diff options
35 files changed, 218 insertions, 358 deletions
diff --git a/app/assets/javascripts/batch_comments/mixins/resolved_status.js b/app/assets/javascripts/batch_comments/mixins/resolved_status.js index 96ee9f62ba4..3bbbaa86b51 100644 --- a/app/assets/javascripts/batch_comments/mixins/resolved_status.js +++ b/app/assets/javascripts/batch_comments/mixins/resolved_status.js @@ -1,10 +1,12 @@ +import { sprintf, __ } from '~/locale'; + export default { computed: { resolveButtonTitle() { - let title = 'Mark comment as resolved'; + let title = __('Mark comment as resolved'); if (this.resolvedBy) { - title = `Resolved by ${this.resolvedBy.name}`; + title = sprintf(__('Resolved by %{name}'), { name: this.resolvedBy.name }); } return title; diff --git a/app/assets/stylesheets/framework/avatar.scss b/app/assets/stylesheets/components/avatar.scss index 37a729c7a63..4ab197b935b 100644 --- a/app/assets/stylesheets/framework/avatar.scss +++ b/app/assets/stylesheets/components/avatar.scss @@ -1,33 +1,28 @@ -@mixin avatar-size($size, $margin-right) { - width: $size; - height: $size; - margin-right: $margin-right; -} - .avatar-circle { float: left; margin-right: 15px; border-radius: $avatar-radius; border: 1px solid $gray-normal; - &.s16 { @include avatar-size(16px, 6px); } - &.s18 { @include avatar-size(18px, 6px); } - &.s19 { @include avatar-size(19px, 6px); } - &.s20 { @include avatar-size(20px, 7px); } + &.s16 { @include avatar-size(16px, 8px); } + &.s18 { @include avatar-size(18px, 8px); } + &.s19 { @include avatar-size(19px, 8px); } + &.s20 { @include avatar-size(20px, 8px); } &.s24 { @include avatar-size(24px, 8px); } &.s26 { @include avatar-size(26px, 8px); } - &.s32 { @include avatar-size(32px, 10px); } - &.s36 { @include avatar-size(36px, 10px); } - &.s40 { @include avatar-size(40px, 10px); } - &.s46 { @include avatar-size(46px, 15px); } - &.s48 { @include avatar-size(48px, 10px); } - &.s60 { @include avatar-size(60px, 12px); } - &.s64 { @include avatar-size(64px, 14px); } - &.s70 { @include avatar-size(70px, 14px); } - &.s90 { @include avatar-size(90px, 15px); } - &.s100 { @include avatar-size(100px, 15px); } - &.s110 { @include avatar-size(110px, 15px); } - &.s140 { @include avatar-size(140px, 15px); } - &.s160 { @include avatar-size(160px, 20px); } + &.s32 { @include avatar-size(32px, 8px); } + &.s36 { @include avatar-size(36px, 16px); } + &.s40 { @include avatar-size(40px, 16px); } + &.s46 { @include avatar-size(46px, 16px); } + &.s48 { @include avatar-size(48px, 16px); } + &.s60 { @include avatar-size(60px, 16px); } + &.s64 { @include avatar-size(64px, 16px); } + &.s70 { @include avatar-size(70px, 16px); } + &.s90 { @include avatar-size(90px, 16px); } + &.s96 { @include avatar-size(96px, 16px); } + &.s100 { @include avatar-size(100px, 16px); } + &.s110 { @include avatar-size(110px, 16px); } + &.s140 { @include avatar-size(140px, 16px); } + &.s160 { @include avatar-size(160px, 16px); } } .avatar { @@ -39,6 +34,7 @@ padding: 0; background: $gray-lightest; overflow: hidden; + border-color: rgba($black, $gl-avatar-border-opacity); &.avatar-inline { float: none; @@ -64,41 +60,37 @@ &.avatar-placeholder { border: 0; } - - &:not([href]):hover { - border-color: darken($gray-normal, 10%); - } } .identicon { text-align: center; vertical-align: top; - color: $gl-gray-700; + color: $gray-800; background-color: $gray-darker; // Sizes - &.s16 { font-size: 12px; - line-height: 1.33; } + &.s16 { font-size: 10px; + line-height: 16px; } - &.s24 { font-size: 13px; - line-height: 1.8; } + &.s24 { font-size: 12px; + line-height: 24px; } &.s26 { font-size: 20px; line-height: 1.33; } - &.s32 { font-size: 20px; - line-height: 30px; } + &.s32 { font-size: 14px; + line-height: 32px; } &.s40 { font-size: 16px; line-height: 38px; } &.s48 { font-size: 20px; - line-height: 46px; } + line-height: 48px; } &.s60 { font-size: 32px; line-height: 58px; } - &.s64 { font-size: 32px; + &.s64 { font-size: 28px; line-height: 64px; } &.s70 { font-size: 34px; @@ -107,6 +99,9 @@ &.s90 { font-size: 36px; line-height: 88px; } + &.s96 { font-size: 48px; + line-height: 96px; } + &.s100 { font-size: 36px; line-height: 98px; } @@ -144,7 +139,6 @@ .avatar { border-radius: 0; - border: 0; height: auto; width: 100%; margin: 0; diff --git a/app/assets/stylesheets/framework.scss b/app/assets/stylesheets/framework.scss index ab9047c54e4..9b0d19b0ef0 100644 --- a/app/assets/stylesheets/framework.scss +++ b/app/assets/stylesheets/framework.scss @@ -8,7 +8,6 @@ @import 'framework/animations'; @import 'framework/vue_transitions'; -@import 'framework/avatar'; @import 'framework/asciidoctor'; @import 'framework/banner'; @import 'framework/blocks'; diff --git a/app/assets/stylesheets/framework/files.scss b/app/assets/stylesheets/framework/files.scss index 53d3645cd63..17c117188b3 100644 --- a/app/assets/stylesheets/framework/files.scss +++ b/app/assets/stylesheets/framework/files.scss @@ -241,6 +241,7 @@ */ &.code { padding: 0; + border-radius: 0 0 $border-radius-default $border-radius-default; } .list-inline.previews { diff --git a/app/assets/stylesheets/framework/highlight.scss b/app/assets/stylesheets/framework/highlight.scss index 946f575ac13..741f92110c3 100644 --- a/app/assets/stylesheets/framework/highlight.scss +++ b/app/assets/stylesheets/framework/highlight.scss @@ -8,7 +8,7 @@ pre { padding: 10px 0; border: 0; - border-radius: 0; + border-radius: 0 0 $border-radius-default $border-radius-default; font-family: $monospace-font; font-size: $code-font-size; line-height: 19px; @@ -42,6 +42,7 @@ padding: 10px; text-align: right; float: left; + border-bottom-left-radius: $border-radius-default; a { font-family: $monospace-font; diff --git a/app/assets/stylesheets/framework/mixins.scss b/app/assets/stylesheets/framework/mixins.scss index 97de0c98325..18671f7c4d8 100644 --- a/app/assets/stylesheets/framework/mixins.scss +++ b/app/assets/stylesheets/framework/mixins.scss @@ -376,3 +376,12 @@ } } } + +/* +* Mixin that handles the size and right margin of avatars. +*/ +@mixin avatar-size($size, $margin-right) { + width: $size; + height: $size; + margin-right: $margin-right; +} diff --git a/app/assets/stylesheets/framework/variables.scss b/app/assets/stylesheets/framework/variables.scss index 1cf122102cc..28768bdf88f 100644 --- a/app/assets/stylesheets/framework/variables.scss +++ b/app/assets/stylesheets/framework/variables.scss @@ -589,6 +589,7 @@ $issue-board-list-difference-md: $issue-board-list-difference-sm + $issue-boards */ $avatar-radius: 50%; $gl-avatar-size: 40px; +$gl-avatar-border-opacity: 0.1; /* * Blame diff --git a/app/assets/stylesheets/pages/diff.scss b/app/assets/stylesheets/pages/diff.scss index b2b3720fdde..b3a634e23a3 100644 --- a/app/assets/stylesheets/pages/diff.scss +++ b/app/assets/stylesheets/pages/diff.scss @@ -494,6 +494,12 @@ table.code { } } + .line_holder:last-of-type { + td:first-child { + border-bottom-left-radius: $border-radius-default; + } + } + &.left-side-selected { td.line_content.parallel.right-side { user-select: none; diff --git a/app/assets/stylesheets/pages/login.scss b/app/assets/stylesheets/pages/login.scss index 22a515cbdaa..fd082cbe0cd 100644 --- a/app/assets/stylesheets/pages/login.scss +++ b/app/assets/stylesheets/pages/login.scss @@ -21,13 +21,6 @@ color: $login-brand-holder-color; } - h1:first-child { - font-weight: $gl-font-weight-normal; - margin-bottom: 0.68em; - margin-top: 0; - font-size: 34px; - } - h3 { font-size: 22px; } diff --git a/app/models/clusters/cluster.rb b/app/models/clusters/cluster.rb index f7ea7accab2..3c6e185f9e2 100644 --- a/app/models/clusters/cluster.rb +++ b/app/models/clusters/cluster.rb @@ -204,7 +204,7 @@ module Clusters end def kube_ingress_domain - @kube_ingress_domain ||= domain.presence || instance_domain || legacy_auto_devops_domain + @kube_ingress_domain ||= domain.presence || instance_domain end def predefined_variables @@ -221,24 +221,6 @@ module Clusters @instance_domain ||= Gitlab::CurrentSettings.auto_devops_domain end - # To keep backward compatibility with AUTO_DEVOPS_DOMAIN - # environment variable, we need to ensure KUBE_INGRESS_BASE_DOMAIN - # is set if AUTO_DEVOPS_DOMAIN is set on any of the following options: - # ProjectAutoDevops#Domain, project variables or group variables, - # as the AUTO_DEVOPS_DOMAIN is needed for CI_ENVIRONMENT_URL - # - # This method should is scheduled to be removed on - # https://gitlab.com/gitlab-org/gitlab-ce/issues/56959 - def legacy_auto_devops_domain - if project_type? - project&.auto_devops&.domain.presence || - project.variables.find_by(key: 'AUTO_DEVOPS_DOMAIN')&.value.presence || - project.group&.variables&.find_by(key: 'AUTO_DEVOPS_DOMAIN')&.value.presence - elsif group_type? - group.variables.find_by(key: 'AUTO_DEVOPS_DOMAIN')&.value.presence - end - end - def restrict_modification if provider&.on_creation? errors.add(:base, "cannot modify during creation") diff --git a/app/models/project_auto_devops.rb b/app/models/project_auto_devops.rb index f972c40f317..90bcb3067f6 100644 --- a/app/models/project_auto_devops.rb +++ b/app/models/project_auto_devops.rb @@ -16,27 +16,8 @@ class ProjectAutoDevops < ApplicationRecord after_save :create_gitlab_deploy_token, if: :needs_to_create_deploy_token? - def instance_domain - Gitlab::CurrentSettings.auto_devops_domain - end - - def has_domain? - domain.present? || instance_domain.present? - end - - # From 11.8, AUTO_DEVOPS_DOMAIN has been replaced by KUBE_INGRESS_BASE_DOMAIN. - # See Clusters::Cluster#predefined_variables and https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24580 - # for more info. - # - # Suppport AUTO_DEVOPS_DOMAIN is scheduled to be removed on - # https://gitlab.com/gitlab-org/gitlab-ce/issues/52363 def predefined_variables Gitlab::Ci::Variables::Collection.new.tap do |variables| - if has_domain? - variables.append(key: 'AUTO_DEVOPS_DOMAIN', - value: domain.presence || instance_domain) - end - variables.concat(deployment_strategy_default_variables) end end diff --git a/app/views/layouts/devise.html.haml b/app/views/layouts/devise.html.haml index f7a561afbb3..ff3410f6268 100644 --- a/app/views/layouts/devise.html.haml +++ b/app/views/layouts/devise.html.haml @@ -10,15 +10,17 @@ .container.navless-container .content = render "layouts/flash" - .row.append-bottom-15 - .col-sm-7.brand-holder - %h1 + .row.mt-3 + .col-sm-12 + %h1.mb-3.font-weight-normal = brand_title + .row.mb-3 + .col-sm-7.order-12.order-sm-1.brand-holder = brand_image - if current_appearance&.description? = brand_text - else - %h3 + %h3.mt-sm-0 = _('Open source software to collaborate on code') %p @@ -29,7 +31,7 @@ = render_if_exists 'layouts/devise_help_text' - .col-sm-5.new-session-forms-container + .col-sm-5.order-1.order-sm-12.new-session-forms-container = yield %hr.footer-fixed diff --git a/changelogs/unreleased/38561-border-radii.yml b/changelogs/unreleased/38561-border-radii.yml new file mode 100644 index 00000000000..510af18d651 --- /dev/null +++ b/changelogs/unreleased/38561-border-radii.yml @@ -0,0 +1,5 @@ +--- +title: Fix border radii on diff files and repo files +merge_request: +author: +type: fixed diff --git a/changelogs/unreleased/56959-remove-auto-devops-domain-ci-variable.yml b/changelogs/unreleased/56959-remove-auto-devops-domain-ci-variable.yml new file mode 100644 index 00000000000..c1c1708f935 --- /dev/null +++ b/changelogs/unreleased/56959-remove-auto-devops-domain-ci-variable.yml @@ -0,0 +1,5 @@ +--- +title: Removes support for AUTO_DEVOPS_DOMAIN +merge_request: 28460 +author: +type: removed diff --git a/changelogs/unreleased/59987-move-sign-in-2fa-on-users-sign_in-above-intro-content-on-mobile.yml b/changelogs/unreleased/59987-move-sign-in-2fa-on-users-sign_in-above-intro-content-on-mobile.yml new file mode 100644 index 00000000000..7863f1f7bbe --- /dev/null +++ b/changelogs/unreleased/59987-move-sign-in-2fa-on-users-sign_in-above-intro-content-on-mobile.yml @@ -0,0 +1,5 @@ +--- +title: Prioritize login form on mobile breakpoint +merge_request: 28360 +author: +type: changed diff --git a/changelogs/unreleased/patch-64.yml b/changelogs/unreleased/patch-64.yml new file mode 100644 index 00000000000..1bf022e7e41 --- /dev/null +++ b/changelogs/unreleased/patch-64.yml @@ -0,0 +1,5 @@ +--- +title: Update SAST.gitlab-ci.yml - Add SAST_GITLEAKS_ENTROPY_LEVEL +merge_request: 28607 +author: +type: fixed diff --git a/config/database.yml.example b/config/database.yml.example new file mode 100644 index 00000000000..e69de29bb2d --- /dev/null +++ b/config/database.yml.example diff --git a/config/initializers/rack_attack_logging.rb b/config/initializers/rack_attack_logging.rb index 8bb9ea29c33..2a3fdc8de5f 100644 --- a/config/initializers/rack_attack_logging.rb +++ b/config/initializers/rack_attack_logging.rb @@ -1,7 +1,15 @@ +# frozen_string_literal: true +# # Adds logging for all Rack Attack blocks and throttling events. ActiveSupport::Notifications.subscribe('rack.attack') do |name, start, finish, request_id, req| if [:throttle, :blacklist].include? req.env['rack.attack.match_type'] - Rails.logger.info("Rack_Attack: #{req.env['rack.attack.match_type']} #{req.ip} #{req.request_method} #{req.fullpath}") + Gitlab::AuthLogger.error( + message: 'Rack_Attack', + env: req.env['rack.attack.match_type'], + ip: req.ip, + request_method: req.request_method, + fullpath: req.fullpath + ) end end diff --git a/doc/administration/logs.md b/doc/administration/logs.md index 3d40cda491a..a7e57e44e86 100644 --- a/doc/administration/logs.md +++ b/doc/administration/logs.md @@ -280,6 +280,14 @@ installations from source. Currently it logs the progress of project imports from the Bitbucket Server importer. Future importers may use this file. +## `auth.log` + +Introduced in GitLab 12.0. This file lives in `/var/log/gitlab/gitlab-rails/auth.log` for +Omnibus GitLab packages or in `/home/git/gitlab/log/auth.log` for +installations from source. + +It logs information whenever [Rack Attack] registers an abusive request. + ## Reconfigure Logs Reconfigure log files live in `/var/log/gitlab/reconfigure` for Omnibus GitLab @@ -298,3 +306,4 @@ Omnibus GitLab packages or in `/home/git/gitlab/log/sidekiq_exporter.log` for installations from source. [repocheck]: repository_checks.md +[Rack Attack]: ../security/rack_attack.md diff --git a/doc/api/epic_links.md b/doc/api/epic_links.md index 619ae6ea2dc..d6e43ae7074 100644 --- a/doc/api/epic_links.md +++ b/doc/api/epic_links.md @@ -125,7 +125,7 @@ POST /groups/:id/epics/:epic_iid/epics | --------------- | -------------- | -------- | ------------------------------------------------------------------------------------------------------------------ | | `id` | integer/string | yes | The ID or [URL-encoded path of the group](README.md#namespaced-path-encoding) owned by the authenticated user | | `epic_iid` | integer | yes | The internal ID of the (future parent) epic. | -| `title` | integer | yes | The global ID of the child epic. Internal ID can't be used because they can conflict with epics from other groups. | +| `title` | string | yes | The title of a newly created epic. | ```bash curl --header POST "PRIVATE-TOKEN: <your_access_token>" https://gitlab.example.com/api/v4/groups/1/epics/5/epics?title=Newpic @@ -141,6 +141,7 @@ Example response: "group_id": 49, "parent_id": 23, "has_children": false, + "has_issues": false, "reference": "&2", "url": "http://localhost/groups/group16/-/epics/2", "relation_url": "http://localhost/groups/group16/-/epics/1/links/24" diff --git a/doc/ci/yaml/README.md b/doc/ci/yaml/README.md index 31ff56e06f8..8667eacd3d5 100644 --- a/doc/ci/yaml/README.md +++ b/doc/ci/yaml/README.md @@ -1986,7 +1986,7 @@ production: - deploy environment: name: production - url: https://$CI_PROJECT_PATH_SLUG.$AUTO_DEVOPS_DOMAIN + url: https://$CI_PROJECT_PATH_SLUG.$KUBE_INGRESS_BASE_DOMAIN only: - master ``` diff --git a/doc/security/rack_attack.md b/doc/security/rack_attack.md index ad83dc05a93..66081d7e376 100644 --- a/doc/security/rack_attack.md +++ b/doc/security/rack_attack.md @@ -94,7 +94,7 @@ In case you want to remove a blocked IP, follow these steps: 1. Find the IPs that have been blocked in the production log: ```sh - grep "Rack_Attack" /var/log/gitlab/gitlab-rails/production.log + grep "Rack_Attack" /var/log/gitlab/gitlab-rails/auth.log ``` 1. Since the blacklist is stored in Redis, you need to open up `redis-cli`: diff --git a/doc/topics/autodevops/index.md b/doc/topics/autodevops/index.md index 5a8744d71f9..4ceccaabf86 100644 --- a/doc/topics/autodevops/index.md +++ b/doc/topics/autodevops/index.md @@ -126,10 +126,6 @@ Auto Deploy, and Auto Monitoring will be silently skipped. ## Auto DevOps base domain -NOTE: **Note** -`AUTO_DEVOPS_DOMAIN` environment variable is deprecated and -[is scheduled to be removed](https://gitlab.com/gitlab-org/gitlab-ce/issues/56959). - The Auto DevOps base domain is required if you want to make use of [Auto Review Apps](#auto-review-apps) and [Auto Deploy](#auto-deploy). It can be defined in any of the following places: @@ -162,6 +158,12 @@ Auto DevOps base domain to `1.2.3.4.nip.io`. Once set up, all requests will hit the load balancer, which in turn will route them to the Kubernetes pods that run your application(s). +NOTE: **Note:** +From GitLab 11.8, `KUBE_INGRESS_BASE_DOMAIN` replaces `AUTO_DEVOPS_DOMAIN`. +Support for `AUTO_DEVOPS_DOMAIN` was [removed in GitLab +12.0](https://gitlab.com/gitlab-org/gitlab-ce/issues/56959). + + ## Using multiple Kubernetes clusters **[PREMIUM]** When using Auto DevOps, you may want to deploy different environments to @@ -209,10 +211,6 @@ and verifying that your app is deployed as a review app in the Kubernetes cluster with the `review/*` environment scope. Similarly, you can check the other environments. -NOTE: **Note:** -From GitLab 11.8, `KUBE_INGRESS_BASE_DOMAIN` replaces `AUTO_DEVOPS_DOMAIN`. -`AUTO_DEVOPS_DOMAIN` [is scheduled to be removed](https://gitlab.com/gitlab-org/gitlab-ce/issues/56959). - ## Enabling/Disabling Auto DevOps When first using Auto Devops, review the [requirements](#requirements) to ensure all necessary components to make @@ -734,7 +732,6 @@ also be customized, and you can easily use a [custom buildpack](#custom-buildpac | **Variable** | **Description** | | ------------ | --------------- | -| `AUTO_DEVOPS_DOMAIN` | The [Auto DevOps domain](#auto-devops-base-domain). By default, set automatically by the [Auto DevOps setting](#enablingdisabling-auto-devops). This variable is deprecated and [is scheduled to be removed](https://gitlab.com/gitlab-org/gitlab-ce/issues/56959). Use `KUBE_INGRESS_BASE_DOMAIN` instead. | | `AUTO_DEVOPS_CHART` | The Helm Chart used to deploy your apps; defaults to the one [provided by GitLab](https://gitlab.com/gitlab-org/charts/auto-deploy-app). | | `AUTO_DEVOPS_CHART_REPOSITORY` | The Helm Chart repository used to search for charts; defaults to `https://charts.gitlab.io`. | | `AUTO_DEVOPS_CHART_REPOSITORY_NAME` | From Gitlab 11.11, this variable can be used to set the name of the helm repository; defaults to "gitlab" | diff --git a/doc/user/admin_area/geo_nodes.md b/doc/user/admin_area/geo_nodes.md index 776ab139c64..fb0f9a3285d 100644 --- a/doc/user/admin_area/geo_nodes.md +++ b/doc/user/admin_area/geo_nodes.md @@ -1,9 +1,13 @@ +--- +type: howto +--- + # Geo nodes admin area **[PREMIUM ONLY]** -For more information about setting up GitLab Geo, read the -[Geo documentation](https://docs.gitlab.com/ee/administration/geo/replication/index.html). +You can configure various settings for GitLab Geo nodes. For more information, see +[Geo documentation](https://docs.gitlab.com/ee/administration/geo/replication/index.md). -When you're done, you can navigate to **Admin area > Geo** (`/admin/geo/nodes`). +On the primary node, go to **Admin area > Geo**. On secondary nodes, go to **Admin area > Geo > Nodes**. ## Common settings @@ -68,3 +72,15 @@ a unique `name` is set for each Geo node. The `gitlab.rb` setting The load balancer must use sticky sessions in order to avoid authentication failures and cross site request errors. + +<!-- ## Troubleshooting + +Include any troubleshooting steps that you can foresee. If you know beforehand what issues +one might have when setting this up, or when something is changed, or on upgrading, it's +important to describe those, too. Think of things that may go wrong and include them here. +This is important to minimize requests for support, and to avoid doc comments with +questions that you know someone might ask. + +Each scenario can be a third-level heading, e.g. `### Getting error message X`. +If you have none to add when creating a doc, leave this section in place +but commented out to help encourage others to add to it in the future. -->
\ No newline at end of file diff --git a/doc/user/project/clusters/index.md b/doc/user/project/clusters/index.md index 3bc3beb2055..bc4d732a405 100644 --- a/doc/user/project/clusters/index.md +++ b/doc/user/project/clusters/index.md @@ -71,7 +71,7 @@ new Kubernetes cluster to your project: - **Number of nodes** - Enter the number of nodes you wish the cluster to have. - **Machine type** - The [machine type](https://cloud.google.com/compute/docs/machine-types) of the Virtual Machine instance that the cluster will be based on. - - **RBAC-enabled cluster** - Leave this checked if using default GKE creation options, see the [RBAC section](#role-based-access-control-rbac) for more information. + - **RBAC-enabled cluster** - Leave this checked if using default GKE creation options, see the [RBAC section](#rbac-cluster-resources) for more information. - **GitLab-managed cluster** - Leave this checked if you want GitLab to manage namespaces and service accounts for this cluster. See the [Managed clusters section](#gitlab-managed-clusters) for more information. 1. Finally, click the **Create Kubernetes cluster** button. @@ -263,65 +263,66 @@ you can either: ## Access controls -When creating a cluster in GitLab, you will be asked if you would like to create an -[Attribute-based access control (ABAC)](https://kubernetes.io/docs/admin/authorization/abac/) cluster, or -a [Role-based access control (RBAC)](https://kubernetes.io/docs/admin/authorization/rbac/) one. +When creating a cluster in GitLab, you will be asked if you would like to create either: -NOTE: **Note:** -[RBAC](#role-based-access-control-rbac) is recommended and the GitLab default. +- An [Attribute-based access control (ABAC)](https://kubernetes.io/docs/admin/authorization/abac/) cluster. +- A [Role-based access control (RBAC)](https://kubernetes.io/docs/admin/authorization/rbac/) cluster. -Whether [ABAC](#attribute-based-access-control-abac) or [RBAC](#role-based-access-control-rbac) is enabled, -GitLab will create the necessary service accounts and privileges in order to install and run -[GitLab managed applications](#installing-applications): +NOTE: **Note:** +[RBAC](#rbac-cluster-resources) is recommended and the GitLab default. -- If GitLab is creating the cluster, a `gitlab` service account with - `cluster-admin` privileges will be created in the `default` namespace, - which will be used by GitLab to manage the newly created cluster. +GitLab creates the necessary service accounts and privileges to install and run +[GitLab managed applications](#installing-applications). When GitLab creates the cluster: +- A `gitlab` service account with `cluster-admin` privileges is created in the `default` namespace + to manage the newly created cluster. - A project service account with [`edit` privileges](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) - will be created in the project namespace (also created by GitLab), which will - be used in [deployment jobs](#deployment-variables). + is created in the GitLab-created project namespace for [deployment jobs](#deployment-variables). NOTE: **Note:** Restricted service account for deployment was [introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/51716) in GitLab 11.5. -- When you install Helm into your cluster, the `tiller` service account - will be created with `cluster-admin` privileges in the `gitlab-managed-apps` - namespace. This service account will be added to the installed Helm Tiller and will - be used by Helm to install and run [GitLab managed applications](#installing-applications). - Helm will also create additional service accounts and other resources for each - installed application. Consult the documentation of the Helm charts for each application - for details. +When you install Helm into your cluster, the `tiller` service account +is created with `cluster-admin` privileges in the `gitlab-managed-apps` +namespace. This service account will be added to the installed Helm Tiller and will +be used by Helm to install and run [GitLab managed applications](#installing-applications). +Helm will also create additional service accounts and other resources for each +installed application. Consult the documentation of the Helm charts for each application +for details. If you are [adding an existing Kubernetes cluster](#adding-an-existing-kubernetes-cluster), ensure the token of the account has administrator privileges for the cluster. -The following sections summarize which resources will be created on ABAC/RBAC clusters. +The resources created by GitLab differ depending on the type of cluster. + +### ABAC cluster resources + +GitLab creates the following resources for ABAC clusters. -### Attribute-based access control (ABAC) +| Name | Type | Details | Created when | +|:------------------|:---------------------|:----------------------------------|:---------------------------| +| `gitlab` | `ServiceAccount` | `default` namespace | Creating a new GKE Cluster | +| `gitlab-token` | `Secret` | Token for `gitlab` ServiceAccount | Creating a new GKE Cluster | +| `tiller` | `ServiceAccount` | `gitlab-managed-apps` namespace | Installing Helm Tiller | +| `tiller-admin` | `ClusterRoleBinding` | `cluster-admin` roleRef | Installing Helm Tiller | +| Project namespace | `ServiceAccount` | Uses namespace of Project | Deploying to a cluster | +| Project namespace | `Secret` | Token for project ServiceAccount | Deploying to a cluster | -| Name | Kind | Details | Created when | -| --- | --- | --- | --- | -| `gitlab` | `ServiceAccount` | `default` namespace | Creating a new GKE Cluster | -| `gitlab-token` | `Secret` | Token for `gitlab` ServiceAccount | Creating a new GKE Cluster | -| `tiller` | `ServiceAccount` | `gitlab-managed-apps` namespace | Installing Helm Tiller | -| `tiller-admin` | `ClusterRoleBinding` | `cluster-admin` roleRef | Installing Helm Tiller | -| Project namespace | `ServiceAccount` | Uses namespace of Project | Deploying to a cluster | -| Project namespace | `Secret` | Token for project ServiceAccount | Deploying to a cluster | +### RBAC cluster resources -### Role-based access control (RBAC) +GitLab creates the following resources for RBAC clusters. -| Name | Kind | Details | Created when | -| --- | --- | --- | --- | -| `gitlab` | `ServiceAccount` | `default` namespace | Creating a new GKE Cluster | -| `gitlab-admin` | `ClusterRoleBinding` | [`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) roleRef | Creating a new GKE Cluster | -| `gitlab-token` | `Secret` | Token for `gitlab` ServiceAccount | Creating a new GKE Cluster | -| `tiller` | `ServiceAccount` | `gitlab-managed-apps` namespace | Installing Helm Tiller | -| `tiller-admin` | `ClusterRoleBinding` | `cluster-admin` roleRef | Installing Helm Tiller | -| Project namespace | `ServiceAccount` | Uses namespace of Project | Deploying to a cluster | -| Project namespace | `Secret` | Token for project ServiceAccount | Deploying to a cluster | -| Project namespace | `RoleBinding` | [`edit`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) roleRef | Deploying to a cluster | +| Name | Type | Details | Created when | +|:------------------|:---------------------|:-----------------------------------------------------------------------------------------------------------|:---------------------------| +| `gitlab` | `ServiceAccount` | `default` namespace | Creating a new GKE Cluster | +| `gitlab-admin` | `ClusterRoleBinding` | [`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) roleRef | Creating a new GKE Cluster | +| `gitlab-token` | `Secret` | Token for `gitlab` ServiceAccount | Creating a new GKE Cluster | +| `tiller` | `ServiceAccount` | `gitlab-managed-apps` namespace | Installing Helm Tiller | +| `tiller-admin` | `ClusterRoleBinding` | `cluster-admin` roleRef | Installing Helm Tiller | +| Project namespace | `ServiceAccount` | Uses namespace of Project | Deploying to a cluster | +| Project namespace | `Secret` | Token for project ServiceAccount | Deploying to a cluster | +| Project namespace | `RoleBinding` | [`edit`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) roleRef | Deploying to a cluster | NOTE: **Note:** Project-specific resources are only created if your cluster is [managed by GitLab](#gitlab-managed-clusters). @@ -375,7 +376,7 @@ by GitLab before installing any of the applications. | [Prometheus](https://prometheus.io/docs/introduction/overview/) | 10.4+ | Prometheus is an open-source monitoring and alerting system useful to supervise your deployed applications. | [stable/prometheus](https://github.com/helm/charts/tree/master/stable/prometheus) | | [GitLab Runner](https://docs.gitlab.com/runner/) | 10.6+ | GitLab Runner is the open source project that is used to run your jobs and send the results back to GitLab. It is used in conjunction with [GitLab CI/CD](../../../ci/README.md), the open-source continuous integration service included with GitLab that coordinates the jobs. When installing the GitLab Runner via the applications, it will run in **privileged mode** by default. Make sure you read the [security implications](#security-implications) before doing so. | [runner/gitlab-runner](https://gitlab.com/charts/gitlab-runner) | | [JupyterHub](http://jupyter.org/) | 11.0+ | [JupyterHub](https://jupyterhub.readthedocs.io/en/stable/) is a multi-user service for managing notebooks across a team. [Jupyter Notebooks](https://jupyter-notebook.readthedocs.io/en/latest/) provide a web-based interactive programming environment used for data analysis, visualization, and machine learning. We use a [custom Jupyter image](https://gitlab.com/gitlab-org/jupyterhub-user-image/blob/master/Dockerfile) that installs additional useful packages on top of the base Jupyter. Authentication will be enabled only for [project members](../members/index.md) with [Developer or higher](../../permissions.md) access to the project. You will also see ready-to-use DevOps Runbooks built with Nurtch's [Rubix library](https://github.com/amit1rrr/rubix). More information on creating executable runbooks can be found in [our Nurtch documentation](runbooks/index.md#nurtch-executable-runbooks). Note that Ingress must be installed and have an IP address assigned before JupyterHub can be installed. | [jupyter/jupyterhub](https://jupyterhub.github.io/helm-chart/) | -| [Knative](https://cloud.google.com/knative) | 11.5+ | Knative provides a platform to create, deploy, and manage serverless workloads from a Kubernetes cluster. It is used in conjunction with, and includes [Istio](https://istio.io) to provide an external IP address for all programs hosted by Knative. You will be prompted to enter a wildcard domain where your applications will be exposed. Configure your DNS server to use the external IP address for that domain. For any application created and installed, they will be accessible as `<program_name>.<kubernetes_namespace>.<domain_name>`. This will require your kubernetes cluster to have [RBAC enabled](#role-based-access-control-rbac). | [knative/knative](https://storage.googleapis.com/triggermesh-charts) +| [Knative](https://cloud.google.com/knative) | 11.5+ | Knative provides a platform to create, deploy, and manage serverless workloads from a Kubernetes cluster. It is used in conjunction with, and includes [Istio](https://istio.io) to provide an external IP address for all programs hosted by Knative. You will be prompted to enter a wildcard domain where your applications will be exposed. Configure your DNS server to use the external IP address for that domain. For any application created and installed, they will be accessible as `<program_name>.<kubernetes_namespace>.<domain_name>`. This will require your kubernetes cluster to have [RBAC enabled](#rbac-cluster-resources). | [knative/knative](https://storage.googleapis.com/triggermesh-charts) With the exception of Knative, the applications will be installed in a dedicated namespace called `gitlab-managed-apps`. diff --git a/lib/gitlab/auth_logger.rb b/lib/gitlab/auth_logger.rb new file mode 100644 index 00000000000..6d3edba02b0 --- /dev/null +++ b/lib/gitlab/auth_logger.rb @@ -0,0 +1,9 @@ +# frozen_string_literal: true + +module Gitlab + class AuthLogger < Gitlab::JsonLogger + def self.file_name_noext + 'auth' + end + end +end diff --git a/lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml index 779f4b5f006..11569437cb6 100644 --- a/lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml +++ b/lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml @@ -507,23 +507,13 @@ rollout 100%: kubectl describe namespace "$KUBE_NAMESPACE" || kubectl create namespace "$KUBE_NAMESPACE" } - # Function to ensure backwards compatibility with AUTO_DEVOPS_DOMAIN - function ensure_kube_ingress_base_domain() { - if [ -z ${KUBE_INGRESS_BASE_DOMAIN+x} ] && [ -n "$AUTO_DEVOPS_DOMAIN" ] ; then - export KUBE_INGRESS_BASE_DOMAIN=$AUTO_DEVOPS_DOMAIN - fi - } - function check_kube_domain() { - ensure_kube_ingress_base_domain - if [[ -z "$KUBE_INGRESS_BASE_DOMAIN" ]]; then echo "In order to deploy or use Review Apps," - echo "AUTO_DEVOPS_DOMAIN or KUBE_INGRESS_BASE_DOMAIN variables must be set" + echo "KUBE_INGRESS_BASE_DOMAIN variables must be set" echo "From 11.8, you can set KUBE_INGRESS_BASE_DOMAIN in cluster settings" echo "or by defining a variable at group or project level." echo "You can also manually add it in .gitlab-ci.yml" - echo "AUTO_DEVOPS_DOMAIN support will be dropped on 12.0" false else true diff --git a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml index 706692e063b..abf16e5b2e7 100644 --- a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml +++ b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml @@ -40,6 +40,7 @@ sast: SAST_BRAKEMAN_LEVEL \ SAST_GOSEC_LEVEL \ SAST_FLAWFINDER_LEVEL \ + SAST_GITLEAKS_ENTROPY_LEVEL \ SAST_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \ SAST_PULL_ANALYZER_IMAGE_TIMEOUT \ SAST_RUN_ANALYZER_TIMEOUT \ diff --git a/locale/gitlab.pot b/locale/gitlab.pot index cc81e3b2e44..604b87b8438 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -5811,6 +5811,9 @@ msgstr "" msgid "Mark as resolved" msgstr "" +msgid "Mark comment as resolved" +msgstr "" + msgid "Mark this issue as a duplicate of another issue" msgstr "" @@ -8217,6 +8220,9 @@ msgstr "" msgid "Resolved all discussions." msgstr "" +msgid "Resolved by %{name}" +msgstr "" + msgid "Resolved by %{resolvedByName}" msgstr "" diff --git a/spec/lib/gitlab/ci/config_spec.rb b/spec/lib/gitlab/ci/config_spec.rb index fd2a29e4ddb..092e9f242b7 100644 --- a/spec/lib/gitlab/ci/config_spec.rb +++ b/spec/lib/gitlab/ci/config_spec.rb @@ -190,7 +190,6 @@ describe Gitlab::Ci::Config do let(:remote_file_content) do <<~HEREDOC variables: - AUTO_DEVOPS_DOMAIN: domain.example.com POSTGRES_USER: user POSTGRES_PASSWORD: testing-password POSTGRES_ENABLED: "true" @@ -232,7 +231,6 @@ describe Gitlab::Ci::Config do "bundle install --jobs $(nproc) \"${FLAGS[@]}\"" ] variables = { - AUTO_DEVOPS_DOMAIN: "domain.example.com", POSTGRES_USER: "user", POSTGRES_PASSWORD: "testing-password", POSTGRES_ENABLED: "true", diff --git a/spec/models/ci/build_spec.rb b/spec/models/ci/build_spec.rb index 5f2e8aa0baa..bc81c34f7ab 100644 --- a/spec/models/ci/build_spec.rb +++ b/spec/models/ci/build_spec.rb @@ -2604,30 +2604,6 @@ describe Ci::Build do it { is_expected.to include(ci_config_path) } end - context 'when using auto devops' do - context 'and is enabled' do - before do - project.create_auto_devops!(enabled: true, domain: 'example.com') - end - - it "includes AUTO_DEVOPS_DOMAIN" do - is_expected.to include( - { key: 'AUTO_DEVOPS_DOMAIN', value: 'example.com', public: true, masked: false }) - end - end - - context 'and is disabled' do - before do - project.create_auto_devops!(enabled: false, domain: 'example.com') - end - - it "includes AUTO_DEVOPS_DOMAIN" do - is_expected.not_to include( - { key: 'AUTO_DEVOPS_DOMAIN', value: 'example.com', public: true, masked: false }) - end - end - end - context 'when pipeline variable overrides build variable' do before do build.yaml_variables = [{ key: 'MYVAR', value: 'myvar', public: true }] diff --git a/spec/models/clusters/cluster_spec.rb b/spec/models/clusters/cluster_spec.rb index 3ee8c340bfe..f066ed6b620 100644 --- a/spec/models/clusters/cluster_spec.rb +++ b/spec/models/clusters/cluster_spec.rb @@ -557,62 +557,15 @@ describe Clusters::Cluster do end context 'with no domain on cluster' do - context 'with a project cluster' do - let(:cluster) { create(:cluster, :project, :provided_by_gcp) } - let(:project) { cluster.project } + let(:cluster) { create(:cluster, :project, :provided_by_gcp) } + let(:project) { cluster.project } - context 'with domain set at instance level' do - before do - stub_application_setting(auto_devops_domain: 'global_domain.com') - - it { is_expected.to eq('global_domain.com') } - end - end - - context 'with domain set on ProjectAutoDevops' do - before do - auto_devops = project.build_auto_devops(domain: 'legacy-ado-domain.com') - auto_devops.save - end - - it { is_expected.to eq('legacy-ado-domain.com') } - end - - context 'with domain set as environment variable on project' do - before do - variable = project.variables.build(key: 'AUTO_DEVOPS_DOMAIN', value: 'project-ado-domain.com') - variable.save - end - - it { is_expected.to eq('project-ado-domain.com') } + context 'with domain set at instance level' do + before do + stub_application_setting(auto_devops_domain: 'global_domain.com') end - context 'with domain set as environment variable on the group project' do - let(:group) { create(:group) } - - before do - project.update(parent_id: group.id) - variable = group.variables.build(key: 'AUTO_DEVOPS_DOMAIN', value: 'group-ado-domain.com') - variable.save - end - - it { is_expected.to eq('group-ado-domain.com') } - end - end - - context 'with a group cluster' do - let(:cluster) { create(:cluster, :group, :provided_by_gcp) } - - context 'with domain set as environment variable for the group' do - let(:group) { cluster.group } - - before do - variable = group.variables.build(key: 'AUTO_DEVOPS_DOMAIN', value: 'group-ado-domain.com') - variable.save - end - - it { is_expected.to eq('group-ado-domain.com') } - end + it { is_expected.to eq('global_domain.com') } end end end diff --git a/spec/models/project_auto_devops_spec.rb b/spec/models/project_auto_devops_spec.rb index b81e5610e2c..7bdd2367a68 100644 --- a/spec/models/project_auto_devops_spec.rb +++ b/spec/models/project_auto_devops_spec.rb @@ -14,65 +14,9 @@ describe ProjectAutoDevops do it { is_expected.to respond_to(:created_at) } it { is_expected.to respond_to(:updated_at) } - describe '#has_domain?' do - context 'when domain is defined' do - let(:auto_devops) { build_stubbed(:project_auto_devops, project: project, domain: 'domain.com') } - - it { expect(auto_devops).to have_domain } - end - - context 'when domain is empty' do - let(:auto_devops) { build_stubbed(:project_auto_devops, project: project, domain: '') } - - context 'when there is an instance domain specified' do - before do - allow(Gitlab::CurrentSettings).to receive(:auto_devops_domain).and_return('example.com') - end - - it { expect(auto_devops).to have_domain } - end - - context 'when there is no instance domain specified' do - before do - allow(Gitlab::CurrentSettings).to receive(:auto_devops_domain).and_return(nil) - end - - it { expect(auto_devops).not_to have_domain } - end - end - end - describe '#predefined_variables' do let(:auto_devops) { build_stubbed(:project_auto_devops, project: project, domain: domain) } - context 'when domain is defined' do - let(:domain) { 'example.com' } - - it 'returns AUTO_DEVOPS_DOMAIN' do - expect(auto_devops.predefined_variables).to include(domain_variable) - end - end - - context 'when domain is not defined' do - let(:domain) { nil } - - context 'when there is an instance domain specified' do - before do - allow(Gitlab::CurrentSettings).to receive(:auto_devops_domain).and_return('example.com') - end - - it { expect(auto_devops.predefined_variables).to include(domain_variable) } - end - - context 'when there is no instance domain specified' do - before do - allow(Gitlab::CurrentSettings).to receive(:auto_devops_domain).and_return(nil) - end - - it { expect(auto_devops.predefined_variables).not_to include(domain_variable) } - end - end - context 'when deploy_strategy is manual' do let(:auto_devops) { build_stubbed(:project_auto_devops, :manual_deployment, project: project) } let(:expected_variables) do @@ -105,10 +49,6 @@ describe ProjectAutoDevops do .not_to include("STAGING_ENABLED", "INCREMENTAL_ROLLOUT_ENABLED") end end - - def domain_variable - { key: 'AUTO_DEVOPS_DOMAIN', value: 'example.com', public: true } - end end describe '#create_gitlab_deploy_token' do diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb index 425096d7e80..08662231fdf 100644 --- a/spec/models/project_spec.rb +++ b/spec/models/project_spec.rb @@ -3975,64 +3975,6 @@ describe Project do end end - describe '#auto_devops_variables' do - set(:project) { create(:project) } - - subject { project.auto_devops_variables } - - context 'when enabled in instance settings' do - before do - stub_application_setting(auto_devops_enabled: true) - end - - context 'when domain is empty' do - before do - stub_application_setting(auto_devops_domain: nil) - end - - it 'variables does not include AUTO_DEVOPS_DOMAIN' do - is_expected.not_to include(domain_variable) - end - end - - context 'when domain is configured' do - before do - stub_application_setting(auto_devops_domain: 'example.com') - end - - it 'variables includes AUTO_DEVOPS_DOMAIN' do - is_expected.to include(domain_variable) - end - end - end - - context 'when explicitly enabled' do - context 'when domain is empty' do - before do - create(:project_auto_devops, project: project, domain: nil) - end - - it 'variables does not include AUTO_DEVOPS_DOMAIN' do - is_expected.not_to include(domain_variable) - end - end - - context 'when domain is configured' do - before do - create(:project_auto_devops, project: project, domain: 'example.com') - end - - it 'variables includes AUTO_DEVOPS_DOMAIN' do - is_expected.to include(domain_variable) - end - end - end - - def domain_variable - { key: 'AUTO_DEVOPS_DOMAIN', value: 'example.com', public: true } - end - end - describe '#latest_successful_builds_for' do let(:project) { build(:project) } diff --git a/spec/requests/rack_attack_global_spec.rb b/spec/requests/rack_attack_global_spec.rb index a12646ea222..89adbc77a7f 100644 --- a/spec/requests/rack_attack_global_spec.rb +++ b/spec/requests/rack_attack_global_spec.rb @@ -182,6 +182,17 @@ describe 'Rack Attack global throttles' do end end end + + it 'logs RackAttack info into structured logs' do + requests_per_period.times do + get url_that_does_not_require_authentication + expect(response).to have_http_status 200 + end + + expect(Gitlab::AuthLogger).to receive(:error).once + + get url_that_does_not_require_authentication + end end context 'when the throttle is disabled' do @@ -327,6 +338,17 @@ describe 'Rack Attack global throttles' do expect_rejection { get url_that_requires_authentication } end + + it 'logs RackAttack info into structured logs' do + requests_per_period.times do + get url_that_requires_authentication + expect(response).to have_http_status 200 + end + + expect(Gitlab::AuthLogger).to receive(:error).once + + get url_that_requires_authentication + end end context 'when the throttle is disabled' do |