kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Add latest changes from gitlab-org/gitlab@master

Browse source
This commit is contained in:
GitLab Bot 2022-03-01 21:16:08 +00:00
parent 08da8623a9
commit 70fe7ce74b
52 changed files with 329 additions and 329 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.gitlab/ci/review-apps/dast.gitlab-ci.yml
View file

@ -5,7 +5,7 @@
extends:
- .reports:rules:schedule-dast
image:
name: "registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION"
name: "registry.gitlab.com/security-products/dast:$DAST_VERSION"
resource_group: dast_scan
variables:
DAST_USERNAME_FIELD: "user[login]"

2
GITALY_SERVER_VERSION
View file

@ -1 +1 @@
ec28a70c49706f53a1d06612dd6f855e1b85d11c
416988ddd41d192114142a828eb039fac450d084

5
app/graphql/resolvers/concerns/resolves_pipelines.rb
View file

@ -20,11 +20,14 @@ module ResolvesPipelines
GraphQL::Types::String,
required: false,
description: "Filter pipelines by the sha of the commit they are run for."
argument :source,
GraphQL::Types::String,
required: false,
description: "Filter pipelines by their source."
argument :username,
GraphQL::Types::String,
required: false,
description: "Filter pipelines by the user that triggered the pipeline."
end
class_methods do

6
app/helpers/routing/pseudonymization_helper.rb
View file

@ -15,7 +15,7 @@ module Routing
end
def mask_params
return default_root_url + @request.original_fullpath unless has_maskable_params?
return @request.original_url unless has_maskable_params?
masked_params = @request.path_parameters.to_h do |key, value|
case key
@ -66,10 +66,6 @@ module Routing
query_string_hash
end
def default_root_url
Gitlab::Routing.url_helpers.root_url(only_path: false)
end
end
def masked_page_url(group:, project:)

4
app/validators/json_schemas/security_ci_configuration_schemas/sast_ui_schema.json
View file

@ -2,8 +2,8 @@
"$schema": "http://json-schema.org/draft-07/schema#",
"global": [
{
"field" : "SECURE_ANALYZERS_PREFIX",
"label" : "Image prefix",
"field": "SECURE_ANALYZERS_PREFIX",
"label": "Image prefix",
"type": "string",
"default_value": "",
"value": "",

4
config/initializers/1_settings.rb
View file

@ -629,13 +629,13 @@ Gitlab.ee do
Settings.cron_jobs['active_user_count_threshold_worker']['cron'] ||= '0 12 * * *'
Settings.cron_jobs['active_user_count_threshold_worker']['job_class'] = 'ActiveUserCountThresholdWorker'
Settings.cron_jobs['adjourned_group_deletion_worker'] ||= Settingslogic.new({})
Settings.cron_jobs['adjourned_group_deletion_worker']['cron'] ||= '0 3 * * *'
Settings.cron_jobs['adjourned_group_deletion_worker']['cron'] ||= '0 2 * * *'
Settings.cron_jobs['adjourned_group_deletion_worker']['job_class'] = 'AdjournedGroupDeletionWorker'
Settings.cron_jobs['clear_shared_runners_minutes_worker'] ||= Settingslogic.new({})
Settings.cron_jobs['clear_shared_runners_minutes_worker']['cron'] ||= '0 0 1 * *'
Settings.cron_jobs['clear_shared_runners_minutes_worker']['job_class'] = 'ClearSharedRunnersMinutesWorker'
Settings.cron_jobs['adjourned_projects_deletion_cron_worker'] ||= Settingslogic.new({})
Settings.cron_jobs['adjourned_projects_deletion_cron_worker']['cron'] ||= '0 4 * * *'
Settings.cron_jobs['adjourned_projects_deletion_cron_worker']['cron'] ||= '0 7 * * *'
Settings.cron_jobs['adjourned_projects_deletion_cron_worker']['job_class'] = 'AdjournedProjectsDeletionCronWorker'
Settings.cron_jobs['geo_verification_cron_worker'] ||= Settingslogic.new({})
Settings.cron_jobs['geo_verification_cron_worker']['cron'] ||= '* * * * *'

15
db/post_migrate/20220225133705_cleanup_backfill_ci_queuing_tables.rb Normal file
View file

@ -0,0 +1,15 @@
# frozen_string_literal: true
class CleanupBackfillCiQueuingTables < Gitlab::Database::Migration[1.0]
MIGRATION = 'BackfillCiQueuingTables'
disable_ddl_transaction!
def up
finalize_background_migration(MIGRATION)
end
def down
# no-op
end
end

1
db/schema_migrations/20220225133705 Normal file
View file

@ -0,0 +1 @@
aa9ab05f6991f06c465fbc4878e0cbc648dc09b1b7912dbbf3dd68887a9cdd1d

21
doc/administration/cicd.md
View file

@ -71,6 +71,27 @@ Plan.default.actual_limits.update!(ci_needs_size_limit: 100)
To disable directed acyclic graphs (DAG), set the limit to `0`.
## Change maximum scheduled pipeline frequency
[Scheduled pipelines](../ci/pipelines/schedules.md) can be configured with any [cron value](../topics/cron/index.md),
but they do not always run exactly when scheduled. An internal process, called the
_pipeline schedule worker_, queues all the scheduled pipelines, but does not
run continuously. The worker runs on its own schedule, and scheduled pipelines that
are ready to start are only queued the next time the worker runs. Scheduled pipelines
can't run more frequently than the worker.
The default frequency of the pipeline schedule worker is `3-59/10 * * * *` (every ten minutes,
starting with `0:03`, `0:13`, `0:23`, and so on). The default frequency for GitLab.com
is listed in the [GitLab.com settings](../user/gitlab_com/index.md#gitlab-cicd).
To change the frequency of the pipeline schedule worker:
1. Edit the `gitlab_rails['pipeline_schedule_worker_cron']` value in your instance's `gitlab.rb` file.
1. [Reconfigure GitLab](restart_gitlab.md#omnibus-gitlab-reconfigure) for the changes to take effect.
For example, to set the maximum frequency of pipelines to twice a day, set `pipeline_schedule_worker_cron`
to a cron value of `0 */12 * * *` (`00:00` and `12:00` every day).
<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues

3
doc/api/graphql/reference/index.md
View file

@ -9514,6 +9514,7 @@ four standard [pagination arguments](#connection-pagination-arguments):
| <a id="commitpipelinessha"></a>`sha` | [`String`](#string) | Filter pipelines by the sha of the commit they are run for. |
| <a id="commitpipelinessource"></a>`source` | [`String`](#string) | Filter pipelines by their source. |
| <a id="commitpipelinesstatus"></a>`status` | [`PipelineStatusEnum`](#pipelinestatusenum) | Filter pipelines by their status. |
| <a id="commitpipelinesusername"></a>`username` | [`String`](#string) | Filter pipelines by the user that triggered the pipeline. |
### `ComplianceFramework`
@ -12379,6 +12380,7 @@ four standard [pagination arguments](#connection-pagination-arguments):
| <a id="mergerequestpipelinessha"></a>`sha` | [`String`](#string) | Filter pipelines by the sha of the commit they are run for. |
| <a id="mergerequestpipelinessource"></a>`source` | [`String`](#string) | Filter pipelines by their source. |
| <a id="mergerequestpipelinesstatus"></a>`status` | [`PipelineStatusEnum`](#pipelinestatusenum) | Filter pipelines by their status. |
| <a id="mergerequestpipelinesusername"></a>`username` | [`String`](#string) | Filter pipelines by the user that triggered the pipeline. |
##### `MergeRequest.reference`
@ -14420,6 +14422,7 @@ four standard [pagination arguments](#connection-pagination-arguments):
| <a id="projectpipelinessha"></a>`sha` | [`String`](#string) | Filter pipelines by the sha of the commit they are run for. |
| <a id="projectpipelinessource"></a>`source` | [`String`](#string) | Filter pipelines by their source. |
| <a id="projectpipelinesstatus"></a>`status` | [`PipelineStatusEnum`](#pipelinestatusenum) | Filter pipelines by their status. |
| <a id="projectpipelinesusername"></a>`username` | [`String`](#string) | Filter pipelines by the user that triggered the pipeline. |
##### `Project.projectMembers`

22
doc/ci/jobs/job_control.md
View file

@ -85,6 +85,28 @@ be triggered by the same event (a push to the source branch for an open merge re
See how to [prevent duplicate pipelines](#avoid-duplicate-pipelines)
for more details.
#### Run jobs for scheduled pipelines
To configure a job to be executed only when the pipeline has been
scheduled, use the [`rules`](../yaml/index.md#rules) keyword.
In this example, `make world` runs in scheduled pipelines, and `make build`
runs in branch and tag pipelines:
```yaml
job:on-schedule:
rules:
- if: $CI_PIPELINE_SOURCE == "schedule"
script:
- make world
job:
rules:
- if: $CI_PIPELINE_SOURCE == "push"
script:
- make build
```
### Complex rules
You can use all `rules` keywords, like `if`, `changes`, and `exists`, in the same

2
doc/ci/migration/circleci.md
View file

@ -169,7 +169,7 @@ job1:
- if: '$CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_REF_NAME == "try-schedule-workflow"'
```
After the pipeline configuration is saved, you configure the cron schedule in the [GitLab UI](../pipelines/schedules.md#configuring-pipeline-schedules), and can enable or disable schedules in the UI as well.
After the pipeline configuration is saved, you configure the cron schedule in the [GitLab UI](../pipelines/schedules.md#add-a-pipeline-schedule), and can enable or disable schedules in the UI as well.
#### Manual run

BIN
doc/ci/pipelines/img/pipeline_schedule_play.png
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 11 KiB

BIN
doc/ci/pipelines/img/pipeline_schedule_variables.png
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 6.2 KiB

BIN
doc/ci/pipelines/img/pipeline_schedules_list.png
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 13 KiB

BIN
doc/ci/pipelines/img/pipeline_schedules_new_form.png
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 20 KiB

BIN
doc/ci/pipelines/img/pipeline_schedules_ownership.png
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 4.9 KiB

156
doc/ci/pipelines/schedules.md
View file

@ -8,140 +8,64 @@ type: reference, howto
# Pipeline schedules **(FREE)**
Pipelines are normally run based on certain conditions being met. For example, when a branch is pushed to repository.
Pipeline schedules can be used to also run [pipelines](index.md) at specific intervals. For example:
- Every month on the 22nd (cron example: `0 0 22 * *`) for a certain branch.
- Every month on the 2nd Monday (cron example: `0 0 * * 1#2`).
- Every other Sunday at 0900 hours (cron example: `0 9 * * sun%2`).
- Once every day (cron example: `0 0 * * *`).
Schedule timing is configured with [cron notation](../../topics/cron/index.md).
You can use any cron value, but scheduled pipelines cannot run more frequently
than the instance's [maximum frequency for scheduled pipelines](#advanced-configuration).
In addition to using the GitLab UI, pipeline schedules can be maintained using the
[Pipeline schedules API](../../api/pipeline_schedules.md).
Use scheduled pipelines to run GitLab CI/CD [pipelines](index.md) at regular intervals.
## Prerequisites
In order for a scheduled pipeline to be created successfully:
For a scheduled pipeline to run:
- The schedule owner must have [permissions](../../user/permissions.md) to merge into the target branch.
- The pipeline configuration must be valid.
- The schedule owner must have the Developer role. For pipelines on protected branches,
the schedule owner must be [allowed to merge](../../user/project/protected_branches.md#configure-a-protected-branch)
to the branch.
- The [CI/CD configuration](../yaml/index.md) must be valid.
Otherwise the pipeline is not created.
Otherwise, the pipeline is not created. No error message is displayed.
## Configuring pipeline schedules
## Add a pipeline schedule
To schedule a pipeline for project:
To add a pipeline schedule:
1. Navigate to the project's **CI/CD > Schedules** page.
1. Click the **New schedule** button.
1. Fill in the **Schedule a new pipeline** form.
1. Click the **Save pipeline schedule** button.
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **CI/CD > Schedules**.
1. Select **New schedule** and fill in the form.
- **Interval Pattern**: Select one of the preconfigured intervals, or enter a custom
interval in [cron notation](../../topics/cron/index.md). You can use any cron value,
but scheduled pipelines cannot run more frequently than the instance's
[maximum scheduled pipeline frequency](../../administration/cicd.md#change-maximum-scheduled-pipeline-frequency).
- **Variables**: Add any number of [CI/CD variables](../variables/index.md) to the schedule.
These variables are available only when the scheduled pipeline runs,
and not in any other pipeline run.
![New Schedule Form](img/pipeline_schedules_new_form.png)
## Run manually
NOTE:
Pipelines execution [timing is dependent](#advanced-configuration) on Sidekiq's own schedule.
To trigger a pipeline schedule manually, so that it runs immediately instead of
the next scheduled time:
In the **Schedules** index page you can see a list of the pipelines that are
scheduled to run. The next run is automatically calculated by the server GitLab
is installed on.
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **CI/CD > Schedules**.
1. On the right of the list, for
the pipeline you want to run, select **Play** (**{play}**).
![Schedules list](img/pipeline_schedules_list.png)
You can manually run scheduled pipelines once per minute.
### Using variables
## Take ownership
You can pass any number of arbitrary variables. They are available in
GitLab CI/CD so that they can be used in your [`.gitlab-ci.yml` file](../../ci/yaml/index.md).
Scheduled pipelines execute with the permissions of the user
who owns the schedule. The pipeline has access to the same resources as the pipeline owner,
including [protected environments](../environments/protected_environments.md) and the
[CI/CD job token](../jobs/ci_job_token.md).
![Scheduled pipeline variables](img/pipeline_schedule_variables.png)
To take ownership of a pipeline created by a different user:
### Using `rules`
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **CI/CD > Schedules**.
1. On the right of the list, for
the pipeline you want to become owner of, select **Take ownership**.
To configure a job to be executed only when the pipeline has been
scheduled, use the [`rules`](../yaml/index.md#rules) keyword.
## Related topics
In this example, `make world` runs in scheduled pipelines, and `make build`
runs in branch and tag pipelines:
```yaml
job:on-schedule:
rules:
- if: $CI_PIPELINE_SOURCE == "schedule"
script:
- make world
job:
rules:
- if: $CI_PIPELINE_SOURCE == "push"
script:
- make build
```
### Advanced configuration **(FREE SELF)**
Scheduled pipelines can be configured with any [cron value](../../topics/cron/index.md),
but they do not always run exactly when scheduled. An internal process, called the
_pipeline schedule worker_, queues all the scheduled pipelines, but does not
run continuously. The worker runs on its own schedule, and scheduled pipelines that
are ready to start are only queued the next time the worker runs. Scheduled pipelines
can't run more frequently than the worker.
The default frequency of the pipeline schedule worker is `3-59/10 * * * *` (every ten minutes,
starting with `0:03`, `0:13`, `0:23`, and so on). The default frequency for GitLab.com
is listed in the [GitLab.com settings](../../user/gitlab_com/index.md#gitlab-cicd).
To change the frequency of the pipeline schedule worker:
1. Edit the `gitlab_rails['pipeline_schedule_worker_cron']` value in your instance's `gitlab.rb` file.
1. [Reconfigure GitLab](../../administration/restart_gitlab.md#omnibus-gitlab-reconfigure) for the changes to take effect.
For example, to set the maximum frequency of pipelines to twice a day, set `pipeline_schedule_worker_cron`
to a cron value of `0 */12 * * *` (`00:00` and `12:00` every day).
## Working with scheduled pipelines
After configuration, GitLab supports many functions for working with scheduled pipelines.
### Running manually
> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/15700) in GitLab 10.4.
To trigger a pipeline schedule manually, click the "Play" button:
![Play Pipeline Schedule](img/pipeline_schedule_play.png)
This schedules a background job to run the pipeline schedule. A flash
message provides a link to the CI/CD Pipeline index page.
NOTE:
To help avoid abuse, users are rate limited to triggering a pipeline once per
minute.
### Taking ownership
Pipelines are executed as a user, who owns a schedule. This influences what projects and other resources the pipeline has access to.
If a user does not own a pipeline, you can take ownership by clicking the **Take ownership** button.
The next time a pipeline is scheduled, your credentials are used.
![Schedules list](img/pipeline_schedules_ownership.png)
If the owner of a pipeline schedule cannot create
pipelines on the target branch, the schedule stops creating new
pipelines.
This can happen if, for example:
- The owner is blocked or removed from the project.
- The target branch or tag is protected.
In this case, someone with sufficient privileges must take ownership of the
schedule.
- Pipeline schedules can be maintained by using the [Pipeline schedules API](../../api/pipeline_schedules.md).
- You can [control which jobs are added to scheduled pipelines](../jobs/job_control.md#run-jobs-for-scheduled-pipelines).
<!-- ## Troubleshooting

2
doc/ci/variables/index.md
View file

@ -653,7 +653,7 @@ The order of precedence for variables is (from highest to lowest):
1. These all have the same (highest) precedence:
- [Trigger variables](../triggers/index.md#pass-cicd-variables-in-the-api-call).
- [Scheduled pipeline variables](../pipelines/schedules.md#using-variables).
- [Scheduled pipeline variables](../pipelines/schedules.md#add-a-pipeline-schedule).
- [Manual pipeline run variables](#override-a-variable-when-running-a-pipeline-manually).
- Variables added when [creating a pipeline with the API](../../api/pipelines.md#create-a-new-pipeline).
1. Project [variables](#custom-cicd-variables).

2
doc/ci/yaml/includes.md
View file

@ -302,7 +302,7 @@ In `include` sections in your `.gitlab-ci.yml` file, you can use:
In GitLab 14.5 and later, you can also use:
- [Trigger variables](../triggers/index.md#pass-cicd-variables-in-the-api-call).
- [Scheduled pipeline variables](../pipelines/schedules.md#using-variables).
- [Scheduled pipeline variables](../pipelines/schedules.md#add-a-pipeline-schedule).
- [Manual pipeline run variables](../variables/index.md#override-a-variable-when-running-a-pipeline-manually).
- Pipeline [predefined variables](../variables/predefined_variables.md).

126
doc/development/ee_features.md
View file

@ -444,6 +444,69 @@ resolve when you add the indentation to the equation.
EE-specific views should be placed in `ee/app/views/`, using extra
sub-directories if appropriate.
#### Using `render_if_exists`
Instead of using regular `render`, we should use `render_if_exists`, which
doesn't render anything if it cannot find the specific partial. We use this
so that we could put `render_if_exists` in CE, keeping code the same between
CE and EE.
The advantages of this:
- Very clear hints about where we're extending EE views while reading CE code.
The disadvantage of this:
- If we have typos in the partial name, it would be silently ignored.
##### Caveats
The `render_if_exists` view path argument must be relative to `app/views/` and `ee/app/views`.
Resolving an EE template path that is relative to the CE view path doesn't work.
```haml
- # app/views/projects/index.html.haml
= render_if_exists 'button' # Will not render `ee/app/views/projects/_button` and will quietly fail
= render_if_exists 'projects/button' # Will render `ee/app/views/projects/_button`
```
#### Using `render_ce`
For `render` and `render_if_exists`, they search for the EE partial first,
and then CE partial. They would only render a particular partial, not all
partials with the same name. We could take the advantage of this, so that
the same partial path (for example, `shared/issuable/form/default_templates`) could
be referring to the CE partial in CE (that is,
`app/views/shared/issuable/form/_default_templates.html.haml`), while EE
partial in EE (that is,
`ee/app/views/shared/issuable/form/_default_templates.html.haml`). This way,
we could show different things between CE and EE.
However sometimes we would also want to reuse the CE partial in EE partial
because we might just want to add something to the existing CE partial. We
could workaround this by adding another partial with a different name, but it
would be tedious to do so.
In this case, we could as well just use `render_ce` which would ignore any EE
partials. One example would be
`ee/app/views/shared/issuable/form/_default_templates.html.haml`:
```haml
- if @project.feature_available?(:issuable_default_templates)
= render_ce 'shared/issuable/form/default_templates'
- elsif show_promotions?
= render 'shared/promotions/promote_issue_templates'
```
In the above example, we can't use
`render 'shared/issuable/form/default_templates'` because it would find the
same EE partial, causing infinite recursion. Instead, we could use `render_ce`
so it ignores any partials in `ee/` and then it would render the CE partial
(that is, `app/views/shared/issuable/form/_default_templates.html.haml`)
for the same path (that is, `shared/issuable/form/default_templates`). This way
we could easily wrap around the CE partial.
### Code in `lib/gitlab/background_migration/`
When you create EE-only background migrations, you have to plan for users that
@ -525,69 +588,6 @@ module EE
end
```
#### Using `render_if_exists`
Instead of using regular `render`, we should use `render_if_exists`, which
doesn't render anything if it cannot find the specific partial. We use this
so that we could put `render_if_exists` in CE, keeping code the same between
CE and EE.
The advantages of this:
- Very clear hints about where we're extending EE views while reading CE code.
The disadvantage of this:
- If we have typos in the partial name, it would be silently ignored.
##### Caveats
The `render_if_exists` view path argument must be relative to `app/views/` and `ee/app/views`.
Resolving an EE template path that is relative to the CE view path doesn't work.
```haml
- # app/views/projects/index.html.haml
= render_if_exists 'button' # Will not render `ee/app/views/projects/_button` and will quietly fail
= render_if_exists 'projects/button' # Will render `ee/app/views/projects/_button`
```
#### Using `render_ce`
For `render` and `render_if_exists`, they search for the EE partial first,
and then CE partial. They would only render a particular partial, not all
partials with the same name. We could take the advantage of this, so that
the same partial path (for example, `shared/issuable/form/default_templates`) could
be referring to the CE partial in CE (that is,
`app/views/shared/issuable/form/_default_templates.html.haml`), while EE
partial in EE (that is,
`ee/app/views/shared/issuable/form/_default_templates.html.haml`). This way,
we could show different things between CE and EE.
However sometimes we would also want to reuse the CE partial in EE partial
because we might just want to add something to the existing CE partial. We
could workaround this by adding another partial with a different name, but it
would be tedious to do so.
In this case, we could as well just use `render_ce` which would ignore any EE
partials. One example would be
`ee/app/views/shared/issuable/form/_default_templates.html.haml`:
```haml
- if @project.feature_available?(:issuable_default_templates)
= render_ce 'shared/issuable/form/default_templates'
- elsif show_promotions?
= render 'shared/promotions/promote_issue_templates'
```
In the above example, we can't use
`render 'shared/issuable/form/default_templates'` because it would find the
same EE partial, causing infinite recursion. Instead, we could use `render_ce`
so it ignores any partials in `ee/` and then it would render the CE partial
(that is, `app/views/shared/issuable/form/_default_templates.html.haml`)
for the same path (that is, `shared/issuable/form/default_templates`). This way
we could easily wrap around the CE partial.
### Code in `lib/`
Place EE-specific logic in the top-level `EE` module namespace. Namespace the

3
doc/topics/cron/index.md
View file

@ -38,7 +38,10 @@ are valid:
- Run once a day at midnight: `0 0 * * *`
- Run once a week at midnight on Sunday morning: `0 0 * * 0`
- Run once a month at midnight of the first day of the month: `0 0 1 * *`
- Run once a month on the 22nd: `0 0 22 * *`)
- Run once a month on the 2nd Monday: `0 0 * * 1#2`
- Run once a year at midnight of 1 January: `0 0 1 1 *`
- Run every other Sunday at 0900 hours: `0 9 * * sun%2`
For complete cron documentation, refer to the
[crontab(5) — Linux manual page](https://man7.org/linux/man-pages/man5/crontab.5.html).

2
doc/user/application_security/dependency_scanning/analyzers.md
View file

@ -50,7 +50,7 @@ Any custom change to the official analyzers can be achieved by using a
You can switch to a custom Docker registry that provides the official analyzer
images under a different prefix. For instance, the following instructs Dependency
Scanning to pull `my-docker-registry/gl-images/gemnasium`
instead of `registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium`.
instead of `registry.gitlab.com/security-products/gemnasium`.
In `.gitlab-ci.yml` define:
```yaml

10
doc/user/application_security/dependency_scanning/index.md
View file

@ -892,11 +892,11 @@ import the following default dependency scanning analyzer images from `registry.
your [local Docker container registry](../../packages/container_registry/index.md):
```plaintext
registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium:2
registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven:2
registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python:2
registry.gitlab.com/gitlab-org/security-products/analyzers/retire.js:2
registry.gitlab.com/gitlab-org/security-products/analyzers/bundler-audit:2
registry.gitlab.com/security-products/gemnasium:2
registry.gitlab.com/security-products/gemnasium-maven:2
registry.gitlab.com/security-products/gemnasium-python:2
registry.gitlab.com/security-products/retire.js:2
registry.gitlab.com/security-products/bundler-audit:2
```
The process for importing Docker images into a local offline Docker registry depends on

6
doc/user/application_security/index.md
View file

@ -110,11 +110,9 @@ For more details about each of the security scanning tools, see their respective
### Override the default registry base address
By default, GitLab security scanners use `registry.gitlab.com/gitlab-org/security-products/analyzers` as the
By default, GitLab security scanners use `registry.gitlab.com/security-products` as the
base address for Docker images. You can override this globally by setting the CI/CD variable
`SECURE_ANALYZERS_PREFIX` to another location. Note that this affects all scanners at once, except
the container-scanning analyzer which uses
`registry.gitlab.com/security-products/container-scanning` as its registry.
`SECURE_ANALYZERS_PREFIX` to another location. Note that this affects all scanners at once.
### Use security scanning tools with merge request pipelines

2
doc/user/application_security/offline_deployments/index.md
View file

@ -179,7 +179,7 @@ set -ux
# Specify needed analyzer images
analyzers=${SAST_ANALYZERS:-"bandit eslint gosec"}
gitlab=registry.gitlab.com/gitlab-org/security-products/analyzers/
gitlab=registry.gitlab.com/security-products/
for i in "${analyzers[@]}"
do

139
doc/user/clusters/management_project_template.md
View file

@ -4,93 +4,57 @@ group: Configure
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# Manage cluster applications **(FREE)**
# Sample GitLab CI/CD project for Kubernetes **(FREE)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/25318) in GitLab 12.10 with Helmfile support via Helm v2.
> - Helm v2 support was [dropped](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/63577) in GitLab 14.0. Use Helm v3 instead.
> - [Migrated](https://gitlab.com/gitlab-org/project-templates/cluster-management/-/merge_requests/24) to the GitLab agent in GitLab 14.5.
Use a repository to install, manage, and deploy clusters applications through code.
GitLab provides a cluster management project template, which you use
to create a project. The project includes cluster applications that integrate with GitLab
and extend GitLab functionality. You can use the pattern shown in the project to extend
your custom cluster applications.
## Cluster Management Project Template
## Use one project for the agent and your manifests
The Cluster Management Project Template provides you a baseline to get
started and flexibility to customize your project to your cluster's needs.
For instance, you can:
If you **have not yet** used the agent to connect your cluster with GitLab:
- Extend the CI/CD configuration.
- Configure the built-in cluster applications.
- Remove the built-in cluster applications you don't need.
- Add other cluster applications using the same structure as the ones already available.
1. [Create a project from the cluster management project template](#create-a-project-based-on-the-cluster-management-project-template).
1. [Configure the project for the agent](agent/install/index.md).
1. In your project's settings, create an
[environment variable](../../ci/variables/index.md#add-a-cicd-variable-to-a-project) named `$KUBE_CONTEXT`
and set the value to `path/to/agent-configuration-project:your-agent-name`.
1. [Configure the files](#configure-the-project) as needed.
The template contains the following [components](#configure-the-available-components):
## Use separate projects for the agent and your manifests
- A pre-configured `.gitlab-ci.yml`file so that you can configure CI/CD pipelines using [the agent for Kubernetes](agent/ci_cd_tunnel.md).
- A pre-configured [Helmfile](https://github.com/roboll/helmfile) so that
you can manage cluster applications with [Helm v3](https://helm.sh/).
- An `applications` directory with a `helmfile.yaml` configured for each
application available in the template.
If you have already configured the agent and connected a cluster with GitLab:
## Use the agent with the Cluster Management Project Template
1. [Create a project from the cluster management project template](#create-a-project-based-on-the-cluster-management-project-template).
1. In the project where you configured your agent,
[grant the agent access to the new project](agent/ci_cd_tunnel.md#authorize-the-agent).
1. In the new project, create an
[environment variable](../../ci/variables/index.md#add-a-cicd-variable-to-a-project) named `$KUBE_CONTEXT`
and set the value to `path/to/agent-configuration-project:your-agent-name`.
1. In the new project, [configure the files](#configure-the-project) as needed.
To use a new project created from the Cluster Management Project Template
with a cluster connected to GitLab through the [GitLab agent](agent/index.md),
you have two options:
## Create a project based on the cluster management project template
- [Use one single project](#single-project) to configure the agent and manage cluster applications.
- [Use separate projects](#separate-projects) - one to configure the agent and another to manage cluster applications.
To create a project from the cluster management project template:
### Single project
1. On the top bar, select **Menu > Projects > Create new project**.
1. Select **Create from template**.
1. From the list of templates, next to **GitLab Cluster Management**, select **Use template**.
1. Enter the project details.
1. Select **Create project**.
This setup is particularly useful when you haven't connected your cluster
to GitLab through the agent yet and you want to use the Cluster Management
Project Template to manage cluster applications.
If you use self-managed GitLab, your instance might not include the latest version of the template.
In that case, select **Import project**, **Repo by URL** and for the **Git repository URL**, enter
`https://gitlab.com/gitlab-org/project-templates/cluster-management.git`.
To use one single project to configure the agent and to manage cluster applications:
## Configure the project
1. [Create a new project from the Cluster Management Project Template](#create-a-new-project-based-on-the-cluster-management-template).
1. Configure the new project as the [agent's configuration repository](agent/repository.md)
(where the agent is registered and its `config.yaml` is stored).
1. From your project's settings, add a [new environment variable](../../ci/variables/index.md#add-a-cicd-variable-to-a-project) `$KUBE_CONTEXT` and set it to `path/to/agent-configuration-project:your-agent-name`.
1. [Configure the components](#configure-the-available-components) inherited from the template.
### Separate projects
This setup is particularly useful **when you already have a cluster** connected
to GitLab through the agent and want to use the Cluster Management
Project Template to manage cluster applications.
To use one project to configure the agent ("project A") and another project to
manage cluster applications ("project B"), follow the steps below.
We assume that you already have a cluster connected through the agent and
[configured through the agent's configuration repository](agent/repository.md)
("project A").
1. [Create a new project from the Cluster Management Project Template](#create-a-new-project-based-on-the-cluster-management-template).
This new project is "project B".
1. In your "project A", [grant the agent access to the new project (B)](agent/ci_cd_tunnel.md#authorize-the-agent).
1. From the "project's B" settings, add a [new environment variable](../../ci/variables/index.md#add-a-cicd-variable-to-a-project) `$KUBE_CONTEXT` and set it to `path/to/agent-configuration-project:your-agent-name`.
1. In "project B", [configure the components](#configure-the-available-components) inherited from the template.
## Create a new project based on the Cluster Management Template
To get started, create a new project based on the Cluster Management
project template to use as a cluster management project.
You can either create the new project from the template or import the
project from the URL. Importing the project is useful if you are using
a GitLab self-managed instance that may not have the latest version of
the template.
To [create the new project](../project/working_with_projects.md#create-a-project):
- From the template: select the **GitLab Cluster Management** project template.
- Importing from the URL: use `https://gitlab.com/gitlab-org/project-templates/cluster-management.git`.
## Configure the available components
Use the available components to configure your cluster applications:
After you use the cluster management template to create a project, you can configure:
- [The `.gitlab-ci.yml` file](#the-gitlab-ciyml-file).
- [The main `helmfile.yml` file](#the-main-helmfileyml-file).
@ -98,22 +62,22 @@ Use the available components to configure your cluster applications:
### The `.gitlab-ci.yml` file
The base image used in your pipeline is built by the [cluster-applications](https://gitlab.com/gitlab-org/cluster-integration/cluster-applications)
project. This image consists of a set of Bash utility scripts to support [Helm v3 releases](https://helm.sh/docs/intro/using_helm/#three-big-concepts):
The `.gitlab-ci.yml` file:
- `gl-fail-if-helm2-releases-exist {namespace}`: It tries to detect whether you have apps deployed through Helm v2
releases for a given namespace. If so, it will fail the pipeline and ask you to manually
[migrate your Helm v2 releases to Helm v3](https://helm.sh/docs/topics/v2_v3_migration/).
- `gl-ensure-namespace {namespace}`: It creates the given namespace if it does not exist and adds the necessary label
for the [Cilium](https://github.com/cilium/cilium/) app network policies to work.
- `gl-adopt-resource-with-helm-v3 {arguments}`: Used only internally in the [cert-manager's](https://cert-manager.io/) Helmfile to
facilitate the GitLab Managed Apps adoption.
- `gl-adopt-crds-with-helm-v3 {arguments}`: Used only internally in the [cert-manager's](https://cert-manager.io/) Helmfile to
facilitate the GitLab Managed Apps adoption.
- `gl-helmfile {arguments}`: A thin wrapper that triggers the [Helmfile](https://github.com/roboll/helmfile) command.
- Ensures you are on Helm version 3.
- Deploys the enabled applications from the project.
You can edit and extend the pipeline definitions.
The base image used in the pipeline is built by the
[cluster-applications](https://gitlab.com/gitlab-org/cluster-integration/cluster-applications) project.
This image contains a set of Bash utility scripts to support [Helm v3 releases](https://helm.sh/docs/intro/using_helm/#three-big-concepts).
### The main `helmfile.yml` file
The template contains a [Helmfile](https://github.com/roboll/helmfile) you can use to manage
cluster applications with [Helm v3](https://helm.sh/).
This file has a list of paths to other Helmfiles for each app. They're all commented out by default, so you must uncomment
the paths for the apps that you would like to use in your cluster.
@ -124,6 +88,9 @@ from your cluster. [Read more](https://github.com/roboll/helmfile) about how Hel
### Built-in applications
The template contains an `applications` directory with a `helmfile.yaml` configured for each
application in the template.
The [built-in supported applications](https://gitlab.com/gitlab-org/project-templates/cluster-management/-/tree/master/applications) are:
- [Apparmor](../infrastructure/clusters/manage/management_project_applications/apparmor.md)
@ -138,8 +105,8 @@ The [built-in supported applications](https://gitlab.com/gitlab-org/project-temp
- [Sentry](../infrastructure/clusters/manage/management_project_applications/sentry.md)
- [Vault](../infrastructure/clusters/manage/management_project_applications/vault.md)
#### Customize your applications
Each application has an `applications/{app}/values.yaml` file.
For GitLab Runner, the file is `applications/{app}/values.yaml.gotmpl`.
Each app has an `applications/{app}/values.yaml` file (`applications/{app}/values.yaml.gotmpl` in case of GitLab Runner). This is the
place where you can define default values for your app's Helm chart. Some apps already have defaults
pre-defined by GitLab.
In this file, you can define default values for your app's Helm chart.
Some apps already have defaults defined.

2
doc/user/clusters/migrating_from_gma_to_project_template.md
View file

@ -20,7 +20,7 @@ To migrate from GitLab Managed Apps to a Cluster Management Project,
follow the steps below.
See also [video walk-throughs](#video-walk-throughs) with examples.
1. Create a new project based on the [Cluster Management Project template](management_project_template.md#create-a-new-project-based-on-the-cluster-management-template).
1. Create a new project based on the [Cluster Management Project template](management_project_template.md#create-a-project-based-on-the-cluster-management-project-template).
1. [Associate your new Cluster Management Project with your cluster](management_project.md#associate-the-cluster-management-project-with-the-cluster).
1. Detect apps deployed through Helm v2 releases by using the pre-configured [`.gitlab-ci.yml`](management_project_template.md#the-gitlab-ciyml-file) file:
- In case you had overwritten the default GitLab Managed Apps namespace, edit `.gitlab-ci.yml`,

6
doc/user/compliance/license_compliance/index.md
View file

@ -650,7 +650,7 @@ import the following default License Compliance analyzer images from `registry.g
offline [local Docker container registry](../../packages/container_registry/index.md):
```plaintext
registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:latest
registry.gitlab.com/security-products/license-finder:latest
```
The process for importing Docker images into a local offline Docker registry depends on
@ -853,7 +853,7 @@ A full list of variables can be found in [CI/CD variables](#available-cicd-varia
To find out what tools are pre-installed in the `license_scanning` Docker image use the following command:
```shell
$ docker run --entrypoint='' registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:3 /bin/bash -lc 'asdf list'
$ docker run --entrypoint='' registry.gitlab.com/security-products/license-finder:3 /bin/bash -lc 'asdf list'
golang
1.14
gradle
@ -880,7 +880,7 @@ sbt
To interact with the `license_scanning` runtime environment use the following command:
```shell
$ docker run -it --entrypoint='' registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:3 /bin/bash -l
$ docker run -it --entrypoint='' registry.gitlab.com/security-products/license-finder:3 /bin/bash -l
root@6abb70e9f193:~#
```

2
doc/user/infrastructure/clusters/migrate_to_gitlab_agent.md
View file

@ -74,7 +74,7 @@ Follow the process to [migrate from GitLab Managed Apps to the cluster managemen
## Migrate a cluster management project
See [how to use a cluster management project with the GitLab agent](../../clusters/management_project_template.md#use-the-agent-with-the-cluster-management-project-template).
See [how to use a cluster management project with the GitLab agent](../../clusters/management_project_template.md).
## Migrate cluster monitoring features

2
lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml
View file

@ -11,7 +11,7 @@
variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
DS_EXCLUDED_ANALYZERS: ""
DS_EXCLUDED_PATHS: "spec, test, tests, tmp"

2
lib/gitlab/ci/templates/Jobs/License-Scanning.gitlab-ci.yml
View file

@ -11,7 +11,7 @@
variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
LICENSE_MANAGEMENT_SETUP_CMD: '' # If needed, specify a command to setup your environment with a custom package manager.
LICENSE_MANAGEMENT_VERSION: 3

2
lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
View file

@ -1,7 +1,7 @@
variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
iac-sast:

2
lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
View file

@ -6,7 +6,7 @@
variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
SAST_EXCLUDED_ANALYZERS: ""
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"

2
lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
View file

@ -5,7 +5,7 @@
# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
variables:
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
SECRETS_ANALYZER_VERSION: "3"
SECRET_DETECTION_EXCLUDED_PATHS: ""

2
lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml
View file

@ -10,7 +10,7 @@
variables:
FUZZAPI_VERSION: "1"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
FUZZAPI_IMAGE: ${SECURE_ANALYZERS_PREFIX}/api-fuzzing:${FUZZAPI_VERSION}
apifuzzer_fuzz:

2
lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml
View file

@ -10,7 +10,7 @@
variables:
FUZZAPI_VERSION: "1"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
FUZZAPI_IMAGE: api-fuzzing
apifuzzer_fuzz:

2
lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml
View file

@ -24,7 +24,7 @@
variables:
# Setting this variable affects all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
#
DAST_API_VERSION: "1"
DAST_API_IMAGE: $SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION

2
lib/gitlab/ci/templates/Security/DAST-API.latest.gitlab-ci.yml
View file

@ -24,7 +24,7 @@
variables:
# Setting this variable affects all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
#
DAST_API_VERSION: "1"
DAST_API_IMAGE: api-fuzzing

2
lib/gitlab/ci/templates/Security/DAST-On-Demand-API-Scan.gitlab-ci.yml
View file

@ -5,7 +5,7 @@ stages:
- dast
variables:
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
DAST_API_VERSION: "1"
DAST_API_IMAGE: $SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION

2
lib/gitlab/ci/templates/Security/DAST-On-Demand-Scan.gitlab-ci.yml
View file

@ -13,7 +13,7 @@ variables:
DAST_VERSION: 2
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
dast:
stage: dast

2
lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
View file

@ -25,7 +25,7 @@ variables:
DAST_VERSION: 2
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
dast:
stage: dast

2
lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml
View file

@ -25,7 +25,7 @@ variables:
DAST_VERSION: 2
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
dast:
stage: dast

7
lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml
View file

@ -14,8 +14,11 @@
# Docs: https://docs.gitlab.com/ee/topics/airgap/
variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
SECURE_BINARIES_ANALYZERS: >-
bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kubesec, semgrep,
bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kics, kubesec, semgrep,
bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python,
license-finder,
dast, dast-runner-validation, api-fuzzing
@ -40,7 +43,7 @@ variables:
script:
- docker info
- env
- if [ -z "$SECURE_BINARIES_IMAGE" ]; then export SECURE_BINARIES_IMAGE=${SECURE_BINARIES_IMAGE:-"registry.gitlab.com/gitlab-org/security-products/analyzers/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"}; fi
- if [ -z "$SECURE_BINARIES_IMAGE" ]; then export SECURE_BINARIES_IMAGE=${SECURE_BINARIES_IMAGE:-"${SECURE_ANALYZERS_PREFIX}/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"}; fi
- docker pull --quiet ${SECURE_BINARIES_IMAGE}
- mkdir -p output/$(dirname ${CI_JOB_NAME})
- |

3
qa/qa.rb
View file

@ -59,7 +59,8 @@ module QA
"jira_api" => "JiraAPI",
"registry_tls" => "RegistryTLS",
"jetbrains" => "JetBrains",
"vscode" => "VSCode"
"vscode" => "VSCode",
"registry_with_cdn" => "RegistryWithCDN"
)
loader.setup

13
qa/qa/scenario/test/integration/object_storage_gcs.rb Normal file
View file

@ -0,0 +1,13 @@
# frozen_string_literal: true
module QA
module Scenario
module Test
module Integration
class ObjectStorageGcs < Test::Instance::All
tags :object_storage
end
end
end
end
end

14
qa/qa/scenario/test/integration/registry_with_cdn.rb Normal file
View file

@ -0,0 +1,14 @@
# rubocop:todo Naming/FileName
# frozen_string_literal: true
module QA
module Scenario
module Test
module Integration
class RegistryWithCDN < Test::Instance::All
tags :registry
end
end
end
end
end

12
spec/graphql/resolvers/concerns/resolves_pipelines_spec.rb
View file

@ -15,7 +15,7 @@ RSpec.describe ResolvesPipelines do
end
end
let(:current_user) { create(:user) }
let_it_be(:current_user) { create(:user) }
let_it_be(:project) { create(:project, :private) }
let_it_be(:pipeline) { create(:ci_pipeline, project: project) }
@ -23,13 +23,15 @@ RSpec.describe ResolvesPipelines do
let_it_be(:success_pipeline) { create(:ci_pipeline, :success, project: project) }
let_it_be(:ref_pipeline) { create(:ci_pipeline, project: project, ref: 'awesome-feature') }
let_it_be(:sha_pipeline) { create(:ci_pipeline, project: project, sha: 'deadbeef') }
let_it_be(:username_pipeline) { create(:ci_pipeline, project: project, user: current_user) }
let_it_be(:all_pipelines) do
[
pipeline,
failed_pipeline,
success_pipeline,
ref_pipeline,
sha_pipeline
sha_pipeline,
username_pipeline
]
end
@ -37,7 +39,7 @@ RSpec.describe ResolvesPipelines do
project.add_developer(current_user)
end
it { is_expected.to have_graphql_arguments(:status, :scope, :ref, :sha, :source) }
it { is_expected.to have_graphql_arguments(:status, :scope, :ref, :sha, :source, :username) }
it 'finds all pipelines' do
expect(resolve_pipelines).to contain_exactly(*all_pipelines)
@ -71,6 +73,10 @@ RSpec.describe ResolvesPipelines do
end
end
it 'allows filtering by username' do
expect(resolve_pipelines(username: current_user.username)).to contain_exactly(username_pipeline)
end
it 'does not return any pipelines if the user does not have access' do
expect(resolve_pipelines({}, {})).to be_empty
end

26
spec/helpers/routing/pseudonymization_helper_spec.rb
View file

@ -222,16 +222,26 @@ RSpec.describe ::Routing::PseudonymizationHelper do
end
describe 'when url has no params to mask' do
let(:root_url) { 'http://localhost/some/path' }
let(:original_url) { 'http://localhost/-/security/vulnerabilities' }
let(:request) do
double(:Request,
path_parameters: {
controller: 'security/vulnerabilities',
action: 'index'
},
protocol: 'http',
host: 'localhost',
query_string: '',
original_fullpath: '/-/security/vulnerabilities',
original_url: original_url)
end
context 'returns root url' do
before do
controller.request.path = 'some/path'
end
before do
allow(helper).to receive(:request).and_return(request)
end
it 'masked_page_url' do
expect(subject).to eq(root_url)
end
it 'returns unchanged url' do
expect(subject).to eq(original_url)
end
end

8
spec/lib/security/ci_configuration/sast_build_action_spec.rb
View file

@ -6,7 +6,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
let(:default_sast_values) do
{ 'global' =>
[
{ 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => 'registry.gitlab.com/gitlab-org/security-products/analyzers' }
{ 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => 'registry.gitlab.com/security-products' }
],
'pipeline' =>
[
@ -19,7 +19,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
let(:params) do
{ 'global' =>
[
{ 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => 'new_registry' }
{ 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => 'new_registry' }
],
'pipeline' =>
[
@ -164,7 +164,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
let(:params) do
{ 'global' =>
[
{ 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => 'registry.gitlab.com/gitlab-org/security-products/analyzers' }
{ 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => 'registry.gitlab.com/security-products' }
],
'pipeline' =>
[
@ -275,7 +275,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
let(:params) do
{ 'global' =>
[
{ 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => '' }
{ 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => '' }
] }
end

2
spec/services/ci/create_pipeline_service/parameter_content_spec.rb
View file

@ -15,7 +15,7 @@ RSpec.describe Ci::CreatePipelineService do
variables:
DAST_VERSION: 1
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
dast:
stage: dast

2
spec/support/helpers/ci/template_helpers.rb
View file

@ -3,7 +3,7 @@
module Ci
module TemplateHelpers
def secure_analyzers_prefix
'registry.gitlab.com/gitlab-org/security-products/analyzers'
'registry.gitlab.com/security-products'
end
end
end