Sep 22, 2020 - 转载自: - Eric Schurter  

GitLab 13.4 released with Vault for CI variables and Kubernetes Agent

GitLab 13.4 released with Vault for CI variables, Kubernetes Agent, and Security Center... and we’re open sourcing feature flags!

GitLab 13.4 released with Vault for CI variables, Kubernetes Agent, and Security Center… and we’re bringing feature flags to Starter!

At GitLab, we are always focusing on how to help your team reduce risk, increase their efficiency, and accelerate their delivery speed with a platform you love. This month, we’re bringing all sorts of goodness that expands visibility into security, lowers vulnerabilities, improves efficiency, makes the user experience better, and helps your team deploy even faster. We hope that you find these top features, and the 53 other new features packed in this release, useful.

Expanded security capabilities

True to form, this month’s release adds several capabilities to your GitLab DevSecOps kit. First, secrets stored in HashiCorp Vault can now be injected into CI/CD jobs as part of the build and deploy process. Next, organizations who want to maintain a separation of code deployment duties can promote specific users with Reporter access to the role of Deployer. The Deployer role follows the principle of least privilege access, allowing them to approve merge requests and deploy code to protected environments without requiring access to modify the code itself. Another way you can reduce risk is by using the new GitLab Kubernetes Agent. Operators can deploy to their Kubernetes clusters from GitLab without the need to open their cluster to the entire Internet. We are also introducing automatic versioning support for new Terraform state files with GitLab Managed Terraform state to support compliance and debugging needs. Last but not least, the Instance Security Dashboard has evolved into the GitLab Security Center featuring Vulnerability Reporting and Settings.

Better UX & efficiency

We’ve improved our global search capabilities with quick navigation from the search bar to quickly jump to recent issues, groups, projects, settings, and Help topics. We're excited about GitLab Pages Redirects for redirecting individual pages and directories within a site, which makes users more efficient at deploying pages sites. And for those who have been wishing for enhanced deployment information, this release enables you to manage hundreds of supported project deployments from the Environments dashboard. Tada! 🎉

Open source contribution highlights

We’re introducing inline code coverage remarks inside MR diffs, (contributed by this month's MVP, Fabio Huser!), providing developers a visual representation of code coverage in the Merge Request diff when doing a review. Knowing whether modified code is covered by a unit test helps speed up code reviews and time to merge and deploy a feature. We have moved feature flags to Starter and plan to move feature flags to Core in 13.5.

But wait, wait… there’s more!

As usual, we have way too little space, but still lots and lots of new things we packed into 13.4 to tell you about. Here are a few more of them:

If you'd like to preview what's coming in next month’s release, be sure to check out our 13.5 kickoff video!

Join us for Resiliency In Challenging Times

极狐GitLab MVP badge

本月GitLab最有价值人物 (MVP) 是 Fabio Huser

Fabio made notable contributions to inline code coverage remarks inside MR diffs, a long-awaited feature by the wider GitLab Community. This is a significant contribution with non-trivial changes that required constant collaboration with GitLab team members and touched on multiple areas of the project such as the user experience, frontend, and backend.

Use HashiCorp Vault secrets in CI jobs

In GitLab 12.10, GitLab introduced functionality for GitLab Runner to fetch and inject secrets into CI jobs. GitLab is now expanding the JWT Vault Authentication method by building a new secrets syntax in the .gitlab-ci.yml file. This makes it easier for you to configure and use HashiCorp Vault with GitLab.

Use HashiCorp Vault secrets in CI jobs

Introducing the GitLab Kubernetes Agent

GitLab’s Kubernetes integration has long enabled deployment to Kubernetes clusters without manual setup. Many users have enjoyed the ease-of-use, while others have run into some challenges. The current integration requires your cluster to be open to the Internet for GitLab to access it. For many organizations, this isn’t possible, because they must lock down their cluster access for security, compliance, or regulatory purposes. To work around these restrictions, users needed to create custom tooling on top of GitLab, or they couldn’t use the feature.

Today, we’re announcing the GitLab Kubernetes Agent: a new way to deploy to Kubernetes clusters. The Agent runs inside of your cluster, so you don’t need to open it to the internet. The Agent orchestrates deployments by pulling new changes from GitLab, rather than GitLab pushing updates to the cluster. No matter what method of GitOps you use, GitLab has you covered.

Note this is the first release of the Agent. Currently, the GitLab Kubernetes Agent has a configuration-driven setup, and enables deployment management by code. Some existing Kubernetes integration features, such as Deploy Boards and GitLab Managed Apps, are not yet supported. Our vision is to eventually implement these capabilities, and provide new security- and compliance-focused integrations with the Agent.

Introducing the GitLab Kubernetes Agent

Grant users deployment permissions without code access

If your team needs to maintain separation of duties between team members who own development, and team members who own deployments, the permissions paradigm in GitLab has made this challenging. In GitLab 13.4, you can give non-code contributors permission to approve merge requests for deployment, and actually deploy code, without also granting them maintainer access.

Grant users deployment permissions without code access

Security Center

Today, the Vulnerability Management experience at the Instance level is limited in both functionality and flexibility. The current experience is a single page that combines vulnerability details, metrics visualizations, and configuration. There’s not much room to expand these functions or leverage other security features.

We’ve made a foundational change to security visibility and management in GitLab. The Instance Security Dashboard has been transformed into a Security Center. The biggest change is introducing a new menu structure. Rather than a single page, you can now find a Security Dashboard, Vulnerability Report, and Settings area. While the functionality hasn’t changed, breaking things apart enables future enhancements that would have been difficult otherwise. This also creates a top-level framework for including other security-related functionality in the future.

The dedicated Vulnerability Report now has more room to display important details and inherits those currently found on the Project vulnerability list. Separating the vulnerability metrics widgets into their own area creates a true Security Dashboard. This is now a dedicated canvas for future visualizations—-not just for managing vulnerabilities but for any of our security-related metrics. Finally, splitting Settings out into its own area creates a new shared space for instance-level security configuration beyond Vulnerability Management.

Security Center

Feature Flags made available in GitLab Starter

In GitLab 11.4 Feature Flags were introduced. In 12.2 we introduced percent rollout and user ID feature flag strategies. In 13.1 we introduced feature flag user lists and support for multiple feature flag strategies per environment.

Earlier this year, GitLab committed to moving 18 features to our open source core product. With this release of GitLab we’ve finished moving Feature Flags to Starter, and we are continuing to migrate our Feature Flag service to Core in GitLab 13.5. We’re excited about bringing these features to more users and seeing what use cases and workflows you use them for.

When navigating through GitLab, sometimes you just want to go to a specific project and not a search result page.

Using the Global search bar, you can now quickly jump to recent issues, groups, projects, settings, and help topics. You can even use the / keyboard shortcut to move the cursor to the search bar, to navigate GitLab even more efficiently!

Quick navigation using the Search bar

Inline code coverage remarks inside MR diffs

When Reviewing a Merge Request it is difficult to determine if the modified code is covered by a unit test or not. Reviewers may instead rely on the overall coverage value and require an increase in the value before they approve the Merge Request. This can lead to a scattershot approach of test writing by developers that may not actually improve code quality or coverage.

Now a developer will see a visual representation of code coverage in the Merge Request diff when doing a review. This visual indicator makes it easy to see if the modified code is covered by a unit test or not, helping speed up code reviews and the time for a feature to be merged and deployed.

Thank you to Fabio Huser and Siemens for the contribution!

Inline code coverage remarks inside MR diffs

Track environments at scale with the Environments Dashboard

Since GitLab 12.5, you could only see 7 environments across 3 projects with the Environment Dashboard. We’ve improved the Environment Dashboard in GitLab 13.4 by paginating the dashboard to help you support and manage your environments at scale. You can now see more environments across many projects.

Track environments at scale with the Environments Dashboard

Taking ownership of the GitLab Terraform provider

We’ve recently received maintainer rights to the GitLab Terraform provider and plan to enhance it in upcoming releases. In the past month we’ve merged 21 pull requests and closed 31 issues, including some long outstanding bugs and missing features, like supporting instance clusters. You can read more about the GitLab Terraform provider in the Terraform documentation.

Taking ownership of the GitLab Terraform provider

API Fuzz Testing with OpenAPI specs or HAR files

API Fuzz Testing is a great way to find bugs and vulnerabilities in your web apps and APIs that other scanners and testing techniques miss.

GitLab’s API fuzz testing lets you provide an OpenAPI v2 specification or a HAR file of your application, and then automatically generates random inputs designed to exercise edge cases and find bugs. Results are then immediately shown as part of the pipeline.

This is our first release of API fuzz testing and we’d love to hear from you and know what you think. We have a lot more in store for fuzz testing that we’re excited to build on top of this release!

Preview new metrics charts in the user interface

Previously, creating a chart in your GitLab metrics dashboard was challenging. After you defined a chart in the dashboard YAML file, you committed the changes to master without knowing the newly-created chart was what you wanted. Since GitLab 13.3, you can preview a panel’s YAML as the chart is created, getting you early feedback before committing the changes to your dashboard’s YAML file.

Code Coverage Data for all projects in a group

When you or your team manages multiple GitLab projects, you should be able to easily see a single data point showing how code coverage is trending over time across all projects. Previously, visualizing this trend involved tedious, manual, work to download the coverage data from each project and insert it into a spreadsheet.

Now, as team lead, you can quickly and easily gather all the code coverage data available in each of your group’s projects or a selection of projects as a .csv file. This is an MVC feature that will be followed by the ability to graph the average coverage over time.

Code Coverage Data for all projects in a group

New language support for coverage-guided fuzz testing

This release introduces support for multiple new languages to coverage-guided fuzz testing.

You can now leverage all the power of fuzz testing for your apps written in Java, Rust, and Swift to find bugs and security vulnerabilities that other processes miss!

New language support for coverage-guided fuzz testing

Show alerts in the environment index page

The environments page shows the general status of your environments. In this release, we improved the environment page by adding alerts. Seeing triggered alerts alongside the status of your environments enables you to take immediate action to remedy situations.

Show alerts in the environment index page

Child pipelines can now trigger their own child pipelines

When using parent/child pipelines, it is now possible for child pipelines to trigger their own child pipelines. This added depth can be useful when you want the flexibility to generate a variable number of child pipelines.

Before, with a parent/child configuration, every child pipeline needed a trigger job manually defined in the parent. Now you can generate child pipelines that dynamically trigger any number of new child pipelines. If you have a monorepo, for example, you can dynamically generate a first child pipeline that itself generates a variable number of new child pipelines, based on the changes in a branch.

Child pipelines can now trigger their own child pipelines

Improved navigation between parent and child pipelines

Navigating between parent and child pipelines was a bit cumbersome, requiring multiple clicks. It also wasn’t easy to tell which job triggered which child pipeline. It’s now easier and faster to see how parent pipelines connect with their children.

Improved navigation between parent and child pipelines

Parallel matrix jobs show relevant variables in job name

If you used matrix jobs, you probably noticed it was difficult to determine which matrix variables were used for each job, because the job names were formatted like matrix 1/4. In 13.4, you will now see the relevant variable values that were used in that job, instead of seeing a generic job name. For example, if you are building a debug target for x86 architecture, the job will now be named matrix: debug x86.

Parallel matrix jobs show relevant variables in job name

极狐GitLab 13.4 其他功能

Connect an Atlassian Account

GitLab users will now be able to connect their GitLab account to their Atlassian Cloud account. Connecting accounts allows users to sign in to GitLab with their Atlassian credentials. This change also lays the foundation for future enhancements to the Gitlab Jira integration and integrating with other products in the Atlassian suite.

Connect an Atlassian Account

Export a list of all merge commits

Compliance-minded organizations need a way to show auditors a holistic view of the components involved with any particular change to production. Within GitLab, this means connecting all of the dots: MRs, issues, pipelines, security scans, and other data about a commit. Until now, you had to either dig through the GitLab application and/or build custom tooling to aggregate the information - which was not very efficient.

Now, you can programmatically collect and export this data to satisfy auditing requirements or perform other analyses by navigating to the Compliance Dashboard and clicking the button to export a list of all merge commits for the group. The resulting file will contain all merge commits and their author, related merge request ID, group, project, approvers, and more.

Export a list of all merge commits

List and Revoke Personal Access Tokens via API

Managing access to your GitLab namespace is an important part of your compliance program. From the principles of least privilege to timely termination of access, there are several compliance requirements related to Personal Access Tokens within GitLab. To support easier, better and bulk management of these user credentials within your namespace we’ve introduced the ability to list all user PATs and optionally revoke them via API.

These improvements to GitLab’s API capabilities enable users to list and revoke their own PATs and enables administrators to list and revoke the PATs of their users. Administrators now have better visibility into who has access to their namespace, can make data-informed decisions about their users’ credentials, and are empowered to revoke PATs that may be compromised or which may exceed corporate policy for credential rotation.

A few months ago, we announced a plan to open source 18 features. In working towards honoring that commitment, Related Issues[1], Issues CSV Export, and Issue Board Focus Mode are now available in Core. This only applies to the “relates to” relationship. “Blocks” and “is blocked by” remain in paid tiers.

Display source branch name in merge request sidebar

When reviewing code changes, discussions, and commits in a merge request, it is often desirable to checkout the branch locally for a more in-depth review. However, finding the branch name becomes harder as more content is added to the merge request description as more scrolling is necessary.

The branch name has now been added to the merge request sidebar, making it easily accessible at all times and removing the need for scrolling. Just as the merge request reference, the source branch section provides a convenient “copy” button for easy local checkout.

Many thanks to Ethan Reesor for this great contribution.

Emphasize collapsed diffs in merge request diffs

Merge requests which apply changes to multiple files will sometimes collapse large file diffs in order to improve performance. When this happens, it’s easy to overlook a file and not review it, especially in merge requests with many files. Starting with GitLab 13.4, the merge request will emphasize diffs containing collapsed files which will ensure those files are not missed by reviewers during the code review process. For added clarity, we are planning to highlight these files in a future release. Follow gitlab#16047 for updates.

Emphasize collapsed diffs in merge request diffs

Gitaly Cluster automatic repository repair

When a primary Gitaly Cluster node went offline, repositories on the node were marked as read only to prevent data loss when there were changes that hadn’t been replicated. If the node came back online, GitLab did not automatically recover and administrators had to manually trigger reconciliation, otherwise, you had to accept data loss. Other situations could also result in outdated or read only repositories, such as a replication job failing to be processed on a secondary node. In this case, the repository would stay out of date until another write came in and triggered a replication job.

To address these situations, Praefect now schedules a replication job when it detects an outdated repository on one node, but the latest version of the repository on a different node. This replication job brings the outdated repository up to date automatically, mitigating concerns about manual data recovery. Automatic repair also ensures that secondary nodes are brought back up to date quickly if a replication job has failed, rather than needing to wait for the next write to occur. Since many Gitaly clusters store a large number of repositories, this significantly reduces the time that administrators and site reliability engineers need to spend recovering data after a failover.

In addition, automatic repair initiates replication of repositories to any new Gitaly node that is added to the cluster, removing the need for manual intervention when adding new nodes.

Mark a to do as Done in the Design View

Effective communication in GitLab relies on the To-Do List. If you are mentioned in a comment, it’s critical to be able to follow the to do and either take action or mark it as done. It’s also important to be able to give yourself to dos when you need to remember to work on something or come back later.

Until now, it was super frustrating that you could not add a to do or mark it as done on Designs. This really impaired the effectiveness of communication between product teams as to dos are essential to managing the flow of work in GitLab.

As of 13.4, Designs achieve parity with Issue comments and their use of to dos for a more consistent and useful experience!

Mark a to do as Done in the Design View

Warning on merge request diff when files are collapsed

Collapsing large files on a merge request diff is done to enhance the performance and responsiveness of the diff section in a merge request. However, during code review, some files may be missed by the reviewer when scrolling through the list of files, because large files are collapsed.

We have introduced a visible warning at the top of the merge request diff page, clearly informing the user that a file in the section is collapsed. This ensures all related changes in the merge request are reviewed.

Warning on merge request diff when files are collapsed

GitLab Runner 13.4

We’re also releasing GitLab Runner 13.4 today! GitLab Runner is the lightweight, highly-scalable agent that runs your build jobs and sends the results back to a GitLab instance. GitLab Runner works in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab.

What’s new:

Bug fixes:

The list of all changes is in the GitLab Runner CHANGELOG.

Improved troubleshooting guide for CI/CD

We have improved the GitLab CI/CD troubleshooting guide with additional information on common issues you might run into. We hope the improved documentation is a valuable resource to help you get up and running quickly and easily with GitLab CI/CD.

Merge requests not accidentally dropped from merge train

Previously, merge requests could be dropped from the Merge Train accidentally by late comments. If a merge request was already on the merge train, and someone added a comment that created a new unresolved thread, the merge request was then considered unmergeable and dropped from the train. Now, after the merge request is added to the train, new comments can be made without any worries about disrupting the merge process.

Show job data for Code Coverage value in MR

As a developer, you should be able to easily see code coverage after a pipeline finishes running, even in complex scenarios that make this more difficult, like when your pipeline has multiple jobs that are parsed to calculate the coverage value. Until now, the Merge Request widget only showed the average of those values, which meant you had to navigate to the jobs page and then back to the Merge Request itself to get more granular details for the coverage value. To save you time and eliminate those extra steps, you’re now presented with the average coverage value, how it has changed from the target and source branch, and a tooltip that shows the coverage for each job used to calculate the average.

Show job data for Code Coverage value in MR

Delete Package Registry packages while viewing a group

The GitLab Package Registry is where you store and share a variety of package formats. When your project or group has a large number of packages, you want to quickly identify unused packages and delete them, to prevent people from installing the wrong package. You can delete packages from your registry by using the Packages API or from the Package Registry user interface. However, until recently, you could not delete packages when viewing a group in the UI. As a result, you were forced to delete packages for each project, which was inefficient.

Now you can delete packages while you’re viewing the Package Registry for a group. Simply navigate to your group’s Package Registry, filter by package name, and delete any unwanted packages.

Scope Conan packages to a project

You can use the GitLab Conan Repository to publish and share C/C++ dependencies. However, packages could previously only be scoped to the instance. This was problematic because Conan package names must be 51 characters or fewer. For anyone trying to publish a package that lived within a sub-group, like gitlab-org/ci-cd/package-stage/feature-testing/conan, it was nearly impossible to use this feature.

Now you can scope your Conan packages to a project, making it easy to publish and share your project’s dependencies.

Expand package managers and languages supported by Dependency Scanning

We are pleased to add Dependency Scans for C, C++, C#, and .Net projects that use NuGet 4.9+ or Conan package managers to our supported languages and frameworks. As part of our Secure stage, you can enable Dependency Scanning to check the dependencies included via package managers for known vulnerabilities. These vulnerabilities will be shown in your merge request, along with their severity level, so you can know before merging what risks that new dependency may introduce. You can also configure your project to require a merge request approval for any vulnerabilities with severity Critical, High, or Unknown.

Notifications when 'Merge When Pipeline Succeeds' is set on a merge request

When a reviewer sets a merge request (MR) to Merge When Pipeline Succeeds (MWPS), no email notification is sent. You must manually check to see the status or wait for the notification when the MR is merged. In this release we are excited to include a community contribution by @ravishankar2kool which solves this problem by automatically notifying all the subscribers in the merge request thread when a reviewer sets the MR to MWPS.

Notifications when 'Merge When Pipeline Succeeds' is set on a merge request

Create EKS clusters with user-specified Kubernetes version

GitLab users can now choose their preferred Kubernetes version to be provisioned on EKS. In line with the supported Kubernetes versions available on EKS, users can choose between versions 1.14 - 1.17.

Create incidents as a type of issue

Not every problem that arises triggers an alert first: customers report outages, and team members identify performance problems. Incidents are now a type of issue, so your team members can quickly create incidents through a familiar workflow. Click New Issue from anywhere within GitLab, and in the Type field, select Incident.

Create incidents as a type of issue

Reference GitLab alerts in Markdown

We improved alerts by adding an alert-specific reference in GitLab-flavored Markdown, making it easy for you to share and reference alerts. Use ^alert#1234 to reference an alert in any Markdown field in incidents, issues, or merge requests. This alert reference also helps you identify to-dos resulting from alerts, rather than issues or merge requests!

View alert payload on incidents

An alert’s payload contains critical information to diagnosing outages and restoring service, and this information must be easily accessible so you don’t need to switch tools or tabs when working to resolve the incident. Incidents created from alerts display the alert’s full payload in the Alert Details tab.

View alert payload on incidents

As a single application, GitLab has a unique opportunity to make locating content across the entire DevOps workflow delightful. In GitLab 13.4, Advanced Search now outputs results 75% faster when it is limited to specific namespaces and projects, like on

GitLab chart improvements

  • A RedHat Universal Base Image (UBI) version of the alpine-certificates image is now available. Previously, deployments using UBI-based images needed to use a non-UBI image for the certificate container. To deploy GitLab with this new image, specify global.certificates.image.tag=master-ubi8 in your values.yaml file. For more information on deploying GitLab using UBI images, see GitLab with UBI-based images.
  • Helm installs now support smartcard authentication. See the smartcard announcement for more details.
  • A sub chart has been added for deploying and configuring the Praefect service. Praefect allows you to manage storage of Git repositories across a cluster of Gitaly nodes for a fault tolerant configuration. To learn more about Gitaly clusters, see the Gitaly documenation.
  • Caches of archive files downloaded to Workhorse have been disabled for Helm chart installations. Storing archive caches on local disk was carried over from the Omnibus installation method. With Kubernetes deployments, the disk is not shared across pods. Archives build up over time because there is no way to clean up the archive files. This can cause excessive disk usage issues on nodes.
  • It is now possible to enable a Content Security Policy (CSP) in the chart to help prevent JavaScript cross-site scripting (XSS) attacks. For details, see the Global Settings documentation.
  • A bug has been resolved that prevented Helm-based installs on VMWare clusters when a job name contained a dot.
  • Instructions for migrating from Helm 2 to Helm 3 are now available.

Omnibus improvements

  • Support for deploying GitLab on ARM64 is now available. See the announcement for more details.
  • This release includes minor version updates for PostgreSQL from 11.7 to 11.9, and 12.3 to 12.4. For details of the changes made in these releases, see the PosgreSQL release announcement.
  • GitLab 13.4 includes Mattermost 5.26, an open source Slack-alternative. This release includes the ability to categorize and reorder channels with experimental channel sidebar enhancements, the ability to get help from the Mattermost community via ‘Ask the community’ link, and much more. It also includes security updates. We recommend you upgrade from earlier versions.

Bug fixes

Some of the notable bug fixes in 13.4 are:

Deleted projects view for administrators

Thank you to Ashesh Vidyut (@asheshvidyut7) for this community contribution!

The ability to delay project deletion was introduced in 12.6. However, previously there was no way to see all projects pending deletion in one place. Now self-managed administrators can view all projects pending deletion in a single view, along with buttons to easily restore these projects.

This capability allows self-managed administrators to have better control of project deletion by aggregating this information in a single place and providing the opportunity to undo undesirable deletion activity.

Group Push Rules Support Added to API

Previously, group push rules could only be configured by visiting each group individually via GitLab UI and applying these rules. Now you can manage these rules via API to support your custom GitLab tooling and automation.

Revoke PATs for self-managed credential inventory

The Credentials inventory provides the insight administrators need to manage user access credentials for their GitLab instance. As compliance-minded organizations vary in the strictness of their credential management policies, we’ve added a button that allows administrators to optionally revoke a user’s Personal Access Token (PAT). Administrators can now easily revoke PATs that may be compromised. This feature supports organizations that want more flexible enforcement options, to minimize disruptions to their users.

Revoke PATs for self-managed credential inventory

Configuration file for the Static Site Editor

In GitLab 13.4, we’re introducing a new way to configure the Static Site Editor. While the configuration file doesn’t store or retrieve any values in this release, we’re laying the foundation for customization of the editor’s behavior. In upcoming releases, we’ll add values to .gitlab/static-site-editor.yml for setting the site’s base URL, where images uploaded from the editor are stored, overriding Markdown syntax preferences, and other editor-specific settings.

Edit front matter using the Static Site Editor

Front matter is a flexible and convenient way to define page-specific variables in data files intended to be parsed by a static site generator. It is commonly used for setting a page’s title, layout template, or author, but can be used to pass any kind of metadata to the generator as the page renders out to HTML. Included at the very top of each data file, the front matter is often formatted as YAML or JSON and requires consistent and accurate syntax. Collaborators unfamiliar with the specific syntax rules can inadvertently introduce invalid markup that can in turn cause formatting issues or even build failures.

The Static Site Editor’s WYSIWYG editing mode already removes the front matter from the editor to prevent these formatting errors. However, that leaves you with no way to modify the values stored in the front matter without reverting to editing the raw source of the file. In GitLab 13.4, you can access and edit the values for each front matter field in a familiar form-based interface. Clicking the Settings button will reveal a panel that displays a form field for each key defined in the front matter. The fields are populated with the current value and editing any of them is as simple as typing into a web form. Editing front matter in this way allows you to avoid syntax complexities and gives you complete control over the content while ensuring the final output is formatted consistently.

Edit front matter using the Static Site Editor

GitLab for Jira and DVCS Connector now in Core

For users of Jira GitLab, the GitLab for Jira app and the DVCS Connector allow you to display information about GitLab commits and merge requests directly in Jira. Combined with our native integration with Jira, you can easily move back and forth between the two applications as you work.

These features were previously available only in our Premium plan, but are now available to all users! 🎉

Gitaly Cluster majority-wins reference transactions (beta)

Gitaly Cluster allows Git repositories to be replicated on multiple warm Gitaly nodes. This improves fault tolerance by removing single points of failure. Reference transactions, introduced in GitLab 13.3, causes changes to be broadcast to all the Gitaly nodes in the cluster, but only the Gitaly nodes that vote in agreement with the primary node persist the changes to disk. If all the replica nodes dissented, only one copy of the change would be persisted to disk, creating a single point of failure until asynchronous replication completed.

Majority-wins voting improves fault tolerance by requiring a majority of nodes to agree before persisting changes to disk. When the feature flag is enabled, writes must succeed on multiple nodes. Dissenting nodes are automatically brought in sync by asynchronous replication from the nodes that formed the quorum.

Support custom JSON schema validation in the Web IDE

Projects that rely on people writing configurations in JSON or YAML format can cause problems because it’s easy to make a typo and break things. It’s possible to write validation tools that catch this in the CI pipeline but using a JSON schema file can be helpful for offering documentation and hints.

Project contributors can define a custom schema path in the .gitlab/.gitlab-webide.yml file in their repository which specifies the schema and path of files to validate. When loading the defined file in the Web IDE additional feedback and validation will be visible to help create the file.

Support custom JSON schema validation in the Web IDE

Directed Acyclic Graph (DAG) relationship limit increased to 50

If you’re using Directed Acyclic Graph (DAG) pipelines, you might have found that the limit of 10 jobs that a job can list in needs: is insufficient. In 13.4, the default limit was raised from 10 to 50 to allow for more complicated networks of relationships between jobs in your pipelines.

If you are an administrator for a self-managed instance, you can make this even higher by adjusting a feature flag setting, though we don’t offer official support for this.

Improved the behavior of `needs` with skipped jobs

In certain edge cases, it was possible for a skipped job in your pipeline to be considered successful for needs dependencies, which allowed later jobs to run that shouldn’t have. This is fixed in 13.4, and the behavior of skipped jobs is now handled properly by needs.

Lock the latest job artifact to prevent deletion

GitLab will now automatically lock the latest artifact of a successful job and pipeline on any active branch, MR, or tag to prevent it from being deleted based on expiration. This makes it easier to set a more aggressive expiration policy to clean up older artifacts, helps reduce disk space consumption, and ensures you’ve always got a copy of the latest artifact from your pipeline.

Pipeline efficiency guide for CI/CD

Optimizing your CI/CD pipeline runs can result in improved speed and cost-savings. We’ve improved our documentation with a short guide on how to get the most out of optimizing your pipelines.

Test Report Sorted by Test Status

The Unit Test Report is an easy way to see results from all tests in a pipeline. However, if there are a large number of tests, it can be time consuming to find the failing tests. Other problems that made the report hard to use include difficulty scrolling long trace output, and data often rounding down to 0 for tests running in less than 1 second. Now, by default the Test Report sorts the failed tests to the top of the report first, then by duration. This makes finding failures and long running tests easier. Also, the duration of tests now displays in milliseconds or seconds so it is much quicker to read and the previous issues with scrolling have also been resolved.

Limits for file size uploads to the Package Registry

There are now limits that restrict the size of package files that can be uploaded to the GitLab Package Registry. The limits were added to prevent abuse and optimize the performance of the Package Registry. The limits vary by package format. For, the maximum file sizes are:

  • Conan: 250MB
  • Maven: 3GB
  • NPM: 300MB
  • NuGet: 250MB
  • PyPI: 3GB

For self-managed instances, the defaults are the same. However, an administrator can update the limits by using the Rails console.

Use CI_JOB_TOKEN to publish PyPI packages

You can use the GitLab PyPI Repository to build, publish, and share python packages, right alongside your source code and CI/CD Pipelines. However, previously you couldn’t authenticate with the repository by using the pre-defined environment variable CI_JOB_TOKEN. As a result, you were forced to use your personal credentials for making updates to the PyPI Repository, or you may have decided not to use the repository at all.

Now it is easier than ever to use GitLab CI/CD to publish and install PyPI packages by using the predefined CI_JOB_TOKEN environment variable.

On-demand DAST Scanner Profiles

Adding onto the DAST On-demand scans that were introduced in the last release, DAST Scanner Profiles extend the configuration options of these scans by allowing for the quick creation of multiple profiles, to cover multiple scan types. In 13.4, the Scanner Profile initially includes a spider timeout option, which sets how long the DAST spider should run when it tries to discover all the pages of a site to be scanned. It also includes a target timeout option, to set how long the scanner should wait for a site to become available before it aborts the scan, if the site does not respond with a 200 or 300 status code. As we continue to iterate on this feature in upcoming releases, more configuration options will be added to the Scanner Profile.

On-demand DAST Scanner Profiles

Simple redirect configuration file for GitLab Pages

If you are a user of GitLab Pages wanting to better manage URL changes, you’ve encountered the pain point of being unable to manage redirects in your GitLab Pages site. GitLab now allows you to configure rules to forward one URL to another for your Pages site by adding a configuration file to your repository. This feature was made possible by contributions from Kevin Barnett (@PopeDrFreud), our very own Eric Eastwood (@MadLittleMods), and the GitLab team. Thank you all for your contributions.

GitLab Managed Terraform State

Having access to previous versions of a Terraform state is necessary both for compliance and occasional debugging needs. Support for versioning of GitLab Managed Terraform state is provided starting with GitLab 13.4. Versioning is turned on automatically for new Terraform state files. Existing GitLab Managed Terraform state files will be migrated automatically to versioned storage in a later release.

Highlight critical alert details on incidents

When triaging incidents, it should be easy for you to identify how long an alert has been open and how many times the event has fired. These details are often critical when determining customer impact and what your team needs to respond to right now. In the new incident highlight bar, we surface the alert start time, events count, and a link to the originating alert front and center. This information is available on incidents that are promoted from alerts.

Highlight critical alert details on incidents

Set and edit incident severity

An incident’s severity tells responders and stakeholders the impact of an outage, and the methods and urgency needed for responses. As your team shares findings during the fire-fight and remediates the outage, they can edit the incident’s severity. You can now edit the severity of the incident in the right-hand sidebar of the Incident Details page, and the severity is displayed in the incident list.

Set and edit incident severity

Create, Edit, and Delete for Container Network Policies

This improvement to the Container Network Policy editor allows users to easily create, edit, and delete their policies from directly within the GitLab UI. The editor’s capabilities include a .yaml mode for experienced users and an intuitive rules editor UI for users new to Network Policies. You can find the new policy management capabilities at Security & Compliance > Threat Management > Policies.

Create, Edit, and Delete for Container Network Policies

Azure Blob storage support

Both GitLab and GitLab Runner now support Azure Blob storage, making it easier to run GitLab services on Azure.

GitLab instances support Azure for all object storage types, including: LFS files, CI artifacts, backups, and more. To configure Azure Blob storage, follow the instructions for Omnibus or Helm chart installations.

GitLab Runners also support Azure for storing the distributed cache. Azure storage can be configured using the [] section.

Omnibus ARM64 packages for Ubuntu and OpenSUSE

In response to increasing demand for support running GitLab on the 64-bit ARM architecture, we are excited to announce the availability of an official ARM64 Ubuntu 20.04 Omnibus package. A huge thanks to Zitai Chen and Guillaume Gardet for the enormous contribution they have made - their merge requests have been a key enabler to making this happen!

To download and install the Ubuntu 20.04 package, go to our Install page and select Ubuntu.

Smartcard authentication support for GitLab Helm chart

Smartcards, such as Common Access Cards (CAC), can now be used to authenticate against a Helm chart-deployed GitLab instance. Smartcards are authenticated against a local database using X.509 certificates. This brings the Helm chart in parity with the smartcard support available in Omnibus deployments.

Performance Improvements

In every release, we continue to make great strides improving GitLab’s performance. We’re committed to making every GitLab instance faster. This includes, an instance with over 1 million users!

In GitLab 13.4, we’re shipping performance improvements for issues, projects, milestones, and much more! Some improvements in GitLab 13.4 are:


Debian Jessie and Raspbian Stretch no longer supported

Debian Jessie and Raspbian Stretch reached end of life in June 2020 and are not supported in GitLab 13.4. GitLab 13.3 was the last supported version for these distributions. Please visit the Deprecated OSes page for more information.

Deprecation date: September 22nd, 2020

Deprecate Container Registry log formatters

Currently, GitLab supports text/json/logstash log formatting for app logs and text/json/combined for access logs. We will deprecate both logstash and combined, unifying the formatters for both app and access logs with only two options, text (for development) and json.

Deprecation date: January 22nd, 2021

Deprecate Container Registry logging hooks

The Container Registry supports logging hooks, which currently can only be used for email notifications.

These days, alerts based on log entries are commonly handled by separate tools. As far as we know, none of our users rely on this functionality and it is not used at GitLab either. The implementation of this feature is tightly coupled with the underlying logging library, which is a limitation for our ability to switch dependencies without affecting the available features.

In an effort to simplify the registry features and configurations, we will drop support for logging hooks.

Deprecation date: January 22nd, 2021

Deprecate Container Registry maxidle and maxactive Redis pool settings

Some of the configuration settings that we currently expose for the Redis connection pool are tied to the underlying Redis client and do not have an equivalent in alternative libraries. As we start working on improving the Redis integration, such as adding support for Sentinel, we decided to start working towards replacing the current Redis client dependency with a more feature-rich and better-supported alternative. To do this we need to replace the current Redis pool configuration settings that are tied to the current client library.

We intend to remove the redis.pool.maxidle and redis.pool.maxactive settings and add redis.pool.size (maximum number of connections), redis.pool.minidle (minimum number of idle connections), and redis.pool.maxlifetime (maximum amount of time a connection may be reused).

Deprecation date: January 22nd, 2021

Deprecate Container Registry proxy pull-through cache

After a recent survey of GitLab admins, we’ve decided not to deprecate this feature.

The proxy section allows the Container Registry to be set up as a local mirror to an upstream repository.

Deprecation date: Postponed indefinitely

Deprecate Container Registry support for Bugsnag

Bugsnag is one of the error reporting services supported by the Container Registry. As far as we know, none of our users rely on this service, and at GitLab we use Sentry. In an effort to simplify and consolidate the supported error reporting services, we intend to add support for Sentry and remove support for Bugsnag.

Deprecation date: January 22nd, 2021

Deprecate Container Registry support for NewRelic

NewRelic is one of the error reporting services supported by the Container Registry. As far as we know, none of our users rely on this service, and at GitLab we use Sentry. In an effort to simplify and consolidate the supported error reporting services, we intend to add support for Sentry and remove support for NewRelic.

Deprecation date: January 22nd, 2021

Deprecate pulls that use v1 of the Docker registry API

GitLab is disabling pulls via the Docker registry v1 APIs on January 22nd, 2021. Deprecated by Docker in June, 2019, deprecating this feature allows the GitLab team to focus on features and fixes that target current registry use cases.

Deprecation date: January 22nd, 2021

End of support for CentOS 6

CentOS 6 reaches end of life in November 2020. GitLab 13.6 will be the last supported version for deploying GitLab on CentOS 6. You are advised to upgrade to CentOS 7 or 8. Visit the deprecated OSes page for more information on the supported distributions.

Deprecation date: November 22, 2020

Legacy Feature Flags made Read Only

Legacy Feature Flags will become read-only. They will still work, but cannot be edited through the UI, only via API. We recommend migrating your legacy feature flags to the Feature Flag strategies. You can do this by first taking a screenshot of the legacy flag for tracking. Then delete the flag via API/UI (you don’t need to alter the code) and create a new Feature Flag with the same name as the legacy flag that was deleted. Also, make sure the strategies and environments match flag that was deleted. We have created a video tutorial to help with this migration.

Deprecation date: September 22, 2020

PowerShell as default for newly-registered Windows runners

In GitLab Runner 13.2, PowerShell Core support was added to the shell executor. In 14.0, pwsh will be the default shell for runners that are registered on Windows. The Windows Command shell will still be available as an option for Windows runners. Refer to issue #26419 for additional details.

Deprecation date: Jun 22, 2021

In GitLab Runner 13.3, a symlink was added from /user/lib/gitlab-runner/gitlab-runner to /usr/bin/gitlab-runner. In 14.0, we will remove this symlink and GitLab Runner will be installed in /usr/bin/gitlab-runner. Refer to issue #26651 for additional details.

Deprecation date: Jun 22, 2021


In GitLab Runner 13.1, issue #3376, we began sending sigterm and then sigkill to a process in the Shell executor. We also introduced a new feature flag, FF_SHELL_EXECUTOR_USE_LEGACY_PROCESS_KILL, which allowed you to use the previous process termination method. In GitLab Runner 14.0, issue #6413, we will remove the feature flag.

Deprecation date: Jun 22, 2021

Remove Ubuntu 19.10 (Eoan Ermine) package

Ubuntu 19.10 (Eoan Ermine) reached end of life on Friday, July 17, 2020. In GitLab Runner 14.0, we will remove Ubuntu 19.10 from our package distribution. Refer to issue #26036 for additional details.

Deprecation date: Jun 22, 2021

Remove off peak time mode for Docker Machine autoscaling

In GitLab Runner 13.0, issue #5069, we introduced new configuration setting timing options for the GitLab Docker Machine executor. In GitLab Runner 14.0, we will remove the old configuration option, Off Peak time mode.

Deprecation date: Jun 22, 2021

Remove success and failure build metric conversions

In GitLab Runner 13.5, we introduced failed and success states for a job. To support Prometheus rules, we chose to convert success and failure to finished for the metric. In 14.0, we will remove the conversion. Refer to issue #26900 for additional details.

Deprecation date: Jun 22, 2021

Remove translation from step_script to build_script in custom executor

In GitLab Runner 13.2, a translation for step_script to build_script was added to the custom executor. In 14.0, the build_script stage will be replaced with step_script. Refer to issue #26426 for additional details.

Deprecation date: Jun 22, 2021

Important notes on upgrading to GitLab 13.4

In GitLab 13.0, legacy storage was deprecated, and we announced that all projects that were in legacy storage would be automatically upgraded to the new hashed storage in GitLab 13.2. This background migration was delayed to GitLab 13.4.

Upon upgrading to 13.4, all projects still in legacy storage will be automatically migrated via a background migration.