diff options
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/api/applications.md | 37 | ||||
| -rw-r--r-- | doc/ci/examples/dast.md | 21 | ||||
| -rw-r--r-- | doc/ci/yaml/README.md | 2 | ||||
| -rw-r--r-- | doc/development/fe_guide/axios.md | 21 | ||||
| -rw-r--r-- | doc/development/performance.md | 3 | ||||
| -rw-r--r-- | doc/development/profiling.md | 45 | ||||
| -rw-r--r-- | doc/development/testing_guide/best_practices.md | 2 | ||||
| -rw-r--r-- | doc/raketasks/backup_restore.md | 24 | ||||
| -rw-r--r-- | doc/security/rack_attack.md | 136 | ||||
| -rw-r--r-- | doc/topics/autodevops/index.md | 56 | ||||
| -rw-r--r-- | doc/user/project/clusters/index.md | 276 | ||||
| -rw-r--r-- | doc/user/project/integrations/kubernetes.md | 10 | ||||
| -rw-r--r-- | doc/user/project/pipelines/img/pipeline_schedule_play.png | bin | 0 -> 39142 bytes | |||
| -rw-r--r-- | doc/user/project/pipelines/img/pipeline_schedules_list.png | bin | 14665 -> 38034 bytes | |||
| -rw-r--r-- | doc/user/project/pipelines/schedules.md | 15 |
15 files changed, 538 insertions, 110 deletions
diff --git a/doc/api/applications.md b/doc/api/applications.md new file mode 100644 index 00000000000..933867ed0bb --- /dev/null +++ b/doc/api/applications.md @@ -0,0 +1,37 @@ +# Applications API + +> [Introduced][ce-8160] in GitLab 10.5 + +[ce-8160]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/8160 + +## Create a application + +Create a application by posting a JSON payload. + +User must be admin to do that. + +Returns `200` if the request succeeds. + +``` +POST /applications +``` + +| Attribute | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `name` | string | yes | The name of the application | +| `redirect_uri` | string | yes | The redirect URI of the application | +| `scopes` | string | yes | The scopes of the application | + +```bash +curl --request POST --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" --data "name=MyApplication&redirect_uri=http://redirect.uri&scopes=" https://gitlab.example.com/api/v3/applications +``` + +Example response: + +```json +{ + "application_id": "5832fc6e14300a0d962240a8144466eef4ee93ef0d218477e55f11cf12fc3737", + "secret": "ee1dd64b6adc89cf7e2c23099301ccc2c61b441064e9324d963c46902a85ec34", + "callback_url": "http://redirect.uri" +} +``` diff --git a/doc/ci/examples/dast.md b/doc/ci/examples/dast.md index 16ff8d5bb3e..7bf647bbb8b 100644 --- a/doc/ci/examples/dast.md +++ b/doc/ci/examples/dast.md @@ -1,11 +1,12 @@ # Dynamic Application Security Testing with GitLab CI/CD -This example shows how to run [Dynamic Application Security Testing (DAST)](https://en.wikipedia.org/wiki/Dynamic_program_analysis) -on your project's source code by using GitLab CI/CD. +is using the popular open source tool [OWASP ZAProxy](https://github.com/zaproxy/zaproxy) +to perform an analysis on your running web application. -DAST is using the popular open source tool -[OWASP ZAProxy](https://github.com/zaproxy/zaproxy) to perform an analysis. +It can be very useful combined with [Review Apps](../review_apps/index.md). + +## Example All you need is a GitLab Runner with the Docker executor (the shared Runners on GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`, @@ -14,22 +15,26 @@ called `dast`: ```yaml dast: image: owasp/zap2docker-stable + variables: + website: "https://example.com" script: - mkdir /zap/wrk/ - - /zap/zap-baseline.py -J gl-dast-report.json -t https://example.com || true + - /zap/zap-baseline.py -J gl-dast-report.json -t $website || true - cp /zap/wrk/gl-dast-report.json . artifacts: paths: [gl-dast-report.json] ``` -The above example will create a `dast` job in your CI pipeline and will allow -you to download and analyze the report artifact in JSON format. +The above example will create a `dast` job in your CI/CD pipeline which will run +the tests on the URL defined in the `website` variable (change it to use your +own) and finally write the results in the `gl-dast-report.json` file. You can +then download and analyze the report artifact in JSON format. TIP: **Tip:** Starting with [GitLab Enterprise Edition Ultimate][ee] 10.4, this information will be automatically extracted and shown right in the merge request widget. To do so, the CI job must be named `dast` and the artifact path must be `gl-dast-report.json`. -[Learn more on dynamic application security testing results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/dast.html). +[Learn more about DAST results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/dast.html). [ee]: https://about.gitlab.com/gitlab-ee/ diff --git a/doc/ci/yaml/README.md b/doc/ci/yaml/README.md index 82052cc0376..4a650303d45 100644 --- a/doc/ci/yaml/README.md +++ b/doc/ci/yaml/README.md @@ -1293,7 +1293,7 @@ to the CI pipeline: ```yaml variables: GIT_STRATEGY: clone - GIT_CHECKOUT: false + GIT_CHECKOUT: "false" script: - git checkout master - git merge $CI_BUILD_REF_NAME diff --git a/doc/development/fe_guide/axios.md b/doc/development/fe_guide/axios.md index 34fa684c5d6..0d9397c3bd5 100644 --- a/doc/development/fe_guide/axios.md +++ b/doc/development/fe_guide/axios.md @@ -27,10 +27,23 @@ This exported module should be used instead of directly using `axios` to ensure }); ``` -## Mock axios response on tests +## Mock axios response in tests -To help us mock the responses we need we use [axios-mock-adapter][axios-mock-adapter] +To help us mock the responses we are using [axios-mock-adapter][axios-mock-adapter]. +Advantages over [`spyOn()`]: + +- no need to create response objects +- does not allow call through (which we want to avoid) +- simple API to test error cases +- provides `replyOnce()` to allow for different responses + +We have also decided against using [axios interceptors] because they are not suitable for mocking. + +[axios interceptors]: https://github.com/axios/axios#interceptors +[`spyOn()`]: https://jasmine.github.io/api/edge/global.html#spyOn + +### Example ```javascript import axios from '~/lib/utils/axios_utils'; @@ -50,11 +63,11 @@ To help us mock the responses we need we use [axios-mock-adapter][axios-mock-ada }); afterEach(() => { - mock.reset(); + mock.restore(); }); ``` -### Mock poll requests on tests with axios +### Mock poll requests in tests with axios Because polling function requires a header object, we need to always include an object as the third argument: diff --git a/doc/development/performance.md b/doc/development/performance.md index e7c5a6ca07a..c4162a05b77 100644 --- a/doc/development/performance.md +++ b/doc/development/performance.md @@ -36,7 +36,8 @@ graphs/dashboards. GitLab provides built-in tools to aid the process of improving performance: -* [Sherlock](profiling.md#sherlock) +* [Profiling](profiling.md) + * [Sherlock](profiling.md#sherlock) * [GitLab Performance Monitoring](../administration/monitoring/performance/index.md) * [Request Profiling](../administration/monitoring/performance/request_profiling.md) * [QueryRecoder](query_recorder.md) for preventing `N+1` regressions diff --git a/doc/development/profiling.md b/doc/development/profiling.md index af79353b721..97c997e0568 100644 --- a/doc/development/profiling.md +++ b/doc/development/profiling.md @@ -4,6 +4,41 @@ To make it easier to track down performance problems GitLab comes with a set of profiling tools, some of these are available by default while others need to be explicitly enabled. +## Profiling a URL + +There is a `Gitlab::Profiler.profile` method, and corresponding +`bin/profile-url` script, that enable profiling a GET or POST request to a +specific URL, either as an anonymous user (the default) or as a specific user. + +When using the script, command-line documentation is available by passing no +arguments. + +When using the method in an interactive console session, any changes to the +application code within that console session will be reflected in the profiler +output. + +For example: + +```ruby +Gitlab::Profiler.profile('/my-user') +# Returns a RubyProf::Profile for the regular operation of this request +class UsersController; def show; sleep 100; end; end +Gitlab::Profiler.profile('/my-user') +# Returns a RubyProf::Profile where 100 seconds is spent in UsersController#show +``` + +Passing a `logger:` keyword argument to `Gitlab::Profiler.profile` will send +ActiveRecord and ActionController log output to that logger. Further options are +documented with the method source. + +[GitLab-Profiler](https://gitlab.com/gitlab-com/gitlab-profiler) is a project +that builds on this to add some additional niceties, such as allowing +configuration with a single Yaml file for multiple URLs, and uploading of the +profile and log output to S3. + +For GitLab.com, you can find the latest results here: +<http://redash.gitlab.com/dashboard/gitlab-profiler-statistics> + ## Sherlock Sherlock is a custom profiling tool built into GitLab. Sherlock is _only_ @@ -27,13 +62,3 @@ Bullet will log query problems to both the Rails log as well as the Chrome console. As a follow up to finding `N+1` queries with Bullet, consider writing a [QueryRecoder test](query_recorder.md) to prevent a regression. - -## GitLab Profiler - - -[Gitlab-Profiler](https://gitlab.com/gitlab-com/gitlab-profiler) was built to -help developers understand why specific URLs of their application may be slow -and to provide hard data that can help reduce load times. - -For GitLab.com, you can find the latest results here: -<http://redash.gitlab.com/dashboard/gitlab-profiler-statistics> diff --git a/doc/development/testing_guide/best_practices.md b/doc/development/testing_guide/best_practices.md index f5e8b4f146f..df80cd9f584 100644 --- a/doc/development/testing_guide/best_practices.md +++ b/doc/development/testing_guide/best_practices.md @@ -88,6 +88,8 @@ Finished in 34.51 seconds (files took 0.76702 seconds to load) 1 example, 0 failures ``` +Note: `live_debug` only works on javascript enabled specs. + ### `let` variables GitLab's RSpec suite has made extensive use of `let` variables to reduce diff --git a/doc/raketasks/backup_restore.md b/doc/raketasks/backup_restore.md index 50bb665216e..76f33b765d3 100644 --- a/doc/raketasks/backup_restore.md +++ b/doc/raketasks/backup_restore.md @@ -169,6 +169,30 @@ For Omnibus GitLab packages: 1. [Reconfigure GitLab] for the changes to take effect +#### Digital Ocean Spaces and other S3-compatible providers + +Not all S3 providers are fully-compatible with the Fog library. For example, +if you see `411 Length Required` errors after attempting to upload, you may +need to downgrade the `aws_signature_version` value from the default value to +2 [due to this issue](https://github.com/fog/fog-aws/issues/428). + +1. For example, with [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces/), +this example configuration can be used for a bucket in Amsterdam (AMS3): + + ```ruby + gitlab_rails['backup_upload_connection'] = { + 'provider' => 'AWS', + 'region' => 'ams3', + 'aws_access_key_id' => 'AKIAKIAKI', + 'aws_secret_access_key' => 'secret123', + 'aws_signature_version' => 2, + 'endpoint' => 'https://ams3.digitaloceanspaces.com' + } + gitlab_rails['backup_upload_remote_directory'] = 'my.s3.bucket' + ``` + +1. [Reconfigure GitLab] for the changes to take effect + --- For installations from source: diff --git a/doc/security/rack_attack.md b/doc/security/rack_attack.md index 92066997be8..c61729581e8 100644 --- a/doc/security/rack_attack.md +++ b/doc/security/rack_attack.md @@ -1,25 +1,135 @@ -# Rack attack +# Rack Attack -To prevent abusive clients doing damage GitLab uses rack-attack gem. +Rack Attack, also known as Rack::Attack, is [a rubygem](https://github.com/kickstarter/rack-attack) +that is meant to protect GitLab with the ability to customize throttling and +blocking user IPs. +You can prevent brute-force passwords attacks, scrapers, or any other offenders +by throttling requests from IP addresses making large volumes of requests. +In case you find throttling is not enough to protect you against abusive clients, +Rack Attack offers IP whitelisting, blacklisting, Fail2ban style filtering and +tracking. -If you installed or upgraded GitLab by following the official guides this should be enabled by default. +By default, user sign-in, user sign-up (if enabled), and user password reset is +limited to 6 requests per minute. After trying for 6 times, the client will +have to wait for the next minute to be able to try again. -If you are missing `config/initializers/rack_attack.rb` the following steps need to be taken in order to enable protection for your GitLab instance: +If you installed or upgraded GitLab by following the [official guides](../install/README.md) +this should be enabled by default. If your instance is not exposed to any incoming +connections, it is recommended to disable Rack Attack. -1. In config/application.rb find and uncomment the following line: +For more information on how to use these options check out +[rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md). - config.middleware.use Rack::Attack +## Settings -1. Rename `config/initializers/rack_attack.rb.example` to `config/initializers/rack_attack.rb`. +**Omnibus GitLab** -1. Review the `paths_to_be_protected` and add any other path you need protecting. +1. Open `/etc/gitlab/gitlab.rb` with you editor +1. Add the following: -1. Restart GitLab instance. + ```ruby + gitlab_rails['rack_attack_git_basic_auth'] = { + 'enabled' => true, + 'ip_whitelist' => ["127.0.0.1"], + 'maxretry' => 10, + 'findtime' => 60, + 'bantime' => 3600 + } + ``` -By default, user sign-in, user sign-up(if enabled) and user password reset is limited to 6 requests per minute. After trying for 6 times, client will have to wait for the next minute to be able to try again. These settings can be found in `config/initializers/rack_attack.rb` +3. Reconfigure GitLab: -If you want more restrictive/relaxed throttle rule change the `limit` or `period` values. For example, more relaxed throttle rule will be if you set limit: 3 and period: 1.second(this will allow 3 requests per second). You can also add other paths to the protected list by adding to `paths_to_be_protected` variable. If you change any of these settings do not forget to restart your GitLab instance. + ``` + sudo gitlab-ctl reconfigure + ``` -In case you find throttling is not enough to protect you against abusive clients, rack-attack gem offers IP whitelisting, blacklisting, Fail2ban style filter and tracking. +The following settings can be configured: -For more information on how to use these options check out [rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md). +- `enabled`: By default this is set to `true`. Set this to `false` to disable Rack Attack. +- `ip_whitelist`: Whitelist any IPs from being blocked. They must be formatted as strings within a ruby array. + For example, `["127.0.0.1", "127.0.0.2", "127.0.0.3"]`. +- `maxretry`: The maximum amount of times a request can be made in the + specified time. +- `findtime`: The maximum amount of time failed requests can count against an IP + before it's blacklisted. +- `bantime`: The total amount of time that a blacklisted IP will be blocked in + seconds. + +**Installations from source** + +These settings can be found in `config/initializers/rack_attack.rb`. If you are +missing `config/initializers/rack_attack.rb`, the following steps need to be +taken in order to enable protection for your GitLab instance: + +1. In `config/application.rb` find and uncomment the following line: + + ```ruby + config.middleware.use Rack::Attack + ``` + +1. Copy `config/initializers/rack_attack.rb.example` to `config/initializers/rack_attack.rb` +1. Open `config/initializers/rack_attack.rb`, review the + `paths_to_be_protected`, and add any other path you need protecting +1. Restart GitLab: + + ```sh + sudo service gitlab restart + ``` + +If you want more restrictive/relaxed throttle rules, edit +`config/initializers/rack_attack.rb` and change the `limit` or `period` values. +For example, more relaxed throttle rules will be if you set +`limit: 3` and `period: 1.seconds` (this will allow 3 requests per second). +You can also add other paths to the protected list by adding to `paths_to_be_protected` +variable. If you change any of these settings do not forget to restart your +GitLab instance. + +## Remove blocked IPs from Rack Attack via Redis + +In case you want to remove a blocked IP, follow these steps: + +1. Find the IPs that have been blocked in the production log: + + ```sh + grep "Rack_Attack" /var/log/gitlab/gitlab-rails/production.log + ``` + +2. Since the blacklist is stored in Redis, you need to open up `redis-cli`: + + ```sh + /opt/gitlab/embedded/bin/redis-cli -s /var/opt/gitlab/redis/redis.socket + ``` + +3. You can remove the block using the following syntax, replacing `<ip>` with + the actual IP that is blacklisted: + + ``` + del cache:gitlab:rack::attack:allow2ban:ban:<ip> + ``` + +4. Confirm that the key with the IP no longer shows up: + + ``` + keys *rack::attack* + ``` + +5. Optionally, add the IP to the whitelist to prevent it from being blacklisted + again (see [settings](#settings)). + +## Troubleshooting + +### Rack attack is blacklisting the load balancer + +Rack Attack may block your load balancer if all traffic appears to come from +the load balancer. In that case, you will need to: + +1. [Configure `nginx[real_ip_trusted_addresses]`](https://docs.gitlab.com/omnibus/settings/nginx.html#configuring-gitlab-trusted_proxies-and-the-nginx-real_ip-module). + This will keep users' IPs from being listed as the load balancer IPs. +2. Whitelist the load balancer's IP address(es) in the Rack Attack [settings](#settings). +3. Reconfigure GitLab: + + ``` + sudo gitlab-ctl reconfigure + ``` + +4. [Remove the block via Redis.](#remove-blocked-ips-from-rack-attack-via-redis) diff --git a/doc/topics/autodevops/index.md b/doc/topics/autodevops/index.md index 6ad314647ee..764ee0ca72c 100644 --- a/doc/topics/autodevops/index.md +++ b/doc/topics/autodevops/index.md @@ -21,10 +21,10 @@ project in an easy and automatic way: 1. [Auto Code Quality](#auto-code-quality) 1. [Auto SAST (Static Application Security Testing)](#auto-sast) 1. [Auto SAST for Docker images](#auto-sast-for-docker-images) -1. [Auto DAST (Dynamic Application Security Testing)](#auto-dast) -1. [Auto Browser Performance Testing](#auto-browser-performance-testing) 1. [Auto Review Apps](#auto-review-apps) +1. [Auto DAST (Dynamic Application Security Testing)](#auto-dast) 1. [Auto Deploy](#auto-deploy) +1. [Auto Browser Performance Testing](#auto-browser-performance-testing) 1. [Auto Monitoring](#auto-monitoring) As Auto DevOps relies on many different components, it's good to have a basic @@ -229,6 +229,32 @@ check out. In GitLab Enterprise Edition Ultimate, any security warnings are also [shown in the merge request widget](https://docs.gitlab.com/ee/user/project/merge_requests/sast_docker.html). +### Auto Review Apps + +NOTE: **Note:** +This is an optional step, since many projects do not have a Kubernetes cluster +available. If the [prerequisites](#prerequisites) are not met, the job will +silently be skipped. + +CAUTION: **Caution:** +Your apps should *not* be manipulated outside of Helm (using Kubernetes directly.) +This can cause confusion with Helm not detecting the change, and subsequent +deploys with Auto DevOps can undo your changes. Also, if you change something +and want to undo it by deploying again, Helm may not detect that anything changed +in the first place, and thus not realize that it needs to re-apply the old config. + +[Review Apps][review-app] are temporary application environments based on the +branch's code so developers, designers, QA, product managers, and other +reviewers can actually see and interact with code changes as part of the review +process. Auto Review Apps create a Review App for each branch. + +The Review App will have a unique URL based on the project name, the branch +name, and a unique number, combined with the Auto DevOps base domain. For +example, `user-project-branch-1234.example.com`. A link to the Review App shows +up in the merge request widget for easy discovery. When the branch is deleted, +for example after the merge request is merged, the Review App will automatically +be deleted. + ### Auto DAST > Introduced in [GitLab Enterprise Edition Ultimate][ee] 10.4. @@ -256,32 +282,6 @@ Auto Browser Performance Testing utilizes the [Sitespeed.io container](https://h In GitLab Enterprise Edition Premium, performance differences between the source and target branches are [shown in the merge request widget](https://docs.gitlab.com/ee/user/project/merge_requests/browser_performance_testing.html). -### Auto Review Apps - -NOTE: **Note:** -This is an optional step, since many projects do not have a Kubernetes cluster -available. If the [prerequisites](#prerequisites) are not met, the job will -silently be skipped. - -CAUTION: **Caution:** -Your apps should *not* be manipulated outside of Helm (using Kubernetes directly.) -This can cause confusion with Helm not detecting the change, and subsequent -deploys with Auto DevOps can undo your changes. Also, if you change something -and want to undo it by deploying again, Helm may not detect that anything changed -in the first place, and thus not realize that it needs to re-apply the old config. - -[Review Apps][review-app] are temporary application environments based on the -branch's code so developers, designers, QA, product managers, and other -reviewers can actually see and interact with code changes as part of the review -process. Auto Review Apps create a Review App for each branch. - -The Review App will have a unique URL based on the project name, the branch -name, and a unique number, combined with the Auto DevOps base domain. For -example, `user-project-branch-1234.example.com`. A link to the Review App shows -up in the merge request widget for easy discovery. When the branch is deleted, -for example after the merge request is merged, the Review App will automatically -be deleted. - ### Auto Deploy NOTE: **Note:** diff --git a/doc/user/project/clusters/index.md b/doc/user/project/clusters/index.md index 130f7897b1a..e87b4403854 100644 --- a/doc/user/project/clusters/index.md +++ b/doc/user/project/clusters/index.md @@ -1,26 +1,28 @@ # Connecting GitLab with a Kubernetes cluster -> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/35954) in 10.1. +> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/35954) in GitLab 10.1. + +Connect your project to Google Kubernetes Engine (GKE) or an existing Kubernetes +cluster in a few steps. With a cluster associated to your project, you can use Review Apps, deploy your applications, run your pipelines, and much more, in an easy way. -Connect your project to Google Kubernetes Engine (GKE) or your own Kubernetes -cluster in a few steps. - -NOTE: **Note:** -The Cluster integration will eventually supersede the -[Kubernetes integration](../integrations/kubernetes.md). For the moment, -you can create only one cluster. +There are two options when adding a new cluster to your project; either associate +your account with Google Kubernetes Engine (GKE) so that you can [create new +clusters](#adding-and-creating-a-new-gke-cluster-via-gitlab) from within GitLab, +or provide the credentials to an [existing Kubernetes cluster](#adding-an-existing-kubernetes-cluster). ## Prerequisites -In order to be able to manage your GKE cluster through GitLab, the following -prerequisites must be met: +In order to be able to manage your Kubernetes cluster through GitLab, the +following prerequisites must be met. + +**For a cluster hosted on GKE:** - The [Google authentication integration](../../../integration/google.md) must be enabled in GitLab at the instance level. If that's not the case, ask your - administrator to enable it. + GitLab administrator to enable it. - Your associated Google account must have the right privileges to manage clusters on GKE. That would mean that a [billing account](https://cloud.google.com/billing/docs/how-to/manage-billing-account) @@ -31,41 +33,88 @@ prerequisites must be met: - You must have [Resource Manager API](https://cloud.google.com/resource-manager/) -If all of the above requirements are met, you can proceed to add a new GKE +**For an existing Kubernetes cluster:** + +- Since the cluster is already created, there are no prerequisites. + +--- + +If all of the above requirements are met, you can proceed to add a new Kubernetes cluster. -## Adding a cluster +## Adding and creating a new GKE cluster via GitLab + +NOTE: **Note:** +You need Master [permissions] and above to access the Clusters page. + +Before proceeding, make sure all [prerequisites](#prerequisites) are met. +To add a new cluster hosted on GKE to your project: + +1. Navigate to your project's **CI/CD > Clusters** page. +1. Click on **Add cluster**. +1. Click on **Create with GKE**. +1. Connect your Google account if you haven't done already by clicking the + **Sign in with Google** button. +1. Fill in the requested values: + - **Cluster name** (required) - The name you wish to give the cluster. + - **GCP project ID** (required) - The ID of the project you created in your GCP + console that will host the Kubernetes cluster. This must **not** be confused + with the project name. Learn more about [Google Cloud Platform projects](https://cloud.google.com/resource-manager/docs/creating-managing-projects). + - **Zone** - The [zone](https://cloud.google.com/compute/docs/regions-zones/) + under which the cluster will be created. + - **Number of nodes** - The number of nodes you wish the cluster to have. + - **Machine type** - The [machine type](https://cloud.google.com/compute/docs/machine-types) + of the Virtual Machine instance that the cluster will be based on. + - **Environment scope** - The [associated environment](#setting-the-environment-scope) to this cluster. +1. Finally, click the **Create cluster** button. + +After a few moments, your cluster should be created. If something goes wrong, +you will be notified. + +You can now proceed to install some pre-defined applications and then +enable the Cluster integration. + +## Adding an existing Kubernetes cluster NOTE: **Note:** -You need Master [permissions] and above to add a cluster. - -There are two options when adding a new cluster; either use Google Kubernetes -Engine (GKE) or provide the credentials to your own Kubernetes cluster. - -To add a new cluster: - -1. Navigate to your project's **CI/CD > Cluster** page -1. If you want to let GitLab create a cluster on GKE for you, go through the - following steps, otherwise skip to the next one. - 1. Click on **Create with GKE** - 1. Connect your Google account if you haven't done already by clicking the - **Sign in with Google** button - 1. Fill in the requested values: - - **Cluster name** (required) - The name you wish to give the cluster. - - **GCP project ID** (required) - The ID of the project you created in your GCP - console that will host the Kubernetes cluster. This must **not** be confused - with the project name. Learn more about [Google Cloud Platform projects](https://cloud.google.com/resource-manager/docs/creating-managing-projects). - - **Zone** - The [zone](https://cloud.google.com/compute/docs/regions-zones/) - under which the cluster will be created. - - **Number of nodes** - The number of nodes you wish the cluster to have. - - **Machine type** - The [machine type](https://cloud.google.com/compute/docs/machine-types) - of the Virtual Machine instance that the cluster will be based on. - - **Project namespace** - The unique namespace for this project. By default you - don't have to fill it in; by leaving it blank, GitLab will create one for you. -1. If you want to use your own existing Kubernetes cluster, click on - **Add an existing cluster** and fill in the details as described in the - [Kubernetes integration](../integrations/kubernetes.md) documentation. -1. Finally, click the **Create cluster** button +You need Master [permissions] and above to access the Clusters page. + +To add an existing Kubernetes cluster to your project: + +1. Navigate to your project's **CI/CD > Clusters** page. +1. Click on **Add cluster**. +1. Click on **Add an existing cluster** and fill in the details: + - **Cluster name** (required) - The name you wish to give the cluster. + - **Environment scope** (required)- The + [associated environment](#setting-the-environment-scope) to this cluster. + - **API URL** (required) - + It's the URL that GitLab uses to access the Kubernetes API. Kubernetes + exposes several APIs, we want the "base" URL that is common to all of them, + e.g., `https://kubernetes.example.com` rather than `https://kubernetes.example.com/api/v1`. + - **CA certificate** (optional) - + If the API is using a self-signed TLS certificate, you'll also need to include + the `ca.crt` contents here. + - **Token** - + GitLab authenticates against Kubernetes using service tokens, which are + scoped to a particular `namespace`. If you don't have a service token yet, + you can follow the + [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) + to create one. You can also view or create service tokens in the + [Kubernetes dashboard](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/#config) + (under **Config > Secrets**). + - **Project namespace** (optional) - The following apply: + - By default you don't have to fill it in; by leaving it blank, GitLab will + create one for you. + - Each project should have a unique namespace. + - The project namespace is not necessarily the namespace of the secret, if + you're using a secret with broader permissions, like the secret from `default`. + - You should **not** use `default` as the project namespace. + - If you or someone created a secret specifically for the project, usually + with limited permissions, the secret's namespace and project namespace may + be the same. +1. Finally, click the **Create cluster** button. + +The Kubernetes service takes the following parameters: After a few moments, your cluster should be created. If something goes wrong, you will be notified. @@ -85,6 +134,91 @@ added directly to your configured cluster. Those applications are needed for | [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) | 10.2+ | Ingress can provide load balancing, SSL termination, and name-based virtual hosting. It acts as a web proxy for your applications and is useful if you want to use [Auto DevOps](../../../topics/autodevops/index.md) or deploy your own web apps. | | [Prometheus](https://prometheus.io/docs/introduction/overview/) | 10.4+ | Prometheus is an open-source monitoring and alerting system useful to supervise your deployed applications | +## Setting the environment scope + +When adding more than one clusters, you need to differentiate them with an +environment scope. The environment scope associates clusters and +[environments](../../../ci/environments.md) in an 1:1 relationship similar to how the +[environment-specific variables](../../../ci/variables/README.md#limiting-environment-scopes-of-secret-variables) +work. + +The default environment scope is `*`, which means all jobs, regardless of their +environment, will use that cluster. Each scope can only be used by a single +cluster in a project, and a validation error will occur if otherwise. + +--- + +For example, let's say the following clusters exist in a project: + +| Cluster | Environment scope | +| ---------- | ------------------- | +| Development| `*` | +| Staging | `staging/*` | +| Production | `production/*` | + +And the following environments are set in [`.gitlab-ci.yml`](../../../ci/yaml/README.md): + +```yaml +stages: +- test +- deploy + +test: + stage: test + script: sh test + +deploy to staging: + stage: deploy + script: make deploy + environment: + name: staging/$CI_COMMIT_REF_NAME + url: https://staging.example.com/ + +deploy to production: + stage: deploy + script: make deploy + environment: + name: production/$CI_COMMIT_REF_NAME + url: https://example.com/ +``` + +The result will then be: + +- The development cluster will be used for the "test" job. +- The staging cluster will be used for the "deploy to staging" job. +- The production cluster will be used for the "deploy to production" job. + +## Multiple Kubernetes clusters + +> Introduced in [GitLab Enterprise Edition Premium][ee] 10.3. + +With GitLab EEP, you can associate more than one Kubernetes clusters to your +project. That way you can have different clusters for different environments, +like dev, staging, production, etc. + +To add another cluster, follow the same steps as described in [adding a +Kubernetes cluster](#adding-a-kubernetes-cluster) and make sure to +[set an environment scope](#setting-the-environment-scope) that will +differentiate the new cluster with the rest. + +## Deployment variables + +The Kubernetes cluster integration exposes the following +[deployment variables](../../../ci/variables/README.md#deployment-variables) in the +GitLab CI/CD build environment: + +- `KUBE_URL` - Equal to the API URL. +- `KUBE_TOKEN` - The Kubernetes token. +- `KUBE_NAMESPACE` - The Kubernetes namespace is auto-generated if not specified. + The default value is `<project_name>-<project_id>`. You can overwrite it to + use different one if needed, otherwise the `KUBE_NAMESPACE` variable will + receive the default value. +- `KUBE_CA_PEM_FILE` - Only present if a custom CA bundle was specified. Path + to a file containing PEM data. +- `KUBE_CA_PEM` (deprecated) - Only if a custom CA bundle was specified. Raw PEM data. +- `KUBECONFIG` - Path to a file containing `kubeconfig` for this deployment. + CA bundle would be embedded if specified. + ## Enabling or disabling the Cluster integration After you have successfully added your cluster information, you can enable the @@ -111,4 +245,62 @@ To remove the Cluster integration from your project, simply click on the **Remove integration** button. You will then be able to follow the procedure and [add a cluster](#adding-a-cluster) again. +## What you can get with the Kubernetes integration + +Here's what you can do with GitLab if you enable the Kubernetes integration. + +### Deploy Boards (EEP) + +> Available in [GitLab Enterprise Edition Premium][ee]. + +GitLab's Deploy Boards offer a consolidated view of the current health and +status of each CI [environment](../../../ci/environments.md) running on Kubernetes, +displaying the status of the pods in the deployment. Developers and other +teammates can view the progress and status of a rollout, pod by pod, in the +workflow they already use without any need to access Kubernetes. + +[> Read more about Deploy Boards](https://docs.gitlab.com/ee/user/project/deploy_boards.html) + +### Canary Deployments (EEP) + +> Available in [GitLab Enterprise Edition Premium][ee]. + +Leverage [Kubernetes' Canary deployments](https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/#canary-deployments) +and visualize your canary deployments right inside the Deploy Board, without +the need to leave GitLab. + +[> Read more about Canary Deployments](https://docs.gitlab.com/ee/user/project/canary_deployments.html) + +### Kubernetes monitoring + +Automatically detect and monitor Kubernetes metrics. Automatic monitoring of +[NGINX ingress](../integrations/prometheus_library/nginx.md) is also supported. + +[> Read more about Kubernetes monitoring](../integrations/prometheus_library/kubernetes.md) + +### Auto DevOps + +Auto DevOps automatically detects, builds, tests, deploys, and monitors your +applications. + +To make full use of Auto DevOps(Auto Deploy, Auto Review Apps, and Auto Monitoring) +you will need the Kubernetes project integration enabled. + +[> Read more about Auto DevOps](../../../topics/autodevops/index.md) + +### Web terminals + +NOTE: **Note:** +Introduced in GitLab 8.15. You must be the project owner or have `master` permissions +to use terminals. Support is limited to the first container in the +first pod of your environment. + +When enabled, the Kubernetes service adds [web terminal](../../../ci/environments.md#web-terminals) +support to your [environments](../../../ci/environments.md). This is based on the `exec` functionality found in +Docker and Kubernetes, so you get a new shell session within your existing +containers. To use this integration, you should deploy to Kubernetes using +the deployment variables above, ensuring any pods you create are labelled with +`app=$CI_ENVIRONMENT_SLUG`. GitLab will do the rest! + [permissions]: ../../permissions.md +[ee]: https://about.gitlab.com/gitlab-ee/ diff --git a/doc/user/project/integrations/kubernetes.md b/doc/user/project/integrations/kubernetes.md index 710cf78e84f..543baaa81e1 100644 --- a/doc/user/project/integrations/kubernetes.md +++ b/doc/user/project/integrations/kubernetes.md @@ -2,11 +2,15 @@ last_updated: 2017-12-28 --- -CAUTION: **Warning:** -Kubernetes service integration has been deprecated in GitLab 10.3. If the service is active the cluster information still be editable, however we advised to disable and reconfigure the clusters using the new [Clusters](../clusters/index.md) page. If the service is inactive the fields will be uneditable. Read [GitLab 10.3 release post](https://about.gitlab.com/2017/12/22/gitlab-10-3-released/#kubernetes-integration-service) for more information. - # GitLab Kubernetes / OpenShift integration +CAUTION: **Warning:** +The Kubernetes service integration has been deprecated in GitLab 10.3. If the +service is active, the cluster information will still be editable, however we +advise to disable and reconfigure the clusters using the new +[Clusters](../clusters/index.md) page. If the service is inactive, the fields +will not be editable. Read [GitLab 10.3 release post](https://about.gitlab.com/2017/12/22/gitlab-10-3-released/#kubernetes-integration-service) for more information. + GitLab can be configured to interact with Kubernetes, or other systems using the Kubernetes API (such as OpenShift). diff --git a/doc/user/project/pipelines/img/pipeline_schedule_play.png b/doc/user/project/pipelines/img/pipeline_schedule_play.png Binary files differnew file mode 100644 index 00000000000..f594ceee19d --- /dev/null +++ b/doc/user/project/pipelines/img/pipeline_schedule_play.png diff --git a/doc/user/project/pipelines/img/pipeline_schedules_list.png b/doc/user/project/pipelines/img/pipeline_schedules_list.png Binary files differindex 50d9d184b05..2ab2061db94 100644 --- a/doc/user/project/pipelines/img/pipeline_schedules_list.png +++ b/doc/user/project/pipelines/img/pipeline_schedules_list.png diff --git a/doc/user/project/pipelines/schedules.md b/doc/user/project/pipelines/schedules.md index 2101e3b1d58..34809a2826f 100644 --- a/doc/user/project/pipelines/schedules.md +++ b/doc/user/project/pipelines/schedules.md @@ -31,6 +31,20 @@ is installed on.  +### Running a scheduled pipeline manually + +> [Introduced][ce-15700] in GitLab 10.4. + +To trigger a pipeline schedule manually, click the "Play" button: + + + +This will schedule a background job to run the pipeline schedule. A flash +message will provide a link to the CI/CD Pipeline index page. + +To help avoid abuse, users are rate limited to triggering a pipeline once per +minute. + ### Making use of scheduled pipeline variables > [Introduced][ce-12328] in GitLab 9.4. @@ -90,4 +104,5 @@ don't have admin access to the server, ask your administrator. [ce-10533]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/10533 [ce-10853]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/10853 [ce-12328]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/12328 +[ce-15700]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/15700 [settings]: https://about.gitlab.com/gitlab-com/settings/#cron-jobs |
