Commit 8775bf4a authored by Ethan Urie's avatar Ethan Urie

Merge branch 'cherry-pick-361643-ci-cache-setting' into '14-10-stable-ee-patch-3'

Backport: Add option to disable seperated caches

See merge request gitlab-org/gitlab!88016
parents c594ad6d 16509fee
......@@ -87,7 +87,7 @@ module Projects
def permitted_project_params
[
:runners_token, :builds_enabled, :build_allow_git_fetch,
:build_timeout_human_readable, :build_coverage_regex, :public_builds,
:build_timeout_human_readable, :build_coverage_regex, :public_builds, :ci_separated_caches,
:auto_cancel_pending_pipelines, :ci_config_path, :auto_rollback_enabled,
auto_devops_attributes: [:id, :domain, :enabled, :deploy_strategy],
ci_cd_settings_attributes: [:default_git_depth, :forward_deployment_enabled]
......
......@@ -451,6 +451,7 @@ class ProjectsController < Projects::ApplicationController
:initialize_with_sast,
:initialize_with_readme,
:autoclose_referenced_issues,
:ci_separated_caches,
:suggestion_commit_message,
:packages_enabled,
:service_desk_enabled,
......
......@@ -911,6 +911,8 @@ module Ci
end
end
return cache unless project.ci_separated_caches
type_suffix = pipeline.protected_ref? ? 'protected' : 'non_protected'
cache.map do |entry|
entry.merge(key: "#{entry[:key]}-#{type_suffix}")
......
......@@ -471,6 +471,7 @@ class Project < ApplicationRecord
delegate :job_token_scope_enabled, :job_token_scope_enabled=, to: :ci_cd_settings, prefix: :ci, allow_nil: true
delegate :keep_latest_artifact, :keep_latest_artifact=, to: :ci_cd_settings, allow_nil: true
delegate :restrict_user_defined_variables, :restrict_user_defined_variables=, to: :ci_cd_settings, allow_nil: true
delegate :separated_caches, :separated_caches=, to: :ci_cd_settings, prefix: :ci, allow_nil: true
delegate :runner_token_expiration_interval, :runner_token_expiration_interval=, :runner_token_expiration_interval_human_readable, :runner_token_expiration_interval_human_readable=, to: :ci_cd_settings, allow_nil: true
delegate :actual_limits, :actual_plan_name, :actual_plan, to: :namespace, allow_nil: true
delegate :allow_merge_on_skipped_pipeline, :allow_merge_on_skipped_pipeline?,
......
......@@ -18,6 +18,7 @@ class ProjectCiCdSetting < ApplicationRecord
allow_nil: true
default_value_for :forward_deployment_enabled, true
default_value_for :separated_caches, true
chronic_duration_attr :runner_token_expiration_interval_human_readable, :runner_token_expiration_interval
......
- help_link_public_pipelines = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'change-which-users-can-view-your-pipelines'), target: '_blank', rel: 'noopener noreferrer'
- help_link_auto_canceling = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'auto-cancel-redundant-pipelines'), target: '_blank', rel: 'noopener noreferrer'
- help_link_skip_outdated =link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'skip-outdated-deployment-jobs'), target: '_blank', rel: 'noopener noreferrer'
- help_link_skip_outdated = link_to sprite_icon('question-o'), help_page_path('ci/pipelines/settings', anchor: 'skip-outdated-deployment-jobs'), target: '_blank', rel: 'noopener noreferrer'
- help_link_separated_caches = link_to sprite_icon('question-o'), help_page_path('ci/caching/index', anchor: 'cache-key-names'), target: '_blank', rel: 'noopener noreferrer'
.row.gl-mt-3
.col-lg-12
......@@ -24,6 +25,11 @@
= form.gitlab_ui_checkbox_component :forward_deployment_enabled, _("Skip outdated deployment jobs"),
help_text: (_('When a deployment job is successful, skip older deployment jobs that are still pending.') + ' ' + help_link_skip_outdated).html_safe
.form-group
= f.gitlab_ui_checkbox_component :ci_separated_caches,
s_("CICD|Use separate caches for protected branches"),
help_text: (s_('CICD|Unprotected branches will not have access to the cache from protected branches.') + ' ' + help_link_separated_caches).html_safe
.form-group
= f.label :ci_config_path, _('CI/CD configuration file'), class: 'label-bold'
= f.text_field :ci_config_path, class: 'form-control', placeholder: '.gitlab-ci.yml'
......
# frozen_string_literal: true
class AddSeparatedCachesOptionToProjectCiSettings < Gitlab::Database::Migration[2.0]
enable_lock_retries!
def change
add_column :project_ci_cd_settings, :separated_caches, :boolean, default: true, null: false
end
end
8014dcf24ac2f1171240daa349e0552cb313b06f756b84e09a16d76a8810132a
\ No newline at end of file
......@@ -19054,7 +19054,8 @@ CREATE TABLE project_ci_cd_settings (
keep_latest_artifact boolean DEFAULT true NOT NULL,
restrict_user_defined_variables boolean DEFAULT false NOT NULL,
job_token_scope_enabled boolean DEFAULT false NOT NULL,
runner_token_expiration_interval integer
runner_token_expiration_interval integer,
separated_caches boolean DEFAULT true NOT NULL
);
CREATE SEQUENCE project_ci_cd_settings_id_seq
......@@ -31,7 +31,7 @@ can't link to files outside it.
- Subsequent pipelines can use the cache.
- Subsequent jobs in the same pipeline can use the cache, if the dependencies are identical.
- Different projects cannot share the cache.
- Protected and non-protected branches do not share the cache.
- By default, protected and non-protected branches [do not share the cache](#cache-key-names). However, you can [change this behavior](#use-the-same-cache-for-all-branches).
### Artifacts
......@@ -447,7 +447,7 @@ is stored on the machine where GitLab Runner is installed. The location also dep
If you use cache and artifacts to store the same path in your jobs, the cache might
be overwritten because caches are restored before artifacts.
### Segregation of caches between protected and non-protected branches
#### Cache key names
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/330047) in GitLab 15.0.
......@@ -463,6 +463,24 @@ and `feature`, then the following table represents the resulting cache keys:
| `main` | `main-protected` |
| `feature` | `feature-non_protected` |
##### Use the same cache for all branches
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/361643) in GitLab 15.0.
If you do not want to use [cache key names](#cache-key-names),
you can have all branches (protected and unprotected) use the same cache.
The cache separation with [cache key names](#cache-key-names) is a security feature
and should only be disabled in an environment where all users with Developer role are highly trusted.
To use the same cache for all branches:
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Settings > CI/CD**.
1. Expand **General pipelines**.
1. Clear the **Use separate caches for protected branches** checkbox.
1. Select **Save changes**.
### How archiving and extracting works
This example shows two jobs in two consecutive stages:
......
......@@ -99,6 +99,7 @@ module API
expose :ci_default_git_depth
expose :ci_forward_deployment_enabled
expose :ci_job_token_scope_enabled
expose :ci_separated_caches
expose :public_builds, as: :public_jobs
expose :build_git_strategy, if: lambda { |project, options| options[:user_can_admin_project] } do |project, options|
project.build_allow_git_fetch ? 'fetch' : 'clone'
......
......@@ -6660,6 +6660,12 @@ msgstr ""
msgid "CICD|The Auto DevOps pipeline runs if no alternative CI configuration file is found."
msgstr ""
msgid "CICD|Unprotected branches will not have access to the cache from protected branches."
msgstr ""
msgid "CICD|Use separate caches for protected branches"
msgstr ""
msgid "CICD|group enabled"
msgstr ""
......
......@@ -1069,6 +1069,32 @@ RSpec.describe Ci::Build do
is_expected.to all(a_hash_including(key: a_string_matching(/-non_protected$/)))
end
end
context 'when separated caches are disabled' do
before do
allow_any_instance_of(Project).to receive(:ci_separated_caches).and_return(false)
end
context 'running on protected ref' do
before do
allow(build.pipeline).to receive(:protected_ref?).and_return(true)
end
it 'is expected to have no type suffix' do
is_expected.to match([a_hash_including(key: 'key-1'), a_hash_including(key: 'key2-1')])
end
end
context 'running on not protected ref' do
before do
allow(build.pipeline).to receive(:protected_ref?).and_return(false)
end
it 'is expected to have no type suffix' do
is_expected.to match([a_hash_including(key: 'key-1'), a_hash_including(key: 'key2-1')])
end
end
end
end
context 'when project has jobs_cache_index' do
......
......@@ -99,6 +99,7 @@ ci_cd_settings:
default_git_depth: ci_default_git_depth
forward_deployment_enabled: ci_forward_deployment_enabled
job_token_scope_enabled: ci_job_token_scope_enabled
separated_caches: ci_separated_caches
build_import_state: # import_state
unexposed_attributes:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment