Add latest changes from gitlab-org/gitlab@master

app/assets/stylesheets/pages/merge_requests.scss

@@ -708,7 +708,7 @@
 .mr-version-controls {
   position: relative;
   z-index: 203;
-  background: $gray-light;
+  background: $white-light;
   color: $gl-text-color;
   margin-top: -1px;
@@ -732,7 +732,7 @@
   }
   .content-block {
-    padding: $gl-padding-top $gl-padding;
+    padding: $gl-padding;
     border-bottom: 0;
   }

app/controllers/concerns/confirm_email_warning.rb

@@ -10,7 +10,7 @@ module ConfirmEmailWarning
   protected
   def show_confirm_warning?
-    html_request? && request.get? && Feature.enabled?(:soft_email_confirmation)
+    html_request? && request.get?
   end
   def set_confirm_warning

app/controllers/confirmations_controller.rb

@@ -11,7 +11,7 @@ class ConfirmationsController < Devise::ConfirmationsController
   protected
   def after_resending_confirmation_instructions_path_for(resource)
-    Feature.enabled?(:soft_email_confirmation) ? stored_location_for(resource) || dashboard_projects_path : users_almost_there_path
+    stored_location_for(resource) || dashboard_projects_path
   end
   def after_confirmation_path_for(resource_name, resource)

app/controllers/dashboard/snippets_controller.rb

@@ -7,6 +7,10 @@ class Dashboard::SnippetsController < Dashboard::ApplicationController
   skip_cross_project_access_check :index
   def index
+    @snippet_counts = Snippets::CountService
+      .new(current_user, author: current_user)
+      .execute
+
     @snippets = SnippetsFinder.new(current_user, author: current_user, scope: params[:scope])
       .execute
       .page(params[:page])

app/controllers/projects/snippets_controller.rb

@@ -30,6 +30,10 @@ class Projects::SnippetsController < Projects::ApplicationController
   respond_to :html
   def index
+    @snippet_counts = Snippets::CountService
+      .new(current_user, project: @project)
+      .execute
+
     @snippets = SnippetsFinder.new(current_user, project: @project, scope: params[:scope])
       .execute
       .page(params[:page])

app/controllers/registrations_controller.rb

@@ -53,7 +53,7 @@ class RegistrationsController < Devise::RegistrationsController
   def welcome
     return redirect_to new_user_registration_path unless current_user
-    return redirect_to stored_location_or_dashboard_or_almost_there_path(current_user) if current_user.role.present? && !current_user.setup_for_company.nil?
+    return redirect_to stored_location_or_dashboard(current_user) if current_user.role.present? && !current_user.setup_for_company.nil?
     current_user.name = nil if current_user.name == current_user.username
   end
@@ -65,7 +65,7 @@ class RegistrationsController < Devise::RegistrationsController
     if result[:status] == :success
       track_experiment_event(:signup_flow, 'end') # We want this event to be tracked when the user is _in_ the experimental group
       set_flash_message! :notice, :signed_up
-      redirect_to stored_location_or_dashboard_or_almost_there_path(current_user)
+      redirect_to stored_location_or_dashboard(current_user)
     else
       render :welcome
     end
@@ -112,12 +112,12 @@ class RegistrationsController < Devise::RegistrationsController
     return users_sign_up_welcome_path if experiment_enabled?(:signup_flow)
-    stored_location_or_dashboard_or_almost_there_path(user)
+    stored_location_or_dashboard(user)
   end
   def after_inactive_sign_up_path_for(resource)
     Gitlab::AppLogger.info(user_created_message)
-    Feature.enabled?(:soft_email_confirmation) ? dashboard_projects_path : users_almost_there_path
+    dashboard_projects_path
   end
   private
@@ -179,18 +179,10 @@ class RegistrationsController < Devise::RegistrationsController
     Gitlab::Utils.to_boolean(params[:terms_opt_in])
   end
-  def confirmed_or_unconfirmed_access_allowed(user)
-    user.confirmed? || Feature.enabled?(:soft_email_confirmation) || experiment_enabled?(:signup_flow)
-  end
-
   def stored_location_or_dashboard(user)
     stored_location_for(user) || dashboard_projects_path
   end
-  def stored_location_or_dashboard_or_almost_there_path(user)
-    confirmed_or_unconfirmed_access_allowed(user) ? stored_location_or_dashboard(user) : users_almost_there_path
-  end
-
   # Part of an experiment to build a new sign up flow. Will be resolved
   # with https://gitlab.com/gitlab-org/growth/engineering/issues/64
   def choose_layout

app/helpers/projects/error_tracking_helper.rb

@@ -22,7 +22,6 @@ module Projects::ErrorTrackingHelper
     {
       'issue-id' => issue_id,
       'project-path' => project.full_path,
-      'issue-details-path' => details_project_error_tracking_index_path(*opts),
       'issue-update-path' => update_project_error_tracking_index_path(*opts),
       'project-issues-path' => project_issues_path(project),
       'issue-stack-trace-path' => stack_trace_project_error_tracking_index_path(*opts)

app/models/clusters/applications/knative.rb

@@ -74,7 +74,7 @@ module Clusters
       end
       def ingress_service
-        cluster.kubeclient.get_service('istio-ingressgateway', 'istio-system')
+        cluster.kubeclient.get_service('istio-ingressgateway', Clusters::Kubernetes::ISTIO_SYSTEM_NAMESPACE)
       end
       def uninstall_command

app/models/serverless/domain_cluster.rb

@@ -10,6 +10,11 @@ module Serverless
     belongs_to :knative, class_name: 'Clusters::Applications::Knative', foreign_key: 'clusters_applications_knative_id'
     belongs_to :creator, class_name: 'User', optional: true
+    attr_encrypted :key,
+      mode: :per_attribute_iv,
+      key: Settings.attr_encrypted_db_key_base_truncated,
+      algorithm: 'aes-256-gcm'
+
     validates :pages_domain, :knative, presence: true
     validates :uuid, presence: true, uniqueness: true, length: { is: Gitlab::Serverless::Domain::UUID_LENGTH },
               format: { with: HEX_REGEXP, message: 'only allows hex characters' }

app/models/user.rb

@@ -1638,13 +1638,6 @@ class User < ApplicationRecord
     super
   end
-  # override from Devise::Confirmable
-  def confirmation_period_valid?
-    return false if Feature.disabled?(:soft_email_confirmation)
-
-    super
-  end
-
   private
   def default_private_profile_to_false

app/services/clusters/kubernetes.rb

@@ -12,5 +12,7 @@ module Clusters
     GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME = 'gitlab-knative-serving-rolebinding'
     GITLAB_CROSSPLANE_DATABASE_ROLE_NAME = 'gitlab-crossplane-database-role'
     GITLAB_CROSSPLANE_DATABASE_ROLE_BINDING_NAME = 'gitlab-crossplane-database-rolebinding'
+    KNATIVE_SERVING_NAMESPACE = 'knative-serving'
+    ISTIO_SYSTEM_NAMESPACE = 'istio-system'
   end
 end

app/services/clusters/kubernetes/configure_istio_ingress_service.rb

+# frozen_string_literal: true
+
+require 'openssl'
+
+module Clusters
+  module Kubernetes
+    class ConfigureIstioIngressService
+      PASSTHROUGH_RESOURCE = Kubeclient::Resource.new(
+        mode: 'PASSTHROUGH'
+      ).freeze
+
+      MTLS_RESOURCE = Kubeclient::Resource.new(
+        mode: 'MUTUAL',
+        privateKey: '/etc/istio/ingressgateway-certs/tls.key',
+        serverCertificate: '/etc/istio/ingressgateway-certs/tls.crt',
+        caCertificates: '/etc/istio/ingressgateway-ca-certs/cert.pem'
+      ).freeze
+
+      def initialize(cluster:)
+        @cluster = cluster
+        @platform = cluster.platform
+        @kubeclient = platform.kubeclient
+        @knative = cluster.application_knative
+      end
+
+      def execute
+        return configure_certificates if serverless_domain_cluster
+
+        configure_passthrough
+      end
+
+      private
+
+      attr_reader :cluster, :platform, :kubeclient, :knative
+
+      def serverless_domain_cluster
+        knative&.serverless_domain_cluster
+      end
+
+      def configure_certificates
+        create_or_update_istio_cert_and_key
+        set_gateway_wildcard_https(MTLS_RESOURCE)
+      end
+
+      def create_or_update_istio_cert_and_key
+        name = OpenSSL::X509::Name.parse("CN=#{knative.hostname}")
+
+        key = OpenSSL::PKey::RSA.new(2048)
+
+        cert = OpenSSL::X509::Certificate.new
+        cert.version = 2
+        cert.serial = 0
+        cert.not_before = Time.now
+        cert.not_after = Time.now + 1000.years
+
+        cert.public_key = key.public_key
+        cert.subject = name
+        cert.issuer = name
+        cert.sign(key, OpenSSL::Digest::SHA256.new)
+
+        serverless_domain_cluster.update!(
+          key: key.to_pem,
+          certificate: cert.to_pem
+        )
+
+        kubeclient.create_or_update_secret(istio_ca_certs_resource)
+        kubeclient.create_or_update_secret(istio_certs_resource)
+      end
+
+      def istio_ca_certs_resource
+        Gitlab::Kubernetes::GenericSecret.new(
+          'istio-ingressgateway-ca-certs',
+          {
+            'cert.pem': Base64.strict_encode64(serverless_domain_cluster.certificate)
+          },
+          Clusters::Kubernetes::ISTIO_SYSTEM_NAMESPACE
+        ).generate
+      end
+
+      def istio_certs_resource
+        Gitlab::Kubernetes::TlsSecret.new(
+          'istio-ingressgateway-certs',
+          serverless_domain_cluster.certificate,
+          serverless_domain_cluster.key,
+          Clusters::Kubernetes::ISTIO_SYSTEM_NAMESPACE
+        ).generate
+      end
+
+      def set_gateway_wildcard_https(tls_resource)
+        gateway_resource = gateway
+        gateway_resource.spec.servers.each do |server|
+          next unless server.hosts == ['*'] && server.port.name == 'https'
+
+          server.tls = tls_resource
+        end
+        kubeclient.update_gateway(gateway_resource)
+      end
+
+      def configure_passthrough
+        set_gateway_wildcard_https(PASSTHROUGH_RESOURCE)
+      end
+
+      def gateway
+        kubeclient.get_gateway('knative-ingress-gateway', Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE)
+      end
+    end
+  end
+end

app/services/snippets/count_service.rb

+# frozen_string_literal: true
+
+# Service for calculating visible Snippet counts via one query
+# for the given user or project.
+#
+# Authorisation level checks will be included, ensuring the correct
+# counts will be returned for the given user (if any).
+#
+# Basic usage:
+#
+#   user = User.find(1)
+#
+#   Snippets::CountService.new(user, author: user).execute
+#   #=> {
+#     are_public: 1,
+#     are_internal: 1,
+#     are_private: 1,
+#     all: 3
+#   }
+#
+# Counts can be scoped to a project:
+#
+#   user = User.find(1)
+#   project = Project.find(1)
+#
+#   Snippets::CountService.new(user, project: project).execute
+#   #=> {
+#     are_public: 1,
+#     are_internal: 1,
+#     are_private: 0,
+#     all: 2
+#   }
+#
+# Either a project or an author *must* be supplied.
+module Snippets
+  class CountService
+    def initialize(current_user, author: nil, project: nil)
+      if !author && !project
+        raise(
+          ArgumentError, 'Must provide either an author or a project'
+        )
+      end
+
+      @snippets_finder = SnippetsFinder.new(current_user, author: author, project: project)
+    end
+
+    def execute
+      counts = snippet_counts
+      return {} unless counts
+
+      counts.slice(
+        :are_public,
+        :are_private,
+        :are_internal,
+        :are_public_or_internal,
+        :total
+      )
+    end
+
+    private
+
+    # rubocop: disable CodeReuse/ActiveRecord
+    def snippet_counts
+      @snippets_finder.execute
+        .reorder(nil)
+        .select("
+          count(case when snippets.visibility_level=#{Snippet::PUBLIC} and snippets.secret is FALSE then 1 else null end) as are_public,
+          count(case when snippets.visibility_level=#{Snippet::INTERNAL} then 1 else null end) as are_internal,
+          count(case when snippets.visibility_level=#{Snippet::PRIVATE} then 1 else null end) as are_private,
+          count(case when visibility_level=#{Snippet::PUBLIC} OR visibility_level=#{Snippet::INTERNAL} then 1 else null end) as are_public_or_internal,
+          count(*) as total
+        ")
+        .first
+    end
+    # rubocop: enable CodeReuse/ActiveRecord
+  end
+end

app/views/dashboard/snippets/index.html.haml

@@ -5,7 +5,7 @@
 = render 'dashboard/snippets_head'
 - if current_user.snippets.exists?
-  = render partial: 'snippets/snippets_scope_menu', locals: { include_private: true }
+  = render partial: 'snippets/snippets_scope_menu', locals: { include_private: true, counts: @snippet_counts }
 - if current_user.snippets.exists?
   = render partial: 'shared/snippets/list', locals: { link_project: true }

app/views/projects/snippets/index.html.haml

@@ -5,7 +5,7 @@
   - if current_user
     .top-area
       - include_private = @project.team.member?(current_user) || current_user.admin?
-      = render partial: 'snippets/snippets_scope_menu', locals: { subject: @project, include_private: include_private }
+      = render partial: 'snippets/snippets_scope_menu', locals: { subject: @project, include_private: include_private, counts: @snippet_counts }
       - if new_project_snippet_link.present?
         .nav-controls

app/views/snippets/_snippets_scope_menu.html.haml

@@ -7,25 +7,25 @@
       = _("All")
       %span.badge.badge-pill
         - if include_private
-          = subject.snippets.count
+          = counts[:total]
         - else
-          = subject.snippets.public_and_internal_only.count
+          = counts[:are_public_or_internal]
   - if include_private
     %li{ class: active_when(params[:scope] == "are_private") }
       = link_to subject_snippets_path(subject, scope: 'are_private') do
         = _("Private")
         %span.badge.badge-pill
-          = subject.snippets.are_private.count
+          = counts[:are_private]
   %li{ class: active_when(params[:scope] == "are_internal") }
     = link_to subject_snippets_path(subject, scope: 'are_internal') do
       = _("Internal")
       %span.badge.badge-pill
-        = subject.snippets.are_internal.count
+        = counts[:are_internal]
   %li{ class: active_when(params[:scope] == "are_public") }
     = link_to subject_snippets_path(subject, scope: 'are_public') do
       = _("Public")
       %span.badge.badge-pill
-        = subject.snippets.are_public.count
+        = counts[:are_public]

app/workers/all_queues.yml

@@ -231,6 +231,12 @@
   :latency_sensitive: 
   :resource_boundary: :unknown
   :weight: 1
+- :name: gcp_cluster:cluster_configure_istio
+  :feature_category: :kubernetes_management
+  :has_external_dependencies: true
+  :latency_sensitive: 
+  :resource_boundary: :unknown
+  :weight: 1
 - :name: gcp_cluster:cluster_install_app
   :feature_category: :kubernetes_management
   :has_external_dependencies: true

app/workers/cluster_configure_istio_worker.rb

+# frozen_string_literal: true
+
+class ClusterConfigureIstioWorker
+  include ApplicationWorker
+  include ClusterQueue
+
+  worker_has_external_dependencies!
+
+  def perform(cluster_id)
+    Clusters::Cluster.find_by_id(cluster_id).try do |cluster|
+      Clusters::Kubernetes::ConfigureIstioIngressService.new(cluster: cluster).execute
+    end
+  end
+end

changelogs/unreleased/118442-restyle-changes-header-and-file-tree.yml

+---
+title: Restyle changes header & file tree
+merge_request: 22364
+author:
+type: changed

changelogs/unreleased/201893-resolve-soft-email-confirmation-flow.yml

+---
+title: Allow a grace period for new users to confirm their email
+merge_request: 24371
+author:
+type: added