Commit 23902b12 authored by GitLab Bot

Automatic merge of gitlab-org/gitlab-ce master

parents c67a83fd bbf639c4
......@@ -11,7 +11,7 @@ class Projects::EnvironmentsController < Projects::ApplicationController
before_action :verify_api_request!, only: :terminal_websocket_authorize
before_action :expire_etag_cache, only: [:index]
before_action only: [:metrics, :additional_metrics, :metrics_dashboard] do
push_frontend_feature_flag(:environment_metrics_use_prometheus_endpoint)
push_frontend_feature_flag(:environment_metrics_use_prometheus_endpoint, default_enabled: true)
push_frontend_feature_flag(:environment_metrics_show_multiple_dashboards)
push_frontend_feature_flag(:environment_metrics_additional_panel_types)
push_frontend_feature_flag(:prometheus_computed_alerts)
......
......@@ -39,7 +39,7 @@ module ServicesHelper
end
def disable_fields_service?(service)
service.is_a?(KubernetesService) || (!current_controller?("admin/services") && service.deprecated?)
!current_controller?("admin/services") && service.deprecated?
end
extend self
......
......@@ -162,7 +162,6 @@ class Project < ApplicationRecord
has_one :bugzilla_service
has_one :gitlab_issue_tracker_service, inverse_of: :project
has_one :external_wiki_service
has_one :kubernetes_service, inverse_of: :project
has_one :prometheus_service, inverse_of: :project
has_one :mock_ci_service
has_one :mock_deployment_service
......
# frozen_string_literal: true
class KubernetesService < Service
default_value_for :category, 'deployment'
# Namespace defaults to the project path, but can be overridden in case that
# is an invalid or inappropriate name
prop_accessor :namespace
# Access to kubernetes is directly through the API
prop_accessor :api_url
# Bearer authentication
# TODO: user/password auth, client certificates
prop_accessor :token
# Provide a custom CA bundle for self-signed deployments
prop_accessor :ca_pem
with_options presence: true, if: :activated? do
validates :api_url, public_url: true
validates :token
end
before_validation :enforce_namespace_to_lower_case
attr_accessor :skip_deprecation_validation
validate :deprecation_validation, unless: :skip_deprecation_validation
validates :namespace,
allow_blank: true,
length: 1..63,
if: :activated?,
format: {
with: Gitlab::Regex.kubernetes_namespace_regex,
message: Gitlab::Regex.kubernetes_namespace_regex_message
}
def self.supported_events
%w()
end
def can_test?
false
end
def initialize_properties
self.properties = {} if properties.nil?
end
def title
'Kubernetes'
end
def description
'Kubernetes / OpenShift integration'
end
def self.to_param
'kubernetes'
end
def fields
[
{ type: 'text',
name: 'api_url',
title: 'API URL',
placeholder: 'Kubernetes API URL, like https://kube.example.com/' },
{ type: 'textarea',
name: 'ca_pem',
title: 'CA Certificate',
placeholder: 'Certificate Authority bundle (PEM format)' },
{ type: 'text',
name: 'namespace',
title: 'Project namespace (optional/unique)',
placeholder: namespace_placeholder },
{ type: 'text',
name: 'token',
title: 'Token',
placeholder: 'Service token' }
]
end
def deprecated?
true
end
def editable?
false
end
def deprecation_message
content = if project
_("Kubernetes service integration has been disabled. Fields on this page are not used by GitLab, you can configure your Kubernetes clusters using the new <a href=\"%{url}\"/>Kubernetes Clusters</a> page") % {
url: Gitlab::Routing.url_helpers.project_clusters_path(project)
}
else
_("The instance-level Kubernetes service integration is disabled. Your data has been migrated to an <a href=\"%{url}\"/>instance-level cluster</a>.") % {
url: Gitlab::Routing.url_helpers.admin_clusters_path
}
end
content.html_safe
end
TEMPLATE_PLACEHOLDER = 'Kubernetes namespace'.freeze
private
def namespace_placeholder
default_namespace || TEMPLATE_PLACEHOLDER
end
def default_namespace
return unless project
slug = "#{project.path}-#{project.id}".downcase
slug.gsub(/[^-a-z0-9]/, '-').gsub(/^-+/, '')
end
def enforce_namespace_to_lower_case
self.namespace = self.namespace&.downcase
end
def deprecation_validation
return if active_changed?(from: true, to: false) || (new_record? && !active?)
if deprecated?
errors[:base] << deprecation_message
end
end
end
......@@ -260,7 +260,6 @@ class Service < ApplicationRecord
hipchat
irker
jira
kubernetes
mattermost_slash_commands
mattermost
packagist
......
......@@ -6,6 +6,5 @@
= form_for :service, url: admin_application_settings_service_path, method: :put, html: { class: 'fieldset-form' } do |form|
= render 'shared/service_settings', form: form, subject: @service
- unless @service.is_a?(KubernetesService)
.footer-block.row-content-block
= form.submit 'Save', class: 'btn btn-success'
---
title: Remove Kubernetes service integration page
merge_request: 31365
author:
type: removed
---
title: Add max_replication_slots to PG HA documentation
merge_request: 31534
author:
type: other
---
title: Add a field for released_at to GH importer
merge_request: 31496
author:
type: fixed
---
title: Filter title, description, and body parameters from logs
merge_request:
author:
type: changed
---
title: Update 'Ruby on Rails' project template
merge_request: 31310
author:
type: other
---
title: Rename githost.log -> git_json.log
merge_request: 31634
author:
type: changed
---
title: Remove counts from default labels API responses
merge_request: 31543
author:
type: changed
......@@ -105,10 +105,23 @@ module Gitlab
# - Sentry DSN (:sentry_dsn)
# - File content from Web Editor (:content)
# - Jira shared secret (:sharedSecret)
# - Titles, bodies, and descriptions for notes, issues, etc.
#
# NOTE: It is **IMPORTANT** to also update gitlab-workhorse's filter when adding parameters here to not
# introduce another security vulnerability: https://gitlab.com/gitlab-org/gitlab-workhorse/issues/182
config.filter_parameters += [/token$/, /password/, /secret/, /key$/, /^note$/, /^text$/]
# NOTE: It is **IMPORTANT** to also update labkit's filter when
# adding parameters here to not introduce another security
# vulnerability:
# https://gitlab.com/gitlab-org/labkit/blob/master/mask/matchers.go
config.filter_parameters += [
/token$/,
/password/,
/secret/,
/key$/,
/^body$/,
/^description$/,
/^note$/,
/^text$/,
/^title$/
]
config.filter_parameters += %i(
certificate
encrypted_key
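Review bot: The new patterns `/^body$/`, `/^description$/` and `/^title$/` are anchored to the exact parameter name, while `/password/` and `/secret/` in the same list match any key containing the word, and the comment above the list does not say that this difference is deliberate. A parameter that carries the same user content under a longer key name would still be logged unmasked, so the rule belongs next to the list, for example `# Anchored entries mask only keys named exactly body/description/note/text/title; /password/ and /secret/ match substrings.` The rewritten NOTE relies on maintainers keeping labkit's matchers.go in step by hand; a spec asserting that these keys are masked would at least pin the Rails side, assuming none exists outside this hunk. The `%i(` list that follows continues past the end of the hunk.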
......
# frozen_string_literal: true
class DeleteKubernetesServices < ActiveRecord::Migration[5.2]
DOWNTIME = false
def up
Service.where(type: "KubernetesService").delete_all
end
def down
# no-op
end
end
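Review bot: `up` deletes through the application model `Service`, so the migration's behaviour depends on whatever scopes, callbacks and STI setup that class has on the day the migration runs, and this same commit removes the `KubernetesService` subclass the `type` value refers to. A migration-local model with STI disabled (assuming the conventional `services` table name) keeps the delete independent of later model changes. Per the model removed in this commit, the deleted rows hold the `token` and `ca_pem` properties, and `down` cannot bring them back, so the `# no-op` comment should say that the deletion is irreversible by design. The delete is also unbatched, which is worth a line of justification if the number of matching rows is known to be small.

```ruby
class DeleteKubernetesServices < ActiveRecord::Migration[5.2]
  # Migration-local model, independent of the application's Service class.
  class Service < ActiveRecord::Base
    self.table_name = 'services'
    self.inheritance_column = :_type_disabled # do not resolve removed STI subclasses
  end

  # ... unchanged: DOWNTIME, up ...

  def down
    # Irreversible: the deleted rows, including stored tokens, are not restored.
  end
end
```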
......@@ -25,7 +25,7 @@ No matter how you use GitLab, we have documentation for you.
| [**User Documentation**](user/index.md)<br/>Discover features and concepts for GitLab users. | [**Administrator documentation**](administration/index.md)<br/>Everything GitLab self-managed administrators need to know. |
| [**Contributing to GitLab**](#contributing-to-gitlab)<br/>At GitLab, everyone can contribute! | [**New to Git and GitLab?**](#new-to-git-and-gitlab)<br/>We have resources to get you started. |
| [**Building an integration with GitLab?**](#building-an-integration-with-gitlab)<br/>Consult our automation and integration documentation. | [**Coming to GitLab from another platform?**](#coming-to-gitlab-from-another-platform)<br/>Consult our handy guides. |
| [**Install GitLab**](https://about.gitlab.com/install/)<br/>Installation options for different platforms. | [**Subscribe to GitLab**](#subscribe-to-gitlab)<br/>Get access to more features. |
| [**Install GitLab**](https://about.gitlab.com/install/)<br/>Installation options for different platforms. | [**Customers**](subscriptions/index.md)<br/>Information for new and existing customers. |
| [**Update GitLab**](update/README.md)<br/>Update your GitLab self-managed instance to the latest version. | [**GitLab Releases**](https://about.gitlab.com/releases/)<br/>What's new in GitLab. |
## Popular Documentation
......@@ -38,7 +38,7 @@ Have a look at some of our most popular documentation resources:
| [GitLab CI/CD examples](ci/examples/README.md) | Get up to speed quickly with common CI/CD scenarios. |
| [GitLab Container Registry](user/project/container_registry.md) | Host containers within GitLab. |
| [GitLab Pages](user/project/pages/index.md) | Host static websites for your projects with GitLab. |
| [GitLab.com settings](user/gitlab_com/index.md) | Settings for [GitLab.com](#gitlabcom). |
| [GitLab.com settings](user/gitlab_com/index.md) | Settings for GitLab.com. |
| [Kubernetes integration](user/project/clusters/index.md) | Use GitLab with Kubernetes. |
| [SSH authentication](ssh/README.md) | Secure your network communications. |
| [Using Docker images](ci/docker/using_docker_images.md) | Build and test your applications with Docker. |
......@@ -361,90 +361,6 @@ The following documentation relates to the DevOps **Secure** stage:
| [Project Security Dashboard](user/application_security/security_dashboard/index.md) **(ULTIMATE)** | View the latest security reports for your project. |
| [Static Application Security Testing (SAST)](user/application_security/sast/index.md) **(ULTIMATE)** | Analyze source code for known vulnerabilities. |
## Subscribe to GitLab
There are two ways to use GitLab:
- [GitLab self-managed](#gitlab-self-managed): Install, administer, and maintain your own GitLab instance.
- [GitLab.com](#gitlabcom): GitLab's SaaS offering. You don't need to install anything to use GitLab.com,
you only need to [sign up](https://gitlab.com/users/sign_in) and start using GitLab straight away.
For more information on managing your subscription and [Customers Portal](https://customers.gitlab.com) account, please see [Getting Started with Subscriptions](getting-started/subscription.md).
The following sections outline tiers and features within GitLab self-managed and GitLab.com.
<div align="right">
<a type="button" class="btn btn-default" href="#overview">
Back to Overview <i class="fa fa-angle-double-up" aria-hidden="true"></i>
</a>
</div>
### GitLab self-managed
With GitLab self-managed, you deploy your own GitLab instance on-premises or on a cloud of your choice.
GitLab self-managed is available for [free and with paid subscriptions](https://about.gitlab.com/pricing/#self-managed) in the following tiers:
| Tier | Includes |
|:---------|:-----------------------------------------------|
| Core | Core features. |
| Starter | Core and Starter features. |
| Premium | Core, Starter, and Premium features. |
| Ultimate | Core, Starter, Premium, and Ultimate features. |
The following resources are available for more information on GitLab self-managed:
- [Feature comparison](https://about.gitlab.com/pricing/self-managed/feature-comparison/), for information on what features are available at each tier.
- [GitLab pricing page](https://about.gitlab.com/pricing/#self-managed), for subscription information and a free trial.
- Our [product marketing page](https://about.gitlab.com/handbook/marketing/product-marketing/), for additional information including:
- How [different tiers are licensed](https://about.gitlab.com/handbook/marketing/product-marketing/#tiers).
- The different [GitLab distributions](https://about.gitlab.com/handbook/marketing/product-marketing/#distributions).
<div align="right">
<a type="button" class="btn btn-default" href="#overview">
Back to Overview <i class="fa fa-angle-double-up" aria-hidden="true"></i>
</a>
</div>
### GitLab.com
GitLab.com is hosted, managed, and administered by GitLab, Inc., with
[free and paid subscriptions](https://about.gitlab.com/pricing/) for individuals
and teams in the following tiers:
| Tier | Includes same features available in |
|:-------|:----------------------------------------------------|
| Free | [Core](#gitlab-self-managed) self-managed tier. |
| Bronze | [Starter](#gitlab-self-managed) self-managed tier. |
| Silver | [Premium](#gitlab-self-managed) self-managed tier. |
| Gold | [Ultimate](#gitlab-self-managed) self-managed tier. |
GitLab.com subscriptions grant access
to the same features available in GitLab self-managed, **except
[administration](administration/index.md) tools and settings**.
GitLab.com allows you to apply your subscription to a group or your personal user.
When applied to a **group**, the group, all subgroups, and all projects under the selected group on GitLab.com will have the features of the associated plan. It is recommended to go with a group plan when managing projects and users of an organization.
When associated with a **personal userspace** instead, all projects will have features with the subscription applied, but as it is not a group, group features will not be available.
TIP: **Tip:**
To support the open source community and encourage the development of open source projects, GitLab grants access to **Gold** features for all GitLab.com **public** projects, regardless of the subscription.
The following resources are available for more information on GitLab.com:
- [Feature comparison](https://about.gitlab.com/pricing/gitlab-com/feature-comparison/), for information on what features are available at each tier.
- [GitLab pricing page](https://about.gitlab.com/pricing/), for subscription information and a free trial.
- Our [product marketing page](https://about.gitlab.com/handbook/marketing/product-marketing/), for additional information including:
- How [different tiers are licensed](https://about.gitlab.com/handbook/marketing/product-marketing/#tiers).
- The different [GitLab distributions](https://about.gitlab.com/handbook/marketing/product-marketing/#distributions).
<div align="right">
<a type="button" class="btn btn-default" href="#overview">
Back to Overview <i class="fa fa-angle-double-up" aria-hidden="true"></i>
</a>
</div>
## New to Git and GitLab?
Working with new systems can be daunting.
......
......@@ -327,6 +327,7 @@ When installing the GitLab package, do not supply `EXTERNAL_URL` value.
postgresql['sql_user_password'] = 'POSTGRESQL_PASSWORD_HASH'
# Replace X with value of number of db nodes + 1
postgresql['max_wal_senders'] = X
postgresql['max_replication_slots'] = X
# Replace XXX.XXX.XXX.XXX/YY with Network Address
postgresql['trust_auth_cidr_addresses'] = %w(XXX.XXX.XXX.XXX/YY)
......
......@@ -188,3 +188,5 @@ Learn how to install, configure, update, and maintain your GitLab instance.
- Useful [diagnostics tools](troubleshooting/diagnostics_tools.md) that are sometimes used by the GitLab
Support team.
- [Troubleshooting ElasticSearch](troubleshooting/elasticsearch.md): Tips to troubleshoot ElasticSearch.
- [Kubernetes troubleshooting](troubleshooting/kubernetes_cheat_sheet.md): Commands and tips useful
for troubleshooting Kubernetes-related issues.
......@@ -151,14 +151,15 @@ etc. For example:
{"severity":"ERROR","time":"2018-11-23T15:42:11.647Z","exception":"Kubeclient::HttpError","error_code":null,"service":"Clusters::Applications::InstallService","app_id":2,"project_ids":[19],"group_ids":[],"message":"SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)"}
```
## `githost.log`
## `git_json.log`
This file lives in `/var/log/gitlab/gitlab-rails/githost.log` for
Omnibus GitLab packages or in `/home/git/gitlab/log/githost.log` for
This file lives in `/var/log/gitlab/gitlab-rails/git_json.log` for
Omnibus GitLab packages or in `/home/git/gitlab/log/git_json.log` for
installations from source.
NOTE: **Note:**
After 12.2, this file will be stored in JSON format.
After 12.2, this file was renamed from `githost.log` to
`git_json.log` and stored in JSON format.
GitLab has to interact with Git repositories but in some rare cases
something can go wrong and in this case you will know what exactly
......
---
type: reference
---
# Kubernetes, GitLab and You
This is a list of useful information regarding Kubernetes that the GitLab Support
Team sometimes uses while troubleshooting. GitLab is making this public, so that anyone
can make use of the Support team's collected knowledge
CAUTION: **Caution:**
These commands **can alter or break** your Kubernetes components so use these at your own risk.
If you are on a [paid tier](https://about.gitlab.com/pricing/) and are not sure how
to use these commands, it is best to [contact Support](https://about.gitlab.com/support/)
and they will assist you with any issues you are having.
## Generic kubernetes commands
- How to authorize to your GCP project (can be especially useful if you have projects
under different GCP accounts):
```bash
gcloud auth login
```
- How to access Kubernetes dashboard:
```bash
# for minikube:
minikube dashboard —url
# for non-local installations if access via kubectl is configured:
kubectl proxy
```
- How to ssh to a Kubernetes node and enter the container as root
<https://github.com/kubernetes/kubernetes/issues/30656>:
- For GCP, you may find the node name and run `gcloud compute ssh node-name`.
- List containers using `docker ps`.
- Enter container using `docker exec --user root -ti container-id bash`.
- How to copy a file from local machine to a pod:
```bash
kubectl cp file-name pod-name:./destination-path
```
- What to do with pods in `CrashLoopBackoff` status:
- Check logs via Kubernetes dashboard.
- Check logs via `kubectl`:
```bash
kubectl logs <unicorn pod> -c dependencies
```
- How to tail all Kubernetes cluster events in real time:
```bash
kubectl get events -w --all-namespaces
```
- How to get logs of the previously terminated pod instance:
```bash
kubectl logs <pod-name> --previous
```
NOTE: **Note:**
No logs are kept in the containers/pods themselves, everything is written to stdout.
This is the principle of Kubernetes, read [Twelve-factor app](https://12factor.net/)
for details.
## Gitlab-specific kubernetes information
- Minimal config that can be used to test a Kubernetes helm chart can be found
[here](https://gitlab.com/charts/gitlab/issues/620).
- Tailing logs of a separate pod. An example for a unicorn pod:
```bash
kubectl logs gitlab-unicorn-7656fdd6bf-jqzfs -c unicorn
```
- It is not possible to get all the logs via `kubectl` at once, like with `gitlab-ctl tail`,
but a number of third-party tools can be used to do it:
- [Kubetail](https://github.com/johanhaleby/kubetail)
- [kail: kubernetes tail](https://github.com/boz/kail)
- [stern](https://github.com/wercker/stern)
- Check all events in the `gitlab` namespace (the namespace name can be different if you
specified a different one when deploying the helm chart):
```bash
kubectl get events -w --namespace=gitlab
```
- Most of the useful GitLab tools (console, rake tasks, etc) are found in the task-runner
pod. You may enter it and run commands inside or run them from the outside:
```bash
# find the pod
kubectl get pods | grep task-runner
# enter it
kubectl exec -it <task-runner-pod-name> bash
# open rails console
# rails console can be also called from other GitLab pods
/srv/gitlab/bin/rails console
# source-style commands should also work
/srv/gitlab && bundle exec rake gitlab:check RAILS_ENV=production
# run GitLab check. Note that the output can be confusing and invalid because of the specific structure of GitLab installed via helm chart
/usr/local/bin/gitlab-rake gitlab:check
# open console without entering pod
kubectl exec -it <task-runner-pod-name> /srv/gitlab/bin/rails console
# check the status of DB migrations
kubectl exec -it <task-runner-pod-name> /usr/local/bin/gitlab-rake db:migrate:status
```
You can also use `gitlab-rake`, instead of `/usr/local/bin/gitlab-rake`.
- Troubleshooting **Operations > Kubernetes** integration:
- Check the output of `kubectl get events -w --all-namespaces`.
- Check the logs of pods within `gitlab-managed-apps` namespace.
- On the side of GitLab check sidekiq log and kubernetes log. When GitLab is installed
via helm chart, kubernetes.log can be found inside the sidekiq pod.
- How to get your initial admin password <https://docs.gitlab.com/charts/installation/deployment.html#initial-login>:
```bash
# find the name of the secret containing the password
kubectl get secrets | grep initial-root
# decode it
kubectl get secret <secret-name> -ojsonpath={.data.password} | base64 --decode ; echo
```
- How to connect to a GitLab postgres database:
```bash
kubectl exec -it <task-runner-pod-name> -- /srv/gitlab/bin/rails dbconsole -p
```
- How to get info about helm installation status:
```bash
helm status name-of-installation
```
- How to update GitLab installed using helm chart:
```bash
helm repo upgrade
# get current values and redirect them to yaml file (analogue of gitlab.rb values)
helm get values <release name> > gitlab.yaml
# run upgrade itself
helm upgrade <release name> <chart path> -f gitlab.yaml
```
After <https://canary.gitlab.com/charts/gitlab/issues/780> is fixed, it should
be possible to use [Updating GitLab using the Helm Chart](https://docs.gitlab.com/ee/install/kubernetes/gitlab_chart.html#updating-gitlab-using-the-helm-chart)
for upgrades.
- How to apply changes to GitLab config:
- Modify the `gitlab.yaml` file.
- Run the following command to apply changes:
```bash
helm upgrade <release name> <chart path> -f gitlab.yaml
```
## Installation of minimal GitLab config via minukube on macOS
This section is based on [Developing for Kubernetes with Minikube](https://gitlab.com/charts/gitlab/blob/master/doc/minikube/index.md)
and [Helm](https://gitlab.com/charts/gitlab/blob/master/doc/helm/index.md). Refer
to those documents for details.
- Install kubectl via Homebrew:
```bash
brew install kubernetes-cli
```
- Install minikube via Homebrew:
```bash
brew cask install minikube
```
- Start minikube and configure it. If minikube cannot start, try running `minikube delete && minikube start`
and repeat the steps:
```bash
minikube start --cpus 3 --memory 8192 # minimum amount for GitLab to work
minikube addons enable ingress
minikube addons enable kube-dns
```
- Install helm via Homebrew and initialize it:
```bash
brew install kubernetes-helm
helm init --service-account tiller
```
- Copy the file <https://gitlab.com/charts/gitlab/raw/master/examples/values-minikube-minimum.yaml>
to your workstation.
- Find the IP address in the output of `minikube ip` and update the yaml file with
this IP address.
- Install the GitLab helm chart:
```bash
helm repo add gitlab https://charts.gitlab.io
helm install --name gitlab -f <path-to-yaml-file> gitlab/gitlab
```
If you want to modify some GitLab settings, you can use the above-mentioned config
as a base and create your own yaml file.
- Monitor the installation progress via `helm status gitlab` and `minikube dashboard`.
The installation could take up to 20-30 minutes depending on the amount of resources
on your workstation.
- When all the pods show either a `Running` or `Completed` status, get the GitLab password as
described in [Initial login](https://docs.gitlab.com/ee/install/kubernetes/gitlab_chart.html#initial-login),
and log in to GitLab via the UI. It will be accessible via `https://gitlab.domain`
where `domain` is the value provided in the yaml file.
<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
one might have when setting this up, or when something is changed, or on upgrading, it's
important to describe those, too. Think of things that may go wrong and include them here.
This is important to minimize requests for support, and to avoid doc comments with
questions that you know someone might ask.
Each scenario can be a third-level heading, e.g. `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->
......@@ -15,9 +15,10 @@ GET /groups/:id/labels
| Attribute | Type | Required | Description |
| --------- | ---- | -------- | ----------- |
| `id` | integer/string | yes | The ID or [URL-encoded path of the group](README.md#namespaced-path-encoding) owned by the authenticated user. |
| `with_counts` | boolean | no | Whether or not to include issue and merge request counts. Defaults to `false`. _([Introduced in GitLab 12.2](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/31543))_ |
```bash
curl --header "PRIVATE-TOKEN: <your_access_token>" https://gitlab.example.com/api/v4/groups/5/labels
curl --header "PRIVATE-TOKEN: <your_access_token>" https://gitlab.example.com/api/v4/groups/5/labels?with_counts=true
```
Example response:
......
......@@ -11,9 +11,10 @@ GET /projects/:id/labels
| Attribute | Type | Required | Description |
| --------- | ------- | -------- | --------------------- |
| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user |
| `with_counts` | boolean | no | Whether or not to include issue and merge request counts. Defaults to `false`. _([Introduced in GitLab 12.2](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/31543))_ |
```bash
curl --header "PRIVATE-TOKEN: <your_access_token>" https://gitlab.example.com/api/v4/projects/1/labels
curl --header "PRIVATE-TOKEN: <your_access_token>" https://gitlab.example.com/api/v4/projects/1/labels?with_counts=true
```
Example response:
......
......@@ -595,44 +595,6 @@ Remove all previously Jira settings from a project.
DELETE /projects/:id/services/jira
```
## Kubernetes
Kubernetes / OpenShift integration
CAUTION: **Warning:**
Kubernetes service integration has been deprecated in GitLab 10.3. API service endpoints will continue to work as long as the Kubernetes service is active, however if the service is inactive API endpoints will automatically return a `400 Bad Request`. Read [GitLab 10.3 release post](https://about.gitlab.com/2017/12/22/gitlab-10-3-released/#kubernetes-integration-service) for more information.
### Create/Edit Kubernetes service
Set Kubernetes service for a project.
```
PUT /projects/:id/services/kubernetes
```
Parameters:
- `namespace` (**required**) - The Kubernetes namespace to use
- `api_url` (**required**) - The URL to the Kubernetes cluster API. For example, `https://kubernetes.example.com`
- `token` (**required**) - The service token to authenticate against the Kubernetes cluster with
- `ca_pem` (optional) - A custom certificate authority bundle to verify the Kubernetes cluster with (PEM format)
### Delete Kubernetes service
Delete Kubernetes service for a project.
```
DELETE /projects/:id/services/kubernetes
```
### Get Kubernetes service settings
Get Kubernetes service settings for a project.
```
GET /projects/:id/services/kubernetes
```
## Slack slash commands
Ability to receive slash commands from a Slack chat instance.
......
......@@ -568,7 +568,7 @@ Usage: /etc/init.d/postgresql {start|stop|restart|reload|force-reload|status} [v
gitlabhq (includes Unicorn and Sidekiq logs)
- `/home/git/gitlab/log/` contains `application.log`, `production.log`, `sidekiq.log`, `unicorn.stdout.log`, `githost.log` and `unicorn.stderr.log` normally.
- `/home/git/gitlab/log/` contains `application.log`, `production.log`, `sidekiq.log`, `unicorn.stdout.log`, `git_json.log` and `unicorn.stderr.log` normally.
gitlab-shell
......
......@@ -90,12 +90,20 @@ and details for a database reviewer:
- Ensure that migrations execute in a transaction or only contain
concurrent index/foreign key helpers (with transactions disabled)
- Check consistency with `db/schema.rb` and that migrations are [reversible](migration_style_guide.md#reversibility)
- Check queries timing (If any): Queries executed in a migration
need to fit comfortable within `15s` - preferably much less than that - on GitLab.com.
- Check [background migrations](background_migrations.md):
- For data migrations, establish a time estimate for execution
- Check post deploy migration
- Make sure we can expect post deploy migrations to finish within 1 hour max.
- Check background migrations
- They should only be used when migrating data in larger tables.
- If a single `update` is below than `1s` the query can be placed
directly in a regular migration (inside `db/migrate`).
- Review queries (for example, make sure batch sizes are fine)
- Establish a time estimate for execution
- Because execution time can be longer than for a regular migration,
it's suggested to treat background migrations as post migrations:
place them in `db/post_migrate` instead of `db/migrate`. Keep in mind
that post migrations are executed post-deployment in production.
- Check [timing guidelines for migrations](#timing-guidelines-for-migrations)
- Query performance
- Check for any obviously complex queries and queries the author specifically
points out for review (if any)
......@@ -110,3 +118,17 @@ and details for a database reviewer:
(eg indexes, columns), you can use a [one-off instance from the restore
pipeline](https://ops.gitlab.net/gitlab-com/gl-infra/gitlab-restore/postgres-gprd)
in order to establish a proper testing environment.
### Timing guidelines for migrations
In general, migrations for a single deploy shouldn't take longer than
1 hour for GitLab.com. The following guidelines are not hard rules, they were
estimated to keep migration timing to a minimum.
NOTE: **Note:** Keep in mind that all runtimes should be measured against GitLab.com.
| Migration Type | Execution Time Recommended | Notes |
|----|----|---|
| Regular migrations on `db/migrate` | `3 minutes` | A valid exception are index creation as this can take a long time. |
| Post migrations on `db/post_migrate` | `10 minutes` | |
| Background migrations | --- | Since these are suitable for larger tables, it's not possible to set a precise timing guideline, however, any query must stay well below `10s` of execution time. |
......@@ -10,9 +10,7 @@ migrations are written carefully, can be applied online and adhere to the style
guide below.
Migrations are **not** allowed to require GitLab installations to be taken
offline unless _absolutely necessary_. Downtime assumptions should be based on
the behaviour of a migration when performed using PostgreSQL, as various
operations in MySQL may require downtime without there being alternatives.
offline unless _absolutely necessary_.
When downtime is necessary the migration has to be approved by:
......@@ -343,10 +341,7 @@ class AddOptionsToBuildMetadata < ActiveRecord::Migration[5.0]
end
```
On MySQL the `JSON` and `JSONB` is translated to `TEXT 1MB`, as `JSONB` is PostgreSQL only feature.
For above reason you have to use a serializer to provide a translation layer
in order to support PostgreSQL and MySQL seamlessly:
You have to use a serializer to provide a translation layer:
```ruby
class BuildMetadata
......@@ -356,7 +351,7 @@ end
## Testing
Make sure that your migration works with MySQL and PostgreSQL with data. An
Make sure that your migration works for databases with data. An
empty database does not guarantee that your migration is correct.
Make sure your migration can be reversed.
......
......@@ -610,7 +610,7 @@ To back up GitLab:
1. Take a backup:
```sh
sudo gitlab-rake gitlab:backup:create
sudo gitlab-backup create
```
### Restoring GitLab from a backup
......@@ -628,7 +628,7 @@ released, you can update your GitLab instance:
1. Take a backup:
```sh
sudo gitlab-rake gitlab:backup:create
sudo gitlab-backup create
```
1. Update the repositories and install GitLab:
......
......@@ -93,6 +93,7 @@ enough available RAM. Having swap will help reduce the chance of errors occurrin
if your available memory changes. We also recommend [configuring the kernel's swappiness setting](https://askubuntu.com/a/103916)
to a low value like `10` to make the most of your RAM while still having the swap
available when needed.
Our [Memory Team](https://about.gitlab.com/handbook/engineering/development/enablement/memory/) is actively working to reduce this requirement.
NOTE: **Note:** The 25 workers of Sidekiq will show up as separate processes in your process overview (such as `top` or `htop`) but they share the same RAM allocation since Sidekiq is a multithreaded application. Please see the section below about Unicorn workers for information about how many you need of those.
......
......@@ -2,28 +2,28 @@
You accept and agree to the following terms and conditions for Your present and future Contributions submitted to GitLab B.V.. Except for the license granted herein to GitLab B.V. and recipients of software distributed by GitLab B.V., You reserve all right, title, and interest in and to Your Contributions.
1. Definitions.
- **Definitions:**
"You" (or "Your") shall mean the copyright owner or legal entity authorized by the copyright owner that is making this Agreement with GitLab B.V.. For legal entities, the entity making a Contribution and all other entities that control, are controlled by, or are under common control with that entity are considered to be a single Contributor. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
"Contribution" shall mean the code, documentation or other original works of authorship, including any modifications or additions to an existing work, that is submitted by You to GitLab B.V. for inclusion in, or documentation of, any of the products owned or managed by GitLab B.V. (the "Work"). For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to GitLab B.V. or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, GitLab B.V. for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution."
2. Grant of Copyright License.
- **Grant of Copyright License:**
Subject to the terms and conditions of this Agreement, You hereby grant to GitLab B.V. and to recipients of software distributed by GitLab B.V. a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.
Subject to the terms and conditions of this Agreement, You hereby grant to GitLab B.V. and to recipients of software distributed by GitLab B.V. a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.
3. Grant of Patent License.
- **Grant of Patent License:**
Subject to the terms and conditions of this Agreement, You hereby grant to GitLab B.V. and to recipients of software distributed by GitLab B.V. a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by You that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
Subject to the terms and conditions of this Agreement, You hereby grant to GitLab B.V. and to recipients of software distributed by GitLab B.V. a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by You that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
4. You represent that You are legally entitled to grant the above license. You represent further that each of Your employees is authorized to submit Contributions on Your behalf, but excluding employees that are designated in writing by You as "Not authorized to submit Contributions on behalf of [name of Your corporation here]." Such designations of exclusion for unauthorized employees are to be submitted via email to legal@gitlab.com.
You represent that You are legally entitled to grant the above license. You represent further that each of Your employees is authorized to submit Contributions on Your behalf, but excluding employees that are designated in writing by You as "Not authorized to submit Contributions on behalf of (name of Your corporation here)." Such designations of exclusion for unauthorized employees are to be submitted via email to legal@gitlab.com. It is Your responsibility to notify GitLab B.V. when any change is required to the list of designated employees excluded from submitting Contributions on Your behalf. Such notification should also be sent via email to legal@gitlab.com.
5. You represent that each of Your Contributions is Your original creation (see section 7 for submissions on behalf of others).
- **Contributions:**
6. You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
You represent that each of Your Contributions is Your original creation.
7. Should You wish to submit work that is not Your original creation, You may submit it to GitLab B.V. separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which you are personally aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [named here]".
Should You wish to submit work that is not Your original creation, You may submit it to GitLab B.V. separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which you are personally aware, and conspicuously marking the work as "Submitted on behalf of a third-party: (named here)".
8. It is Your responsibility to notify GitLab.com when any change is required to the list of designated employees excluded from submitting Contributions on Your behalf per Section 4. Such notification should be sent via email to legal@gitlab.com.
You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
This text is licensed under the [Creative Commons Attribution 3.0 License](https://creativecommons.org/licenses/by/3.0/) and the original source is the Google Open Source Programs Office.
......@@ -2,24 +2,30 @@
You accept and agree to the following terms and conditions for Your present and future Contributions submitted to GitLab B.V.. Except for the license granted herein to GitLab B.V. and recipients of software distributed by GitLab B.V., You reserve all right, title, and interest in and to Your Contributions.
1. Definitions.
- **Definitions:**
"You" (or "Your") shall mean the copyright owner or legal entity authorized by the copyright owner that is making this Agreement with GitLab B.V.. For legal entities, the entity making a Contribution and all other entities that control, are controlled by, or are under common control with that entity are considered to be a single Contributor. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
"Contribution" shall mean any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to GitLab B.V. for inclusion in, or documentation of, any of the products owned or managed by GitLab B.V. (the "Work"). For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to GitLab B.V. or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, GitLab B.V. for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution."
2. Grant of Copyright License. Subject to the terms and conditions of this Agreement, You hereby grant to GitLab B.V. and to recipients of software distributed by GitLab B.V. a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.
- **Grant of Copyright License:**
3. Grant of Patent License. Subject to the terms and conditions of this Agreement, You hereby grant to GitLab B.V. and to recipients of software distributed by GitLab B.V. a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by You that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
Subject to the terms and conditions of this Agreement, You hereby grant to GitLab B.V. and to recipients of software distributed by GitLab B.V. a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.
4. You represent that you are legally entitled to grant the above license. If your employer(s) has rights to intellectual property that you create that includes your Contributions, you represent that you have received permission to make Contributions on behalf of that employer, that your employer has waived such rights for your Contributions to GitLab B.V., or that your employer has executed a separate Corporate CLA with GitLab B.V..
- **Grant of Patent License:**
5. You represent that each of Your Contributions is Your original creation (see section 7 for submissions on behalf of others). You represent that Your Contribution submissions include complete details of any third-party license or other restriction (including, but not limited to, related patents and trademarks) of which you are personally aware and which are associated with any part of Your Contributions.
Subject to the terms and conditions of this Agreement, You hereby grant to GitLab B.V. and to recipients of software distributed by GitLab B.V. a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by You that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
6. You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
You represent that you are legally entitled to grant the above license. If your employer(s) has rights to intellectual property that you create that includes your Contributions, you represent that you have received permission to make Contributions on behalf of that employer, that your employer has waived such rights for your Contributions to GitLab B.V., or that your employer has executed a separate Corporate CLA with GitLab B.V..
7. Should You wish to submit work that is not Your original creation, You may submit it to GitLab B.V. separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which you are personally aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [insert_name_here]".
- **Contributions:**
8. You agree to notify GitLab B.V. of any facts or circumstances of which you become aware that would make these representations inaccurate in any respect.
You represent that each of Your Contributions is Your original creation. You represent that Your Contribution submissions include complete details of any third-party license or other restriction (including, but not limited to, related patents and trademarks) of which you are personally aware and which are associated with any part of Your Contributions.
Should You wish to submit work that is not Your original creation, You may submit it to GitLab B.V. separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which you are personally aware, and conspicuously marking the work as "Submitted on behalf of a third-party: (insert_name_here)".
You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
You agree to notify GitLab B.V. of any facts or circumstances of which you become aware that would make these representations inaccurate in any respect.
This text is licensed under the [Creative Commons Attribution 3.0 License](https://creativecommons.org/licenses/by/3.0/) and the original source is the Google Open Source Programs Office.
......@@ -67,7 +67,7 @@ Also check on your GitLab server.
```
# On your GitLab server:
# Omnibus
sudo gitlab-rake gitlab:backup:create SKIP=repositories,uploads
sudo gitlab-backup create SKIP=repositories,uploads
# Source
cd /home/git/gitlab
......
......@@ -12,7 +12,7 @@ public access directory (`/public` under your GitLab instance), like at [https:/
### Public projects
Public projects can be cloned **without any** authentication.
Public projects can be cloned **without any** authentication over https.
They will be listed in the public access directory (`/public`) for all users.
......
......@@ -77,7 +77,7 @@ You are highly advised to [read about storing configuration files](#storing-conf
Use this command if you've installed GitLab with the Omnibus package:
```sh
sudo gitlab-rake gitlab:backup:create
sudo gitlab-backup create
```
Use this if you've installed GitLab from source:
......@@ -89,7 +89,7 @@ sudo -u git -H bundle exec rake gitlab:backup:create RAILS_ENV=production
If you are running GitLab within a Docker container, you can run the backup from the host:
```sh
docker exec -t <container name> gitlab-rake gitlab:backup:create
docker exec -t <container name> gitlab-backup create
```
If you are using the [GitLab helm chart](https://gitlab.com/charts/gitlab) on a
......@@ -199,7 +199,7 @@ To use the `copy` strategy instead of the default streaming strategy, specify
`STRATEGY=copy` in the Rake task command. For example:
```sh
sudo gitlab-rake gitlab:backup:create STRATEGY=copy
sudo gitlab-backup create STRATEGY=copy
```
### Backup filename
......@@ -207,7 +207,7 @@ sudo gitlab-rake gitlab:backup:create STRATEGY=copy
By default a backup file is created according to the specification in [the Backup timestamp](#backup-timestamp) section above. You can however override the `[TIMESTAMP]` part of the filename by setting the `BACKUP` environment variable. For example:
```sh
sudo gitlab-rake gitlab:backup:create BACKUP=dump
sudo gitlab-backup create BACKUP=dump
```
The resulting file will then be `dump_gitlab_backup.tar`. This is useful for systems that make use of rsync and incremental backups, and will result in considerably faster transfer speeds.
......@@ -219,7 +219,7 @@ To make sure the generated archive is intelligently transferable by rsync, the `
Note that the `--rsyncable` option in `gzip` is not guaranteed to be available on all distributions. To verify that it is available in your distribution you can run `gzip --help` or consult the man pages.
```sh
sudo gitlab-rake gitlab:backup:create BACKUP=dump GZIP_RSYNCABLE=yes
sudo gitlab-backup create BACKUP=dump GZIP_RSYNCABLE=yes
```
### Excluding specific directories from the backup
......@@ -244,7 +244,7 @@ will be skipped during a backup.
For Omnibus GitLab packages:
```sh
sudo gitlab-rake gitlab:backup:create SKIP=db,uploads
sudo gitlab-backup create SKIP=db,uploads
```
For installations from source:
......@@ -448,8 +448,8 @@ Note: This option only works for remote storage. If you want to group your backu
you can pass a `DIRECTORY` environment variable:
```
sudo gitlab-rake gitlab:backup:create DIRECTORY=daily
sudo gitlab-rake gitlab:backup:create DIRECTORY=weekly
sudo gitlab-backup create DIRECTORY=daily
sudo gitlab-backup create DIRECTORY=weekly
```
### Uploading to locally mounted shares
......@@ -566,7 +566,7 @@ crontab -e
There, add the following line to schedule the backup for everyday at 2 AM:
```
0 2 * * * /opt/gitlab/bin/gitlab-rake gitlab:backup:create CRON=1
0 2 * * * /opt/gitlab/bin/gitlab-backup create CRON=1
```
You may also want to set a limited lifetime for backups to prevent regular
......@@ -726,7 +726,7 @@ restore:
```shell
# This command will overwrite the contents of your GitLab database!
sudo gitlab-rake gitlab:backup:restore BACKUP=1493107454_2018_04_25_10.6.4-ce
sudo gitlab-backup restore BACKUP=1493107454_2018_04_25_10.6.4-ce
```
Next, restore `/etc/gitlab/gitlab-secrets.json` if necessary as mentioned above.
......@@ -760,7 +760,7 @@ backup location (default location is `/var/opt/gitlab/backups`).
For docker installations, the restore task can be run from host:
```sh
docker exec -it <name of container> gitlab-rake gitlab:backup:restore
docker exec -it <name of container> gitlab-backup restore
```
The GitLab helm chart uses a different process, documented in
......@@ -966,7 +966,7 @@ want to run the chown against your custom location instead of
While running the backup, you may receive a gzip error:
```sh
sudo /opt/gitlab/bin/gitlab-rake gitlab:backup:create
sudo /opt/gitlab/bin/gitlab-backup create
Dumping ...
...
gzip: stdout: Input/output error
......
......@@ -53,3 +53,8 @@ sudo gitlab-rake gitlab:web_hook:list NAMESPACE=acme
# source installations
bundle exec rake gitlab:web_hook:list NAMESPACE=acme RAILS_ENV=production
```
## Local requests in webhooks
[Requests to local network by webhooks](../security/webhooks.md) can be allowed
or blocked by an administrator.
......@@ -45,6 +45,36 @@ NOTE: **Note:**
set up by administrators. However, you can turn this off by disabling the
**Allow requests to the local network from system hooks** option.
## Whitelist for local requests
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/44496) in GitLab 12.2
You can allow certain domains and IP addresses to be accessible to both *system hooks*
and *webhooks* even when local requests are not allowed by adding them to the
whitelist. Navigate to **Admin Area > Settings > Network** (`/admin/application_settings/network`)
and expand **Outbound requests**:
![Outbound local requests whitelist](img/whitelist.png)
The whilelist entries can be separated by semicolons, commas or whitespaces
(including newlines) and be in different formats like hostnames, IP addresses and/or
IP ranges. IPv6 is supported. Hostnames that contain unicode characters should
use IDNA encoding.
The whitelist can hold a maximum of 1000 entries. Each entry can be a maximum of
255 characters.
Example:
```text
example.com;gitlab.example.com
127.0.0.1,1:0:0:0:0:0:0:1
127.0.0.0/8 1:0:0:0:0:0:0:0/124
```
NOTE: **Note:**
Wildcards (`*.example.com`) and ports (`127.0.0.1:3000`) are not currently supported.
<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
......
......@@ -644,6 +644,11 @@ X-Gitlab-Event: System Hook
}
```
## Local requests in system hooks
[Requests to local network by system hooks](../security/webhooks.md) can be allowed
or blocked by an administrator.
<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
......
......@@ -272,7 +272,7 @@ The **Logs** page provides access to the following log files:
| Log file | Contents |
| :---------------------- | :------- |
| `application.log` | GitLab user activity |
| `githost.log` | Failed GitLab interaction with Git repositories |
| `git_json.log` | Failed GitLab interaction with Git repositories |
| `production.log` | Requests received from Unicorn, and the actions taken to serve those requests |
| `sidekiq.log` | Background jobs |
| `repocheck.log` | Repository activity |
......
......@@ -34,11 +34,13 @@ This configuration option sets the email hostname for [private commit emails](..
In order to change this option:
1. Go to **Admin area > Settings** (`/admin/application_settings`).
1. Under the **Email** section, change the **Custom hostname (for private commit emails)** field.
1. Hit **Save** for the changes to take effect.
1. Go to **Admin Area > Settings > Preferences** (`/admin/application_settings/preferences`).
1. Expand the **Email** section.
1. Enter the desire hostname in the **Custom hostname (for private commit emails)** field.
1. Click **Save changes**.
NOTE: **Note**: Once the hostname gets configured, every private commit email using the previous hostname, will not get
NOTE: **Note:**
Once the hostname gets configured, every private commit email using the previous hostname, will not get
recognized by GitLab. This can directly conflict with certain [Push rules](../../../push_rules/push_rules.md) such as
`Check whether author is a GitLab user` and `Check whether committer is the current authenticated user`.
......
......@@ -17,19 +17,19 @@ This is achieved by implementing the [common API](https://gitlab.com/gitlab-org/
SAST supports the following official analyzers:
- [Bandit](https://gitlab.com/gitlab-org/security-products/analyzers/bandit)
- [Brakeman](https://gitlab.com/gitlab-org/security-products/analyzers/brakeman)
- [ESLint (Javascript)](https://gitlab.com/gitlab-org/security-products/analyzers/eslint)
- [SpotBugs with the Find Sec Bugs plugin (Ant, Gradle and wrapper, Grails, Maven and wrapper, SBT)](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs)
- [Flawfinder](https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder)
- [Gosec](https://gitlab.com/gitlab-org/security-products/analyzers/gosec)
- [NodeJsScan](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan)
- [PHP CS security-audit](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit)
- [Secrets (Gitleaks, TruffleHog & Diffence secret detectors)](https://gitlab.com/gitlab-org/security-products/analyzers/secrets)
- [Security Code Scan (.NET)](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan)
- [TSLint (Typescript)](https://gitlab.com/gitlab-org/security-products/analyzers/tslint)
- [Sobelow (Elixir Phoenix)](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow)
- [PMD (Apex only)](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex)
- [`bandit`](https://gitlab.com/gitlab-org/security-products/analyzers/bandit) (Bandit)
- [`brakeman`](https://gitlab.com/gitlab-org/security-products/analyzers/brakeman) (Brakeman)
- [`eslint`](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) (ESLint (Javascript))
- [`flawfinder`](https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder) (Flawfinder)
- [`gosec`](https://gitlab.com/gitlab-org/security-products/analyzers/gosec) (Gosec)
- [`nodejs-scan`](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan) (NodeJsScan)
- [`phpcs-security-audit`](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit) (PHP CS security-audit)
- [`pmd-apex`](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex) (PMD (Apex only))
- [`secrets`](https://gitlab.com/gitlab-org/security-products/analyzers/secrets) (Secrets (Gitleaks, TruffleHog & Diffence secret detectors))
- [`security-code-scan`](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan) (Security Code Scan (.NET))
- [`sobelow`](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow) (Sobelow (Elixir Phoenix))
- [`spotbugs`](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) (SpotBugs with the Find Sec Bugs plugin (Ant, Gradle and wrapper, Grails, Maven and wrapper, SBT))
- [`tslint`](https://gitlab.com/gitlab-org/security-products/analyzers/tslint) (TSLint (Typescript))
The analyzers are published as Docker images that SAST will use to launch
dedicated containers for each analysis.
......
......@@ -438,7 +438,7 @@ NOTE: **Note:**
Environment-specific resources are only created if your cluster is [managed by GitLab](#gitlab-managed-clusters).
NOTE: **Note:**
If your project was created before GitLab 12.2 it will use a single namespace for all project environments.
If your cluster was created before GitLab 12.2, it will use a single namespace for all project environments.
#### Security of GitLab Runners
......@@ -652,6 +652,9 @@ NOTE: **NOTE:**
Prior to GitLab 11.5, `KUBE_TOKEN` was the Kubernetes token of the main
service account of the cluster integration.
NOTE: **Note:**
If your cluster was created before GitLab 12.2, default `KUBE_NAMESPACE` will be set to `<project_name>-<project_id>`.
### Troubleshooting
Before the deployment jobs starts, GitLab creates the following specifically for
......
......@@ -1090,6 +1090,7 @@ module API
end
class Label < LabelBasic
with_options if: lambda { |_, options| options[:with_counts] } do
expose :open_issues_count do |label, options|
label.open_issues_count(options[:current_user])
end
......@@ -1101,6 +1102,7 @@ module API
expose :open_merge_requests_count do |label, options|
label.open_merge_requests_count(options[:current_user])
end
end
expose :subscribed do |label, options|
label.subscribed?(options[:current_user], options[:parent])
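Review bot: The count fields inside the new `with_options if: lambda { |_, options| options[:with_counts] }` block are emitted only when the caller passes a truthy `with_counts`. The `params do` hunks for `get ':id/labels'` declare that parameter with `default: false`, so clients that read `open_issues_count` or `open_merge_requests_count` from the list response lose those fields unless they opt in. Any other call site that presents this entity without forwarding `with_counts` would drop them too; those call sites are not visible here, and the class body continues outside the hunks. I would state the contract above the block, e.g. `# Counts are opt-in: present with with_counts: true to include them.`, and record the default change in the API changelog.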
......
......@@ -16,6 +16,8 @@ module API
success Entities::GroupLabel
end
params do
optional :with_counts, type: Boolean, default: false,
desc: 'Include issue and merge request counts'
use :pagination
end
get ':id/labels' do
......
......@@ -19,7 +19,11 @@ module API
end
def get_labels(parent, entity)
present paginate(available_labels_for(parent)), with: entity, current_user: current_user, parent: parent
present paginate(available_labels_for(parent)),
with: entity,
current_user: current_user,
parent: parent,
with_counts: params[:with_counts]
end
def create_label(parent, entity)
......
......@@ -489,32 +489,6 @@ module API
desc: 'The ID of a transition that moves issues to a closed state. You can find this number under the Jira workflow administration (**Administration > Issues > Workflows**) by selecting **View** under **Operations** of the desired workflow of your project. The ID of each state can be found inside the parenthesis of each transition name under the **Transitions (id)** column ([see screenshot][trans]). By default, this ID is set to `2`'
}
],
'kubernetes' => [
{
required: true,
name: :namespace,
type: String,
desc: 'The Kubernetes namespace to use'
},
{
required: true,
name: :api_url,
type: String,
desc: 'The URL to the Kubernetes cluster API, e.g., https://kubernetes.example.com'
},
{
required: true,
name: :token,
type: String,
desc: 'The service token to authenticate against the Kubernetes cluster with'
},
{
required: false,
name: :ca_pem,
type: String,
desc: 'A custom certificate authority bundle to verify the Kubernetes cluster with (PEM format)'
}
],
'mattermost-slash-commands' => [
{
required: true,
......@@ -739,7 +713,6 @@ module API
::HipchatService,
::IrkerService,
::JiraService,
::KubernetesService,
::MattermostSlashCommandsService,
::SlackSlashCommandsService,
::PackagistService,
......
......@@ -15,6 +15,8 @@ module API
success Entities::ProjectLabel
end
params do
optional :with_counts, type: Boolean, default: false,
desc: 'Include issue and merge request counts'
use :pagination
end
get ':id/labels' do
......
......@@ -3,7 +3,7 @@
module Gitlab
class GitLogger < JsonLogger
def self.file_name_noext
'githost'
'git_json'
end
end
end
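Review bot: Returning `'git_json'` from `file_name_noext` moves this logger's output to a different file, so anything that tails or ships `githost.log` (log forwarders, alerting rules, rotation config) will stop receiving these events without any error. The hunk does not show whether the old file is still written or documented as retired. I would add a comment above the method, `# Renamed from githost.log; update log shipping and alerting that still watch the old file`, and mention the rename in the logging documentation and changelog.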
......@@ -36,6 +36,7 @@ module Gitlab
description: description_for(release),
created_at: release.created_at,
updated_at: release.updated_at,
released_at: release.published_at,
project_id: project.id
}
end
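Review bot: `released_at: release.published_at` copies the GitHub value unchecked, and GitHub returns a null `published_at` for draft releases. If `released_at` is required on the GitLab side (not visible here), such a release could fail the import or be stored without a release date. A fallback such as `released_at: release.published_at || release.created_at` keeps the hash complete. The accompanying spec only covers a release whose `published_at` is set. The enclosing method starts above the hunk.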
......
......@@ -325,10 +325,6 @@ FactoryBot.define do
jira_service
end
factory :kubernetes_project, parent: :project do
kubernetes_service
end
factory :mock_deployment_project, parent: :project do
mock_deployment_service
end
......
......@@ -16,18 +16,6 @@ FactoryBot.define do
)
end
factory :kubernetes_service do
project
type 'KubernetesService'
active true
properties({
api_url: 'https://kubernetes.example.com',
token: 'a' * 40
})
skip_deprecation_validation true
end
factory :mock_deployment_service do
project
type 'MockDeploymentService'
......
......@@ -11,7 +11,7 @@ describe 'Admin browses logs' do
visit admin_logs_path
expect(page).to have_link 'application.log'
expect(page).to have_link 'githost.log'
expect(page).to have_link 'git_json.log'
expect(page).to have_link 'test.log'
expect(page).to have_link 'sidekiq.log'
expect(page).to have_link 'repocheck.log'
......
{
"type": "array",
"items": {
"type": "object",
"properties" : {
"id" : { "type": "integer" },
"name" : { "type": "string "},
"color" : { "type": "string "},
"text_color" : { "type": "string "},
"description" : { "type": "string "},
"open_issues_count" : { "type": "integer "},
"closed_issues_count" : { "type": "integer "},
"open_merge_requests_count" : { "type": "integer "},
"subscribed" : { "type": "boolean" },
"priority" : { "type": "null" }
},
"additionalProperties": false
}
}
{
"type": "object",
"properties": {
"id": { "type": "integer" },
"name": { "type": "string" },
"color": { "type": "string" },
"text_color": { "type": "string" },
"description": { "type": ["string", "null"] },
"subscribed": { "type": "boolean" }
}
}
{
"type": "object",
"properties": {
"allOf": [
{ "$ref": "label.json" },
{
"type": "object",
"properties": {
"open_issues_count": { "type": "integer" },
"closed_issues_count": { "type": "integer" },
"open_merge_requests_count": { "type": "integer" }
}
}
]
}
}
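Review bot: `allOf` is nested inside `properties` here, so a validator reads it as the definition of a property literally named `allOf` rather than as a schema combinator, and neither the `$ref` to `label.json` nor the three count fields are applied to the response. In practice any JSON object without an `allOf` key passes, which leaves the `match_schema('public_api/v4/labels/label_with_counts')` assertions in the specs checking almost nothing. The two schemas that follow (the one adding `priority` and `is_project_label`, and the one combining both `$ref`s) repeat the pattern. Hoisting the keyword to the top level, `{ "allOf": [ { "$ref": "label.json" }, { "type": "object", "properties": { ... } } ] }`, makes the validation take effect, and adding `required` lists would also catch a missing field.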
{
"type": "object",
"properties": {
"allOf": [
{ "$ref": "label.json" },
{
"type": "object",
"properties": {
"priority": { "type": ["integer", "null"] },
"is_project_label": { "type": "boolean" }
}
}
]
}
}
{
"type": "object",
"properties": {
"allOf": [
{ "$ref": "project_label.json" },
{ "$ref": "label_with_counts.json" }
]
}
}
......@@ -31,13 +31,6 @@ describe('Tracking', () => {
expect(snowplowSpy).not.toHaveBeenCalled();
});
it('skips tracking if ', () => {
window.snowplow = false;
Tracking.event('_category_', '_eventName_');
expect(snowplowSpy).not.toHaveBeenCalled();
});
});
describe('tracking interface events', () => {
......
......@@ -6,6 +6,7 @@ describe Gitlab::GithubImport::Importer::ReleasesImporter do
let(:importer) { described_class.new(project, client) }
let(:created_at) { Time.new(2017, 1, 1, 12, 00) }
let(:updated_at) { Time.new(2017, 1, 1, 12, 15) }
let(:released_at) { Time.new(2017, 1, 1, 12, 00) }
let(:release) do
double(
......@@ -13,7 +14,8 @@ describe Gitlab::GithubImport::Importer::ReleasesImporter do
tag_name: '1.0',
body: 'This is my release',
created_at: created_at,
updated_at: updated_at
updated_at: updated_at,
published_at: released_at
)
end
......@@ -23,7 +25,8 @@ describe Gitlab::GithubImport::Importer::ReleasesImporter do
tag_name: '1.0',
description: 'This is my release',
created_at: created_at,
updated_at: updated_at
updated_at: updated_at,
released_at: released_at
}
expect(importer).to receive(:build_releases).and_return([release_hash])
......
......@@ -277,7 +277,6 @@ project:
- bugzilla_service
- gitlab_issue_tracker_service
- external_wiki_service
- kubernetes_service
- mock_ci_service
- mock_deployment_service
- mock_monitoring_service
......
# frozen_string_literal: true
require 'spec_helper'
describe KubernetesService, :use_clean_rails_memory_store_caching do
include KubernetesHelpers
include ReactiveCachingHelpers
let(:project) { create(:kubernetes_project) }
let(:service) { create(:kubernetes_service, project: project) }
describe 'Associations' do
it { is_expected.to belong_to :project }
end
describe 'Validations' do
context 'when service is active' do
before do
subject.active = true
subject.skip_deprecation_validation = true
end
it { is_expected.not_to validate_presence_of(:namespace) }
it { is_expected.to validate_presence_of(:api_url) }
it { is_expected.to validate_presence_of(:token) }
context 'namespace format' do
before do
subject.project = project
subject.api_url = "http://example.com"
subject.token = "test"
end
{
'foo' => true,
'1foo' => true,
'foo1' => true,
'foo-bar' => true,
'-foo' => false,
'foo-' => false,
'a' * 63 => true,
'a' * 64 => false,
'a.b' => false,
'a*b' => false,
'FOO' => true
}.each do |namespace, validity|
it "validates #{namespace} as #{validity ? 'valid' : 'invalid'}" do
subject.namespace = namespace
expect(subject.valid?).to eq(validity)
end
end
end
end
context 'when service is inactive' do
before do
subject.project = project
subject.active = false
end
it { is_expected.not_to validate_presence_of(:api_url) }
it { is_expected.not_to validate_presence_of(:token) }
end
context 'with a deprecated service' do
let(:kubernetes_service) { create(:kubernetes_service) }
before do
kubernetes_service.update_attribute(:active, false)
kubernetes_service.skip_deprecation_validation = false
kubernetes_service.properties['namespace'] = "foo"
end
it 'does not update attributes' do
expect(kubernetes_service.save).to be_falsy
end
it 'includes an error with a deprecation message' do
kubernetes_service.valid?
expect(kubernetes_service.errors[:base].first).to match(/Kubernetes service integration has been disabled/)
end
end
context 'with an active and deprecated service' do
let(:kubernetes_service) { create(:kubernetes_service) }
before do
kubernetes_service.skip_deprecation_validation = false
kubernetes_service.active = false
kubernetes_service.properties['namespace'] = 'foo'
kubernetes_service.save
end
it 'deactivates the service' do
expect(kubernetes_service.active?).to be_falsy
end
it 'does not include a deprecation message as error' do
expect(kubernetes_service.errors.messages.count).to eq(0)
end
it 'updates attributes' do
expect(kubernetes_service.properties['namespace']).to eq("foo")
end
end
end
describe '#initialize_properties' do
context 'without a project' do
it 'leaves the namespace unset' do
expect(described_class.new.namespace).to be_nil
end
end
end
describe '#fields' do
let(:kube_namespace) do
subject.fields.find { |h| h[:name] == 'namespace' }
end
context 'as template' do
before do
subject.template = true
end
it 'sets the namespace to the default' do
expect(kube_namespace).not_to be_nil
expect(kube_namespace[:placeholder]).to eq(subject.class::TEMPLATE_PLACEHOLDER)
end
end
context 'with associated project' do
before do
subject.project = project
end
it 'sets the namespace to the default' do
expect(kube_namespace).not_to be_nil
expect(kube_namespace[:placeholder]).to match(/\A#{Gitlab::PathRegex::PATH_REGEX_STR}-\d+\z/)
end
end
end
describe "#deprecated?" do
let(:kubernetes_service) { create(:kubernetes_service) }
it 'returns true' do
expect(kubernetes_service.deprecated?).to be_truthy
end
end
describe "#deprecation_message" do
let(:kubernetes_service) { create(:kubernetes_service) }
it 'indicates the service is deprecated' do
expect(kubernetes_service.deprecation_message).to match(/Kubernetes service integration has been disabled/)
end
context 'if the service is not active' do
it 'returns a message' do
kubernetes_service.update_attribute(:active, false)
expect(kubernetes_service.deprecation_message).to match(/Fields on this page are not used by GitLab/)
end
end
end
end
......@@ -14,12 +14,25 @@ describe API::GroupLabels do
get api("/groups/#{group.id}/labels", user)
expect(response).to have_gitlab_http_status(200)
expect(response).to match_response_schema('public_api/v4/group_labels')
expect(response).to include_pagination_headers
expect(json_response).to be_an Array
expect(json_response).to all(match_schema('public_api/v4/labels/label'))
expect(json_response.size).to eq(2)
expect(json_response.map {|r| r['name'] }).to contain_exactly('feature', 'bug')
end
context 'when the with_counts parameter is set' do
it 'includes counts in the response' do
get api("/groups/#{group.id}/labels", user), params: { with_counts: true }
expect(response).to have_gitlab_http_status(200)
expect(response).to include_pagination_headers
expect(json_response).to be_an Array
expect(json_response).to all(match_schema('public_api/v4/labels/label_with_counts'))
expect(json_response.size).to eq(2)
expect(json_response.map { |r| r['open_issues_count'] }).to contain_exactly(0, 0)
end
end
end
describe 'POST /groups/:id/labels' do
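Review bot: The new `with_counts` example asserts `contain_exactly(0, 0)` for `open_issues_count` without creating any labeled issue, so it would still pass if the counts were never computed. I would add a labeled issue in a `before` block, as the project labels spec in this commit does, and expect a non-zero count for that label. Since the entity passes `current_user` to the count methods, a case with a user who cannot see a confidential issue would also pin down that the counts do not reveal it; whether that is covered elsewhere is not visible here.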
......
......@@ -11,65 +11,76 @@ describe API::Labels do
end
describe 'GET /projects/:id/labels' do
let(:group) { create(:group) }
let!(:group_label) { create(:group_label, title: 'feature', group: group) }
before do
project.update!(group: group)
end
it 'returns all available labels to the project' do
group = create(:group)
group_label = create(:group_label, title: 'feature', group: group)
project.update(group: group)
get api("/projects/#{project.id}/labels", user)
expect(response).to have_gitlab_http_status(200)
expect(response).to include_pagination_headers
expect(json_response).to all(match_schema('public_api/v4/labels/project_label'))
expect(json_response.size).to eq(3)
expect(json_response.map { |l| l['name'] }).to match_array([group_label.name, priority_label.name, label1.name])
end
context 'when the with_counts parameter is set' do
before do
create(:labeled_issue, project: project, labels: [group_label], author: user)
create(:labeled_issue, project: project, labels: [label1], author: user, state: :closed)
create(:labeled_merge_request, labels: [priority_label], author: user, source_project: project )
end
expected_keys = %w(
id name color text_color description
open_issues_count closed_issues_count open_merge_requests_count
subscribed priority is_project_label
)
get api("/projects/#{project.id}/labels", user)
it 'includes counts in the response' do
get api("/projects/#{project.id}/labels", user), params: { with_counts: true }
expect(response).to have_gitlab_http_status(200)
expect(response).to include_pagination_headers
expect(json_response).to be_an Array
expect(json_response).to all(match_schema('public_api/v4/labels/project_label_with_counts'))
expect(json_response.size).to eq(3)
expect(json_response.first.keys).to match_array expected_keys
expect(json_response.map { |l| l['name'] }).to match_array([group_label.name, priority_label.name, label1.name])
label1_response = json_response.find { |l| l['name'] == label1.title }
group_label_response = json_response.find { |l| l['name'] == group_label.title }
priority_label_response = json_response.find { |l| l['name'] == priority_label.title }
expect(label1_response['open_issues_count']).to eq(0)
expect(label1_response['closed_issues_count']).to eq(1)
expect(label1_response['open_merge_requests_count']).to eq(0)
expect(label1_response['name']).to eq(label1.name)
expect(label1_response['color']).to be_present
expect(label1_response['text_color']).to be_present
expect(label1_response['description']).to be_nil
expect(label1_response['priority']).to be_nil
expect(label1_response['subscribed']).to be_falsey
expect(label1_response['is_project_label']).to be_truthy
expect(group_label_response['open_issues_count']).to eq(1)
expect(group_label_response['closed_issues_count']).to eq(0)
expect(group_label_response['open_merge_requests_count']).to eq(0)
expect(group_label_response['name']).to eq(group_label.name)
expect(group_label_response['color']).to be_present
expect(group_label_response['text_color']).to be_present
expect(group_label_response['description']).to be_nil
expect(group_label_response['priority']).to be_nil
expect(group_label_response['subscribed']).to be_falsey
expect(group_label_response['is_project_label']).to be_falsey
expect(priority_label_response['open_issues_count']).to eq(0)
expect(priority_label_response['closed_issues_count']).to eq(0)
expect(priority_label_response['open_merge_requests_count']).to eq(1)
expect(priority_label_response['name']).to eq(priority_label.name)
expect(priority_label_response['color']).to be_present
expect(priority_label_response['text_color']).to be_present
expect(priority_label_response['description']).to be_nil
expect(priority_label_response['priority']).to eq(3)
expect(priority_label_response['subscribed']).to be_falsey
expect(priority_label_response['is_project_label']).to be_truthy
expect(label1_response).to include('open_issues_count' => 0,
'closed_issues_count' => 1,
'open_merge_requests_count' => 0,
'name' => label1.name,
'description' => nil,
'color' => a_string_matching(/^#\h{6}$/),
'text_color' => a_string_matching(/^#\h{6}$/),
'priority' => nil,
'subscribed' => false,
'is_project_label' => true)
expect(group_label_response).to include('open_issues_count' => 1,
'closed_issues_count' => 0,
'open_merge_requests_count' => 0,
'name' => group_label.name,
'description' => nil,
'color' => a_string_matching(/^#\h{6}$/),
'text_color' => a_string_matching(/^#\h{6}$/),
'priority' => nil,
'subscribed' => false,
'is_project_label' => false)
expect(priority_label_response).to include('open_issues_count' => 0,
'closed_issues_count' => 0,
'open_merge_requests_count' => 1,
'name' => priority_label.name,
'description' => nil,
'color' => a_string_matching(/^#\h{6}$/),
'text_color' => a_string_matching(/^#\h{6}$/),
'priority' => 3,
'subscribed' => false,
'is_project_label' => true)
end
end
end
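Review bot: The colour matchers in the `with_counts` example use `/^#\h{6}$/`, and in Ruby `^` and `$` anchor at line boundaries rather than at the ends of the string, so a multi-line value containing one `#rrggbb` line would still satisfy them. Using `a_string_matching(/\A#\h{6}\z/)` for all six `color` and `text_color` entries pins the whole value. The same habit matters more in validation code, so it is worth keeping the specs consistent with it.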
......
......@@ -10,10 +10,7 @@ describe API::Services do
end
Service.available_services_names.each do |service|
# TODO: Remove below `if: (service != "kubernetes")` in the next release
# KubernetesService was deprecated and it can't be updated. Right now it's
# only readable. It should be completely removed in the next iteration.
describe "PUT /projects/:id/services/#{service.dasherize}", if: (service != "kubernetes") do
describe "PUT /projects/:id/services/#{service.dasherize}" do
include_context service
it "updates #{service} settings" do
......@@ -62,10 +59,7 @@ describe API::Services do
end
end
# TODO: Remove below `if: (service != "kubernetes")` in the next release
# KubernetesService was deprecated and it can't be updated. Right now it's
# only readable. It should be completely removed in the next iteration.
describe "DELETE /projects/:id/services/#{service.dasherize}", if: (service != "kubernetes") do
describe "DELETE /projects/:id/services/#{service.dasherize}" do
include_context service
before do
......