Add option to disable seperated caches

Changelog: added Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/361643

Add option to disable seperated caches
daccb0b3 · Niklas · Ethan Urie · b19e6b55 · daccb0b3 · daccb0b3
Commit daccb0b3 authored 2 years ago by Niklas Committed by Ethan Urie 2 years ago
--- a/app/controllers/projects/settings/ci_cd_controller.rb
+++ b/app/controllers/projects/settings/ci_cd_controller.rb
@@ -88,7 +88,7 @@ def update_params
      def permitted_project_params
        [
          :runners_token, :builds_enabled, :build_allow_git_fetch,
-          :build_timeout_human_readable, :public_builds,
+          :build_timeout_human_readable, :public_builds, :ci_separated_caches,
          :auto_cancel_pending_pipelines, :ci_config_path, :auto_rollback_enabled,
          auto_devops_attributes: [:id, :domain, :enabled, :deploy_strategy],
          ci_cd_settings_attributes: [:default_git_depth, :forward_deployment_enabled]

--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -464,6 +464,7 @@ def project_params_attributes
      :initialize_with_sast,
      :initialize_with_readme,
      :autoclose_referenced_issues,
+      :ci_separated_caches,
      :suggestion_commit_message,
      :packages_enabled,
      :service_desk_enabled,

--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -909,6 +909,8 @@ def cache
        end
      end
  
+      return cache unless project.ci_separated_caches
+
      type_suffix = pipeline.protected_ref? ? 'protected' : 'non_protected'
      cache.map do |entry|
        entry.merge(key: "#{entry[:key]}-#{type_suffix}")

--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -473,6 +473,7 @@ def self.integration_association_name(name)
  delegate :job_token_scope_enabled, :job_token_scope_enabled=, to: :ci_cd_settings, prefix: :ci, allow_nil: true
  delegate :keep_latest_artifact, :keep_latest_artifact=, to: :ci_cd_settings, allow_nil: true
  delegate :restrict_user_defined_variables, :restrict_user_defined_variables=, to: :ci_cd_settings, allow_nil: true
+  delegate :separated_caches, :separated_caches=, to: :ci_cd_settings, prefix: :ci, allow_nil: true
  delegate :runner_token_expiration_interval, :runner_token_expiration_interval=, :runner_token_expiration_interval_human_readable, :runner_token_expiration_interval_human_readable=, to: :ci_cd_settings, allow_nil: true
  delegate :actual_limits, :actual_plan_name, :actual_plan, to: :namespace, allow_nil: true
  delegate :allow_merge_on_skipped_pipeline, :allow_merge_on_skipped_pipeline?,

--- a/app/models/project_ci_cd_setting.rb
+++ b/app/models/project_ci_cd_setting.rb
@@ -18,6 +18,7 @@ class ProjectCiCdSetting < ApplicationRecord
    allow_nil: true
  
  default_value_for :forward_deployment_enabled, true
+  default_value_for :separated_caches, true
  
  chronic_duration_attr :runner_token_expiration_interval_human_readable, :runner_token_expiration_interval
  

--- a/app/views/projects/settings/ci_cd/_form.html.haml
+++ b/app/views/projects/settings/ci_cd/_form.html.haml
 - help_link_public_pipelines = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'change-which-users-can-view-your-pipelines'), target: '_blank', rel: 'noopener noreferrer'
 - help_link_auto_canceling = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'auto-cancel-redundant-pipelines'), target: '_blank', rel: 'noopener noreferrer'
- help_link_skip_outdated =link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'skip-outdated-deployment-jobs'), target: '_blank', rel: 'noopener noreferrer'
+- help_link_skip_outdated = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'skip-outdated-deployment-jobs'), target: '_blank', rel: 'noopener noreferrer'
+- help_link_separated_caches = link_to sprite_icon('question-o'), help_page_path('ci/caching/index', anchor: 'cache-key-names'), target: '_blank', rel: 'noopener noreferrer'
  
 .row.gl-mt-3
  .col-lg-12
@@ -24,6 +25,11 @@
            = form.gitlab_ui_checkbox_component :forward_deployment_enabled, _("Skip outdated deployment jobs"),
              help_text: (_('When a deployment job is successful, skip older deployment jobs that are still pending.') + ' ' + help_link_skip_outdated).html_safe
  
+        .form-group
+          = f.gitlab_ui_checkbox_component :ci_separated_caches,
+            s_("CICD|Use separate caches for protected branches"),
+            help_text: (s_('CICD|Unprotected branches will not have access to the cache from protected branches.') + ' ' + help_link_separated_caches).html_safe
+
        .form-group
          = f.label :ci_config_path, _('CI/CD configuration file'), class: 'label-bold'
          = f.text_field :ci_config_path, class: 'form-control', placeholder: '.gitlab-ci.yml'

--- a/db/migrate/20220507204024_add_separated_caches_option_to_project_ci_settings.rb
+++ b/db/migrate/20220507204024_add_separated_caches_option_to_project_ci_settings.rb
+# frozen_string_literal: true
+
+class AddSeparatedCachesOptionToProjectCiSettings < Gitlab::Database::Migration[2.0]
+  enable_lock_retries!
+
+  def change
+    add_column :project_ci_cd_settings, :separated_caches, :boolean, default: true, null: false
+  end
+end
--- a/db/schema_migrations/20220507204024
+++ b/db/schema_migrations/20220507204024
+8014dcf24ac2f1171240daa349e0552cb313b06f756b84e09a16d76a8810132a
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -19111,7 +19111,8 @@ CREATE TABLE project_ci_cd_settings (
    keep_latest_artifact boolean DEFAULT true NOT NULL,
    restrict_user_defined_variables boolean DEFAULT false NOT NULL,
    job_token_scope_enabled boolean DEFAULT false NOT NULL,
-    runner_token_expiration_interval integer
+    runner_token_expiration_interval integer,
+    separated_caches boolean DEFAULT true NOT NULL
 );
  
 CREATE SEQUENCE project_ci_cd_settings_id_seq
--- a/doc/ci/caching/index.md
+++ b/doc/ci/caching/index.md
@@ -30,7 +30,7 @@ can't link to files outside it.
 - Subsequent pipelines can use the cache.
 - Subsequent jobs in the same pipeline can use the cache, if the dependencies are identical.
 - Different projects cannot share the cache.
- Protected and non-protected branches do not share the cache.
+- By default, protected and non-protected branches [do not share the cache](#cache-key-names). However, you can [change this behavior](#use-the-same-cache-for-all-branches).
  
 ### Artifacts
  
@@ -460,6 +460,24 @@ and `feature`, then the following table represents the resulting cache keys:
 | `main`      | `main-protected` |
 | `feature`   | `feature-non_protected` |
  
+##### Use the same cache for all branches
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/361643) in GitLab 15.0.
+
+If you do not want to use [cache key names](#cache-key-names),
+you can have all branches (protected and unprotected) use the same cache.
+
+The cache separation with [cache key names](#cache-key-names) is a security feature
+and should only be disabled in an environment where all users with Developer role are highly trusted.
+
+To use the same cache for all branches:
+
+1. On the top bar, select **Menu > Projects** and find your project.
+1. On the left sidebar, select **Settings > CI/CD**.
+1. Expand **General pipelines**.
+1. Clear the **Use separate caches for protected branches** checkbox.
+1. Select **Save changes**.
+
 ### How archiving and extracting works
  
 This example shows two jobs in two consecutive stages:

--- a/lib/api/entities/project.rb
+++ b/lib/api/entities/project.rb
@@ -103,6 +103,7 @@ class Project < BasicProjectDetails
      expose :ci_default_git_depth
      expose :ci_forward_deployment_enabled
      expose :ci_job_token_scope_enabled
+      expose :ci_separated_caches
      expose :public_builds, as: :public_jobs
      expose :build_git_strategy, if: lambda { |project, options| options[:user_can_admin_project] } do |project, options|
        project.build_allow_git_fetch ? 'fetch' : 'clone'

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -6927,6 +6927,12 @@ msgstr ""
 msgid "CICD|There are several CI/CD limits in place."
 msgstr ""
  
+msgid "CICD|Unprotected branches will not have access to the cache from protected branches."
+msgstr ""
+
+msgid "CICD|Use separate caches for protected branches"
+msgstr ""
+
 msgid "CICD|group enabled"
 msgstr ""
  

--- a/spec/models/ci/build_spec.rb
+++ b/spec/models/ci/build_spec.rb
@@ -1078,6 +1078,32 @@
            is_expected.to all(a_hash_including(key: a_string_matching(/-non_protected$/)))
          end
        end
+
+        context 'when separated caches are disabled' do
+          before do
+            allow_any_instance_of(Project).to receive(:ci_separated_caches).and_return(false)
+          end
+
+          context 'running on protected ref' do
+            before do
+              allow(build.pipeline).to receive(:protected_ref?).and_return(true)
+            end
+
+            it 'is expected to have no type suffix' do
+              is_expected.to match([a_hash_including(key: 'key-1'), a_hash_including(key: 'key2-1')])
+            end
+          end
+
+          context 'running on not protected ref' do
+            before do
+              allow(build.pipeline).to receive(:protected_ref?).and_return(false)
+            end
+
+            it 'is expected to have no type suffix' do
+              is_expected.to match([a_hash_including(key: 'key-1'), a_hash_including(key: 'key2-1')])
+            end
+          end
+        end
      end
  
      context 'when project has jobs_cache_index' do

--- a/spec/requests/api/project_attributes.yml
+++ b/spec/requests/api/project_attributes.yml
@@ -99,6 +99,7 @@ ci_cd_settings:
    default_git_depth: ci_default_git_depth
    forward_deployment_enabled: ci_forward_deployment_enabled
    job_token_scope_enabled: ci_job_token_scope_enabled
+    separated_caches: ci_separated_caches
  
 build_import_state: # import_state
  unexposed_attributes: