15 files changed, 79 insertions, 50 deletions

diff --git a/app/models/ci/job_artifact.rb b/app/models/ci/job_artifact.rb
index 4853b23513c..93fc1b145b2 100644
--- a/app/models/ci/job_artifact.rb
+++ b/app/models/ci/job_artifact.rb
@@ -87,7 +87,9 @@ module Ci
     end
 
     def hashed_path?
-      super || self.try(:file_location).nil?
+      return true if trace? # ArchiveLegacyTraces background migration might not have `file_location` column
+
+      super || self.file_location.nil?
     end
 
     def expire_in
diff --git a/app/models/clusters/applications/helm.rb b/app/models/clusters/applications/helm.rb
index 55bbf7cae7e..423071ec024 100644
--- a/app/models/clusters/applications/helm.rb
+++ b/app/models/clusters/applications/helm.rb
@@ -32,7 +32,8 @@ module Clusters
       def install_command
         Gitlab::Kubernetes::Helm::InitCommand.new(
           name: name,
-          files: files
+          files: files,
+          rbac: cluster.platform_kubernetes_rbac?
         )
       end
 
diff --git a/app/models/clusters/applications/ingress.rb b/app/models/clusters/applications/ingress.rb
index 93f654e0638..bd0286ee3f9 100644
--- a/app/models/clusters/applications/ingress.rb
+++ b/app/models/clusters/applications/ingress.rb
@@ -39,6 +39,7 @@ module Clusters
         Gitlab::Kubernetes::Helm::InstallCommand.new(
           name: name,
           version: VERSION,
+          rbac: cluster.platform_kubernetes_rbac?,
           chart: chart,
           files: files
         )
diff --git a/app/models/clusters/applications/jupyter.rb b/app/models/clusters/applications/jupyter.rb
index ef1c76c03bd..3d84eeed5a8 100644
--- a/app/models/clusters/applications/jupyter.rb
+++ b/app/models/clusters/applications/jupyter.rb
@@ -40,6 +40,7 @@ module Clusters
         Gitlab::Kubernetes::Helm::InstallCommand.new(
           name: name,
           version: VERSION,
+          rbac: cluster.platform_kubernetes_rbac?,
           chart: chart,
           files: files,
           repository: repository
diff --git a/app/models/clusters/applications/prometheus.rb b/app/models/clusters/applications/prometheus.rb
index 88399dbbb95..46d0388a464 100644
--- a/app/models/clusters/applications/prometheus.rb
+++ b/app/models/clusters/applications/prometheus.rb
@@ -48,6 +48,7 @@ module Clusters
         Gitlab::Kubernetes::Helm::InstallCommand.new(
           name: name,
           version: VERSION,
+          rbac: cluster.platform_kubernetes_rbac?,
           chart: chart,
           files: files
         )
@@ -71,7 +72,7 @@ module Clusters
       private
 
       def kube_client
-        cluster&.kubeclient
+        cluster&.kubeclient&.core_client
       end
     end
   end
diff --git a/app/models/clusters/applications/runner.rb b/app/models/clusters/applications/runner.rb
index bde255723c8..a4a2e2b79a6 100644
--- a/app/models/clusters/applications/runner.rb
+++ b/app/models/clusters/applications/runner.rb
@@ -33,6 +33,7 @@ module Clusters
         Gitlab::Kubernetes::Helm::InstallCommand.new(
           name: name,
           version: VERSION,
+          rbac: cluster.platform_kubernetes_rbac?,
           chart: chart,
           files: files,
           repository: repository
diff --git a/app/models/clusters/cluster.rb b/app/models/clusters/cluster.rb
index 7cf75403ab6..d7011ef447a 100644
--- a/app/models/clusters/cluster.rb
+++ b/app/models/clusters/cluster.rb
@@ -42,6 +42,7 @@ module Clusters
     delegate :on_creation?, to: :provider, allow_nil: true
 
     delegate :active?, to: :platform_kubernetes, prefix: true, allow_nil: true
+    delegate :rbac?, to: :platform_kubernetes, prefix: true, allow_nil: true
     delegate :installed?, to: :application_helm, prefix: true, allow_nil: true
     delegate :installed?, to: :application_ingress, prefix: true, allow_nil: true
 
diff --git a/app/models/clusters/platforms/kubernetes.rb b/app/models/clusters/platforms/kubernetes.rb
index e6ddca0d5d0..3a335909101 100644
--- a/app/models/clusters/platforms/kubernetes.rb
+++ b/app/models/clusters/platforms/kubernetes.rb
@@ -5,6 +5,7 @@ module Clusters
     class Kubernetes < ActiveRecord::Base
       include Gitlab::Kubernetes
       include ReactiveCaching
+      include EnumWithNil
 
       self.table_name = 'cluster_platforms_kubernetes'
       self.reactive_cache_key = ->(kubernetes) { [kubernetes.class.model_name.singular, kubernetes.id] }
@@ -47,6 +48,12 @@ module Clusters
 
       alias_method :active?, :enabled?
 
+      enum_with_nil authorization_type: {
+        unknown_authorization: nil,
+        rbac: 1,
+        abac: 2
+      }
+
       def actual_namespace
         if namespace.present?
           namespace
@@ -95,7 +102,7 @@ module Clusters
       end
 
       def kubeclient
-        @kubeclient ||= build_kubeclient!
+        @kubeclient ||= build_kube_client!(api_groups: ['api', 'apis/rbac.authorization.k8s.io'])
       end
 
       private
@@ -115,15 +122,16 @@ module Clusters
         slug.gsub(/[^-a-z0-9]/, '-').gsub(/^-+/, '')
       end
 
-      def build_kubeclient!(api_path: 'api', api_version: 'v1')
+      def build_kube_client!(api_groups: ['api'], api_version: 'v1')
         raise "Incomplete settings" unless api_url && actual_namespace
 
         unless (username && password) || token
           raise "Either username/password or token is required to access API"
         end
 
-        ::Kubeclient::Client.new(
-          join_api_url(api_path),
+        Gitlab::Kubernetes::KubeClient.new(
+          api_url,
+          api_groups,
           api_version,
           auth_options: kubeclient_auth_options,
           ssl_options: kubeclient_ssl_options,
@@ -133,7 +141,7 @@ module Clusters
 
       # Returns a hash of all pods in the namespace
       def read_pods
-        kubeclient = build_kubeclient!
+        kubeclient = build_kube_client!
 
         kubeclient.get_pods(namespace: actual_namespace).as_json
       rescue Kubeclient::HttpError => err
@@ -157,15 +165,6 @@ module Clusters
         { bearer_token: token }
       end
 
-      def join_api_url(api_path)
-        url = URI.parse(api_url)
-        prefix = url.path.sub(%r{/+\z}, '')
-
-        url.path = [prefix, api_path].join("/")
-
-        url.to_s
-      end
-
       def terminal_auth
         {
           token: token,
diff --git a/app/models/commit.rb b/app/models/commit.rb
index 594972ad344..49c36ad9d3f 100644
--- a/app/models/commit.rb
+++ b/app/models/commit.rb
@@ -22,6 +22,7 @@ class Commit
   attr_accessor :project, :author
   attr_accessor :redacted_description_html
   attr_accessor :redacted_title_html
+  attr_accessor :redacted_full_title_html
   attr_reader :gpg_commit
 
   DIFF_SAFE_LINES = Gitlab::Git::DiffCollection::DEFAULT_LIMITS[:max_lines]
diff --git a/app/models/concerns/case_sensitivity.rb b/app/models/concerns/case_sensitivity.rb
index 6e80365ee5b..c93b6589ee7 100644
--- a/app/models/concerns/case_sensitivity.rb
+++ b/app/models/concerns/case_sensitivity.rb
@@ -9,23 +9,46 @@ module CaseSensitivity
     #
     # Unlike other ActiveRecord methods this method only operates on a Hash.
     def iwhere(params)
-      criteria   = self
-      cast_lower = Gitlab::Database.postgresql?
+      criteria = self
 
       params.each do |key, value|
-        column = ActiveRecord::Base.connection.quote_table_name(key)
+        criteria = case value
+                   when Array
+                     criteria.where(value_in(key, value))
+                   else
+                     criteria.where(value_equal(key, value))
+                   end
+      end
+
+      criteria
+    end
 
-        condition =
-          if cast_lower
-            "LOWER(#{column}) = LOWER(:value)"
-          else
-            "#{column} = :value"
-          end
+    private
+
+    def value_equal(column, value)
+      lower_value = lower_value(value)
+
+      lower_column(arel_table[column]).eq(lower_value).to_sql
+    end
 
-        criteria = criteria.where(condition, value: value)
+    def value_in(column, values)
+      lower_values = values.map do |value|
+        lower_value(value)
       end
 
-      criteria
+      lower_column(arel_table[column]).in(lower_values).to_sql
+    end
+
+    def lower_value(value)
+      return value if Gitlab::Database.mysql?
+
+      Arel::Nodes::NamedFunction.new('LOWER', [Arel::Nodes.build_quoted(value)])
+    end
+
+    def lower_column(column)
+      return column if Gitlab::Database.mysql?
+
+      column.lower
     end
   end
 end
diff --git a/app/models/concerns/issuable.rb b/app/models/concerns/issuable.rb
index f881ce2321c..7f14d78e976 100644
--- a/app/models/concerns/issuable.rb
+++ b/app/models/concerns/issuable.rb
@@ -49,7 +49,7 @@ module Issuable
       end
     end
 
-    has_many :label_links, as: :target, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
+    has_many :label_links, as: :target, dependent: :destroy, inverse_of: :target # rubocop:disable Cop/ActiveRecordDependent
     has_many :labels, through: :label_links
     has_many :todos, as: :target, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
 
diff --git a/app/models/label_link.rb b/app/models/label_link.rb
index 779657b25d5..1d93a55e8e9 100644
--- a/app/models/label_link.rb
+++ b/app/models/label_link.rb
@@ -3,7 +3,7 @@
 class LabelLink < ActiveRecord::Base
   include Importable
 
-  belongs_to :target, polymorphic: true # rubocop:disable Cop/PolymorphicAssociations
+  belongs_to :target, polymorphic: true, inverse_of: :label_links # rubocop:disable Cop/PolymorphicAssociations
   belongs_to :label
 
   validates :target, presence: true, unless: :importing?
diff --git a/app/models/project_services/kubernetes_service.rb b/app/models/project_services/kubernetes_service.rb
index bda1f67b8ff..f119555f16b 100644
--- a/app/models/project_services/kubernetes_service.rb
+++ b/app/models/project_services/kubernetes_service.rb
@@ -96,10 +96,10 @@ class KubernetesService < DeploymentService
 
   # Check we can connect to the Kubernetes API
   def test(*args)
-    kubeclient = build_kubeclient!
+    kubeclient = build_kube_client!
 
-    kubeclient.discover
-    { success: kubeclient.discovered, result: "Checked API discovery endpoint" }
+    kubeclient.core_client.discover
+    { success: kubeclient.core_client.discovered, result: "Checked API discovery endpoint" }
   rescue => err
     { success: false, result: err }
   end
@@ -144,7 +144,7 @@ class KubernetesService < DeploymentService
   end
 
   def kubeclient
-    @kubeclient ||= build_kubeclient!
+    @kubeclient ||= build_kube_client!(api_groups: ['api', 'apis/rbac.authorization.k8s.io'])
   end
 
   def deprecated?
@@ -182,11 +182,12 @@ class KubernetesService < DeploymentService
     slug.gsub(/[^-a-z0-9]/, '-').gsub(/^-+/, '')
   end
 
-  def build_kubeclient!(api_path: 'api', api_version: 'v1')
+  def build_kube_client!(api_groups: ['api'], api_version: 'v1')
     raise "Incomplete settings" unless api_url && actual_namespace && token
 
-    ::Kubeclient::Client.new(
-      join_api_url(api_path),
+    Gitlab::Kubernetes::KubeClient.new(
+      api_url,
+      api_groups,
       api_version,
       auth_options: kubeclient_auth_options,
       ssl_options: kubeclient_ssl_options,
@@ -196,7 +197,7 @@ class KubernetesService < DeploymentService
 
   # Returns a hash of all pods in the namespace
   def read_pods
-    kubeclient = build_kubeclient!
+    kubeclient = build_kube_client!
 
     kubeclient.get_pods(namespace: actual_namespace).as_json
   rescue Kubeclient::HttpError => err
@@ -220,15 +221,6 @@ class KubernetesService < DeploymentService
     { bearer_token: token }
   end
 
-  def join_api_url(api_path)
-    url = URI.parse(api_url)
-    prefix = url.path.sub(%r{/+\z}, '')
-
-    url.path = [prefix, api_path].join("/")
-
-    url.to_s
-  end
-
   def terminal_auth
     {
       token: token,
diff --git a/app/models/repository.rb b/app/models/repository.rb
index cf255c8951f..929d28b9d88 100644
--- a/app/models/repository.rb
+++ b/app/models/repository.rb
@@ -580,7 +580,12 @@ class Repository
   end
 
   def rendered_readme
-    MarkupHelper.markup_unsafe(readme.name, readme.data, project: project, markdown_engine: :redcarpet) if readme
+    return unless readme
+
+    context = { project: project }
+    context[:markdown_engine] = :redcarpet unless MarkupHelper.commonmark_for_repositories_enabled?
+
+    MarkupHelper.markup_unsafe(readme.name, readme.data, context)
   end
   cache_method :rendered_readme
 
diff --git a/app/models/user.rb b/app/models/user.rb
index f21ca1c569f..0fcc952b5cd 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -257,6 +257,7 @@ class User < ActiveRecord::Base
   scope :order_recent_sign_in, -> { reorder(Gitlab::Database.nulls_last_order('current_sign_in_at', 'DESC')) }
   scope :order_oldest_sign_in, -> { reorder(Gitlab::Database.nulls_last_order('current_sign_in_at', 'ASC')) }
   scope :confirmed, -> { where.not(confirmed_at: nil) }
+  scope :by_username, -> (usernames) { iwhere(username: usernames) }
 
   # Limits the users to those that have TODOs, optionally in the given state.
   #
@@ -444,11 +445,11 @@ class User < ActiveRecord::Base
     end
 
     def find_by_username(username)
-      iwhere(username: username).take
+      by_username(username).take
     end
 
     def find_by_username!(username)
-      iwhere(username: username).take!
+      by_username(username).take!
     end
 
     def find_by_personal_access_token(token_string)