root
/
gitlab-ce
mirror of https://gitlab.com/free-releases/gitlab-ce.git
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity

Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2024-04-25 18:14:49 +00:00
parent 0980186fa9
commit ed03fc701a
197 changed files with 2707 additions and 1923 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitlab/CODEOWNERS
View File

@ -304,7 +304,7 @@ Dangerfile
/ee/spec/services/software_license_policies/**
/spec/finders/security/license_compliance_jobs_finder_spec.rb
^[Secure::Static Analysis] @gitlab-org/secure/static-analysis
[Secure::Secret Detection] @gitlab-org/secure/secret-detection
/ee/lib/gitlab/checks/secrets_check.rb
/ee/spec/lib/gitlab/checks/secrets_check_spec.rb
/ee/spec/support/shared_contexts/secrets_check_shared_contexts.rb

1
.rubocop_todo/gitlab/avoid_gitlab_instance_checks.yml
View File

@ -26,7 +26,6 @@ Gitlab/AvoidGitlabInstanceChecks:
- 'app/models/release_highlight.rb'
- 'app/policies/base_policy.rb'
- 'app/workers/container_registry/cleanup_worker.rb'
- 'app/workers/container_registry/migration/guard_worker.rb'
- 'app/workers/container_registry/record_data_repair_detail_worker.rb'
- 'app/workers/gitlab_service_ping_worker.rb'
- 'app/workers/users/deactivate_dormant_users_worker.rb'

1
.rubocop_todo/gitlab/strong_memoize_attr.yml
View File

@ -230,7 +230,6 @@ Gitlab/StrongMemoizeAttr:
- 'app/workers/concerns/packages/cleanup_artifact_worker.rb'
- 'app/workers/container_expiration_policies/cleanup_container_repository_worker.rb'
- 'app/workers/container_registry/delete_container_repository_worker.rb'
- 'app/workers/container_registry/migration/enqueuer_worker.rb'
- 'app/workers/database/batched_background_migration/execution_worker.rb'
- 'app/workers/database/batched_background_migration/single_database_worker.rb'
- 'app/workers/error_tracking_issue_link_worker.rb'

3
.rubocop_todo/layout/line_length.yml
View File

@ -609,7 +609,6 @@ Layout/LineLength:
- 'app/workers/concerns/limited_capacity/worker.rb'
- 'app/workers/concerns/project_import_options.rb'
- 'app/workers/concerns/worker_attributes.rb'
- 'app/workers/container_registry/migration/guard_worker.rb'
- 'app/workers/database/batched_background_migration/single_database_worker.rb'
- 'app/workers/error_tracking_issue_link_worker.rb'
- 'app/workers/gitlab/import/stuck_import_job.rb'
@ -4746,8 +4745,6 @@ Layout/LineLength:
- 'spec/workers/concerns/project_import_options_spec.rb'
- 'spec/workers/container_expiration_policies/cleanup_container_repository_worker_spec.rb'
- 'spec/workers/container_expiration_policy_worker_spec.rb'
- 'spec/workers/container_registry/migration/guard_worker_spec.rb'
- 'spec/workers/container_registry/migration/observer_worker_spec.rb'
- 'spec/workers/create_pipeline_worker_spec.rb'
- 'spec/workers/dependency_proxy/image_ttl_group_policy_worker_spec.rb'
- 'spec/workers/deployments/hooks_worker_spec.rb'

1
.rubocop_todo/layout/multiline_operation_indentation.yml
View File

@ -33,7 +33,6 @@ Layout/MultilineOperationIndentation:
- 'app/services/webauthn/authenticate_service.rb'
- 'app/validators/feature_flag_strategies_validator.rb'
- 'app/workers/container_expiration_policies/cleanup_container_repository_worker.rb'
- 'app/workers/container_registry/migration/guard_worker.rb'
- 'config/initializers/devise_dynamic_password_length_validation.rb'
- 'danger/utility_css/Dangerfile'
- 'ee/app/controllers/projects/integrations/jira/issues_controller.rb'

1
.rubocop_todo/lint/redundant_cop_disable_directive.yml
View File

@ -61,7 +61,6 @@ Lint/RedundantCopDisableDirective:
- 'app/workers/authorized_project_update/user_refresh_over_user_range_worker.rb'
- 'app/workers/bulk_imports/entity_worker.rb'
- 'app/workers/ci/track_failed_build_worker.rb'
- 'app/workers/container_registry/migration/enqueuer_worker.rb'
- 'app/workers/create_note_diff_file_worker.rb'
- 'app/workers/database/batched_background_migration/execution_worker.rb'
- 'app/workers/import_issues_csv_worker.rb'

1
.rubocop_todo/rails/avoid_time_comparison.yml
View File

@ -3,7 +3,6 @@ Rails/AvoidTimeComparison:
Details: grace period
Exclude:
- 'app/services/packages/mark_package_files_for_destruction_service.rb'
- 'app/workers/container_registry/migration/enqueuer_worker.rb'
- 'app/workers/gitlab/import/advance_stage.rb'
- 'ee/app/services/incident_management/pending_escalations/process_service.rb'
- 'ee/app/services/phone_verification/users/send_verification_code_service.rb'

1
.rubocop_todo/rails/time_zone.yml
View File

@ -41,7 +41,6 @@ Rails/TimeZone:
- 'lib/quality/seeders/issues.rb'
- 'lib/tasks/gitlab/assets.rake'
- 'lib/tasks/gitlab/cleanup.rake'
- 'lib/tasks/gitlab/list_repos.rake'
- 'spec/lib/api/helpers_spec.rb'
- 'spec/lib/gitlab/analytics/cycle_analytics/base_query_builder_spec.rb'
- 'spec/lib/gitlab/app_json_logger_spec.rb'

2
.rubocop_todo/rspec/context_wording.yml
View File

@ -2995,8 +2995,6 @@ RSpec/ContextWording:
- 'spec/workers/concerns/application_worker_spec.rb'
- 'spec/workers/container_expiration_policies/cleanup_container_repository_worker_spec.rb'
- 'spec/workers/container_expiration_policy_worker_spec.rb'
- 'spec/workers/container_registry/migration/enqueuer_worker_spec.rb'
- 'spec/workers/container_registry/migration/guard_worker_spec.rb'
- 'spec/workers/create_commit_signature_worker_spec.rb'
- 'spec/workers/database/ci_namespace_mirrors_consistency_check_worker_spec.rb'
- 'spec/workers/database/ci_project_mirrors_consistency_check_worker_spec.rb'

3
.rubocop_todo/rspec/named_subject.yml
View File

@ -3591,9 +3591,6 @@ RSpec/NamedSubject:
- 'spec/workers/concerns/worker_context_spec.rb'
- 'spec/workers/container_expiration_policies/cleanup_container_repository_worker_spec.rb'
- 'spec/workers/container_expiration_policy_worker_spec.rb'
- 'spec/workers/container_registry/migration/enqueuer_worker_spec.rb'
- 'spec/workers/container_registry/migration/guard_worker_spec.rb'
- 'spec/workers/container_registry/migration/observer_worker_spec.rb'
- 'spec/workers/counters/cleanup_refresh_worker_spec.rb'
- 'spec/workers/create_commit_signature_worker_spec.rb'
- 'spec/workers/database/drop_detached_partitions_worker_spec.rb'

2
.rubocop_todo/sidekiq_load_balancing/worker_data_consistency.yml
View File

@ -73,8 +73,6 @@ SidekiqLoadBalancing/WorkerDataConsistency:
- 'app/workers/container_expiration_policy_worker.rb'
- 'app/workers/container_registry/cleanup_worker.rb'
- 'app/workers/container_registry/delete_container_repository_worker.rb'
- 'app/workers/container_registry/migration/enqueuer_worker.rb'
- 'app/workers/container_registry/migration/guard_worker.rb'
- 'app/workers/counters/cleanup_refresh_worker.rb'
- 'app/workers/create_commit_signature_worker.rb'
- 'app/workers/create_note_diff_file_worker.rb'

1
.rubocop_todo/style/guard_clause.yml
View File

@ -210,7 +210,6 @@ Style/GuardClause:
- 'app/validators/x509_certificate_credentials_validator.rb'
- 'app/workers/clusters/agents/delete_expired_events_worker.rb'
- 'app/workers/concerns/application_worker.rb'
- 'app/workers/container_registry/migration/guard_worker.rb'
- 'app/workers/deployments/hooks_worker.rb'
- 'app/workers/deployments/link_merge_request_worker.rb'
- 'app/workers/google_cloud/create_cloudsql_instance_worker.rb'

4
.rubocop_todo/style/inline_disable_annotation.yml
View File

@ -851,9 +851,6 @@ Style/InlineDisableAnnotation:
- 'app/workers/container_expiration_policies/cleanup_container_repository_worker.rb'
- 'app/workers/container_expiration_policy_worker.rb'
- 'app/workers/container_registry/cleanup_worker.rb'
- 'app/workers/container_registry/migration/enqueuer_worker.rb'
- 'app/workers/container_registry/migration/guard_worker.rb'
- 'app/workers/container_registry/migration/observer_worker.rb'
- 'app/workers/container_registry/record_data_repair_detail_worker.rb'
- 'app/workers/counters/cleanup_refresh_worker.rb'
- 'app/workers/create_note_diff_file_worker.rb'
@ -3116,7 +3113,6 @@ Style/InlineDisableAnnotation:
- 'spec/views/projects/project_members/index.html.haml_spec.rb'
- 'spec/workers/concerns/cronjob_queue_spec.rb'
- 'spec/workers/concerns/worker_attributes_spec.rb'
- 'spec/workers/container_registry/migration/observer_worker_spec.rb'
- 'spec/workers/object_storage/delete_stale_direct_uploads_worker_spec.rb'
- 'spec/workers/projects/delete_branch_worker_spec.rb'
- 'spec/workers/redis_migration_worker_spec.rb'

17
app/assets/javascripts/ci/pipeline_editor/components/drawer/ui/demo_job_pill.vue
View File

@ -1,17 +0,0 @@
<script>
export default {
props: {
jobName: {
type: String,
required: true,
},
},
};
</script>
<template>
<div
class="gl-w-13 gl-h-6 gl-font-sm gl-bg-white gl-shadow-inner-1-blue-500 gl-text-center gl-text-truncate gl-rounded-pill gl-px-4 gl-py-2 gl-relative gl-z-index-1 gl-transition-duration-slow gl-transition-timing-function-ease"
>
{{ jobName }}
</div>
</template>

18
app/assets/javascripts/design_management/components/toolbar/index.vue
View File

@ -4,7 +4,9 @@ import { GlButton, GlIcon, GlTooltipDirective, GlSkeletonLoader } from '@gitlab/
import permissionsQuery from 'shared_queries/design_management/design_permissions.query.graphql';
import { isLoggedIn } from '~/lib/utils/common_utils';
import { __, s__, sprintf } from '~/locale';
import { TYPE_DESIGN } from '~/import/constants';
import timeagoMixin from '~/vue_shared/mixins/timeago';
import ImportedBadge from '~/vue_shared/components/imported_badge.vue';
import { DESIGNS_ROUTE_NAME } from '../../router/constants';
import DeleteButton from '../delete_button.vue';
import DesignTodoButton from '../design_todo_button.vue';
@ -25,6 +27,7 @@ export default {
DeleteButton,
DesignTodoButton,
CloseButton,
ImportedBadge,
},
directives: {
GlTooltip: GlTooltipDirective,
@ -117,6 +120,9 @@ export default {
issueTitle() {
return this.design.issue.title;
},
isImported() {
return this.design.imported;
},
toggleCommentsButtonLabel() {
return this.isSidebarOpen
? this.$options.i18n.hideCommentsButtonLabel
@ -124,6 +130,7 @@ export default {
},
},
DESIGNS_ROUTE_NAME,
TYPE_DESIGN,
};
</script>
@ -136,12 +143,21 @@ export default {
>
<div class="gl-overflow-hidden gl-display-flex gl-mr-3">
<gl-skeleton-loader v-if="isLoading" :lines="1" />
<h2 v-else class="gl-display-flex gl-overflow-hidden gl-m-0 gl-font-base">
<h2
v-else
class="gl-display-flex gl-align-items-center gl-overflow-hidden gl-m-0 gl-font-base"
>
<span class="gl-text-truncate gl-text-gray-900 gl-text-decoration-none">
{{ issueTitle }}
</span>
<gl-icon name="chevron-right" class="gl-text-gray-200 gl-flex-shrink-0" />
<span class="gl-text-truncate gl-font-weight-normal">{{ filename }}</span>
<imported-badge
v-if="isImported"
:importable-type="$options.TYPE_DESIGN"
size="sm"
class="gl-ml-2"
/>
</h2>
<small v-if="updatedAt" class="gl-text-gray-500">{{ updatedText }}</small>
</div>

2
app/assets/javascripts/import/constants.js
View File

@ -1,6 +1,8 @@
import { convertObjectPropsToCamelCase } from '~/lib/utils/common_utils';
import { __, s__ } from '~/locale';
export const TYPE_DESIGN = 'design';
export const BULK_IMPORT_STATIC_ITEMS = {
badges: __('Badge'),
boards: s__('IssueBoards|Board'),

2
app/assets/javascripts/invite_members/components/invite_members_modal.vue
View File

@ -192,7 +192,7 @@ export default {
return this.invalidFeedbackMessage ? null : this.$options.labels.placeHolder;
},
shouldShowSeatOverageNotification() {
return this.errorReason === BLOCKED_SEAT_OVERAGES_ERROR_REASON;
return this.errorReason === BLOCKED_SEAT_OVERAGES_ERROR_REASON && this.addSeatsHref;
},
},
watch: {

117
app/assets/javascripts/security_configuration/components/continous_container_registry_scan.vue Normal file
View File

@ -0,0 +1,117 @@
<script>
import { GlToggle, GlLink, GlAlert, GlLoadingIcon } from '@gitlab/ui';
import SetContainerScanningForRegistry from '~/security_configuration/graphql/set_container_scanning_for_registry.graphql';
import glFeatureFlagsMixin from '~/vue_shared/mixins/gl_feature_flags_mixin';
import { __, s__ } from '~/locale';
import { helpPagePath } from '~/helpers/help_page_helper';
export default {
components: { GlToggle, GlLink, GlAlert, GlLoadingIcon },
mixins: [glFeatureFlagsMixin()],
inject: ['containerScanningForRegistryEnabled', 'projectFullPath'],
i18n: {
title: s__('CVS|Continuous Container Scanning'),
description: s__(
'CVS|Scan for vulnerabilities when a container image or the advisory database is updated.',
),
learnMore: __('Learn more'),
},
props: {
feature: {
type: Object,
required: true,
},
},
data() {
return {
toggleValue: this.containerScanningForRegistryEnabled,
errorMessage: '',
isRunningMutation: false,
};
},
computed: {
isFeatureConfigured() {
return this.feature.available && this.feature.configured;
},
},
methods: {
reportError(error) {
this.errorMessage = error;
},
clearError() {
this.errorMessage = '';
},
async toggleCVS(checked) {
const oldValue = this.toggleValue;
try {
this.isRunningMutation = true;
this.toggleValue = checked;
this.clearError();
const { data } = await this.$apollo.mutate({
mutation: SetContainerScanningForRegistry,
variables: {
input: {
projectPath: this.projectFullPath,
enable: checked,
},
},
});
const { errors } = data.setContainerScanningForRegistry;
if (errors.length > 0) {
throw new Error(errors[0].message);
} else {
this.toggleValue =
data.setContainerScanningForRegistry.containerScanningForRegistryEnabled;
}
} catch (error) {
this.toggleValue = oldValue;
this.reportError(error);
} finally {
this.isRunningMutation = false;
}
},
},
CVSHelpPagePath: helpPagePath(
'user/application_security/continuous_vulnerability_scanning/index',
),
};
</script>
<template>
<div v-if="glFeatures.containerScanningForRegistry">
<h4 class="gl-font-base gl-mt-6">
{{ $options.i18n.title }}
</h4>
<gl-alert
v-if="errorMessage"
class="gl-mb-5 gl-mt-2"
variant="danger"
@dismiss="errorMessage = ''"
>{{ errorMessage }}</gl-alert
>
<div class="gl-display-flex gl-align-items-center">
<gl-toggle
:disabled="!isFeatureConfigured || isRunningMutation"
:value="toggleValue"
:label="s__('CVS|Toggle CVS')"
label-position="hidden"
@change="toggleCVS"
/>
<gl-loading-icon v-if="isRunningMutation" inline class="gl-ml-3" />
</div>
<p class="gl-mb-0 gl-mt-5">
{{ $options.i18n.description }}
<gl-link :href="$options.CVSHelpPagePath" target="_blank">{{
$options.i18n.learnMore
}}</gl-link>
<br />
</p>
</div>
</template>

2
app/assets/javascripts/security_configuration/components/feature_card.vue
View File

@ -218,5 +218,7 @@ export default {
{{ $options.i18n.configurationGuide }}
</gl-button>
</div>
<component :is="feature.slotComponent" v-if="feature.slotComponent" :feature="feature" />
</gl-card>
</template>

9
app/assets/javascripts/security_configuration/constants.js
View File

@ -8,12 +8,15 @@ import {
REPORT_TYPE_SAST,
REPORT_TYPE_SAST_IAC,
REPORT_TYPE_SECRET_DETECTION,
REPORT_TYPE_CONTAINER_SCANNING,
} from '~/vue_shared/security_reports/constants';
import configureSastMutation from './graphql/configure_sast.mutation.graphql';
import configureSastIacMutation from './graphql/configure_iac.mutation.graphql';
import configureSecretDetectionMutation from './graphql/configure_secret_detection.mutation.graphql';
import ContinuousContainerRegistryScan from './components/continous_container_registry_scan.vue';
/**
* Translations for Security Configuration Page
* Make sure to add new scanner translations to the SCANNER_NAMES_MAP below.
@ -61,6 +64,12 @@ export const SCANNER_NAMES_MAP = {
GENERIC: s__('ciReport|Manually added'),
};
export const securityFeatures = {
[REPORT_TYPE_CONTAINER_SCANNING]: {
slotComponent: ContinuousContainerRegistryScan,
},
};
export const featureToMutationMap = {
[REPORT_TYPE_SAST]: {
mutationId: 'configureSast',

8
app/assets/javascripts/security_configuration/index.js
View File

@ -4,6 +4,7 @@ import createDefaultClient from '~/lib/graphql';
import { parseBooleanDataAttributes } from '~/lib/utils/dom_utils';
import SecurityConfigurationApp from './components/app.vue';
import { augmentFeatures } from './utils';
import { securityFeatures } from './constants';
export const initSecurityConfiguration = (el) => {
if (!el) {
@ -25,9 +26,13 @@ export const initSecurityConfiguration = (el) => {
autoDevopsHelpPagePath,
autoDevopsPath,
vulnerabilityTrainingDocsPath,
containerScanningForRegistryEnabled,
} = el.dataset;
const { augmentedSecurityFeatures } = augmentFeatures(features ? JSON.parse(features) : []);
const { augmentedSecurityFeatures } = augmentFeatures(
securityFeatures,
features ? JSON.parse(features) : [],
);
return new Vue({
el,
@ -39,6 +44,7 @@ export const initSecurityConfiguration = (el) => {
autoDevopsHelpPagePath,
autoDevopsPath,
vulnerabilityTrainingDocsPath,
containerScanningForRegistryEnabled,
},
render(createElement) {
return createElement(SecurityConfigurationApp, {

4
app/assets/javascripts/security_configuration/utils.js
View File

@ -10,10 +10,11 @@ import { REPORT_TYPE_DAST } from '~/vue_shared/security_reports/constants';
* This function takes the nested securityFeatures config and flattens it to the top level object.
* It then filters out any scanner features that lack a security config for rednering in the UI
* @param [{}] features
* @param {Object} securityFeatures Object containing client side UI options
* @returns {Object} Object with enriched features from constants divided into Security and Compliance Features
*/
export const augmentFeatures = (features = []) => {
export const augmentFeatures = (securityFeatures, features = []) => {
const featuresByType = features.reduce((acc, feature) => {
acc[feature.type] = convertObjectPropsToCamelCase(feature, { deep: true });
return acc;
@ -30,6 +31,7 @@ export const augmentFeatures = (features = []) => {
const augmented = {
...feature,
...featuresByType[feature.type],
...securityFeatures[feature.type],
};
// Secondary layer copies some values from the first layer

9
app/assets/javascripts/vue_shared/components/imported_badge.vue
View File

@ -3,8 +3,10 @@ import { GlBadge, GlTooltipDirective } from '@gitlab/ui';
import { __, s__, sprintf } from '~/locale';
import { TYPE_EPIC, TYPE_ISSUE, TYPE_MERGE_REQUEST } from '~/issues/constants';
import { TYPE_DESIGN } from '~/import/constants';
const importableTypeText = {
[TYPE_DESIGN]: __('design'),
[TYPE_EPIC]: __('epic'),
[TYPE_ISSUE]: __('issue'),
[TYPE_MERGE_REQUEST]: __('merge request'),
@ -23,6 +25,11 @@ export default {
required: false,
default: '',
},
size: {
type: String,
required: false,
default: undefined,
},
},
computed: {
title() {
@ -35,7 +42,7 @@ export default {
</script>
<template>
<gl-badge v-gl-tooltip="title">
<gl-badge v-gl-tooltip="title" :size="size">
{{ __('Imported') }}
</gl-badge>
</template>

51
app/assets/stylesheets/framework/filters.scss
View File

@ -99,11 +99,22 @@
.value {
display: inline-block;
padding: 2px 7px;
@include gl-font-sm;
color: $gl-text-color;
}
.name,
.operator,
.value-container,
.value {
display: inline-flex;
align-self: center;
align-items: center;
height: 24px;
}
.name {
background-color: $gray-50;
color: $gl-text-color-secondary;
border-radius: 2px 0 0 2px;
margin-right: 1px;
text-transform: capitalize;
@ -111,7 +122,6 @@
.operator {
background-color: $gray-50;
color: $gl-text-color;
margin-right: 1px;
}
@ -119,10 +129,9 @@
display: flex;
align-items: center;
background-color: $gray-50;
color: $gl-text-color;
border-radius: 0 2px 2px 0;
margin-right: 5px;
padding-right: 8px;
margin-right: 4px;
padding-right: 4px;
}
.value {
@ -130,7 +139,8 @@
}
.remove-token {
display: inline-block;
display: inline-flex;
align-self: center;
padding-left: 8px;
padding-right: 0;
@ -199,11 +209,6 @@
background-color: $white;
border-radius: $border-radius-default;
@include media-breakpoint-down(sm) {
flex: 1 1 auto;
margin-bottom: 10px;
}
&.focus,
&.focus:hover {
@include gl-focus;
@ -237,23 +242,6 @@
box-shadow: none;
}
}
.clear-search-icon {
right: 10px;
color: $gray-darkest;
}
.clear-search {
width: 35px;
background-color: $white;
border: 0;
outline: none;
z-index: 1;
&:hover .clear-search-icon {
color: $gray-800;
}
}
}
.filtered-search-box-input-container {
@ -339,13 +327,6 @@
}
@include media-breakpoint-down(sm) {
.issues-details-filters,
.epics-details-filters {
padding-top: $gl-padding-8;
padding-bottom: $gl-padding-8;
background-color: $white;
}
.filtered-search-block .boards-switcher {
margin-right: 0;
margin-bottom: $gl-input-padding;

27
app/controllers/projects/blob_controller.rb
View File

@ -205,16 +205,7 @@ class Projects::BlobController < Projects::ApplicationController
def editor_variables
@branch_name = params[:branch_name]
@file_path =
if action_name.to_s == 'create'
params[:file_name] = params[:file].original_filename if params[:file].present?
File.join(@path, params[:file_name])
elsif params[:file_path].present?
params[:file_path]
else
@path
end
@file_path = fetch_file_path
params[:content] = params[:file] if params[:file].present?
@ -228,6 +219,22 @@ class Projects::BlobController < Projects::ApplicationController
}
end
def fetch_file_path
file_params = params.permit(:file, :file_name)
if action_name.to_s == 'create'
file_name = file_params[:file].present? ? file_params[:file].original_filename : file_params[:file_name]
return if file_name.nil?
return File.join(@path, file_name)
end
return file_params[:file_path] if file_params[:file_path].present?
@path
end
def validate_diff_params
return if params[:full]

2
app/controllers/projects/issue_links_controller.rb
View File

@ -13,7 +13,7 @@ module Projects
private
def authorize_admin_issue_link!
render_403 unless can?(current_user, :admin_issue_link, @project)
render_403 unless can?(current_user, :admin_issue_link, issue)
end
def authorize_issue_link_association!

2
app/finders/group_members_finder.rb
View File

@ -35,7 +35,7 @@ class GroupMembersFinder < UnionFinder
groups = groups_by_relations(include_relations)
members = all_group_members(groups)
members = members.distinct_on_user_with_max_access_level if static_roles_only?
members = members.distinct_on_user_with_max_access_level(group) if static_roles_only?
filter_members(members)
end

12
app/graphql/resolvers/analytics/cycle_analytics/stages_resolver.rb
View File

@ -6,8 +6,10 @@ module Resolvers
class StagesResolver < BaseResolver
type [Types::Analytics::CycleAnalytics::ValueStreams::StageType], null: true
def resolve
list_stages({ value_stream: object })
argument :id, ID, required: false, description: 'Value stream stage id.'
def resolve(id: nil)
list_stages(stage_params(id: id).merge(value_stream: object))
end
private
@ -23,6 +25,12 @@ module Resolvers
def namespace
object.project.project_namespace
end
def stage_params(id: nil)
list_params = {}
list_params[:stage_ids] = [::GitlabSchema.parse_gid(id).model_id] if id
list_params
end
end
end
end

19
app/graphql/resolvers/analytics/cycle_analytics/value_streams_resolver.rb
View File

@ -6,11 +6,20 @@ module Resolvers
class ValueStreamsResolver < BaseResolver
type Types::Analytics::CycleAnalytics::ValueStreamType.connection_type, null: true
def resolve
# FOSS only have default value stream available
[
::Analytics::CycleAnalytics::ValueStream.build_default_value_stream(object.project_namespace)
]
argument :id, ID, required: false, description: 'Value stream id.'
# ignore id in FOSS
def resolve(id: nil)
::Analytics::CycleAnalytics::ValueStreams::ListService
.new(**service_params(id: id))
.execute
.payload[:value_streams]
end
private
def service_params(*)
{ parent: object.project_namespace, current_user: current_user, params: {} }
end
end
end

3
app/graphql/resolvers/concerns/work_items/look_ahead_preloads.rb
View File

@ -41,7 +41,8 @@ module WorkItems
labels: :labels,
milestone: { milestone: [:project, :group] },
subscribed: [:assignees, :award_emoji, { notes: [:author, :award_emoji] }],
award_emoji: { award_emoji: :awardable }
award_emoji: { award_emoji: :awardable },
related_merge_requests: { merge_requests_closing_issues: { merge_request: [:target_project, :author] } }
}
end

27
app/graphql/types/analytics/cycle_analytics/value_streams/stage_type.rb
View File

@ -8,6 +8,11 @@ module Types
class StageType < BaseObject
graphql_name 'ValueStreamStage'
field :id,
type: ::Types::GlobalIDType[::Analytics::CycleAnalytics::Stage],
null: false,
description: "ID of the value stream."
field :name,
GraphQL::Types::String,
null: false,
@ -33,6 +38,16 @@ module Types
null: false,
description: 'End event identifier.'
field :start_event_html_description,
GraphQL::Types::String,
null: false,
description: 'HTML description of the start event.'
field :end_event_html_description,
GraphQL::Types::String,
null: false,
description: 'HTML description of the end event.'
def start_event_identifier
events_enum[object.start_event_identifier]
end
@ -41,9 +56,21 @@ module Types
events_enum[object.end_event_identifier]
end
def start_event_html_description
stage_entity.start_event_html_description
end
def end_event_html_description
stage_entity.end_event_html_description
end
def events_enum
Gitlab::Analytics::CycleAnalytics::StageEvents.to_enum.with_indifferent_access
end
def stage_entity
@stage_entity ||= ::Analytics::CycleAnalytics::StageEntity.new(object)
end
end
# rubocop: enable Graphql/AuthorizeTypes
end

18
app/graphql/types/work_items/related_merge_request_type.rb Normal file
View File

@ -0,0 +1,18 @@
# frozen_string_literal: true
module Types
module WorkItems
class RelatedMergeRequestType < BaseObject
graphql_name 'WorkItemRelatedMergeRequest'
authorize :read_merge_request_closing_issue
field :closes_work_item, GraphQL::Types::Boolean,
null: false,
description: 'Whether the related merge request will close the work item when it is merged.'
field :merge_request, Types::MergeRequestType,
null: true,
description: 'Related merge request.'
end
end
end

13
app/graphql/types/work_items/widgets/development_type.rb
View File

@ -11,6 +11,19 @@ module Types
description 'Represents a development widget'
implements Types::WorkItems::WidgetInterface
field :related_merge_requests,
Types::WorkItems::RelatedMergeRequestType.connection_type,
null: true,
description: 'Merge requests related to the work item.'
def related_merge_requests
if object.related_merge_requests.loaded?
object.related_merge_requests
else
object.related_merge_requests.preload_merge_request_for_authorization
end
end
end
# rubocop:enable Graphql/AuthorizeTypes
end

21
app/helpers/breadcrumbs_helper.rb
View File

@ -31,8 +31,8 @@ module BreadcrumbsHelper
@breadcrumb_collapsed_links[location] << link
end
def push_to_schema_breadcrumb(text, link)
list_item = schema_list_item(text, link, schema_breadcrumb_list.size + 1)
def push_to_schema_breadcrumb(text, link, avatar = nil)
list_item = schema_list_item(text, link, schema_breadcrumb_list.size + 1, avatar)
schema_breadcrumb_list.push(list_item)
end
@ -41,10 +41,20 @@ module BreadcrumbsHelper
{
'@context': 'https://schema.org',
'@type': 'BreadcrumbList',
'itemListElement': build_item_list_elements
'itemListElement': build_item_list_elements&.map { |item| item.except('avatar') }
}.to_json
end
def breadcrumbs_as_json
schema_breadcrumb_list.map do |breadcrumb|
{
text: breadcrumb['name'],
href: breadcrumb['item'],
avatarPath: breadcrumb['avatar']
}
end.to_json
end
private
def schema_breadcrumb_list
@ -64,12 +74,13 @@ module BreadcrumbsHelper
schema_breadcrumb_list.push(last_element)
end
def schema_list_item(text, link, position)
def schema_list_item(text, link, position, avatar = nil)
{
'@type' => 'ListItem',
'position' => position,
'name' => text,
'item' => ensure_absolute_link(link)
'item' => ensure_absolute_link(link),
'avatar' => avatar
}
end

4
app/helpers/groups_helper.rb
View File

@ -59,13 +59,13 @@ module GroupsHelper
full_title << breadcrumb_list_item(group_title_link(parent, hidable: false))
end
push_to_schema_breadcrumb(simple_sanitize(parent.name), group_path(parent))
push_to_schema_breadcrumb(simple_sanitize(parent.name), group_path(parent), parent.try(:avatar_url))
end
full_title << render("layouts/nav/breadcrumbs/collapsed_inline_list", location: :before, title: _("Show all breadcrumbs"))
full_title << breadcrumb_list_item(group_title_link(group))
push_to_schema_breadcrumb(simple_sanitize(group.name), group_path(group))
push_to_schema_breadcrumb(simple_sanitize(group.name), group_path(group), group.try(:avatar_url))
full_title.join.html_safe
end

2
app/helpers/projects_helper.rb
View File

@ -892,7 +892,7 @@ module ProjectsHelper
def build_project_breadcrumb_link(project)
project_name = simple_sanitize(project.name)
push_to_schema_breadcrumb(project_name, project_path(project))
push_to_schema_breadcrumb(project_name, project_path(project), project.try(:avatar_url))
link_to project_path(project), class: 'gl-display-inline-flex!' do
icon = render Pajamas::AvatarComponent.new(project, alt: project.name, size: 16, class: 'avatar-tile') if project.avatar_url && !Rails.env.test?

7
app/models/analytics/cycle_analytics/stage.rb
View File

@ -21,6 +21,13 @@ module Analytics
alias_attribute :parent_id, :group_id
alias_attribute :value_stream_id, :group_value_stream_id
def to_global_id
return super if persisted?
# Returns default name as the id for built in stages at the FOSS level
name
end
def self.distinct_stages_within_hierarchy(namespace)
# Looking up the whole hierarchy including all kinds (type) of Namespace records.
# We're doing a custom traversal_ids query because:

1
app/models/ci/pipeline_schedule.rb
View File

@ -96,7 +96,6 @@ module Ci
end
def expand_short_ref
return if Feature.disabled?(:enforce_full_refs_for_pipeline_schedules, project)
return if ref.blank? || VALID_REF_FORMAT_REGEX.match?(ref) || ambiguous_ref?
# In case the ref doesn't exist default to the initial value

1
app/models/issue.rb
View File

@ -75,6 +75,7 @@ class Issue < ApplicationRecord
has_many :merge_requests_closing_issues,
class_name: 'MergeRequestsClosingIssues',
inverse_of: :issue,
dependent: :delete_all # rubocop:disable Cop/ActiveRecordDependent
has_many :issue_assignees

22
app/models/member.rb
View File

@ -183,9 +183,27 @@ class Member < ApplicationRecord
scope :with_source_id, ->(source_id) { where(source_id: source_id) }
scope :including_source, -> { includes(:source) }
scope :distinct_on_user_with_max_access_level, -> do
scope :distinct_on_user_with_max_access_level, -> (for_object) do
valid_objects = %w[Project Namespace]
obj_class = if for_object.is_a?(Group)
'Namespace'
else
for_object.class.name
end
raise ArgumentError, "Invalid object: #{obj_class}" unless valid_objects.include?(obj_class)
# in case a user has same access_level in multiple groups/project, we always want to retrieve the one
# that belongs to the object we request for
order = <<~SQL
user_id, invite_email,
CASE WHEN source_id = #{for_object.id} and source_type = '#{obj_class}'
THEN access_level + 1 ELSE access_level END DESC,
expires_at DESC, created_at ASC
SQL
distinct_members = select('DISTINCT ON (user_id, invite_email) *')
.order('user_id, invite_email, access_level DESC, expires_at DESC, created_at ASC')
.order(Arel.sql(order))
unscoped.from(distinct_members, :members)
end

1
app/models/merge_request.rb
View File

@ -96,6 +96,7 @@ class MergeRequest < ApplicationRecord
has_many :merge_requests_closing_issues,
class_name: 'MergeRequestsClosingIssues',
inverse_of: :merge_request,
dependent: :delete_all # rubocop:disable Cop/ActiveRecordDependent
has_many :merge_requests_closing_issues_closes_work_item,
-> { closes_work_item },

4
app/models/merge_requests_closing_issues.rb
View File

@ -26,6 +26,10 @@ class MergeRequestsClosingIssues < ApplicationRecord
end
class << self
def preload_merge_request_for_authorization
preload(merge_request: [:target_project, :author])
end
def closing_count_for_collection(ids, current_user)
closing_merge_requests(ids, current_user).group(:issue_id).pluck('issue_id', Arel.sql('COUNT(*) as count'))
end

3
app/models/work_items/widgets/development.rb
View File

@ -3,6 +3,9 @@
module WorkItems
module Widgets
class Development < Base
def related_merge_requests
work_item.merge_requests_closing_issues
end
end
end
end

4
app/policies/issue_policy.rb
View File

@ -109,6 +109,10 @@ class IssuePolicy < IssuablePolicy
enable :admin_issue_relation
end
rule { can?(:guest_access) & can?(:read_issue) & is_project_member }.policy do
enable :admin_issue_link
end
rule { support_bot & service_desk_enabled }.enable :admin_issue_relation
rule { can_read_crm_contacts }.policy do

14
app/policies/merge_requests_closing_issues_policy.rb Normal file
View File

@ -0,0 +1,14 @@
# frozen_string_literal: true
# rubocop:disable Gitlab/NamespacedClass -- Model and policy will be renamed
# TODO: https://gitlab.com/gitlab-org/gitlab/-/issues/456869
class MergeRequestsClosingIssuesPolicy < BasePolicy
condition(:can_read_issue) { can?(:read_issue, @subject.issue) }
condition(:can_read_merge_request) { can?(:read_merge_request, @subject.merge_request) }
rule { can_read_issue & can_read_merge_request }.policy do
enable :read_merge_request_closing_issue
end
end
# rubocop:enable Gitlab/NamespacedClass

1
app/policies/project_policy.rb
View File

@ -381,7 +381,6 @@ class ProjectPolicy < BasePolicy
enable :admin_label
enable :admin_milestone
enable :admin_issue_board_list
enable :admin_issue_link
enable :read_commit_status
enable :read_build
enable :read_container_image

19
app/serializers/linked_project_issue_entity.rb
View File

@ -4,10 +4,11 @@ class LinkedProjectIssueEntity < LinkedIssueEntity
include Gitlab::Utils::StrongMemoize
expose :relation_path, override: true do |issue|
# Make sure the user can admin both the current issue AND the
# referenced issue projects in order to return the removal link.
if can_admin_issue_link_on_current_project? && can_admin_issue_link?(issue.project)
project_issue_link_path(issuable.project, issuable.iid, issue.issue_link_id)
# Make sure the user can admin the links on both issues
# in order to return the removal link.
if can_admin_issue_link?(issuable) && can_admin_issue_link?(issue)
project_issue_link_path(issuable.project, issuable.iid,
issue.issue_link_id)
end
end
@ -17,13 +18,7 @@ class LinkedProjectIssueEntity < LinkedIssueEntity
private
def can_admin_issue_link_on_current_project?
strong_memoize(:can_admin_on_current_project) do
can_admin_issue_link?(issuable.project)
end
end
def can_admin_issue_link?(project)
Ability.allowed?(current_user, :admin_issue_link, project)
def can_admin_issue_link?(issue)
Ability.allowed?(current_user, :admin_issue_link, issue)
end
end

9
app/services/analytics/cycle_analytics/stages/list_service.rb
View File

@ -7,7 +7,10 @@ module Analytics
def execute
return forbidden unless allowed?
success(build_default_stages)
stages = build_default_stages
# In FOSS, stages are not persisted, we match them by name
stages = stages.select { |stage| params[:stage_ids].include?(stage.name) } if filter_by_stage_ids?
success(stages)
end
private
@ -19,6 +22,10 @@ module Analytics
def success(stages)
ServiceResponse.success(payload: { stages: stages })
end
def filter_by_stage_ids?
params[:stage_ids].present?
end
end
end
end

40
app/services/analytics/cycle_analytics/value_streams/list_service.rb Normal file
View File

@ -0,0 +1,40 @@
# frozen_string_literal: true
module Analytics
module CycleAnalytics
module ValueStreams
class ListService
include Gitlab::Allowable
def initialize(parent:, current_user:, params: {})
@parent = parent
@current_user = current_user
@params = params
end
def execute
return forbidden unless can?(current_user, :read_cycle_analytics, parent.project)
value_stream = ::Analytics::CycleAnalytics::ValueStream
.build_default_value_stream(parent)
success([value_stream])
end
private
attr_reader :parent, :current_user, :params
def success(value_streams)
ServiceResponse.success(payload: { value_streams: value_streams })
end
def forbidden
ServiceResponse.error(message: 'Forbidden', payload: {})
end
end
end
end
end
Analytics::CycleAnalytics::ValueStreams::ListService.prepend_mod

3
app/services/ci/pipeline_schedules/base_save_service.rb
View File

@ -16,8 +16,7 @@ module Ci
return forbidden_to_save unless allowed_to_save?
return forbidden_to_save_variables unless allowed_to_save_variables?
unless valid_ref_format? || Feature.disabled?(:enforce_full_refs_for_pipeline_schedules,
schedule.project)
unless valid_ref_format?
schedule.expand_short_ref
return ServiceResponse.error(payload: schedule, message: INVALID_REF_MESSAGE) unless valid_ref_format?
end

6
app/services/files/create_service.rb
View File

@ -12,6 +12,12 @@ module Files
private
def validate!
super
raise_error(_('You must provide a file path')) if @file_path.nil?
end
def create_transformed_commit(content_or_lfs_pointer)
repository.create_file(
current_user,

106
app/services/import/bitbucket_service.rb Normal file
View File

@ -0,0 +1,106 @@
# frozen_string_literal: true
# Imports a project from Bitbucket Cloud using
# username and app password (not OAuth)
module Import
class BitbucketService < Import::BaseService
attr_reader :current_user, :params
# @param [User] current_user
# @param [Hash] params
# @option params [String] bitbucket_username - Bitbucket Cloud username
# @option params [String] bitbucket_app_password - Bitbucket Cloud user app password
def initialize(current_user, params)
@current_user = current_user
@params = params
end
# rubocop:disable Style/IfUnlessModifier -- line becomes too long
def execute
unless authorized?
return log_and_return_error("You don't have permissions to import this project", :unauthorized)
end
unless bitbucket_user.present?
return log_and_return_error('Unable to authorize with Bitbucket. Check your credentials', :unauthorized)
end
if bitbucket_repo.error
return log_and_return_error(
Kernel.format("Project %{repo_path} could not be found", repo_path: normalized_repo_path),
:unprocessable_entity
)
end
project = create_project
track_access_level('bitbucket')
if project.persisted?
success(project)
elsif project.errors[:import_source_disabled].present?
error(project.errors[:import_source_disabled], :forbidden)
else
log_and_return_error(project_save_error(project), :unprocessable_entity)
end
rescue StandardError => e
log_and_return_error("Import failed due to an error: #{e}", :bad_request)
end
# rubocop:enable Style/IfUnlessModifier
private
def client
@client ||= Bitbucket::Client.new(credentials)
end
def credentials
{
username: params[:bitbucket_username],
app_password: params[:bitbucket_app_password]
}
end
def create_project
Gitlab::BitbucketImport::ProjectCreator.new(
bitbucket_repo,
project_name,
target_namespace,
current_user,
credentials
).execute
end
def bitbucket_repo
@bitbucket_repo ||= client.repo(normalized_repo_path)
end
def bitbucket_user
@bitbucket_user = client.user
end
def normalized_repo_path
@normalized_repo_path ||= params[:repo_path].to_s.gsub('___', '/')
end
def project_name
@project_name ||= params[:new_name].presence || bitbucket_repo.name
end
def target_namespace
@target_namespace ||= find_or_create_namespace(params[:target_namespace], current_user.namespace_path)
end
def log_and_return_error(message, error_type)
log_error(message)
error(_(message), error_type)
end
def log_error(message)
Gitlab::Import::Logger.error(
message: 'BitBucket Cloud import failed',
error: message
)
end
end
end

4
app/services/issue_links/create_service.rb
View File

@ -25,6 +25,10 @@ module IssueLinks
def link_class
IssueLink
end
def issuables_no_permission_error_message
_("Couldn't link issues. You must have at least the Guest role in both projects.")
end
end
end

4
app/services/users/activity_service.rb
View File

@ -33,7 +33,9 @@ module Users
return if user.last_activity_on == today
lease = Gitlab::ExclusiveLease.new("activity_service:#{user.id}", timeout: LEASE_TIMEOUT)
return unless lease.try_obtain
# Skip transaction checks for exclusive lease as it is breaking system specs.
# See issue: https://gitlab.com/gitlab-org/gitlab/-/issues/441536
return unless Gitlab::ExclusiveLease.skipping_transaction_check { lease.try_obtain }
user.update_attribute(:last_activity_on, today)

2
app/views/layouts/header/_super_sidebar_logged_out.haml
View File

@ -8,7 +8,7 @@
= brand_header_logo
- if Gitlab.com_and_canary?
= gl_badge_tag({ variant: :success, size: :sm }, { href: Gitlab::Saas.canary_toggle_com_url, data: { testid: 'canary_badge_link' }, target: :_blank, rel: 'noopener noreferrer', class: 'canary-badge' }) do
= _('Next')
= s_('GitLab Next|Next')
%ul.gl-list-style-none.gl-p-0.gl-m-0.gl-display-flex.gl-gap-3.gl-align-items-center.gl-flex-grow-1
- if Gitlab.com?

5
app/views/layouts/nav/breadcrumbs/_breadcrumbs.html.haml
View File

@ -1,4 +1,6 @@
- hide_top_links = @hide_top_links || false
- if !hide_top_links && @header_title && @header_title_url
- push_to_schema_breadcrumb(@header_title, @header_title_url)
- unless @skip_current_level_breadcrumb
- push_to_schema_breadcrumb(@breadcrumb_title, breadcrumb_title_link)
@ -18,3 +20,6 @@
:plain
#{schema_breadcrumb_json}
= yield :header_content
- if Feature.enabled?(:vue_page_breadcrumbs)
#js-vue-page-breadcrumbs{ data: { breadcrumbs_json: breadcrumbs_as_json } }

13
app/views/shared/issuable/_search_bar.html.haml
View File

@ -7,8 +7,8 @@
- block_css_class = type != :productivity_analytics ? 'row-content-block second-block' : ''
.issues-filters
.issues-details-filters.filtered-search-block.d-flex.flex-column.flex-lg-row{ class: block_css_class }
.d-flex.flex-column.flex-md-row.flex-grow-1.mb-lg-0.mb-md-2.mb-sm-0.gl-w-full
.issues-details-filters.filtered-search-block.gl-display-flex.gl-flex-direction-column.gl-lg-flex-direction-row.gl-gap-3{ class: block_css_class }
.gl-display-flex.gl-flex-direction-column.gl-md-flex-direction-row.gl-flex-grow-1.gl-w-full
= form_tag page_filter_path, method: :get, class: 'filter-form js-filter-form gl-w-full' do
- if params[:search].present?
= hidden_field_tag :search, params[:search]
@ -18,13 +18,13 @@
- c.with_label do
%span.gl-sr-only
= _('Select all')
.issues-other-filters.filtered-search-wrapper.d-flex.flex-column.flex-md-row
.issues-other-filters.filtered-search-wrapper.gl-display-flex.gl-flex-direction-column.gl-md-flex-direction-row
.filtered-search-box
- if type != :boards
- text = tag.span(sprite_icon('history'), class: "d-md-none") + tag.span(_('Recent searches'), class: "d-none d-md-inline")
- text = tag.span(sprite_icon('history')) + tag.span(_('Recent searches'), class: "gl-sr-only")
= dropdown_tag(text,
options: { wrapper_class: "filtered-search-history-dropdown-wrapper",
toggle_class: "gl-button btn btn-default filtered-search-history-dropdown-toggle-button",
toggle_class: "gl-button btn btn-default filtered-search-history-dropdown-toggle-button gl-pl-4! gl-pr-5!",
dropdown_class: "filtered-search-history-dropdown",
content_class: "filtered-search-history-dropdown-content" }) do
.js-filtered-search-history-dropdown{ data: { full_path: search_history_storage_prefix } }
@ -205,8 +205,7 @@
= render_if_exists 'shared/issuable/filter_epic', type: type
%button.clear-search.hidden.gl-rounded-base{ type: 'button' }
= sprite_icon('close', size: 16, css_class: 'clear-search-icon')
= render Pajamas::ButtonComponent.new(category: :tertiary, size: :small, icon: 'clear', icon_classes: "clear-search-icon", button_options: { class: 'clear-search hidden gl-align-self-center gl-mr-1 has-tooltip', title: _('Clear') })
.filter-dropdown-container.gl-display-flex.gl-flex-direction-column.gl-md-flex-direction-row.gl-align-items-flex-start
- if type != :productivity_analytics && show_sorting_dropdown
= render 'shared/issuable/sort_dropdown'

2
app/views/shared/issuable/_sort_dropdown.html.haml
View File

@ -3,7 +3,7 @@
- items = issuable_sort_options(viewing_issues, viewing_merge_requests)
- selected = issuable_sort_option_overrides[@sort] || @sort
.gl-ml-3
%div
.btn-group{ role: 'group' }
= gl_redirect_listbox_tag(items, selected, class: 'btn-group', data: { placement: 'right' })
= issuable_sort_direction_button(@sort)

27
app/workers/all_queues.yml
View File

@ -2847,33 +2847,6 @@
:weight: 1
:idempotent: true
:tags: []
- :name: container_registry_migration_enqueuer
:worker_name: ContainerRegistry::Migration::EnqueuerWorker
:feature_category: :container_registry
:has_external_dependencies: false
:urgency: :low
:resource_boundary: :unknown
:weight: 1
:idempotent: true
:tags: []
- :name: container_registry_migration_guard
:worker_name: ContainerRegistry::Migration::GuardWorker
:feature_category: :container_registry
:has_external_dependencies: false
:urgency: :low
:resource_boundary: :unknown
:weight: 1
:idempotent: true
:tags: []
- :name: container_registry_migration_observer
:worker_name: ContainerRegistry::Migration::ObserverWorker
:feature_category: :container_registry
:has_external_dependencies: false
:urgency: :low
:resource_boundary: :unknown
:weight: 1
:idempotent: true
:tags: []
- :name: counters_cleanup_refresh
:worker_name: Counters::CleanupRefreshWorker
:feature_category: :not_owned

30
app/workers/concerns/update_repository_storage_worker.rb
View File

@ -13,30 +13,10 @@ module UpdateRepositoryStorageWorker
LEASE_TIMEOUT = 30.minutes.to_i
# `container_id` and `new_repository_storage_key` arguments have been deprecated.
# `repository_storage_move_id` is now a mandatory argument.
# We are using *args for backwards compatability. Previously defined as:
# perform(container_id, new_repository_storage_key, repository_storage_move_id = nil)
def perform(*args)
if args.length == 1
repository_storage_move_id = args[0]
else
container_id, new_repository_storage_key, repository_storage_move_id = *args
end
def perform(repository_storage_move_id)
repository_storage_move = find_repository_storage_move(repository_storage_move_id)
repository_storage_move =
if repository_storage_move_id
find_repository_storage_move(repository_storage_move_id)
else
# maintain compatibility with workers queued before release
container = find_container(container_id)
container.repository_storage_moves.create!(
source_storage_name: container.repository_storage,
destination_storage_name: new_repository_storage_key
)
end
container_id ||= repository_storage_move.container_id
container_id = repository_storage_move.container_id
# Use exclusive lock to prevent multiple storage migrations at the same time
#
@ -73,10 +53,6 @@ module UpdateRepositoryStorageWorker
raise NotImplementedError
end
def find_container(container_id)
raise NotImplementedError
end
def update_repository_storage(repository_storage_move)
raise NotImplementedError
end

21
app/workers/container_registry/migration/enqueuer_worker.rb
View File

@ -1,21 +0,0 @@
# frozen_string_literal: true
module ContainerRegistry
module Migration
class EnqueuerWorker
include ApplicationWorker
DEFAULT_LEASE_TIMEOUT = 30.minutes.to_i.freeze
data_consistency :always
feature_category :container_registry
urgency :low
deduplicate :until_executing, ttl: DEFAULT_LEASE_TIMEOUT
idempotent!
# No-op; in the process of removing this worker.
# Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/409873
def perform; end
end
end
end

20
app/workers/container_registry/migration/guard_worker.rb
View File

@ -1,20 +0,0 @@
# frozen_string_literal: true
module ContainerRegistry
module Migration
class GuardWorker
include ApplicationWorker
data_consistency :always
feature_category :container_registry
urgency :low
worker_resource_boundary :unknown
deduplicate :until_executed, ttl: 5.minutes
idempotent!
# No-op; in the process of removing this worker.
# Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/409873
def perform; end
end
end
end

19
app/workers/container_registry/migration/observer_worker.rb
View File

@ -1,19 +0,0 @@
# frozen_string_literal: true
module ContainerRegistry
module Migration
class ObserverWorker
include ApplicationWorker
data_consistency :sticky
feature_category :container_registry
urgency :low
deduplicate :until_executed, including_scheduled: true
idempotent!
# No-op; in the process of removing this worker.
# Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/409873
def perform; end
end
end
end

5
app/workers/projects/update_repository_storage_worker.rb
View File

@ -14,11 +14,6 @@ module Projects
::Projects::RepositoryStorageMove.find(repository_storage_move_id)
end
override :find_container
def find_container(container_id)
Project.find(container_id)
end
override :update_repository_storage
def update_repository_storage(repository_storage_move)
::Projects::UpdateRepositoryStorageService.new(repository_storage_move).execute

5
app/workers/snippets/update_repository_storage_worker.rb
View File

@ -14,11 +14,6 @@ module Snippets
Snippets::RepositoryStorageMove.find(repository_storage_move_id)
end
override :find_container
def find_container(container_id)
Snippet.find(container_id)
end
override :update_repository_storage
def update_repository_storage(repository_storage_move)
::Snippets::UpdateRepositoryStorageService.new(repository_storage_move).execute

9
config/feature_flags/beta/container_scanning_continuous_vulnerability_scans.yml
View File

@ -1,9 +0,0 @@
---
name: container_scanning_continuous_vulnerability_scans
feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/435435
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/141023
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/437162
milestone: '16.8'
group: group::composition analysis
type: beta
default_enabled: true

8
config/feature_flags/development/activity_filter_has_remediations.yml
View File

@ -1,8 +0,0 @@
---
name: activity_filter_has_remediations
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/135009
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/429262
milestone: '16.6'
type: development
group: group::threat insights
default_enabled: true

9
config/feature_flags/development/enforce_full_refs_for_pipeline_schedules.yml
View File

@ -1,9 +0,0 @@
---
name: enforce_full_refs_for_pipeline_schedules
feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/435357
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146764
rollout_issue_url: https://gitlab.com/gitlab-com/gl-infra/production/-/issues/17604
milestone: '16.11'
group: group::pipeline execution
type: development
default_enabled: false

9
config/feature_flags/wip/vue_page_breadcrumbs.yml Normal file
View File

@ -0,0 +1,9 @@
---
name: vue_page_breadcrumbs
feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/358113
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149813
rollout_issue_url:
milestone: '17.0'
group: group::foundations
type: wip
default_enabled: false

1
config/known_invalid_graphql_queries.yml
View File

@ -1,3 +1,4 @@
---
filenames:
- ee/app/assets/javascripts/oncall_schedules/graphql/mutations/update_oncall_schedule_rotation.mutation.graphql
- app/assets/javascripts/security_configuration/graphql/set_container_scanning_for_registry.graphql

6
config/sidekiq_queues.yml
View File

@ -231,12 +231,6 @@
- 1
- - compliance_management_violation_export_mailer
- 1
- - container_registry_migration_enqueuer
- 1
- - container_registry_migration_guard
- 1
- - container_registry_migration_observer
- 1
- - container_repository
- 1
- - container_repository_delete

17
db/migrate/20240419205606_remove_source_package_name_column_from_sbom_components.rb Normal file
View File

@ -0,0 +1,17 @@
# frozen_string_literal: true
class RemoveSourcePackageNameColumnFromSbomComponents < Gitlab::Database::Migration[2.2]
disable_ddl_transaction!
milestone '17.0'
INDEX = 'index_source_package_names_on_component_and_purl'
def up
remove_concurrent_index_by_name :sbom_components, name: INDEX
end
def down
add_concurrent_index :sbom_components, [:component_type, :source_package_name, :purl_type], name: INDEX
end
end

35
db/migrate/20240421143211_remove_container_registry_migration_workers.rb Normal file
View File

@ -0,0 +1,35 @@
# frozen_string_literal: true
class RemoveContainerRegistryMigrationWorkers < Gitlab::Database::Migration[2.2]
DEPRECATED_JOB_CLASSES = %w[
ContainerRegistry::Migration::EnqueuerWorker
ContainerRegistry::Migration::GuardWorker
ContainerRegistry::Migration::ObserverWorker
]
milestone '17.0'
disable_ddl_transaction!
def up
# The job has been scheduled via sidekiq-cron, so we are removing
# it from the scheduled worker using the keys removed from 1_settings.rb
# in https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147228
cron_job_keys = %w[
container_registry_migration_guard_worker
container_registry_migration_observer_worker
container_registry_migration_enqueuer_worker
]
cron_job_keys.each do |job_key|
job_to_remove = Sidekiq::Cron::Job.find(job_key)
job_to_remove.destroy if job_to_remove
end
# Removes scheduled instances from Sidekiq queues
sidekiq_remove_jobs(job_klasses: DEPRECATED_JOB_CLASSES)
end
def down
# This migration removes any instances of deprecated workers and cannot be undone.
end
end

1
db/schema_migrations/20240419205606 Normal file
View File

@ -0,0 +1 @@
500df9d05f7efdbd5b60ba8b41b2f5dae3ffc114c5c3886a661fd6670201f2ab

1
db/schema_migrations/20240421143211 Normal file
View File

@ -0,0 +1 @@
50752a69861c764792680261b3403e965e5b213cf4f8656a7dc8899c66d4bcea

4
db/structure.sql
View File

@ -1206,7 +1206,7 @@ PARTITION BY LIST (partition_id);
CREATE TABLE p_ci_finished_build_ch_sync_events (
build_id bigint NOT NULL,
partition bigint DEFAULT 1 NOT NULL,
partition bigint DEFAULT 2 NOT NULL,
build_finished_at timestamp without time zone NOT NULL,
processed boolean DEFAULT false NOT NULL
)
@ -27378,8 +27378,6 @@ CREATE INDEX index_sop_schedules_on_sop_configuration_id ON security_orchestrati
CREATE INDEX index_sop_schedules_on_user_id ON security_orchestration_policy_rule_schedules USING btree (user_id);
CREATE INDEX index_source_package_names_on_component_and_purl ON sbom_components USING btree (component_type, source_package_name, purl_type);
CREATE INDEX index_spam_logs_on_user_id ON spam_logs USING btree (user_id);
CREATE INDEX index_sprints_iterations_cadence_id ON sprints USING btree (iterations_cadence_id);

2
doc/.vale/gitlab/Badges-Tiers.yml
View File

@ -6,7 +6,7 @@
extends: existence
message: "Tiers should be capitalized, comma-separated, and ordered lowest to highest without `and`."
link: https://docs.gitlab.com/ee/development/documentation/styleguide/#available-product-tier-badges
level: error
level: suggestion
scope: raw
raw:
- (?<=\n\*\*Tier:\*\*)[^\n]*(and|free|premium|ultimate|, Free|Ultimate,)

12
doc/administration/clusters/kas.md
View File

@ -168,18 +168,6 @@ In Linux package installations, find the logs in `/var/log/gitlab/gitlab-kas/`.
You can also [troubleshoot issues with individual agents](../../user/clusters/agent/troubleshooting.md).
### GitOps: failed to get project information
If you get the following error message:
```json
{"level":"warn","time":"2020-10-30T08:37:26.123Z","msg":"GitOps: failed to get project info","agent_id":4,"project_id":"root/kas-manifest001","error":"error kind: 0; status: 404"}
```
The project specified by the manifest (`root/kas-manifest001`)
doesn't exist or the project where the manifest is kept is private. To fix this issue,
ensure the project path is correct and that the project's visibility is [set to public](../../user/public_access.md).
### Configuration file not found
If you get the following error message:

137
doc/administration/operations/moving_repositories.md
View File

@ -257,140 +257,3 @@ For Gitaly targets (use [recommended approach](#recommended-approach-in-all-case
sudo -u git sh -c 'rsync -a --delete /var/opt/gitlab/git-data/repositories/. \
git@newserver:/mnt/gitlab/repositories'
```
<!--- start_remove The following content will be removed on remove_date: '2024-05-16' -->
### Thousands of Git repositories: use one `rsync` per repository
WARNING:
The Rake task `gitlab:list_repos` was
[deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/384361) in GitLab 16.4 and is planned for
removal in 17.0. Use [backup and restore](#recommended-approach-in-all-cases) instead.
WARNING:
Using `rsync` to migrate Git data can cause data loss and repository corruption.
[These instructions are being reviewed](https://gitlab.com/gitlab-org/gitlab/-/issues/270422).
Every time you start an `rsync` job it must:
- Inspect all files in the source directory.
- Inspect all files in the target directory.
- Decide whether or not to copy files.
If the source or target directory has many contents, this startup phase of `rsync` can become a burden for your GitLab
server. You can reduce the workload of `rsync` by dividing its work into smaller pieces, and sync one repository at a
time.
In addition to `rsync` we use [GNU Parallel](https://www.gnu.org/software/parallel/).
This utility is not included in GitLab, so you must install it yourself with `apt`
or `yum`.
This process:
- Doesn't clean up repositories at the target location that no longer exist at the source.
- Only works for Gitaly targets. Use [recommended approach](#recommended-approach-in-all-cases) for Gitaly Cluster targets.
#### Parallel `rsync` for all repositories known to GitLab
WARNING:
The Rake task `gitlab:list_repos` was
[deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/384361) in GitLab 16.4 and is planned for
removal in 17.0. Use [backup and restore](#recommended-approach-in-all-cases) instead.
WARNING:
Using `rsync` to migrate Git data can cause data loss and repository corruption.
[These instructions are being reviewed](https://gitlab.com/gitlab-org/gitlab/-/issues/270422).
This syncs repositories with 10 `rsync` processes at a time. We keep
track of progress so that the transfer can be restarted if necessary.
First we create a new directory, owned by `git`, to hold transfer
logs. We assume the directory is empty before we start the transfer
procedure, and that we are the only ones writing files in it.
```shell
# Omnibus
sudo mkdir /var/opt/gitlab/transfer-logs
sudo chown git:git /var/opt/gitlab/transfer-logs
# Source
sudo -u git -H mkdir /home/git/transfer-logs
```
We seed the process with a list of the directories we want to copy.
```shell
# Omnibus
sudo -u git sh -c 'gitlab-rake gitlab:list_repos > /var/opt/gitlab/transfer-logs/all-repos-$(date +%s).txt'
# Source
cd /home/git/gitlab
sudo -u git -H sh -c 'bundle exec rake gitlab:list_repos > /home/git/transfer-logs/all-repos-$(date +%s).txt'
```
Now we can start the transfer. The command below is idempotent, and
the number of jobs done by GNU Parallel should converge to zero. If it
does not, some repositories listed in `all-repos-1234.txt` may have been
deleted/renamed before they could be copied.
```shell
# Omnibus
sudo -u git sh -c '
cat /var/opt/gitlab/transfer-logs/* | sort | uniq -u |\
/usr/bin/env JOBS=10 \
/opt/gitlab/embedded/service/gitlab-rails/bin/parallel-rsync-repos \
/var/opt/gitlab/transfer-logs/success-$(date +%s).log \
/var/opt/gitlab/git-data/repositories \
/mnt/gitlab/repositories
'
# Source
cd /home/git/gitlab
sudo -u git -H sh -c '
cat /home/git/transfer-logs/* | sort | uniq -u |\
/usr/bin/env JOBS=10 \
bin/parallel-rsync-repos \
/home/git/transfer-logs/success-$(date +%s).log \
/home/git/repositories \
/mnt/gitlab/repositories
'
```
#### Parallel `rsync` only for repositories with recent activity
WARNING:
The Rake task `gitlab:list_repos` was
[deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/384361) in GitLab 16.4 and is planned for
removal in 17.0. Use [backup and restore](#recommended-approach-in-all-cases) instead.
WARNING:
Using `rsync` to migrate Git data can cause data loss and repository corruption.
[These instructions are being reviewed](https://gitlab.com/gitlab-org/gitlab/-/issues/270422).
Suppose you have already done one sync that started after 2015-10-1 12:00 UTC.
Then you might only want to sync repositories that were changed by using GitLab
after that time. You can use the `SINCE` variable to tell `rake gitlab:list_repos`
to only print repositories with recent activity.
```shell
# Omnibus
sudo gitlab-rake gitlab:list_repos SINCE='2015-10-1 12:00 UTC' |\
sudo -u git \
/usr/bin/env JOBS=10 \
/opt/gitlab/embedded/service/gitlab-rails/bin/parallel-rsync-repos \
success-$(date +%s).log \
/var/opt/gitlab/git-data/repositories \
/mnt/gitlab/repositories
# Source
cd /home/git/gitlab
sudo -u git -H bundle exec rake gitlab:list_repos SINCE='2015-10-1 12:00 UTC' |\
sudo -u git -H \
/usr/bin/env JOBS=10 \
bin/parallel-rsync-repos \
success-$(date +%s).log \
/home/git/repositories \
/mnt/gitlab/repositories
```
<!--- end_remove -->

2
doc/administration/reference_architectures/10k_users.md
View File

@ -40,7 +40,7 @@ specifically the [Before you start](index.md#before-you-start) and [Deciding whi
| Sidekiq<sup>7</sup> | 4 | 4 vCPU, 15 GB memory | `n1-standard-4` | `m5.xlarge` | `D4s v3` |
| GitLab Rails<sup>7</sup> | 3 | 32 vCPU, 28.8 GB memory | `n1-highcpu-32` | `c5.9xlarge` | `F32s v2` |
| Monitoring node | 1 | 4 vCPU, 3.6 GB memory | `n1-highcpu-4` | `c5.xlarge` | `F4s v2` |
| Object storage <sup>4</sup> | - | - | - | - | - |
| Object storage<sup>4</sup> | - | - | - | - | - |
**Footnotes:**

13
doc/administration/reference_architectures/1k_users.md
View File

@ -23,9 +23,16 @@ For a full list of reference architectures, see
> can follow a [modified hybrid reference architecture](#cloud-native-hybrid-reference-architecture-with-helm-charts).
> - **Unsure which Reference Architecture to use?** [Go to this guide for more info](index.md#deciding-which-architecture-to-use).
| Users | Configuration | GCP | AWS | Azure |
|--------------|-------------------------|----------------|--------------|----------|
| Up to 1,000 or 20 RPS | 8 vCPU, 7.2 GB memory | `n1-highcpu-8` | `c5.2xlarge` | `F8s v2` |
| Users | Configuration | GCP | AWS | Azure |
|--------------|----------------------|----------------|--------------|----------|
| Up to 1,000 or 20 RPS | 8 vCPU, 16 GB memory | `n1-standard-8`<sup>1</sup> | `c5.2xlarge` | `F8s v2` |
**Footnotes:**
<!-- Disable ordered list rule https://github.com/DavidAnson/markdownlint/blob/main/doc/Rules.md#md029---ordered-list-item-prefix -->
<!-- markdownlint-disable MD029 -->
1. For GCP, the closest and equivalent standard machine type has been selected that matches the recommended requirement of 8 vCPU and 16 GB of RAM. A [custom machine type](https://cloud.google.com/compute/docs/instances/creating-instance-with-custom-machine-type) can also be used if desired.
<!-- markdownlint-enable MD029 -->
```plantuml
@startuml 1k

6
doc/administration/reference_architectures/2k_users.md
View File

@ -1134,10 +1134,10 @@ services where applicable):
| Service | Nodes | Configuration | GCP | AWS |
|-----------------------------|-------|------------------------|-----------------|-------------|
| PostgreSQL <sup>1</sup> | 1 | 2 vCPU, 7.5 GB memory | `n1-standard-2` | `m5.large` |
| Redis <sup>2</sup> | 1 | 1 vCPU, 3.75 GB memory | `n1-standard-1` | `m5.large` |
| PostgreSQL<sup>1</sup> | 1 | 2 vCPU, 7.5 GB memory | `n1-standard-2` | `m5.large` |
| Redis<sup>2</sup> | 1 | 1 vCPU, 3.75 GB memory | `n1-standard-1` | `m5.large` |
| Gitaly | 1 | 4 vCPU, 15 GB memory | `n1-standard-4` | `m5.xlarge` |
| Object storage <sup>3</sup> | - | - | - | - |
| Object storage<sup>3</sup> | - | - | - | - |
**Footnotes:**

2
doc/administration/reference_architectures/3k_users.md
View File

@ -39,7 +39,7 @@ For a full list of reference architectures, see
| Sidekiq<sup>7</sup> | 2 | 4 vCPU, 15 GB memory | `n1-standard-4` | `m5.xlarge` | `D2s v3` |
| GitLab Rails<sup>7</sup> | 3 | 8 vCPU, 7.2 GB memory | `n1-highcpu-8` | `c5.2xlarge` | `F8s v2` |
| Monitoring node | 1 | 2 vCPU, 1.8 GB memory | `n1-highcpu-2` | `c5.large` | `F2s v2` |
| Object storage <sup>4</sup> | - | - | - | - | - |
| Object storage<sup>4</sup> | - | - | - | - | - |
**Footnotes:**

17
doc/administration/reference_architectures/index.md
View File

@ -208,12 +208,17 @@ Before implementing a reference architecture, refer to the following requirement
### Supported CPUs
These reference architectures were built and tested on Google Cloud Platform (GCP) using the
[Intel Xeon E5 v3 (Haswell)](https://cloud.google.com/compute/docs/cpu-platforms)
CPU platform as the lowest common denominator baseline ([Sysbench benchmark](https://gitlab.com/gitlab-org/quality/performance/-/wikis/Reference-Architectures/GCP-CPU-Benchmarks)).
Newer, similarly-sized CPUs are supported and may have improved performance as a result.
The reference architectures are built and tested across various cloud providers, primarily GCP and AWS, with
CPU targets being the lowest common denominator to ensure the widest range of compatibility:
ARM CPUs are supported for Linux package environments as well as for any [Cloud Provider services](#cloud-provider-services) where applicable.
- The [`n1` series](https://cloud.google.com/compute/docs/general-purpose-machines#n1_machines) for GCP.
- The [`m5` series](https://aws.amazon.com/ec2/instance-types/) for AWS.
Depending on other requirements such as memory or network bandwidth as well as cloud provider availability, different machine types are used accordingly throughout the architectures, but it is expected that the target CPUs above should perform well.
If you want, you can select a newer machine type series and have improved performance as a result.
Additionally, ARM CPUs are supported for Linux package environments as well as for any [Cloud Provider services](#cloud-provider-services) where applicable.
NOTE:
Any "burstable" instance types are not recommended due to inconsistent performance.
@ -758,6 +763,8 @@ You can find a full history of changes [on the GitLab project](https://gitlab.co
**2024:**
- [2024-04](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149528): Updated 20 RPS / 1,000 User architecture specs to follow recommended memory target of 16 GB.
- [2024-04](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148313): Updated Reference Architecture titles to include RPS for further clarity and to help right sizing.
- [2024-02](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/145436): Updated recommended sizings for Load Balancer nodes if deployed on VMs. Also added notes on network bandwidth considerations.
- [2024-02](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/143539): Remove the Sidekiq Max Concurrency setting in examples as this is deprecated and no longer required to be set explicitly.
- [2024-02](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/143539): Adjusted the Sidekiq recommendations on 2k to disable Sidekiq on Rails nodes and updated architecture diagram.

5
doc/api/code_suggestions.md
View File

@ -17,11 +17,6 @@ DETAILS:
> - Requirement to generate a JWT before calling this endpoint was [removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127863) in GitLab 16.3.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/416371) in GitLab 16.8. [Feature flag `code_suggestions_completion_api`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138174) removed.
FLAG:
On self-managed GitLab, by default this feature is not available. To make it available, an administrator can [enable the feature flag](../administration/feature_flags.md) named `code_suggestions_completion_api`.
On GitLab.com and GitLab Dedicated, this feature is not available.
This feature is not ready for production use.
```plaintext
POST /code_suggestions/completions
```

132
doc/api/graphql/reference/index.md
View File

@ -15144,6 +15144,29 @@ The edge type for [`WorkItem`](#workitem).
| <a id="workitemedgecursor"></a>`cursor` | [`String!`](#string) | A cursor for use in pagination. |
| <a id="workitemedgenode"></a>`node` | [`WorkItem`](#workitem) | The item at the end of the edge. |
#### `WorkItemRelatedMergeRequestConnection`
The connection type for [`WorkItemRelatedMergeRequest`](#workitemrelatedmergerequest).
##### Fields
| Name | Type | Description |
| ---- | ---- | ----------- |
| <a id="workitemrelatedmergerequestconnectionedges"></a>`edges` | [`[WorkItemRelatedMergeRequestEdge]`](#workitemrelatedmergerequestedge) | A list of edges. |
| <a id="workitemrelatedmergerequestconnectionnodes"></a>`nodes` | [`[WorkItemRelatedMergeRequest]`](#workitemrelatedmergerequest) | A list of nodes. |
| <a id="workitemrelatedmergerequestconnectionpageinfo"></a>`pageInfo` | [`PageInfo!`](#pageinfo) | Information to aid in pagination. |
#### `WorkItemRelatedMergeRequestEdge`
The edge type for [`WorkItemRelatedMergeRequest`](#workitemrelatedmergerequest).
##### Fields
| Name | Type | Description |
| ---- | ---- | ----------- |
| <a id="workitemrelatedmergerequestedgecursor"></a>`cursor` | [`String!`](#string) | A cursor for use in pagination. |
| <a id="workitemrelatedmergerequestedgenode"></a>`node` | [`WorkItemRelatedMergeRequest`](#workitemrelatedmergerequest) | The item at the end of the edge. |
#### `WorkItemTimelogConnection`
The connection type for [`WorkItemTimelog`](#workitemtimelog).
@ -16793,7 +16816,6 @@ Represents a list for an issue board.
| <a id="boardlistposition"></a>`position` | [`Int`](#int) | Position of list within the board. |
| <a id="boardlisttitle"></a>`title` | [`String!`](#string) | Title of the list. |
| <a id="boardlisttotalissueweight"></a>`totalIssueWeight` | [`BigInt`](#bigint) | Total weight of all issues in the list, encoded as a string. |
| <a id="boardlisttotalweight"></a>`totalWeight` **{warning-solid}** | [`Int`](#int) | **Deprecated** in GitLab 16.2. Use `totalIssueWeight`. |
#### Fields with arguments
@ -20958,7 +20980,6 @@ GPG signature for a signed commit.
| <a id="grouptwofactorgraceperiod"></a>`twoFactorGracePeriod` | [`Int`](#int) | Time before two-factor authentication is enforced. |
| <a id="groupuserpermissions"></a>`userPermissions` | [`GroupPermissions!`](#grouppermissions) | Permissions for the current user on the resource. |
| <a id="groupvaluestreamanalytics"></a>`valueStreamAnalytics` | [`ValueStreamAnalytics`](#valuestreamanalytics) | Information about Value Stream Analytics within the group. |
| <a id="groupvaluestreams"></a>`valueStreams` | [`ValueStreamConnection`](#valuestreamconnection) | Value streams available to the group. (see [Connections](#connections)) |
| <a id="groupvisibility"></a>`visibility` | [`String`](#string) | Visibility of the namespace. |
| <a id="groupvulnerabilityscanners"></a>`vulnerabilityScanners` | [`VulnerabilityScannerConnection`](#vulnerabilityscannerconnection) | Vulnerability scanners reported on the project vulnerabilities of the group and its subgroups. (see [Connections](#connections)) |
| <a id="groupweburl"></a>`webUrl` | [`String!`](#string) | Web URL of the group. |
@ -21853,6 +21874,22 @@ four standard [pagination arguments](#pagination-arguments):
| ---- | ---- | ----------- |
| <a id="groupreleasessort"></a>`sort` | [`GroupReleaseSort`](#groupreleasesort) | Sort group releases by given criteria. |
##### `Group.remoteDevelopmentClusterAgents`
Cluster agents in the namespace with remote development capabilities.
Returns [`ClusterAgentConnection`](#clusteragentconnection).
This field returns a [connection](#connections). It accepts the
four standard [pagination arguments](#pagination-arguments):
`before: String`, `after: String`, `first: Int`, and `last: Int`.
###### Arguments
| Name | Type | Description |
| ---- | ---- | ----------- |
| <a id="groupremotedevelopmentclusteragentsfilter"></a>`filter` | [`NamespaceClusterAgentFilter!`](#namespaceclusteragentfilter) | Filter the types of cluster agents to return. |
##### `Group.runnerCloudProvisioning`
Information used for provisioning the runner on a cloud provider. Returns `null` if `:google_cloud_support_feature_flag` feature flag is disabled, or the GitLab instance is not a SaaS instance.
@ -22027,6 +22064,22 @@ Returns [`ValueStreamDashboardCount`](#valuestreamdashboardcount).
| <a id="groupvaluestreamdashboardusageoverviewidentifier"></a>`identifier` | [`ValueStreamDashboardMetric!`](#valuestreamdashboardmetric) | Type of counts to retrieve. |
| <a id="groupvaluestreamdashboardusageoverviewtimeframe"></a>`timeframe` | [`Timeframe!`](#timeframe) | Counts recorded during this time frame, usually from beginning of the month until the end of the month (the system runs monthly aggregations). |
##### `Group.valueStreams`
Value streams available to the group.
Returns [`ValueStreamConnection`](#valuestreamconnection).
This field returns a [connection](#connections). It accepts the
four standard [pagination arguments](#pagination-arguments):
`before: String`, `after: String`, `first: Int`, and `last: Int`.
###### Arguments
| Name | Type | Description |
| ---- | ---- | ----------- |
| <a id="groupvaluestreamsid"></a>`id` | [`ID`](#id) | Value stream id. |
##### `Group.vulnerabilities`
Vulnerabilities reported on the projects in the group and its subgroups.
@ -25202,6 +25255,22 @@ four standard [pagination arguments](#pagination-arguments):
| <a id="namespaceprojectswithissuesenabled"></a>`withIssuesEnabled` | [`Boolean`](#boolean) | Return only projects with issues enabled. |
| <a id="namespaceprojectswithmergerequestsenabled"></a>`withMergeRequestsEnabled` | [`Boolean`](#boolean) | Return only projects with merge requests enabled. |
##### `Namespace.remoteDevelopmentClusterAgents`
Cluster agents in the namespace with remote development capabilities.
Returns [`ClusterAgentConnection`](#clusteragentconnection).
This field returns a [connection](#connections). It accepts the
four standard [pagination arguments](#pagination-arguments):
`before: String`, `after: String`, `first: Int`, and `last: Int`.
###### Arguments
| Name | Type | Description |
| ---- | ---- | ----------- |
| <a id="namespaceremotedevelopmentclusteragentsfilter"></a>`filter` | [`NamespaceClusterAgentFilter!`](#namespaceclusteragentfilter) | Filter the types of cluster agents to return. |
##### `Namespace.scanExecutionPolicies`
Scan Execution Policies of the namespace.
@ -26510,7 +26579,6 @@ Represents generic policy violation information.
| <a id="projectuseraccessauthorizedagents"></a>`userAccessAuthorizedAgents` | [`ClusterAgentAuthorizationUserAccessConnection`](#clusteragentauthorizationuseraccessconnection) | Authorized cluster agents for the project through user_access keyword. (see [Connections](#connections)) |
| <a id="projectuserpermissions"></a>`userPermissions` | [`ProjectPermissions!`](#projectpermissions) | Permissions for the current user on the resource. |
| <a id="projectvaluestreamanalytics"></a>`valueStreamAnalytics` | [`ValueStreamAnalytics`](#valuestreamanalytics) | Information about Value Stream Analytics within the project. |
| <a id="projectvaluestreams"></a>`valueStreams` | [`ValueStreamConnection`](#valuestreamconnection) | Value streams available to the project. (see [Connections](#connections)) |
| <a id="projectvisibility"></a>`visibility` | [`String`](#string) | Visibility of the project. |
| <a id="projectvulnerabilityimages"></a>`vulnerabilityImages` | [`VulnerabilityContainerImageConnection`](#vulnerabilitycontainerimageconnection) | Container images reported on the project vulnerabilities. (see [Connections](#connections)) |
| <a id="projectvulnerabilityscanners"></a>`vulnerabilityScanners` | [`VulnerabilityScannerConnection`](#vulnerabilityscannerconnection) | Vulnerability scanners reported on the project vulnerabilities. (see [Connections](#connections)) |
@ -27988,6 +28056,22 @@ four standard [pagination arguments](#pagination-arguments):
| <a id="projecttimelogsstarttime"></a>`startTime` | [`Time`](#time) | List timelogs within a time range where the logged time is equal to or after startTime. |
| <a id="projecttimelogsusername"></a>`username` | [`String`](#string) | List timelogs for a user. |
##### `Project.valueStreams`
Value streams available to the project.
Returns [`ValueStreamConnection`](#valuestreamconnection).
This field returns a [connection](#connections). It accepts the
four standard [pagination arguments](#pagination-arguments):
`before: String`, `after: String`, `first: Int`, and `last: Int`.
###### Arguments
| Name | Type | Description |
| ---- | ---- | ----------- |
| <a id="projectvaluestreamsid"></a>`id` | [`ID`](#id) | Value stream id. |
##### `Project.visibleForks`
Visible forks of the project.
@ -30492,7 +30576,20 @@ fields relate to interactions between the two entities.
| <a id="valuestreamname"></a>`name` | [`String!`](#string) | Name of the value stream. |
| <a id="valuestreamnamespace"></a>`namespace` | [`Namespace!`](#namespace) | Namespace the value stream belongs to. |
| <a id="valuestreamproject"></a>`project` **{warning-solid}** | [`Project`](#project) | **Introduced** in GitLab 15.6. **Status**: Experiment. Project the value stream belongs to, returns empty if it belongs to a group. |
| <a id="valuestreamstages"></a>`stages` | [`[ValueStreamStage!]`](#valuestreamstage) | Value Stream stages. |
#### Fields with arguments
##### `ValueStream.stages`
Value Stream stages.
Returns [`[ValueStreamStage!]`](#valuestreamstage).
###### Arguments
| Name | Type | Description |
| ---- | ---- | ----------- |
| <a id="valuestreamstagesid"></a>`id` | [`ID`](#id) | Value stream stage id. |
### `ValueStreamAnalytics`
@ -30544,10 +30641,13 @@ Represents a recorded measurement (object count) for the requested group.
| Name | Type | Description |
| ---- | ---- | ----------- |
| <a id="valuestreamstagecustom"></a>`custom` | [`Boolean!`](#boolean) | Whether the stage is customized. |
| <a id="valuestreamstageendeventhtmldescription"></a>`endEventHtmlDescription` | [`String!`](#string) | HTML description of the end event. |
| <a id="valuestreamstageendeventidentifier"></a>`endEventIdentifier` | [`ValueStreamStageEvent!`](#valuestreamstageevent) | End event identifier. |
| <a id="valuestreamstageendeventlabel"></a>`endEventLabel` | [`Label`](#label) | Label associated with end event. |
| <a id="valuestreamstagehidden"></a>`hidden` | [`Boolean!`](#boolean) | Whether the stage is hidden. |
| <a id="valuestreamstageid"></a>`id` | [`AnalyticsCycleAnalyticsStageID!`](#analyticscycleanalyticsstageid) | ID of the value stream. |
| <a id="valuestreamstagename"></a>`name` | [`String!`](#string) | Name of the stage. |
| <a id="valuestreamstagestarteventhtmldescription"></a>`startEventHtmlDescription` | [`String!`](#string) | HTML description of the start event. |
| <a id="valuestreamstagestarteventidentifier"></a>`startEventIdentifier` | [`ValueStreamStageEvent!`](#valuestreamstageevent) | Start event identifier. |
| <a id="valuestreamstagestarteventlabel"></a>`startEventLabel` | [`Label`](#label) | Label associated with start event. |
@ -31287,6 +31387,15 @@ Check permissions for the current user on a work item.
| <a id="workitempermissionssetworkitemmetadata"></a>`setWorkItemMetadata` | [`Boolean!`](#boolean) | If `true`, the user can perform `set_work_item_metadata` on this resource. |
| <a id="workitempermissionsupdateworkitem"></a>`updateWorkItem` | [`Boolean!`](#boolean) | If `true`, the user can perform `update_work_item` on this resource. |
### `WorkItemRelatedMergeRequest`
#### Fields
| Name | Type | Description |
| ---- | ---- | ----------- |
| <a id="workitemrelatedmergerequestclosesworkitem"></a>`closesWorkItem` | [`Boolean!`](#boolean) | Whether the related merge request will close the work item when it is merged. |
| <a id="workitemrelatedmergerequestmergerequest"></a>`mergeRequest` | [`MergeRequest`](#mergerequest) | Related merge request. |
### `WorkItemStateCountsType`
Represents total number of work items for the represented states.
@ -31469,6 +31578,7 @@ Represents a development widget.
| Name | Type | Description |
| ---- | ---- | ----------- |
| <a id="workitemwidgetdevelopmentfeatureflags"></a>`featureFlags` | [`FeatureFlagConnection`](#featureflagconnection) | Feature flags associated with the work item. (see [Connections](#connections)) |
| <a id="workitemwidgetdevelopmentrelatedmergerequests"></a>`relatedMergeRequests` | [`WorkItemRelatedMergeRequestConnection`](#workitemrelatedmergerequestconnection) | Merge requests related to the work item. (see [Connections](#connections)) |
| <a id="workitemwidgetdevelopmenttype"></a>`type` | [`WorkItemWidgetType`](#workitemwidgettype) | Widget type. |
### `WorkItemWidgetHealthStatus`
@ -33581,6 +33691,14 @@ Different toggles for changing mutator behavior.
| <a id="mutationoperationmoderemove"></a>`REMOVE` | Performs a removal operation. |
| <a id="mutationoperationmodereplace"></a>`REPLACE` | Performs a replace operation. |
### `NamespaceClusterAgentFilter`
Possible filter types for remote development cluster agents in a namespace.
| Value | Description |
| ----- | ----------- |
| <a id="namespaceclusteragentfilteravailable"></a>`AVAILABLE` | Cluster agents in the namespace that can be used for hosting workspaces. |
### `NamespaceProjectSort`
Values for sorting projects.
@ -34763,6 +34881,12 @@ A `AlertManagementHttpIntegrationID` is a global ID. It is encoded as a string.
An example `AlertManagementHttpIntegrationID` is: `"gid://gitlab/AlertManagement::HttpIntegration/1"`.
### `AnalyticsCycleAnalyticsStageID`
A `AnalyticsCycleAnalyticsStageID` is a global ID. It is encoded as a string.
An example `AnalyticsCycleAnalyticsStageID` is: `"gid://gitlab/Analytics::CycleAnalytics::Stage/1"`.
### `AnalyticsCycleAnalyticsValueStreamID`
A `AnalyticsCycleAnalyticsValueStreamID` is a global ID. It is encoded as a string.

34
doc/api/import.md
View File

@ -222,6 +222,40 @@ curl --request POST \
}'
```
## Import repository from Bitbucket Cloud
Import your projects from Bitbucket Cloud to GitLab using the API.
Prerequisites:
- For more information, see [prerequisites for Bitbucket Cloud importer](../user/project/import/bitbucket.md).
```plaintext
POST /import/bitbucket
```
| Attribute | Type | Required | Description |
|--------------------------|---------|----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `bitbucket_username` | string | yes | Bitbucket username |
| `bitbucket_app_password` | string | yes | Bitbucket app password |
| `repo_path` | string | yes | Path to repository |
| `target_namespace` | string | yes | Namespace to import repository into. Supports subgroups like `/namespace/subgroup` |
| `new_name` | string | no | Name of the new project. Also used as the new path so must not start or end with a special character and must not contain consecutive special characters. Between GitLab 15.1 and GitLab 16.9, the project path [was copied](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/88845) from Bitbucket instead. In GitLab 16.10, the behavior was [changed back](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/145793) to the original behavior. |
```shell
curl --request POST \
--url "https://gitlab.example.com/api/v4/import/bitbucket" \
--header "content-type: application/json" \
--header "PRIVATE-TOKEN: <your_access_token>" \
--data '{
"bitbucket_username": "bitbucket_username",
"bitbucket_app_password": "bitbucket_app_password",
"repo_path": "username/my_project"
"target_namespace": "my_group/my_subgroup"
"new_name": "new_project_name"
}'
```
## Related topics
- [Group migration by direct transfer API](bulk_imports.md).

4
doc/architecture/blueprints/gitlab_agent_deployments/index.md
View File

@ -28,7 +28,7 @@ This blueprint describes how the association is established and how these domain
- The proposed architecture can be used in [Organization-level Environment dashboard](https://gitlab.com/gitlab-org/gitlab/-/issues/241506).
- The cluster resources and events can be visualized per [GitLab Environment](../../../ci/environments/index.md).
An environment-specific view scoped to the resources managed either directly or indirectly by a deployment commit.
- Support both [GitOps mode](../../../user/clusters/agent/gitops/agent.md#gitops-configuration-reference) and [CI Access mode](../../../user/clusters/agent/ci_cd_workflow.md#authorize-the-agent).
- Support both GitOps mode and [CI Access mode](../../../user/clusters/agent/ci_cd_workflow.md#authorize-the-agent).
### Non-Goals
@ -86,7 +86,7 @@ flowchart LR
- [GitLab Project](../../../user/project/working_with_projects.md) and GitLab Environment have 1-to-many relationship.
- GitLab Project and Agent have 1-to-many _direct_ relationship. Only one project can own a specific agent.
- [GitOps mode](../../../user/clusters/agent/gitops/agent.md#gitops-configuration-reference)
- GitOps mode
- GitLab Project and Agent do _NOT_ have many-to-many _indirect_ relationship yet. This will be supported in [Manifest projects outside of the Agent configuration project](https://gitlab.com/groups/gitlab-org/-/epics/7704).
- [CI Access mode](../../../user/clusters/agent/ci_cd_workflow.md#authorize-the-agent)
- GitLab Project and Agent have many-to-many _indirect_ relationship. The project owning the agent can [share the access with the other proejcts](../../../user/clusters/agent/ci_cd_workflow.md#authorize-the-agent-to-access-projects-in-your-groups). (NOTE: Technically, only running jobs inside the project are allowed to access the cluster due to job-token authentication.)

4
doc/development/documentation/testing/vale.md
View File

@ -183,7 +183,9 @@ document:
Whenever possible, exclude only the problematic rule and lines.
For more information, see
Ignore statements do not work for Vale rules with the `raw` scope. For more information, see this [issue](https://github.com/errata-ai/vale/issues/194).
For more information on Vale scoping rules, see
[Vale's documentation](https://vale.sh/docs/topics/scoping/).
## Show Vale warnings on push

29
doc/install/requirements.md
View File

@ -38,37 +38,22 @@ NOTE:
CPU requirements are dependent on the number of users and expected workload. Your exact needs may be more, depending on your workload. Your workload is influenced by factors such as - but not limited to - how active your users are, how much automation you use, mirroring, and repository/change size.
The following is the recommended minimum CPU hardware guidance for a handful of example GitLab user base sizes.
Refer below for CPU recommendations depending on user count / load:
- **4 cores** is the **recommended** minimum number of cores and supports up to 500 users
- 8 cores supports up to 1000 users
- More users? Consult the [reference architectures page](../administration/reference_architectures/index.md)
- Up to 20 Requests per Second (RPS) or 1000 users - 8 vCPU.
- More users or load? Consult the [reference architectures page](../administration/reference_architectures/index.md).
### Memory
Memory requirements are dependent on the number of users and expected workload. Your exact needs may be more, depending on your workload. Your workload is influenced by factors such as - but not limited to - how active your users are, how much automation you use, mirroring, and repository/change size.
The following is the recommended minimum Memory hardware guidance for a handful of example GitLab user base sizes.
Refer below for Memory recommendations depending on user count / load:
- **4 GB RAM** is the **required** minimum memory size and supports up to 500 users
- 8 GB RAM supports up to 1000 users
- More users? Consult the [reference architectures page](../administration/reference_architectures/index.md)
For smaller installations, you should:
- Have at least 2 GB of swap on your server, even if you have enough available RAM. Having swap helps to reduce the chance of
errors occurring if your available memory changes.
- Configure the kernel's swappiness setting to a low value like `10` to make the most of your RAM while still having the swap available when needed.
For larger installations that follow our reference architectures, you [shouldn't configure swap](../administration/reference_architectures/index.md#no-swap).
- Up to 20 Requests per Second (RPS) or 1000 users - 8 GB (Minimum), 16 GB (Recommended).
- More users or load? Consult the [reference architectures page](../administration/reference_architectures/index.md).
NOTE:
Although excessive swapping is undesired and degrades performance, it is an
extremely important last resort against out-of-memory conditions. During
unexpected system load, such as OS updates or other services on the same host,
peak memory load spikes could be much higher than average. Having plenty of swap
helps avoid the Linux OOM killer unsafely terminating a potentially critical
process, such as PostgreSQL, which can have disastrous consequences.
While not recommended, in certain circumstances GitLab may run in a [memory constrained environment](https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html).
## Database

1
doc/raketasks/index.md
View File

@ -35,7 +35,6 @@ The following Rake tasks are available for use with GitLab:
| [Incoming email](../administration/raketasks/incoming_email.md) | Incoming email-related tasks. |
| [Integrity checks](../administration/raketasks/check.md) | Check the integrity of repositories, files, LDAP, and more. |
| [LDAP maintenance](../administration/raketasks/ldap.md) | [LDAP](../administration/auth/ldap/index.md)-related tasks. |
| [List repositories](list_repos.md) | List all GitLab-managed Git repositories on disk. |
| [Praefect Rake tasks](../administration/raketasks/praefect.md) | [Praefect](../administration/gitaly/praefect.md)-related tasks. |
| [Project import/export](../administration/raketasks/project_import_export.md) | Prepare for [project exports and imports](../user/project/settings/import_export.md). |
| [Sidekiq job migration](../administration/sidekiq/sidekiq_job_migration.md) | Migrate Sidekiq jobs scheduled for future dates to a new queue. |

46
doc/raketasks/list_repos.md
View File

@ -1,49 +1,17 @@
---
redirect_to: '../administration/operations/moving_repositories.md'
stage: Systems
group: Distribution
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
remove_date: '2024-07-16'
---
<!--- start_remove The following content will be removed on remove_date: '2024-05-16' -->
# List repository directories Rake task (deprecated)
# List repository directories Rake task (removed)
DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** Self-managed
WARNING:
This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/384361) in GitLab 16.7 and is planned for removal in 17.0.
[If migrating GitLab, use backup and restore](../administration/operations/moving_repositories.md#recommended-approach-in-all-cases)
instead.
You can print a list of all Git repositories on disk managed by GitLab.
To print a list, run the following command:
```shell
# Omnibus
sudo gitlab-rake gitlab:list_repos
# Source
cd /home/git/gitlab
sudo -u git -H bundle exec rake gitlab:list_repos RAILS_ENV=production
```
The results use the default ordering of the GitLab Rails application.
## Limit search results
To list only projects with recent activity, pass a date with the `SINCE` environment variable. The
time you specify is parsed by the Rails [`TimeZone#parse` function](https://api.rubyonrails.org/classes/ActiveSupport/TimeZone.html#method-i-parse).
```shell
# Omnibus
sudo gitlab-rake gitlab:list_repos SINCE='Sep 1 2015'
# Source
cd /home/git/gitlab
sudo -u git -H bundle exec rake gitlab:list_repos RAILS_ENV=production SINCE='Sep 1 2015'
```
<!--- end_remove -->
This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/137592) in GitLab 16.7
and [removed](https://gitlab.com/gitlab-org/gitlab/-/issues/384361) in 17.0.
See how to [move repositories](../administration/operations/moving_repositories.md) instead.

BIN
doc/topics/git/img/get_started_git_v16_11.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 14 KiB

40
doc/user/ai_features.md
View File

@ -18,22 +18,22 @@ GitLab is [transparent](https://handbook.gitlab.com/handbook/values/#transparenc
| Goal | Feature | Tier/Offering/Status |
|---|---|---|
| Helps you write code more efficiently by showing code suggestions as you type. <br><br><i class="fa fa-youtube-play youtube" aria-hidden="true"></i> [Watch overview](https://www.youtube.com/watch?v=hCAyCTacdAQ) | [Code Suggestions](project/repository/code_suggestions/index.md) | **Tier:** Premium or Ultimate with [GitLab Duo Pro](../subscriptions/subscription-add-ons.md) <br>**Offering:** GitLab.com, Self-managed, GitLab Dedicated |
| Processes and generates text and code in a conversational manner. Helps you quickly identify useful information in large volumes of text in issues, epics, code, and GitLab documentation. | [Chat](gitlab_duo_chat.md) | **Tier:** For a limited time, freely available for Premium and Ultimate<br>**Offering:** GitLab.com, Self-managed, GitLab Dedicated |
| Helps you discover or recall Git commands when and where you need them. | [Git suggestions](../editor_extensions/gitlab_cli/index.md#gitlab-duo-commands) | **Tier:** Ultimate <br>**Offering:** GitLab.com <br>**Status:** Experiment |
| Assists with quickly getting everyone up to speed on lengthy conversations to help ensure you are all on the same page. <br><br><i class="fa fa-youtube-play youtube" aria-hidden="true"></i> [Watch overview](https://www.youtube.com/watch?v=IcdxLfTIUgc) | [Discussion summary](#summarize-issue-discussions-with-discussion-summary) | **Tier:** Ultimate <br>**Offering:** GitLab.com <br>**Status:** Experiment |
| Generates issue descriptions. | [Issue description generation](#summarize-an-issue-with-issue-description-generation) | **Tier:** Ultimate<br>**Offering:** GitLab.com <br>**Status:** Experiment |
| Automates repetitive tasks and helps catch bugs early. <br><br><i class="fa fa-youtube-play youtube" aria-hidden="true"></i> [Watch overview](https://www.youtube.com/watch?v=g6MS1JsRWgs) | [Test generation](gitlab_duo_chat.md#write-tests-in-the-ide) | **Tier:** Ultimate <br>**Offering:** GitLab.com, Self-managed, GitLab Dedicated <br>**Status:** Beta |
| Generates a description for the merge request based on the contents of the template. | [Merge request template population](project/merge_requests/ai_in_merge_requests.md#fill-in-merge-request-templates) | **Tier:** Ultimate<br>**Offering:** GitLab.com <br>**Status:** Experiment |
| Helps you write code more efficiently by showing code suggestions as you type.<br><br><i class="fa fa-youtube-play youtube" aria-hidden="true"></i> [Watch overview](https://www.youtube.com/watch?v=hCAyCTacdAQ) | [Code Suggestions](project/repository/code_suggestions/index.md) | **Tier:** Premium and Ultimate with [GitLab Duo Pro](../subscriptions/subscription-add-ons.md)<br>**Offering:** GitLab.com, Self-managed, GitLab Dedicated |
| Processes and generates text and code in a conversational manner. Helps you quickly identify useful information in large volumes of text in issues, epics, code, and GitLab documentation. | [Chat](gitlab_duo_chat.md) | **Tier:** Freely available for Premium and Ultimate for a limited time<br>**Offering:** GitLab.com, Self-managed, GitLab Dedicated |
| Helps you discover or recall Git commands when and where you need them. | [Git suggestions](../editor_extensions/gitlab_cli/index.md#gitlab-duo-commands) | **Tier:** Freely available for Ultimate for a limited time<br>In the future, will require Ultimate with [GitLab Duo Enterprise](../subscriptions/subscription-add-ons.md)<br>**Offering:** GitLab.com<br>**Status:** Experiment |
| Assists with quickly getting everyone up to speed on lengthy conversations to help ensure you are all on the same page. <br><br><i class="fa fa-youtube-play youtube" aria-hidden="true"></i> [Watch overview](https://www.youtube.com/watch?v=IcdxLfTIUgc) | [Discussion summary](#summarize-issue-discussions-with-discussion-summary) | **Tier:** Freely available for Ultimate for a limited time<br>In the future, will require [GitLab Duo Enterprise](../subscriptions/subscription-add-ons.md)<br>**Offering:** GitLab.com <br>**Status:** Experiment |
| Generates issue descriptions. | [Issue description generation](#summarize-an-issue-with-issue-description-generation) | **Tier:** Freely available for Ultimate for a limited time<br>In the future, will require Ultimate with [GitLab Duo Enterprise](../subscriptions/subscription-add-ons.md)<br>**Offering:** GitLab.com <br>**Status:** Experiment |
| Automates repetitive tasks and helps catch bugs early. <br><br><i class="fa fa-youtube-play youtube" aria-hidden="true"></i> [Watch overview](https://www.youtube.com/watch?v=g6MS1JsRWgs) | [Test generation](gitlab_duo_chat.md#write-tests-in-the-ide) | **Tier:** Freely available for Premium and Ultimate for a limited time<br>In the future, will require Premium or Ultimate with [GitLab Duo Pro](../subscriptions/subscription-add-ons.md)<br>**Offering:** GitLab.com, Self-managed, GitLab Dedicated <br>**Status:** Beta |
| Generates a description for the merge request based on the contents of the template. | [Merge request template population](project/merge_requests/ai_in_merge_requests.md#fill-in-merge-request-templates) | **Tier:** Freely available for Ultimate for a limited time<br>In the future, will require Ultimate with [GitLab Duo Enterprise](../subscriptions/subscription-add-ons.md)<br>**Offering:** GitLab.com<br>**Status:** Experiment |
| Assists in creating faster and higher-quality reviews by automatically suggesting reviewers for your merge request. <br><br><i class="fa fa-youtube-play youtube" aria-hidden="true"></i> [Watch overview](https://www.youtube.com/watch?v=ivwZQgh4Rxw) | [Suggested Reviewers](project/merge_requests/reviews/index.md#gitlab-duo-suggested-reviewers) | **Tier:** Ultimate <br>**Offering:** GitLab.com<br>**Status:** Generally Available |
| Efficiently communicates the impact of your merge request changes. | [Merge request summary](project/merge_requests/ai_in_merge_requests.md#summarize-merge-request-changes) | **Tier:** Ultimate <br>**Offering:** GitLab.com <br>**Status:** Beta |
| Helps ease merge request handoff between authors and reviewers and help reviewers efficiently understand suggestions. | [Code review summary](project/merge_requests/ai_in_merge_requests.md#summarize-my-merge-request-review) | **Tier:** Ultimate <br>**Offering:** GitLab.com <br>**Status:** Experiment |
| Helps you remediate vulnerabilities more efficiently, boost your skills, and write more secure code. <br><br><i class="fa fa-youtube-play youtube" aria-hidden="true"></i> [Watch overview](https://www.youtube.com/watch?v=6sDf73QOav8) | [Vulnerability explanation](application_security/vulnerabilities/index.md#explaining-a-vulnerability) | **Tier:** Ultimate <br>**Offering:** GitLab.com <br>**Status:** Beta |
| Generates a merge request containing the changes required to mitigate a vulnerability. | [Vulnerability resolution](application_security/vulnerabilities/index.md#vulnerability-resolution) | **Tier:** Ultimate <br>**Offering:** GitLab.com <br>**Status:** Experiment |
| Helps you understand code by explaining it in English language. <br><br><i class="fa fa-youtube-play youtube" aria-hidden="true"></i> [Watch overview](https://www.youtube.com/watch?v=1izKaLmmaCA) | [Code explanation](#explain-code-in-the-web-ui-with-code-explanation) | **Tier:** Ultimate <br>**Offering:** GitLab.com <br>**Status:** Experiment |
| Assists you in determining the root cause for a pipeline failure and failed CI/CD build. | [Root cause analysis](#root-cause-analysis) | **Tier:** Ultimate <br>**Offering:** GitLab.com <br>**Status:** Experiment |
| Assists you with predicting productivity metrics and identifying anomalies across your software development lifecycle. | [Value stream forecasting](#forecast-deployment-frequency-with-value-stream-forecasting) | **Tier:** Ultimate <br>**Offering:** GitLab.com, Self-managed, GitLab Dedicated <br>**Status:** Experiment |
| Processes and responds to your questions about your application's usage data. | [Product Analytics](analytics/analytics_dashboards.md#generate-a-custom-visualization-with-gitlab-duo) | **Tier:** Ultimate <br>**Offering:** GitLab.com <br>**Status:** Experiment |
| Efficiently communicates the impact of your merge request changes. | [Merge request summary](project/merge_requests/ai_in_merge_requests.md#summarize-merge-request-changes) | **Tier:** Freely available for Ultimate for a limited time<br>In the future, will require Ultimate with [GitLab Duo Enterprise](../subscriptions/subscription-add-ons.md)<br>**Offering:** GitLab.com <br>**Status:** Beta |
| Helps ease merge request handoff between authors and reviewers and help reviewers efficiently understand suggestions. | [Code review summary](project/merge_requests/ai_in_merge_requests.md#summarize-my-merge-request-review) | **Tier:** Freely available for Ultimate for a limited time<br>In the future, will require Ultimate with [GitLab Duo Enterprise](../subscriptions/subscription-add-ons.md)<br>**Offering:** GitLab.com <br>**Status:** Experiment |
| Helps you remediate vulnerabilities more efficiently, boost your skills, and write more secure code. <br><br><i class="fa fa-youtube-play youtube" aria-hidden="true"></i> [Watch overview](https://www.youtube.com/watch?v=6sDf73QOav8) | [Vulnerability explanation](application_security/vulnerabilities/index.md#explaining-a-vulnerability) | **Tier:** Freely available for Ultimate for a limited time<br>In the future, will require Ultimate with [GitLab Duo Enterprise](../subscriptions/subscription-add-ons.md) <br>**Offering:** GitLab.com <br>**Status:** Beta |
| Generates a merge request containing the changes required to mitigate a vulnerability. | [Vulnerability resolution](application_security/vulnerabilities/index.md#vulnerability-resolution) | **Tier:** Freely available for Ultimate for a limited time<br>In the future, will require Ultimate with [GitLab Duo Enterprise](../subscriptions/subscription-add-ons.md)<br>**Offering:** GitLab.com <br>**Status:** Experiment |
| Helps you understand code by explaining it in English language. <br><br><i class="fa fa-youtube-play youtube" aria-hidden="true"></i> [Watch overview](https://www.youtube.com/watch?v=1izKaLmmaCA) | [Code explanation](#explain-code-in-the-web-ui-with-code-explanation) | **Tier:** Freely available for Premium and Ultimate for a limited time<br>In the future, will require Premium or Ultimate with [GitLab Duo Pro](../subscriptions/subscription-add-ons.md) <br>**Offering:** GitLab.com <br>**Status:** Experiment |
| Assists you in determining the root cause for a pipeline failure and failed CI/CD build. | [Root cause analysis](#root-cause-analysis) | **Tier:** Freely available for Ultimate for a limited time<br>In the future, will require Ultimate with [GitLab Duo Enterprise](../subscriptions/subscription-add-ons.md)<br>**Offering:** GitLab.com <br>**Status:** Experiment |
| Assists you with predicting productivity metrics and identifying anomalies across your software development lifecycle. | [Value stream forecasting](#forecast-deployment-frequency-with-value-stream-forecasting) | **Tier:** Freely available for Ultimate for a limited time<br>In the future, will require Ultimate with [GitLab Duo Enterprise](../subscriptions/subscription-add-ons.md) <br>**Offering:** GitLab.com, Self-managed, GitLab Dedicated <br>**Status:** Experiment |
| Processes and responds to your questions about your application's usage data. | [Product Analytics](analytics/analytics_dashboards.md#generate-a-custom-visualization-with-gitlab-duo) | **Tier:** Freely available for Ultimate for a limited time<br>In the future, will require Ultimate with [GitLab Duo Enterprise](../subscriptions/subscription-add-ons.md) <br>**Offering:** GitLab.com <br>**Status:** Experiment |
## Controlling GitLab Duo features
@ -149,7 +149,7 @@ The following subsections describe the experimental AI features in more detail.
### Explain code in the Web UI with Code explanation
DETAILS:
**Tier:** Ultimate
**Tier:** Freely available for Premium and Ultimate for a limited time. In the future, will require Premium or Ultimate with [GitLab Duo Pro](../subscriptions/subscription-add-ons.md).
**Offering:** GitLab.com
**Status:** Experiment
@ -201,7 +201,7 @@ We cannot guarantee that the large language model produces results that are corr
### Summarize issue discussions with Discussion summary
DETAILS:
**Tier:** Ultimate
**Tier:** Freely available for Ultimate for a limited time. In the future, will require Ultimate with [GitLab Duo Enterprise](../subscriptions/subscription-add-ons.md).
**Offering:** GitLab.com
**Status:** Experiment
@ -231,7 +231,7 @@ language model referenced above.
### Forecast deployment frequency with Value stream forecasting
DETAILS:
**Tier:** Ultimate
**Tier:** Freely available for Ultimate for a limited time. In the future, will require Ultimate with [GitLab Duo Enterprise](../subscriptions/subscription-add-ons.md).
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
**Status:** Experiment
@ -263,7 +263,7 @@ Provide feedback on this experimental feature in [issue 416833](https://gitlab.c
### Root cause analysis
DETAILS:
**Tier:** Ultimate
**Tier:** Freely available for Ultimate for a limited time. In the future, will require Ultimate with [GitLab Duo Enterprise](../subscriptions/subscription-add-ons.md).
**Offering:** GitLab.com
**Status:** Experiment
@ -284,7 +284,7 @@ reason for the failure.
### Summarize an issue with Issue description generation
DETAILS:
**Tier:** Ultimate
**Tier:** Freely available for Ultimate for a limited time. In the future, will require Ultimate with [GitLab Duo Enterprise](../subscriptions/subscription-add-ons.md).
**Offering:** GitLab.com
**Status:** Experiment

9
doc/user/application_security/continuous_vulnerability_scanning/index.md
View File

@ -10,10 +10,11 @@ DETAILS:
**Tier:** Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/371063) in GitLab 16.4 as an [Experiment](../../../policy/experiment-beta-support.md#experiment) with multiple [feature flags](../../../administration/feature_flags.md) enabled by default.
> - [Feature flags removed](https://gitlab.com/gitlab-org/gitlab/-/issues/425753) in GitLab 16.10.
> - Continuous Container Scanning [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/435435) in GitLab 16.8 [with a flag](../../../administration/feature_flags.md) named `container_scanning_continuous_vulnerability_scans`. Disabled by default.
> - Continuous Container Scanning [enabled on GitLab.com, self-managed, and GitLab Dedicated](https://gitlab.com/gitlab-org/gitlab/-/issues/437162) in GitLab 16.10.
> - Continuous dependency scanning [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/371063) with [feature flags](../../../administration/feature_flags.md) `dependency_scanning_on_advisory_ingestion` and `package_metadata_advisory_scans` enabled by default.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/425753) in GitLab 16.10. Feature flags `dependency_scanning_on_advisory_ingestion` and `package_metadata_advisory_scans` removed.
> - Continuous container scanning [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/435435) in GitLab 16.8 [with a flag](../../../administration/feature_flags.md) named `container_scanning_continuous_vulnerability_scans`. Disabled by default.
> - Continuous container scanning [enabled on self-managed, and GitLab Dedicated](https://gitlab.com/gitlab-org/gitlab/-/issues/437162) in GitLab 16.10.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/443712) in GitLab 17.0. Feature flag `container_scanning_continuous_vulnerability_scans` removed.
When advisories are added to either the [GitLab Advisory Database](https://advisories.gitlab.com/) or the
[Trivy Database](https://github.com/aquasecurity/trivy-db), Continuous Vulnerability Scanning

178
doc/user/clusters/agent/gitops/agent.md
View File

@ -1,175 +1,11 @@
---
stage: Deploy
group: Environments
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
redirect_to: '../gitops.md'
remove_date: '2024-07-25'
---
# Using GitOps with the agent for Kubernetes (deprecated)
This document was moved to [another location](../gitops.md).
DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/346567) from GitLab Premium to GitLab Free in 15.3.
> - [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/346585) to make the `id` attribute optional in GitLab 15.7.
> - Specifying a branch, tag, or commit reference to fetch the Kubernetes manifest files [introduced](https://gitlab.com/groups/gitlab-org/-/epics/4516) in GitLab 15.7.
WARNING:
This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/406545) in GitLab 16.2. You should use the [Flux integration](../gitops.md) for GitOps.
See [Migrate from legacy GitOps to Flux](migrate_to_flux.md).
This diagram shows the repositories and main actors in a GitOps deployment:
```mermaid
sequenceDiagram
participant D as Developer
participant A as Application code repository
participant M as Manifest repository
participant K as GitLab agent
participant C as Agent configuration repository
loop Regularly
K-->>C: Grab the configuration
end
D->>+A: Pushing code changes
A->>M: Updating manifest
loop Regularly
K-->>M: Watching changes
M-->>K: Pulling and applying changes
end
```
For details, view the [architecture documentation](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/blob/master/doc/architecture.md#high-level-architecture).
## GitOps workflow steps
To update a Kubernetes cluster by using GitOps, complete the following steps.
1. Ensure you have a working Kubernetes cluster, and that the manifests are in a GitLab project.
1. In the same project, [register and install the GitLab agent](../install/index.md).
1. Configure the agent configuration file so that the agent monitors the project for changes to the Kubernetes manifests.
Use the [GitOps configuration reference](#gitops-configuration-reference) for guidance.
Any time you commit updates to your Kubernetes manifests, the agent updates the cluster.
## GitOps configuration reference
The following snippet shows an example of the possible keys and values for the GitOps section of an [agent configuration file](../install/index.md#create-an-agent-configuration-file) (`config.yaml`).
```yaml
gitops:
manifest_projects:
- id: gitlab-org/cluster-integration/gitlab-agent
ref: # either `branch`, `tag` or `commit` can be specified
branch: production
# commit: <mysha>
# tag: v1.0
default_namespace: my-ns
paths:
# Read all YAML files from this directory.
- glob: '/team1/app1/*.yaml'
# Read all .yaml files from team2/apps and all subdirectories.
- glob: '/team2/apps/**/*.yaml'
# If 'paths' is not specified or is an empty list, the configuration below is used.
- glob: '/**/*.{yaml,yml,json}'
reconcile_timeout: 3600s
dry_run_strategy: none
prune: true
prune_timeout: 3600s
prune_propagation_policy: foreground
inventory_policy: must_match
```
| Keyword | Description |
|--|--|
| `manifest_projects` | Projects where your Kubernetes manifests are stored. The agent monitors the files in the repositories in these projects. When manifest files change, the agent deploys the changes to the cluster. |
| `id` | Path to a Git repository that has Kubernetes manifests in YAML or JSON format. No authentication mechanisms are supported. Default is the agent configuration repository. |
| `ref` | Optional. Git reference in the configured Git repository to fetch the Kubernetes manifest files from. If not specified or empty, the default branch is used. If specified, it must contain either `branch`, `tag`, or `commit`. |
| `ref.branch` | Branch name in the configured Git repository to fetch the Kubernetes manifest files from. |
| `ref.tag` | Tag name in the configured Git repository to fetch the Kubernetes manifest files from. |
| `ref.commit` | Commit SHA in the configured Git repository to fetch the Kubernetes manifest files from. |
| `default_namespace` | Namespace to use if not set explicitly in object manifest. Also used for inventory `ConfigMap` objects. |
| `paths` | Repository paths to scan for manifest files. Directories with names that start with a dot `(.)` are ignored. |
| `paths[].glob` | Required. See [doublestar](https://github.com/bmatcuk/doublestar#about) and [the match function](https://pkg.go.dev/github.com/bmatcuk/doublestar/v2#Match) for globbing rules. |
| `reconcile_timeout` | Determines whether the applier should wait until all applied resources have been reconciled, and if so, how long to wait. Default is 3600 seconds (1 hour). |
| `dry_run_strategy` | Determines whether changes [should be performed](https://github.com/kubernetes-sigs/cli-utils/blob/d6968048dcd80b1c7b55d9e4f31fc25f71c9b490/pkg/common/common.go#L68-L89). Can be: `none`, `client`, or `server`. Default is `none`.|
| `prune` | Determines whether pruning of previously applied objects should happen after apply. Default is `true`. |
| `prune_timeout` | Determines whether to wait for all resources to be fully deleted after pruning, and if so, how long to wait. Default is 3600 seconds (1 hour). |
| `prune_propagation_policy` | The deletion propagation policy that [should be used for pruning](https://github.com/kubernetes/apimachinery/blob/44113beed5d39f1b261a12ec398a356e02358307/pkg/apis/meta/v1/types.go#L456-L470). Can be: `orphan`, `background`, or `foreground`. Default is `foreground`. |
| `inventory_policy` | Determines whether an inventory object can take over objects that belong to another inventory object or don't belong to any inventory object. This is done by determining if the apply/prune operation can go through for a resource based on comparison of the `inventory-id` value in the package and the `owning-inventory` annotation (`config.k8s.io/owning-inventory`) [in the live object](https://github.com/kubernetes-sigs/cli-utils/blob/d6968048dcd80b1c7b55d9e4f31fc25f71c9b490/pkg/inventory/policy.go#L12-L66). Can be: `must_match`, `adopt_if_no_inventory`, or `adopt_all`. Default is `must_match`. |
## GitOps annotations
The GitLab agent for Kubernetes has annotations you can use to:
- **Sort resources**: Apply or delete resources in a specific order.
- **Use apply-time mutation**: Dynamically substitute fields from one resource configuration to another.
The agent has [default sorting](https://github.com/kubernetes-sigs/cli-utils/blob/d7d63f4b62897f584ca9e02b6faf4d2f327a9b09/pkg/ordering/sort.go#L74),
but with annotations, you can fine-tune the order and apply time-value injection.
To provide the GitOps functionality, the GitLab agent for Kubernetes uses the [`cli-utils` library](https://github.com/kubernetes-sigs/cli-utils/),
a Kubernetes SIG project. For more information, see the available annotations in the [`cli-utils` documentation](https://github.com/kubernetes-sigs/cli-utils/blob/master/README.md).
## Automatic drift remediation
Drift happens when the current configuration of an infrastructure resource differs from its desired configuration.
Typically, this is caused by manually editing resources directly rather than via the used infrastructure-as-code
mechanism. Minimizing the risk of drift helps to ensure configuration consistency and successful operations.
In GitLab, the agent for Kubernetes regularly compares the desired state from the `git` repository with
the actual state from the Kubernetes cluster. Deviations from the `git` state are fixed at every check. These checks
happen automatically every 5 minutes. They are not configurable.
The agent uses [server-side applies](https://kubernetes.io/docs/reference/using-api/server-side-apply/).
As a result, every field in a resource can have different managers. Only fields managed by `git`
are checked for drift. This facilitates the use of in-cluster controllers to modify resources like
[Horizontal Pod Autoscalers](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/).
## Related topics
- [GitOps working examples for training and demos](https://gitlab.com/groups/guided-explorations/gl-k8s-agent/gitops/-/wikis/home)
- [Self-paced classroom workshop](https://gitlab-for-eks.awsworkshop.io) (Uses AWS EKS, but you can use for other Kubernetes clusters)
- [Managing Kubernetes secrets in a GitOps workflow](secrets_management.md)
- [Application and manifest repository example](https://gitlab.com/gitlab-examples/ops/gitops-demo/hello-world-service-gitops)
## Troubleshooting
### Avoiding conflicts when you have multiple projects
The agent watches each glob pattern set under a project's `paths` section independently, and makes updates to the cluster concurrently.
If changes are found at multiple paths, when the agent attempts to update the cluster,
a conflict can occur.
To prevent this from happening, consider storing a logical group of manifests in a single place and reference them only once to avoid overlapping globs.
For example, both of these globs match `*.yaml` files in the root directory
and could cause conflicts:
```yaml
gitops:
manifest_projects:
- id: project1
paths:
- glob: '/**/*.yaml'
- glob: '/*.yaml'
```
Instead, specify a single glob that matches all `*.yaml` files recursively:
```yaml
gitops:
manifest_projects:
- id: project1
paths:
- glob: '/**/*.yaml'
```
### Use multiple agents or projects
If you store your Kubernetes manifests in separate GitLab projects,
update your agent configuration file with the location of these projects.
WARNING:
The project with the agent's
configuration file can be private or public. Other projects with Kubernetes manifests must be public. Support for private manifest projects is tracked
in [this epic](https://gitlab.com/groups/gitlab-org/-/epics/7704).
<!-- This redirect file can be deleted after <2024-07-25>. -->
<!-- Redirects that point to other docs in the same project expire in three months. -->
<!-- Redirects that point to docs in a different project or site (for example, link is not relative and starts with `https:`) expire in one year. -->
<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/redirects.html -->

2
doc/user/clusters/agent/gitops/migrate_to_flux.md
View File

@ -10,7 +10,7 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
Most users can migrate from their [legacy agent-based GitOps solution](agent.md)
Most users can migrate from their legacy agent-based GitOps solution
to Flux without additional work or downtime. In most cases, Flux can
take over existing workloads without any restarts.

68
doc/user/clusters/agent/gitops/secrets_management.md
View File

@ -1,65 +1,11 @@
---
stage: Deploy
group: Environments
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
redirect_to: '../gitops.md'
remove_date: '2024-07-25'
---
# Managing Kubernetes secrets in a GitOps workflow (deprecated)
This document was moved to [another location](../gitops.md).
WARNING:
This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/406545) in GitLab 16.2.
To manage cluster resources with GitOps, you should use the [Flux integration](../../../clusters/agent/gitops.md).
You should never store Kubernetes secrets in unencrypted form in a `git` repository. If you use a GitOps workflow, you can follow these steps to securely manage your secrets.
1. Set up the Sealed Secrets controller to manage secrets.
1. Deploy Docker credentials so the cluster can pull images from the GitLab container registry.
## Prerequisites
This setup requires:
- A [GitLab agent for Kubernetes configured for the GitOps workflow](../gitops.md).
- Access to the cluster to finish the setup.
## Set up the Sealed Secrets controller to manage secrets
You can use the [Sealed Secrets controller](https://github.com/bitnami-labs/sealed-secrets) to store encrypted secrets securely in a `git` repository. The controller decrypts the secret into a standard Kubernetes `Secret` kind resource.
1. Go to [the Sealed Secrets release page](https://github.com/bitnami-labs/sealed-secrets/releases) and download the most recent `controller.yaml` file.
1. In GitLab, go to the project that contains your Kubernetes manifests and upload the `controller.yaml` file.
1. Open the agent configuration file (`config.yaml`) and if needed, update the `paths.glob` pattern to match the Sealed Secrets manifest.
1. Commit and push the changes to GitLab.
1. Confirm that the Sealed Secrets controller was installed successfully:
```shell
kubectl get pods -lname=sealed-secrets-controller -n kube-system
```
1. Install the `kubeseal` command line utility by following [the Sealed Secrets instructions](https://github.com/bitnami-labs/sealed-secrets#homebrew).
1. Get the public key you need to encrypt secrets without direct access to the cluster:
```shell
kubeseal --fetch-cert > public.pem
```
1. Commit the public key to the repository.
For more details on how the Sealed Secrets controller works, view [the usage instructions](https://github.com/bitnami-labs/sealed-secrets/blob/main/README.md#usage).
## Deploy Docker credentials
To deploy containers from the GitLab container registry, you must configure the cluster with the proper Docker registry credentials. You can achieve this by deploying a `docker-registry` type secret.
1. Generate a GitLab token with at least `read-registry` rights. The token can be either a Personal or a Project Access Token.
1. Create a Kubernetes secret manifest YAML file. Update the values as needed:
```shell
kubectl create secret docker-registry gitlab-credentials --docker-server=registry.gitlab.example.com --docker-username=<gitlab-username> --docker-password=<gitlab-token> --docker-email=<gitlab-user-email> -n <namespace> --dry-run=client -o yaml > gitlab-credentials.yaml
```
1. Encrypt the secret into a `SealedSecret` manifest:
```shell
kubeseal --format=yaml --cert=public.pem < gitlab-credentials.yaml > gitlab-credentials.sealed.yaml
```
<!-- This redirect file can be deleted after <2024-07-25>. -->
<!-- Redirects that point to other docs in the same project expire in three months. -->
<!-- Redirects that point to docs in a different project or site (for example, link is not relative and starts with `https:`) expire in one year. -->
<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/redirects.html -->

3
doc/user/clusters/agent/install/index.md
View File

@ -41,7 +41,6 @@ To install the agent in your cluster:
The agent configuration file can be added to multiple directories (or subdirectories) of the repository.
For configuration settings, the agent uses a YAML file in the GitLab project. You must create this file if:
- You use [a GitOps workflow](../gitops/agent.md#gitops-workflow-steps).
- You use [a GitLab CI/CD workflow](../ci_cd_workflow.md#use-gitlab-cicd-with-your-cluster) and want to authorize a different project to use the agent.
- You [allow specific project or group members to access Kubernetes](../user_access.md).
@ -196,7 +195,6 @@ GitLab also provides a [KPT package for the agent](https://gitlab.com/gitlab-org
To configure your agent, add content to the `config.yaml` file:
- For a GitOps workflow, [view the configuration reference](../gitops/agent.md#gitops-configuration-reference).
- For a GitLab CI/CD workflow, [authorize the agent to access your projects](../ci_cd_workflow.md#authorize-the-agent). Then
[add `kubectl` commands to your `.gitlab-ci.yml` file](../ci_cd_workflow.md#update-your-gitlab-ciyml-file-to-run-kubectl-commands).
@ -234,7 +232,6 @@ As a workaround, you can:
The following example projects can help you get started with the agent.
- [Configuration repository with minimal manifests](https://gitlab.com/gitlab-examples/ops/gitops-demo/k8s-agents)
- [Distinct application and manifest repository example](https://gitlab.com/gitlab-examples/ops/gitops-demo/hello-world-service-gitops)
- [Auto DevOps setup that uses the CI/CD workflow](https://gitlab.com/gitlab-examples/ops/gitops-demo/hello-world-service)
- [Cluster management project template example that uses the CI/CD workflow](https://gitlab.com/gitlab-examples/ops/gitops-demo/cluster-management)

58
doc/user/clusters/agent/troubleshooting.md
View File

@ -44,24 +44,6 @@ This error occurs when the `kas-address` doesn't include a trailing slash. To fi
`wss` or `ws` URL ends with a trailing slash, like `wss://GitLab.host.tld:443/-/kubernetes-agent/`
or `ws://GitLab.host.tld:80/-/kubernetes-agent/`.
## ValidationError(Deployment.metadata)
```json
{
"level": "info",
"time": "2020-10-30T08:56:54.329Z",
"msg": "Synced",
"project_id": "root/kas-manifest001",
"resource_key": "apps/Deployment/kas-test001/nginx-deployment",
"sync_result": "error validating data: [ValidationError(Deployment.metadata): unknown field \"replicas\" in io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta, ValidationError(Deployment.metadata): unknown field \"selector\" in io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta, ValidationError(Deployment.metadata): unknown field \"template\" in io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta]"
}
```
This error occurs when a manifest file is malformed and Kubernetes can't
create the specified objects. Make sure that your manifest files are valid.
For additional troubleshooting, try to use the manifest files to create objects in Kubernetes directly.
## Error while dialing failed to WebSocket dial: failed to send handshake request
```json
@ -172,21 +154,6 @@ To apply the changes:
gitlab-ctl restart gitlab-kas
```
## Project not found
```json
{
"level ":"error ",
"time ":"2022-01-05T15:18:11.331Z",
"msg ":"GetObjectsToSynchronize.Recv failed ",
"mod_name ":"gitops ",
"error ":"rpc error: code = NotFound desc = project not found ",
}
```
This error occurs when the project where you keep your manifests is not public. To fix it, make sure your project is public or your manifest files
are stored in the repository where the agent is configured.
## Failed to perform vulnerability scan on workload: jobs.batch already exists
```json
@ -209,27 +176,6 @@ kubectl delete jobs -l app.kubernetes.io/managed-by=starboard -n gitlab-agent
[We're working on making the cleanup of these jobs more robust.](https://gitlab.com/gitlab-org/gitlab/-/issues/362016)
## Inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch)
```json
{
"error":"inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch)",
"group":"networking.k8s.io",
"kind":"Deployment",
"name":"resource-name",
"namespace":"namespace",
"status":"Skipped",
"timestamp":"2022-10-29T15:34:21Z",
"type":"apply"
}
```
This error occurs when the GitLab agent tries to update an object and the object doesn't have the required annotations. To fix this error, you can:
- Add the required annotations manually.
- Delete the object and let the agent recreate it.
- Change your [`inventory_policy`](../../infrastructure/clusters/deploy/inventory_object.md#inventory_policy-options) setting.
## Parse error during installation
When you install the agent, you might encounter an error that states:
@ -251,10 +197,10 @@ might be caused by one of the following:
- There are multiple [`_gitlab_kas` cookies](../../../administration/clusters/kas.md#kubernetes-api-proxy-cookie)
in the browser and sent to KAS. The most likely cause is multiple GitLab instances hosted
on the same site.
For example, `gitlab.com` set a `_gitlab_kas` cookie targeted for `kas.gitlab.com`,
but the cookie is also sent to `kas.staging.gitlab.com`, which causes the error on `staging.gitlab.com`.
To temporarily resolve, delete the `_gitlab_kas` cookie for `gitlab.com` from the browser cookie store.
[Issue 418998](https://gitlab.com/gitlab-org/gitlab/-/issues/418998) proposes a fix for this known issue.
- GitLab and KAS run on different sites. For example, GitLab on `gitlab.example.com` and KAS on `kas.example.com`.

Some files were not shown because too many files have changed in this diff Show More