21 files changed, 254 insertions, 92 deletions

diff --git a/config/application.rb b/config/application.rb
index 5d7c52c5d81..cad5c8bbe76 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -157,6 +157,8 @@ module Gitlab
     config.assets.paths << "#{config.root}/vendor/assets/fonts"
 
     config.assets.precompile << "print.css"
+    config.assets.precompile << "mailer.css"
+    config.assets.precompile << "mailer_client_specific.css"
     config.assets.precompile << "notify.css"
     config.assets.precompile << "mailers/*.css"
     config.assets.precompile << "page_bundles/ide.css"
@@ -247,15 +249,18 @@ module Gitlab
     end
 
     # Use caching across all environments
+    # Full list of options:
+    # https://api.rubyonrails.org/classes/ActiveSupport/Cache/RedisCacheStore.html#method-c-new
     caching_config_hash = Gitlab::Redis::Cache.params
+    caching_config_hash[:compress] = false
     caching_config_hash[:namespace] = Gitlab::Redis::Cache::CACHE_NAMESPACE
     caching_config_hash[:expires_in] = 2.weeks # Cache should not grow forever
-    if Sidekiq.server? # threaded context
-      caching_config_hash[:pool_size] = Sidekiq.options[:concurrency] + 5
+    if Sidekiq.server? || defined?(::Puma) # threaded context
+      caching_config_hash[:pool_size] = Gitlab::Redis::Cache.pool_size
       caching_config_hash[:pool_timeout] = 1
     end
 
-    config.cache_store = :redis_store, caching_config_hash
+    config.cache_store = :redis_cache_store, caching_config_hash
 
     config.active_job.queue_adapter = :sidekiq
 
diff --git a/config/dependency_decisions.yml b/config/dependency_decisions.yml
index 5346bf45473..84db15d6535 100644
--- a/config/dependency_decisions.yml
+++ b/config/dependency_decisions.yml
@@ -620,3 +620,9 @@
     :why: https://github.com/hexorx/countries/blob/master/LICENSE
     :versions: []
     :when: 2019-09-11 13:08:28.431132000 Z
+- - :whitelist
+  - "(MIT OR CC0-1.0)"
+  - :who: 
+    :why: 
+    :versions: []
+    :when: 2019-11-08 10:03:31.787226000 Z
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index f6814262b7a..a5486e450d4 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -8,7 +8,7 @@
 # If a setting requires an application restart say so in that screen.  #
 # If you change this file in a Merge Request, please also create       #
 # a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests. #
-# For more details see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/0928cfb09f43993fd9454b0b14dbd1924b1407bc/doc/settings/gitlab.yml.md #
+# For more details see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md #
 ########################################################################
 #
 #
@@ -467,6 +467,13 @@ production: &base
       # enabled: true
       # primary_api_url: http://localhost:5000/ # internal address to the primary registry, will be used by GitLab to directly communicate with primary registry API
 
+  ## Feature Flag https://docs.gitlab.com/ee/user/project/operations/feature_flags.html
+  feature_flags:
+    unleash:
+      # enabled: false
+      # url: https://gitlab.com/api/v4/feature_flags/unleash/<project_id>
+      # app_name: gitlab.com # Environment name of your GitLab instance
+      # instance_id: INSTANCE_ID
 
   #
   # 2. GitLab CI settings
@@ -494,6 +501,7 @@ production: &base
   #   bundle exec rake gitlab:ldap:check RAILS_ENV=production
   ldap:
     enabled: false
+    prevent_ldap_sign_in: false
 
     # This setting controls the number of seconds between LDAP permission checks
     # for each user. After this time has expired for a given user, their next
@@ -1024,12 +1032,6 @@ production: &base
     #  enabled: true
     #  address: localhost
     #  port: 8083
-    #  # blackout_seconds:
-    #  #   defines an interval to block healthcheck,
-    #  #   but continue accepting application requests
-    #  #   this allows Load Balancer to notice service
-    #  #   being shutdown and not interrupt any of the clients
-    #  blackout_seconds: 10
 
   ## Prometheus settings
   # Do not modify these settings here. They should be modified in /etc/gitlab/gitlab.rb
@@ -1041,6 +1043,14 @@ production: &base
     # enable: true
     # listen_address: 'localhost:9090'
 
+  shutdown:
+    #  # blackout_seconds:
+    #  #   defines an interval to block healthcheck,
+    #  #   but continue accepting application requests
+    #  #   this allows Load Balancer to notice service
+    #  #   being shutdown and not interrupt any of the clients
+    #  blackout_seconds: 10
+
   #
   # 5. Extra customization
   # ==========================
diff --git a/config/initializers/0_inflections.rb b/config/initializers/0_inflections.rb
index c0afa207ac3..7690eafdc6b 100644
--- a/config/initializers/0_inflections.rb
+++ b/config/initializers/0_inflections.rb
@@ -12,18 +12,19 @@
 ActiveSupport::Inflector.inflections do |inflect|
   inflect.uncountable %w(
     award_emoji
-    project_statistics
-    system_note_metadata
+    container_repository_registry
+    design_registry
     event_log
-    project_auto_devops
-    project_registry
     file_registry
+    group_view
     job_artifact_registry
-    container_repository_registry
-    design_registry
-    vulnerability_feedback
+    lfs_object_registry
+    project_auto_devops
+    project_registry
+    project_statistics
+    system_note_metadata
     vulnerabilities_feedback
-    group_view
+    vulnerability_feedback
   )
   inflect.acronym 'EE'
 end
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 7ee4a4e3610..df4f49524bc 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -5,6 +5,7 @@ require_relative '../smime_signature_settings'
 # Default settings
 Settings['ldap'] ||= Settingslogic.new({})
 Settings.ldap['enabled'] = false if Settings.ldap['enabled'].nil?
+Settings.ldap['prevent_ldap_sign_in'] = false if Settings.ldap['prevent_ldap_sign_in'].blank?
 
 Gitlab.ee do
   Settings.ldap['sync_time'] = 3600 if Settings.ldap['sync_time'].nil?
@@ -308,6 +309,13 @@ Gitlab.ee do
 end
 
 #
+# Unleash
+#
+Settings['feature_flags'] ||= Settingslogic.new({})
+Settings.feature_flags['unleash'] ||= Settingslogic.new({})
+Settings.feature_flags.unleash['enabled'] = false if Settings.feature_flags.unleash['enabled'].nil?
+
+#
 # External merge request diffs
 #
 Settings['external_diffs'] ||= Settingslogic.new({})
@@ -668,7 +676,12 @@ Settings.monitoring['web_exporter'] ||= Settingslogic.new({})
 Settings.monitoring.web_exporter['enabled'] ||= false
 Settings.monitoring.web_exporter['address'] ||= 'localhost'
 Settings.monitoring.web_exporter['port'] ||= 8083
-Settings.monitoring.web_exporter['blackout_seconds'] ||= 10
+
+#
+# Shutdown settings
+#
+Settings['shutdown'] ||= Settingslogic.new({})
+Settings.shutdown['blackout_seconds'] ||= 10
 
 #
 # Testing settings
diff --git a/config/initializers/7_prometheus_metrics.rb b/config/initializers/7_prometheus_metrics.rb
index 974eff1a528..d40049970c1 100644
--- a/config/initializers/7_prometheus_metrics.rb
+++ b/config/initializers/7_prometheus_metrics.rb
@@ -70,8 +70,15 @@ if defined?(::Unicorn) || defined?(::Puma)
     Gitlab::Metrics::Exporter::WebExporter.instance.start
   end
 
-  Gitlab::Cluster::LifecycleEvents.on_before_phased_restart do
-    # We need to ensure that before we re-exec server
+  # DEPRECATED: TO BE REMOVED
+  # This is needed to implement blackout period of `web_exporter`
+  # https://gitlab.com/gitlab-org/gitlab/issues/35343#note_238479057
+  Gitlab::Cluster::LifecycleEvents.on_before_blackout_period do
+    Gitlab::Metrics::Exporter::WebExporter.instance.mark_as_not_running!
+  end
+
+  Gitlab::Cluster::LifecycleEvents.on_before_graceful_shutdown do
+    # We need to ensure that before we re-exec or shutdown server
     # we do stop the exporter
     Gitlab::Metrics::Exporter::WebExporter.instance.stop
   end
diff --git a/config/initializers/database_config.rb b/config/initializers/database_config.rb
new file mode 100644
index 00000000000..d8c2821066b
--- /dev/null
+++ b/config/initializers/database_config.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+# when running on puma, scale connection pool size with the number
+# of threads per worker process
+if defined?(::Puma)
+  db_config = Gitlab::Database.config ||
+      Rails.application.config.database_configuration[Rails.env]
+  puma_options = Puma.cli_config.options
+
+  # We use either the maximum number of threads per worker process, or
+  # the user specified value, whichever is larger.
+  desired_pool_size = [db_config['pool'].to_i, puma_options[:max_threads]].max
+
+  db_config['pool'] = desired_pool_size
+
+  # recreate the connection pool from the new config
+  ActiveRecord::Base.establish_connection(db_config)
+end
diff --git a/config/initializers/health_check.rb b/config/initializers/health_check.rb
index 9f466dc39de..1496f20afc1 100644
--- a/config/initializers/health_check.rb
+++ b/config/initializers/health_check.rb
@@ -8,3 +8,15 @@ HealthCheck.setup do |config|
     end
   end
 end
+
+Gitlab::Cluster::LifecycleEvents.on_before_fork do
+  Gitlab::HealthChecks::MasterCheck.register_master
+end
+
+Gitlab::Cluster::LifecycleEvents.on_before_blackout_period do
+  Gitlab::HealthChecks::MasterCheck.finish_master
+end
+
+Gitlab::Cluster::LifecycleEvents.on_worker_start do
+  Gitlab::HealthChecks::MasterCheck.register_worker
+end
diff --git a/config/initializers/lograge.rb b/config/initializers/lograge.rb
index d5d4c589884..769ef2af0e7 100644
--- a/config/initializers/lograge.rb
+++ b/config/initializers/lograge.rb
@@ -10,6 +10,11 @@ unless Sidekiq.server?
     # unmaintained gem that monkey patches `Time`
     config.lograge.formatter = Lograge::Formatters::Json.new
     config.lograge.logger = ActiveSupport::Logger.new(filename)
+    config.lograge.before_format = lambda do |data, payload|
+      data.delete(:error)
+      data
+    end
+
     # Add request parameters to log output
     config.lograge.custom_options = lambda do |event|
       params = event.payload[:params]
@@ -36,6 +41,20 @@ unless Sidekiq.server?
         payload[:cpu_s] = cpu_s
       end
 
+      # https://github.com/roidrage/lograge#logging-errors--exceptions
+      exception = event.payload[:exception_object]
+
+      if exception
+        payload[:exception] = {
+          class: exception.class.name,
+          message: exception.message
+        }
+
+        if exception.backtrace
+          payload[:exception][:backtrace] = Gitlab::Profiler.clean_backtrace(exception.backtrace)
+        end
+      end
+
       payload
     end
   end
diff --git a/config/initializers/rack_attack_git_basic_auth.rb b/config/initializers/rack_attack_git_basic_auth.rb
index 6a721826170..71e5e2969ce 100644
--- a/config/initializers/rack_attack_git_basic_auth.rb
+++ b/config/initializers/rack_attack_git_basic_auth.rb
@@ -1,14 +1,14 @@
-rack_attack_enabled = Gitlab.config.rack_attack.git_basic_auth['enabled']
+# Tell the Rack::Attack Rack middleware to maintain an IP blacklist.
+# We update the blacklist in Gitlab::Auth::IpRateLimiter.
+Rack::Attack.blocklist('Git HTTP Basic Auth') do |req|
+  rate_limiter = Gitlab::Auth::IpRateLimiter.new(req.ip)
 
-unless Rails.env.test? || !rack_attack_enabled
-  # Tell the Rack::Attack Rack middleware to maintain an IP blacklist. We will
-  # update the blacklist from Grack::Auth#authenticate_user.
-  Rack::Attack.blacklist('Git HTTP Basic Auth') do |req|
-    Rack::Attack::Allow2Ban.filter(req.ip, Gitlab.config.rack_attack.git_basic_auth) do
-      # This block only gets run if the IP was not already banned.
-      # Return false, meaning that we do not see anything wrong with the
-      # request at this time
-      false
-    end
+  next false if !rate_limiter.enabled? || rate_limiter.trusted_ip?
+
+  Rack::Attack::Allow2Ban.filter(req.ip, Gitlab.config.rack_attack.git_basic_auth) do
+    # This block only gets run if the IP was not already banned.
+    # Return false, meaning that we do not see anything wrong with the
+    # request at this time
+    false
   end
 end
diff --git a/config/initializers/rack_attack_logging.rb b/config/initializers/rack_attack_logging.rb
index be7c2175cb2..a95cb09755b 100644
--- a/config/initializers/rack_attack_logging.rb
+++ b/config/initializers/rack_attack_logging.rb
@@ -2,8 +2,10 @@
 #
 # Adds logging for all Rack Attack blocks and throttling events.
 
-ActiveSupport::Notifications.subscribe('rack.attack') do |name, start, finish, request_id, req|
-  if [:throttle, :blacklist].include? req.env['rack.attack.match_type']
+ActiveSupport::Notifications.subscribe(/rack_attack/) do |name, start, finish, request_id, payload|
+  req = payload[:request]
+
+  if [:throttle, :blocklist].include? req.env['rack.attack.match_type']
     rack_attack_info = {
       message: 'Rack_Attack',
       env: req.env['rack.attack.match_type'],
diff --git a/config/initializers/rack_attack_new.rb b/config/initializers/rack_attack_new.rb
index b0f7febe427..92a8bf79432 100644
--- a/config/initializers/rack_attack_new.rb
+++ b/config/initializers/rack_attack_new.rb
@@ -39,45 +39,65 @@ module Gitlab::Throttle
 end
 
 class Rack::Attack
+  # Order conditions by how expensive they are:
+  # 1. The most expensive is the `req.unauthenticated?` and
+  #    `req.authenticated_user_id` as it performs an expensive
+  #    DB/Redis query to validate the request
+  # 2. Slightly less expensive is the need to query DB/Redis
+  #    to unmarshal settings (`Gitlab::Throttle.settings`)
+  #
+  # We deliberately skip `/-/health|liveness|readiness`
+  # from Rack Attack as they need to always be accessible
+  # by Load Balancer and additional measure is implemented
+  # (token and whitelisting) to prevent abuse.
   throttle('throttle_unauthenticated', Gitlab::Throttle.unauthenticated_options) do |req|
-    Gitlab::Throttle.settings.throttle_unauthenticated_enabled &&
-      req.unauthenticated? &&
-      !req.should_be_skipped? &&
+    if !req.should_be_skipped? &&
+        Gitlab::Throttle.settings.throttle_unauthenticated_enabled &&
+        req.unauthenticated?
       req.ip
+    end
   end
 
   throttle('throttle_authenticated_api', Gitlab::Throttle.authenticated_api_options) do |req|
-    Gitlab::Throttle.settings.throttle_authenticated_api_enabled &&
-      req.api_request? &&
+    if req.api_request? &&
+        Gitlab::Throttle.settings.throttle_authenticated_api_enabled
       req.authenticated_user_id([:api])
+    end
   end
 
   throttle('throttle_authenticated_web', Gitlab::Throttle.authenticated_web_options) do |req|
-    Gitlab::Throttle.settings.throttle_authenticated_web_enabled &&
-      req.web_request? &&
+    if req.web_request? &&
+        Gitlab::Throttle.settings.throttle_authenticated_web_enabled
       req.authenticated_user_id([:api, :rss, :ics])
+    end
   end
 
   throttle('throttle_unauthenticated_protected_paths', Gitlab::Throttle.protected_paths_options) do |req|
-    Gitlab::Throttle.protected_paths_enabled? &&
-      req.unauthenticated? &&
-      !req.should_be_skipped? &&
-      req.protected_path? &&
+    if req.post? &&
+        !req.should_be_skipped? &&
+        req.protected_path? &&
+        Gitlab::Throttle.protected_paths_enabled? &&
+        req.unauthenticated?
       req.ip
+    end
   end
 
   throttle('throttle_authenticated_protected_paths_api', Gitlab::Throttle.protected_paths_options) do |req|
-    Gitlab::Throttle.protected_paths_enabled? &&
-      req.api_request? &&
-      req.protected_path? &&
+    if req.post? &&
+        req.api_request? &&
+        req.protected_path? &&
+        Gitlab::Throttle.protected_paths_enabled?
       req.authenticated_user_id([:api])
+    end
   end
 
   throttle('throttle_authenticated_protected_paths_web', Gitlab::Throttle.protected_paths_options) do |req|
-    Gitlab::Throttle.protected_paths_enabled? &&
-      req.web_request? &&
-      req.protected_path? &&
+    if req.post? &&
+        req.web_request? &&
+        req.protected_path? &&
+        Gitlab::Throttle.protected_paths_enabled?
       req.authenticated_user_id([:api, :rss, :ics])
+    end
   end
 
   class Request
@@ -97,12 +117,16 @@ class Rack::Attack
       path =~ %r{^/api/v\d+/internal/}
     end
 
+    def health_check_request?
+      path =~ %r{^/-/(health|liveness|readiness)}
+    end
+
     def should_be_skipped?
-      api_internal_request?
+      api_internal_request? || health_check_request?
     end
 
     def web_request?
-      !api_request?
+      !api_request? && !health_check_request?
     end
 
     def protected_path?
diff --git a/config/initializers/validate_puma.rb b/config/initializers/validate_puma.rb
new file mode 100644
index 00000000000..64bd6e7bbc1
--- /dev/null
+++ b/config/initializers/validate_puma.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+if defined?(::Puma) && ::Puma.cli_config.options[:workers].to_i.zero?
+  raise 'Puma is only supported in Cluster-mode: workers > 0'
+end
diff --git a/config/locales/en.yml b/config/locales/en.yml
index eff015459e3..950529f0355 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -19,6 +19,7 @@ en:
       project/grafana_integration:
         token: "Grafana HTTP API Token"
         grafana_url: "Grafana API URL"
+        grafana_enabled: "Grafana integration enabled"
   views:
     pagination:
       previous: "Prev"
diff --git a/config/puma.example.development.rb b/config/puma.example.development.rb
index f23ccc23c9a..6f686437f88 100644
--- a/config/puma.example.development.rb
+++ b/config/puma.example.development.rb
@@ -14,9 +14,13 @@ rackup 'config.ru'
 pidfile '/home/git/gitlab/tmp/pids/puma.pid'
 state_path '/home/git/gitlab/tmp/pids/puma.state'
 
-stdout_redirect '/home/git/gitlab/log/puma.stdout.log',
-  '/home/git/gitlab/log/puma.stderr.log',
-  true
+## Uncomment the lines if you would like to write puma stdout & stderr streams
+## to a different location than rails logs.
+## When using GitLab Development Kit, by default, these logs will be consumed
+## by runit and can be accessed using `gdk tail rails-web`
+# stdout_redirect '/home/git/gitlab/log/puma.stdout.log',
+#  '/home/git/gitlab/log/puma.stderr.log',
+#  true
 
 # Configure "min" to be the minimum number of threads to use to answer
 # requests and "max" the maximum.
diff --git a/config/routes.rb b/config/routes.rb
index 5bfae777f17..9fb4d94f068 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -57,7 +57,7 @@ Rails.application.routes.draw do
 
   # Sign up
   get 'users/sign_up/welcome' => 'registrations#welcome'
-  patch 'users/sign_up/update_role' => 'registrations#update_role'
+  patch 'users/sign_up/update_registration' => 'registrations#update_registration'
 
   # Search
   get 'search' => 'search#show'
@@ -142,6 +142,13 @@ Rails.application.routes.draw do
       collection do
         post :create_user
         post :create_gcp
+        post :create_aws
+        post :authorize_aws_role
+        delete :revoke_aws_role
+
+        scope :aws do
+          get 'api/:resource', to: 'clusters#aws_proxy', as: :aws_proxy
+        end
       end
 
       member do
diff --git a/config/routes/group.rb b/config/routes/group.rb
index 093cde64c85..437c80b8c92 100644
--- a/config/routes/group.rb
+++ b/config/routes/group.rb
@@ -62,6 +62,8 @@ constraints(::Constraints::GroupUrlConstrainer.new) do
       delete :leave, on: :collection
     end
 
+    resources :group_links, only: [:index, :create, :update, :destroy], constraints: { id: /\d+/ }
+
     resources :uploads, only: [:create] do
       collection do
         get ":secret/:filename", action: :show, as: :show, constraints: { filename: %r{[^/]+} }
diff --git a/config/routes/project.rb b/config/routes/project.rb
index 7d51cfd6dee..3f913683b00 100644
--- a/config/routes/project.rb
+++ b/config/routes/project.rb
@@ -179,7 +179,7 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
           end
         end
 
-        resources :releases, only: [:index]
+        resources :releases, only: [:index, :edit], param: :tag, constraints: { tag: %r{[^/]+} }
         resources :starrers, only: [:index]
         resources :forks, only: [:index, :new, :create]
         resources :group_links, only: [:index, :create, :update, :destroy], constraints: { id: /\d+/ }
@@ -187,9 +187,35 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
         resource :import, only: [:new, :create, :show]
         resource :avatar, only: [:show, :destroy]
 
-        get 'grafana/proxy/:datasource_id/*proxy_path',
-            to: 'grafana_api#proxy',
-            as: :grafana_api
+        scope :grafana, as: :grafana_api do
+          get 'proxy/:datasource_id/*proxy_path', to: 'grafana_api#proxy'
+          get :metrics_dashboard, to: 'grafana_api#metrics_dashboard'
+        end
+
+        resource :mattermost, only: [:new, :create]
+        resource :variables, only: [:show, :update]
+        resources :triggers, only: [:index, :create, :edit, :update, :destroy]
+
+        resource :mirror, only: [:show, :update] do
+          member do
+            get :ssh_host_keys, constraints: { format: :json }
+            post :update_now
+          end
+        end
+
+        resource :cycle_analytics, only: [:show]
+
+        namespace :cycle_analytics do
+          scope :events, controller: 'events' do
+            get :issue
+            get :plan
+            get :code
+            get :test
+            get :review
+            get :staging
+            get :production
+          end
+        end
       end
       # End of the /-/ scope.
 
@@ -222,6 +248,7 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
         resources :domains, except: :index, controller: 'pages_domains', constraints: { id: %r{[^/]+} } do
           member do
             post :verify
+            delete :clean_certificate
           end
         end
       end
@@ -233,8 +260,6 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
         end
       end
 
-      resource :mattermost, only: [:new, :create]
-
       namespace :prometheus do
         resources :metrics, constraints: { id: %r{[^\/]+} }, only: [:index, :new, :create, :edit, :update, :destroy] do
           get :active_common, on: :collection
@@ -274,6 +299,7 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
           get :discussions, format: :json
           post :rebase
           get :test_reports
+          get :exposed_artifacts
 
           scope constraints: { format: nil }, action: :show do
             get :commits, defaults: { tab: 'commits' }
@@ -361,17 +387,6 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
         put '/service_desk' => 'service_desk#update', as: :service_desk_refresh
       end
 
-      resource :variables, only: [:show, :update]
-
-      resources :triggers, only: [:index, :create, :edit, :update, :destroy]
-
-      resource :mirror, only: [:show, :update] do
-        member do
-          get :ssh_host_keys, constraints: { format: :json }
-          post :update_now
-        end
-      end
-
       Gitlab.ee do
         resources :push_rules, constraints: { id: /\d+/ }, only: [:update]
       end
@@ -430,6 +445,7 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
 
           Gitlab.ee do
             get :logs
+            get '/pods/(:pod_name)/containers/(:container_name)/logs', to: 'environments#k8s_pod_logs', as: :k8s_pod_logs
           end
         end
 
@@ -437,6 +453,10 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
           get :metrics, action: :metrics_redirect
           get :folder, path: 'folders/*id', constraints: { format: /(html|json)/ }
           get :search
+
+          Gitlab.ee do
+            get :logs, action: :logs_redirect
+          end
         end
 
         resources :deployments, only: [:index] do
@@ -455,20 +475,6 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
         end
       end
 
-      resource :cycle_analytics, only: [:show]
-
-      namespace :cycle_analytics do
-        scope :events, controller: 'events' do
-          get :issue
-          get :plan
-          get :code
-          get :test
-          get :review
-          get :staging
-          get :production
-        end
-      end
-
       namespace :serverless do
         scope :functions do
           get '/:environment_id/:id', to: 'functions#show'
@@ -609,10 +615,20 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
 
       resources :error_tracking, only: [:index], controller: :error_tracking do
         collection do
+          get ':issue_id/details',
+              to: 'error_tracking#details',
+              as: 'details'
+          get ':issue_id/stack_trace',
+              to: 'error_tracking#stack_trace',
+              as: 'stack_trace'
           post :list_projects
         end
       end
 
+      scope :usage_ping, controller: :usage_ping do
+        post :web_ide_clientside_preview
+      end
+
       # Since both wiki and repository routing contains wildcard characters
       # its preferable to keep it below all other project routes
       draw :wiki
@@ -648,7 +664,7 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
 
   # Legacy routes.
   # Introduced in 12.0.
-  # Should be removed after 12.1
+  # Should be removed with https://gitlab.com/gitlab-org/gitlab/issues/28848.
   scope(path: '*namespace_id',
         as: :namespace,
         namespace_id: Gitlab::PathRegex.full_namespace_route_regex) do
@@ -660,7 +676,8 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
                                             :network, :graphs, :autocomplete_sources,
                                             :project_members, :deploy_keys, :deploy_tokens,
                                             :labels, :milestones, :services, :boards, :releases,
-                                            :forks, :group_links, :import, :avatar)
+                                            :forks, :group_links, :import, :avatar, :mirror,
+                                            :cycle_analytics, :mattermost, :variables, :triggers)
     end
   end
 end
diff --git a/config/routes/user.rb b/config/routes/user.rb
index d4616c8080d..31af321d2b2 100644
--- a/config/routes/user.rb
+++ b/config/routes/user.rb
@@ -13,7 +13,7 @@ def override_omniauth(provider, controller, path_prefix = '/users/auth')
 end
 
 # Use custom controller for LDAP omniauth callback
-if Gitlab::Auth::LDAP::Config.enabled?
+if Gitlab::Auth::LDAP::Config.sign_in_enabled?
   devise_scope :user do
     Gitlab::Auth::LDAP::Config.available_servers.each do |server|
       override_omniauth(server['provider_name'], 'ldap/omniauth_callbacks')
@@ -55,6 +55,7 @@ scope(constraints: { username: Gitlab::PathRegex.root_namespace_route_regex }) d
     get :starred, as: :starred_projects
     get :snippets
     get :exists
+    get :suggests
     get :activity
     get '/', to: redirect('%{username}'), as: nil
   end
diff --git a/config/sidekiq_queues.yml b/config/sidekiq_queues.yml
index b97e8ad67c9..b4be61d8a3d 100644
--- a/config/sidekiq_queues.yml
+++ b/config/sidekiq_queues.yml
@@ -98,8 +98,10 @@
   - [update_namespace_statistics, 1]
   - [chaos, 2]
   - [create_evidence, 2]
+  - [group_export, 1]
 
   # EE-specific queues
+  - [analytics, 1]
   - [ldap_group_sync, 2]
   - [create_github_webhook, 2]
   - [geo, 1]
@@ -120,3 +122,4 @@
   - [update_external_pull_requests, 3]
   - [refresh_license_compliance_checks, 2]
   - [design_management_new_version, 1]
+  - [epics, 2]
diff --git a/config/webpack.config.js b/config/webpack.config.js
index 25fb6cc5f5a..9c7a3f42c97 100644
--- a/config/webpack.config.js
+++ b/config/webpack.config.js
@@ -73,7 +73,7 @@ function generateEntries() {
 
   const manualEntries = {
     default: defaultEntries,
-    raven: './raven/index.js',
+    sentry: './sentry/index.js',
   };
 
   return Object.assign(manualEntries, autoEntries);
@@ -300,6 +300,11 @@ module.exports = {
         to: path.join(ROOT_PATH, 'public/assets/webpack/cmaps/'),
       },
       {
+        from: path.join(ROOT_PATH, 'node_modules/@sourcegraph/code-host-integration/'),
+        to: path.join(ROOT_PATH, 'public/assets/webpack/sourcegraph/'),
+        ignore: ['package.json'],
+      },
+      {
         from: path.join(
           ROOT_PATH,
           'node_modules/@gitlab/visual-review-tools/dist/visual_review_toolbar.js',