Merge branch 'master' into ce-to-ee-2018-03-27

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

CHANGELOG-EE.md

 Please view this file on the master branch, on stable branches it's out of date.
 
+## 10.6.1 (2018-03-27)
+
+### Fixed (8 changes)
+
+- Fix LDAP group sync permission override UI. !5003
+- Hard failing a mirror no longer fails for a blocked user's personal project. !5063
+- Geo - Avoid rescheduling the same project again in a backfill condition. !5069
+- Mark disabled wikis as fully synced. !5104
+- Fix excessive updates to file_registry when wiki is disabled. !5119
+- Geo: Recovery from temporary directory doesn't work if the namespace directory doesn't exist.
+- Define a chat responder for the Slack app.
+- Resolve "undefined method 'log_transfer_error'".
+
+### Added (1 change)
+
+- Also log Geo Prometheus metrics from primary. !5058
+
+### Other (1 change)
+
+- Update Epic documentation to include labels.
+
+
 ## 10.6.0 (2018-03-22)
 
 ### Security (2 changes)

CHANGELOG.md

@@ -2,6 +2,27 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 10.6.1 (2018-03-27)
+
+### Security (1 change)
+
+- Bump rails-html-sanitizer to 1.0.4.
+
+### Fixed (3 changes)
+
+- Prevent auto-retry AccessDenied error from stopping transition to failed. !17862
+- Fix 500 error when trying to resolve non-ASCII conflicts in the editor. !17962
+- Don't capture trailing punctuation when autolinking. !17965
+
+### Performance (1 change)
+
+- Add indexes for user activity queries. !17890
+
+### Other (1 change)
+
+- Add documentation for runner IP address (#44232). !17837
+
+
 ## 10.6.0 (2018-03-22)
 
 ### Security (4 changes)

app/models/clusters/cluster.rb

@@ -11,6 +11,7 @@ module Clusters
       Applications::Prometheus.application_name => Applications::Prometheus,
       Applications::Runner.application_name => Applications::Runner
     }.freeze
+    DEFAULT_ENVIRONMENT = '*'.freeze
 
     belongs_to :user
 
@@ -52,6 +53,7 @@ module Clusters
 
     scope :enabled, -> { where(enabled: true) }
     scope :disabled, -> { where(enabled: false) }
+    scope :default_environment, -> { where(environment_scope: DEFAULT_ENVIRONMENT) }
 
     def status_name
       if provider

app/models/concerns/deployment_platform.rb

 module DeploymentPlatform
-  # EE would override this and utilize the extra argument
+  # EE would override this and utilize environment argument
+  # rubocop:disable Gitlab/ModuleWithInstanceVariables
   def deployment_platform(environment: nil)
-    @deployment_platform ||=
-      find_cluster_platform_kubernetes ||
-      find_kubernetes_service_integration ||
-      build_cluster_and_deployment_platform
+    @deployment_platform ||= {}
+
+    @deployment_platform[environment] ||= find_deployment_platform(environment)
   end
 
   private
 
-  def find_cluster_platform_kubernetes
-    clusters.find_by(enabled: true)&.platform_kubernetes
+  def find_deployment_platform(environment)
+    find_cluster_platform_kubernetes(environment: environment) ||
+      find_kubernetes_service_integration ||
+      build_cluster_and_deployment_platform
+  end
+
+  # EE would override this and utilize environment argument
+  def find_cluster_platform_kubernetes(environment: nil)
+    clusters.enabled.default_environment
+      .last&.platform_kubernetes
   end
 
   def find_kubernetes_service_integration

app/views/admin/application_settings/_account_and_limit.html.haml

@@ -16,6 +16,9 @@
       = f.label :max_attachment_size, 'Maximum attachment size (MB)', class: 'control-label col-sm-2'
       .col-sm-10
         = f.number_field :max_attachment_size, class: 'form-control'
+
+      = render 'repository_size_limit_setting', form: f
+
     .form-group
       = f.label :session_expire_delay, 'Session duration (minutes)', class: 'control-label col-sm-2'
       .col-sm-10
@@ -36,4 +39,14 @@
             = f.check_box :user_default_external
             Newly registered users will by default be external
 
+    - if ::Gitlab.dev_env_or_com?
+      .form-group
+        = f.label :check_namespace_plan, 'Check feature availability on namespace plan', class: 'control-label col-sm-2'
+        .col-sm-10
+          .checkbox
+            = f.label :check_namespace_plan do
+              = f.check_box :check_namespace_plan
+              Enabling this will only make licensed EE features available to projects if the project namespace's plan
+              includes the feature or if the project is public.
+
   = f.submit 'Save changes', class: 'btn btn-success'

app/views/admin/application_settings/_form.html.haml

 = form_for @application_setting, url: admin_application_settings_path, html: { class: 'form-horizontal fieldset-form' } do |f|
   = form_errors(@application_setting)
 
-  %fieldset
-<<<<<<< HEAD
-    %legend Visibility and Access Controls
-    .form-group
-      = f.label :default_branch_protection, class: 'control-label col-sm-2'
-      .col-sm-10
-        = f.select :default_branch_protection, options_for_select(Gitlab::Access.protection_options, @application_setting.default_branch_protection), {}, class: 'form-control'
-    = render partial: 'admin/application_settings/ee/project_creation_level', locals: { form: f, application_setting: @application_setting }
-    .form-group.visibility-level-setting
-      = f.label :default_project_visibility, class: 'control-label col-sm-2'
-      .col-sm-10
-        = render('shared/visibility_radios', model_method: :default_project_visibility, form: f, selected_level: @application_setting.default_project_visibility, form_model: Project.new)
-    .form-group.visibility-level-setting
-      = f.label :default_snippet_visibility, class: 'control-label col-sm-2'
-      .col-sm-10
-        = render('shared/visibility_radios', model_method: :default_snippet_visibility, form: f, selected_level: @application_setting.default_snippet_visibility, form_model: ProjectSnippet.new)
-    .form-group.visibility-level-setting
-      = f.label :default_group_visibility, class: 'control-label col-sm-2'
-      .col-sm-10
-        = render('shared/visibility_radios', model_method: :default_group_visibility, form: f, selected_level: @application_setting.default_group_visibility, form_model: Group.new)
-    .form-group
-      = f.label :restricted_visibility_levels, class: 'control-label col-sm-2'
-      .col-sm-10
-        - checkbox_name = 'application_setting[restricted_visibility_levels][]'
-        = hidden_field_tag(checkbox_name)
-        - restricted_level_checkboxes('restricted-visibility-help', checkbox_name).each do |level|
-          .checkbox
-            = level
-        %span.help-block#restricted-visibility-help
-          Selected levels cannot be used by non-admin users for projects or snippets.
-          If the public level is restricted, user profiles are only visible to logged in users.
-    .form-group
-      = f.label :import_sources, class: 'control-label col-sm-2'
-      .col-sm-10
-        - import_sources_checkboxes('import-sources-help').each do |source|
-          .checkbox= source
-        %span.help-block#import-sources-help
-          Enabled sources for code import during project creation. OmniAuth must be configured for GitHub
-          = link_to "(?)", help_page_path("integration/github")
-          , Bitbucket
-          = link_to "(?)", help_page_path("integration/bitbucket")
-          and GitLab.com
-          = link_to "(?)", help_page_path("integration/gitlab")
-
-    .form-group
-      .col-sm-offset-2.col-sm-10
-        .checkbox
-          = f.label :project_export_enabled do
-            = f.check_box :project_export_enabled
-            Project export enabled
-
-    -# EE-only
-    - if ldap_enabled?
-      .form-group
-        = f.label :allow_group_owners_to_manage_ldap, 'LDAP settings', class: 'control-label col-sm-2'
-        .col-sm-10
-          .checkbox
-            = f.label :allow_group_owners_to_manage_ldap do
-              = f.check_box :allow_group_owners_to_manage_ldap
-              Allow group owners to manage LDAP-related settings
-          %span.help-block
-            If checked, group owners can manage LDAP group links and LDAP member overrides
-            = link_to icon('question-circle'), help_page_path('administration/auth/ldap-ee')
-
-    .form-group
-      %label.control-label.col-sm-2 Enabled Git access protocols
-      .col-sm-10
-        = select(:application_setting, :enabled_git_access_protocol, [['Both SSH and HTTP(S)', nil], ['Only SSH', 'ssh'], ['Only HTTP(S)', 'http']], {}, class: 'form-control')
-        %span.help-block#clone-protocol-help
-          Allow only the selected protocols to be used for Git access.
-
-    - ApplicationSetting::SUPPORTED_KEY_TYPES.each do |type|
-      - field_name = :"#{type}_key_restriction"
-      .form-group
-        = f.label field_name, "#{type.upcase} SSH keys", class: 'control-label col-sm-2'
-        .col-sm-10
-          = f.select field_name, key_restriction_options_for_select(type), {}, class: 'form-control'
-
-  %fieldset
-    %legend Account and Limit Settings
-    .form-group
-      .col-sm-offset-2.col-sm-10
-        .checkbox
-          = f.label :gravatar_enabled do
-            = f.check_box :gravatar_enabled
-            Gravatar enabled
-    .form-group
-      = f.label :default_projects_limit, class: 'control-label col-sm-2'
-      .col-sm-10
-        = f.number_field :default_projects_limit, class: 'form-control'
-    .form-group
-      = f.label :max_attachment_size, 'Maximum attachment size (MB)', class: 'control-label col-sm-2'
-      .col-sm-10
-        = f.number_field :max_attachment_size, class: 'form-control'
-
-    = render 'repository_size_limit_setting', form: f
-
-    .form-group
-      = f.label :session_expire_delay, 'Session duration (minutes)', class: 'control-label col-sm-2'
-      .col-sm-10
-        = f.number_field :session_expire_delay, class: 'form-control'
-        %span.help-block#session_expire_delay_help_block GitLab restart is required to apply changes
-    .form-group
-      = f.label :user_oauth_applications, 'User OAuth applications', class: 'control-label col-sm-2'
-      .col-sm-10
-        .checkbox
-          = f.label :user_oauth_applications do
-            = f.check_box :user_oauth_applications
-            Allow users to register any application to use GitLab as an OAuth provider
-    .form-group
-      = f.label :user_default_external, 'New users set to external', class: 'control-label col-sm-2'
-      .col-sm-10
-        .checkbox
-          = f.label :user_default_external do
-            = f.check_box :user_default_external
-            Newly registered users will by default be external
-
-    - if ::Gitlab.dev_env_or_com?
-      .form-group
-        = f.label :check_namespace_plan, 'Check feature availability on namespace plan', class: 'control-label col-sm-2'
-        .col-sm-10
-          .checkbox
-            = f.label :check_namespace_plan do
-              = f.check_box :check_namespace_plan
-              Enabling this will only make licensed EE features available to projects if the project namespace's plan
-              includes the feature or if the project is public.
-
   - if License.feature_available?(:repository_mirrors)
     = render partial: 'repository_mirrors_form', locals: { f: f }
 
   %fieldset
-    %legend Sign-up Restrictions
-    .form-group
-      .col-sm-offset-2.col-sm-10
-        .checkbox
-          = f.label :signup_enabled do
-            = f.check_box :signup_enabled
-            Sign-up enabled
-    .form-group
-      .col-sm-offset-2.col-sm-10
-        .checkbox
-          = f.label :send_user_confirmation_email do
-            = f.check_box :send_user_confirmation_email
-            Send confirmation email on sign-up
-    .form-group
-      = f.label :domain_whitelist, 'Whitelisted domains for sign-ups', class: 'control-label col-sm-2'
-      .col-sm-10
-        = f.text_area :domain_whitelist_raw, placeholder: 'domain.com', class: 'form-control', rows: 8
-        .help-block ONLY users with e-mail addresses that match these domain(s) will be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com
-    .form-group
-      = f.label :domain_blacklist_enabled, 'Domain Blacklist', class: 'control-label col-sm-2'
-      .col-sm-10
-        .checkbox
-          = f.label :domain_blacklist_enabled do
-            = f.check_box :domain_blacklist_enabled
-            Enable domain blacklist for sign ups
-    .form-group
-      .col-sm-offset-2.col-sm-10
-        .radio
-          = label_tag :blacklist_type_file do
-            = radio_button_tag :blacklist_type, :file
-            .option-title
-              Upload blacklist file
-        .radio
-          = label_tag :blacklist_type_raw do
-            = radio_button_tag :blacklist_type, :raw, @application_setting.domain_blacklist.present? || @application_setting.domain_blacklist.blank?
-            .option-title
-              Enter blacklist manually
-    .form-group.blacklist-file
-      = f.label :domain_blacklist_file, 'Blacklist file', class: 'control-label col-sm-2'
-      .col-sm-10
-        = f.file_field :domain_blacklist_file, class: 'form-control', accept: '.txt,.conf'
-        .help-block Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines or commas for multiple entries.
-    .form-group.blacklist-raw
-      = f.label :domain_blacklist, 'Blacklisted domains for sign-ups', class: 'control-label col-sm-2'
-      .col-sm-10
-        = f.text_area :domain_blacklist_raw, placeholder: 'domain.com', class: 'form-control', rows: 8
-        .help-block Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com
-
-    .form-group
-      = f.label :after_sign_up_text, class: 'control-label col-sm-2'
-      .col-sm-10
-        = f.text_area :after_sign_up_text, class: 'form-control', rows: 4
-        .help-block Markdown enabled
-
-  %fieldset
-    %legend Sign-in Restrictions
-    .form-group
-      .col-sm-offset-2.col-sm-10
-        .checkbox
-          = f.label :password_authentication_enabled_for_web do
-            = f.check_box :password_authentication_enabled_for_web
-            Password authentication enabled for web interface
-            .help-block
-              When disabled, an external authentication provider must be used.
-    .form-group
-      .col-sm-offset-2.col-sm-10
-        .checkbox
-          = f.label :password_authentication_enabled_for_git do
-            = f.check_box :password_authentication_enabled_for_git
-            Password authentication enabled for Git over HTTP(S)
-            .help-block
-              When disabled, a Personal Access Token
-              - if Gitlab::Auth::LDAP::Config.enabled?
-                or LDAP password
-              must be used to authenticate.
-    - if omniauth_enabled? && button_based_providers.any?
-      .form-group
-        = f.label :enabled_oauth_sign_in_sources, 'Enabled OAuth sign-in sources', class: 'control-label col-sm-2'
-        .col-sm-10
-          .btn-group{ data: { toggle: 'buttons' } }
-            - oauth_providers_checkboxes.each do |source|
-              = source
-    .form-group
-      = f.label :two_factor_authentication, 'Two-factor authentication', class: 'control-label col-sm-2'
-      .col-sm-10
-        .checkbox
-          = f.label :require_two_factor_authentication do
-            = f.check_box :require_two_factor_authentication
-            Require all users to setup Two-factor authentication
-    .form-group
-      = f.label :two_factor_authentication, 'Two-factor grace period (hours)', class: 'control-label col-sm-2'
-      .col-sm-10
-        = f.number_field :two_factor_grace_period, min: 0, class: 'form-control', placeholder: '0'
-        .help-block Amount of time (in hours) that users are allowed to skip forced configuration of two-factor authentication
-    .form-group
-      = f.label :home_page_url, 'Home page URL', class: 'control-label col-sm-2'
-      .col-sm-10
-        = f.text_field :home_page_url, class: 'form-control', placeholder: 'http://company.example.com', :'aria-describedby' => 'home_help_block'
-        %span.help-block#home_help_block We will redirect non-logged in users to this page
-    .form-group
-      = f.label :after_sign_out_path, class: 'control-label col-sm-2'
-      .col-sm-10
-        = f.text_field :after_sign_out_path, class: 'form-control', placeholder: 'http://company.example.com', :'aria-describedby' => 'after_sign_out_path_help_block'
-        %span.help-block#after_sign_out_path_help_block We will redirect users to this page after they sign out
-    .form-group
-      = f.label :sign_in_text, class: 'control-label col-sm-2'
-      .col-sm-10
-        = f.text_area :sign_in_text, class: 'form-control', rows: 4
-        .help-block Markdown enabled
-
-  %fieldset
-    %legend Help Page
-    .form-group
-      = f.label :help_text, class: 'control-label'
-      .col-sm-10
-        = f.text_area :help_text, class: 'form-control', rows: 4
-        .help-block Markdown enabled
-    .form-group
-      = f.label :help_page_text, class: 'control-label col-sm-2'
-      .col-sm-10
-        = f.text_area :help_page_text, class: 'form-control', rows: 4
-        .help-block Markdown enabled
-    .form-group
-      .col-sm-offset-2.col-sm-10
-        .checkbox
-          = f.label :help_page_hide_commercial_content do
-            = f.check_box :help_page_hide_commercial_content
-            Hide marketing-related entries from help
-    .form-group
-      = f.label :help_page_support_url, 'Support page URL', class: 'control-label col-sm-2'
-      .col-sm-10
-        = f.text_field :help_page_support_url, class: 'form-control', placeholder: 'http://company.example.com/getting-help', :'aria-describedby' => 'support_help_block'
-        %span.help-block#support_help_block Alternate support URL for help page
-
-  %fieldset
-    %legend Pages
-    .form-group
-      = f.label :max_pages_size, 'Maximum size of pages (MB)', class: 'control-label col-sm-2'
-      .col-sm-10
-        = f.number_field :max_pages_size, class: 'form-control'
-        .help-block 0 for unlimited
-    .form-group
-      .col-sm-offset-2.col-sm-10
-        .checkbox
-          = f.label :pages_domain_verification_enabled do
-            = f.check_box :pages_domain_verification_enabled
-            Require users to prove ownership of custom domains
-        .help-block
-          Domain verification is an essential security measure for public GitLab
-          sites. Users are required to demonstrate they control a domain before
-          it is enabled
-          = link_to icon('question-circle'), help_page_path('user/project/pages/getting_started_part_three.md', anchor: 'dns-txt-record')
-
-  %fieldset
-=======
->>>>>>> upstream/master
     %legend Continuous Integration and Deployment
     .form-group
       .col-sm-offset-2.col-sm-10

app/views/admin/application_settings/_help_page.html.haml

@@ -2,6 +2,11 @@
   = form_errors(@application_setting)
 
   %fieldset
+    .form-group
+      = f.label :help_text, class: 'control-label'
+      .col-sm-10
+        = f.text_area :help_text, class: 'form-control', rows: 4
+        .help-block Markdown enabled
     .form-group
       = f.label :help_page_text, class: 'control-label col-sm-2'
       .col-sm-10

app/views/admin/application_settings/_visibility_and_access.html.haml

@@ -6,6 +6,7 @@
       = f.label :default_branch_protection, class: 'control-label col-sm-2'
       .col-sm-10
         = f.select :default_branch_protection, options_for_select(Gitlab::Access.protection_options, @application_setting.default_branch_protection), {}, class: 'form-control'
+    = render partial: 'admin/application_settings/ee/project_creation_level', locals: { form: f, application_setting: @application_setting }
     .form-group.visibility-level-setting
       = f.label :default_project_visibility, class: 'control-label col-sm-2'
       .col-sm-10
@@ -42,6 +43,19 @@
           and GitLab.com
           = link_to "(?)", help_page_path("integration/gitlab")
 
+    -# EE-only
+    - if ldap_enabled?
+      .form-group
+        = f.label :allow_group_owners_to_manage_ldap, 'LDAP settings', class: 'control-label col-sm-2'
+        .col-sm-10
+          .checkbox
+            = f.label :allow_group_owners_to_manage_ldap do
+              = f.check_box :allow_group_owners_to_manage_ldap
+              Allow group owners to manage LDAP-related settings
+          %span.help-block
+            If checked, group owners can manage LDAP group links and LDAP member overrides
+            = link_to icon('question-circle'), help_page_path('administration/auth/ldap-ee')
+
     .form-group
       .col-sm-offset-2.col-sm-10
         .checkbox

changelogs/unreleased/44232-docs-for-runner-ip-address.yml

----
-title: Add documentation for runner IP address (#44232)
-merge_request: 17837
-author:
-type: other

changelogs/unreleased/44564-error-500-while-attempting-to-resolve-conflicts-due-to-utf-8-conversion-error.yml

----
-title: Fix 500 error when trying to resolve non-ASCII conflicts in the editor
-merge_request: 17962
-author:
-type: fixed

changelogs/unreleased/44587-autolinking-includes-trailing-exclamation-marks.yml

----
-title: Don't capture trailing punctuation when autolinking
-merge_request: 17965
-author:
-type: fixed

changelogs/unreleased/ab-44446-add-indexes-for-user-activity-queries.yml

----
-title: Add indexes for user activity queries.
-merge_request: 17890
-author:
-type: performance

changelogs/unreleased/fix-ci-job-auto-retry.yml

----
-title: Prevent auto-retry AccessDenied error from stopping transition to failed
-merge_request: 17862
-author:
-type: fixed

changelogs/unreleased/sh-update-loofah.yml

----
-title: Bump rails-html-sanitizer to 1.0.4
-merge_request:
-author:
-type: security

doc/administration/geo/replication/configuration.md

 # Geo configuration (GitLab Omnibus)
 
->**Note:**
+NOTE: **Note:**
 This is the documentation for the Omnibus GitLab packages. For installations
 from source, follow the [**Geo nodes configuration for installations
 from source**][configuration-source] guide.
 
 ## Configuring a new secondary node
 
->**Note:**
+NOTE: **Note:**
 This is the final step in setting up a secondary Geo node. Stages of the
 setup process must be completed in the documented order.
 Before attempting the steps in this stage, [complete all prior stages][setup-geo-omnibus].
@@ -20,9 +20,9 @@ You are encouraged to first read through all the steps before executing them
 in your testing/production environment.
 
 > **Notes:**
-- **Do not** setup any custom authentication in the secondary nodes, this will be
+> - **Do not** setup any custom authentication in the secondary nodes, this will be
   handled by the primary node.
-- Any change that requires access to the **Admin Area** needs to be done in the
+> - Any change that requires access to the **Admin Area** needs to be done in the
   primary node, as the secondary node is a read-only replica.
 
 ### Step 1. Manually replicate secret GitLab values

doc/administration/geo/replication/configuration_source.md

 # Geo configuration (source)
 
->**Note:**
+NOTE: **Note:**
 This is the documentation for installations from source. For installations
 using the Omnibus GitLab packages, follow the
 [**Omnibus Geo nodes configuration**][configuration] guide.
 
 ## Configuring a new secondary node
 
->**Note:**
+NOTE: **Note:**
 This is the final step in setting up a secondary Geo node. Stages of the setup
 process must be completed in the documented order. Before attempting the steps
 in this stage, [complete all prior stages][setup-geo-source].
@@ -20,7 +20,7 @@ You are encouraged to first read through all the steps before executing them
 in your testing/production environment.
 
 
->**Notes:**
+NOTE: **Notes:**
 - **Do not** setup any custom authentication in the secondary nodes, this will be
   handled by the primary node.
 - **Do not** add anything in the secondaries Geo nodes admin area

doc/administration/geo/replication/database.md

 # Geo database replication (GitLab Omnibus)
 
->**Note:**
+NOTE: **Note:**
 This is the documentation for the Omnibus GitLab packages. For installations
 from source, follow the
 [**database replication for installations from source**][database-source] guide.
 
->**Note:**
+NOTE: **Note:**
 If your GitLab installation uses external PostgreSQL, the Omnibus roles
 will not be able to perform all necessary configuration steps. Refer to the
 section on [External PostreSQL][external postgresql] for additional instructions.
 
->**Note:**
+NOTE: **Note:**
 The stages of the setup process must be completed in the documented order.
 Before attempting the steps in this stage, [complete all prior stages][toc].
 
@@ -28,7 +28,7 @@ The GitLab primary node where the write operations happen will connect to
 the primary database server, and the secondary nodes which are read-only will
 connect to the secondary database servers (which are also read-only).
 
->**Note:**
+NOTE: **Note:**
 In database documentation you may see "primary" being referenced as "master"
 and "secondary" as either "slave" or "standby" server (read-only).
 
@@ -261,7 +261,8 @@ The following guide assumes that:
     gitlab-ctl stop sidekiq
     ```
 
-   > **Note**: This step is important so we don't try to execute anything before the node is fully configured. 
+    NOTE: **Note**: 
+    This step is important so we don't try to execute anything before the node is fully configured. 
 
 1. [Check TCP connectivity][rake-maintenance] to the primary's PostgreSQL server:
 
@@ -269,7 +270,8 @@ The following guide assumes that:
     gitlab-rake gitlab:tcp_check[1.2.3.4,5432]
     ```
 
-    > **Note**: If this step fails, you may be using the wrong IP address, or a firewall may
+    NOTE: **Note**: 
+    If this step fails, you may be using the wrong IP address, or a firewall may
     be preventing access to the server. Check the IP address, paying close
     attention to the difference between public and private addresses and ensure
     that, if a firewall is present, the secondary is permitted to connect to the
@@ -368,7 +370,7 @@ The directories used are the defaults that are set up in Omnibus. If you have
 changed any defaults or are using a source installation, configure it as you
 see fit replacing the directories and paths.
 
->**Warning:**
+CAUTION: **Warning:**
 Make sure to run this on the **secondary** server as it removes all PostgreSQL's
 data before running `pg_basebackup`.
 
@@ -384,8 +386,8 @@ data before running `pg_basebackup`.
    name as shown in the commands below.
 
 1. Execute the command below to start a backup/restore and begin the replication
-   >**Warning:** Each Geo secondary must have its own unique replication slot name.
-   Using the same slot name between two secondaries will break PostgreSQL replication.
+    CAUTION: **Warning:** Each Geo secondary must have its own unique replication slot name.
+    Using the same slot name between two secondaries will break PostgreSQL replication.
 
     ```bash
     gitlab-ctl replicate-geo-database --slot-name=secondary_example --host=1.2.3.4

doc/administration/geo/replication/database_source.md

 # Geo database replication (source)
 
->**Note:**
+NOTE: **Note:**
 This is the documentation for installations from source. For installations
 using the Omnibus GitLab packages, follow the
 [**database replication for Omnibus GitLab**][database] guide.
 
->**Note:**
+NOTE: **Note:**
 The stages of the setup process must be completed in the documented order.
 Before attempting the steps in this stage, [complete all prior stages][toc].
 
@@ -22,7 +22,7 @@ The GitLab primary node where the write operations happen will connect to
 primary database server, and the secondary ones which are read-only will
 connect to secondary database servers (which are read-only too).
 
->**Note:**
+NOTE: **Note:**
 In many databases documentation you will see "primary" being referenced as "master"
 and "secondary" as either "slave" or "standby" server (read-only).
 
@@ -91,10 +91,11 @@ The following guide assumes that:
 
 1. Set up TLS support for the PostgreSQL primary server
 
-    > **Warning**: Only skip this step if you **know** that PostgreSQL traffic
-    > between the primary and secondary will be secured through some other
-    > means, e.g., a known-safe physical network path or a site-to-site VPN that
-    > you have configured.
+    CAUTION: **Warning**: 
+    Only skip this step if you **know** that PostgreSQL traffic
+    between the primary and secondary will be secured through some other
+    means, e.g., a known-safe physical network path or a site-to-site VPN that
+    you have configured.
 
     If you are replicating your database across the open Internet, it is
     **essential** that the connection is TLS-secured. Correctly configured, this
@@ -141,6 +142,7 @@ The following guide assumes that:
     hot_standby = on
     ```
 
+    NOTE: **Note**:
     Be sure to set `max_replication_slots` to the number of Geo secondary
     nodes that you may potentially have (at least 1).
 
@@ -302,7 +304,7 @@ needed files for streaming replication.
 The directories used are the defaults for Debian/Ubuntu. If you have changed
 any defaults, configure it as you see fit replacing the directories and paths.
 
->**Warning:**
+CAUTION: **Warning:**
 Make sure to run this on the **secondary** server as it removes all PostgreSQL's
 data before running `pg_basebackup`.
 

ee/app/models/concerns/ee/deployment_platform.rb

@@ -2,15 +2,12 @@ module EE
   module DeploymentPlatform
     extend ::Gitlab::Utils::Override
 
-    override :deployment_platform
-    def deployment_platform(environment: nil)
+    override :find_cluster_platform_kubernetes
+    def find_cluster_platform_kubernetes(environment: nil)
       return super unless environment && feature_available?(:multiple_clusters)
 
-      @deployment_platform ||= # rubocop:disable Gitlab/ModuleWithInstanceVariables
-        clusters.enabled.on_environment(environment.name)
-          .last&.platform_kubernetes
-
-      super # Wildcard or KubernetesService
+      clusters.enabled.on_environment(environment.name)
+        .last&.platform_kubernetes
     end
   end
 end

ee/changelogs/unreleased/5335-undefined-method-log_transfer_error-for-gitlab-geo-jobartifacttransfer-0x00007fea0ac401e8.yml

----
-title: Resolve "undefined method 'log_transfer_error'"
-merge_request:
-author:
-type: fixed

ee/changelogs/unreleased/5347-fix-multiple-clusters-incorrect-details-injected.yml

+---
+title: Fixes incorrect assignation of cluster details
+merge_request: 5047
+author:
+type: fixed

ee/changelogs/unreleased/5358-hard-failing-mirror-fails-for-personal-project-with-blocked-owners.yml

----
-title: Hard failing a mirror no longer fails for a blocked user's personal project
-merge_request: 5063
-author:
-type: fixed

ee/changelogs/unreleased/5409-geo-recovery-from-geo-temporary-directory-doesn-t-work-if-the-namespace-directory-doesn-t-exist.yml

----
-title: 'Geo: Recovery from temporary directory doesn''t work if the namespace directory
-  doesn''t exist'
-merge_request:
-author:
-type: fixed

ee/changelogs/unreleased/chat-responder-slack-app.yml

----
-title: Define a chat responder for the Slack app
-merge_request:
-author:
-type: fixed

ee/changelogs/unreleased/da-scheduler-rescheduling-the-same-project.yml

----
-title: Geo - Avoid rescheduling the same project again in a backfill condition
-merge_request: 5069
-author:
-type: fixed

ee/changelogs/unreleased/docs-3727-labels-support-epics.yml

----
-title: Update Epic documentation to include labels
-merge_request:
-author:
-type: other

ee/changelogs/unreleased/mk-fix-ldap-group-sync-permission-override.yml

----
-title: Fix LDAP group sync permission override UI
-merge_request: 5003
-author:
-type: fixed

ee/changelogs/unreleased/mk-geo-fix-disabled-wiki-registry.yml

----
-title: Mark disabled wikis as fully synced
-merge_request: 5104
-author:
-type: fixed

ee/changelogs/unreleased/mk-geo-fix-noise-when-wiki-is-disabled.yml

----
-title: Fix excessive updates to file_registry when wiki is disabled
-merge_request: 5119
-author:
-type: fixed

ee/changelogs/unreleased/tc-geo-primary-prometheus.yml

----
-title: Also log Geo Prometheus metrics from primary
-merge_request: 5058
-author:
-type: added

ee/spec/features/projects/show_project_spec.rb

@@ -17,7 +17,7 @@ describe 'Project show page', :feature do
 
         it '"Kubernetes cluster" button linked to clusters page' do
           create(:cluster, :provided_by_gcp, projects: [project])
-          create(:cluster, :provided_by_gcp, projects: [project])
+          create(:cluster, :provided_by_gcp, :production_environment, projects: [project])
 
           visit project_path(project)
 

ee/spec/models/concerns/ee/deployment_platform_spec.rb

@@ -4,56 +4,56 @@ describe EE::DeploymentPlatform do
   describe '#deployment_platform' do
     let(:project) { create(:project) }
 
-    context 'when environment is specified' do
-      let(:environment) { create(:environment, project: project, name: 'review/name') }
-      let!(:default_cluster) { create(:cluster, :provided_by_user, projects: [project], environment_scope: '*') }
-      let!(:cluster) { create(:cluster, :provided_by_user, environment_scope: 'review/*', projects: [project]) }
-
-      subject { project.deployment_platform(environment: environment) }
-
-      shared_examples 'matching environment scope' do
-        context 'when multiple clusters is available' do
-          before do
-            stub_licensed_features(multiple_clusters: true)
-          end
+    shared_examples 'matching environment scope' do
+      context 'when multiple clusters license is available' do
+        before do
+          stub_licensed_features(multiple_clusters: true)
+        end
 
-          it 'returns environment specific cluster' do
-            is_expected.to eq(cluster.platform_kubernetes)
-          end
+        it 'returns environment specific cluster' do
+          is_expected.to eq(cluster.platform_kubernetes)
         end
+      end
 
-        context 'when multiple clusters is unavailable' do
-          before do
-            stub_licensed_features(multiple_clusters: false)
-          end
+      context 'when multiple clusters licence is unavailable' do
+        before do
+          stub_licensed_features(multiple_clusters: false)
+        end
 
-          it 'returns a kubernetes platform' do
-            is_expected.to be_kind_of(Clusters::Platforms::Kubernetes)
-          end
+        it 'returns a kubernetes platform' do
+          is_expected.to be_kind_of(Clusters::Platforms::Kubernetes)
         end
       end
+    end
 
-      shared_examples 'not matching environment scope' do
-        context 'when multiple clusters is available' do
-          before do
-            stub_licensed_features(multiple_clusters: true)
-          end
+    shared_examples 'not matching environment scope' do
+      context 'when multiple clusters license is available' do
+        before do
+          stub_licensed_features(multiple_clusters: true)
+        end
 
-          it 'returns default cluster' do
-            is_expected.to eq(default_cluster.platform_kubernetes)
-          end
+        it 'returns default cluster' do
+          is_expected.to eq(default_cluster.platform_kubernetes)
         end
+      end
 
-        context 'when multiple clusters is unavailable' do
-          before do
-            stub_licensed_features(multiple_clusters: false)
-          end
+      context 'when multiple clusters license is unavailable' do
+        before do
+          stub_licensed_features(multiple_clusters: false)
+        end
 
-          it 'returns a kubernetes platform' do
-            is_expected.to be_kind_of(Clusters::Platforms::Kubernetes)
-          end
+        it 'returns a kubernetes platform' do
+          is_expected.to be_kind_of(Clusters::Platforms::Kubernetes)
         end
       end
+    end
+
+    context 'when environment is specified' do
+      let!(:default_cluster) { create(:cluster, :provided_by_user, projects: [project], environment_scope: '*') }
+      let!(:cluster) { create(:cluster, :provided_by_user, environment_scope: 'review/*', projects: [project]) }
+      let(:environment) { create(:environment, project: project, name: 'review/name') }
+
+      subject { project.deployment_platform(environment: environment) }
 
       context 'when environment scope is exactly matched' do
         before do
@@ -133,5 +133,21 @@ describe EE::DeploymentPlatform do
         end
       end
     end
+
+    context 'with multiple clusters and multiple environments' do
+      let!(:cluster_1) { create(:cluster, :provided_by_user, projects: [project], environment_scope: 'staging/*') }
+      let!(:cluster_2) { create(:cluster, :provided_by_user, projects: [project], environment_scope: 'test/*') }
+      let(:environment_1) { create(:environment, project: project, name: 'staging/name') }
+      let(:environment_2) { create(:environment, project: project, name: 'test/name') }
+
+      before do
+        stub_licensed_features(multiple_clusters: true)
+      end
+
+      it 'should return the appropriate cluster' do
+        expect(project.deployment_platform(environment: environment_1)).to eq(cluster_1.platform_kubernetes)
+        expect(project.deployment_platform(environment: environment_2)).to eq(cluster_2.platform_kubernetes)
+      end
+    end
   end
 end

spec/controllers/projects/clusters_controller_spec.rb

@@ -18,7 +18,7 @@ describe Projects::ClustersController do
       context 'when project has one or more clusters' do
         let(:project) { create(:project) }
         let!(:enabled_cluster) { create(:cluster, :provided_by_gcp, projects: [project]) }
-        let!(:disabled_cluster) { create(:cluster, :disabled, :provided_by_gcp, projects: [project]) }
+        let!(:disabled_cluster) { create(:cluster, :disabled, :provided_by_gcp, :production_environment, projects: [project]) }
         it 'lists available clusters' do
           go
 
@@ -32,7 +32,7 @@ describe Projects::ClustersController do
 
           before do
             allow(Clusters::Cluster).to receive(:paginates_per).and_return(1)
-            create_list(:cluster, 2, :provided_by_gcp, projects: [project])
+            create_list(:cluster, 2, :provided_by_gcp, :production_environment, projects: [project])
             get :index, namespace_id: project.namespace, project_id: project, page: last_page
           end
 
@@ -420,7 +420,7 @@ describe Projects::ClustersController do
 
       context 'when cluster is provided by GCP' do
         context 'when cluster is created' do
-          let!(:cluster) { create(:cluster, :provided_by_gcp, projects: [project]) }
+          let!(:cluster) { create(:cluster, :provided_by_gcp, :production_environment, projects: [project]) }
 
           it "destroys and redirects back to clusters list" do
             expect { go }
@@ -434,7 +434,7 @@ describe Projects::ClustersController do
         end
 
         context 'when cluster is being created' do
-          let!(:cluster) { create(:cluster, :providing_by_gcp, projects: [project]) }
+          let!(:cluster) { create(:cluster, :providing_by_gcp, :production_environment, projects: [project]) }
 
           it "destroys and redirects back to clusters list" do
             expect { go }
@@ -448,7 +448,7 @@ describe Projects::ClustersController do
       end
 
       context 'when cluster is provided by user' do
-        let!(:cluster) { create(:cluster, :provided_by_user, projects: [project]) }
+        let!(:cluster) { create(:cluster, :provided_by_user, :production_environment, projects: [project]) }
 
         it "destroys and redirects back to clusters list" do
           expect { go }
@@ -463,7 +463,7 @@ describe Projects::ClustersController do
     end
 
     describe 'security' do
-      set(:cluster) { create(:cluster, :provided_by_gcp, projects: [project]) }
+      set(:cluster) { create(:cluster, :provided_by_gcp, :production_environment, projects: [project]) }
 
       it { expect { go }.to be_allowed_for(:admin) }
       it { expect { go }.to be_allowed_for(:owner).of(project) }

spec/factories/clusters/clusters.rb

@@ -2,7 +2,6 @@ FactoryBot.define do
   factory :cluster, class: Clusters::Cluster do
     user
     name 'test-cluster'
-    sequence(:environment_scope) { |n| "production#{n}/*" }
 
     trait :project do
       before(:create) do |cluster, evaluator|
@@ -33,5 +32,9 @@ FactoryBot.define do
     trait :disabled do
       enabled false
     end
+
+    trait :production_environment do
+      sequence(:environment_scope) { |n| "production#{n}/*" }
+    end
   end
 end

spec/features/admin/admin_settings_spec.rb

@@ -32,15 +32,16 @@ feature 'Admin updates settings' do
     expect(find('#application_setting_visibility_level_20')).not_to be_checked
   end
 
-<<<<<<< HEAD
   describe 'LDAP settings' do
     context 'with LDAP enabled' do
       scenario 'Change allow group owners to manage ldap' do
         allow(Gitlab::Auth::LDAP::Config).to receive(:enabled?).and_return(true)
         visit admin_application_settings_path
 
-        find('#application_setting_allow_group_owners_to_manage_ldap').set(false)
-        click_button 'Save'
+        page.within('.as-visibility-access') do
+          find('#application_setting_allow_group_owners_to_manage_ldap').set(false)
+          click_button 'Save'
+        end
 
         expect(page).to have_content('Application settings saved successfully')
         expect(find('#application_setting_allow_group_owners_to_manage_ldap')).not_to be_checked
@@ -56,15 +57,6 @@ feature 'Admin updates settings' do
     end
   end
 
-  scenario 'Change application settings' do
-    uncheck 'Gravatar enabled'
-    fill_in 'Home page URL', with: 'https://about.gitlab.com/'
-    fill_in 'Help page text', with: 'Example text'
-    check 'Hide marketing-related entries from help'
-    fill_in 'Support page URL', with: 'http://example.com/help'
-    uncheck 'Project export enabled'
-    click_button 'Save'
-=======
   scenario 'Change Visibility and Access Controls' do
     page.within('.as-visibility-access') do
       uncheck 'Project export enabled'
@@ -80,7 +72,6 @@ feature 'Admin updates settings' do
       uncheck 'Gravatar enabled'
       click_button 'Save changes'
     end
->>>>>>> upstream/master
 
     expect(Gitlab::CurrentSettings.gravatar_enabled).to be_falsey
     expect(page).to have_content "Application settings saved successfully"

spec/finders/clusters_finder_spec.rb

@@ -6,7 +6,7 @@ describe ClustersFinder do
 
   describe '#execute' do
     let(:enabled_cluster) { create(:cluster, :provided_by_gcp, projects: [project]) }
-    let(:disabled_cluster) { create(:cluster, :disabled, :provided_by_gcp, projects: [project]) }
+    let(:disabled_cluster) { create(:cluster, :disabled, :provided_by_gcp, :production_environment, projects: [project]) }
 
     subject { described_class.new(project, user, scope).execute }
 

spec/models/environment_spec.rb

@@ -378,7 +378,7 @@ describe Environment do
 
       shared_examples 'same behavior between KubernetesService and Platform::Kubernetes' do
         it 'returns the terminals from the deployment service' do
-          expect(project.deployment_platform)
+          expect(project.deployment_platform(environment: environment))
             .to receive(:terminals).with(environment)
             .and_return(:fake_terminals)
 
@@ -419,7 +419,7 @@ describe Environment do
         end
 
         it 'returns the rollout status from the deployment service' do
-          expect(project.deployment_platform)
+          expect(project.deployment_platform(environment: environment))
             .to receive(:rollout_status).with(environment)
             .and_return(:fake_rollout_status)
 

spec/presenters/project_presenter_spec.rb

@@ -339,7 +339,7 @@ describe ProjectPresenter do
 
         it 'returns link to clusters page if more than one exists' do
           project.add_master(user)
-          create(:cluster, projects: [project])
+          create(:cluster, :production_environment, projects: [project])
           create(:cluster, projects: [project])
 
           expect(presenter.kubernetes_cluster_anchor_data).to eq(OpenStruct.new(enabled: true,

spec/services/clusters/create_service_spec.rb

@@ -81,7 +81,7 @@ describe Clusters::CreateService do
     end
 
     context 'when project has a cluster' do
-      let!(:cluster) { create(:cluster, :provided_by_gcp, projects: [project]) }
+      let!(:cluster) { create(:cluster, :provided_by_gcp, :production_environment, projects: [project]) }
 
       before do
         allow(project).to receive(:feature_available?).and_call_original