Add application limits to instance level variables

Enables application limits for instance level CI/CD variables

app/models/ci/instance_variable.rb

@@ -6,6 +6,10 @@ module Ci
     extend Gitlab::ProcessMemoryCache::Helper
     include Ci::NewHasVariable
     include Ci::Maskable
+    include Limitable
+
+    self.limit_name = 'ci_instance_level_variables'
+    self.limit_scope = Limitable::GLOBAL_SCOPE
 
     alias_attribute :secret_value, :value
 
@@ -41,5 +45,13 @@ module Ci
         end
       end
     end
+
+    private
+
+    def validate_plan_limit_not_exceeded
+      if Gitlab::Ci::Features.instance_level_variables_limit_enabled?
+        super
+      end
+    end
   end
 end

changelogs/unreleased/216097-add-application-limits-to-ci-instancevariable.yml

+---
+title: Add application limits to instance level CI/CD variables
+merge_request: 32575
+author:
+type: added

db/migrate/20200519141534_add_instance_level_variables_column_to_plan_limits.rb

+# frozen_string_literal: true
+
+class AddInstanceLevelVariablesColumnToPlanLimits < ActiveRecord::Migration[6.0]
+  DOWNTIME = false
+
+  def change
+    add_column :plan_limits, :ci_instance_level_variables, :integer, default: 25, null: false
+  end
+end

db/structure.sql

@@ -4915,7 +4915,8 @@ CREATE TABLE public.plan_limits (
     group_hooks integer DEFAULT 50 NOT NULL,
     ci_project_subscriptions integer DEFAULT 2 NOT NULL,
     ci_pipeline_schedules integer DEFAULT 10 NOT NULL,
-    offset_pagination_limit integer DEFAULT 50000 NOT NULL
+    offset_pagination_limit integer DEFAULT 50000 NOT NULL,
+    ci_instance_level_variables integer DEFAULT 25 NOT NULL
 );
 
 CREATE SEQUENCE public.plan_limits_id_seq
@@ -13772,6 +13773,7 @@ COPY "schema_migrations" (version) FROM STDIN;
 20200519074709
 20200519101002
 20200519115908
+20200519141534
 20200519171058
 20200519194042
 20200520103514

doc/administration/instance_limits.md

@@ -199,6 +199,24 @@ To set this limit on a self-managed installation, run the following in the
 Plan.default.limits.update!(ci_pipeline_schedules: 100)
 ```
 
+### Number of instance level variables
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/216097) in GitLab 13.1.
+
+The total number of instance level CI/CD variables is limited at the instance level.
+This limit is checked each time a new instance level variable is created. If a new variable
+would cause the total number of variables to exceed the limit, the new variable will not be created.
+
+On self-managed instances this limit is defined for the `default` plan. By default,
+this limit is set to `25`.
+
+To update this limit to a new value on a self-managed installation, run the following in the
+[GitLab Rails console](troubleshooting/debug.md#starting-a-rails-console-session):
+
+```ruby
+Plan.default.limits.update!(ci_instance_level_variables: 30)
+```
+
 ## Instance monitoring and metrics
 
 ### Incident Management inbound alert limits

doc/api/instance_level_ci_variables.md

@@ -67,8 +67,7 @@ curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/a
 
 Create a new instance-level variable.
 
-NOTE: **Note:**
-The maximum number of instance-level variables is [planned to be 25](https://gitlab.com/gitlab-org/gitlab/-/issues/216097).
+[Since GitLab 13.1](https://gitlab.com/gitlab-org/gitlab/-/issues/216097), the maximum number of allowed instance-level variables can be changed.
 
 ```plaintext
 POST /admin/ci/variables

doc/user/gitlab_com/index.md

@@ -82,6 +82,7 @@ Below are the current settings regarding [GitLab CI/CD](../../ci/README.md).
 | Scheduled Pipeline Cron | `*/5 * * * *` | `19 * * * *` |
 | [Max jobs in active pipelines](../../administration/instance_limits.md#number-of-jobs-in-active-pipelines) | `500` for Free tier, unlimited otherwise | Unlimited
 | [Max pipeline schedules in projects](../../administration/instance_limits.md#number-of-pipeline-schedules) | `10` for Free tier, `50` for all paid tiers | Unlimited |
+| [Max number of instance level variables](../../administration/instance_limits.md#number-of-instance-level-variables) | `25` | `25` |
 
 ## Repository size limit
 

lib/gitlab/ci/features.rb

@@ -17,6 +17,10 @@ module Gitlab
       def self.job_heartbeats_runner?(project)
         ::Feature.enabled?(:ci_job_heartbeats_runner, project, default_enabled: true)
       end
+
+      def self.instance_level_variables_limit_enabled?
+        ::Feature.enabled?(:ci_instance_level_variables_limit, default_enabled: true)
+      end
     end
   end
 end

spec/models/ci/instance_variable_spec.rb

@@ -11,6 +11,25 @@ describe Ci::InstanceVariable do
   it { is_expected.to validate_uniqueness_of(:key).with_message(/\(\w+\) has already been taken/) }
   it { is_expected.to validate_length_of(:encrypted_value).is_at_most(1024).with_message(/Variables over 700 characters risk exceeding the limit/) }
 
+  it_behaves_like 'includes Limitable concern' do
+    subject { build(:ci_instance_variable) }
+  end
+
+  context 'with instance level variable feature flag disabled' do
+    let(:plan_limits) { create(:plan_limits, :default_plan) }
+
+    before do
+      stub_feature_flags(ci_instance_level_variables_limit: false)
+      plan_limits.update(described_class.limit_name => 1)
+      create(:ci_instance_variable)
+    end
+
+    it 'can create new models exceeding the plan limits', :aggregate_failures do
+      expect { subject.save }.to change { described_class.count }
+      expect(subject.errors[:base]).to be_empty
+    end
+  end
+
   describe '.unprotected' do
     subject { described_class.unprotected }