Automatic merge of gitlab-org/gitlab-ce master

app/models/clusters/applications/cert_manager.rb

@@ -3,7 +3,8 @@
 module Clusters
   module Applications
     class CertManager < ApplicationRecord
-      VERSION = 'v0.5.2'.freeze
+      VERSION = 'v0.9.1'
+      CRD_VERSION = '0.9'
 
       self.table_name = 'clusters_applications_cert_managers'
 
@@ -21,16 +22,22 @@ module Clusters
       validates :email, presence: true
 
       def chart
-        'stable/cert-manager'
+        'certmanager/cert-manager'
+      end
+
+      def repository
+        'https://charts.jetstack.io'
       end
 
       def install_command
         Gitlab::Kubernetes::Helm::InstallCommand.new(
           name: 'certmanager',
+          repository: repository,
           version: VERSION,
           rbac: cluster.platform_kubernetes_rbac?,
           chart: chart,
           files: files.merge(cluster_issuer_file),
+          preinstall: pre_install_script,
           postinstall: post_install_script
         )
       end
@@ -46,16 +53,30 @@ module Clusters
 
       private
 
+      def pre_install_script
+        [
+          apply_file("https://raw.githubusercontent.com/jetstack/cert-manager/release-#{CRD_VERSION}/deploy/manifests/00-crds.yaml"),
+          "kubectl label --overwrite namespace #{Gitlab::Kubernetes::Helm::NAMESPACE} certmanager.k8s.io/disable-validation=true"
+        ]
+      end
+
       def post_install_script
-        ["kubectl create -f /data/helm/certmanager/config/cluster_issuer.yaml"]
+        [retry_command(apply_file('/data/helm/certmanager/config/cluster_issuer.yaml'))]
+      end
+
+      def retry_command(command)
+        "for i in $(seq 1 30); do #{command} && break; sleep 1s; echo \"Retrying ($i)...\"; done"
       end
 
       def post_delete_script
         [
           delete_private_key,
           delete_crd('certificates.certmanager.k8s.io'),
+          delete_crd('certificaterequests.certmanager.k8s.io'),
+          delete_crd('challenges.certmanager.k8s.io'),
           delete_crd('clusterissuers.certmanager.k8s.io'),
-          delete_crd('issuers.certmanager.k8s.io')
+          delete_crd('issuers.certmanager.k8s.io'),
+          delete_crd('orders.certmanager.k8s.io')
         ].compact
       end
 
@@ -75,6 +96,10 @@ module Clusters
         Gitlab::Kubernetes::KubectlCmd.delete("crd", definition, "--ignore-not-found")
       end
 
+      def apply_file(filename)
+        Gitlab::Kubernetes::KubectlCmd.apply_file(filename)
+      end
+
       def cluster_issuer_file
         {
           'cluster_issuer.yaml': cluster_issuer_yaml_content

changelogs/unreleased/cert_manager_v0_9.yml

+---
+title: Install cert-manager v0.9.1
+merge_request: 32243
+author:
+type: changed

doc/user/application_security/security_dashboard/index.md

@@ -65,16 +65,11 @@ Once you're on the dashboard, at the top you should see a series of filters for:
 NOTE: **Note:**
 The dashboard only shows projects with [security reports](#supported-reports) enabled in a group.
 
-![dashboard with action buttons and metrics](img/group_security_dashboard.png)
+![dashboard with action buttons and metrics](img/group_security_dashboard_v12_3.png)
 
 Selecting one or more filters will filter the results in this page.
-The first section is an overview of all the vulnerabilities, grouped by severity.
-Underneath this overview is a timeline chart that shows how many open
-vulnerabilities your projects had at various points in time. You can filter among 30, 60, and
-90 days, with the default being 90. Hover over the chart to get more details about
-the open vulnerabilities at a specific time.
 
-Finally, there is a list of all the vulnerabilities in the group, sorted by severity.
+The main section is a list of all the vulnerabilities in the group, sorted by severity.
 In that list, you can see the severity of the vulnerability, its name, its
 confidence (likelihood of the vulnerability to be a positive one), and the project
 it's from.
@@ -85,6 +80,11 @@ If you hover over a row, there will appear some actions you can take:
 - "Create issue"
 - "Dismiss vulnerability"
 
+Next to the list is a timeline chart that shows how many open
+vulnerabilities your projects had at various points in time. You can filter among 30, 60, and
+90 days, with the default being 90. Hover over the chart to get more details about
+the open vulnerabilities at a specific time.
+
 Read more on how to [interact with the vulnerabilities](../index.md#interacting-with-the-vulnerabilities).
 
 ## Keeping the dashboards up to date

doc/user/project/integrations/prometheus.md

@@ -393,6 +393,27 @@ The following requirements must be met for the metric to unfurl:
 
 ![Embedded Metrics](img/embed_metrics.png)
 
+### Embedding live Grafana charts
+
+It is also possible to embed live [Grafana](https://docs.gitlab.com/omnibus/settings/grafana.html) charts within issues, as a [Direct Linked Rendered Image](https://grafana.com/docs/reference/sharing/#direct-link-rendered-image).
+
+The sharing dialog within Grafana provides the link, as highlighted below.
+
+![Grafana Direct Linked Rendered Image](img/grafana_live_embed.png)
+
+NOTE: **Note:**
+For this embed to display correctly the Grafana instance must be available to the target user, either as a public dashboard or on the same network.
+
+Copy the link and add an image tag as [inline HTML](../../markdown.md#inline-html) in your markdown. You may tweak the query parameters as required. For instance, removing the `&from=` and `&to=` parameters will give you a live chart. Here is example markup for a live chart from GitLab's public dashboard:
+
+```html
+<img src="https://dashboards.gitlab.com/render/d-solo/RZmbBr7mk/gitlab-triage?orgId=1&refresh=30s&var-env=gprd&var-environment=gprd&var-prometheus=prometheus-01-inf-gprd&var-prometheus_app=prometheus-app-01-inf-gprd&var-backend=All&var-type=All&var-stage=main&panelId=1247&width=1000&height=300"/>
+```
+
+This will render like so:
+
+<img src="https://dashboards.gitlab.com/render/d-solo/RZmbBr7mk/gitlab-triage?orgId=1&refresh=30s&var-env=gprd&var-environment=gprd&var-prometheus=prometheus-01-inf-gprd&var-prometheus_app=prometheus-app-01-inf-gprd&var-backend=All&var-type=All&var-stage=main&panelId=1247&width=1000&height=300"/>
+
 ## Troubleshooting
 
 If the "No data found" screen continues to appear, it could be due to:

spec/models/clusters/applications/cert_manager_spec.rb

@@ -44,11 +44,18 @@ describe Clusters::Applications::CertManager do
 
     it 'is initialized with cert_manager arguments' do
       expect(subject.name).to eq('certmanager')
-      expect(subject.chart).to eq('stable/cert-manager')
-      expect(subject.version).to eq('v0.5.2')
+      expect(subject.chart).to eq('certmanager/cert-manager')
+      expect(subject.repository).to eq('https://charts.jetstack.io')
+      expect(subject.version).to eq('v0.9.1')
       expect(subject).to be_rbac
       expect(subject.files).to eq(cert_manager.files.merge(cluster_issuer_file))
-      expect(subject.postinstall).to eq(['kubectl create -f /data/helm/certmanager/config/cluster_issuer.yaml'])
+      expect(subject.preinstall).to eq([
+        'kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.9/deploy/manifests/00-crds.yaml',
+        'kubectl label --overwrite namespace gitlab-managed-apps certmanager.k8s.io/disable-validation=true'
+      ])
+      expect(subject.postinstall).to eq([
+        'for i in $(seq 1 30); do kubectl apply -f /data/helm/certmanager/config/cluster_issuer.yaml && break; sleep 1s; echo "Retrying ($i)..."; done'
+      ])
     end
 
     context 'for a specific user' do
@@ -75,7 +82,7 @@ describe Clusters::Applications::CertManager do
       let(:cert_manager) { create(:clusters_applications_cert_manager, :errored, version: '0.0.1') }
 
       it 'is initialized with the locked version' do
-        expect(subject.version).to eq('v0.5.2')
+        expect(subject.version).to eq('v0.9.1')
       end
     end
   end
@@ -93,10 +100,13 @@ describe Clusters::Applications::CertManager do
 
     it 'specifies a post delete command to remove custom resource definitions' do
       expect(subject.postdelete).to eq([
-        "kubectl delete secret -n gitlab-managed-apps letsencrypt-prod --ignore-not-found",
+        'kubectl delete secret -n gitlab-managed-apps letsencrypt-prod --ignore-not-found',
         'kubectl delete crd certificates.certmanager.k8s.io --ignore-not-found',
+        'kubectl delete crd certificaterequests.certmanager.k8s.io --ignore-not-found',
+        'kubectl delete crd challenges.certmanager.k8s.io --ignore-not-found',
         'kubectl delete crd clusterissuers.certmanager.k8s.io --ignore-not-found',
-        'kubectl delete crd issuers.certmanager.k8s.io --ignore-not-found'
+        'kubectl delete crd issuers.certmanager.k8s.io --ignore-not-found',
+        'kubectl delete crd orders.certmanager.k8s.io --ignore-not-found'
       ])
     end
 
@@ -111,8 +121,11 @@ describe Clusters::Applications::CertManager do
       it 'does not try and delete the secret' do
         expect(subject.postdelete).to eq([
           'kubectl delete crd certificates.certmanager.k8s.io --ignore-not-found',
+          'kubectl delete crd certificaterequests.certmanager.k8s.io --ignore-not-found',
+          'kubectl delete crd challenges.certmanager.k8s.io --ignore-not-found',
           'kubectl delete crd clusterissuers.certmanager.k8s.io --ignore-not-found',
-          'kubectl delete crd issuers.certmanager.k8s.io --ignore-not-found'
+          'kubectl delete crd issuers.certmanager.k8s.io --ignore-not-found',
+          'kubectl delete crd orders.certmanager.k8s.io --ignore-not-found'
         ])
       end
     end