Add latest changes from gitlab-org/gitlab@master

app/assets/stylesheets/framework/common.scss

@@ -573,6 +573,7 @@ img.emoji {
 .gl-font-size-large { font-size: $gl-font-size-large; }
 .gl-line-height-24 { line-height: $gl-line-height-24; }
+.gl-line-height-14 { line-height: $gl-line-height-14; }
 .gl-font-size-12 { font-size: $gl-font-size-12; }
 .gl-font-size-14 { font-size: $gl-font-size-14; }

app/controllers/concerns/sourcegraph_gon.rb → app/controllers/concerns/sourcegraph_decorator.rb

 # frozen_string_literal: true
-module SourcegraphGon
+module SourcegraphDecorator
   extend ActiveSupport::Concern
   included do
     before_action :push_sourcegraph_gon, if: :html_request?
+
+    content_security_policy do |p|
+      next if p.directives.blank?
+      next unless Gitlab::CurrentSettings.sourcegraph_enabled
+
+      default_connect_src = p.directives['connect-src'] || p.directives['default-src']
+      connect_src_values = Array.wrap(default_connect_src) | [Gitlab::CurrentSettings.sourcegraph_url]
+      p.connect_src(*connect_src_values)
+    end
   end
   private

app/controllers/projects/blob_controller.rb

@@ -8,7 +8,7 @@ class Projects::BlobController < Projects::ApplicationController
   include NotesHelper
   include ActionView::Helpers::SanitizeHelper
   include RedirectsForMissingPathOnTree
-  include SourcegraphGon
+  include SourcegraphDecorator
   prepend_before_action :authenticate_user!, only: [:edit]

app/controllers/projects/commit_controller.rb

@@ -8,7 +8,7 @@ class Projects::CommitController < Projects::ApplicationController
   include CreatesCommit
   include DiffForPath
   include DiffHelper
-  include SourcegraphGon
+  include SourcegraphDecorator
   # Authorize
   before_action :require_non_empty_project

app/controllers/projects/merge_requests_controller.rb

@@ -9,7 +9,7 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
   include ToggleAwardEmoji
   include IssuableCollections
   include RecordUserLastActivity
-  include SourcegraphGon
+  include SourcegraphDecorator
   skip_before_action :merge_request, only: [:index, :bulk_update]
   before_action :whitelist_query_limiting, only: [:assign_related_issues, :update]

app/finders/clusters/knative_serving_namespace_finder.rb

-# frozen_string_literal: true
-
-module Clusters
-  class KnativeServingNamespaceFinder
-    attr_reader :cluster
-
-    def initialize(cluster)
-      @cluster = cluster
-    end
-
-    def execute
-      cluster.kubeclient&.get_namespace(Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE)
-    rescue Kubeclient::ResourceNotFoundError
-      nil
-    rescue Kubeclient::HttpError => e
-      # If the kubernetes auth engine is enabled, it will return 403
-      if e.error_code == 403
-        Gitlab::ErrorTracking.track_exception(e)
-        nil
-      else
-        raise
-      end
-    end
-  end
-end

app/finders/clusters/knative_version_role_binding_finder.rb

-# frozen_string_literal: true
-
-module Clusters
-  class KnativeVersionRoleBindingFinder
-    attr_reader :cluster
-
-    def initialize(cluster)
-      @cluster = cluster
-    end
-
-    def execute
-      cluster.kubeclient&.get_cluster_role_binding(Clusters::Kubernetes::GITLAB_KNATIVE_VERSION_ROLE_BINDING_NAME)
-    rescue Kubeclient::ResourceNotFoundError
-      nil
-    end
-  end
-end

app/services/clusters/kubernetes.rb

@@ -12,8 +12,5 @@ module Clusters
     GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME = 'gitlab-knative-serving-rolebinding'
     GITLAB_CROSSPLANE_DATABASE_ROLE_NAME = 'gitlab-crossplane-database-role'
     GITLAB_CROSSPLANE_DATABASE_ROLE_BINDING_NAME = 'gitlab-crossplane-database-rolebinding'
-    GITLAB_KNATIVE_VERSION_ROLE_NAME = 'gitlab-knative-version-role'
-    GITLAB_KNATIVE_VERSION_ROLE_BINDING_NAME = 'gitlab-knative-version-rolebinding'
-    KNATIVE_SERVING_NAMESPACE = 'knative-serving'
   end
 end

app/services/clusters/kubernetes/create_or_update_service_account_service.rb

@@ -49,14 +49,8 @@ module Clusters
         create_or_update_knative_serving_role
         create_or_update_knative_serving_role_binding
-
         create_or_update_crossplane_database_role
         create_or_update_crossplane_database_role_binding
-
-        return unless knative_serving_namespace
-
-        create_or_update_knative_version_role
-        create_or_update_knative_version_role_binding
       end
       private
@@ -70,12 +64,6 @@ module Clusters
         ).ensure_exists!
       end
-      def knative_serving_namespace
-        kubeclient.get_namespace(Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE)
-      rescue Kubeclient::ResourceNotFoundError
-        nil
-      end
-
       def create_role_or_cluster_role_binding
         if namespace_creator
           kubeclient.create_or_update_role_binding(role_binding_resource)
@@ -100,14 +88,6 @@ module Clusters
         kubeclient.update_role_binding(crossplane_database_role_binding_resource)
       end
-      def create_or_update_knative_version_role
-        kubeclient.update_cluster_role(knative_version_role_resource)
-      end
-
-      def create_or_update_knative_version_role_binding
-        kubeclient.update_cluster_role_binding(knative_version_role_binding_resource)
-      end
-
       def service_account_resource
         Gitlab::Kubernetes::ServiceAccount.new(
           service_account_name,
@@ -186,27 +166,6 @@ module Clusters
           service_account_name: service_account_name
         ).generate
       end
-
-      def knative_version_role_resource
-        Gitlab::Kubernetes::ClusterRole.new(
-          name: Clusters::Kubernetes::GITLAB_KNATIVE_VERSION_ROLE_NAME,
-          rules: [{
-            apiGroups: %w(apps),
-            resources: %w(deployments),
-            verbs: %w(list get)
-          }]
-        ).generate
-      end
-
-      def knative_version_role_binding_resource
-        subjects = [{ kind: 'ServiceAccount', name: service_account_name, namespace: service_account_namespace }]
-
-        Gitlab::Kubernetes::ClusterRoleBinding.new(
-          Clusters::Kubernetes::GITLAB_KNATIVE_VERSION_ROLE_BINDING_NAME,
-          Clusters::Kubernetes::GITLAB_KNATIVE_VERSION_ROLE_NAME,
-          subjects
-        ).generate
-      end
     end
   end
 end

changelogs/unreleased/revert-knative-version-prerequisite.yml

+---
+title: Reverts Add RBAC permissions for getting knative version
+merge_request: 22560
+author:
+type: fixed

changelogs/unreleased/sh-fix-unique-ips-limiter.yml

+---
+title: Fix deploy tokens erroneously triggering unique IP limits
+merge_request: 22445
+author:
+type: fixed

doc/ci/yaml/README.md

@@ -2313,6 +2313,23 @@ This example creates three paths of execution:
 - Related to the above, stages must be explicitly defined for all jobs
   that have the keyword `needs:` or are referred to by one.
+##### Changing the `needs:` job limit
+
+The maximum number of jobs that can be defined within `needs:` defaults to 10, but
+can be changed to 50 via a feature flag. To change the limit to 50,
+[start a Rails console session](https://docs.gitlab.com/omnibus/maintenance/#starting-a-rails-console-session)
+and run:
+
+```ruby
+Feature::disable(:ci_dag_limit_needs)
+```
+
+To set it back to 10, run the opposite command:
+
+```ruby
+Feature::enable(:ci_dag_limit_needs)
+```
+
 #### Artifact downloads with `needs`
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/14311) in GitLab v12.6.

doc/user/project/clusters/serverless/index.md

@@ -118,8 +118,7 @@ You must do the following:
 1. Ensure GitLab can manage Knative:
    - For a non-GitLab managed cluster, ensure that the service account for the token
-     provided can manage resources in the `serving.knative.dev` API group. It will also
-     need list access to the deployments in the `knative-serving` namespace.
+     provided can manage resources in the `serving.knative.dev` API group.
    - For a GitLab managed cluster, if you added the cluster in [GitLab 12.1 or later](https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/30235),
      then GitLab will already have the required access and you can proceed to the next step.
@@ -156,19 +155,6 @@ You must do the following:
        - delete
        - patch
        - watch
-     ---
-     apiVersion: rbac.authorization.k8s.io/v1
-     kind: ClusterRole
-     metadata:
-       name: gitlab-knative-version-role
-     rules:
-     - apiGroups:
-       - apps
-       resources:
-       - deployments
-       verbs:
-       - list
-       - get
      ```
      Then run the following command:

lib/api/remote_mirrors.rb

@@ -7,6 +7,8 @@ module API
     before do
       # TODO: Remove flag: https://gitlab.com/gitlab-org/gitlab/issues/38121
       not_found! unless Feature.enabled?(:remote_mirrors_api, user_project)
+
+      unauthorized! unless can?(current_user, :admin_remote_mirror, user_project)
     end
     params do
@@ -20,11 +22,35 @@ module API
         use :pagination
       end
       get ':id/remote_mirrors' do
-        unauthorized! unless can?(current_user, :admin_remote_mirror, user_project)
-
         present paginate(user_project.remote_mirrors),
           with: Entities::RemoteMirror
       end
+
+      desc 'Update the attributes of a single remote mirror' do
+        success Entities::RemoteMirror
+      end
+      params do
+        requires :mirror_id, type: String, desc: 'The ID of a remote mirror'
+        optional :enabled, type: Boolean, desc: 'Determines if the mirror is enabled'
+        optional :only_protected_branches, type: Boolean, desc: 'Determines if only protected branches are mirrored'
+      end
+      put ':id/remote_mirrors/:mirror_id' do
+        mirror = user_project.remote_mirrors.find(params[:mirror_id])
+
+        mirror_params = declared_params(include_missing: false)
+        mirror_params[:id] = mirror_params.delete(:mirror_id)
+        update_params = { remote_mirrors_attributes: mirror_params }
+
+        result = ::Projects::UpdateService
+          .new(user_project, current_user, update_params)
+          .execute
+
+        if result[:status] == :success
+          present mirror.reset, with: Entities::RemoteMirror
+        else
+          render_api_error!(result[:message], result[:http_status])
+        end
+      end
     end
   end
 end

lib/gitlab/auth.rb

@@ -54,7 +54,7 @@ module Gitlab
           Gitlab::Auth::Result.new
         rate_limit!(rate_limiter, success: result.success?, login: login)
-        Gitlab::Auth::UniqueIpsLimiter.limit_user!(result.actor)
+        look_to_limit_user(result.actor)
         return result if result.success? || authenticate_using_internal_or_ldap_password?
@@ -129,6 +129,10 @@ module Gitlab
         ::Ci::Build::CI_REGISTRY_USER == login
       end
+      def look_to_limit_user(actor)
+        Gitlab::Auth::UniqueIpsLimiter.limit_user!(actor) if actor.is_a?(User)
+      end
+
       def authenticate_using_internal_or_ldap_password?
         Gitlab::CurrentSettings.password_authentication_enabled_for_git? || Gitlab::Auth::LDAP::Config.enabled?
       end

lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb

@@ -8,7 +8,7 @@ module Gitlab
           def unmet?
             deployment_cluster.present? &&
               deployment_cluster.managed? &&
-              (missing_namespace? || need_knative_version_role_binding?)
+              missing_namespace?
           end
           def complete!
@@ -23,10 +23,6 @@ module Gitlab
             kubernetes_namespace.nil? || kubernetes_namespace.service_account_token.blank?
           end
-          def need_knative_version_role_binding?
-            !knative_serving_namespace.nil? && knative_version_role_binding.nil?
-          end
-
           def deployment_cluster
             build.deployment&.cluster
           end
@@ -35,22 +31,6 @@ module Gitlab
             build.deployment.environment
           end
-          def knative_serving_namespace
-            strong_memoize(:knative_serving_namespace) do
-              Clusters::KnativeServingNamespaceFinder.new(
-                deployment_cluster
-              ).execute
-            end
-          end
-
-          def knative_version_role_binding
-            strong_memoize(:knative_version_role_binding) do
-              Clusters::KnativeVersionRoleBindingFinder.new(
-                deployment_cluster
-              ).execute
-            end
-          end
-
           def kubernetes_namespace
             strong_memoize(:kubernetes_namespace) do
               Clusters::KubernetesNamespaceFinder.new(

lib/gitlab/kubernetes/cluster_role.rb

-# frozen_string_literal: true
-
-module Gitlab
-  module Kubernetes
-    class ClusterRole
-      attr_reader :name, :rules
-
-      def initialize(name:, rules:)
-        @name = name
-        @rules = rules
-      end
-
-      def generate
-        ::Kubeclient::Resource.new(
-          metadata: metadata,
-          rules: rules
-        )
-      end
-
-      private
-
-      def metadata
-        {
-          name: name
-        }
-      end
-    end
-  end
-end

lib/gitlab/kubernetes/kube_client.rb

@@ -57,7 +57,6 @@ module Gitlab
       # group client
       delegate :create_cluster_role_binding,
         :get_cluster_role_binding,
-        :get_cluster_role_bindings,
         :update_cluster_role_binding,
         to: :rbac_client
@@ -68,13 +67,6 @@ module Gitlab
       :update_role,
       to: :rbac_client
-      # RBAC methods delegates to the apis/rbac.authorization.k8s.io api
-      # group client
-      delegate :create_cluster_role,
-      :get_cluster_role,
-      :update_cluster_role,
-      to: :rbac_client
-
       # RBAC methods delegates to the apis/rbac.authorization.k8s.io api
       # group client
       delegate :create_role_binding,

locale/gitlab.pot

@@ -10365,9 +10365,6 @@ msgstr ""
 msgid "Label"
 msgstr ""
-msgid "Label List"
-msgstr ""
-
 msgid "Label actions dropdown"
 msgstr ""
@@ -10791,6 +10788,9 @@ msgstr ""
 msgid "List"
 msgstr ""
+msgid "List Label"
+msgstr ""
+
 msgid "List Settings"
 msgstr ""
@@ -16882,6 +16882,9 @@ msgstr ""
 msgid "Something went wrong while stopping this environment. Please try again."
 msgstr ""
+msgid "Something went wrong while updating your list settings"
+msgstr ""
+
 msgid "Something went wrong, unable to add %{project} to dashboard"
 msgstr ""
@@ -20653,6 +20656,9 @@ msgstr ""
 msgid "Withdraw Access Request"
 msgstr ""
+msgid "Work in Progress Limit"
+msgstr ""
+
 msgid "Workflow Help"
 msgstr ""

scripts/trigger-build

@@ -18,11 +18,16 @@ module Trigger
   class Base
     def invoke!(post_comment: false, downstream_job_name: nil)
+      pipeline_variables = variables
+
+      puts "Triggering downstream pipeline on #{downstream_project_path}"
+      puts "with variables #{pipeline_variables}"
+
       pipeline = Gitlab.run_trigger(
         downstream_project_path,
         trigger_token,
         ref,
-        variables)
+        pipeline_variables)
       puts "Triggered downstream pipeline: #{pipeline.web_url}\n"
       puts "Waiting for downstream pipeline status"