[Feature flag] Rollout of `prefix_ci_build_tokens`

Summary

This issue is to roll out the feature on production, that is currently behind the prefix_ci_build_tokens feature flag.

Owners

• Most appropriate Slack channel to reach out to: #g_pipeline-security
• Best individual to reach out to: @nmalcolm

Expectations

What are we expecting to happen?

1. This is a project-based feature flag.
2. When enabled for a project, there should be no observable impact.
3. CI Build Jobs should start using prefixed CI_JOB_TOKENs but, since they're always masked and behind the scenes, no user should notice. Services that use that token for authn/z should also have no problem using it.
4. If a CI Build Token is pasted into a comment field / issue description, our front-end based secret detection should display a warning confirmation modal

What can go wrong and how would we detect it?

• See gitlab-org/gitlab#426137 (closed)
• In summary, builds would either:
  • begin to fail because of authorization errors during a job
  • continue to succeed, but not behave correctly, because some part of the script (e.g. a curl command) fail in a non-blocking way

How would we detect it?

• https://dashboards.gitlab.net/d/ci-runners-main/ci-runners3a-overview?orgId=1
  • Elevated errors in CI runners due to 500 errors would show up here (not sure if there's a dashboard for 4XX errors)
• https://dashboards.gitlab.net/d/stage-groups-pipeline_execution/e8b8feb9-4384-5fd6-8b99-b1008cd89642?orgId=1
  • This was mentioned for the previous FF where we changed the token prefix: [Feature flag] Rollout of `ci_build_partition_i... (gitlab-org/gitlab#385401 - closed)
• https://dashboards.gitlab.net/d/api-rails-controller/api3a-rails-controller?orgId=1&var-PROMETHEUS_DS=PA258B30F88C30650&var-environment=gprd&var-stage=main&var-controller=Grape&var-action=PUT%20%2Fapi%2Fjobs%2F:id
  • API endpoint where runner requests for jobs using CI job token.
• https://log.gprd.gitlab.net/app/r/s/gk9RP
  • Logs on the same endpoint showing the status codes. We should monitor this for any spike in 400s.

Rollout Steps

Note: Please make sure to run the chatops commands in the Slack channel that gets impacted by the command.

Rollout on non-production environments

• Verify the MR with the feature flag is merged to master and have been deployed to non-production environments with /chatops run auto_deploy status <merge-commit-of-your-feature>

• Deploy the feature flag at a percentage (recommended percentage: 50%) with /chatops run feature set prefix_ci_build_tokens <rollout-percentage> --actors --dev --pre --staging --staging-ref
• Monitor that the error rates did not increase (repeat with a different percentage as necessary).

• Enable the feature globally on non-production environments with /chatops run feature set prefix_ci_build_tokens true --dev --pre --staging --staging-ref
• Verify that the feature works as expected. The best environment to validate the feature in is staging-canary as this is the first environment deployed to. Make sure you are configured to use canary.
• If the feature flag causes end-to-end tests to fail, disable the feature flag on staging to avoid blocking deployments.

For assistance with end-to-end test failures, please reach out via the #test-platform Slack channel. Note that end-to-end test failures on staging-ref don't block deployments.

Specific rollout on production

For visibility, all /chatops commands that target production should be executed in the #production Slack channel and cross-posted (with the command results) to the responsible team's Slack channel.

• Ensure that the feature MRs have been deployed to both production and canary with /chatops run auto_deploy status <merge-commit-of-your-feature>
• Depending on the type of actor you are using, pick one of these options:
  • For project-actor: /chatops run feature set --project=gitlab-org/gitlab,gitlab-org/gitlab-foss,gitlab-com/www-gitlab-com prefix_ci_build_tokens true
  • For group-actor: /chatops run feature set --group=gitlab-org,gitlab-com prefix_ci_build_tokens true
  • For user-actor: /chatops run feature set --user=nmalcolm prefix_ci_build_tokens true
• Verify that the feature works for the specific actors.

Preparation before global rollout

• Set a milestone to this rollout issue to signal for enabling and removing the feature flag when it is stable.
• Check if the feature flag change needs to be accompanied with a change management issue. Cross link the issue here if it does.
• Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the @sre-oncall Slack alias.
• Ensure that documentation exists for the feature, and the version history text has been updated.
• Leave a comment on the feature issue announcing estimated time when this feature flag will be enabled on GitLab.com.
• Ensure that any breaking changes have been announced following the release post process to ensure GitLab customers are aware.
• Notify the #support_gitlab-com Slack channel and your team channel (more guidance when this is necessary in the dev docs).
• Ensure that the feature flag rollout plan is reviewed by another developer familiar with the domain.

Proposal: start an incremental production rollout at 2024-01-17T2100Z (10am NZ time).

Global rollout on production

For visibility, all /chatops commands that target production should be executed in the #production Slack channel and cross-posted (with the command results) to the responsible team's Slack channel (#g_pipeline-security).

• (Optional) Incrementally roll out the feature on production environment.
  • Between every step wait for at least 15 minutes and monitor the appropriate graphs on https://dashboards.gitlab.net.
  • Perform actor-based rollout: /chatops run feature set prefix_ci_build_tokens <rollout-percentage> --actors
• Enable the feature globally on production environment: /chatops run feature set prefix_ci_build_tokens true
• Observe appropriate graphs on https://dashboards.gitlab.net and verify that services are not affected.
• Leave a comment on [the feature issue][main-issue] announcing that the feature has been globally enabled.
• Wait for at least one day for the verification term.

(Optional) Release the feature with the feature flag

WARNING: This approach has the downside that it makes it difficult for us to clean up the flag. For example, on-premise users could disable the feature on their GitLab instance. But when you remove the flag at some point, they suddenly see the feature as enabled and they can't roll it back to the previous behavior. To avoid this potential breaking change, use this approach only for urgent matters.

See instructions if you're sure about enabling the feature globally through the feature flag definition

If you're still unsure whether the feature is deemed stable but want to release it in the current milestone, you can change the default state of the feature flag to be enabled. To do so, follow these steps:

• Create a merge request with the following changes. Ask for review and merge it.
  • Set the default_enabled attribute in the feature flag definition to true.
  • Decide which changelog entry is needed.
• Ensure that the default-enabling MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post: /chatops run release check https://gitlab.com/gitlab-org/gitlab/-/merge_requests/140159 16.7
• Consider cleaning up the feature flag from all environments by running these chatops command in #production channel. Otherwise these settings may override the default enabled: /chatops run feature delete prefix_ci_build_tokens --dev --pre --staging --staging-ref --production
• Close [the feature issue][main-issue] to indicate the feature will be released in the current milestone.
• Set the next milestone to this rollout issue for scheduling the flag removal.
• (Optional) You can create a separate issue for scheduling the steps below to Release the feature.
  • Set the title to "[Feature flag] Cleanup prefix_ci_build_tokens".
  • Execute the /copy_metadata <this-rollout-issue-link> quick action to copy the labels from this rollout issue.
  • Link this rollout issue as a related issue.
  • Close this rollout issue.

Release the feature

After the feature has been deemed stable, the clean up should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase.

You can either create a follow-up issue for Feature Flag Cleanup or use the checklist below in this same issue.

• Create a merge request to remove the prefix_ci_build_tokens feature flag. Ask for review/approval/merge as usual. The MR should include the following changes:
  • Remove all references to the feature flag from the codebase.
  • Remove the YAML definitions for the feature from the repository.
  • Create a changelog entry.
• Ensure that the cleanup MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post: /chatops run release check https://gitlab.com/gitlab-org/gitlab/-/merge_requests/140159 16.7
• Close [the feature issue][main-issue] to indicate the feature will be released in the current milestone.
• Clean up the feature flag from all environments by running these chatops command in #production channel: /chatops run feature delete prefix_ci_build_tokens --dev --pre --staging --staging-ref --production
• Close this rollout issue.

Rollback Steps

• This feature can be disabled by running the following Chatops command:

/chatops run feature set prefix_ci_build_tokens false