The export finalization process expects that each CSV entry is on a
newline. As a quick fix, this change replaces newline characters with
literal "\n" values.

This commit adds a new RuboCop rule `Gitlab/NoFindInWorkers` to prevent
the use of `.find` in workers. It also enabled "grace period" and generated TODOs.

Co-authored-by: Peter Leitzen <pleitzen@gitlab.com>

This updates the default commit message and MR description for
housekeeper MRs to no longer include a link to the feedback issue.

This linked feedback issue has become too difficult to load as it has
hundreds of mentions. It's not really serving it's purpose and a label
and a ping is likely to be just as good for communicating feedback.

Used the new process to generate the gitleaks.toml. The rules themselves
are unchanged, but the formatting is completely different.

Changelog: changed

Co-authored-by: Peter Leitzen <pleitzen@gitlab.com>

Fix rule names

Add missing rules keyword

Use absolute path for qa bundle path

Fix cng patterns path

`UrlBlocker` changes its behavior based on `Rails.env.test?`, which
depends on `RAILS_ENV`. Locally the tests were not passing unless
`RAILS_ENV` were set to `test`. In CI we already set this.

Previously anytime `ApplicationSetting` were updated `UrlBlocker`
would attempt to resolve the IPs and determine whether they were
allowed by the current settings. However, in an offline environment,
services like Diagrams.net may not be resolved even if they are
enabled by default.

This commit skips the validations that require resolving IP addresses
if there are no restrictions on outgoing requests:

- Allow requests to the local network is checked
- Allow requests to the local network from system hooks is checked
- DNS rebinding attack protection is disabled
- Block all requests, except for IP addresses, IP ranges, and domain
  names defined in the allowlist (`deny_all_requests_except_allowed`)
  is disabled

Note that the URL validators in `ApplicationSetting` only pass in the
current `deny_all_requests_except_allowed` setting, so if that is
active then IP resolution will occur.

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/467524

Changelog: fixed

This breaks up the methods that validate the URL itself
and those that validate the resolved IP. This will
make it easier to disable the latter.

Add spec for existing token

Fix copy/paste mistake in comment

Signed-off-by: Rémy Coutable <remy@rymai.me>

Co-authored-by: Evan Read <eread@gitlab.com>

Instead of using a double negative @splattael suggested matching on
all params, ehn permitting when params is used safely.

With that we could simplify the node pattern while making the cop rule
faster and perhaps more secure. There's no special case made for methods
like page, per, puts, has_key, etc.

The downside is the number of rubocop exceptions when from 225 to 379.

Use helm client

Move all logic in to uninstall method

Add more logging for cluster deletion

Add command spec

Add namespace deletion

Fix value print

Move them into a separate so it can be included by templates or
projects.

Signed-off-by: Rémy Coutable <remy@rymai.me>

Update spec name

Add test for installation with chart sha

Add specs for chart repo method

Add specs for upgrade command

Fix response check

Add disable reason for rubocop

The diffing library was not taking into account that notebook code cells
can have no output entry, and assumed there would be an empty output
entry instead, which was causing errors

Changelog: fixed

Extract timeout arg and remove extra admin cred methods

Update qa gemfile

Log url of deployed app

Add missing ngingx configuration

Add admin token creation and default values

Update specs for installation and configuration class

Remove unused shell code

Move kubeclient to a method

Update warning message for license

This is documentation for how housekeeper could be used in other
projects. In testing this I found there was a problem with requiring
active_support in other projects so I fixed that as well.

When RSpec's main process terminates and attempts to clean up
child processes upon completion, it terminates subprocesses
where the scans might be still ongoing. This behavior is not
recognized by the upstream library (parallel), which manages
all forked subprocesses it created for running scans.
When the upstream library attempts to close its forked
subprocesses which already terminated, it raises an
'ArgumentError' with the message 'bad signal type NilClass,'
resulting in flaky failures in the test expectations.

This reverts commit bc2d6985.

Signed-off-by: Rémy Coutable <remy@rymai.me>

This will ensure that SNI is used with the hostname override patch.

Due to https://github.com/ruby/net-http/pull/36, the SNI hostname
was not being set because the `connect` method always received
an IP address. We patch this change so that SNI will be used if
the hostname override is present.

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/413528

This is needed in preparation for patching DNS rebinding support to
net-http v0.4.1.

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/396223