Add latest changes from gitlab-org/gitlab@master

49 files changed, 248 insertions, 104 deletions

diff --git a/doc/administration/auth/ldap-troubleshooting.md b/doc/administration/auth/ldap-troubleshooting.md
index 01c22711efc..b852140e80a 100644
--- a/doc/administration/auth/ldap-troubleshooting.md
+++ b/doc/administration/auth/ldap-troubleshooting.md
@@ -634,7 +634,7 @@ The rails console is a valuable tool to help debug LDAP problems. It allows you
 directly interact with the application by running commands and seeing how GitLab
 responds to them.
 
-Please refer to [this guide](https://docs.gitlab.com/omnibus/maintenance/#starting-a-rails-console-session)
+Please refer to [this guide](../troubleshooting/debug.md#starting-a-rails-console-session)
 for instructions on how to use the rails console.
 
 #### Enable debug output
diff --git a/doc/administration/img/repository_storages_admin_ui_v12_10.png b/doc/administration/img/repository_storages_admin_ui_v12_10.png
index b66e2c598bc..e5ac09524b8 100644
--- a/doc/administration/img/repository_storages_admin_ui_v12_10.png
+++ b/doc/administration/img/repository_storages_admin_ui_v12_10.png
diff --git a/doc/administration/instance_limits.md b/doc/administration/instance_limits.md
index c53c46bf0cb..22f2d6ca0b9 100644
--- a/doc/administration/instance_limits.md
+++ b/doc/administration/instance_limits.md
@@ -70,7 +70,7 @@ There is a limit when embedding metrics in GFM for performance reasons.
 On GitLab.com, the [maximum number of webhooks](../user/gitlab_com/index.md#maximum-number-of-webhooks) per project, and per group, is limited.
 
 To set this limit on a self-managed installation, run the following in the
-[GitLab Rails console](https://docs.gitlab.com/omnibus/maintenance/#starting-a-rails-console-session):
+[GitLab Rails console](troubleshooting/debug.md#starting-a-rails-console-session):
 
 ```ruby
 # If limits don't exist for the default plan, you can create one with:
@@ -120,7 +120,7 @@ will fail with a `job_activity_limit_exceeded` error.
   This limit is disabled by default.
 
 To set this limit on a self-managed installation, run the following in the
-[GitLab Rails console](https://docs.gitlab.com/omnibus/maintenance/#starting-a-rails-console-session):
+[GitLab Rails console](troubleshooting/debug.md#starting-a-rails-console-session):
 
 ```ruby
 # If limits don't exist for the default plan, you can create one with:
@@ -145,7 +145,7 @@ limit, the subscription will be considered invalid.
 - On [GitLab Starter](https://about.gitlab.com/pricing/#self-managed) tier or higher self-managed installations, this limit is defined for the `default` plan that affects all projects.
 
 To set this limit on a self-managed installation, run the following in the
-[GitLab Rails console](https://docs.gitlab.com/omnibus/maintenance/#starting-a-rails-console-session):
+[GitLab Rails console](troubleshooting/debug.md#starting-a-rails-console-session):
 
 ```ruby
 Plan.default.limits.update!(ci_project_subscriptions: 500)
@@ -170,7 +170,7 @@ or higher tiers), this limit is defined for the `default` plan that affects all
 projects. By default, there is no limit.
 
 To set this limit on a self-managed installation, run the following in the
-[GitLab Rails console](https://docs.gitlab.com/omnibus/maintenance/#starting-a-rails-console-session):
+[GitLab Rails console](troubleshooting/debug.md#starting-a-rails-console-session):
 
 ```ruby
 Plan.default.limits.update!(ci_pipeline_schedules: 100)
diff --git a/doc/administration/repository_storage_types.md b/doc/administration/repository_storage_types.md
index 29b4179a3f7..562f653765a 100644
--- a/doc/administration/repository_storage_types.md
+++ b/doc/administration/repository_storage_types.md
@@ -100,7 +100,7 @@ The "Gitaly relative path" is shown there, for example:
 This is the path under `/var/opt/gitlab/git-data/repositories/` on a
 default Omnibus installation.
 
-In a [Rails console](troubleshooting/debug.md#starting-a-rails-console),
+In a [Rails console](troubleshooting/debug.md#starting-a-rails-console-session),
 get this information using either the numeric project ID or the full path:
 
 ```ruby
@@ -112,7 +112,7 @@ Project.find_by_full_path('group/project').disk_path
 
 To translate from a hashed storage path to a project name:
 
-1. Start a [Rails console](troubleshooting/debug.md#starting-a-rails-console).
+1. Start a [Rails console](troubleshooting/debug.md#starting-a-rails-console-session).
 1. Run the following:
 
 ```ruby
diff --git a/doc/administration/troubleshooting/debug.md b/doc/administration/troubleshooting/debug.md
index 6a22b22a5be..295dab2be38 100644
--- a/doc/administration/troubleshooting/debug.md
+++ b/doc/administration/troubleshooting/debug.md
@@ -3,9 +3,10 @@
 Sometimes things don't work the way they should. Here are some tips on debugging issues out
 in production.
 
-## Starting a Rails console
+## Starting a Rails console session
 
-Troubleshooting and debugging often requires a rails console.
+Troubleshooting and debugging your GitLab instance often requires a
+[Rails console](https://guides.rubyonrails.org/command_line.html#rails-console).
 
 **For Omnibus installations**
 
@@ -13,22 +14,81 @@ Troubleshooting and debugging often requires a rails console.
 sudo gitlab-rails console
 ```
 
----
-
 **For installations from source**
 
 ```shell
-bundle exec rails console production
+sudo -u git -H bundle exec rails console -e production
 ```
 
 Kubernetes: the console is in the task-runner pod, refer to our [Kubernetes cheat sheet](kubernetes_cheat_sheet.md#gitlab-specific-kubernetes-information) for details.
 
+### Enabling Active Record logging
+
+You can enable output of Active Record debug logging in the Rails console
+session by running:
+
+```ruby
+ActiveRecord::Base.logger = Logger.new(STDOUT)
+```
+
+This will show information about database queries triggered by any Ruby code
+you may run in the console. To turn off logging again, run:
+
+```ruby
+ActiveRecord::Base.logger = nil
+```
+
+### Disabling database statement timeout
+
+You can disable the PostgreSQL statement timeout for the current Rails console
+session by running:
+
+```ruby
+ActiveRecord::Base.connection.execute('SET statement_timeout TO 0')
+```
+
+Note that this change only affects the current Rails console session and will
+not be persisted in the GitLab production environment or in the next Rails
+console session.
+
+### Output Rails console session history
+
+If you'd like to output your Rails console command history in a format that's
+easy to copy and save for future reference, you can run:
+
+```ruby
+puts Readline::HISTORY.to_a
+```
+
+## Using the Rails Runner
+
+If you need to run some Ruby code in thex context of your GitLab production
+environment, you can do so using the [Rails Runner](https://guides.rubyonrails.org/command_line.html#rails-runner).
+
+**For Omnibus installations**
+
+```shell
+sudo gitlab-rails runner "RAILS_COMMAND"
+
+# Example with a two-line Ruby script
+sudo gitlab-rails runner "user = User.first; puts user.username"
+```
+
+**For installations from source**
+
+```shell
+sudo -u git -H bundle exec rails runner -e production "RAILS_COMMAND"
+
+# Example with a two-line Ruby script
+sudo -u git -H bundle exec rails runner -e production "user = User.first; puts user.username"
+```
+
 ## Mail not working
 
 A common problem is that mails are not being sent for some reason. Suppose you configured
 an SMTP server, but you're not seeing mail delivered. Here's how to check the settings:
 
-1. Run a [Rails console.](#starting-a-rails-console)
+1. Run a [Rails console](#starting-a-rails-console-session).
 
 1. Look at the ActionMailer `delivery_method` to make sure it matches what you
    intended. If you configured SMTP, it should say `:smtp`. If you're using
@@ -168,7 +228,7 @@ separate Rails process to debug the issue:
 1. Log in to your GitLab account.
 1. Copy the URL that is causing problems (e.g. `https://gitlab.com/ABC`).
 1. Create a Personal Access Token for your user (Profile Settings -> Access Tokens).
-1. Bring up the [GitLab Rails console.](#starting-a-rails-console)
+1. Bring up the [GitLab Rails console.](#starting-a-rails-console-session)
 1. At the Rails console, run:
 
    ```ruby
diff --git a/doc/administration/troubleshooting/gitlab_rails_cheat_sheet.md b/doc/administration/troubleshooting/gitlab_rails_cheat_sheet.md
index 15ed436fb34..0471c7b7ffd 100644
--- a/doc/administration/troubleshooting/gitlab_rails_cheat_sheet.md
+++ b/doc/administration/troubleshooting/gitlab_rails_cheat_sheet.md
@@ -25,36 +25,6 @@ mentioned above, we recommend running these scripts under the supervision of a
 Support Engineer, who can also verify that they will continue to work as they
 should and, if needed, update the script for the latest version of GitLab.
 
-## Use the Rails Runner
-
-If the script you want to run is short, you can use the Rails Runner to avoid
-entering the rails console in the first place. Here's an example of its use:
-
-```shell
-gitlab-rails runner "RAILS_COMMAND"
-
-# Example with a 2-line script
-gitlab-rails runner "user = User.first; puts user.username"
-```
-
-## Enable debug logging on rails console
-
-```ruby
-Rails.logger.level = 0
-```
-
-## Enable debug logging for ActiveRecord (db issues)
-
-```ruby
-ActiveRecord::Base.logger = Logger.new(STDOUT)
-```
-
-## Temporarily Disable Timeout
-
-```ruby
-ActiveRecord::Base.connection.execute('SET statement_timeout TO 0')
-```
-
 ## Find specific methods for an object
 
 ```ruby
@@ -85,12 +55,6 @@ o = Object.where('attribute like ?', 'ex')
 Rails.cache.instance_variable_get(:@data).keys
 ```
 
-## Rails console history
-
-```ruby
-puts Readline::HISTORY.to_a
-```
-
 ## Profile a page
 
 ```ruby
diff --git a/doc/administration/troubleshooting/img/Okta-SAMLsetup.png b/doc/administration/troubleshooting/img/Okta-SAMLsetup.png
index 8171febb5bc..1bd9bf4d7e9 100644
--- a/doc/administration/troubleshooting/img/Okta-SAMLsetup.png
+++ b/doc/administration/troubleshooting/img/Okta-SAMLsetup.png
diff --git a/doc/administration/troubleshooting/img/Okta-advancedsettings.png b/doc/administration/troubleshooting/img/Okta-advancedsettings.png
index 43eb546f238..45e378d1d12 100644
--- a/doc/administration/troubleshooting/img/Okta-advancedsettings.png
+++ b/doc/administration/troubleshooting/img/Okta-advancedsettings.png
diff --git a/doc/administration/troubleshooting/img/Okta-attributes.png b/doc/administration/troubleshooting/img/Okta-attributes.png
index e4a7b33fe55..a3405e4de9b 100644
--- a/doc/administration/troubleshooting/img/Okta-attributes.png
+++ b/doc/administration/troubleshooting/img/Okta-attributes.png
diff --git a/doc/administration/troubleshooting/img/Okta-linkscert.png b/doc/administration/troubleshooting/img/Okta-linkscert.png
index 33e6b3cc53e..38cae415f7e 100644
--- a/doc/administration/troubleshooting/img/Okta-linkscert.png
+++ b/doc/administration/troubleshooting/img/Okta-linkscert.png
diff --git a/doc/administration/troubleshooting/navigating_gitlab_via_rails_console.md b/doc/administration/troubleshooting/navigating_gitlab_via_rails_console.md
index 01c3da80481..b78d5490cd2 100644
--- a/doc/administration/troubleshooting/navigating_gitlab_via_rails_console.md
+++ b/doc/administration/troubleshooting/navigating_gitlab_via_rails_console.md
@@ -3,7 +3,7 @@
 At the heart of GitLab is a web application [built using the Ruby on Rails
 framework](https://about.gitlab.com/blog/2018/10/29/why-we-use-rails-to-build-gitlab/).
 Thanks to this, we also get access to the amazing tools built right into Rails.
-In this guide, we'll introduce the [Rails console](https://docs.gitlab.com/omnibus/maintenance/#starting-a-rails-console-session)
+In this guide, we'll introduce the [Rails console](debug.md#starting-a-rails-console-session)
 and the basics of interacting with your GitLab instance from the command line.
 
 CAUTION: **CAUTION:**
diff --git a/doc/administration/troubleshooting/ssl.md b/doc/administration/troubleshooting/ssl.md
index 9474126e5c8..475b7d44eac 100644
--- a/doc/administration/troubleshooting/ssl.md
+++ b/doc/administration/troubleshooting/ssl.md
@@ -23,7 +23,7 @@ After configuring a GitLab instance with an internal CA certificate, you might n
   More details here: https://curl.haxx.se/docs/sslcerts.html
   ```
 
-- Testing via the [rails console](https://docs.gitlab.com/omnibus/maintenance/#starting-a-rails-console-session) also fails:
+- Testing via the [rails console](debug.md#starting-a-rails-console-session) also fails:
 
   ```ruby
   uri = URI.parse("https://gitlab.domain.tld")
diff --git a/doc/api/groups.md b/doc/api/groups.md
index 57c71f1ea50..33a3c2305d5 100644
--- a/doc/api/groups.md
+++ b/doc/api/groups.md
@@ -552,7 +552,6 @@ PUT /groups/:id
 | `membership_lock`                    | boolean | no       | **(STARTER)** Prevent adding new members to project membership within this group. |
 | `share_with_group_lock`              | boolean | no       | Prevent sharing a project with another group within this group. |
 | `visibility`                         | string  | no       | The visibility level of the group. Can be `private`, `internal`, or `public`. |
-| `share_with_group_lock`              | boolean | no       | Prevent sharing a project with another group within this group. |
 | `require_two_factor_authentication`  | boolean | no       | Require all users in this group to setup Two-factor authentication. |
 | `two_factor_grace_period`            | integer | no       | Time before Two-factor authentication is enforced (in hours). |
 | `project_creation_level`             | string  | no       | Determine if developers can create projects in the group. Can be `noone` (No one), `maintainer` (Maintainers), or `developer` (Developers + Maintainers). |
diff --git a/doc/api/merge_request_approvals.md b/doc/api/merge_request_approvals.md
index 8fee23a74e8..84f5e41496c 100644
--- a/doc/api/merge_request_approvals.md
+++ b/doc/api/merge_request_approvals.md
@@ -676,7 +676,8 @@ This includes additional information about the users who have already approved
         }
       ],
       "source_rule": null,
-      "approved": true
+      "approved": true,
+      "overridden": false
     }
   ]
 }
@@ -753,7 +754,8 @@ GET /projects/:id/merge_requests/:merge_request_iid/approval_rules
         "ldap_access": null
       }
     ],
-    "contains_hidden_groups": false
+    "contains_hidden_groups": false,
+    "overridden": false
   }
 ]
 ```
@@ -837,7 +839,8 @@ will be used.
       "ldap_access": null
     }
   ],
-  "contains_hidden_groups": false
+  "contains_hidden_groups": false,
+  "overridden": false
 }
 ```
 
@@ -921,7 +924,8 @@ These are system generated rules.
       "ldap_access": null
     }
   ],
-  "contains_hidden_groups": false
+  "contains_hidden_groups": false,
+  "overridden": false
 }
 ```
 
diff --git a/doc/api/projects.md b/doc/api/projects.md
index 39293b28b79..959b263c301 100644
--- a/doc/api/projects.md
+++ b/doc/api/projects.md
@@ -970,6 +970,7 @@ GET /projects/:id/users
 
 | Attribute    | Type          | Required | Description |
 | ------------ | ------------- | -------- | ----------- |
+| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) |
 | `search`     | string        | no       | Search for specific users |
 | `skip_users` | integer array | no       | Filter out users with the specified IDs |
 
@@ -1515,6 +1516,7 @@ GET /projects/:id/starrers
 
 | Attribute | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
+| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) |
 | `search` | string | no | Search for specific users. |
 
 ```shell
@@ -1558,6 +1560,10 @@ Get languages used in a project with percentage value.
 GET /projects/:id/languages
 ```
 
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) |
+
 ```shell
 curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/5/languages"
 ```
@@ -2183,6 +2189,7 @@ PUT /projects/:id/transfer
 
 | Attribute | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
+| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) |
 | `namespace` | integer/string | yes | The ID or path of the namespace to transfer to project to |
 
 ## Branches
diff --git a/doc/ci/img/ecs_dashboard_v12_9.png b/doc/ci/img/ecs_dashboard_v12_9.png
index bebd6f7903c..62b85c75ec2 100644
--- a/doc/ci/img/ecs_dashboard_v12_9.png
+++ b/doc/ci/img/ecs_dashboard_v12_9.png
diff --git a/doc/ci/yaml/README.md b/doc/ci/yaml/README.md
index 85a2e91682d..b72cf25282b 100644
--- a/doc/ci/yaml/README.md
+++ b/doc/ci/yaml/README.md
@@ -2549,7 +2549,7 @@ This example creates four paths of execution:
 
 The maximum number of jobs that can be defined within `needs:` defaults to 10, but
 can be changed to 50 via a feature flag. To change the limit to 50,
-[start a Rails console session](https://docs.gitlab.com/omnibus/maintenance/#starting-a-rails-console-session)
+[start a Rails console session](../../administration/troubleshooting/debug.md#starting-a-rails-console-session)
 and run:
 
 ```ruby
diff --git a/doc/development/pipelines.md b/doc/development/pipelines.md
index 8e13c5e7efc..c123722dc4e 100644
--- a/doc/development/pipelines.md
+++ b/doc/development/pipelines.md
@@ -176,7 +176,7 @@ graph RL;
   O[coverage-frontend];
   N["pages (master only)"];
   Q[package-and-qa];
-  S["RSpec<br/>(e.g. rspec unit pg9)"]
+  S["RSpec<br/>(e.g. rspec unit pg10)"]
   T[retrieve-tests-metadata];
   QA["qa:internal, qa:selectors"];
   QA2["qa:internal-as-if-foss, qa:selectors-as-if-foss<br/>(EE default refs only)"];
diff --git a/doc/install/aws/img/aws_ha_architecture_diagram.png b/doc/install/aws/img/aws_ha_architecture_diagram.png
index b3f4d5b2bd8..e019ed61abf 100644
--- a/doc/install/aws/img/aws_ha_architecture_diagram.png
+++ b/doc/install/aws/img/aws_ha_architecture_diagram.png
diff --git a/doc/install/aws/index.md b/doc/install/aws/index.md
index ee4f759be3a..c2b1198940b 100644
--- a/doc/install/aws/index.md
+++ b/doc/install/aws/index.md
@@ -315,10 +315,8 @@ persistence and is used for certain types of the GitLab application.
 
 1. Navigate back to the ElastiCache dashboard.
 1. Select **Redis** on the left menu and click **Create** to create a new
-   Redis cluster. Depending on your load, you can choose whether to enable
-   cluster mode or not. Even without cluster mode on, you still get the
-   chance to deploy Redis in multi availability zones. In this guide, we chose
-   not to enable it.
+   Redis cluster. Do not enable **Cluster Mode** as it is [not supported](../../administration/high_availability/redis.md#provide-your-own-redis-instance-core-only). Even without cluster mode on, you still get the
+   chance to deploy Redis in multiple availability zones.
 1. In the settings section:
    1. Give the cluster a name (`gitlab-redis`) and a description.
    1. For the version, select the latest of `5.0` series (e.g., `5.0.6`).
@@ -383,6 +381,37 @@ EC2 instances running Linux use private key files for SSH authentication. You'll
 
 Storing private key files on your bastion host is a bad idea. To get around this, use SSH agent forwarding on your client. See [Securely Connect to Linux Instances Running in a Private Amazon VPC](https://aws.amazon.com/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/) for a step-by-step guide on how to use SSH agent forwarding.
 
+## Setting up Gitaly
+
+CAUTION: **Caution:** In this architecture, having a single Gitaly server creates a single point of failure. This limitation will be removed once [Gitaly HA](https://gitlab.com/groups/gitlab-org/-/epics/842) is released.
+
+Gitaly is a service that provides high-level RPC access to Git repositories.
+It should be enabled and configured on a separate EC2 instance in one of the
+[private subnets](#subnets) we configured previously.
+
+Let's create an EC2 instance where we'll install Gitaly:
+
+1. From the EC2 dashboard, click **Launch instance**.
+1. Choose an AMI. In this example, we'll select the **Ubuntu Server 18.04 LTS (HVM), SSD Volume Type**.
+1. Choose an instance type. We'll pick a **c5.xlarge**.
+1. Click **Configure Instance Details**.
+   1. In the **Network** dropdown, select `gitlab-vpc`, the VPC we created earlier.
+   1. In the **Subnet** dropdown, select `gitlab-private-10.0.1.0` from the list of subnets we created earlier.
+   1. Double check that **Auto-assign Public IP** is set to `Use subnet setting (Disable)`.
+   1. Click **Add Storage**.
+1. Increase the Root volume size to `20 GiB` and change the **Volume Type** to `Provisoned IOPS SSD (io1)`. (This is an arbitrary size. Create a volume big enough for your repository storage requirements.)
+   1. For **IOPS** set `1000` (20 GiB x 50 IOPS). You can provision up to 50 IOPS per GiB. If you select a larger volume, increase the IOPS accordingly. Workloads where many small files are written in a serialized manner, like `git`, requires performant storage, hence the choice of `Provisoned IOPS SSD (io1)`.
+1. Click on **Add Tags** and add your tags. In our case, we'll only set `Key: Name` and `Value: Gitaly`.
+1. Click on **Configure Security Group** and let's **Create a new security group**.
+   1. Give your security group a name and description. We'll use `gitlab-gitaly-sec-group` for both.
+   1. Create a **Custom TCP** rule and add port `8075` to the **Port Range**. For the **Source**, select the `gitlab-loadbalancer-sec-group`.
+1. Click **Review and launch** followed by **Launch** if you're happy with your settings.
+1. Finally, acknowledge that you have access to the selected private key file or create a new one. Click **Launch Instances**.
+
+  > **Optional:** Instead of storing configuration _and_ repository data on the root volume, you can also choose to add an additional EBS volume for repository storage. Follow the same guidance as above. See the [Amazon EBS pricing](https://aws.amazon.com/ebs/pricing/).
+
+Now that we have our EC2 instance ready, follow the [documentation to install GitLab and set up Gitaly on its own server](../../administration/gitaly/index.md#running-gitaly-on-its-own-server).
+
 ## Deploying GitLab inside an auto scaling group
 
 We'll use AWS's wizard to deploy GitLab and then SSH into the instance to
@@ -551,37 +580,6 @@ sudo gitlab-ctl status
 
 If everything looks good, you should be able to reach GitLab in your browser.
 
-### Setting up Gitaly
-
-CAUTION: **Caution:** In this architecture, having a single Gitaly server creates a single point of failure. This limitation will be removed once [Gitaly HA](https://gitlab.com/groups/gitlab-org/-/epics/842) is released.
-
-Gitaly is a service that provides high-level RPC access to Git repositories.
-It should be enabled and configured on a separate EC2 instance in one of the
-[private subnets](#subnets) we configured previously.
-
-Let's create an EC2 instance where we'll install Gitaly:
-
-1. From the EC2 dashboard, click **Launch instance**.
-1. Choose an AMI. In this example, we'll select the **Ubuntu Server 18.04 LTS (HVM), SSD Volume Type**.
-1. Choose an instance type. We'll pick a **c5.xlarge**.
-1. Click **Configure Instance Details**.
-   1. In the **Network** dropdown, select `gitlab-vpc`, the VPC we created earlier.
-   1. In the **Subnet** dropdown, select `gitlab-private-10.0.1.0` from the list of subnets we created earlier.
-   1. Double check that **Auto-assign Public IP** is set to `Use subnet setting (Disable)`.
-   1. Click **Add Storage**.
-1. Increase the Root volume size to `20 GiB` and change the **Volume Type** to `Provisoned IOPS SSD (io1)`. (This is an arbitrary size. Create a volume big enough for your repository storage requirements.)
-   1. For **IOPS** set `1000` (20 GiB x 50 IOPS). You can provision up to 50 IOPS per GiB. If you select a larger volume, increase the IOPS accordingly. Workloads where many small files are written in a serialized manner, like `git`, requires performant storage, hence the choice of `Provisoned IOPS SSD (io1)`.
-1. Click on **Add Tags** and add your tags. In our case, we'll only set `Key: Name` and `Value: Gitaly`.
-1. Click on **Configure Security Group** and let's **Create a new security group**.
-   1. Give your security group a name and description. We'll use `gitlab-gitaly-sec-group` for both.
-   1. Create a **Custom TCP** rule and add port `8075` to the **Port Range**. For the **Source**, select the `gitlab-loadbalancer-sec-group`.
-1. Click **Review and launch** followed by **Launch** if you're happy with your settings.
-1. Finally, acknowledge that you have access to the selected private key file or create a new one. Click **Launch Instances**.
-
-  > **Optional:** Instead of storing configuration _and_ repository data on the root volume, you can also choose to add an additional EBS volume for repository storage. Follow the same guidance as above. See the [Amazon EBS pricing](https://aws.amazon.com/ebs/pricing/).
-
-Now that we have our EC2 instance ready, follow the [documentation to install GitLab and set up Gitaly on its own server](../../administration/gitaly/index.md#running-gitaly-on-its-own-server).
-
 ### Using Amazon S3 object storage
 
 GitLab stores many objects outside the Git repository, many of which can be
diff --git a/doc/integration/github.md b/doc/integration/github.md
index f95159731aa..c957fc24eb8 100644
--- a/doc/integration/github.md
+++ b/doc/integration/github.md
@@ -151,7 +151,7 @@ via Omnibus, or [restart GitLab] if you installed from source.
 Check the [`production.log`](../administration/logs.md#productionlog)
 on your GitLab server to obtain further details. If you are getting the error like
 `Faraday::ConnectionFailed (execution expired)` in the log, there may be a connectivity issue
-between your GitLab instance and GitHub Enterprise. To verify it, [start the rails console](https://docs.gitlab.com/omnibus/maintenance/#starting-a-rails-console-session)
+between your GitLab instance and GitHub Enterprise. To verify it, [start the rails console](../administration/troubleshooting/debug.md#starting-a-rails-console-session)
 and run the commands below replacing `<github_url>` with the URL of your GitHub Enterprise instance:
 
 ```ruby
diff --git a/doc/raketasks/import.md b/doc/raketasks/import.md
index 09d919d0120..cda742b6077 100644
--- a/doc/raketasks/import.md
+++ b/doc/raketasks/import.md
@@ -125,7 +125,7 @@ There is an [open issue to add a migration to make all bare repositories
 importable](https://gitlab.com/gitlab-org/gitlab-foss/issues/41776).
 
 Until then, you may wish to manually migrate repositories yourself. You can use
-[Rails console](https://docs.gitlab.com/omnibus/maintenance/#starting-a-rails-console-session)
+[Rails console](../administration/troubleshooting/debug.md#starting-a-rails-console-session)
 to do so. In a Rails console session, run the following to migrate a project:
 
 ```ruby
diff --git a/doc/update/README.md b/doc/update/README.md
index a72e0e1e6ae..c7be3f3cb2b 100644
--- a/doc/update/README.md
+++ b/doc/update/README.md
@@ -122,7 +122,7 @@ If using GitLab 12.9 and newer, run:
 sudo gitlab-rails runner -e production 'puts Gitlab::BackgroundMigration.remaining'
 ```
 
-If using GitLab 12.8 and older, run the following using a [Rails console](../administration/troubleshooting/debug.md#starting-a-rails-console):
+If using GitLab 12.8 and older, run the following using a [Rails console](../administration/troubleshooting/debug.md#starting-a-rails-console-session):
 
 ```ruby
 puts Sidekiq::Queue.new("background_migration").size
@@ -140,7 +140,7 @@ cd /home/git/gitlab
 sudo -u git -H bundle exec rails runner -e production 'puts Gitlab::BackgroundMigration.remaining'
 ```
 
-If using GitLab 12.8 and older, run the following using a [Rails console](../administration/troubleshooting/debug.md#starting-a-rails-console):
+If using GitLab 12.8 and older, run the following using a [Rails console](../administration/troubleshooting/debug.md#starting-a-rails-console-session):
 
 ```ruby
 puts Sidekiq::Queue.new("background_migration").size
diff --git a/doc/user/admin_area/img/broadcast_messages_banner_v12_10.png b/doc/user/admin_area/img/broadcast_messages_banner_v12_10.png
index f3c468d158e..2e893476bc6 100644
--- a/doc/user/admin_area/img/broadcast_messages_banner_v12_10.png
+++ b/doc/user/admin_area/img/broadcast_messages_banner_v12_10.png
diff --git a/doc/user/admin_area/img/broadcast_messages_notification_v12_10.png b/doc/user/admin_area/img/broadcast_messages_notification_v12_10.png
index 98ea48ccd3c..fb03748c892 100644
--- a/doc/user/admin_area/img/broadcast_messages_notification_v12_10.png
+++ b/doc/user/admin_area/img/broadcast_messages_notification_v12_10.png
diff --git a/doc/user/analytics/img/label_based_stage_vsm_v12_9.png b/doc/user/analytics/img/label_based_stage_vsm_v12_9.png
index f1cbd9e1a8e..84ce33aece5 100644
--- a/doc/user/analytics/img/label_based_stage_vsm_v12_9.png
+++ b/doc/user/analytics/img/label_based_stage_vsm_v12_9.png
diff --git a/doc/user/analytics/img/vsm_stage_list_v12_9.png b/doc/user/analytics/img/vsm_stage_list_v12_9.png
index 3775cdeddb4..3b50dd48543 100644
--- a/doc/user/analytics/img/vsm_stage_list_v12_9.png
+++ b/doc/user/analytics/img/vsm_stage_list_v12_9.png
diff --git a/doc/user/application_security/container_scanning/img/container_scanning_v12_9.png b/doc/user/application_security/container_scanning/img/container_scanning_v12_9.png
index dd96fc7aacb..13cacc6a489 100644
--- a/doc/user/application_security/container_scanning/img/container_scanning_v12_9.png
+++ b/doc/user/application_security/container_scanning/img/container_scanning_v12_9.png
diff --git a/doc/user/application_security/dast/img/dast_all_v12_9.png b/doc/user/application_security/dast/img/dast_all_v12_9.png
index 9871d1e6a43..548cea3f7f9 100644
--- a/doc/user/application_security/dast/img/dast_all_v12_9.png
+++ b/doc/user/application_security/dast/img/dast_all_v12_9.png
diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md
index b4fdf307d8b..c83e69ed6c4 100644
--- a/doc/user/application_security/dependency_scanning/index.md
+++ b/doc/user/application_security/dependency_scanning/index.md
@@ -160,6 +160,7 @@ The following variables are used for configuring specific analyzers (used for a
 | `GEMNASIUM_DB_LOCAL_PATH`               | `gemnasium`        | `/gemnasium-db`              | Path to local gemnasium database. |
 | `GEMNASIUM_DB_REMOTE_URL`               | `gemnasium`        | `https://gitlab.com/gitlab-org/security-products/gemnasium-db.git` | Repository URL for fetching the gemnasium database. |
 | `GEMNASIUM_DB_REF_NAME`                 | `gemnasium`        | `master`                     | Branch name for remote repository database. `GEMNASIUM_DB_REMOTE_URL` is required. |
+| `DS_REMEDIATE`                          | `gemnasium`        | `"true"`                       | Enable automatic remediation of vulnerable dependencies.  |
 | `PIP_INDEX_URL`                         | `gemnasium-python` | `https://pypi.org/simple`    | Base URL of Python Package Index. |
 | `PIP_EXTRA_INDEX_URL`                   | `gemnasium-python` |                              | Array of [extra URLs](https://pip.pypa.io/en/stable/reference/pip_install/#cmdoption-extra-index-url) of package indexes to use in addition to `PIP_INDEX_URL`. Comma separated. |
 | `PIP_REQUIREMENTS_FILE`                 | `gemnasium-python` |                              | Pip requirements file to be scanned. |
@@ -167,7 +168,7 @@ The following variables are used for configuring specific analyzers (used for a
 | `DS_PIP_DEPENDENCY_PATH`                | `gemnasium-python` |                              | Path to load Python pip dependencies from. ([Introduced](https://gitlab.com/gitlab-org/gitlab/issues/12412) in GitLab 12.2) |
 | `DS_PYTHON_VERSION`                     | `retire.js`        |                              | Version of Python. If set to 2, dependencies are installed using Python 2.7 instead of Python 3.6. ([Introduced](https://gitlab.com/gitlab-org/gitlab/issues/12296) in GitLab 12.1)|
 | `MAVEN_CLI_OPTS`                        | `gemnasium-maven`  | `"-DskipTests --batch-mode"` | List of command line arguments that will be passed to `maven` by the analyzer. See an example for [using private repos](#using-private-maven-repos). |
-| `BUNDLER_AUDIT_UPDATE_DISABLED`         | `bundler-audit`    | `false`                      | Disable automatic updates for the `bundler-audit` analyzer. Useful if you're running Dependency Scanning in an offline environment. |
+| `BUNDLER_AUDIT_UPDATE_DISABLED`         | `bundler-audit`    | `"false"`                      | Disable automatic updates for the `bundler-audit` analyzer. Useful if you're running Dependency Scanning in an offline, air-gapped environment.|
 | `BUNDLER_AUDIT_ADVISORY_DB_URL`         | `bundler-audit`    | `https://github.com/rubysec/ruby-advisory-db` | URL of the advisory database used by bundler-audit. |
 | `BUNDLER_AUDIT_ADVISORY_DB_REF_NAME`    | `bundler-audit`    | `master`                     | Git ref for the advisory database specified by `BUNDLER_AUDIT_ADVISORY_DB_URL`. |
 | `RETIREJS_JS_ADVISORY_DB`               | `retire.js`        | `https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json` | Path or URL to Retire.js js vulnerability data file. |
diff --git a/doc/user/application_security/img/multi_select_v12_9.png b/doc/user/application_security/img/multi_select_v12_9.png
index b2b171e13d0..ec3648bff08 100644
--- a/doc/user/application_security/img/multi_select_v12_9.png
+++ b/doc/user/application_security/img/multi_select_v12_9.png
diff --git a/doc/user/application_security/sast/img/sast_v12_9.png b/doc/user/application_security/sast/img/sast_v12_9.png
index 91f4b8a8e2e..3c6ee7a276b 100644
--- a/doc/user/application_security/sast/img/sast_v12_9.png
+++ b/doc/user/application_security/sast/img/sast_v12_9.png
diff --git a/doc/user/application_security/threat_monitoring/index.md b/doc/user/application_security/threat_monitoring/index.md
index 07427af7c7d..3a3e2b36133 100644
--- a/doc/user/application_security/threat_monitoring/index.md
+++ b/doc/user/application_security/threat_monitoring/index.md
@@ -13,6 +13,7 @@ navigating to your project's **Security & Compliance > Threat Monitoring** page.
 GitLab supports statistics for the following security features:
 
 - [Web Application Firewall](../../clusters/applications.md#web-application-firewall-modsecurity)
+- [Container Network Policies](../../../topics/autodevops/index.md#network-policy)
 
 ## Web Application Firewall
 
@@ -38,3 +39,38 @@ about your Ingress traffic:
 If a significant percentage of traffic is anomalous, you should
 investigate it for potential threats by
 [examining the application logs](../../clusters/applications.md#web-application-firewall-modsecurity).
+
+## Container Network Policy
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/32365) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.
+
+The **Container Network Policy** section provides packet flow metrics for
+your application's Kubernetes namespace. This section has the following
+prerequisites:
+
+- Your project contains at least one [environment](../../../ci/environments.md)
+- You've [installed Cilium](../../clusters/applications.md#install-cilium-using-gitlab-cicd)
+- You've configured the [Prometheus service](../../project/integrations/prometheus.md#enabling-prometheus-integration)
+
+If you're using custom Helm values for Cilium, you must enable Hubble
+with flow metrics for each namespace by adding the following lines to
+your [Hubble values](../../clusters/applications.md#install-cilium-using-gitlab-cicd):
+
+```yaml
+metrics:
+  enabled:
+    - 'flow:sourceContext=namespace;destinationContext=namespace'
+```
+
+The **Container Network Policy** section displays the following information
+about your packet flow:
+
+- The total amount of the inbound and outbound packets
+- The proportion of packets dropped according to the configured
+  policies
+- The per-second average rate of the forwarded and dropped packets
+  accumulated over time window for the requested time interval
+
+If a significant percentage of packets is dropped, you should
+investigate it for potential threats by
+[examining the Cilium logs](../../clusters/applications.md#install-cilium-using-gitlab-cicd).
diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md
index 0aff09910d2..08ac82ed781 100644
--- a/doc/user/clusters/applications.md
+++ b/doc/user/clusters/applications.md
@@ -825,6 +825,28 @@ agent:
     enabled: false
 ```
 
+The [Hubble](https://github.com/cilium/hubble) monitoring daemon is
+enabled by default and it's set to collect per namespace flow
+metrics. This metrics are accessible on the [Threat Monitoring](../application_security/threat_monitoring/index.md)
+dashboard. You can disable Hubble by adding the following to
+`.gitlab/managed-apps/config.yaml`:
+
+```yaml
+cilium:
+  installed: true
+  hubble:
+    installed: false
+```
+
+You can also adjust Helm values for Hubble via
+`.gitlab/managed-apps/cilium/hubble-values.yaml`:
+
+```yaml
+metrics:
+  enabled:
+    - 'flow:sourceContext=namespace;destinationContext=namespace'
+```
+
 ### Install Vault using GitLab CI/CD
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/9982) in GitLab 12.9.
diff --git a/doc/user/compliance/license_compliance/img/policies_maintainer_add_v12_9.png b/doc/user/compliance/license_compliance/img/policies_maintainer_add_v12_9.png
index 6dc7d3a0924..ad5a49eebe5 100644
--- a/doc/user/compliance/license_compliance/img/policies_maintainer_add_v12_9.png
+++ b/doc/user/compliance/license_compliance/img/policies_maintainer_add_v12_9.png
diff --git a/doc/user/compliance/license_compliance/img/policies_maintainer_edit_v12_9.png b/doc/user/compliance/license_compliance/img/policies_maintainer_edit_v12_9.png
index 31abbcf2d44..4f2380a0bf6 100644
--- a/doc/user/compliance/license_compliance/img/policies_maintainer_edit_v12_9.png
+++ b/doc/user/compliance/license_compliance/img/policies_maintainer_edit_v12_9.png
diff --git a/doc/user/compliance/license_compliance/img/policies_v12_9.png b/doc/user/compliance/license_compliance/img/policies_v12_9.png
index 6c6247320dc..b3bca716ae5 100644
--- a/doc/user/compliance/license_compliance/img/policies_v12_9.png
+++ b/doc/user/compliance/license_compliance/img/policies_v12_9.png
diff --git a/doc/user/group/roadmap/img/roadmap_view_v12_10.png b/doc/user/group/roadmap/img/roadmap_view_v12_10.png
index 7fc888ec2ca..69579fd1c1e 100644
--- a/doc/user/group/roadmap/img/roadmap_view_v12_10.png
+++ b/doc/user/group/roadmap/img/roadmap_view_v12_10.png
diff --git a/doc/user/packages/container_registry/img/container_registry_group_repositories_v12_10.png b/doc/user/packages/container_registry/img/container_registry_group_repositories_v12_10.png
new file mode 100644
index 00000000000..e2b606d024f
--- /dev/null
+++ b/doc/user/packages/container_registry/img/container_registry_group_repositories_v12_10.png
diff --git a/doc/user/packages/container_registry/img/container_registry_repositories_with_quickstart_v12_10.png b/doc/user/packages/container_registry/img/container_registry_repositories_with_quickstart_v12_10.png
new file mode 100644
index 00000000000..e94aab58a1d
--- /dev/null
+++ b/doc/user/packages/container_registry/img/container_registry_repositories_with_quickstart_v12_10.png
diff --git a/doc/user/packages/container_registry/img/container_registry_repository_details_v12.10.png b/doc/user/packages/container_registry/img/container_registry_repository_details_v12.10.png
new file mode 100644
index 00000000000..b911ffea935
--- /dev/null
+++ b/doc/user/packages/container_registry/img/container_registry_repository_details_v12.10.png
diff --git a/doc/user/packages/container_registry/index.md b/doc/user/packages/container_registry/index.md
index 37072eea39e..f5b8bd82a2b 100644
--- a/doc/user/packages/container_registry/index.md
+++ b/doc/user/packages/container_registry/index.md
@@ -7,6 +7,7 @@
 >   to pass a [personal access token](../../profile/personal_access_tokens.md) instead of your password in order to
 >   login to GitLab's Container Registry.
 > - Multiple level image names support was added in GitLab 9.1.
+> - The group level Container Registry was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/23315) in GitLab 12.10.
 
 NOTE: **Note:**
 This document is the user guide. To learn how to enable GitLab Container
@@ -47,11 +48,51 @@ project:
 
 ## Control Container Registry from within GitLab
 
-GitLab offers a simple Container Registry management panel. Go to your project
-and click **Packages > Container Registry** in the project menu.
+GitLab offers a simple Container Registry management panel. This management panel is available
+for both projects and groups.
 
-This view will show you all Docker images in your project and will easily allow you to
-delete them.
+### Control Container Registry for your project
+
+Navigate to your project's **{package}** **Packages > Container Registry**.
+
+![Container Registry project repositories](img/container_registry_repositories_with_quickstart_v12_10.png)
+
+This view will:
+
+- Show all the image repositories that belong to the project.
+- Allow you to [delete](#delete-images-from-within-gitlab) one or more image repository.
+- Allow you to navigate to the image repository details page.
+- Show a **Quick start** dropdown with the most common commands to log in, build and push
+- Optionally, a banner will be visible if the [expiration policy](#expiration-policy) is enabled for this project.
+
+### Control Container Registry for your group
+
+Navigate to your groups's **{package}** **Packages > Container Registry**.
+
+![Container Registry group repositories](img/container_registry_group_repositories_v12_10.png)
+
+This view will:
+
+- Show all the image repositories of the projects that belong to this group.
+- Allow to [delete](#delete-images-from-within-gitlab) one or more image repositories.
+- Allow to navigate to a specific image repository details page.
+
+### Image Repository details page
+
+Clicking on the name of any image repository will navigate to the details.
+
+![Container Registry project repository details](img/container_registry_repository_details_v12.10.png)
+
+NOTE: **Note:**
+The following page has the same functionalities both in the **Group level container registry**
+and in the **Project level container registry**.
+
+This view:
+
+- Shows all the image repository details.
+- Shows all the tags of the image repository.
+- Allows you to quickly copy the tag path (by clicking on the clipboard button near the tag name).
+- Allows you to [delete one or more tags](#delete-images-from-within-gitlab).
 
 ## Use images from GitLab Container Registry
 
diff --git a/doc/user/packages/nuget_repository/index.md b/doc/user/packages/nuget_repository/index.md
index 15772d1303d..ed936b546d2 100644
--- a/doc/user/packages/nuget_repository/index.md
+++ b/doc/user/packages/nuget_repository/index.md
@@ -18,7 +18,7 @@ NuGet CLI is probably already installed.
 
 Alternatively, you can use [.NET SDK 3.0 or later](https://dotnet.microsoft.com/download/dotnet-core/3.0), which installs NuGet CLI.
 
-You can confirm that [nuget CLI](https://www.nuget.org/) is properly installed with:
+You can confirm that [NuGet CLI](https://www.nuget.org/) is properly installed with:
 
 ```shell
 nuget help
@@ -36,6 +36,18 @@ Available commands:
 [output truncated]
 ```
 
+### macOS support
+
+For macOS, you can also use [Mono](https://www.mono-project.com/) to run
+the NuGet CLI. For Homebrew users, run `brew install mono` to install
+Mono. Then you should be able to download the Windows C# binary
+`nuget.exe` from the [NuGet CLI page](https://www.nuget.org/downloads)
+and run:
+
+```shell
+mono nuget.exe
+```
+
 ## Enabling the NuGet Repository
 
 NOTE: **Note:**
diff --git a/doc/user/project/issues/img/csv_export_button_v12_9.png b/doc/user/project/issues/img/csv_export_button_v12_9.png
index 88083cacbfb..702b6439d7c 100644
--- a/doc/user/project/issues/img/csv_export_button_v12_9.png
+++ b/doc/user/project/issues/img/csv_export_button_v12_9.png
diff --git a/doc/user/project/issues/img/design_drag_and_drop_uploads_v12_9.png b/doc/user/project/issues/img/design_drag_and_drop_uploads_v12_9.png
index 61ce3692808..6680c792063 100644
--- a/doc/user/project/issues/img/design_drag_and_drop_uploads_v12_9.png
+++ b/doc/user/project/issues/img/design_drag_and_drop_uploads_v12_9.png
diff --git a/doc/user/project/issues/img/issue_health_status_v12_10.png b/doc/user/project/issues/img/issue_health_status_v12_10.png
index bcd6af144fb..dd6becbb970 100644
--- a/doc/user/project/issues/img/issue_health_status_v12_10.png
+++ b/doc/user/project/issues/img/issue_health_status_v12_10.png
diff --git a/doc/user/project/merge_requests/img/test_coverage_visualization_v12_9.png b/doc/user/project/merge_requests/img/test_coverage_visualization_v12_9.png
index c2cd28adc95..1922a566dd5 100644
--- a/doc/user/project/merge_requests/img/test_coverage_visualization_v12_9.png
+++ b/doc/user/project/merge_requests/img/test_coverage_visualization_v12_9.png
diff --git a/doc/user/project/pages/img/change_path_v12_10.png b/doc/user/project/pages/img/change_path_v12_10.png
index 79c6432707a..7ca09bd21a3 100644
--- a/doc/user/project/pages/img/change_path_v12_10.png
+++ b/doc/user/project/pages/img/change_path_v12_10.png
diff --git a/doc/user/project/web_ide/img/commit_changes_v12_9.png b/doc/user/project/web_ide/img/commit_changes_v12_9.png
index 48491360626..d26c9cc82e1 100644
--- a/doc/user/project/web_ide/img/commit_changes_v12_9.png
+++ b/doc/user/project/web_ide/img/commit_changes_v12_9.png