Merge branch 'master' into deps/5a89a91-3b3d888

doc/maintenance/README.md

@@ -112,7 +112,7 @@ the user or the `RAILS_ENV` environment variable; this is taken care of by the
 This content has been moved to the
 [GitLab debugging tips documentation](https://docs.gitlab.com/ee/administration/troubleshooting/debug.html#starting-a-rails-console-session).
-## Starting a PostgreSQL superuser psql session
+## Starting a PostgreSQL superuser `psql` session
 If you need superuser access to the bundled PostgreSQL service you can
 use the `gitlab-psql` command. It takes the same arguments as the
@@ -128,7 +128,7 @@ least once. The `gitlab-psql` command cannot be used to connect to a
 remote PostgreSQL server, nor to connect to a local non-Omnibus PostgreSQL
 server.
-### Starting a PostgreSQL superuser psql session in Geo tracking database
+### Starting a PostgreSQL superuser `psql` session in Geo tracking database
 Similar to the previous command, if you need superuser access to the bundled
 Geo tracking database (`geo-postgresql`), you can use the `gitlab-geo-psql`.

doc/package-information/defaults.md

@@ -51,6 +51,7 @@ by default:
 | <a name="pgbouncer"></a>           PgBouncer           | No            | Port             | X           | 6432                                   |
 | <a name="consul"></a>              Consul              | No            | Port             | X           | 8300, 8500                             |
 | <a name="patroni"></a>             Patroni             | No            | Port             | X           | 8008                                   |
+| <a name="gitlab-kas"></a>          GitLab KAS          | No            | Port             | X           | 8150                                   |
 Legend:

doc/package-information/deprecated_os.md

@@ -45,6 +45,7 @@ The following lists the currently supported OSs and their possible EOL dates.
 | Debian 9         | GitLab CE / GitLab EE 9.3.0    | amd64           | 2022          | <https://wiki.debian.org/DebianReleases#Production_Releases> |
 | Debian 10        | GitLab CE / GitLab EE 12.2.0   | amd64           | TBD           | <https://wiki.debian.org/DebianReleases#Production_Releases> |
 | OpenSUSE 15.1    | GitLab CE / GitLab EE 12.4.0   | x86_64, aarch64 | Nov 2020      | <https://en.opensuse.org/Lifetime>                           |
+| OpenSUSE 15.2    | GitLab CE / GitLab EE 13.5.0   | x86_64, aarch64 | Dec 2021      | <https://en.opensuse.org/Lifetime>                           |
 | SLES 12          | GitLab EE 9.0.0                | x86_64          | Oct 2027      | <https://www.suse.com/lifecycle/>                            |
 | Ubuntu 16.04     | GitLab CE / GitLab EE 8.7.1    | amd64           | April 2021    | <https://wiki.ubuntu.com/Releases>                           |
 | Ubuntu 18.04     | GitLab CE / GitLab EE 10.7.0   | amd64           | April 2023    | <https://wiki.ubuntu.com/Releases>                           |

doc/settings/configuration.md

@@ -280,6 +280,12 @@ redis['uid'] = 1236
 redis['gid'] = 1236
 web_server['uid'] = 1237
 web_server['gid'] = 1237
+registry['uid'] = 1238
+registry['gid'] = 1238
+mattermost['uid'] = 1239
+mattermost['gid'] = 1239
+prometheus['uid'] = 1240
+prometheus['gid'] = 1240
 ```
 Run `sudo gitlab-ctl reconfigure` for the changes to take effect.
@@ -499,27 +505,31 @@ manage_storage_directories['enable'] = false
 ```
 **Warning** The Omnibus GitLab package still expects these directories to exist
-on the filesystem. It is up to the administrator to create and set correct
+on the file system. It is up to the administrator to create and set correct
 permissions if this setting is set.
 Enabling this setting will prevent the creation of the following directories:
-| Default location                                  | Permissions | Ownership        | Purpose |
-|---------------------------------------------------|-------------|------------------|---------|
-| `/var/opt/gitlab/git-data`                        | 0700        | `git:root`       | Holds repositories directory |
-| `/var/opt/gitlab/git-data/repositories`           | 2770        | `git:git`        | Holds Git repositories |
-| `/var/opt/gitlab/gitlab-rails/shared`             | 0751        | `git:gitlab-www` | Holds large object directories |
-| `/var/opt/gitlab/gitlab-rails/shared/artifacts`   | 0700        | `git:root`       | Holds CI artifacts |
-| `/var/opt/gitlab/gitlab-rails/shared/lfs-objects` | 0700        | `git:root`       | Holds LFS objects |
-| `/var/opt/gitlab/gitlab-rails/uploads`            | 0700        | `git:root`       | Holds user attachments |
-| `/var/opt/gitlab/gitlab-rails/shared/pages`       | 0750        | `git:gitlab-www` | Holds user pages |
-| `/var/opt/gitlab/gitlab-ci/builds`                | 0700        | `git:root`       | Holds CI build logs |
-| `/var/opt/gitlab/.ssh`                            | 0700        | `git:git`        | Holds authorized keys |
-
-## Only start Omnibus GitLab services after a given filesystem is mounted
+| Default location                                       | Permissions | Ownership        | Purpose |
+|--------------------------------------------------------|-------------|------------------|---------|
+| `/var/opt/gitlab/git-data`                             | `0700`        | `git`            | Holds repositories directory |
+| `/var/opt/gitlab/git-data/repositories`                | `2770`        | `git:git`        | Holds Git repositories |
+| `/var/opt/gitlab/gitlab-rails/shared`                  | `0751`        | `git:gitlab-www` | Holds large object directories |
+| `/var/opt/gitlab/gitlab-rails/shared/artifacts`        | `0700`        | `git`            | Holds CI artifacts |
+| `/var/opt/gitlab/gitlab-rails/shared/external-diffs`   | `0700`        | `git`            | Holds external merge request diffs |
+| `/var/opt/gitlab/gitlab-rails/shared/lfs-objects`      | `0700`        | `git`            | Holds LFS objects |
+| `/var/opt/gitlab/gitlab-rails/shared/packages`         | `0700`        | `git`            | Holds package repository |
+| `/var/opt/gitlab/gitlab-rails/shared/dependency_proxy` | `0700`        | `git`            | Holds dependency proxy |
+| `/var/opt/gitlab/gitlab-rails/shared/terraform_state`  | `0700`        | `git`            | Holds terraform state |
+| `/var/opt/gitlab/gitlab-rails/shared/pages`            | `0750`        | `git:gitlab-www` | Holds user pages |
+| `/var/opt/gitlab/gitlab-rails/uploads`                 | `0700`        | `git`            | Holds user attachments |
+| `/var/opt/gitlab/gitlab-ci/builds`                     | `0700`        | `git`            | Holds CI build logs |
+| `/var/opt/gitlab/.ssh`                                 | `0700`        | `git:git`        | Holds authorized keys |
+
+## Only start Omnibus GitLab services after a given file system is mounted
 If you want to prevent Omnibus GitLab services (NGINX, Redis, Puma, etc.)
-from starting before a given filesystem is mounted, add the following to
+from starting before a given file system is mounted, add the following to
 `/etc/gitlab/gitlab.rb`:
 ```ruby
@@ -562,8 +572,7 @@ Run `sudo gitlab-ctl reconfigure` for the settings to take effect.
 ## Configuring Rack Attack
 To prevent abusive clients from doing damage, GitLab uses the Rack Attack gem.
-Check [this page](https://docs.gitlab.com/ee/security/rack_attack.html)
-for more information.
+Learn how to [configure Rack Attack](https://docs.gitlab.com/ee/security/rack_attack.html).
 ## Disabling automatic cache cleaning during installation
@@ -604,8 +613,8 @@ Disabling impersonation is documented in
 ## Error Reporting and Logging with Sentry
 [Sentry](https://sentry.io) is an error reporting and logging tool which can be
-used as SaaS or on premise. It's Open Source and you can browse its source code
-repositories [here](https://github.com/getsentry).
+used as SaaS or on premise. It's Open Source, and you can [browse its source code
+repositories](https://github.com/getsentry).
 The following settings can be used to configure Sentry:

doc/settings/grafana.md

@@ -17,6 +17,9 @@ automatically configured. Grafana will be available on `https://gitlab.example.c
 ## Enable login using username and password
+NOTE: **Note:**
+The admin account's username is `admin`.
+
 Logging in to Grafana using username/password combo is disabled , and only
 GitLab SSO is available by default. However, to access the admin account, you
 need to enable login using username/password. For that, add the following line

doc/update/README.md

@@ -1299,3 +1299,7 @@ ALTER TABLE push_rules ADD COLUMN commit_message_negative_regex VARCHAR;
 # Restart GitLab
 sudo gitlab-ctl restart
 ```
+
+### Error `Failed to connect to the internal GitLab API` on a separate GitLab Pages server
+
+Please see [GitLab Pages troubleshooting](https://docs.gitlab.com/ee/administration/pages/index.html#failed-to-connect-to-the-internal-gitlab-api).

docker/assets/download-package

@@ -9,3 +9,9 @@ else
     # to authenticate to access it. Hence, we pass PRIVATE-TOKEN header.
     wget --quiet --header "PRIVATE-TOKEN: ${TRIGGER_PRIVATE_TOKEN}" ${DOWNLOAD_URL} -O /tmp/gitlab.deb
 fi
+
+results=$?
+if [ ${results} -ne 0 ]; then
+    >&2 echo "There was an error downloading ${DOWNLOAD_URL}. Please check the output for more information"
+    exit ${results}
+fi

files/gitlab-config-template/gitlab.rb.template

@@ -73,8 +73,26 @@ external_url 'GENERATED_EXTERNAL_URL'
 ###! By default, we'll allow 95% of the the worker timeout
 # gitlab_rails['max_request_duration_seconds'] = 57
+### GitLab email server settings
+###! Docs: https://docs.gitlab.com/omnibus/settings/smtp.html
+###! **Use smtp instead of sendmail/postfix.**
+
+# gitlab_rails['smtp_enable'] = true
+# gitlab_rails['smtp_address'] = "smtp.server"
+# gitlab_rails['smtp_port'] = 465
+# gitlab_rails['smtp_user_name'] = "smtp user"
+# gitlab_rails['smtp_password'] = "smtp password"
+# gitlab_rails['smtp_domain'] = "example.com"
+# gitlab_rails['smtp_authentication'] = "login"
+# gitlab_rails['smtp_enable_starttls_auto'] = true
+# gitlab_rails['smtp_tls'] = false
+
 ### Email Settings
+
 # gitlab_rails['gitlab_email_enabled'] = true
+
+##! If your SMTP server does not like the default 'From: gitlab@gitlab.example.com'
+##! can change the 'From' with this setting.
 # gitlab_rails['gitlab_email_from'] = 'example@example.com'
 # gitlab_rails['gitlab_email_display_name'] = 'Example'
 # gitlab_rails['gitlab_email_reply_to'] = 'noreply@example.com'
@@ -143,6 +161,7 @@ external_url 'GENERATED_EXTERNAL_URL'
 # gitlab_rails['pages_domain_verification_cron_worker'] = "*/15 * * * *"
 # gitlab_rails['pages_domain_ssl_renewal_cron_worker'] = "*/10 * * * *"
 # gitlab_rails['pages_domain_removal_cron_worker'] = "47 0 * * *"
+# gitlab_rails['remove_unaccepted_member_invites_cron_worker'] = "10 15 * * *"
 # gitlab_rails['schedule_migrate_external_diffs_worker_cron'] = "15 * * * *"
 # gitlab_rails['ci_platform_metrics_update_cron_worker'] = '47 9 * * *'
 # gitlab_rails['analytics_instance_statistics_count_job_trigger_worker_cron'] = "50 23 */1 * *"
@@ -259,17 +278,17 @@ external_url 'GENERATED_EXTERNAL_URL'
 ###!
 ###! Be sure to use different buckets for each type of object.
 ###! Docs: https://docs.gitlab.com/ee/administration/object_storage.html
-gitlab_rails['object_store']['enabled'] = false
-gitlab_rails['object_store']['connection'] = {}
-gitlab_rails['object_store']['storage_options'] = {}
-gitlab_rails['object_store']['proxy_download'] = false
-gitlab_rails['object_store']['objects']['artifacts']['bucket'] = nil
-gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = nil
-gitlab_rails['object_store']['objects']['lfs']['bucket'] = nil
-gitlab_rails['object_store']['objects']['uploads']['bucket'] = nil
-gitlab_rails['object_store']['objects']['packages']['bucket'] = nil
-gitlab_rails['object_store']['objects']['dependency_proxy']['bucket'] = nil
-gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = nil
+# gitlab_rails['object_store']['enabled'] = false
+# gitlab_rails['object_store']['connection'] = {}
+# gitlab_rails['object_store']['storage_options'] = {}
+# gitlab_rails['object_store']['proxy_download'] = false
+# gitlab_rails['object_store']['objects']['artifacts']['bucket'] = nil
+# gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = nil
+# gitlab_rails['object_store']['objects']['lfs']['bucket'] = nil
+# gitlab_rails['object_store']['objects']['uploads']['bucket'] = nil
+# gitlab_rails['object_store']['objects']['packages']['bucket'] = nil
+# gitlab_rails['object_store']['objects']['dependency_proxy']['bucket'] = nil
+# gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = nil
 ### Job Artifacts
 # gitlab_rails['artifacts_enabled'] = true
@@ -373,6 +392,21 @@ gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = nil
 #   # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
 # }
+### GitLab Pages
+# gitlab_rails['pages_object_store_enabled'] = false
+# gitlab_rails['pages_object_store_remote_directory'] = "pages"
+# gitlab_rails['pages_object_store_connection'] = {
+#   'provider' => 'AWS',
+#   'region' => 'eu-west-1',
+#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
+#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
+#   # # The below options configure an S3 compatible host instead of AWS
+#   # 'host' => 's3.amazonaws.com',
+#   # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
+#   # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
+#   # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
+# }
+
 ### Impersonation settings
 # gitlab_rails['impersonation_enabled'] = true
@@ -473,6 +507,13 @@ gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = nil
 #   }
 # ]
+### FortiAuthenticator authentication settings
+# gitlab_rails['forti_authenticator_enabled'] = false
+# gitlab_rails['forti_authenticator_host'] = 'forti_authenticator.example.com'
+# gitlab_rails['forti_authenticator_port'] = 443
+# gitlab_rails['forti_authenticator_username'] = 'admin'
+# gitlab_rails['forti_authenticator_access_token'] = 's3cr3t'
+
 ### Backup Settings
 ###! Docs: https://docs.gitlab.com/omnibus/settings/backups.html
@@ -654,20 +695,6 @@ gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = nil
 # gitlab_rails['redis_actioncable_instance'] = nil
 # gitlab_rails['redis_actioncable_sentinels'] = nil
-### GitLab email server settings
-###! Docs: https://docs.gitlab.com/omnibus/settings/smtp.html
-###! **Use smtp instead of sendmail/postfix.**
-
-# gitlab_rails['smtp_enable'] = true
-# gitlab_rails['smtp_address'] = "smtp.server"
-# gitlab_rails['smtp_port'] = 465
-# gitlab_rails['smtp_user_name'] = "smtp user"
-# gitlab_rails['smtp_password'] = "smtp password"
-# gitlab_rails['smtp_domain'] = "example.com"
-# gitlab_rails['smtp_authentication'] = "login"
-# gitlab_rails['smtp_enable_starttls_auto'] = true
-# gitlab_rails['smtp_tls'] = false
-
 ###! **Can be: 'none', 'peer', 'client_once', 'fail_if_no_peer_cert'**
 ###! Docs: http://api.rubyonrails.org/classes/ActionMailer/Base.html
 # gitlab_rails['smtp_openssl_verify_mode'] = 'none'
@@ -779,7 +806,7 @@ gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = nil
 # gitlab_workhorse['ha'] = false
 # gitlab_workhorse['listen_network'] = "unix"
 # gitlab_workhorse['listen_umask'] = 000
-# gitlab_workhorse['listen_addr'] = "/var/opt/gitlab/gitlab-workhorse/socket"
+# gitlab_workhorse['listen_addr'] = "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
 # gitlab_workhorse['auth_backend'] = "http://localhost:8080"
 ##! the empty string is the default in gitlab-workhorse option parser
@@ -1027,10 +1054,17 @@ gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = nil
 # postgresql['ssl_key_file'] = 'server.key'
 # postgresql['ssl_ca_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
 # postgresql['ssl_crl_file'] = nil
+# postgresql['cert_auth_addresses'] = {
+#   'ADDRESS' => {
+#     database: 'gitlabhq_production',
+#     user: 'gitlab'
+#   }
+# }
 ### Replication settings
 ###! Note, some replication settings do not require a full restart. They are documented below.
 # postgresql['wal_level'] = "hot_standby"
+# postgresql['wal_log_hints'] = 'off'
 # postgresql['max_wal_senders'] = 5
 # postgresql['max_replication_slots'] = 0
 # postgresql['max_locks_per_transaction'] = 128
@@ -1534,6 +1568,38 @@ gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = nil
 # gitlab_ci['gitlab_ci_add_pusher'] = true
 # gitlab_ci['builds_directory'] = '/var/opt/gitlab/gitlab-ci/builds'
+################################################################################
+## GitLab Kubernetes Agent Server
+##! Docs: https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/blob/master/README.md
+################################################################################
+
+##! Enable GitLab KAS
+# gitlab_kas['enable'] = true
+
+##! Agent configuration for GitLab KAS
+# gitlab_kas['agent_configuration_poll_period'] = 20
+# gitlab_kas['agent_gitops_poll_period'] = 20
+# gitlab_kas['agent_gitops_project_info_cache_ttl'] = 300
+# gitlab_kas['agent_gitops_project_info_cache_error_ttl'] = 60
+# gitlab_kas['agent_info_cache_ttl'] = 300
+# gitlab_kas['agent_info_cache_error_ttl'] = 60
+
+##! Shared secret used for authentication between KAS and GitLab
+# gitlab_kas['api_secret_key'] = nil # Will be generated if not set. Base64 encoded and exactly 32 bytes long.
+
+##! Listen configuration for GitLab KAS
+# gitlab_kas['listen_address'] = 'localhost:8150'
+# gitlab_kas['listen_network'] = 'tcp'
+# gitlab_kas['listen_websocket'] = true
+
+##! Metrics configuration for GitLab KAS
+# gitlab_kas['metrics_usage_reporting_period'] = 60
+
+##! Directories for GitLab KAS
+# gitlab_kas['dir'] = '/var/opt/gitlab/gitlab-kas'
+# gitlab_kas['log_directory'] = '/var/log/gitlab/gitlab-kas'
+# gitlab_kas['env_directory'] = '/opt/gitlab/etc/gitlab-kas/env'
+
 ################################################################################
 ## GitLab Mattermost
 ##! Docs: https://docs.gitlab.com/omnibus/gitlab-mattermost
@@ -1936,6 +2002,11 @@ gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = nil
 #     'max_per_repo' => 5
 #   }
 # ]
+#
+# gitaly['daily_maintenance_start_hour'] = 22
+# gitaly['daily_maintenance_start_minute'] = 30
+# gitaly['daily_maintenance_duration'] = '30m'
+# gitaly['daily_maintenance_storages'] = ["default"]
 ################################################################################
 ## Praefect
@@ -1990,8 +2061,8 @@ gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = nil
 # praefect['sentry_dsn'] = "https://<key>:<secret>@sentry.io/<project>"
 # praefect['sentry_environment'] = "production"
 # praefect['auto_migrate'] = true
-# praefect['database_host'] = 'postgres.internal'
-# praefect['database_port'] = 5432
+# praefect['database_host'] = 'postgres.external'
+# praefect['database_port'] = 6432
 # praefect['database_user'] = 'praefect'
 # praefect['database_password'] = 'secret'
 # praefect['database_dbname'] = 'praefect_production'
@@ -2001,6 +2072,8 @@ gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = nil
 # praefect['database_sslrootcert'] = '/path/to/rootcert'
 # praefect['reconciliation_scheduling_interval'] = '5m'
 # praefect['reconciliation_histogram_buckets'] = '[0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0]'
+# praefect['database_host_no_proxy'] = 'postgres.internal'
+# praefect['database_port_no_proxy'] = 5432
 ################################################################################
 # Storage check
@@ -2068,6 +2141,7 @@ gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = nil
 # gitlab_rails['kerberos_enabled'] = true
 # gitlab_rails['kerberos_keytab'] = /etc/http.keytab
 # gitlab_rails['kerberos_service_principal_name'] = HTTP/gitlab.example.com@EXAMPLE.COM
+# gitlab_rails['kerberos_simple_ldap_linking_allowed_realms'] = ['example.com','kerberos.example.com']
 # gitlab_rails['kerberos_use_dedicated_port'] = true
 # gitlab_rails['kerberos_port'] = 8443
 # gitlab_rails['kerberos_https'] = true

files/gitlab-cookbooks/consul/resources/consul_service.rb

 resource_name :consul_service
+provides :consul_service
 property :service_name, String, name_property: true
 property :ip_address, [String, nil], default: nil

files/gitlab-cookbooks/gitaly/attributes/default.rb

@@ -30,3 +30,7 @@ default['gitaly']['ruby_restart_delay'] = nil
 default['gitaly']['ruby_num_workers'] = nil
 default['gitaly']['ruby_rugged_git_config_search_path'] = "/opt/gitlab/embedded/etc"
 default['gitaly']['concurrency'] = nil
+default['gitaly']['daily_maintenance_start_hour'] = nil
+default['gitaly']['daily_maintenance_start_minute'] = nil
+default['gitaly']['daily_maintenance_duration'] = nil
+default['gitaly']['daily_maintenance_storages'] = nil

files/gitlab-cookbooks/gitaly/recipes/enable.rb

@@ -71,10 +71,7 @@ env_dir env_directory do
   notifies :restart, "runit_service[gitaly]" if omnibus_helper.should_notify?('gitaly')
 end
-# If no internal_api_url is specified, default to the IP/port Unicorn listens on
-webserver_service = WebServerHelper.service_name
-gitlab_url = node['gitlab']['gitlab-rails']['internal_api_url']
-gitlab_url ||= "http://#{node['gitlab'][webserver_service]['listen']}:#{node['gitlab'][webserver_service]['port']}#{node['gitlab'][webserver_service]['relative_url']}"
+gitlab_url, gitlab_relative_path = WebServerHelper.internal_api_url(node)
 template "Create Gitaly config.toml" do
   path config_path
@@ -84,7 +81,8 @@ template "Create Gitaly config.toml" do
   mode "0640"
   variables node['gitaly'].to_hash.merge(
     { gitlab_shell: node['gitlab']['gitlab-shell'].to_hash,
-      gitlab_url: gitlab_url }
+      gitlab_url: gitlab_url,
+      gitlab_relative_path: gitlab_relative_path }
   )
   notifies :hup, "runit_service[gitaly]" if omnibus_helper.should_notify?('gitaly')
 end

files/gitlab-cookbooks/gitaly/templates/default/gitaly-config.toml.erb

@@ -103,6 +103,10 @@ dir = "/opt/gitlab/embedded/service/gitlab-shell"
 <% if @gitlab_url %>
 url = '<%= @gitlab_url %>'
 <% end %>
+<% if @gitlab_relative_path %>
+relative_url_root = '<%= @gitlab_relative_path %>'
+<% end %>
+
 <% if @gitlab_shell['http_settings'] %>
 <% http_settings = @gitlab_shell['http_settings'] %>
 [gitlab.http-settings]
@@ -140,3 +144,11 @@ rpc = "<%= endpoint['rpc'] %>"
 max_per_repo = <%= endpoint['max_per_repo'] %>
   <% end %>
 <% end %>
+
+<% if @daily_maintenance_duration %>
+[daily_maintenance]
+<%= "start_hour = #{@daily_maintenance_start_hour}" if @daily_maintenance_start_hour %>
+<%= "start_minute = #{@daily_maintenance_start_minute}" if @daily_maintenance_start_minute %>
+<%= "duration = '#{@daily_maintenance_duration}'" if @daily_maintenance_duration %>
+<%= "storages = #{@daily_maintenance_storages}" if @daily_maintenance_storages %>
+<% end %>

files/gitlab-cookbooks/gitlab-ee/attributes/default.rb

@@ -119,6 +119,7 @@ default['gitlab']['geo-postgresql']['default_statistics_target'] = 1000
 # Replication settings
 default['gitlab']['geo-postgresql']['wal_level'] = 'minimal'
+default['gitlab']['geo-postgresql']['wal_log_hints'] = 'off'
 default['gitlab']['geo-postgresql']['max_wal_senders'] = 0
 default['gitlab']['geo-postgresql']['wal_keep_segments'] = 10
 default['gitlab']['geo-postgresql']['hot_standby'] = 'off'

files/gitlab-cookbooks/gitlab-ee/resources/pgbouncer_user.rb

 resource_name :pgbouncer_user
+provides :pgbouncer_user
 property :type, String, name_property: true
 property :account_helper, default: AccountHelper.new(node)

files/gitlab-cookbooks/gitlab-ee/resources/postgresql_fdw.rb

 resource_name :postgresql_fdw
+provides :postgresql_fdw
 property :server_name, String, name_property: true
 property :db_name, String

files/gitlab-cookbooks/gitlab-ee/resources/sentinel_service.rb

 resource_name :sentinel_service
+provides :sentinel_service
 property :config_path, String
 property :redis_configuration, Hash

files/gitlab-cookbooks/gitlab-kas/attributes/default.rb

+####
+# GitLab Kubernetes Agent Server
+####
+default['gitlab-kas']['enable'] = false
+default['gitlab-kas']['agent_configuration_poll_period'] = 20
+default['gitlab-kas']['agent_gitops_poll_period'] = 20
+default['gitlab-kas']['agent_gitops_project_info_cache_ttl'] = 300
+default['gitlab-kas']['agent_gitops_project_info_cache_error_ttl'] = 60
+default['gitlab-kas']['agent_info_cache_ttl'] = 300
+default['gitlab-kas']['agent_info_cache_error_ttl'] = 60
+default['gitlab-kas']['gitlab_address'] = ''
+default['gitlab-kas']['api_secret_key'] = nil
+default['gitlab-kas']['listen_address'] = 'localhost:8150'
+default['gitlab-kas']['listen_network'] = 'tcp'
+default['gitlab-kas']['listen_websocket'] = true
+default['gitlab-kas']['metrics_usage_reporting_period'] = 60
+default['gitlab-kas']['dir'] = '/var/opt/gitlab/gitlab-kas'
+default['gitlab-kas']['log_directory'] = '/var/log/gitlab/gitlab-kas'
+default['gitlab-kas']['env_directory'] = '/opt/gitlab/etc/gitlab-kas/env'

files/gitlab-cookbooks/gitlab-kas/libraries/gitlab_kas.rb

+#
+# Copyright:: Copyright (c) 2020 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative '../../package/libraries/helpers/secrets_helper'
+
+module GitlabKas
+  class << self
+    def parse_variables
+      parse_address
+    end
+
+    def parse_address
+      Gitlab['gitlab_kas']['gitlab_address'] ||= Gitlab['external_url']
+    end
+
+    def parse_secrets
+      # KAS and GitLab expects exactly 32 bytes, encoded with base64
+      Gitlab['gitlab_kas']['api_secret_key'] ||= Base64.strict_encode64(SecretsHelper.generate_hex(16))
+
+      api_secret_key = Base64.strict_decode64(Gitlab['gitlab_kas']['api_secret_key'])
+      raise "gitlab_kas['api_secret_key'] should be exactly 32 bytes" if api_secret_key.length != 32
+    end
+  end
+end

files/gitlab-cookbooks/gitlab-kas/metadata.rb

+name 'gitlab-kas'
+maintainer 'GitLab.com'
+maintainer_email 'support@gitlab.com'
+license 'Apache 2.0'
+description 'Installs/Configures GitLab KAS'
+long_description 'Installs/Configures the GitLab Kubernetes Agent Server'
+version '0.1.0'
+chef_version '>= 12.1' if respond_to?(:chef_version)
+
+issues_url 'https://gitlab.com/gitlab-org/omnibus-gitlab/issues'
+source_url 'https://gitlab.com/gitlab-org/omnibus-gitlab'
+
+depends 'package'
+depends 'gitlab'