kotovalexarian-likes-gitlab
/
gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2021-10-19 18:13:24 +00:00
parent 59b0e2f45d
commit ee2c09733d
38 changed files with 970 additions and 472 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
app/assets/stylesheets/highlight/common.scss
View File

@ -96,9 +96,10 @@
}
@mixin line-number-link($color) {
min-width: $gl-spacing-scale-9;
&::before {
@include gl-visibility-hidden;
@include gl-display-inline-block;
@include gl-display-none;
@include gl-align-self-center;
@include gl-mt-2;
@include gl-mr-2;
@ -114,10 +115,10 @@
}
&:hover::before {
@include gl-visibility-visible;
@include gl-display-inline-block;
}
&:focus::before {
@include gl-visibility-visible;
@include gl-display-inline-block;
}
}

10
app/controllers/concerns/issuable_actions.rb
View File

@ -159,9 +159,9 @@ module IssuableActions
discussions = Discussion.build_collection(notes, issuable)
if issuable.is_a?(MergeRequest)
cache_context = [current_user&.cache_key, project.team.human_max_access(current_user&.id)].join(':')
render_cached(discussions, with: discussion_serializer, cache_context: -> (_) { cache_context }, context: self)
render_cached(discussions, with: discussion_serializer, cache_context: -> (_) { discussion_cache_context }, context: self)
elsif issuable.is_a?(Issue) && Feature.enabled?(:issue_discussions_http_cache, default_enabled: :yaml)
render json: discussion_serializer.represent(discussions, context: self) if stale?(etag: [discussion_cache_context, discussions])
else
render json: discussion_serializer.represent(discussions, context: self)
end
@ -197,6 +197,10 @@ module IssuableActions
current_user&.user_preference&.previous_changes&.any?
end
def discussion_cache_context
[current_user&.cache_key, project.team.human_max_access(current_user&.id)].join(':')
end
def discussion_serializer
DiscussionSerializer.new(project: project, noteable: issuable, current_user: current_user, note_entity: ProjectNoteEntity)
end

2
app/controllers/groups/dependency_proxy_for_containers_controller.rb
View File

@ -59,7 +59,7 @@ class Groups::DependencyProxyForContainersController < ::Groups::DependencyProxy
def authorize_upload_blob
set_workhorse_internal_api_content_type
render json: DependencyProxy::FileUploader.workhorse_authorize(has_length: false)
render json: DependencyProxy::FileUploader.workhorse_authorize(has_length: false, maximum_size: 5.gigabytes)
end
def upload_blob

4
app/models/bulk_imports/entity.rb
View File

@ -112,6 +112,10 @@ class BulkImports::Entity < ApplicationRecord
@export_relations_url_path ||= EXPORT_RELATIONS_URL % { resource: pluralized_name, full_path: encoded_source_full_path }
end
def relation_download_url_path(relation)
"#{export_relations_url_path}/download?relation=#{relation}"
end
private
def validate_parent_is_a_group

10
app/services/bulk_imports/file_download_service.rb
View File

@ -7,8 +7,16 @@ module BulkImports
REMOTE_FILENAME_PATTERN = %r{filename="(?<filename>[^"]+)"}.freeze
FILENAME_SIZE_LIMIT = 255 # chars before the extension
DEFAULT_FILE_SIZE_LIMIT = 5.gigabytes
DEFAULT_ALLOWED_CONTENT_TYPES = %w(application/gzip application/octet-stream).freeze
def initialize(configuration:, relative_url:, dir:, file_size_limit:, allowed_content_types:, filename: nil)
def initialize(
configuration:,
relative_url:,
dir:,
file_size_limit: DEFAULT_FILE_SIZE_LIMIT,
allowed_content_types: DEFAULT_ALLOWED_CONTENT_TYPES,
filename: nil)
@configuration = configuration
@relative_url = relative_url
@filename = filename

2
app/services/packages/rubygems/create_dependencies_service.rb
View File

@ -3,8 +3,6 @@
module Packages
module Rubygems
class CreateDependenciesService
include BulkInsertSafe
def initialize(package, gemspec)
@package = package
@gemspec = gemspec

2
app/services/snippets/update_service.rb
View File

@ -148,3 +148,5 @@ module Snippets
end
end
end
Snippets::UpdateService.prepend_mod_with('Snippets::UpdateService')

8
config/feature_flags/development/issue_discussions_http_cache.yml Normal file
View File

@ -0,0 +1,8 @@
---
name: issue_discussions_http_cache
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72589
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/343309
milestone: '14.5'
type: development
group: group::project management
default_enabled: false

2
doc/administration/clusters/kas.md
View File

@ -10,7 +10,7 @@ The Kubernetes Agent Server (KAS) is a GitLab backend service dedicated to
managing [Kubernetes Agents](../../user/clusters/agent/index.md).
The KAS is already installed and available in GitLab.com under `wss://kas.gitlab.com`.
See [how to use GitLab.com's KAS](../../user/clusters/agent/index.md#set-up-the-kubernetes-agent-server).
See [how to use GitLab.com's KAS](../../user/clusters/agent/install/index.md#set-up-the-kubernetes-agent-server).
This document describes how to install a KAS for GitLab self-managed instances.
## Installation options

2
doc/administration/geo/replication/troubleshooting.md
View File

@ -455,7 +455,7 @@ To solve this:
1. Back up [the `.git` folder](../../repository_storage_types.md#translate-hashed-storage-paths).
1. Optional: [Spot-check](../../troubleshooting/log_parsing.md#find-all-projects-affected-by-a-fatal-git-problem))
1. Optional: [Spot-check](../../troubleshooting/log_parsing.md#find-all-projects-affected-by-a-fatal-git-problem)
a few of those IDs whether they indeed correspond
to a project with known Geo replication failures.
Use `fatal: 'geo'` as the `grep` term and the following API call:

2
doc/administration/load_balancer.md
View File

@ -7,7 +7,7 @@ type: reference
# Load Balancer for multi-node GitLab **(FREE SELF)**
In an multi-node GitLab configuration, you need a load balancer to route
In a multi-node GitLab configuration, you need a load balancer to route
traffic to the application servers. The specifics on which load balancer to use
or the exact configuration is beyond the scope of GitLab documentation. We hope
that if you're managing HA systems like GitLab you have a load balancer of

4
doc/administration/postgresql/pgbouncer.md
View File

@ -84,7 +84,7 @@ This content has been moved to a [new location](replication_and_failover.md#conf
Do not backup or restore GitLab through a PgBouncer connection: it causes a GitLab outage.
[Read more about this and how to reconfigure backups](../../raketasks/backup_restore.md#backup-and-restore-for-installations-using-pgbouncer).
[Read more about this and how to reconfigure backups](../../raketasks/backup_restore.md#back-up-and-restore-for-installations-using-pgbouncer).
## Enable Monitoring
@ -172,7 +172,7 @@ ote_pid | tls
Some database changes have to be done directly, and not through PgBouncer.
Read more about the affected tasks: [database restores](../../raketasks/backup_restore.md#backup-and-restore-for-installations-using-pgbouncer)
Read more about the affected tasks: [database restores](../../raketasks/backup_restore.md#back-up-and-restore-for-installations-using-pgbouncer)
and [GitLab upgrades](../../update/zero_downtime.md#use-postgresql-ha).
1. To find the primary node, run the following on a database node:

2
doc/administration/postgresql/replication_and_failover.md
View File

@ -501,7 +501,7 @@ in the Troubleshooting section before proceeding.
Do not backup or restore GitLab through a PgBouncer connection: this causes a GitLab outage.
[Read more about this and how to reconfigure backups](../../raketasks/backup_restore.md#backup-and-restore-for-installations-using-pgbouncer).
[Read more about this and how to reconfigure backups](../../raketasks/backup_restore.md#back-up-and-restore-for-installations-using-pgbouncer).
### Ensure GitLab is running

11
doc/development/documentation/site_architecture/global_nav.md
View File

@ -97,20 +97,13 @@ mechanics of what is required is [documented below](#data-file) but, in principl
The global nav has five levels:
- **Section**
- Section
- Category
- Doc
- Doc
- Doc
The majority of the links available on the nav were added according to the UI.
The match is not perfect, as for some UI nav items the documentation doesn't
apply, and there are also other links to help the new users to discover the
documentation. The docs under **Administration** are ordered alphabetically
for clarity.
To see the improvements planned, check the
[global nav epic](https://gitlab.com/groups/gitlab-org/-/epics/1599).
You can view this structure in [the navigation.yml file](https://gitlab.com/gitlab-org/gitlab-docs/-/blob/main/content/_data/navigation.yaml).
**Do not** [add items](#add-a-navigation-entry) to the global nav without
the consent of one of the technical writers.

5
doc/integration/elasticsearch.md
View File

@ -93,7 +93,7 @@ the indexer itself.
This project relies on [International Components for Unicode](https://icu.unicode.org/) (ICU) for text encoding,
therefore we must ensure the development packages for your platform are
installed before running `make`.
installed before running `make`.
#### Debian / Ubuntu
@ -113,6 +113,9 @@ sudo yum install libicu-devel
#### macOS
NOTE:
You must first [install Homebrew](https://brew.sh/).
To install on macOS, run:
```shell

16
doc/raketasks/backup_restore.md
View File

@ -22,7 +22,7 @@ backups with your object storage provider, if desired.
## Requirements
To be able to backup and restore, ensure that Rsync is installed on your
To be able to back up and restore, ensure that Rsync is installed on your
system. If you installed GitLab:
- _Using the Omnibus package_, you're all set.
@ -74,7 +74,7 @@ GitLab does not back up any configuration files, SSL certificates, or system
files. You are highly advised to read about [storing configuration files](#storing-configuration-files).
WARNING:
The backup command requires [additional parameters](#backup-and-restore-for-installations-using-pgbouncer) when
The backup command requires [additional parameters](#back-up-and-restore-for-installations-using-pgbouncer) when
your installation is using PgBouncer, for either performance reasons or when using it with a Patroni cluster.
Depending on your version of GitLab, use the following command if you installed
@ -168,7 +168,7 @@ as its key defeats the purpose of using encryption in the first place.
WARNING:
The secrets file is essential to preserve your database encryption key.
At the very **minimum**, you must backup:
At the very **minimum**, you must back up:
For Omnibus:
@ -187,7 +187,7 @@ the GitLab container according to the documentation, it should be in the
For [GitLab Helm chart installations](https://gitlab.com/gitlab-org/charts/gitlab)
on a Kubernetes cluster, you must follow the
[Backup the secrets](https://docs.gitlab.com/charts/backup-restore/backup.html#backup-the-secrets)
[Back up the secrets](https://docs.gitlab.com/charts/backup-restore/backup.html#backup-the-secrets)
instructions.
You may also want to back up any TLS keys and certificates, and your
@ -787,7 +787,7 @@ For installations from source:
#### Configuring cron to make daily backups
WARNING:
The following cron jobs do not [backup your GitLab configuration files](#storing-configuration-files)
The following cron jobs do not [back up your GitLab configuration files](#storing-configuration-files)
or [SSH host keys](https://superuser.com/questions/532040/copy-ssh-keys-from-one-server-to-another-server/532079#532079).
You can schedule a cron job that backs up your repositories and GitLab metadata.
@ -974,7 +974,7 @@ message. Install the [correct GitLab version](https://packages.gitlab.com/gitlab
and then try again.
WARNING:
The restore command requires [additional parameters](#backup-and-restore-for-installations-using-pgbouncer) when
The restore command requires [additional parameters](#back-up-and-restore-for-installations-using-pgbouncer) when
your installation is using PgBouncer, for either performance reasons or when using it with a Patroni cluster.
Next, restore `/etc/gitlab/gitlab-secrets.json` if necessary,
@ -1215,9 +1215,9 @@ There are a few possible downsides to this:
There is an **experimental** script that attempts to automate this process in
[the Geo team Runbooks project](https://gitlab.com/gitlab-org/geo-team/runbooks/-/tree/main/experimental-online-backup-through-rsync).
## Backup and restore for installations using PgBouncer
## Back up and restore for installations using PgBouncer
Do NOT backup or restore GitLab through a PgBouncer connection. These
Do NOT back up or restore GitLab through a PgBouncer connection. These
tasks must [bypass PgBouncer and connect directly to the PostgreSQL primary database node](#bypassing-pgbouncer),
or they cause a GitLab outage.

2
doc/user/application_security/policies/index.md
View File

@ -159,7 +159,7 @@ at the bottom of the editor.
You can use policy alerts to track your policy's impact. Alerts are only available if you've
[installed](../../clusters/agent/repository.md)
and [configured](../../clusters/agent/index.md#create-an-agent-record-in-gitlab)
and [configured](../../clusters/agent/install/index.md#create-an-agent-record-in-gitlab)
a Kubernetes Agent for this project.
There are two ways to create policy alerts:

14
doc/user/clusters/agent/ci_cd_tunnel.md
View File

@ -21,11 +21,11 @@ Only CI/CD jobs set in the configuration project can access one of the configure
## Prerequisites
- A running [`kas` instance](index.md#set-up-the-kubernetes-agent-server).
- A [configuration repository](index.md#define-a-configuration-repository) with an Agent config file
- A running [`kas` instance](install/index.md#set-up-the-kubernetes-agent-server).
- A [configuration repository](install/index.md#define-a-configuration-repository) with an Agent config file
installed (`.gitlab/agents/<agent-name>/config.yaml`).
- An [Agent record](index.md#create-an-agent-record-in-gitlab).
- The Agent [installed in the cluster](index.md#install-the-agent-into-the-cluster).
- An [Agent record](install/index.md#create-an-agent-record-in-gitlab).
- The Agent [installed in the cluster](install/index.md#install-the-agent-into-the-cluster).
## Use the CI/CD Tunnel to run Kubernetes commands from GitLab CI/CD
@ -37,6 +37,12 @@ there isn't any context selected.
Contexts are named in the following format: `<agent-configuration-project-path>:<agent-name>`.
To get the list of available contexts, run `kubectl config get-contexts`.
## Share the CI/CD Tunnel provided by an Agent with other projects and group
The Agent can be configured to enable access to the CI/CD Tunnel to other projects or all the projects under a given group. This way you can have a single agent serving all the requests for several projects saving on resources and maintenance.
You can read more on how to [authorize access to groups in the Agent configuration reference](repository.md#authorize-groups-to-use-an-agent).
## Example for a `kubectl` command using the CI/CD Tunnel
The following example shows a CI/CD job that runs a `kubectl` command using the CI/CD Tunnel.

442
doc/user/clusters/agent/index.md
View File

@ -7,28 +7,54 @@ info: To determine the technical writer assigned to the Stage/Group associated w
# GitLab Kubernetes Agent **(PREMIUM)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/223061) in [GitLab Premium](https://about.gitlab.com/pricing/) 13.4.
> - [Introduced](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/issues/7) in GitLab 13.6, `grpcs` is supported.
> - Support for `grpcs` [introduced](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/issues/7) in GitLab 13.6.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/300960) in GitLab 13.10, KAS became available on GitLab.com under `wss://kas.gitlab.com` through an Early Adopter Program.
> - Introduced in GitLab 13.11, the GitLab Kubernetes Agent became available to every project on GitLab.com.
The [GitLab Kubernetes Agent](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent)
is an active in-cluster component for solving GitLab and Kubernetes integration
tasks in a secure and cloud-native way. It enables:
The [GitLab Kubernetes Agent](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent) ("Agent", for short)
is an active in-cluster component for connecting Kubernetes clusters to GitLab safely to support cloud-native deployment, management, and monitoring.
- GitLab integration with a Kubernetes cluster behind a firewall or NAT
(network address translation).
- Pull-based GitOps deployments.
- [Inventory object](../../infrastructure/clusters/deploy/inventory_object.md) to keep track of objects applied to your cluster.
- Real-time access to API endpoints in a cluster.
- Alert generation based on [Container network policy](../../application_security/policies/index.md#container-network-policy).
- [CI/CD Tunnel](ci_cd_tunnel.md) that enables users to access Kubernetes clusters from GitLab CI/CD jobs even if there is no network connectivity between GitLab Runner and a cluster.
The Agent is installed into the cluster through code, providing you with a fast, safe, stable, and scalable solution.
Many more features are planned. Please review [our roadmap](https://gitlab.com/groups/gitlab-org/-/epics/3329)
and [our development documentation](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/tree/master/doc).
With GitOps, you can manage containerized clusters and applications from a Git repository that:
## GitLab Agent GitOps workflow
- Is the single source of truth of your system.
- Is the single place where you operate your system.
- Is a single resource to monitor your system.
The GitLab Agent, herein _Agent_, uses multiple GitLab projects to provide a flexible workflow
By combining GitLab, Kubernetes, and GitOps, it results in a robust infrastructure:
- GitLab as the GitOps operator.
- Kubernetes as the automation and convergence system.
- GitLab CI/CD as the Continuous Integration and Continuous Deployment engine.
Beyond that, you can use all the features offered by GitLab as
the all-in-one DevOps platform for your product and your team.
## Agent's features
By using the GitLab Kubernetes Agent, you can:
- Connect GitLab with a Kubernetes cluster behind a firewall or a
Network Address Translation (NAT).
- Have real-time access to API endpoints in your cluster from GitLab CI/CD.
- Use GitOps to configure your cluster through the [Agent's repository](repository.md).
- Perform pull-based or push-based GitOps deployments.
- Configure [Network Security Alerts](#kubernetes-network-security-alerts)
based on [Container Network Policies](../../application_security/policies/index.md#container-network-policy).
- Track objects applied to your cluster through [inventory objects](../../infrastructure/clusters/deploy/inventory_object.md).
- Use the [CI/CD Tunnel](ci_cd_tunnel.md) to access Kubernetes clusters
from GitLab CI/CD jobs while keeping the cluster's APIs safe and unexposed
to the internet.
- [Deploy the GitLab Runner in a Kubernetes cluster](https://docs.gitlab.com/runner/install/kubernetes-agent.html).
See the [GitLab Kubernetes Agent roadmap](https://gitlab.com/groups/gitlab-org/-/epics/3329) to track its development.
To contribute to the Agent, see the [Agent's development documentation](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/tree/master/doc).
## Agent's workflow
The Agent uses multiple GitLab projects to provide a flexible workflow
that can suit various needs. This diagram shows these repositories and the main
actors involved in a deployment:
@ -50,363 +76,33 @@ sequenceDiagram
end
```
There are several components that work in concert for the Agent to accomplish GitOps deployments:
For more details, refer to our [architecture documentation](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/blob/master/doc/architecture.md#high-level-architecture) in the Agent project.
## Install the Agent in your cluster
See how to [install the GitLab Kubernetes Agent in your cluster](install/index.md).
## GitOps deployments
To perform GitOps deployments with the Agent, you need:
- A properly-configured Kubernetes cluster where the Agent is running.
- A configuration repository that contains a `config.yaml` file, which tells the
Agent the repositories to synchronize with the cluster.
- A [configuration repository](repository.md) that contains a
`config.yaml` file, which tells the Agent the repositories to synchronize
with the cluster.
- A manifest repository that contains manifest files. Any changes to manifest files are applied to the cluster.
You can use the same GitLab project or projects for configuration and manifest files, as follows:
You can use a single GitLab project or different projects for the Agent
configuration and manifest files, as follows:
- Single GitLab project (recommended): when you use a single repository to hold both the manifest and the configuration files, these projects can be either private or public, as you prefer.
- Two GitLab projects: when you opt to use two different GitLab projects, one for manifest files, and another for configuration files, the manifests project must be public, while the configuration project can be either private or public. Our backlog contains issues for adding support for
[private manifest repositories outside of the configuration project](https://gitlab.com/gitlab-org/gitlab/-/issues/220912) and
[group level agents](https://gitlab.com/gitlab-org/gitlab/-/issues/283885) in the future.
- Single GitLab project (recommended): When you use a single repository to hold
both the manifest and the configuration files, these projects can be either
private or public.
- Two GitLab projects: When you use two different GitLab projects (one for
manifest files and another for configuration files), the manifests project must
be public, while the configuration project can be either private or public.
For more details, please refer to our [full architecture documentation](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/blob/master/doc/architecture.md#high-level-architecture) in the Agent project.
## Get started with GitOps and the GitLab Agent
The setup process involves a few steps to enable GitOps deployments:
1. [Set up the Kubernetes Agent Server](#set-up-the-kubernetes-agent-server) for your GitLab instance.
1. [Define a configuration repository](#define-a-configuration-repository).
1. [Create an Agent record in GitLab](#create-an-agent-record-in-gitlab).
1. [Install the Agent into the cluster](#install-the-agent-into-the-cluster).
1. [Generate and copy a Secret token used to connect to the Agent](#create-the-kubernetes-secret).
1. [Create manifest files](#create-manifest-files).
<i class="fa fa-youtube-play youtube" aria-hidden="true"></i> Watch a GitLab 14.2 [walking-through video](https://www.youtube.com/watch?v=XuBpKtsgGkE) with this process.
### Upgrades and version compatibility
As the GitLab Kubernetes Agent is a new product, we are constantly adding new features
to it. As a result, while shipped features are production ready, its internal API is
neither stable nor versioned yet. For this reason, GitLab only guarantees compatibility
between corresponding major.minor (X.Y) versions of GitLab and its cluster side
component, `agentk`.
Upgrade your agent installations together with GitLab upgrades. To decide which version of `agentk` to install follow:
1. Open the [`GITLAB_KAS_VERSION`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/GITLAB_KAS_VERSION) file from the GitLab Repository, which contains the latest `agentk` version associated with the `master` branch.
1. Change the `master` branch and select the Git tag associated with your version. For instance, you could change it to GitLab [v13.5.3-ee release](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.5.3-ee/GITLAB_KAS_VERSION)
The available `agentk` and `kas` versions can be found in
[the container registry](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/container_registry/).
### Set up the Kubernetes Agent Server
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3834) in [GitLab Premium](https://about.gitlab.com/pricing/) 13.10, the GitLab Kubernetes Agent Server (KAS) became available on GitLab.com under `wss://kas.gitlab.com`.
To use the KAS:
- If you are a self-managed user, follow the instructions to [install the Kubernetes Agent Server](../../../administration/clusters/kas.md).
- If you are a GitLab.com user, when you [set up the configuration repository](#define-a-configuration-repository) for your agent, use `wss://kas.gitlab.com` as the `--kas-address`.
### Define a configuration repository
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/259669) in GitLab 13.7, the Agent manifest configuration can be added to multiple directories (or subdirectories) of its repository.
> - Group authorization was [introduced](https://gitlab.com/groups/gitlab-org/-/epics/5784) in GitLab 14.3.
To configure an Agent, you need:
1. A GitLab repository to hold the configuration file.
1. Install the Agent in a cluster.
After installed, when you update the configuration file, GitLab transmits the
information to the cluster automatically without downtime.
In your repository, add the Agent configuration file under:
```plaintext
.gitlab/agents/<agent-name>/config.yaml
```
Your `config.yaml` file specifies all configurations of the Agent, such as:
- The manifest projects to synchronize.
- The groups that can access this Agent via the [CI/CD Tunnel](ci_cd_tunnel.md).
- The address of the `hubble-relay` for the Network Security policy integrations.
As an example, a minimal Agent configuration that sets up only the manifest
synchronizations is:
```yaml
gitops:
manifest_projects:
- id: "path-to/your-manifest-project-1"
paths:
- glob: '/**/*.{yaml,yml,json}'
```
All the options for the [Kubernetes Agent configuration repository](repository.md) are documented separately.
### Create an Agent record in GitLab
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5786) in GitLab 14.1, you can create a new Agent record directly from the GitLab UI.
Next, create a GitLab Rails Agent record to associate it with
the configuration repository project. Creating this record also creates a Secret needed to configure
the Agent in subsequent steps.
In GitLab:
1. From your project's sidebar, select **Infrastructure > Kubernetes clusters**.
1. Select the **GitLab Agent managed clusters** tab.
1. Select **Integrate with the GitLab Agent**.
1. From the **Select an Agent** dropdown menu, select the Agent you want to connect and select **Next** to access the installation form.
1. The form reveals your registration token. Securely store this secret token as you cannot view it again.
1. Copy the command under **Recommended installation method**.
In your computer:
1. Open your local terminal and connect to your cluster.
1. Run the command you copied from the installation form.
### Install the Agent into the cluster
To install the in-cluster component of the Agent, first you need to define a namespace. To create a new namespace,
for example, `gitlab-kubernetes-agent`, run:
```shell
kubectl create namespace gitlab-kubernetes-agent
```
To perform a one-liner installation, run the command below. Make sure to replace:
- `your-agent-token` with the token received from the previous step (identified as `secret` in the JSON output).
- `gitlab-kubernetes-agent` with the namespace you defined in the previous step.
- `wss://kas.gitlab.example.com` with the configured access of the Kubernetes Agent Server (KAS). For GitLab.com users, the KAS is available under `wss://kas.gitlab.com`.
- `--agent-version=vX.Y.Z` with the latest released patch version matching your GitLab installation's major and minor versions. For example, for GitLab v13.9.0, use `--agent-version=v13.9.1`. You can find your GitLab version under the "Help/Help" menu.
```shell
docker run --pull=always --rm registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/cli:stable generate --agent-token=your-agent-token --kas-address=wss://kas.gitlab.example.com --agent-version=vX.Y.Z --namespace gitlab-kubernetes-agent | kubectl apply -f -
```
WARNING:
`--agent-version stable` can be used to refer to the latest stable release at the time when the command runs. It's fine for
testing purposes but for production please make sure to specify a matching version explicitly.
To find out the various options the above Docker container supports, run:
```shell
docker run --pull=always --rm registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/cli:stable generate --help
```
#### Advanced installation
For more advanced configurations, we recommend to use [the `kpt` based installation method](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/tree/master/build/deployment/gitlab-agent).
Otherwise, follow the manual installation steps described below.
### Create the Kubernetes secret
After generating the token, you must apply it to the Kubernetes cluster.
To create your Secret, run:
```shell
kubectl create secret generic -n gitlab-kubernetes-agent gitlab-kubernetes-agent-token --from-literal=token='YOUR_AGENT_TOKEN'
```
The following example file contains the
Kubernetes resources required for the Agent to be installed. You can modify this
example [`resources.yml` file](#example-resourcesyml-file) in the following ways:
- Replace `namespace: gitlab-kubernetes-agent` with `namespace: <YOUR-DESIRED-NAMESPACE>`.
- You can configure `kas-address` (Kubernetes Agent Server) in several ways.
The agent can use the WebSockets or gRPC protocols to connect to the Agent Server.
Select the option appropriate for your cluster configuration and GitLab architecture:
- The `wss` scheme (an encrypted WebSockets connection) is specified by default
after you install the `gitlab-kas` sub-chart, or enable `gitlab-kas` for Omnibus GitLab.
When using the sub-chart, you must set `wss://kas.host.tld:443` as
`kas-address`, where `host.tld` is the domain you've setup for your GitLab installation.
When using Omnibus GitLab, you must set `wss://GitLab.host.tld:443/-/kubernetes-agent/` as
`kas-address`, where `GitLab.host.tld` is your GitLab hostname.
- When using the sub-chart, specify the `ws` scheme (such as `ws://kas.host.tld:80`)
to use an unencrypted WebSockets connection.
When using the Omnibus GitLab, specify the `ws` scheme (such as `ws://GitLab.host.tld:80/-/kubernetes-agent/`).
- Specify the `grpc` scheme if both Agent and Server are installed in one cluster.
In this case, you may specify `kas-address` value as
`grpc://gitlab-kas.<your-namespace>:8150`) to use gRPC directly, where `gitlab-kas`
is the name of the service created by `gitlab-kas` chart, and `<your-namespace>`
is the namespace where the chart was installed.
- Specify the `grpcs` scheme to use an encrypted gRPC connection.
- When deploying KAS through the [GitLab chart](https://docs.gitlab.com/charts/), it's possible to customize the
`kas-address` for `wss` and `ws` schemes to whatever you need.
Check the [chart's KAS Ingress documentation](https://docs.gitlab.com/charts/charts/gitlab/kas/#ingress)
to learn more about it.
- In the near future, Omnibus GitLab intends to provision `gitlab-kas` under a sub-domain by default, instead of the `/-/kubernetes-agent/` path. Please follow [this issue](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/5784) for details.
- If you defined your own secret name, replace `gitlab-kubernetes-agent-token` with your
secret name in the `secretName:` section.
To apply this file, run the following command:
```shell
kubectl apply -n gitlab-kubernetes-agent -f ./resources.yml
```
To review your configuration, run the following command:
```shell
$ kubectl get pods -n gitlab-kubernetes-agent
NAMESPACE NAME READY STATUS RESTARTS AGE
gitlab-kubernetes-agent gitlab-kubernetes-agent-77689f7dcb-5skqk 1/1 Running 0 51s
```
#### Example `resources.yml` file
```yaml
---
apiVersion: v1
kind: Namespace
metadata:
name: gitlab-kubernetes-agent
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: gitlab-kubernetes-agent
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitlab-kubernetes-agent
spec:
replicas: 1
selector:
matchLabels:
app: gitlab-kubernetes-agent
template:
metadata:
labels:
app: gitlab-kubernetes-agent
spec:
serviceAccountName: gitlab-kubernetes-agent
containers:
- name: agent
# Make sure to specify a matching version for production
image: "registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/agentk:vX.Y.Z
args:
- --token-file=/config/token
- --kas-address
- wss://kas.host.tld:443 # replace this line with the line below if using Omnibus GitLab or GitLab.com.
# - wss://gitlab.host.tld:443/-/kubernetes-agent/
# - wss://kas.gitlab.com # for GitLab.com users, use this KAS.
# - grpc://host.docker.internal:8150 # use this attribute when connecting from Docker.
volumeMounts:
- name: token-volume
mountPath: /config
volumes:
- name: token-volume
secret:
secretName: gitlab-kubernetes-agent-token
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 0
maxUnavailable: 1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gitlab-kubernetes-agent-write
rules:
- resources:
- '*'
apiGroups:
- '*'
verbs:
- create
- update
- delete
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gitlab-kubernetes-agent-write-binding
roleRef:
name: gitlab-kubernetes-agent-write
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- name: gitlab-kubernetes-agent
kind: ServiceAccount
namespace: gitlab-kubernetes-agent
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gitlab-kubernetes-agent-read
rules:
- resources:
- '*'
apiGroups:
- '*'
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gitlab-kubernetes-agent-read-binding
roleRef:
name: gitlab-kubernetes-agent-read
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- name: gitlab-kubernetes-agent
kind: ServiceAccount
namespace: gitlab-kubernetes-agent
```
### Create manifest files
In a previous step, you configured a `config.yaml` to point to the GitLab projects
the Agent should synchronize. Agent monitors each of those projects for changes to the manifest files it contains. You can auto-generate manifest files with a
templating engine or other means.
The agent is authorized to download manifests for the configuration
project, and public projects. Support for other private projects is
planned in the issue [Agent authorization for private manifest
projects](https://gitlab.com/gitlab-org/gitlab/-/issues/220912).
Each time you push a change to a monitored manifest repository, the Agent logs the change:
```plaintext
2020-09-15_14:09:04.87946 gitlab-k8s-agent : time="2020-09-15T10:09:04-04:00" level=info msg="Config: new commit" agent_id=1 commit_id=e6a3651f1faa2e928fe6120e254c122451be4eea
```
#### Example manifest file
This file creates a minimal `ConfigMap`:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: demo-map
namespace: gitlab-kubernetes-agent # Can be any namespace managed by you that the agent has access to.
data:
key: value
```
## Example projects
The following example projects can help you get started with the Kubernetes Agent.
- [Configuration repository](https://gitlab.com/gitlab-org/configure/examples/kubernetes-agent)
- This basic GitOps example deploys NGINX: [Manifest repository](https://gitlab.com/gitlab-org/configure/examples/gitops-project)
### GitLab Runner Deployment with the Agent
You can use the Kubernetes Agent to
[deploy GitLab Runner in a Kubernetes cluster](https://docs.gitlab.com/runner/install/kubernetes-agent.html).
Support for private manifest repositories is tracked in this [issue](https://gitlab.com/gitlab-org/gitlab/-/issues/220912).
## Kubernetes Network Security Alerts
@ -426,24 +122,12 @@ There are several components that work in concert for the Agent to generate the
- Add the required labels and annotations to existing network policies.
- A configuration repository with [Cilium configured in `config.yaml`](repository.md#surface-network-security-alerts-from-cluster-to-gitlab)
The setup process follows the same steps as [GitOps](#get-started-with-gitops-and-the-gitlab-agent),
The setup process follows the same [Agent's installation steps](install/index.md),
with the following differences:
- When you define a configuration repository, you must do so with [Cilium settings](repository.md#surface-network-security-alerts-from-cluster-to-gitlab).
- You do not need to specify the `gitops` configuration section.
## Management interfaces
Users with at least the [Developer](../../permissions.md) can access the user interface
for the GitLab Kubernetes agent at **Infrastructure > Kubernetes clusters**, under the
**GitLab Agent managed clusters** tab. This page lists all registered agents for
the current project, and the configuration directory for each agent:
![GitLab Kubernetes Agent list UI](../img/kubernetes-agent-ui-list_v13_8.png)
Additional management interfaces are planned for the GitLab Kubernetes Agent.
[Provide more feedback in the related epic](https://gitlab.com/groups/gitlab-org/-/epics/4739).
## Remove the GitLab Kubernetes Agent
1. Remove an Agent record with GraphQL by deleting the `clusterAgent` and the `clusterAgentToken`.

363
doc/user/clusters/agent/install/index.md Normal file
View File

@ -0,0 +1,363 @@
---
stage: Configure
group: Configure
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# Install the GitLab Kubernetes Agent **(PREMIUM)**
To get started with the GitLab Kubernetes Agent, install it in your cluster.
Pre-requisites:
- An existing Kubernetes cluster.
- An account on GitLab.
## Installation steps
To install the [GitLab Kubernetes Agent](../index.md) in your cluster:
1. [Set up the Kubernetes Agent Server](#set-up-the-kubernetes-agent-server) for your GitLab instance.
1. [Define a configuration repository](#define-a-configuration-repository).
1. [Create an Agent record in GitLab](#create-an-agent-record-in-gitlab).
1. [Install the Agent into the cluster](#install-the-agent-into-the-cluster).
1. [Generate and copy a Secret token used to connect to the Agent](#create-the-kubernetes-secret).
1. [Create manifest files](#create-manifest-files).
<i class="fa fa-youtube-play youtube" aria-hidden="true"></i> Watch a GitLab 14.2 [walking-through video](https://www.youtube.com/watch?v=XuBpKtsgGkE) with this process.
### Set up the Kubernetes Agent Server
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3834) in [GitLab Premium](https://about.gitlab.com/pricing/) 13.10, the GitLab Kubernetes Agent Server (KAS) became available on GitLab.com under `wss://kas.gitlab.com`.
To use the KAS:
- If you are a self-managed user, follow the instructions to [install the Kubernetes Agent Server](../../../../administration/clusters/kas.md).
- If you are a GitLab.com user, when you [set up the configuration repository](#define-a-configuration-repository) for your agent, use `wss://kas.gitlab.com` as the `--kas-address`.
### Define a configuration repository
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/259669) in GitLab 13.7, the Agent manifest configuration can be added to multiple directories (or subdirectories) of its repository.
> - Group authorization was [introduced](https://gitlab.com/groups/gitlab-org/-/epics/5784) in GitLab 14.3.
To configure an Agent, you need:
1. A GitLab repository to hold the configuration file.
1. Install the Agent in a cluster.
After installed, when you update the configuration file, GitLab transmits the
information to the cluster automatically without downtime.
In your repository, add the Agent configuration file under:
```plaintext
.gitlab/agents/<agent-name>/config.yaml
```
Your `config.yaml` file specifies all configurations of the Agent, such as:
- The manifest projects to synchronize.
- The groups that can access this Agent via the [CI/CD Tunnel](../ci_cd_tunnel.md).
- The address of the `hubble-relay` for the Network Security policy integrations.
As an example, a minimal Agent configuration that sets up only the manifest
synchronizations is:
```yaml
gitops:
manifest_projects:
- id: "path-to/your-manifest-project-1"
paths:
- glob: '/**/*.{yaml,yml,json}'
```
All the options for the [Kubernetes Agent configuration repository](../repository.md) are documented separately.
### Create an Agent record in GitLab
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5786) in GitLab 14.1, you can create a new Agent record directly from the GitLab UI.
Next, create a GitLab Rails Agent record to associate it with
the configuration repository project. Creating this record also creates a Secret needed to configure
the Agent in subsequent steps.
In GitLab:
1. From your project's sidebar, select **Infrastructure > Kubernetes clusters**.
1. Select the **GitLab Agent managed clusters** tab.
1. Select **Integrate with the GitLab Agent**.
1. From the **Select an Agent** dropdown menu, select the Agent you want to connect and select **Next** to access the installation form.
1. The form reveals your registration token. Securely store this secret token as you cannot view it again.
1. Copy the command under **Recommended installation method**.
In your computer:
1. Open your local terminal and connect to your cluster.
1. Run the command you copied from the installation form.
### Install the Agent into the cluster
To install the in-cluster component of the Agent, first you need to define a namespace. To create a new namespace,
for example, `gitlab-kubernetes-agent`, run:
```shell
kubectl create namespace gitlab-kubernetes-agent
```
To perform a one-liner installation, run the command below. Make sure to replace:
- `your-agent-token` with the token received from the previous step (identified as `secret` in the JSON output).
- `gitlab-kubernetes-agent` with the namespace you defined in the previous step.
- `wss://kas.gitlab.example.com` with the configured access of the Kubernetes Agent Server (KAS). For GitLab.com users, the KAS is available under `wss://kas.gitlab.com`.
- `--agent-version=vX.Y.Z` with the latest released patch version matching your GitLab installation's major and minor versions. For example, for GitLab v13.9.0, use `--agent-version=v13.9.1`. You can find your GitLab version under the "Help/Help" menu.
```shell
docker run --pull=always --rm registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/cli:stable generate --agent-token=your-agent-token --kas-address=wss://kas.gitlab.example.com --agent-version=vX.Y.Z --namespace gitlab-kubernetes-agent | kubectl apply -f -
```
WARNING:
`--agent-version stable` can be used to refer to the latest stable release at the time when the command runs. It's fine for
testing purposes but for production please make sure to specify a matching version explicitly.
To find out the various options the above Docker container supports, run:
```shell
docker run --pull=always --rm registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/cli:stable generate --help
```
## Advanced installation
For more advanced configurations, we recommend to use [the `kpt` based installation method](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/tree/master/build/deployment/gitlab-agent).
Otherwise, follow the manual installation steps described below.
### Create the Kubernetes secret
After generating the token, you must apply it to the Kubernetes cluster.
To create your Secret, run:
```shell
kubectl create secret generic -n gitlab-kubernetes-agent gitlab-kubernetes-agent-token --from-literal=token='YOUR_AGENT_TOKEN'
```
The following example file contains the
Kubernetes resources required for the Agent to be installed. You can modify this
example [`resources.yml` file](#example-resourcesyml-file) in the following ways:
- Replace `namespace: gitlab-kubernetes-agent` with `namespace: <YOUR-DESIRED-NAMESPACE>`.
- You can configure `kas-address` (Kubernetes Agent Server) in several ways.
The agent can use the WebSockets or gRPC protocols to connect to the Agent Server.
Select the option appropriate for your cluster configuration and GitLab architecture:
- The `wss` scheme (an encrypted WebSockets connection) is specified by default
after you install the `gitlab-kas` sub-chart, or enable `gitlab-kas` for Omnibus GitLab.
When using the sub-chart, you must set `wss://kas.host.tld:443` as
`kas-address`, where `host.tld` is the domain you've setup for your GitLab installation.
When using Omnibus GitLab, you must set `wss://GitLab.host.tld:443/-/kubernetes-agent/` as
`kas-address`, where `GitLab.host.tld` is your GitLab hostname.
- When using the sub-chart, specify the `ws` scheme (such as `ws://kas.host.tld:80`)
to use an unencrypted WebSockets connection.
When using the Omnibus GitLab, specify the `ws` scheme (such as `ws://GitLab.host.tld:80/-/kubernetes-agent/`).
- Specify the `grpc` scheme if both Agent and Server are installed in one cluster.
In this case, you may specify `kas-address` value as
`grpc://gitlab-kas.<your-namespace>:8150`) to use gRPC directly, where `gitlab-kas`
is the name of the service created by `gitlab-kas` chart, and `<your-namespace>`
is the namespace where the chart was installed.
- Specify the `grpcs` scheme to use an encrypted gRPC connection.
- When deploying KAS through the [GitLab chart](https://docs.gitlab.com/charts/), it's possible to customize the
`kas-address` for `wss` and `ws` schemes to whatever you need.
Check the [chart's KAS Ingress documentation](https://docs.gitlab.com/charts/charts/gitlab/kas/#ingress)
to learn more about it.
- In the near future, Omnibus GitLab intends to provision `gitlab-kas` under a sub-domain by default, instead of the `/-/kubernetes-agent/` path. Please follow [this issue](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/5784) for details.
- If you defined your own secret name, replace `gitlab-kubernetes-agent-token` with your
secret name in the `secretName:` section.
To apply this file, run the following command:
```shell
kubectl apply -n gitlab-kubernetes-agent -f ./resources.yml
```
To review your configuration, run the following command:
```shell
$ kubectl get pods -n gitlab-kubernetes-agent
NAMESPACE NAME READY STATUS RESTARTS AGE
gitlab-kubernetes-agent gitlab-kubernetes-agent-77689f7dcb-5skqk 1/1 Running 0 51s
```
#### Example `resources.yml` file
```yaml
---
apiVersion: v1
kind: Namespace
metadata:
name: gitlab-kubernetes-agent
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: gitlab-kubernetes-agent
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitlab-kubernetes-agent
spec:
replicas: 1
selector:
matchLabels:
app: gitlab-kubernetes-agent
template:
metadata:
labels:
app: gitlab-kubernetes-agent
spec:
serviceAccountName: gitlab-kubernetes-agent
containers:
- name: agent
# Make sure to specify a matching version for production
image: "registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/agentk:vX.Y.Z
args:
- --token-file=/config/token
- --kas-address
- wss://kas.host.tld:443 # replace this line with the line below if using Omnibus GitLab or GitLab.com.
# - wss://gitlab.host.tld:443/-/kubernetes-agent/
# - wss://kas.gitlab.com # for GitLab.com users, use this KAS.
# - grpc://host.docker.internal:8150 # use this attribute when connecting from Docker.
volumeMounts:
- name: token-volume
mountPath: /config
volumes:
- name: token-volume
secret:
secretName: gitlab-kubernetes-agent-token
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 0
maxUnavailable: 1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gitlab-kubernetes-agent-write
rules:
- resources:
- '*'
apiGroups:
- '*'
verbs:
- create
- update
- delete
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gitlab-kubernetes-agent-write-binding
roleRef:
name: gitlab-kubernetes-agent-write
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- name: gitlab-kubernetes-agent
kind: ServiceAccount
namespace: gitlab-kubernetes-agent
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gitlab-kubernetes-agent-read
rules:
- resources:
- '*'
apiGroups:
- '*'
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gitlab-kubernetes-agent-read-binding
roleRef:
name: gitlab-kubernetes-agent-read
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- name: gitlab-kubernetes-agent
kind: ServiceAccount
namespace: gitlab-kubernetes-agent
```
### Create manifest files
In a previous step, you configured a `config.yaml` to point to the GitLab projects
the Agent should synchronize. Agent monitors each of those projects for changes to the manifest files it contains. You can auto-generate manifest files with a
templating engine or other means.
The agent is authorized to download manifests for the configuration
project, and public projects. Support for other private projects is
planned in the issue [Agent authorization for private manifest
projects](https://gitlab.com/gitlab-org/gitlab/-/issues/220912).
Each time you push a change to a monitored manifest repository, the Agent logs the change:
```plaintext
2020-09-15_14:09:04.87946 gitlab-k8s-agent : time="2020-09-15T10:09:04-04:00" level=info msg="Config: new commit" agent_id=1 commit_id=e6a3651f1faa2e928fe6120e254c122451be4eea
```
#### Example manifest file
This file creates a minimal `ConfigMap`:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: demo-map
namespace: gitlab-kubernetes-agent # Can be any namespace managed by you that the agent has access to.
data:
key: value
```
## Example projects
The following example projects can help you get started with the Kubernetes Agent.
- [Configuration repository](https://gitlab.com/gitlab-org/configure/examples/kubernetes-agent)
- This basic GitOps example deploys NGINX: [Manifest repository](https://gitlab.com/gitlab-org/configure/examples/gitops-project)
## View installed Agents
Users with at least the [Developer](../../../permissions.md) can access the user interface
for the GitLab Kubernetes Agent at **Infrastructure > Kubernetes clusters**, under the
**GitLab Agent managed clusters** tab. This page lists all registered agents for
the current project, and the configuration directory for each agent:
![GitLab Kubernetes Agent list UI](../../img/kubernetes-agent-ui-list_v13_8.png)
Additional management interfaces are planned for the GitLab Kubernetes Agent.
[Provide more feedback in the related epic](https://gitlab.com/groups/gitlab-org/-/epics/4739).
## Upgrades and version compatibility
As the GitLab Kubernetes Agent is a new product, we are constantly adding new features
to it. As a result, while shipped features are production ready, its internal API is
neither stable nor versioned yet. For this reason, GitLab only guarantees compatibility
between corresponding major.minor (X.Y) versions of GitLab and its cluster side
component, `agentk`.
Upgrade your agent installations together with GitLab upgrades. To decide which version of `agentk` to install follow:
1. Open the [`GITLAB_KAS_VERSION`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/GITLAB_KAS_VERSION) file from the GitLab Repository, which contains the latest `agentk` version associated with the `master` branch.
1. Change the `master` branch and select the Git tag associated with your version. For instance, you could change it to GitLab [v13.5.3-ee release](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.5.3-ee/GITLAB_KAS_VERSION)
The available `agentk` and `kas` versions can be found in
[the container registry](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/container_registry/).

11
lib/api/helpers/projects_helpers.rb
View File

@ -177,6 +177,17 @@ module API
def filter_attributes_using_license!(attrs)
end
def validate_git_import_url!(import_url, import_enabled: true)
return if import_url.blank?
return unless import_enabled
result = Import::ValidateRemoteGitEndpointService.new(url: import_url).execute # network call
if result.error?
render_api_error!(result.message, 422)
end
end
end
end
end

8
lib/api/projects.rb
View File

@ -91,7 +91,7 @@ module API
end
def check_import_by_url_is_enabled
forbidden! unless Gitlab::CurrentSettings.import_sources&.include?('git')
Gitlab::CurrentSettings.import_sources&.include?('git') || forbidden!
end
end
@ -269,7 +269,9 @@ module API
attrs = declared_params(include_missing: false)
attrs = translate_params_for_compatibility(attrs)
filter_attributes_using_license!(attrs)
check_import_by_url_is_enabled if params[:import_url].present?
validate_git_import_url!(params[:import_url], import_enabled: check_import_by_url_is_enabled)
project = ::Projects::CreateService.new(current_user, attrs).execute
if project.saved?
@ -307,6 +309,8 @@ module API
attrs = declared_params(include_missing: false)
attrs = translate_params_for_compatibility(attrs)
filter_attributes_using_license!(attrs)
validate_git_import_url!(params[:import_url])
project = ::Projects::CreateService.new(user, attrs).execute
if project.saved?

28
lib/bulk_imports/common/extractors/ndjson_extractor.rb
View File

@ -7,10 +7,6 @@ module BulkImports
include Gitlab::ImportExport::CommandLineUtil
include Gitlab::Utils::StrongMemoize
FILE_SIZE_LIMIT = 5.gigabytes
ALLOWED_CONTENT_TYPES = %w(application/gzip application/octet-stream).freeze
EXPORT_DOWNLOAD_URL_PATH = "/%{resource}/%{full_path}/export_relations/download?relation=%{relation}"
def initialize(relation:)
@relation = relation
@tmp_dir = Dir.mktmpdir
@ -39,32 +35,18 @@ module BulkImports
def download_service(tmp_dir, context)
@download_service ||= BulkImports::FileDownloadService.new(
configuration: context.configuration,
relative_url: relative_resource_url(context),
dir: tmp_dir,
filename: filename,
file_size_limit: FILE_SIZE_LIMIT,
allowed_content_types: ALLOWED_CONTENT_TYPES
)
end
def decompression_service(tmp_dir)
@decompression_service ||= BulkImports::FileDecompressionService.new(
relative_url: context.entity.relation_download_url_path(relation),
dir: tmp_dir,
filename: filename
)
end
def ndjson_reader(tmp_dir)
@ndjson_reader ||= Gitlab::ImportExport::Json::NdjsonReader.new(tmp_dir)
def decompression_service(tmp_dir)
@decompression_service ||= BulkImports::FileDecompressionService.new(dir: tmp_dir, filename: filename)
end
def relative_resource_url(context)
strong_memoize(:relative_resource_url) do
resource = context.entity.pluralized_name
encoded_full_path = context.entity.encoded_source_full_path
EXPORT_DOWNLOAD_URL_PATH % { resource: resource, full_path: encoded_full_path, relation: relation }
end
def ndjson_reader(tmp_dir)
@ndjson_reader ||= Gitlab::ImportExport::Json::NdjsonReader.new(tmp_dir)
end
end
end

52
lib/bulk_imports/common/pipelines/uploads_pipeline.rb Normal file
View File

@ -0,0 +1,52 @@
# frozen_string_literal: true
module BulkImports
module Common
module Pipelines
class UploadsPipeline
include Pipeline
include Gitlab::ImportExport::CommandLineUtil
FILENAME = 'uploads.tar.gz'
def extract(context)
download_service(tmp_dir, context).execute
untar_zxf(archive: File.join(tmp_dir, FILENAME), dir: tmp_dir)
upload_file_paths = Dir.glob(File.join(tmp_dir, '**', '*'))
BulkImports::Pipeline::ExtractedData.new(data: upload_file_paths)
end
def load(context, file_path)
dynamic_path = FileUploader.extract_dynamic_path(file_path)
return unless dynamic_path
return if File.directory?(file_path)
named_captures = dynamic_path.named_captures.symbolize_keys
UploadService.new(context.portable, File.open(file_path, 'r'), FileUploader, **named_captures).execute
end
def after_run(_)
FileUtils.remove_entry(tmp_dir)
end
private
def download_service(tmp_dir, context)
BulkImports::FileDownloadService.new(
configuration: context.configuration,
relative_url: context.entity.relation_download_url_path('uploads'),
dir: tmp_dir,
filename: FILENAME
)
end
def tmp_dir
@tmp_dir ||= Dir.mktmpdir('bulk_imports')
end
end
end
end
end

6
lib/bulk_imports/projects/stage.rb
View File

@ -27,9 +27,13 @@ module BulkImports
pipeline: BulkImports::Common::Pipelines::BoardsPipeline,
stage: 4
},
uploads: {
pipeline: BulkImports::Common::Pipelines::UploadsPipeline,
stage: 5
},
finisher: {
pipeline: BulkImports::Common::Pipelines::EntityFinisher,
stage: 5
stage: 6
}
}
end

20
lib/gitlab/content_security_policy/config_loader.rb
View File

@ -19,7 +19,7 @@ module Gitlab
'font_src' => "'self'",
'form_action' => "'self' https: http:",
'frame_ancestors' => "'self'",
'frame_src' => "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com",
'frame_src' => "#{framed_gitlab_paths.join(' ')} https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com",
'img_src' => "'self' data: blob: http: https:",
'manifest_src' => "'self'",
'media_src' => "'self'",
@ -30,11 +30,6 @@ module Gitlab
'report_uri' => nil
}
# frame-src was deprecated in CSP level 2 in favor of child-src
# CSP level 3 "undeprecated" frame-src and browsers fall back on child-src if it's missing
# However Safari seems to read child-src first so we'll just keep both equal
directives['child_src'] = directives['frame_src']
# connect_src with 'self' includes https/wss variations of the origin,
# however, safari hasn't covered this yet and we need to explicitly add
# support for websocket origins until Safari catches up with the specs
@ -44,6 +39,11 @@ module Gitlab
allow_customersdot(directives) if Rails.env.development? && ENV['CUSTOMER_PORTAL_URL'].present?
allow_sentry(directives) if Gitlab.config.sentry&.enabled && Gitlab.config.sentry&.clientside_dsn
# frame-src was deprecated in CSP level 2 in favor of child-src
# CSP level 3 "undeprecated" frame-src and browsers fall back on child-src if it's missing
# However Safari seems to read child-src first so we'll just keep both equal
directives['child_src'] = directives['frame_src']
directives
end
@ -119,6 +119,14 @@ module Gitlab
append_to_directive(directives, 'connect_src', sentry_uri.to_s)
end
# Using 'self' in the CSP introduces several CSP bypass opportunities
# for this reason we list the URLs where GitLab frames itself instead
def self.framed_gitlab_paths
['/admin/sidekiq', '/-/speedscope/index.html'].map do |path|
Gitlab::Utils.append_path(Gitlab.config.gitlab.url, path)
end
end
end
end
end

12
lib/gitlab/sidekiq_middleware/size_limiter/validator.rb
View File

@ -28,15 +28,21 @@ module Gitlab
#
# The worker classes aren't constants here, because that would force
# Application Settings to be loaded earlier causing failures loading
# the environmant in rake tasks
# the environment in rake tasks
EXEMPT_WORKER_NAMES = ["BackgroundMigrationWorker", "Database::BatchedBackgroundMigrationWorker"].to_set
JOB_STATUS_KEY = 'size_limiter'
class << self
def validate!(worker_class, job)
return if EXEMPT_WORKER_NAMES.include?(worker_class.to_s)
return if validated?(job)
new(worker_class, job).validate!
end
def validated?(job)
job.has_key?(JOB_STATUS_KEY)
end
end
DEFAULT_SIZE_LIMIT = 0
@ -64,6 +70,8 @@ module Gitlab
end
def validate!
@job[JOB_STATUS_KEY] = 'validated'
job_args = compress_if_necessary(::Sidekiq.dump_json(@job['args']))
return if @size_limit == 0
@ -72,8 +80,10 @@ module Gitlab
exception = exceed_limit_error(job_args)
if compress_mode?
@job.delete(JOB_STATUS_KEY)
raise exception
else
@job[JOB_STATUS_KEY] = 'tracked'
track(exception)
end
end

6
locale/gitlab.pot
View File

@ -16215,12 +16215,6 @@ msgstr ""
msgid "GroupRoadmap|No start date %{dateWord}"
msgstr ""
msgid "GroupRoadmap|Roadmaps can display up to 1,000 epics. These appear in your selected sort order."
msgstr ""
msgid "GroupRoadmap|Some of your epics might not be visible"
msgstr ""
msgid "GroupRoadmap|Something went wrong while fetching epics"
msgstr ""

2
qa/qa/page/merge_request/show.rb
View File

@ -354,7 +354,7 @@ module QA
end
def apply_suggestion_with_message(message)
click_element(:apply_suggestion_dropdown)
all_elements(:apply_suggestion_dropdown, minimum: 1).first.click
fill_element(:commit_message_field, message)
click_element(:commit_with_custom_message_button)
end

4
qa/qa/specs/features/browser_ui/3_create/merge_request/suggestions/batch_suggestion_spec.rb
View File

@ -2,7 +2,7 @@
module QA
RSpec.describe 'Create' do
context 'Add batch suggestions to a Merge Request', :transient do
context 'Add batch suggestions to a Merge Request' do
let(:project) do
Resource::Project.fabricate_via_api! do |project|
project.name = 'suggestions_project'
@ -46,7 +46,7 @@ module QA
merge_request.visit!
end
it 'applies multiple suggestions', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/quality/test_cases/1838', quarantine: { issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/342131', type: :stale } do
it 'applies multiple suggestions', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/quality/test_cases/1838' do
Page::MergeRequest::Show.perform do |merge_request|
merge_request.click_diffs_tab
4.times { merge_request.add_suggestion_to_batch }

15
spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb
View File

@ -397,11 +397,24 @@ RSpec.describe Groups::DependencyProxyForContainersController do
group.add_guest(user)
end
it 'sends Workhorse file upload instructions', :aggregate_failures do
it 'sends Workhorse local file instructions', :aggregate_failures do
authorize_upload_blob
expect(response.headers['Content-Type']).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
expect(json_response['TempPath']).to eq(DependencyProxy::FileUploader.workhorse_local_upload_path)
expect(json_response['RemoteObject']).to be_nil
expect(json_response['MaximumSize']).to eq(5.gigabytes)
end
it 'sends Workhorse remote object instructions', :aggregate_failures do
stub_dependency_proxy_object_storage(direct_upload: true)
authorize_upload_blob
expect(response.headers['Content-Type']).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
expect(json_response['TempPath']).to be_nil
expect(json_response['RemoteObject']).not_to be_nil
expect(json_response['MaximumSize']).to eq(5.gigabytes)
end
end
end

80
spec/lib/bulk_imports/common/pipelines/uploads_pipeline_spec.rb Normal file
View File

@ -0,0 +1,80 @@
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe BulkImports::Common::Pipelines::UploadsPipeline do
let_it_be(:tmpdir) { Dir.mktmpdir }
let_it_be(:project) { create(:project) }
let_it_be(:entity) { create(:bulk_import_entity, :project_entity, project: project, source_full_path: 'test') }
let_it_be(:tracker) { create(:bulk_import_tracker, entity: entity) }
let_it_be(:context) { BulkImports::Pipeline::Context.new(tracker) }
let_it_be(:uploads_dir_path) { File.join(tmpdir, '72a497a02fe3ee09edae2ed06d390038') }
let_it_be(:upload_file_path) { File.join(uploads_dir_path, 'upload.txt')}
subject(:pipeline) { described_class.new(context) }
before do
stub_uploads_object_storage(FileUploader)
FileUtils.mkdir_p(uploads_dir_path)
FileUtils.touch(upload_file_path)
end
after do
FileUtils.remove_entry(tmpdir) if Dir.exist?(tmpdir)
end
describe '#run' do
it 'imports uploads into destination portable and removes tmpdir' do
allow(Dir).to receive(:mktmpdir).with('bulk_imports').and_return(tmpdir)
allow(pipeline).to receive(:extract).and_return(BulkImports::Pipeline::ExtractedData.new(data: [upload_file_path]))
pipeline.run
expect(project.uploads.map { |u| u.retrieve_uploader.filename }).to include('upload.txt')
expect(Dir.exist?(tmpdir)).to eq(false)
end
end
describe '#extract' do
it 'downloads & extracts upload paths' do
allow(Dir).to receive(:mktmpdir).and_return(tmpdir)
expect(pipeline).to receive(:untar_zxf)
file_download_service = instance_double("BulkImports::FileDownloadService")
expect(BulkImports::FileDownloadService)
.to receive(:new)
.with(
configuration: context.configuration,
relative_url: "/projects/test/export_relations/download?relation=uploads",
dir: tmpdir,
filename: 'uploads.tar.gz')
.and_return(file_download_service)
expect(file_download_service).to receive(:execute)
extracted_data = pipeline.extract(context)
expect(extracted_data.data).to contain_exactly(uploads_dir_path, upload_file_path)
end
end
describe '#load' do
it 'creates a file upload' do
expect { pipeline.load(context, upload_file_path) }.to change { project.uploads.count }.by(1)
end
context 'when dynamic path is nil' do
it 'returns' do
expect { pipeline.load(context, File.join(tmpdir, 'test')) }.not_to change { project.uploads.count }
end
end
context 'when path is a directory' do
it 'returns' do
expect { pipeline.load(context, uploads_dir_path) }.not_to change { project.uploads.count }
end
end
end
end

3
spec/lib/bulk_imports/projects/stage_spec.rb
View File

@ -10,7 +10,8 @@ RSpec.describe BulkImports::Projects::Stage do
[2, BulkImports::Common::Pipelines::LabelsPipeline],
[3, BulkImports::Projects::Pipelines::IssuesPipeline],
[4, BulkImports::Common::Pipelines::BoardsPipeline],
[5, BulkImports::Common::Pipelines::EntityFinisher]
[5, BulkImports::Common::Pipelines::UploadsPipeline],
[6, BulkImports::Common::Pipelines::EntityFinisher]
]
end

28
spec/lib/gitlab/content_security_policy/config_loader_spec.rb
View File

@ -109,7 +109,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
end
it 'does not add CUSTOMER_PORTAL_URL to CSP' do
expect(directives['frame_src']).to eq("'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com")
expect(directives['frame_src']).to eq("http://localhost/admin/sidekiq http://localhost/-/speedscope/index.html https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com")
end
end
@ -119,12 +119,36 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
end
it 'adds CUSTOMER_PORTAL_URL to CSP' do
expect(directives['frame_src']).to eq("'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://customers.example.com")
expect(directives['frame_src']).to eq("http://localhost/admin/sidekiq http://localhost/-/speedscope/index.html https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://customers.example.com")
end
end
end
end
describe '#framed_gitlab_paths' do
context 'generates URLs to be added to child-src' do
it 'with insecure domain' do
stub_config_setting(url: 'http://example.com')
expect(described_class.framed_gitlab_paths).to eq(%w[http://example.com/admin/sidekiq http://example.com/-/speedscope/index.html])
end
it 'with secure domain' do
stub_config_setting(url: 'https://example.com')
expect(described_class.framed_gitlab_paths).to eq(%w[https://example.com/admin/sidekiq https://example.com/-/speedscope/index.html])
end
it 'with custom port' do
stub_config_setting(url: 'http://example.com:1234')
expect(described_class.framed_gitlab_paths).to eq(%w[http://example.com:1234/admin/sidekiq http://example.com:1234/-/speedscope/index.html])
end
it 'with custom port and secure domain' do
stub_config_setting(url: 'https://example.com:1234')
expect(described_class.framed_gitlab_paths).to eq(%w[https://example.com:1234/admin/sidekiq https://example.com:1234/-/speedscope/index.html])
end
end
end
describe '#load' do
subject { described_class.new(csp_config[:directives]) }

86
spec/lib/gitlab/sidekiq_middleware/size_limiter/validator_spec.rb
View File

@ -187,37 +187,51 @@ RSpec.describe Gitlab::SidekiqMiddleware::SizeLimiter::Validator, :aggregate_fai
context 'when size limit is 0' do
let(:size_limit) { 0 }
let(:job) { job_payload(a: 'a' * 300) }
it 'does not track jobs' do
expect(Gitlab::ErrorTracking).not_to receive(:track_exception)
validate.call(TestSizeLimiterWorker, job_payload(a: 'a' * 300))
validate.call(TestSizeLimiterWorker, job)
end
it 'does not raise exception' do
expect do
validate.call(TestSizeLimiterWorker, job_payload(a: 'a' * 300))
validate.call(TestSizeLimiterWorker, job)
end.not_to raise_error
end
it 'marks the job as validated' do
validate.call(TestSizeLimiterWorker, job)
expect(job['size_limiter']).to eq('validated')
end
end
context 'when job size is bigger than size limit' do
let(:size_limit) { 50 }
let(:job) { job_payload(a: 'a' * 300) }
it 'tracks job' do
expect(Gitlab::ErrorTracking).to receive(:track_exception).with(
be_a(Gitlab::SidekiqMiddleware::SizeLimiter::ExceedLimitError)
)
validate.call(TestSizeLimiterWorker, job_payload(a: 'a' * 100))
validate.call(TestSizeLimiterWorker, job)
end
it 'does not raise an exception' do
expect do
validate.call(TestSizeLimiterWorker, job_payload(a: 'a' * 300))
validate.call(TestSizeLimiterWorker, job)
end.not_to raise_error
end
it 'marks the job as tracked' do
validate.call(TestSizeLimiterWorker, job)
expect(job['size_limiter']).to eq('tracked')
end
context 'when the worker has big_payload attribute' do
before do
worker_class.big_payload!
@ -238,20 +252,33 @@ RSpec.describe Gitlab::SidekiqMiddleware::SizeLimiter::Validator, :aggregate_fai
validate.call('TestSizeLimiterWorker', job_payload(a: 'a' * 300))
end.not_to raise_error
end
it 'marks the job as validated' do
validate.call(TestSizeLimiterWorker, job)
expect(job['size_limiter']).to eq('validated')
end
end
end
context 'when job size is less than size limit' do
let(:size_limit) { 50 }
let(:job) { job_payload(a: 'a') }
it 'does not track job' do
expect(Gitlab::ErrorTracking).not_to receive(:track_exception)
validate.call(TestSizeLimiterWorker, job_payload(a: 'a'))
validate.call(TestSizeLimiterWorker, job)
end
it 'does not raise an exception' do
expect { validate.call(TestSizeLimiterWorker, job_payload(a: 'a')) }.not_to raise_error
expect { validate.call(TestSizeLimiterWorker, job) }.not_to raise_error
end
it 'marks the job as validated' do
validate.call(TestSizeLimiterWorker, job)
expect(job['size_limiter']).to eq('validated')
end
end
end
@ -266,7 +293,13 @@ RSpec.describe Gitlab::SidekiqMiddleware::SizeLimiter::Validator, :aggregate_fai
it 'does not raise an exception' do
expect(::Gitlab::SidekiqMiddleware::SizeLimiter::Compressor).not_to receive(:compress)
expect { validate.call(TestSizeLimiterWorker, job_payload(a: 'a')) }.not_to raise_error
expect { validate.call(TestSizeLimiterWorker, job) }.not_to raise_error
end
it 'marks the job as validated' do
validate.call(TestSizeLimiterWorker, job)
expect(job['size_limiter']).to eq('validated')
end
end
@ -283,6 +316,12 @@ RSpec.describe Gitlab::SidekiqMiddleware::SizeLimiter::Validator, :aggregate_fai
validate.call(TestSizeLimiterWorker, job)
end.not_to raise_error
end
it 'marks the job as validated' do
validate.call(TestSizeLimiterWorker, job)
expect(job['size_limiter']).to eq('validated')
end
end
context 'when job size is bigger than compression threshold and size limit is 0' do
@ -299,6 +338,12 @@ RSpec.describe Gitlab::SidekiqMiddleware::SizeLimiter::Validator, :aggregate_fai
validate.call(TestSizeLimiterWorker, job)
end.not_to raise_error
end
it 'marks the job as validated' do
validate.call(TestSizeLimiterWorker, job)
expect(job['size_limiter']).to eq('validated')
end
end
context 'when the job was already compressed' do
@ -326,6 +371,8 @@ RSpec.describe Gitlab::SidekiqMiddleware::SizeLimiter::Validator, :aggregate_fai
expect do
validate.call(TestSizeLimiterWorker, job)
end.to raise_error(Gitlab::SidekiqMiddleware::SizeLimiter::ExceedLimitError)
expect(job['size_limiter']).to eq(nil)
end
it 'does not raise an exception when the worker allows big payloads' do
@ -338,6 +385,8 @@ RSpec.describe Gitlab::SidekiqMiddleware::SizeLimiter::Validator, :aggregate_fai
expect do
validate.call(TestSizeLimiterWorker, job)
end.not_to raise_error
expect(job['size_limiter']).to eq('validated')
end
end
end
@ -363,6 +412,29 @@ RSpec.describe Gitlab::SidekiqMiddleware::SizeLimiter::Validator, :aggregate_fai
validate.call(class_name.constantize, job_payload)
end
end
it "skips jobs that are already validated" do
expect(described_class).to receive(:new).once.and_call_original
job = job_payload
described_class.validate!(TestSizeLimiterWorker, job)
described_class.validate!(TestSizeLimiterWorker, job)
end
end
describe '.validated?' do
let(:job) { job_payload }
it 'returns true when the job is already validated' do
described_class.validate!(TestSizeLimiterWorker, job)
expect(described_class.validated?(job)).to eq(true)
end
it 'returns false when job is not yet validated' do
expect(described_class.validated?(job)).to eq(false)
end
end
describe '#validate!' do

9
spec/models/bulk_imports/entity_spec.rb
View File

@ -243,4 +243,13 @@ RSpec.describe BulkImports::Entity, type: :model do
end
end
end
describe '#relation_download_url_path' do
it 'returns export relations url with download query string' do
entity = build(:bulk_import_entity)
expect(entity.relation_download_url_path('test'))
.to eq("/groups/#{entity.encoded_source_full_path}/export_relations/download?relation=test")
end
end
end

29
spec/requests/api/projects_spec.rb
View File

@ -48,6 +48,7 @@ end
RSpec.describe API::Projects do
include ProjectForksHelper
include StubRequests
let_it_be(:user) { create(:user) }
let_it_be(:user2) { create(:user) }
@ -1159,6 +1160,34 @@ RSpec.describe API::Projects do
expect(response).to have_gitlab_http_status(:forbidden)
end
it 'disallows creating a project with an import_url that is not reachable', :aggregate_failures do
url = 'http://example.com'
endpoint_url = "#{url}/info/refs?service=git-upload-pack"
stub_full_request(endpoint_url, method: :get).to_return({ status: 301, body: '', headers: nil })
project_params = { import_url: url, path: 'path-project-Foo', name: 'Foo Project' }
expect { post api('/projects', user), params: project_params }.not_to change { Project.count }
expect(response).to have_gitlab_http_status(:unprocessable_entity)
expect(json_response['message']).to eq("#{url} is not a valid HTTP Git repository")
end
it 'creates a project with an import_url that is valid', :aggregate_failures do
url = 'http://example.com'
endpoint_url = "#{url}/info/refs?service=git-upload-pack"
git_response = {
status: 200,
body: '001e# service=git-upload-pack',
headers: { 'Content-Type': 'application/x-git-upload-pack-advertisement' }
}
stub_full_request(endpoint_url, method: :get).to_return(git_response)
project_params = { import_url: url, path: 'path-project-Foo', name: 'Foo Project' }
expect { post api('/projects', user), params: project_params }.to change { Project.count }.by(1)
expect(response).to have_gitlab_http_status(:created)
end
it 'sets a project as public' do
project = attributes_for(:project, visibility: 'public')

131
spec/requests/projects/issues/discussions_spec.rb Normal file
View File

@ -0,0 +1,131 @@
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe 'issue discussions' do
describe 'GET /:namespace/:project/-/issues/:iid/discussions' do
let_it_be(:user) { create(:user) }
let_it_be(:project) { create(:project) }
let_it_be(:issue) { create(:issue, project: project) }
let_it_be(:note_author) { create(:user) }
let_it_be(:notes) { create_list(:note, 5, project: project, noteable: issue, author: note_author) }
before_all do
project.add_maintainer(user)
end
def get_discussions
get discussions_namespace_project_issue_path(namespace_id: project.namespace, project_id: project, id: issue.iid), headers: {
'If-None-Match' => @etag
}
@etag = response.etag
end
before do
sign_in(user)
get_discussions
end
shared_examples 'cache miss' do
it 'returns 200 and serializes JSON' do
expect(DiscussionSerializer).to receive(:new).and_call_original
get_discussions
expect(response).to have_gitlab_http_status(:ok)
end
end
shared_examples 'cache hit' do
it 'returns 304 without serializing JSON' do
expect(DiscussionSerializer).not_to receive(:new)
get_discussions
expect(response).to have_gitlab_http_status(:not_modified)
end
end
context 'when issue_discussions_http_cache is disabled' do
before do
stub_feature_flags(issue_discussions_http_cache: false)
end
it_behaves_like 'cache miss'
end
context 'when issue_discussions_http_cache is enabled' do
before do
stub_feature_flags(issue_discussions_http_cache: true)
end
it_behaves_like 'cache hit'
context 'when user role changes' do
before do
project.add_guest(user)
end
it_behaves_like 'cache miss'
end
context 'when emoji is awarded to a note' do
before do
travel_to(1.minute.from_now) { create(:award_emoji, awardable: notes.first) }
end
it_behaves_like 'cache miss'
end
context 'when note author name changes' do
before do
note_author.update!(name: 'New name')
end
it_behaves_like 'cache miss'
end
context 'when note author status changes' do
before do
Users::SetStatusService.new(note_author, message: "updated status").execute
end
it_behaves_like 'cache miss'
end
context 'when note author role changes' do
before do
project.add_developer(note_author)
end
it_behaves_like 'cache miss'
end
context 'when note is added' do
before do
create(:note, project: project, noteable: issue)
end
it_behaves_like 'cache miss'
end
context 'when note is modified' do
before do
notes.first.update!(note: 'edited text')
end
it_behaves_like 'cache miss'
end
context 'when note is deleted' do
before do
notes.first.destroy!
end
it_behaves_like 'cache miss'
end
end
end
end