Add latest changes from gitlab-org/gitlab@master

app/assets/images/confluence.svg

@@ -0,0 +1 @@
+<svg height="16" width="16" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><linearGradient id="a"><stop offset="0" stop-color="#344563"/><stop offset=".68" stop-color="#637088"/><stop offset="1" stop-color="#7a869a"/></linearGradient><linearGradient id="b" gradientUnits="userSpaceOnUse" x1="14.873" x2="5.739" xlink:href="#a" y1="15.883" y2="10.625"/><linearGradient id="c" gradientUnits="userSpaceOnUse" x1="-168376" x2="-168177" xlink:href="#a" y1="-6722.4" y2="-6493.53"/><path d="m1.517 11.68c-.15.243-.32.53-.453.757a.462.462 0 0 0 .155.63l3.013 1.863a.466.466 0 0 0 .645-.158l.445-.735c1.197-1.97 2.402-1.732 4.571-.703l2.995 1.424a.468.468 0 0 0 .626-.232l1.448-3.24a.466.466 0 0 0 -.229-.606c-.633-.298-1.89-.89-3.016-1.434-4.089-2.004-7.551-1.86-10.2 2.434z" fill="url(#b)"/><path d="m14.479 4.315c.15-.243.324-.53.456-.758a.46.46 0 0 0 -.158-.63l-3.025-1.857a.464.464 0 0 0 -.644.158 22.81 22.81 0 0 1 -.446.736c-1.196 1.972-2.4 1.733-4.567.703l-2.993-1.424a.468.468 0 0 0 -.625.231l-1.437 3.246a.46.46 0 0 0 .225.607c.633.298 1.892.89 3.014 1.435 4.097 1.99 7.556 1.858 10.199-2.446z" fill="url(#c)"/></svg>

app/controllers/projects/confluences_controller.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+class Projects::ConfluencesController < Projects::ApplicationController
+  before_action :ensure_confluence
+
+  def show
+  end
+
+  private
+
+  def ensure_confluence
+    render_404 unless project.has_confluence?
+  end
+end

app/views/layouts/nav/sidebar/_project.html.haml

@@ -294,11 +294,11 @@
       = render 'layouts/nav/sidebar/analytics_links', links: project_analytics_navbar_links(@project, current_user)
 
       - if project_nav_tab?(:confluence)
-        - confluence_url = @project.confluence_service.confluence_url
+        - confluence_url = project_wikis_confluence_path(@project)
         = nav_link do
           = link_to confluence_url, class: 'shortcuts-confluence' do
             .nav-icon-container
-              = sprite_icon('external-link')
+              = image_tag 'confluence.svg', alt: _('Confluence')
             %span.nav-item-name
               = _('Confluence')
           %ul.sidebar-sub-level-items.is-fly-out-only

app/views/projects/confluences/show.html.haml

@@ -0,0 +1,13 @@
+- breadcrumb_title _('Confluence')
+- page_title _('Confluence')
+= render layout: 'shared/empty_states/wikis_layout', locals: { image_path: 'illustrations/wiki_login_empty.svg' } do
+  %h4
+    = s_('WikiEmpty|Confluence is enabled')
+  %p
+    - wiki_confluence_epic_link_url = 'https://gitlab.com/groups/gitlab-org/-/epics/3629'
+    - wiki_confluence_epic_link_start = '<a href="%{url}" target="_blank" rel="noopener noreferrer">'.html_safe % { url: wiki_confluence_epic_link_url }
+    = s_("WikiEmpty|You've enabled the Confluence Workspace integration. Your wiki will be viewable directly within Confluence. We are hard at work integrating Confluence more seamlessly into GitLab. If you'd like to stay up to date, follow our %{wiki_confluence_epic_link_start}Confluence epic%{wiki_confluence_epic_link_end}.").html_safe % { wiki_confluence_epic_link_start: wiki_confluence_epic_link_start, wiki_confluence_epic_link_end: '</a>'.html_safe }
+  = link_to @project.confluence_service.confluence_url, target: '_blank', rel: 'noopener noreferrer', class: 'btn btn-success external-url', title: s_('WikiEmpty|Go to Confluence') do
+    = sprite_icon('external-link')
+    = s_('WikiEmpty|Go to Confluence')
+

changelogs/unreleased/220934-confluence-wiki-icon.yml

@@ -0,0 +1,5 @@
+---
+title: Use a Confluence icon for the project Confluence integration nav item
+merge_request: 36780
+author:
+type: changed

changelogs/unreleased/cluster-applications-0-24-2.yml

@@ -0,0 +1,5 @@
+---
+title: Update cluster-applications to 0.24.2
+merge_request: 36768
+author:
+type: added

changelogs/unreleased/secret-detection-remove-extra-job.yml

@@ -0,0 +1,5 @@
+---
+title: Remove extra Secret-Detection job on merge requests
+merge_request: 36884
+author:
+type: fixed

config/routes/wiki.rb

@@ -5,6 +5,9 @@ scope(controller: :wikis) do
     get :new
     get '/', to: redirect { |params, request| "#{request.path}/home" }
     post '/', to: 'wikis#create'
+    scope '-' do
+      resource :confluence, only: :show
+    end
   end
 
   scope(path: 'wikis/*id', as: :wiki, format: false) do

doc/user/clusters/applications.md

@@ -984,21 +984,20 @@ Major upgrades might require additional setup steps, please consult
 the official [upgrade guide](https://docs.cilium.io/en/stable/install/upgrade/) for more
 information.
 
-By default, Cilium drops all disallowed packets upon policy
-deployment. In
-[auditmode](https://docs.cilium.io/en/v1.8/gettingstarted/policy-creation/?highlight=policy-audit#enable-policy-audit-mode),
-however, Cilium doesn't drop disallowed packets. You can use
-`policy-verdict` log to observe policy-related decisions. You can
-enable audit mode by adding the following to
+By default, Cilium's [audit
+mode](https://docs.cilium.io/en/v1.8/gettingstarted/policy-creation/?highlight=policy-audit#enable-policy-audit-mode)
+is enabled. In audit mode, Cilium doesn't drop disallowed packets. You
+can use `policy-verdict` log to observe policy-related decisions. You
+can disable audit mode by adding the following to
 `.gitlab/managed-apps/cilium/values.yaml`:
 
 ```yaml
 config:
-  policyAuditMode: true
+  policyAuditMode: false
 
 agent:
   monitor:
-    eventTypes: ["drop", "policy-verdict"]
+    eventTypes: ["drop"]
 ```
 
 The Cilium monitor log for traffic is logged out by the
@@ -1453,6 +1452,45 @@ podAnnotations:
 
 The only information to be changed here is the profile name which is `profile-one` in this example. Refer to the [AppArmor tutorial](https://kubernetes.io/docs/tutorials/clusters/apparmor/#securing-a-pod) for more information on how AppArmor is integrated in Kubernetes.
 
+#### Using PodSecurityPolicy in your deployments
+
+NOTE: **Note:**
+To enable AppArmor annotations on a Pod Security Policy you must first
+load the correspondingAppArmor profile.
+
+[Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)are
+resources at the cluster level that control security-related
+properties of deployed pods. You can use such a policy to enable
+loaded AppArmor profiles and apply necessary pod restrictions across a
+cluster. You can deploy a new policy by adding the following
+to`.gitlab/managed-apps/apparmor/values.yaml`:
+
+```yaml
+securityPolicies:
+  example:
+    defaultProfile: profile-one
+    allowedProfiles:
+    - profile-one
+    - profile-two
+    spec:
+      privileged: false
+      seLinux:
+        rule: RunAsAny
+      supplementalGroups:
+        rule: RunAsAny
+      runAsUser:
+        rule: RunAsAny
+      fsGroup:
+        rule: RunAsAny
+      volumes:
+        - '*'
+```
+
+This example creates a single policy named `example` with the provided
+specification, and enables [AppArmor
+annotations](https://kubernetes.io/docs/tutorials/clusters/apparmor/#podsecuritypolicy-annotations)on
+it.
+
 NOTE: **Note:**
 Support for installing the AppArmor managed application is provided by the GitLab Container Security group.
 If you run into unknown issues, please [open a new issue](https://gitlab.com/gitlab-org/gitlab/-/issues/new) and ping at least 2 people from the [Container Security group](https://about.gitlab.com/handbook/product/product-categories/#container-security-group).

lib/gitlab/ci/templates/Managed-Cluster-Applications.gitlab-ci.yml

@@ -1,6 +1,6 @@
 apply:
   stage: deploy
-  image: "registry.gitlab.com/gitlab-org/cluster-integration/cluster-applications:v0.23.0"
+  image: "registry.gitlab.com/gitlab-org/cluster-integration/cluster-applications:v0.24.2"
   environment:
     name: production
   variables:

lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml

@@ -31,7 +31,7 @@ secret_detection:
   rules:
     - if: $SECRET_DETECTION_DISABLED
       when: never
-    - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH &&
+    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH &&
           $GITLAB_FEATURES =~ /\bsecret_detection\b/
   script:
     - git fetch origin $CI_DEFAULT_BRANCH $CI_BUILD_REF_NAME

locale/gitlab.pot

@@ -26435,12 +26435,18 @@ msgstr ""
 msgid "WikiEmpty|A wiki is where you can store all the details about your project. This can include why you've created it, its principles, how to use it, and so on."
 msgstr ""
 
+msgid "WikiEmpty|Confluence is enabled"
+msgstr ""
+
 msgid "WikiEmpty|Create your first page"
 msgstr ""
 
 msgid "WikiEmpty|Enable the Confluence Wiki integration"
 msgstr ""
 
+msgid "WikiEmpty|Go to Confluence"
+msgstr ""
+
 msgid "WikiEmpty|Suggest wiki improvement"
 msgstr ""
 
@@ -26462,6 +26468,9 @@ msgstr ""
 msgid "WikiEmpty|You must be a project member in order to add wiki pages."
 msgstr ""
 
+msgid "WikiEmpty|You've enabled the Confluence Workspace integration. Your wiki will be viewable directly within Confluence. We are hard at work integrating Confluence more seamlessly into GitLab. If you'd like to stay up to date, follow our %{wiki_confluence_epic_link_start}Confluence epic%{wiki_confluence_epic_link_end}."
+msgstr ""
+
 msgid "WikiHistoricalPage|This is an old version of this page."
 msgstr ""
 

spec/features/projects/confluence/user_views_confluence_page_spec.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'User views the Confluence page' do
+  let_it_be(:user) { create(:user) }
+  let(:project) { create(:project, :public) }
+
+  before do
+    sign_in(user)
+  end
+
+  it 'shows the page when the Confluence integration is enabled' do
+    service = create(:confluence_service, project: project)
+
+    visit project_wikis_confluence_path(project)
+
+    element = page.find('.row.empty-state')
+
+    expect(element).to have_link('Go to Confluence', href: service.confluence_url)
+  end
+
+  it 'does not show the page when the Confluence integration disabled' do
+    visit project_wikis_confluence_path(project)
+
+    expect(page).to have_gitlab_http_status(:not_found)
+  end
+end

spec/views/layouts/nav/sidebar/_project.html.haml_spec.rb

@@ -120,7 +120,7 @@ RSpec.describe 'layouts/nav/sidebar/_project' do
       let(:active) { true }
 
       it 'shows the Confluence tab' do
-        expect(rendered).to have_link('Confluence', href: service.confluence_url)
+        expect(rendered).to have_link('Confluence', href: project_wikis_confluence_path(project))
       end
 
       it 'does not show the GitLab wiki tab' do