Commit a27b2e45 authored by Steve Abrams's avatar Steve Abrams

Container policy past projects application setting

Add container_expiration_policies_enable_historic_entries to
application settings.
parent 669d3c3f
...@@ -184,6 +184,7 @@ module ApplicationSettingsHelper ...@@ -184,6 +184,7 @@ module ApplicationSettingsHelper
:authorized_keys_enabled, :authorized_keys_enabled,
:auto_devops_enabled, :auto_devops_enabled,
:auto_devops_domain, :auto_devops_domain,
:container_expiration_policies_enable_historic_entries,
:container_registry_token_expire_delay, :container_registry_token_expire_delay,
:default_artifacts_expire_in, :default_artifacts_expire_in,
:default_branch_protection, :default_branch_protection,
......
...@@ -142,6 +142,9 @@ class ApplicationSetting < ApplicationRecord ...@@ -142,6 +142,9 @@ class ApplicationSetting < ApplicationRecord
validates :default_artifacts_expire_in, presence: true, duration: true validates :default_artifacts_expire_in, presence: true, duration: true
validates :container_expiration_policies_enable_historic_entries,
inclusion: { in: [true, false], message: 'must be a boolean value' }
validates :container_registry_token_expire_delay, validates :container_registry_token_expire_delay,
presence: true, presence: true,
numericality: { only_integer: true, greater_than: 0 } numericality: { only_integer: true, greater_than: 0 }
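Review bot: The inclusion check on `container_expiration_policies_enable_historic_entries` probably only rejects `nil`, because ActiveRecord casts a boolean attribute before validations run, so a non-boolean string submitted for this field would normally be stored as `true` rather than fail with 'must be a boolean value'. Since `true` is the state the help text in this commit warns about for external registries, it is worth confirming that the API and form layers type this parameter strictly. A short comment above the validation, for example `# Values are cast to boolean before validation; this guards the NOT NULL column against nil`, would keep the intent clear. The hunk shows only part of the class body.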
......
...@@ -42,6 +42,7 @@ module ApplicationSettingImplementation ...@@ -42,6 +42,7 @@ module ApplicationSettingImplementation
asset_proxy_enabled: false, asset_proxy_enabled: false,
authorized_keys_enabled: true, # TODO default to false if the instance is configured to use AuthorizedKeysCommand authorized_keys_enabled: true, # TODO default to false if the instance is configured to use AuthorizedKeysCommand
commit_email_hostname: default_commit_email_hostname, commit_email_hostname: default_commit_email_hostname,
container_expiration_policies_enable_historic_entries: false,
container_registry_token_expire_delay: 5, container_registry_token_expire_delay: 5,
default_artifacts_expire_in: '30 days', default_artifacts_expire_in: '30 days',
default_branch_protection: Settings.gitlab['default_branch_protection'], default_branch_protection: Settings.gitlab['default_branch_protection'],
......
...@@ -5,5 +5,14 @@ ...@@ -5,5 +5,14 @@
.form-group .form-group
= f.label :container_registry_token_expire_delay, 'Authorization token duration (minutes)', class: 'label-bold' = f.label :container_registry_token_expire_delay, 'Authorization token duration (minutes)', class: 'label-bold'
= f.number_field :container_registry_token_expire_delay, class: 'form-control' = f.number_field :container_registry_token_expire_delay, class: 'form-control'
.form-group
.form-check
= f.check_box :container_expiration_policies_enable_historic_entries, class: 'form-check-input'
= f.label :container_expiration_policies_enable_historic_entries, class: 'form-check-label' do
= _("Enable container expiration and retention policies for projects created earlier than GitLab 12.7.")
= link_to icon('question-circle'), help_page_path('user/packages/container_registry/index', anchor: 'expiration-policy')
.form-text.text-muted
= _("Existing projects will be able to use expiration policies. Avoid enabling this if an external Container Registry is being used, as there is a performance risk if many images exist on one project.")
= link_to icon('question-circle'), help_page_path('user/packages/container_registry/index', anchor: 'use-with-external-container-registries')
= f.submit 'Save changes', class: "btn btn-success" = f.submit 'Save changes', class: "btn btn-success"
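Review bot: The checkbox label says `projects created earlier than GitLab 12.7.` while the changelog entry in this commit says `pre 12.8 projects` and the updated documentation says projects created before GitLab 12.8; the version in the label looks wrong, and the same string is repeated in the gettext catalogue hunk. An administrator deciding whether to turn this on needs the correct cut-off, so the label should read `... for projects created earlier than GitLab 12.8.` with the `msgid` regenerated to match. Separately, the external-registry warning is advisory only: nothing visible in this view ties the checkbox to whether an external registry is configured, so the protection against backed-up or failing cleanup jobs rests on the admin reading the help text.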
---
title: Add application setting to enable container expiration and retention policies
on pre 12.8 projects
merge_request: 28479
author:
type: added
# frozen_string_literal: true
class AddContainerExpirationPoliciesEnableHistoricEntriesToApplicationSettings < ActiveRecord::Migration[6.0]
include Gitlab::Database::MigrationHelpers
DOWNTIME = false
disable_ddl_transaction!
def up
add_column_with_default(:application_settings,
:container_expiration_policies_enable_historic_entries,
:boolean,
default: false,
allow_null: false)
end
def down
remove_column(:application_settings,
:container_expiration_policies_enable_historic_entries)
end
end
...@@ -397,7 +397,8 @@ CREATE TABLE public.application_settings ( ...@@ -397,7 +397,8 @@ CREATE TABLE public.application_settings (
email_restrictions text, email_restrictions text,
npm_package_requests_forwarding boolean DEFAULT true NOT NULL, npm_package_requests_forwarding boolean DEFAULT true NOT NULL,
namespace_storage_size_limit bigint DEFAULT 0 NOT NULL, namespace_storage_size_limit bigint DEFAULT 0 NOT NULL,
seat_link_enabled boolean DEFAULT true NOT NULL seat_link_enabled boolean DEFAULT true NOT NULL,
container_expiration_policies_enable_historic_entries boolean DEFAULT false NOT NULL
); );
CREATE SEQUENCE public.application_settings_id_seq CREATE SEQUENCE public.application_settings_id_seq
...@@ -12934,6 +12935,7 @@ COPY "schema_migrations" (version) FROM STDIN; ...@@ -12934,6 +12935,7 @@ COPY "schema_migrations" (version) FROM STDIN;
20200330121000 20200330121000
20200330123739 20200330123739
20200330132913 20200330132913
20200331195952
20200331220930 20200331220930
20200403184110 20200403184110
20200403185127 20200403185127
......
...@@ -516,6 +516,10 @@ on how to achieve that. ...@@ -516,6 +516,10 @@ on how to achieve that.
## Use an external container registry with GitLab as an auth endpoint ## Use an external container registry with GitLab as an auth endpoint
NOTE: **Note:**
In using an external container registry, some features associated with the
container registry may be unavailable or have [inherant risks](./../../user/packages/container_registry/index.md#use-with-external-container-registries)
**Omnibus GitLab** **Omnibus GitLab**
You can use GitLab as an auth endpoint with an external container registry. You can use GitLab as an auth endpoint with an external container registry.
......
...@@ -45,6 +45,7 @@ Example response: ...@@ -45,6 +45,7 @@ Example response:
"default_group_visibility" : "private", "default_group_visibility" : "private",
"gravatar_enabled" : true, "gravatar_enabled" : true,
"sign_in_text" : null, "sign_in_text" : null,
"container_expiration_policies_enable_historic_entries": true,
"container_registry_token_expire_delay": 5, "container_registry_token_expire_delay": 5,
"repository_storages": ["default"], "repository_storages": ["default"],
"plantuml_enabled": false, "plantuml_enabled": false,
......
...@@ -61,7 +61,7 @@ Access the default page for admin area settings by navigating to ...@@ -61,7 +61,7 @@ Access the default page for admin area settings by navigating to
| ------ | ----------- | | ------ | ----------- |
| [Continuous Integration and Deployment](continuous_integration.md) | Auto DevOps, runners and job artifacts. | | [Continuous Integration and Deployment](continuous_integration.md) | Auto DevOps, runners and job artifacts. |
| [Required pipeline configuration](continuous_integration.md#required-pipeline-configuration-premium-only) **(PREMIUM ONLY)** | Set an instance-wide auto included [pipeline configuration](../../../ci/yaml/README.md). This pipeline configuration will be run after the project's own configuration. | | [Required pipeline configuration](continuous_integration.md#required-pipeline-configuration-premium-only) **(PREMIUM ONLY)** | Set an instance-wide auto included [pipeline configuration](../../../ci/yaml/README.md). This pipeline configuration will be run after the project's own configuration. |
| [Package Registry](continuous_integration.md#package-registry-configuration-premium-only) **(PREMIUM ONLY)**| Settings related to the use and experience of using GitLab's Package Registry. | | [Package Registry](continuous_integration.md#package-registry-configuration-premium-only) **(PREMIUM ONLY)**| Settings related to the use and experience of using GitLab's Package Registry. Note there are [risks involved](./../../packages/container_registry/index.md#use-with-external-container-registries) in enabling some of these settings. |
## Reporting ## Reporting
......
...@@ -488,7 +488,9 @@ older tags and images are regularly removed from the Container Registry. ...@@ -488,7 +488,9 @@ older tags and images are regularly removed from the Container Registry.
> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/15398) in GitLab 12.8. > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/15398) in GitLab 12.8.
NOTE: **Note:** NOTE: **Note:**
Expiration policies are only available for projects created in GitLab 12.8 and later. Expiration policies for projects created before GitLab 12.8 may be enabled by an
admin in the [CI/CD Package Registry settings](./../../admin_area/settings/index.md#cicd).
Note the inherant [risks involved](./index.md#use-with-external-container-registries).
It is possible to create a per-project expiration policy, so that you can make sure that It is possible to create a per-project expiration policy, so that you can make sure that
older tags and images are regularly removed from the Container Registry. older tags and images are regularly removed from the Container Registry.
...@@ -539,6 +541,15 @@ Examples: ...@@ -539,6 +541,15 @@ Examples:
See the API documentation for further details: [Edit project](../../../api/projects.md#edit-project). See the API documentation for further details: [Edit project](../../../api/projects.md#edit-project).
### Use with external container registries
When using an [external container registry](./../../../administration/packages/container_registry.md#use-an-external-container-registry-with-gitlab-as-an-auth-endpoint),
running an experation policy on a project may have some performance risks. If a project is going to run
a policy that will remove large quantities of tags (in the thousands), the GitLab background jobs that
run the policy may get backed up or fail completely. It is recommended you only enable container expiration
policies for projects that were created before GitLab 12.8 if you are confident the amount of tags
being cleaned up will be minimal.
## Limitations ## Limitations
Moving or renaming existing Container Registry repositories is not supported Moving or renaming existing Container Registry repositories is not supported
......
...@@ -7529,6 +7529,9 @@ msgstr "" ...@@ -7529,6 +7529,9 @@ msgstr ""
msgid "Enable classification control using an external service" msgid "Enable classification control using an external service"
msgstr "" msgstr ""
msgid "Enable container expiration and retention policies for projects created earlier than GitLab 12.7."
msgstr ""
msgid "Enable email restrictions for sign ups" msgid "Enable email restrictions for sign ups"
msgstr "" msgstr ""
...@@ -8348,6 +8351,9 @@ msgstr "" ...@@ -8348,6 +8351,9 @@ msgstr ""
msgid "Existing members and groups" msgid "Existing members and groups"
msgstr "" msgstr ""
msgid "Existing projects will be able to use expiration policies. Avoid enabling this if an external Container Registry is being used, as there is a performance risk if many images exist on one project."
msgstr ""
msgid "Existing shares" msgid "Existing shares"
msgstr "" msgstr ""
......
...@@ -34,6 +34,10 @@ describe ApplicationSetting do ...@@ -34,6 +34,10 @@ describe ApplicationSetting do
it { is_expected.to allow_value("dev.gitlab.com").for(:commit_email_hostname) } it { is_expected.to allow_value("dev.gitlab.com").for(:commit_email_hostname) }
it { is_expected.not_to allow_value("@dev.gitlab").for(:commit_email_hostname) } it { is_expected.not_to allow_value("@dev.gitlab").for(:commit_email_hostname) }
it { is_expected.to allow_value(true).for(:container_expiration_policies_enable_historic_entries) }
it { is_expected.to allow_value(false).for(:container_expiration_policies_enable_historic_entries) }
it { is_expected.not_to allow_value(nil).for(:container_expiration_policies_enable_historic_entries) }
it { is_expected.to allow_value("myemail@gitlab.com").for(:lets_encrypt_notification_email) } it { is_expected.to allow_value("myemail@gitlab.com").for(:lets_encrypt_notification_email) }
it { is_expected.to allow_value(nil).for(:lets_encrypt_notification_email) } it { is_expected.to allow_value(nil).for(:lets_encrypt_notification_email) }
it { is_expected.not_to allow_value("notanemail").for(:lets_encrypt_notification_email) } it { is_expected.not_to allow_value("notanemail").for(:lets_encrypt_notification_email) }
......