Add latest changes from gitlab-org/gitlab@master
parent
9c590535c8
commit
5fe91268ac
|
@ -849,6 +849,8 @@
|
||||||
when: never
|
when: never
|
||||||
- <<: *if-merge-request-labels-run-all-jest
|
- <<: *if-merge-request-labels-run-all-jest
|
||||||
- <<: *if-merge-request-labels-frontend-and-feature-flag
|
- <<: *if-merge-request-labels-frontend-and-feature-flag
|
||||||
|
- <<: *if-merge-request
|
||||||
|
changes: ["{package.json,yarn.lock}"]
|
||||||
- <<: *if-merge-request
|
- <<: *if-merge-request
|
||||||
changes: [".gitlab/ci/rules.gitlab-ci.yml", ".gitlab/ci/frontend.gitlab-ci.yml"]
|
changes: [".gitlab/ci/rules.gitlab-ci.yml", ".gitlab/ci/frontend.gitlab-ci.yml"]
|
||||||
- <<: *if-automated-merge-request
|
- <<: *if-automated-merge-request
|
||||||
|
@ -867,6 +869,9 @@
|
||||||
when: never
|
when: never
|
||||||
- <<: *if-merge-request-labels-frontend-and-feature-flag
|
- <<: *if-merge-request-labels-frontend-and-feature-flag
|
||||||
when: never
|
when: never
|
||||||
|
- <<: *if-merge-request
|
||||||
|
changes: ["{package.json,yarn.lock}"]
|
||||||
|
when: never
|
||||||
- <<: *if-merge-request
|
- <<: *if-merge-request
|
||||||
changes: [".gitlab/ci/rules.gitlab-ci.yml", ".gitlab/ci/frontend.gitlab-ci.yml"]
|
changes: [".gitlab/ci/rules.gitlab-ci.yml", ".gitlab/ci/frontend.gitlab-ci.yml"]
|
||||||
when: never
|
when: never
|
||||||
|
@ -878,6 +883,8 @@
|
||||||
- !reference [".strict-ee-only-rules", rules]
|
- !reference [".strict-ee-only-rules", rules]
|
||||||
- <<: *if-merge-request-labels-as-if-foss
|
- <<: *if-merge-request-labels-as-if-foss
|
||||||
- <<: *if-merge-request-labels-run-all-jest
|
- <<: *if-merge-request-labels-run-all-jest
|
||||||
|
- <<: *if-merge-request
|
||||||
|
changes: ["{package.json,yarn.lock}"]
|
||||||
- <<: *if-security-merge-request
|
- <<: *if-security-merge-request
|
||||||
changes: *code-backstage-patterns
|
changes: *code-backstage-patterns
|
||||||
|
|
||||||
|
@ -887,6 +894,9 @@
|
||||||
- !reference [".frontend:rules:minimal-default-rules", rules]
|
- !reference [".frontend:rules:minimal-default-rules", rules]
|
||||||
- <<: *if-merge-request-labels-run-all-jest
|
- <<: *if-merge-request-labels-run-all-jest
|
||||||
when: never
|
when: never
|
||||||
|
- <<: *if-merge-request
|
||||||
|
changes: ["{package.json,yarn.lock}"]
|
||||||
|
when: never
|
||||||
- <<: *if-fork-merge-request
|
- <<: *if-fork-merge-request
|
||||||
when: never
|
when: never
|
||||||
- <<: *if-merge-request
|
- <<: *if-merge-request
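Review bot: The pair `- <<: *if-merge-request` / `changes: ["{package.json,yarn.lock}"]` is pasted into four separate rule sets with the glob as an inline literal, so a later change to the dependency file list (for example a moved lockfile) has to be made in four places, and in the two `when: never` variants a missed copy would silently skip the jobs. Other rules in these hunks take their patterns from an anchor (`changes: *code-backstage-patterns`), so I would define the list once, e.g. `.frontend-dependency-patterns: &frontend-dependency-patterns` followed by `- "{package.json,yarn.lock}"`, and reference it as `changes: *frontend-dependency-patterns`. A one-line comment on the first use saying that dependency bumps must always run the full Jest suite would also make the intent of the `when: never` copies clear. The rule sets these hunks belong to start outside the visible lines.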
|
||||||
|
|
2
Gemfile
2
Gemfile
|
@ -340,7 +340,7 @@ gem 'pg_query', '~> 2.1.4'
|
||||||
gem 'premailer-rails', '~> 1.10.3'
|
gem 'premailer-rails', '~> 1.10.3'
|
||||||
|
|
||||||
# LabKit: Tracing and Correlation
|
# LabKit: Tracing and Correlation
|
||||||
gem 'gitlab-labkit', '~> 0.24.0'
|
gem 'gitlab-labkit', '~> 0.26.0'
|
||||||
gem 'thrift', '>= 0.16.0'
|
gem 'thrift', '>= 0.16.0'
|
||||||
|
|
||||||
# I18n
|
# I18n
|
||||||
|
|
|
@ -205,7 +205,7 @@
|
||||||
{"name":"gitlab-dangerfiles","version":"3.6.1","platform":"ruby","checksum":"f7b69b093d52acb89095d411cb7b8849f5f3b9e76f8baa4c99b5671f1564865f"},
|
{"name":"gitlab-dangerfiles","version":"3.6.1","platform":"ruby","checksum":"f7b69b093d52acb89095d411cb7b8849f5f3b9e76f8baa4c99b5671f1564865f"},
|
||||||
{"name":"gitlab-experiment","version":"0.7.1","platform":"ruby","checksum":"166dddb3aa83428bcaa93c35684ed01dc4d61f321fd2ae40b020806dc54a7824"},
|
{"name":"gitlab-experiment","version":"0.7.1","platform":"ruby","checksum":"166dddb3aa83428bcaa93c35684ed01dc4d61f321fd2ae40b020806dc54a7824"},
|
||||||
{"name":"gitlab-fog-azure-rm","version":"1.3.0","platform":"ruby","checksum":"2fef5317d6515f95f803099afa860fe3019ce6e1907bf49f66b5e06468a617b5"},
|
{"name":"gitlab-fog-azure-rm","version":"1.3.0","platform":"ruby","checksum":"2fef5317d6515f95f803099afa860fe3019ce6e1907bf49f66b5e06468a617b5"},
|
||||||
{"name":"gitlab-labkit","version":"0.24.0","platform":"ruby","checksum":"8f16e5aa4e0a05be58958fe880bdd53c84b659a081ea9981d2b510922a4a0548"},
|
{"name":"gitlab-labkit","version":"0.26.0","platform":"ruby","checksum":"718f1a8fe685780c2d78ecb25cc626e58e8b866a9f59565a5f705a1b84109517"},
|
||||||
{"name":"gitlab-license","version":"2.2.1","platform":"ruby","checksum":"39fcf6be8b2887df8afe01b5dcbae8d08b7c5d937ff56b0fb40484a8c4f02d30"},
|
{"name":"gitlab-license","version":"2.2.1","platform":"ruby","checksum":"39fcf6be8b2887df8afe01b5dcbae8d08b7c5d937ff56b0fb40484a8c4f02d30"},
|
||||||
{"name":"gitlab-mail_room","version":"0.0.9","platform":"ruby","checksum":"6700374b5c0aa9d9ad4e711aeb677f0b7d415a6d01d3baa699efab25349d851c"},
|
{"name":"gitlab-mail_room","version":"0.0.9","platform":"ruby","checksum":"6700374b5c0aa9d9ad4e711aeb677f0b7d415a6d01d3baa699efab25349d851c"},
|
||||||
{"name":"gitlab-markup","version":"1.8.1","platform":"ruby","checksum":"ab1f9fd016977497c2af25b76341dea670533014f406861834a0bd99f646707b"},
|
{"name":"gitlab-markup","version":"1.8.1","platform":"ruby","checksum":"ab1f9fd016977497c2af25b76341dea670533014f406861834a0bd99f646707b"},
|
||||||
|
|
|
@ -569,14 +569,14 @@ GEM
|
||||||
fog-json (~> 1.2.0)
|
fog-json (~> 1.2.0)
|
||||||
mime-types
|
mime-types
|
||||||
ms_rest_azure (~> 0.12.0)
|
ms_rest_azure (~> 0.12.0)
|
||||||
gitlab-labkit (0.24.0)
|
gitlab-labkit (0.26.0)
|
||||||
actionpack (>= 5.0.0, < 8.0.0)
|
actionpack (>= 5.0.0, < 8.0.0)
|
||||||
activesupport (>= 5.0.0, < 8.0.0)
|
activesupport (>= 5.0.0, < 8.0.0)
|
||||||
grpc (>= 1.37)
|
grpc (>= 1.37)
|
||||||
jaeger-client (~> 1.1.0)
|
jaeger-client (~> 1.1.0)
|
||||||
opentracing (~> 0.4)
|
opentracing (~> 0.4)
|
||||||
pg_query (~> 2.1)
|
pg_query (~> 2.1)
|
||||||
redis (> 3.0.0, < 5.0.0)
|
redis (> 3.0.0, < 6.0.0)
|
||||||
gitlab-license (2.2.1)
|
gitlab-license (2.2.1)
|
||||||
gitlab-mail_room (0.0.9)
|
gitlab-mail_room (0.0.9)
|
||||||
gitlab-markup (1.8.1)
|
gitlab-markup (1.8.1)
|
||||||
|
@ -1632,7 +1632,7 @@ DEPENDENCIES
|
||||||
gitlab-dangerfiles (~> 3.6.1)
|
gitlab-dangerfiles (~> 3.6.1)
|
||||||
gitlab-experiment (~> 0.7.1)
|
gitlab-experiment (~> 0.7.1)
|
||||||
gitlab-fog-azure-rm (~> 1.3.0)
|
gitlab-fog-azure-rm (~> 1.3.0)
|
||||||
gitlab-labkit (~> 0.24.0)
|
gitlab-labkit (~> 0.26.0)
|
||||||
gitlab-license (~> 2.2.1)
|
gitlab-license (~> 2.2.1)
|
||||||
gitlab-mail_room (~> 0.0.9)
|
gitlab-mail_room (~> 0.0.9)
|
||||||
gitlab-markup (~> 1.8.0)
|
gitlab-markup (~> 1.8.0)
|
||||||
|
|
|
@ -41,7 +41,7 @@ module PreviewMarkdown
|
||||||
case controller_name
|
case controller_name
|
||||||
when 'wikis' then { pipeline: :wiki, wiki: wiki, page_slug: params[:id] }
|
when 'wikis' then { pipeline: :wiki, wiki: wiki, page_slug: params[:id] }
|
||||||
when 'snippets' then { skip_project_check: true }
|
when 'snippets' then { skip_project_check: true }
|
||||||
when 'groups' then { group: group }
|
when 'groups' then { group: group, issuable_reference_expansion_enabled: true }
|
||||||
when 'projects' then projects_filter_params
|
when 'projects' then projects_filter_params
|
||||||
when 'timeline_events' then timeline_events_filter_params
|
when 'timeline_events' then timeline_events_filter_params
|
||||||
else {}
|
else {}
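Review bot: `issuable_reference_expansion_enabled: true` is added only on the `'groups'` branch, and nothing in the hunk explains why group previews differ from the other controllers or shows a spec covering the new option; the method around this `case` starts and ends outside the hunk, and `projects_filter_params` is not visible, so I cannot tell whether projects already set it. A short comment such as `# Group-level previews (e.g. epics) expand issuable references like the saved description does` would document the intent. Because expansion presumably adds the referenced issuable's title or state to the preview HTML, a controller spec that previews a reference to an issuable the current user cannot read would pin that the preview does not expose more than the saved rendering.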
|
||||||
|
|
|
@ -24,15 +24,7 @@ module Clusters
|
||||||
|
|
||||||
# rubocop: disable CodeReuse/ActiveRecord
|
# rubocop: disable CodeReuse/ActiveRecord
|
||||||
def project_authorizations
|
def project_authorizations
|
||||||
namespace_ids = if project.group
|
namespace_ids = project.group ? all_namespace_ids : project.namespace_id
|
||||||
if include_descendants?
|
|
||||||
all_namespace_ids
|
|
||||||
else
|
|
||||||
ancestor_namespace_ids
|
|
||||||
end
|
|
||||||
else
|
|
||||||
project.namespace_id
|
|
||||||
end
|
|
||||||
|
|
||||||
Clusters::Agents::ProjectAuthorization
|
Clusters::Agents::ProjectAuthorization
|
||||||
.where(project_id: project.id)
|
.where(project_id: project.id)
|
||||||
|
@ -57,35 +49,21 @@ module Clusters
|
||||||
authorizations[:group_id].eq(ordered_ancestors_cte.table[:id])
|
authorizations[:group_id].eq(ordered_ancestors_cte.table[:id])
|
||||||
).join_sources
|
).join_sources
|
||||||
|
|
||||||
authorized_groups = Clusters::Agents::GroupAuthorization
|
Clusters::Agents::GroupAuthorization
|
||||||
.with(ordered_ancestors_cte.to_arel)
|
.with(ordered_ancestors_cte.to_arel)
|
||||||
.joins(cte_join_sources)
|
.joins(cte_join_sources)
|
||||||
.joins(agent: :project)
|
.joins(agent: :project)
|
||||||
.with_available_ci_access_fields(project)
|
.with_available_ci_access_fields(project)
|
||||||
|
.where(projects: { namespace_id: all_namespace_ids })
|
||||||
.order(Arel.sql('agent_id, array_position(ARRAY(SELECT id FROM ordered_ancestors)::bigint[], agent_group_authorizations.group_id)'))
|
.order(Arel.sql('agent_id, array_position(ARRAY(SELECT id FROM ordered_ancestors)::bigint[], agent_group_authorizations.group_id)'))
|
||||||
.select('DISTINCT ON (agent_id) agent_group_authorizations.*')
|
.select('DISTINCT ON (agent_id) agent_group_authorizations.*')
|
||||||
.preload(agent: :project)
|
.preload(agent: :project)
|
||||||
|
.to_a
|
||||||
authorized_groups = if include_descendants?
|
|
||||||
authorized_groups.where(projects: { namespace_id: all_namespace_ids })
|
|
||||||
else
|
|
||||||
authorized_groups.where('projects.namespace_id IN (SELECT id FROM ordered_ancestors)')
|
|
||||||
end
|
|
||||||
|
|
||||||
authorized_groups.to_a
|
|
||||||
end
|
end
|
||||||
# rubocop: enable CodeReuse/ActiveRecord
|
# rubocop: enable CodeReuse/ActiveRecord
|
||||||
|
|
||||||
def ancestor_namespace_ids
|
|
||||||
project.ancestors.select(:id)
|
|
||||||
end
|
|
||||||
|
|
||||||
def all_namespace_ids
|
def all_namespace_ids
|
||||||
project.root_ancestor.self_and_descendants.select(:id)
|
project.root_ancestor.self_and_descendants.select(:id)
|
||||||
end
|
end
|
||||||
|
|
||||||
def include_descendants?
|
|
||||||
Feature.enabled?(:agent_authorization_include_descendants, project)
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
end
|
end
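Review bot: `project_authorizations` and the group-authorization query now accept any agent whose configuration project sits under the requesting project's root group (`all_namespace_ids`), and with `include_descendants?` removed there is no switch left to narrow that back to ancestors, yet neither method states that the root group is the authorization boundary. I would add above `all_namespace_ids` a comment like `# Authorization boundary: agents are visible only when their project shares this project's root group.` The group-authorization hunk calls `all_namespace_ids` unconditionally, while `project_authorizations` falls back to `project.namespace_id` when `project.group` is nil; that method starts outside the hunk, so confirm it returns early for personal-namespace projects. The spec hunks in this commit remove the only visible `be_empty` expectations, so a negative case for an agent under a different root group is worth keeping or adding if one does not already exist outside the hunks.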
|
||||||
|
|
|
@ -1,8 +0,0 @@
|
||||||
---
|
|
||||||
name: agent_authorization_include_descendants
|
|
||||||
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/95774
|
|
||||||
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/371310
|
|
||||||
milestone: '15.5'
|
|
||||||
type: development
|
|
||||||
group: group::configure
|
|
||||||
default_enabled: false
|
|
|
@ -58,7 +58,8 @@ Authorization configuration can take one or two minutes to propagate.
|
||||||
|
|
||||||
### Authorize the agent to access your projects
|
### Authorize the agent to access your projects
|
||||||
|
|
||||||
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327850) in GitLab 14.4.
|
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327850) in GitLab 14.4.
|
||||||
|
> - [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/346566) to remove hierarchy restrictions in GitLab 15.6.
|
||||||
|
|
||||||
To authorize the agent to access the GitLab project where you keep Kubernetes manifests:
|
To authorize the agent to access the GitLab project where you keep Kubernetes manifests:
|
||||||
|
|
||||||
|
@ -72,7 +73,7 @@ To authorize the agent to access the GitLab project where you keep Kubernetes ma
|
||||||
- id: path/to/project
|
- id: path/to/project
|
||||||
```
|
```
|
||||||
|
|
||||||
- The Kubernetes projects must be in the same group hierarchy as the project where the agent's configuration is.
|
- Authorized projects must have the same root group as the agent's configuration project.
|
||||||
- You can install additional agents into the same cluster to accommodate additional hierarchies.
|
- You can install additional agents into the same cluster to accommodate additional hierarchies.
|
||||||
- You can authorize up to 100 projects.
|
- You can authorize up to 100 projects.
|
||||||
|
|
||||||
|
@ -81,7 +82,8 @@ Choose the context to run `kubectl` commands from your CI/CD scripts.
|
||||||
|
|
||||||
### Authorize the agent to access projects in your groups
|
### Authorize the agent to access projects in your groups
|
||||||
|
|
||||||
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5784) in GitLab 14.3.
|
> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5784) in GitLab 14.3.
|
||||||
|
> - [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/346566) to remove hierarchy restrictions in GitLab 15.6.
|
||||||
|
|
||||||
To authorize the agent to access all of the GitLab projects in a group or subgroup:
|
To authorize the agent to access all of the GitLab projects in a group or subgroup:
|
||||||
|
|
||||||
|
@ -95,7 +97,7 @@ To authorize the agent to access all of the GitLab projects in a group or subgro
|
||||||
- id: path/to/group/subgroup
|
- id: path/to/group/subgroup
|
||||||
```
|
```
|
||||||
|
|
||||||
- The Kubernetes projects must be in the same group hierarchy as the project where the agent's configuration is.
|
- Authorized groups must have the same root group as the agent's configuration project.
|
||||||
- You can install additional agents into the same cluster to accommodate additional hierarchies.
|
- You can install additional agents into the same cluster to accommodate additional hierarchies.
|
||||||
- All of the subgroups of an authorized group also have access to the same agent (without being specified individually).
|
- All of the subgroups of an authorized group also have access to the same agent (without being specified individually).
|
||||||
- You can authorize up to 100 groups.
|
- You can authorize up to 100 groups.
|
||||||
|
|
|
@ -45,6 +45,8 @@ For configuration settings, the agent uses a YAML file in the GitLab project. Yo
|
||||||
- You use [a GitOps workflow](../gitops.md#gitops-workflow-steps).
|
- You use [a GitOps workflow](../gitops.md#gitops-workflow-steps).
|
||||||
- You use [a GitLab CI/CD workflow](../ci_cd_workflow.md#gitlab-cicd-workflow-steps) and want to authorize a different project to use the agent.
|
- You use [a GitLab CI/CD workflow](../ci_cd_workflow.md#gitlab-cicd-workflow-steps) and want to authorize a different project to use the agent.
|
||||||
|
|
||||||
|
Otherwise it is optional.
|
||||||
|
|
||||||
To create an agent configuration file:
|
To create an agent configuration file:
|
||||||
|
|
||||||
1. Choose a name for your agent. The agent name follows the
|
1. Choose a name for your agent. The agent name follows the
|
||||||
|
|
|
@ -7,7 +7,7 @@ gem 'activesupport', '~> 6.1.4.7' # This should stay in sync with the root's Gem
|
||||||
gem 'allure-rspec', '~> 2.18.0'
|
gem 'allure-rspec', '~> 2.18.0'
|
||||||
gem 'capybara', '~> 3.37.1'
|
gem 'capybara', '~> 3.37.1'
|
||||||
gem 'capybara-screenshot', '~> 1.0.26'
|
gem 'capybara-screenshot', '~> 1.0.26'
|
||||||
gem 'rake', '~> 13'
|
gem 'rake', '~> 13', '>= 13.0.6'
|
||||||
gem 'rspec', '~> 3.11'
|
gem 'rspec', '~> 3.11'
|
||||||
gem 'selenium-webdriver', '~> 4.5'
|
gem 'selenium-webdriver', '~> 4.5'
|
||||||
gem 'airborne', '~> 0.3.7', require: false # airborne is messing with rspec sandboxed mode so not requiring by default
|
gem 'airborne', '~> 0.3.7', require: false # airborne is messing with rspec sandboxed mode so not requiring by default
|
||||||
|
|
|
@ -323,7 +323,7 @@ DEPENDENCIES
|
||||||
parallel_tests (~> 3.13)
|
parallel_tests (~> 3.13)
|
||||||
pry-byebug (~> 3.10.1)
|
pry-byebug (~> 3.10.1)
|
||||||
rainbow (~> 3.1.1)
|
rainbow (~> 3.1.1)
|
||||||
rake (~> 13)
|
rake (~> 13, >= 13.0.6)
|
||||||
rest-client (~> 2.1.0)
|
rest-client (~> 2.1.0)
|
||||||
rotp (~> 6.2.0)
|
rotp (~> 6.2.0)
|
||||||
rspec (~> 3.11)
|
rspec (~> 3.11)
|
||||||
|
|
|
@ -64,14 +64,6 @@ RSpec.describe Clusters::AgentAuthorizationsFinder do
|
||||||
let!(:project_authorization) { create(:agent_project_authorization, agent: non_ancestor_agent, project: requesting_project) }
|
let!(:project_authorization) { create(:agent_project_authorization, agent: non_ancestor_agent, project: requesting_project) }
|
||||||
|
|
||||||
it { is_expected.to match_array([project_authorization]) }
|
it { is_expected.to match_array([project_authorization]) }
|
||||||
|
|
||||||
context 'agent_authorization_include_descendants feature flag is disabled' do
|
|
||||||
before do
|
|
||||||
stub_feature_flags(agent_authorization_include_descendants: false)
|
|
||||||
end
|
|
||||||
|
|
||||||
it { is_expected.to be_empty }
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'with project authorizations present' do
|
context 'with project authorizations present' do
|
||||||
|
@ -138,14 +130,6 @@ RSpec.describe Clusters::AgentAuthorizationsFinder do
|
||||||
let!(:group_authorization) { create(:agent_group_authorization, agent: non_ancestor_agent, group: bottom_level_group) }
|
let!(:group_authorization) { create(:agent_group_authorization, agent: non_ancestor_agent, group: bottom_level_group) }
|
||||||
|
|
||||||
it { is_expected.to match_array([group_authorization]) }
|
it { is_expected.to match_array([group_authorization]) }
|
||||||
|
|
||||||
context 'agent_authorization_include_descendants feature flag is disabled' do
|
|
||||||
before do
|
|
||||||
stub_feature_flags(agent_authorization_include_descendants: false)
|
|
||||||
end
|
|
||||||
|
|
||||||
it { is_expected.to be_empty }
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
it_behaves_like 'access_as' do
|
it_behaves_like 'access_as' do
|
||||||
|
|