clusters/agent/ci_cd_workflow.md @@ -70,6 +70,7 @@ Authorization configuration can take one or two minutes to propagate. - [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/346566) to remove hierarchy restrictions in GitLab 15.6. - [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/356831) to allow authorizing projects in a user namespace in GitLab 15.7. +- [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/377932) to allow the authorization of groups that belong to different top-level groups in GitLab 18.1. {{< /history >}} 
@@ -85,7 +86,8 @@ To authorize the GitLab project where you keep Kubernetes manifests to access th - id: path/to/project ``` - - Authorized projects must have the same top-level group or user namespace as the agent's configuration project. + - Authorized projects must have the same top-level group or user namespace as the agent's configuration project, unless the + [instance level authorization](#authorize-all-projects-in-your-gitlab-instance-to-access-the-agent) application setting is enabled. - You can install additional agents into the same cluster to accommodate additional hierarchies. - You can authorize up to 500 projects. @@ -100,6 +102,7 @@ After making these changes: {{< history >}} - [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/346566) to remove hierarchy restrictions in GitLab 15.6. +- [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/377932) to allow the authorization of groups that belong to different top-level groups in GitLab 18.1. {{< /history >}} @@ -115,7 +118,8 @@ To authorize all of the GitLab projects in a group or subgroup to access the age - id: path/to/group/subgroup ``` - - Authorized groups must have the same top-level group as the agent's configuration project. + - Authorized groups must have the same top-level group as the agent's configuration project, unless the + [instance level authorization](#authorize-all-projects-in-your-gitlab-instance-to-access-the-agent) application setting is enabled. - You can install additional agents into the same cluster to accommodate additional hierarchies. - All of the subgroups of an authorized group also have access to the same agent (without being specified individually). - You can authorize up to 500 groups. diff --git a/locale/gitlab.pot b/locale/gitlab.pot index 81b1c95550d..10c7d3996c4 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot 
@@ -13734,7 +13734,7 @@ msgstr "" msgid "ClusterAgents|Allow configuring agents in receptive mode." msgstr "" -msgid "ClusterAgents|Allow configuring agents to be authorized for the entire instance." +msgid "ClusterAgents|Allow configuring agents to be authorized for the entire instance and across top level groups." msgstr "" msgid "ClusterAgents|An error occurred while loading your agent" diff --git a/spec/finders/clusters/agents/authorizations/ci_access/finder_spec.rb b/spec/finders/clusters/agents/authorizations/ci_access/finder_spec.rb index 9166439837d..99c48c7b8ea 100644 --- a/spec/finders/clusters/agents/authorizations/ci_access/finder_spec.rb +++ b/spec/finders/clusters/agents/authorizations/ci_access/finder_spec.rb @@ -54,13 +54,18 @@ RSpec.describe Clusters::Agents::Authorizations::CiAccess::Finder, feature_categ describe 'project authorizations' do context 'when initialized without an agent' do context 'agent configuration project does not share a root namespace with the given project' do - let(:unrelated_agent) { create(:cluster_agent) } - - before do - create(:agent_ci_access_project_authorization, agent: unrelated_agent, project: requesting_project) - end + let_it_be(:unrelated_agent) { create(:cluster_agent) } + let_it_be(:project_authorization) { create(:agent_ci_access_project_authorization, agent: unrelated_agent, project: requesting_project) } it { is_expected.to be_empty } + + context 'when the organization authorization application setting is enabled' do + before do + stub_application_setting(organization_cluster_agent_authorization_enabled: true) + end + + it { is_expected.to match_array([project_authorization]) } + end end context 'agent configuration project shares a root namespace, but does not belong to an ancestor of the given project' do 
@@ -135,13 +140,18 @@ RSpec.describe Clusters::Agents::Authorizations::CiAccess::Finder, feature_categ describe 'authorized groups' do context 'when initialized without an agent' do context 'agent configuration project is outside the requesting project hierarchy' do - let(:unrelated_agent) { create(:cluster_agent) } - - before do - create(:agent_ci_access_group_authorization, agent: unrelated_agent, group: top_level_group) - end + let_it_be(:unrelated_agent) { create(:cluster_agent) } + let_it_be(:project_authorization) { create(:agent_ci_access_group_authorization, agent: unrelated_agent, group: top_level_group) } it { is_expected.to be_empty } + + context 'when the organization authorization application setting is enabled' do + before do + stub_application_setting(organization_cluster_agent_authorization_enabled: true) + end + + it { is_expected.to match_array([project_authorization]) } + end end context 'multiple agents are authorized for the same group' do diff --git a/spec/services/clusters/agents/authorizations/ci_access/refresh_service_spec.rb b/spec/services/clusters/agents/authorizations/ci_access/refresh_service_spec.rb index 9fcb13fcf3d..0e0fb2b6b42 100644 --- a/spec/services/clusters/agents/authorizations/ci_access/refresh_service_spec.rb +++ b/spec/services/clusters/agents/authorizations/ci_access/refresh_service_spec.rb @@ -14,6 +14,9 @@ RSpec.describe Clusters::Agents::Authorizations::CiAccess::RefreshService, featu let_it_be(:modified_project) { create(:project, namespace: root_ancestor) } let_it_be(:added_project) { create(:project, path: 'project-path-with-UPPERCASE', namespace: root_ancestor) } + let_it_be(:user_project_outside_of_hierarchy) { create(:project) } + let_it_be(:group_project_outside_of_hierarchy) { create(:project, :in_group) } + let(:project) { create(:project, namespace: root_ancestor) } let(:agent) { create(:cluster_agent, project: project) } 
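Review bot: In the 'authorized groups' block the new `let_it_be(:project_authorization)` holds a record built with `:agent_ci_access_group_authorization`, so the name is misleading, and it mirrors the identifier used in the 'project authorizations' block of the same file. Renaming it to `let_it_be(:group_authorization) { create(:agent_ci_access_group_authorization, agent: unrelated_agent, group: top_level_group) }` and asserting `match_array([group_authorization])` makes clear which authorization type the example checks. The enclosing describe block starts and ends outside the hunk.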
@@ -61,7 +64,7 @@ RSpec.describe Clusters::Agents::Authorizations::CiAccess::RefreshService, featu end context 'config contains groups outside of the configuration project hierarchy' do - let(:project) { create(:project, namespace: create(:group)) } + let(:project) { group_project_outside_of_hierarchy } it 'removes all authorizations' do expect(subject).to be_truthy @@ -70,7 +73,7 @@ RSpec.describe Clusters::Agents::Authorizations::CiAccess::RefreshService, featu end context 'configuration project does not belong to a group' do - let(:project) { create(:project) } + let(:project) { user_project_outside_of_hierarchy } it 'removes all authorizations' do expect(subject).to be_truthy @@ -92,6 +95,19 @@ RSpec.describe Clusters::Agents::Authorizations::CiAccess::RefreshService, featu 'protected_branches_only' => 'true' }) end + context 'when the organization authorization application setting is enabled' do + let(:project) { group_project_outside_of_hierarchy } + + before do + stub_application_setting(organization_cluster_agent_authorization_enabled: true) + end + + it 'allows authorizing groups outside of the configuration project hierarchy' do + expect(subject).to be_truthy + expect(agent.ci_access_authorized_groups).to contain_exactly(added_group, modified_group) + end + end + context 'config contains too many groups' do before do stub_const("#{described_class}::AUTHORIZED_ENTITY_LIMIT", 1) 
@@ -131,6 +147,19 @@ RSpec.describe Clusters::Agents::Authorizations::CiAccess::RefreshService, featu end end + context 'when the organization authorization application setting is enabled' do + let(:project) { group_project_outside_of_hierarchy } + + before do + stub_application_setting(organization_cluster_agent_authorization_enabled: true) + end + + it 'allows authorizing groups outside of the configuration project hierarchy' do + expect(subject).to be_truthy + expect(agent.ci_access_authorized_groups).to contain_exactly(added_group, modified_group) + end + end + context 'project does not belong to a group, and is authorizing itself' do let(:root_ancestor) { create(:namespace) } let(:added_project) { project }
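Review bot: The context added in this hunk is a verbatim copy of the one added at `@@ -92,6 +95,19 @@`: it sits next to the 'project does not belong to a group, and is authorizing itself' context, which suggests the project-authorization section, yet it is titled 'allows authorizing groups outside of the configuration project hierarchy' and asserts `agent.ci_access_authorized_groups`. If that placement is right, the `organization.projects` branch of `allowed_projects` is left without a test; the example should assert the agent's authorized projects against `added_project` and `modified_project` and be renamed to match. `user_project_outside_of_hierarchy` is also never combined with the enabled setting in the visible hunks. The surrounding describe block starts and ends outside the hunk.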