Merge remote-tracking branch 'origin/master' into 43446-new-cluster-page-tabs

# Conflicts:
#	doc/user/project/clusters/index.md

8 files changed, 96 insertions, 15 deletions

diff --git a/config/application.rb b/config/application.rb
index 09f706e3d70..1b575f1325d 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -116,6 +116,7 @@ module Gitlab
     config.assets.precompile << "snippets.css"
     config.assets.precompile << "locale/**/app.js"
     config.assets.precompile << "emoji_sprites.css"
+    config.assets.precompile << "errors.css"
 
     # Import gitlab-svgs directly from vendored directory
     config.assets.paths << "#{config.root}/node_modules/@gitlab-org/gitlab-svgs/dist"
diff --git a/config/initializers/secret_token.rb b/config/initializers/01_secret_token.rb
index 750a5b34f3b..02bded43083 100644
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/01_secret_token.rb
@@ -1,3 +1,6 @@
+# This file needs to be loaded BEFORE any initializers that attempt to
+# prepend modules that require access to secrets (e.g. EE's 0_as_concern.rb).
+#
 # Be sure to restart your server when you modify this file.
 
 require 'securerandom'
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index dd36700964a..a0e3ab0d343 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -391,8 +391,10 @@ repositories_storages          = Settings.repositories.storages.values
 repository_downloads_path      = Settings.gitlab['repository_downloads_path'].to_s.gsub(%r{/$}, '')
 repository_downloads_full_path = File.expand_path(repository_downloads_path, Settings.gitlab['user_home'])
 
-if repository_downloads_path.blank? || repositories_storages.any? { |rs| [repository_downloads_path, repository_downloads_full_path].include?(rs.legacy_disk_path.gsub(%r{/$}, '')) }
-  Settings.gitlab['repository_downloads_path'] = File.join(Settings.shared['path'], 'cache/archive')
+Gitlab::GitalyClient::StorageSettings.allow_disk_access do
+  if repository_downloads_path.blank? || repositories_storages.any? { |rs| [repository_downloads_path, repository_downloads_full_path].include?(rs.legacy_disk_path.gsub(%r{/$}, '')) }
+    Settings.gitlab['repository_downloads_path'] = File.join(Settings.shared['path'], 'cache/archive')
+  end
 end
 
 #
diff --git a/config/initializers/2_gitlab.rb b/config/initializers/2_gitlab.rb
index 1d2ab606a63..8b7f245b7b0 100644
--- a/config/initializers/2_gitlab.rb
+++ b/config/initializers/2_gitlab.rb
@@ -1 +1 @@
-require_relative '../../lib/gitlab'
+require_dependency 'gitlab'
diff --git a/config/initializers/6_validations.rb b/config/initializers/6_validations.rb
index 89aabe530fe..362a23164ab 100644
--- a/config/initializers/6_validations.rb
+++ b/config/initializers/6_validations.rb
@@ -38,10 +38,12 @@ def validate_storages_config
 end
 
 def validate_storages_paths
-  Gitlab.config.repositories.storages.each do |name, repository_storage|
-    parent_name, _parent_path = find_parent_path(name, repository_storage.legacy_disk_path)
-    if parent_name
-      storage_validation_error("#{name} is a nested path of #{parent_name}. Nested paths are not supported for repository storages")
+  Gitlab::GitalyClient::StorageSettings.allow_disk_access do
+    Gitlab.config.repositories.storages.each do |name, repository_storage|
+      parent_name, _parent_path = find_parent_path(name, repository_storage.legacy_disk_path)
+      if parent_name
+        storage_validation_error("#{name} is a nested path of #{parent_name}. Nested paths are not supported for repository storages")
+      end
     end
   end
 end
diff --git a/config/initializers/carrierwave_monkey_patch.rb b/config/initializers/carrierwave_monkey_patch.rb
new file mode 100644
index 00000000000..7543231cd4f
--- /dev/null
+++ b/config/initializers/carrierwave_monkey_patch.rb
@@ -0,0 +1,69 @@
+# This fixes the problem https://gitlab.com/gitlab-org/gitlab-ce/issues/46182 that carrierwave eagerly loads upoloading files into memory
+# There is an PR https://github.com/carrierwaveuploader/carrierwave/pull/2314 which has the identical change.
+module CarrierWave
+  module Storage
+    class Fog < Abstract
+      class File
+        module MonkeyPatch
+          ##
+          # Read content of file from service
+          #
+          # === Returns
+          #
+          # [String] contents of file
+          def read
+            file_body = file.body
+
+            return if file_body.nil?
+            return file_body unless file_body.is_a?(::File)
+
+            # Fog::Storage::XXX::File#body could return the source file which was upoloaded to the remote server.
+            read_source_file(file_body) if ::File.exist?(file_body.path)
+
+            # If the source file doesn't exist, the remote content is read
+            @file = nil # rubocop:disable Gitlab/ModuleWithInstanceVariables
+            file.body
+          end
+
+          ##
+          # Write file to service
+          #
+          # === Returns
+          #
+          # [Boolean] true on success or raises error
+          def store(new_file)
+            if new_file.is_a?(self.class) # rubocop:disable Cop/LineBreakAroundConditionalBlock
+              new_file.copy_to(path)
+            else
+              fog_file = new_file.to_file
+              @content_type ||= new_file.content_type # rubocop:disable Gitlab/ModuleWithInstanceVariables
+              @file = directory.files.create({ # rubocop:disable Gitlab/ModuleWithInstanceVariables
+                :body         => fog_file ? fog_file : new_file.read, # rubocop:disable Style/HashSyntax
+                :content_type => @content_type, # rubocop:disable Style/HashSyntax,Gitlab/ModuleWithInstanceVariables
+                :key          => path, # rubocop:disable Style/HashSyntax
+                :public       => @uploader.fog_public # rubocop:disable Style/HashSyntax,Gitlab/ModuleWithInstanceVariables
+              }.merge(@uploader.fog_attributes)) # rubocop:disable Gitlab/ModuleWithInstanceVariables
+              fog_file.close if fog_file && !fog_file.closed?
+            end
+            true
+          end
+
+          private
+
+          def read_source_file(file_body)
+            return unless ::File.exist?(file_body.path)
+
+            begin
+              file_body = ::File.open(file_body.path) if file_body.closed? # Reopen if it's already closed
+              file_body.read
+            ensure
+              file_body.close
+            end
+          end
+        end
+
+        prepend MonkeyPatch
+      end
+    end
+  end
+end
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index e33ebb25c4c..a7fa926a853 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -19,12 +19,5 @@ end
 
 if Gitlab.config.omniauth.enabled
   provider_names = Gitlab.config.omniauth.providers.map(&:name)
-  require 'omniauth-kerberos' if provider_names.include?('kerberos')
-end
-
-module OmniAuth
-  module Strategies
-    autoload :Bitbucket, Rails.root.join('lib', 'omni_auth', 'strategies', 'bitbucket')
-    autoload :Jwt, Rails.root.join('lib', 'omni_auth', 'strategies', 'jwt')
-  end
+  Gitlab::Auth.omniauth_setup_providers(provider_names)
 end
diff --git a/config/settings.rb b/config/settings.rb
index 69d637761ea..58f38d103ea 100644
--- a/config/settings.rb
+++ b/config/settings.rb
@@ -85,6 +85,17 @@ class Settings < Settingslogic
       File.expand_path(path, Rails.root)
     end
 
+    # Returns a 256-bit key for attr_encrypted
+    def attr_encrypted_db_key_base
+      # Ruby 2.4+ requires passing in the exact required length for OpenSSL keys
+      # (https://github.com/ruby/ruby/commit/ce635262f53b760284d56bb1027baebaaec175d1).
+      # Previous versions quietly truncated the input.
+      #
+      # The default mode for the attr_encrypted gem is to use a 256-bit key.
+      # We truncate the 128-byte string to 32 bytes.
+      Gitlab::Application.secrets.db_key_base[0..31]
+    end
+
     private
 
     def base_url(config)