Merge branch 'master' into 'deps/5a89a91-3b3d888'

# Conflicts:
#   config/software/openssl.rb

.custom_sources.yml

 gitlab-rails:
   remote: "git@dev.gitlab.org:gitlab/gitlabhq.git"
   alternative: "https://gitlab.com/gitlab-org/gitlab-foss.git"
+  security: "https://gitlab.com/gitlab-org/security/gitlab-foss.git"
+  # When running it on your local machine, use the SSH version to make it easier to authenticate:
+  #security: "git@gitlab.com:gitlab-org/security/gitlab-foss.git"
 gitlab-rails-ee:
   remote: "git@dev.gitlab.org:gitlab/gitlab-ee.git"
   alternative: "https://gitlab.com/gitlab-org/gitlab.git"
+  security: "https://gitlab.com/gitlab-org/security/gitlab.git"
+  # When running it on your local machine, use the SSH version to make it easier to authenticate:
+  #security: "git@gitlab.com:gitlab-org/security/gitlab.git"
 gitlab-shell:
   remote: "git@dev.gitlab.org:gitlab/gitlab-shell.git"
   alternative: "https://gitlab.com/gitlab-org/gitlab-shell.git"
@@ -97,6 +103,9 @@ libpng:
 libjpeg-turbo:
   remote: "git@dev.gitlab.org:omnibus-mirror/libjpeg-turbo.git"
   alternative: "https://gitlab.com/gitlab-org/build/omnibus-mirror/libjpeg-turbo.git"
+libtiff:
+  remote: "git@dev.gitlab.org:omnibus-mirror/libtiff.git"
+  alternative: "https://gitlab.com/gitlab-org/build/omnibus-mirror/libtiff.git"
 exiftool:
   remote: "git@dev.gitlab.org:omnibus-mirror/exiftool.git"
   alternative: "https://gitlab.com/gitlab-org/build/omnibus-mirror/exiftool.git"
@@ -121,3 +130,6 @@ ohai:
 redis:
   remote: "git@dev.gitlab.org:omnibus-mirror/redis.git"
   alternative: "https://gitlab.com/gitlab-org/build/omnibus-mirror/redis.git"
+psycopg2:
+  remote: "git@dev.gitlab.org:omnibus-mirror/psycopg2.git"
+  alternative: "https://gitlab.com/gitlab-org/build/omnibus-mirror/psycopg2.git"

.cveignore

@@ -42,6 +42,16 @@ CVE-2019-13232
 # gnupg/2.2.10
 CVE-2019-13050
 CVE-2018-1000858
+## https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/5211
+CVE-2019-14855
 # postgresql/9.6.14
 CVE-2019-9193
+
+# grafana/6.3.5
+## https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/5437
+CVE-2020-12458
+CVE-2020-12459
+
+# Entries from CVEIGNORE variable go below this line
+

.gitignore

@@ -12,6 +12,7 @@ vendor/cookbooks
 build.txt
 Vagrantfile
 .idea
+.vscode
 *.log
 docker/RELEASE
 *.swp
@@ -20,3 +21,5 @@ tags
 gitlab-licenses/*
 public/*
 config/projects/simple.rb
+.markdownlintrc
+.DS_Store

.gitlab-ci.yml

@@ -23,12 +23,20 @@ stages:
 workflow:
   rules:
-    # For branches, create a pipeline.
-    # FIXME: We should change the following to `- if: 'CI_MERGE_REQUEST_IID'`
+    # Do not create a pipeline on branch push to QA mirror
+    - if: '$CI_PROJECT_NAME == "omnibus-gitlab-mirror" && $CI_PIPELINE_SOURCE == "push"'
+      when: never
+    # No pipeline on auto-deploy branches as a tag will definitely follow
+    - if: '$CI_COMMIT_BRANCH =~ /^[0-9]+-[0-9]+-auto-deploy-[0-9]+$/'
+      when: never
+    # For all other branches, create a pipeline. We are explicitly specifying
+    # this so that this rule gets matched earlier before MR pipelines gets
+    # triggered, thus causing two pipelines for a branch push - a regular one
+    # and a detached one. If we ever decide not to run pipelines on branch
+    # pushes that doesn't cause an MR, we can change the following to
+    # $CI_MERGE_REQUEST_IID
     - if: '$CI_COMMIT_BRANCH'
-    # For `master` branch, create a pipeline (this includes on schedules, pushes, merges, etc.).
-    - if: '$CI_COMMIT_BRANCH == "master"'
-    # For tags, create a pipeline.
+    # For tags, always create a pipeline.
     - if: '$CI_COMMIT_TAG'
 default:
@@ -36,16 +44,20 @@ default:
     - gitlab-org
 variables:
-  BUILDER_IMAGE_REGISTRY: "dev.gitlab.org:5005/cookbooks/gitlab-omnibus-builder"
+  # BUILDER_IMAGE_REGISTRY is set to
+  # `dev.gitlab.org:5005/cookbooks/gitlab-omnibus-builder` in the project
+  # settings of omnibus-gitlab mirror in dev.gitlab.org so that builds there
+  # will use images from that registry and not depend on GitLab.com
+  BUILDER_IMAGE_REGISTRY: "registry.gitlab.com/gitlab-org/gitlab-omnibus-builder"
   PUBLIC_BUILDER_IMAGE_REGISTRY: "registry.gitlab.com/gitlab-org/gitlab-omnibus-builder"
-  BUILDER_IMAGE_REVISION: "0.0.60"
+  BUILDER_IMAGE_REVISION: "0.0.72"
   # The registry to pull the assets image from
   ASSET_REGISTRY: "${CI_REGISTRY}"
   ASSET_SYNC_EXISTING_REMOTE_FILES: "keep"
   ASSET_SYNC_GZIP_COMPRESSION: "true"
   ASSET_PATH: "assets-${CI_COMMIT_REF_SLUG}"
   COMPILE_ASSETS: "false"
-  RUBY_IMAGE: "ruby:2.5"
+  RUBY_IMAGE: "ruby:2.6"
   BUNDLE_PATH__SYSTEM: "false"
   # Format of the auto-deploy tag for auto-deploy builds.
   # https://gitlab.com/gitlab-org/release/docs/blob/master/general/deploy/auto-deploy.md#auto-deploy-tagging
@@ -53,6 +65,7 @@ variables:
   # Default environment for auto-deploy
   AUTO_DEPLOY_ENVIRONMENT: 'pre'
   MAX_PACKAGE_SIZE_MB: "850"
+  OMNIBUS_GITLAB_MIRROR_ID: "14588374"
 ### For services that need a docker daemon
 .docker_job: &docker_job
@@ -131,21 +144,17 @@ fetch-assets:
   artifacts:
     paths:
       - ${ASSET_PATH}
-  only:
-    refs:
-      - schedules@gitlab-org/omnibus-gitlab
-      - branches@gitlab/omnibus-gitlab
-      - tags@gitlab/omnibus-gitlab
-      - triggers
-      - pipelines
-  except:
-    variables:
-      - $COMPILE_ASSETS == "true"
-      - $DEPS_PIPELINE
-      # Format of the auto-deploy tag
-      - $CI_COMMIT_TAG =~ /^\d+\.\d+\.\d+\+[^ ]{7,}\.[^ ]{7,}$/
-      - $CI_COMMIT_REF_NAME =~ /^[0-9]+-[0-9]+-auto-deploy-[0-9]+$/
-
+  rules:
+    - if: '$COMPILE_ASSETS == "true"'
+      when: never
+    - if: '$DEPS_PIPELINE'
+      when: never
+    - if: '$CI_COMMIT_TAG =~ /^\d+\.\d+\.\d+\+[^ ]{7,}\.[^ ]{7,}$/'
+      when: never
+    # Run on dev.gitlab.org (except auto-deploy tag covered above) and
+    # multi-project pipelines on omnibus-gitlab-mirror
+    - if: '$CI_PROJECT_PATH == "gitlab/omnibus-gitlab"'
+    - if: '$CI_PIPELINE_SOURCE == "pipeline" && $CI_PROJECT_PATH == "gitlab-org/build/omnibus-gitlab-mirror"'
 include:
   - '/gitlab-ci-config/gitlab-com.yml'
   - '/gitlab-ci-config/dev-gitlab-org.yml'

.gitlab/issue_templates/Security developer workflow.md

@@ -39,7 +39,6 @@ After your merge request has been approved according to our approval guidelines,
 - [ ] Fill in any upgrade notes that users may need to take into account in the [details section](#details)
 - [ ] Add Yes/No and further details if needed to the migration and settings columns in the [details section](#details)
 - [ ] Add the nickname of the external user who found the issue (and/or HackerOne profile) to the Thanks row in the [details section](#details)
-- [ ] Once your `master` MR is merged, comment on the original security issue with a link to that MR indicating the issue is fixed.
 ### Summary

.gitlab/merge_request_templates/Documentation update.md

-<!-- See the general Documentation guidelines: https://docs.gitlab.com/ee/development/documentation -->
+<!-- Follow the documentation workflow https://docs.gitlab.com/ee/development/documentation/workflow.html -->
+<!-- Additional information is located at https://docs.gitlab.com/ee/development/documentation/ -->
+<!-- To find the designated Tech Writer for the stage/group, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers -->
 <!-- Mention "documentation" or "docs" in the MR title -->
+<!-- For changing documentation location use the "Change documentation location" template -->
 ## What does this MR do?
@@ -10,17 +13,48 @@
 <!-- Link related issues below. Insert the issue link or reference after the word "Closes" if merging this should automatically close it. -->
-## Changing the header title?
-- [ ] Is it completely necessary to change the title? Changing titles breaks deep linking. If yes, proceed further.
-- [ ] Move the old heading title to the bottom of the page.
-- [ ] Change the header tag to h5, `#####`.
-## Moving docs to a new location?
-<!-- See the guidelines: https://docs.gitlab.com/ee/development/documentation/#changing-document-location -->
-- [ ] Make sure the old link is not removed and has its contents replaced with a link to the new location.
-- [ ] Make sure internal links pointing to the document in question are not broken.
+## Author's checklist (required)
+- [ ] Follow the [Documentation Guidelines](https://docs.gitlab.com/ee/development/documentation/) and [Style Guide](https://docs.gitlab.com/ee/development/documentation/styleguide.html).
+- If you have `developer` access or higher (for example, GitLab team members or [Core Team](https://about.gitlab.com/community/core-team/) members)
+  - [ ] Apply the ~documentation label, plus:
+    - The corresponding DevOps stage and group label, if applicable.
+    - ~"development guidelines" when changing docs under `doc/development/*`, `CONTRIBUTING.md`, or `README.md`.
+    - ~"development guidelines" and ~"Documentation guidelines" when changing docs under `development/documentation/*`.
+    - ~"development guidelines" and ~"Description templates (.gitlab/\*)" when creating/updating issue and MR description templates.
+  - [ ] Assign the [designated Technical Writer](https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments).
+Do not add the ~"feature", ~"frontend", ~"backend", ~"bug", or ~"database" labels if you are only updating documentation. These labels will cause the MR to be added to code verification QA issues.
+When applicable:
+- [ ] Update the [permissions table](https://docs.gitlab.com/ee/user/permissions.html).
+- [ ] Link docs to and from the higher-level index page, plus other related docs where helpful.
+- [ ] Add [GitLab's version history note(s)](https://docs.gitlab.com/ee/development/documentation/styleguide.html#text-for-documentation-requiring-version-text).
+- [ ] Add the [product tier badge](https://docs.gitlab.com/ee/development/documentation/styleguide.html#product-badges).
+- [ ] Add/update the [feature flag section](https://docs.gitlab.com/ee/development/documentation/feature_flags.html).
+- [ ] If you're changing document headings, search `doc/*`, `app/views/*`, and `ee/app/views/*` for old headings replacing with the new ones to [avoid broken anchors](https://docs.gitlab.com/ee/development/documentation/styleguide.html#anchor-links).
+
+## Review checklist
+
+All reviewers can help ensure accuracy, clarity, completeness, and adherence to the [Documentation Guidelines](https://docs.gitlab.com/ee/development/documentation/) and [Style Guide](https://docs.gitlab.com/ee/development/documentation/styleguide.html).
+
+**1. Primary Reviewer**
+
+* [ ] Review by a code reviewer or other selected colleague to confirm accuracy, clarity, and completeness. This can be skipped for minor fixes without substantive content changes.
+
+**2. Technical Writer**
+
+- [ ] Technical writer review. If not requested for this MR, must be scheduled post-merge. To request for this MR, assign the writer listed for the applicable [DevOps stage](https://about.gitlab.com/handbook/product/product-categories/#devops-stages).
+  - [ ] Ensure ~"Technical Writing", ~"documentation", and a `docs::` scoped label are added.
+  - [ ] Add ~docs-only when the only files changed are under `doc/*`.
+  - [ ] Add ~"tw::doing" when starting work on the MR.
+  - [ ] Add ~"tw::finished" if Technical Writing team work on the MR is complete but it remains open.
+
+**3. Maintainer**
+
+1. [ ] Review by assigned maintainer, who can always request/require the above reviews. Maintainer's review can occur before or after a technical writer review.
+1. [ ] Ensure a release milestone is set.
+1. [ ] If there has not been a technical writer review, [create an issue for one using the Doc Review template](https://gitlab.com/gitlab-org/gitlab/issues/new?issuable_template=Doc%20Review).
 /label ~documentation

.gitlab/merge_request_templates/General Change.md

+<!-- After merging changes to this template, update the `Default description template for merge requests` -->
+<!-- found under Settings - General Merge Requests -->
 ## What does this MR do?
 <!-- Briefly describe what this MR is about. -->
@@ -10,17 +12,18 @@
 See [Definition of done](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/CONTRIBUTING.md#definition-of-done).
-- [ ] Changelog entry created. Not applicable for Documentation changes and minor changes.
-- [ ] Documentation created/updated
-- [ ] Tests added
-- [ ] Integration tests added to [GitLab QA](https://gitlab.com/gitlab-org/gitlab-qa), if applicable
-- [ ] MR targeting `master` branch
+For anything in this list which will not be completed, please provide a reason in the MR discussion
+
+### Required
+- [ ] Merge Request Title, and Description are up to date, accurate, and descriptive
+- [ ] MR targeting the appropriate branch
 - [ ] MR has a green pipeline on GitLab.com
-- [ ] Equivalent MR/issue for CNG opened if applicable
+- [ ] Pipeline is green on dev.gitlab.org if the change is touching anything besides documentation or internal cookbooks
 - [ ] `trigger-package` has a green pipeline running against latest commit
-### Reviewer Checklist
-
-In addition to above, reviewer must:
-
-- [ ] Pipeline is green on dev.gitlab.org if the change is not touching documentation or internal cookbooks
+### Expected (please provide an explanation if not completing)
+- [ ] Test plan indicating conditions for success has been posted and passes
+- [ ] Documentation created/updated
+- [ ] Tests added
+- [ ] Integration tests added to [GitLab QA](https://gitlab.com/gitlab-org/gitlab-qa)
+- [ ] Equivalent MR/issue for the [GitLab Chart](https://gitlab.com/gitlab-org/charts/gitlab) opened

.markdownlint.json

@@ -7,6 +7,7 @@
   "ul-style": {
     "style": "dash"
   },
+  "no-trailing-spaces": false,
   "line-length": false,
   "no-duplicate-header": {
     "allow_different_nesting": true
@@ -43,8 +44,12 @@
       "Consul",
       "Debian",
       "DevOps",
+      "Docker",
       "Elasticsearch",
       "Facebook",
+      "fastlane",
+      "GDK",
+      "Geo",
       "Git LFS",
       "git-annex",
       "Git",
@@ -59,11 +64,14 @@
       "GitLab Shell",
       "GitLab Workhorse",
       "GitLab",
+      "Gitleaks",
       "Gmail",
       "Google",
       "Grafana",
+      "Gzip",
       "Helm",
       "HipChat",
+      "ID",
       "Ingress",
       "jasmine-jquery",
       "JavaScript",
@@ -73,6 +81,7 @@
       "Jira Cloud",
       "Jira Server",
       "jQuery",
+      "JSON",
       "JupyterHub",
       "Karma",
       "Kerberos",
@@ -97,8 +106,10 @@
       "OpenShift",
       "PgBouncer",
       "PostgreSQL",
+      "Praefect",
       "Prometheus",
       "Puma",
+      "puma-worker-killer",
       "Python",
       "Rake",
       "Redis",
@@ -113,8 +124,10 @@
       "Shibboleth",
       "Slack",
       "SMTP",
+      "SpotBugs",
       "SSH",
       "Tiller",
+      "TOML",
       "Trello",
       "Trello Power-Ups",
       "TypeScript",
@@ -123,7 +136,9 @@
       "Ultra Auth",
       "Unicorn",
       "unicorn-worker-killer",
+      "URL",
       "WebdriverIO",
+      "YAML",
       "YouTrack"
     ],
     "code_blocks": false

.rubocop.yml

@@ -71,3 +71,6 @@ Cop/AvoidUsingEnv:
     - docker/**/*
     - lib/gitlab/util.rb
     - spec/gitlab/util_spec.rb
+
+Style/MultilineIfModifier:
+  Enabled: false

.ruby-version

-2.6.3
+2.6.6

Gemfile

@@ -2,7 +2,7 @@ source 'https://rubygems.org'
 require_relative "lib/gitlab/version"
-omnibus_gem_version = Gitlab::Version.new('omnibus', "v5.6.12.01")
+omnibus_gem_version = Gitlab::Version.new('omnibus', "7.0.10.01")
 # Note that omnibus is from a fork with additional gitlab changes.  You can
 # check what they are with the following comparison link:
@@ -21,8 +21,8 @@ omnibus_gem_version = Gitlab::Version.new('omnibus', "v5.6.12.01")
 #    definitions in `config/software`.  You can find them quickly with:
 #      grep "gem 'install " config/software/*
 gem 'omnibus', git: omnibus_gem_version.remote, tag: omnibus_gem_version.print(false)
-gem 'chef', '~> 14.14'
-gem 'ohai', '~> 14.14'
+gem 'chef', '~> 15.12.22'
+gem 'ohai', '~> 15.12.0'
 gem 'package_cloud'
 gem 'rainbow', '~> 2.2' # This is used by gitlab-ctl and the chef formatter
 gem 'thor', '0.18.1' # This specific version is required by package_cloud
@@ -31,7 +31,6 @@ gem 'rspec'
 gem 'rake'
 gem 'knapsack'
 gem 'docker-api'
-gem 'aws-sdk'
 gem 'google_drive'
 gem 'http'

changelogs/unreleased/add_member_invitation_reminder_emails_cron_job_to_omnibus.yml

+---
+title: Add member invitation reminder emails cron worker
+merge_request: 4582
+author:
+type: other

changelogs/unreleased/brodock-patroni-slots.yml

+---
+title: Allow configuring permanent replication slots in patroni
+merge_request: 4534
+author:
+type: added

changelogs/unreleased/deps-b2ed305-db136ae.yml

+---
+title: Update unixcharles/acme-client from 2.0.6 to 2.0.7
+merge_request: 4581
+author:
+type: changed

changelogs/unreleased/feat-smime-extra-cas.yml

----
-title: 'Add new extra CAs configuration file to smime email signing'
-merge_request: 4085
-author: Diego Louzán
-type: added

changelogs/unreleased/fix-el8-posttrans.yml

----
-title: Rhel/centos8 rpm changed the arg input to posttrans
-merge_request: 4093
-author:
-type: fixed

changelogs/unreleased/fix-geo-psql-bin.yml

----
-title: Ensure the pg bin files fallback for geo-postgresql
-merge_request: 4118
-author:
-type: fixed

changelogs/unreleased/mask-env-variable-content.yml

----
-title: Env dir content should not be displayed by chef
-merge_request: 4119
-author:
-type: fixed