Add latest changes from gitlab-org/gitlab@master

changelogs/unreleased/docs-document-auto-devops-docker-build-secret-forwarding.yml

@@ -0,0 +1,5 @@
+---
+title: Document forwarding CI variables to docker build in Auto DevOps
+merge_request: 16783
+author:
+type: added

doc/topics/autodevops/index.md

@@ -734,6 +734,40 @@ Avoid passing secrets as Docker build arguments if possible, as they may be
 persisted in your image. See
 [this discussion](https://github.com/moby/moby/issues/13490) for details.
 
+### Passing secrets to `docker build` (beta)
+
+CI environment variables can be passed as [build
+secrets](https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information) to the `docker build` command by listing them comma separated by name in the
+`AUTO_DEVOPS_BUILD_IMAGE_FORWARDED_CI_VARIABLES` variable. For example, in order to forward the variables `CI_COMMIT_SHA` and `CI_ENVIRONMENT_NAME`, one would set `AUTO_DEVOPS_BUILD_IMAGE_FORWARDED_CI_VARIABLES` to `CI_COMMIT_SHA,CI_ENVIRONMENT_NAME`.
+
+Unlike build arguments, these are not persisted by Docker in the final image
+(though you can still persist them yourself, so be careful).
+
+In projects:
+
+- Without a `Dockerfile`, these are available automatically as environment
+  variables.
+- With a `Dockerfile`, the following is required:
+
+  1. Activate the experimental `Dockerfile` syntax by adding the following
+     to the top of the file:
+
+     ```Dockerfile
+     # syntax = docker/dockerfile:experimental
+     ```
+
+  1. To make secrets available in any `RUN $COMMAND` in the `Dockerfile`, mount
+     the secret file and source it prior to running `$COMMAND`:
+
+     ```Dockerfile
+     RUN --mount=type=secret,id=auto-devops-build-secrets . /run/secrets/auto-devops-build-secrets && $COMMAND
+     ```
+
+NOTE: **Note:**
+When `AUTO_DEVOPS_BUILD_IMAGE_FORWARDED_CI_VARIABLES` is set, Auto DevOps
+enables the experimental [Docker BuildKit](https://docs.docker.com/develop/develop-images/build_enhancements/)
+feature to use the `--secret` flag.
+
 ### Custom Helm Chart
 
 Auto DevOps uses [Helm](https://helm.sh/) to deploy your application to Kubernetes.
@@ -827,6 +861,7 @@ applications.
 | `ADDITIONAL_HOSTS`                      | Fully qualified domain names specified as a comma-separated list that are added to the ingress hosts. |
 | `<ENVIRONMENT>_ADDITIONAL_HOSTS`        | For a specific environment, the fully qualified domain names specified as a comma-separated list that are added to the ingress hosts. This takes precedence over `ADDITIONAL_HOSTS`. |
 | `AUTO_DEVOPS_BUILD_IMAGE_EXTRA_ARGS`    | Extra arguments to be passed to the `docker build` command. Note that using quotes will not prevent word splitting. [More details](#passing-arguments-to-docker-build). |
+| `AUTO_DEVOPS_BUILD_IMAGE_FORWARDED_CI_VARIABLES` | A [comma-separated list of CI variable names](#passing-secrets-to-docker-build-beta) to be passed to the `docker build` command as secrets. |
 | `AUTO_DEVOPS_CHART`                     | Helm Chart used to deploy your apps. Defaults to the one [provided by GitLab](https://gitlab.com/gitlab-org/charts/auto-deploy-app). |
 | `AUTO_DEVOPS_CHART_REPOSITORY`          | Helm Chart repository used to search for charts. Defaults to `https://charts.gitlab.io`. |
 | `AUTO_DEVOPS_CHART_REPOSITORY_NAME`     | From Gitlab 11.11, used to set the name of the helm repository. Defaults to `gitlab`. |
@@ -1168,6 +1203,27 @@ There is no documented way of using private container registry with Auto DevOps.
 We strongly advise using GitLab Container Registry with Auto DevOps in order to
 simplify configuration and prevent any unforeseen issues.
 
+### Installing Helm behind a proxy
+
+GitLab does not yet support installing [Helm as a GitLab-managed App](../../user/clusters/applications.md#helm) when
+behind a proxy. Users who wish to do so must inject their proxy settings
+into the installation pods at runtime, for example by using a
+[`PodPreset`](https://kubernetes.io/docs/concepts/workloads/pods/podpreset/):
+
+```yml
+apiVersion: settings.k8s.io/v1alpha1
+kind: PodPreset
+metadata:
+  name: gitlab-managed-apps-default-proxy
+  namespace: gitlab-managed-apps
+spec:
+   env:
+    - name: http_proxy
+      value: "PUT_YOUR_HTTP_PROXY_HERE"
+    - name: https_proxy
+      value: "PUT_YOUR_HTTPS_PROXY_HERE"
+```
+
 ## Troubleshooting
 
 - Auto Build and Auto Test may fail in detecting your language/framework. There

doc/user/clusters/applications.md

@@ -67,6 +67,11 @@ required to install all the other applications. It is installed in its
 own pod inside the cluster which can run the `helm` CLI in a safe
 environment.
 
+NOTE: **Note:**
+Installing Helm as a GitLab-managed App behind a proxy is not supported,
+but a [workaround](../../topics/autodevops/index.md#installing-helm-behind-a-proxy)
+is available.
+
 ### Cert-Manager
 
 > Introduced in GitLab 11.6 for project- and group-level clusters.

doc/user/project/pipelines/job_artifacts.md

@@ -9,11 +9,11 @@ type: reference, howto
 > - In GitLab 8.17, builds were renamed to jobs.
 > - The artifacts browser will be available only for new artifacts that are sent to GitLab using GitLab Runner version 1.0 and up. It will not be possible to browse old artifacts already uploaded to GitLab.
 
-Artifacts are a list of files and directories which created by a job
+Job artifacts are a list of files and directories created by a job
 once it finishes. This feature is [enabled by default](../../../administration/job_artifacts.md) in all
 GitLab installations.
 
-Job artifacts that are created by GitLab Runner are uploaded to GitLab and are downloadable as a single archive using the GitLab UI.
+Job artifacts created by GitLab Runner are uploaded to GitLab and are downloadable as a single archive using the GitLab UI or the [GitLab API](../../../api/jobs.md#get-job-artifacts).
 
 <i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
 For an overview, watch the video [GitLab CI Pipeline, Artifacts, and Environments](https://www.youtube.com/watch?v=PCKDICEe10s).
@@ -78,7 +78,7 @@ one HTML file that you can view directly online when
 ## Downloading artifacts
 
 If you need to download the whole archive, there are buttons in various places
-inside GitLab that make that possible.
+in the GitLab UI to do this:
 
 1. While on the pipelines page, you can see the download icon for each job's
    artifacts archive in the right corner:

qa/qa.rb

@@ -275,6 +275,7 @@ module QA
         autoload :Edit, 'qa/page/project/wiki/edit'
         autoload :New, 'qa/page/project/wiki/new'
         autoload :Show, 'qa/page/project/wiki/show'
+        autoload :GitAccess, 'qa/page/project/wiki/git_access'
       end
 
       module WebIDE

qa/qa/page/project/wiki/git_access.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module QA
+  module Page
+    module Project
+      module Wiki
+        class GitAccess < Page::Base
+          include Page::Component::LegacyClonePanel
+        end
+      end
+    end
+  end
+end

qa/qa/resource/repository/wiki_push.rb

@@ -21,14 +21,7 @@ module QA
         end
 
         def repository_http_uri
-          @repository_http_uri ||= begin
-            wiki.visit!
-            Page::Project::Wiki::Show.act do
-              click_clone_repository
-              choose_repository_clone_http
-              repository_location.uri
-            end
-          end
+          @repository_http_uri ||= wiki.repository_http_location.uri
         end
 
         def repository_ssh_uri

qa/qa/resource/wiki.rb

@@ -12,6 +12,15 @@ module QA
         end
       end
 
+      attribute :repository_http_location do
+        Page::Project::Wiki::Show.perform(&:click_clone_repository)
+
+        Page::Project::Wiki::GitAccess.perform do |git_access|
+          git_access.choose_repository_clone_http
+          git_access.repository_location
+        end
+      end
+
       def fabricate!
         project.visit!
 

qa/qa/specs/features/browser_ui/2_plan/issue/mentions_spec.rb

@@ -3,29 +3,12 @@
 module QA
   context 'Plan', :smoke do
     describe 'mention' do
-      let(:user) do
-        Resource::User.fabricate_via_api! do |user|
-          user.name = "bob"
-          user.password = "1234test"
-        end
-      end
-
       before do
-        QA::Runtime::Env.personal_access_token = QA::Runtime::Env.admin_personal_access_token
-
-        unless QA::Runtime::Env.personal_access_token
-          Runtime::Browser.visit(:gitlab, Page::Main::Login)
-          Page::Main::Login.perform(&:sign_in_using_admin_credentials)
-        end
-
-        QA::Runtime::Env.personal_access_token = nil
-
-        Page::Main::Menu.perform(&:sign_out) if Page::Main::Menu.perform { |p| p.has_personal_area?(wait: 0) }
-
         Runtime::Browser.visit(:gitlab, Page::Main::Login)
-
         Page::Main::Login.perform(&:sign_in_using_credentials)
 
+        @user = Resource::User.fabricate_or_use(Runtime::Env.gitlab_qa_username_1, Runtime::Env.gitlab_qa_password_1)
+
         project = Resource::Project.fabricate_via_api! do |resource|
           resource.name = 'project-to-test-mention'
         end
@@ -33,7 +16,7 @@ module QA
 
         Page::Project::Show.perform(&:go_to_members_settings)
         Page::Project::Settings::Members.perform do |members|
-          members.add_member(user.username)
+          members.add_member(@user.username)
         end
 
         issue = Resource::Issue.fabricate_via_api! do |issue|
@@ -45,7 +28,7 @@ module QA
 
       it 'user mentions another user in an issue' do
         Page::Project::Issue::Show.perform do |show|
-          at_username = "@#{user.username}"
+          at_username = "@#{@user.username}"
 
           show.select_all_activities_filter
           show.comment(at_username)