Add latest changes from gitlab-org/gitlab@14-3-stable-ee

8 files changed, 131 insertions, 3 deletions

diff --git a/GITLAB_KAS_VERSION b/GITLAB_KAS_VERSION
index f84a4218283..839845e0b6c 100644
--- a/GITLAB_KAS_VERSION
+++ b/GITLAB_KAS_VERSION
@@ -1 +1 @@
-14.3.2
+14.3.3
diff --git a/GITLAB_SHELL_VERSION b/GITLAB_SHELL_VERSION
index 9dafbf994eb..12e42d263a9 100644
--- a/GITLAB_SHELL_VERSION
+++ b/GITLAB_SHELL_VERSION
@@ -1 +1 @@
-13.21.0
+13.21.1
diff --git a/data/whats_new/202109200001_14_03.yml b/data/whats_new/202109200001_14_03.yml
new file mode 100644
index 00000000000..ab82772e637
--- /dev/null
+++ b/data/whats_new/202109200001_14_03.yml
@@ -0,0 +1,83 @@
+- title: Project-level DAST and secret detection scan execution policies
+  body: |
+     We have completed the first iterative step [toward our vision](https://about.gitlab.com/direction/protect/security_orchestration/) of bringing unified security policies to GitLab. Users can now require DAST and secret detection scans to run on a regular schedule or as part of project CI pipelines, independent of the `.gitlab-ci.yml` file's contents. This allows security teams to separately manage these scan requirements without allowing developers to change the configuration. You can get started with these policies on the **Security & Compliance > Policies** page.
+  stage: Protect
+  self-managed: true
+  gitlab-com: true
+  packages: [Ultimate]
+  url: 'https://docs.gitlab.com/ee/user/application_security/policies/'
+  image_url: https://about.gitlab.com/images/14_3/security_policies.png
+  published_at: 2021-09-22
+  release: 14.3
+- title: Next Generation SAST to reduce Ruby false positives
+  body: |
+     GitLab SAST historically has been powered by [over a dozen open-source static analysis security analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#supported-languages-and-frameworks). These analyzers have proactively identified millions of vulnerabilities for developers using GitLab every month. These tools use a variety of different approaches for identifying vulnerabilities from basic regex pattern matching to abstract syntax tree parsing which can lead to issues with false positives. GitLab's Secure tools already offer vulnerability fingerprinting allowing you to dismiss these false positives persistently, however, we want to go a step further and not require this manual triaging.
+
+     Today we're releasing the first version of our proprietary static application security testing engine built in-house and maintained by GitLab's Static Analysis and Vulnerability Research groups. Initially, this tool is focused on Ruby and Rails to help reduce false positives.
+  stage: Secure
+  self-managed: true
+  gitlab-com: true
+  packages: [Ultimate]
+  url: 'https://docs.gitlab.com/ee/user/application_security/sast/#false-positive-detection'
+  image_url: https://about.gitlab.com/images/14_3/secure-fp-reduction-ui.png
+  published_at: 2021-09-22
+  release: 14.3
+- title: Group-level permissions for Protected Environments
+  body: |
+      In this release, we are introducing group-level protected environments, based on the [deployment tier](https://docs.gitlab.com/ee/ci/environments/index.html#deployment-tier-of-environments) as the identifier. This enables operators to responsibly lock down deployments to higher tier environments without unnecessarily preventing developers from doing their work as the maintainers of their individual projects.
+  stage: Release
+  self-managed: true
+  gitlab-com: true
+  packages: [Premium, Ultimate]
+  url: 'https://docs.gitlab.com/ee/ci/environments/protected_environments.html#group-level-protected-environments'
+  image_url: https://about.gitlab.com/images/growth/release.png
+  published_at: 2021-09-22
+  release: 14.3
+- title: Edit a table's structure visually in the new wiki editor
+  body: |
+      Editing a Markdown table that has 9 columns and 25 rows is one thing. But adding a tenth column to that table in Markdown? That involves very repetitive and error-prone edits to every row. One mistake or misplaced `|` and the table fails to render.
+
+      The new WYSIWYG Markdown editor in the wiki lets you quickly and easily insert a table using the button in the toolbar. After selecting the initial number of rows and columns, however, dealing with the structure of the table can be more difficult. In GitLab 14.3, you can now click on the caret icon in the top right corner of any selected cell to add or remove columns and rows, either before or after the selected cell. Now, as your content scales, the complexity doesn't follow suit.
+  stage: Create
+  self-managed: true
+  gitlab-com: true
+  packages: [Free, Premium, Ultimate]
+  url: 'https://docs.gitlab.com/ee/user/project/wiki/#content-editor'
+  image_url: https://about.gitlab.com/images/14_3/wiki-editor-edit-table-structure.png
+  published_at: 2021-09-22
+  release: 14.3
+- title: Use variables in other variables
+  body: |
+      CI/CD pipeline execution scenarios can depend on expanding variables declared in a pipeline or using GitLab predefined variables within another variable declaration. In 14.3, we are enabling the "variables inside other variables" feature on GitLab SaaS. Now you can define a variable and use it in another variable definition within the same pipeline. You can also use GitLab predefined variables inside of another variable declaration. This feature simplifies your pipeline definition and eliminates pipeline management issues caused by the duplicating of variable data. Note - for GitLab self-managed customers the feature is disabled by default. To use this feature, your GitLab administrator will need to enable the [feature flag](https://docs.gitlab.com/ee/ci/variables/where_variables_can_be_used.html#nested-variable-expansion).
+  stage: Verify
+  self-managed: true
+  gitlab-com: true
+  packages: [Free, Premium, Ultimate]
+  url: 'https://docs.gitlab.com/ee/ci/variables/#use-variables-in-other-variables'
+  image_url: https://about.gitlab.com/images/growth/verify.png
+  published_at: 2021-09-22
+  release: 14.3
+- title: Add GitLab CI/CD configuration conditionally with `include`
+  body: |
+       [`include`](https://docs.gitlab.com/ee/ci/yaml/index.html#include) is one of the most popular keywords to use when writing a full CI/CD pipeline. If you are building larger pipelines, you are probably using the `include` keyword to bring external YAML configuration into your pipeline.
+
+        In this release, we are expanding the power of the keyword so you can use `include` with [`rules`](https://docs.gitlab.com/ee/ci/yaml/index.html#include) conditions. Now, you can decide when external CI/CD configuration should or shouldn't be included. This will help you write a standardized pipeline with the ability to dynamically modify itself based on the conditions you choose.
+  stage: Verify
+  self-managed: true
+  gitlab-com: true
+  packages: [Free, Premium, Ultimate]
+  url: 'https://docs.gitlab.com/ee/#amazing'
+  image_url: https://about.gitlab.com/images/14_3/conditional_include.png
+  published_at: 2021-09-22
+  release: 14.3
+- title: Grant group access to the GitLab Kubernetes Agent
+  body: |
+       The GitLab Kubernetes Agent provides a secure connection between a Kubernetes cluster and GitLab. Until GitLab 14.2, the CI/CD Tunnel enabled pushing to a cluster only from the same project where the Kubernetes Agent was registered. In GitLab 14.3, the Agent can be authorized to access entire groups. As a result, every project under the authorized group has access to the cluster without the need to register an agent for every project.
+  stage: Configure
+  self-managed: true
+  gitlab-com: true
+  packages: [Premium, Ultimate]
+  url: 'https://docs.gitlab.com/ee/user/clusters/agent/repository.html#authorize-groups-to-use-an-agent'
+  image_url: https://about.gitlab.com/images/growth/configure.png
+  published_at: 2021-09-22
+  release: 14.3
diff --git a/db/migrate/20210826145509_add_function_for_inserting_deleted_records.rb b/db/migrate/20210826145509_add_function_for_inserting_deleted_records.rb
index ef688cdfd8c..631cc27c8c0 100644
--- a/db/migrate/20210826145509_add_function_for_inserting_deleted_records.rb
+++ b/db/migrate/20210826145509_add_function_for_inserting_deleted_records.rb
@@ -6,7 +6,7 @@ class AddFunctionForInsertingDeletedRecords < ActiveRecord::Migration[6.1]
 
   def up
     execute(<<~SQL)
-      CREATE FUNCTION #{DELETED_RECORDS_INSERT_FUNCTION_NAME}()
+      CREATE OR REPLACE FUNCTION #{DELETED_RECORDS_INSERT_FUNCTION_NAME}()
       RETURNS TRIGGER AS
       $$
       BEGIN
diff --git a/db/post_migrate/20210907211557_finalize_ci_builds_bigint_conversion.rb b/db/post_migrate/20210907211557_finalize_ci_builds_bigint_conversion.rb
index 872eef5fd31..02f98833703 100644
--- a/db/post_migrate/20210907211557_finalize_ci_builds_bigint_conversion.rb
+++ b/db/post_migrate/20210907211557_finalize_ci_builds_bigint_conversion.rb
@@ -103,6 +103,11 @@ class FinalizeCiBuildsBigintConversion < Gitlab::Database::Migration[1.0]
       remove_foreign_key(:ci_resources, TABLE_NAME, column: :build_id, name: 'fk_rails_e169a8e3d5')
     end
 
+    # Remove this unexpected FK if it exists - https://gitlab.com/gitlab-org/gitlab/-/issues/341822
+    if foreign_key_exists?(:ci_sources_pipelines, TABLE_NAME, column: :source_job_id, name: 'fk_3f0c88d7dc')
+      remove_foreign_key(:ci_sources_pipelines, TABLE_NAME, column: :source_job_id, name: 'fk_3f0c88d7dc')
+    end
+
     swap_columns
   end
 
diff --git a/spec/migrations/20210907211557_finalize_ci_builds_bigint_conversion_spec.rb b/spec/migrations/20210907211557_finalize_ci_builds_bigint_conversion_spec.rb
new file mode 100644
index 00000000000..362b4be1bc6
--- /dev/null
+++ b/spec/migrations/20210907211557_finalize_ci_builds_bigint_conversion_spec.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require_migration!('finalize_ci_builds_bigint_conversion')
+
+RSpec.describe FinalizeCiBuildsBigintConversion, :migration, schema: 20210907182359 do
+  context 'with an unexpected FK fk_3f0c88d7dc' do
+    it 'removes the FK and migrates successfully' do
+      # Add the unexpected FK
+      subject.add_foreign_key(:ci_sources_pipelines, :ci_builds, column: :source_job_id, name: 'fk_3f0c88d7dc')
+
+      expect { migrate! }.to change { subject.foreign_key_exists?(:ci_sources_pipelines, :ci_builds, column: :source_job_id, name: 'fk_3f0c88d7dc') }.from(true).to(false)
+
+      # Additional check: The actually expected FK should still exist
+      expect(subject.foreign_key_exists?(:ci_sources_pipelines, :ci_builds, column: :source_job_id, name: 'fk_be5624bf37')).to be_truthy
+    end
+  end
+end
diff --git a/spec/support/database/cross-join-allowlist.yml b/spec/support/database/cross-join-allowlist.yml
index 2b4cfc6773a..45e95cf3262 100644
--- a/spec/support/database/cross-join-allowlist.yml
+++ b/spec/support/database/cross-join-allowlist.yml
@@ -115,6 +115,7 @@
 - "./spec/lib/gitlab/background_migration/migrate_legacy_artifacts_spec.rb"
 - "./spec/lib/gitlab/prometheus/query_variables_spec.rb"
 - "./spec/mailers/emails/pipelines_spec.rb"
+- "./spec/migrations/20210907211557_finalize_ci_builds_bigint_conversion_spec.rb"
 - "./spec/migrations/cleanup_legacy_artifact_migration_spec.rb"
 - "./spec/migrations/migrate_protected_attribute_to_pending_builds_spec.rb"
 - "./spec/migrations/re_schedule_latest_pipeline_id_population_with_all_security_related_artifact_types_spec.rb"
diff --git a/spec/support/helpers/filtered_search_helpers.rb b/spec/support/helpers/filtered_search_helpers.rb
index 10068b9c508..b6cf78b9046 100644
--- a/spec/support/helpers/filtered_search_helpers.rb
+++ b/spec/support/helpers/filtered_search_helpers.rb
@@ -101,6 +101,27 @@ module FilteredSearchHelpers
     end
   end
 
+  # Same as `expect_tokens` but works with GlFilteredSearch
+  def expect_vue_tokens(tokens)
+    page.within '.gl-search-box-by-click .gl-filtered-search-scrollable' do
+      token_elements = page.all(:css, '.gl-filtered-search-token')
+
+      tokens.each_with_index do |token, index|
+        el = token_elements[index]
+
+        expect(el.find('.gl-filtered-search-token-type')).to have_content(token[:name])
+        expect(el.find('.gl-filtered-search-token-operator')).to have_content(token[:operator]) if token[:operator].present?
+        expect(el.find('.gl-filtered-search-token-data')).to have_content(token[:value]) if token[:value].present?
+
+        # gl-emoji content is blank when the emoji unicode is not supported
+        if token[:emoji_name].present?
+          selector = %(gl-emoji[data-name="#{token[:emoji_name]}"])
+          expect(el.find('.gl-filtered-search-token-data-content')).to have_css(selector)
+        end
+      end
+    end
+  end
+
   def create_token(token_name, token_value = nil, symbol = nil, token_operator = '=')
     { name: token_name, operator: token_operator, value: "#{symbol}#{token_value}" }
   end