Enabling "Allow pre-receive secret detection" on Production
Production Change
Change Summary
Provide a high-level summary of the change and its purpose.
This is a follow-on to the same request for Staging.
In order to support dogfooding of pre-receive secret detection on internal gitlab.com projects, we want to enable the feature on gitlab.com. This request is to have someone with admin access on gitlab.com enable Allow pre-receive secret detection
through the admin panel. The docs have not been updated, so ignore the mention of Dedicated, but the steps for enabling are here.
The pre_receive_secret_detection_beta_release
feature flag (Issue) has been enabled on Production:
https://gitlab.slack.com/archives/C101F3796/p1714068897328299
Once this setting is enabled (through the UI), I will do further testing, as documented here: gitlab-org/gitlab#455910 (comment 1881192211)
While not a requirement, ideally this would be enabled during a standard workday in the 5:00am-2:00pm timeframe (Pacific Timezone).
Change Details
- Services Impacted - Gitaly pre-receive hook, staging.gitlab.com, pre-receive secret detection (it's not technically a service)
- Change Technician - @ahanselka
- Change Reviewer - @ahanselka
- Time tracking - 5m
- Downtime Component - no
Set Maintenance Mode in GitLab
If your change involves scheduled maintenance, add a step to set and unset maintenance mode per our runbooks. This will make sure SLA calculations adjust for the maintenance period.
Detailed steps for the change
Change Steps - steps to take to execute the change
Estimated Time to Complete (mins) - Estimated Time to Complete in Minutes
-
Set label changein-progress /label ~change::in-progress
-
Visit the Secret Detection section in the Security and Compliance Admin section (https://gitlab.com/admin -> Settings -> Security and Compliance) -
Check the Allow pre-receive secret detection
checkbox to enable the feature -
Click Save Changes
-
Set label changecomplete /label ~change::complete
Rollback
Rollback steps - steps to be taken in the event of a need to rollback this change
Estimated Time to Complete (mins) - Estimated Time to Complete in Minutes
-
Visit the Secret Detection section in the Security and Compliance Admin section (https://gitlab.com/admin -> Settings -> Security and Compliance) -
Un-check the Allow pre-receive secret detection
checkbox to enable the feature -
Click Save Changes
-
Set label changeaborted /label ~change::aborted
Monitoring
Key metrics to observe
- Metric: Gitaly latency for PreReceiveHook
- Location: Gitaly Latency dashboard for PreReceiveHook (Production)
- What changes to this metric should prompt a rollback: Significant increases in latency. We have Alerting established for key components as a goal post for the Beta epic to further refine what "Significant increases" looks like.
Change Reviewer checklist
-
Check if the following applies: - The scheduled day and time of execution of the change is appropriate.
- The change plan is technically accurate.
- The change plan includes estimated timing values based on previous testing.
- The change plan includes a viable rollback plan.
- The specified metrics/monitoring dashboards provide sufficient visibility for the change.
-
Check if the following applies: - The complexity of the plan is appropriate for the corresponding risk of the change. (i.e. the plan contains clear details).
- The change plan includes success measures for all steps/milestones during the execution.
- The change adequately minimizes risk within the environment/service.
- The performance implications of executing the change are well-understood and documented.
- The specified metrics/monitoring dashboards provide sufficient visibility for the change.
- If not, is it possible (or necessary) to make changes to observability platforms for added visibility?
- The change has a primary and secondary SRE with knowledge of the details available during the change window.
- The change window has been agreed with Release Managers in advance of the change. If the change is planned for APAC hours, this issue has an agreed pre-change approval.
- The labels blocks deployments and/or blocks feature-flags are applied as necessary.
Change Technician checklist
-
Check if all items below are complete: - The change plan is technically accurate.
- This Change Issue is linked to the appropriate Issue and/or Epic
- Change has been tested in staging and results noted in a comment on this issue.
- A dry-run has been conducted and results noted in a comment on this issue.
- The change execution window respects the Production Change Lock periods.
- For C1 and C2 change issues, the change event is added to the GitLab Production calendar.
- For C1 and C2 change issues, the SRE on-call has been informed prior to change being rolled out. (In #production channel, mention
@sre-oncall
and this issue and await their acknowledgement.) - For C1 and C2 change issues, the SRE on-call provided approval with the eoc_approved label on the issue.
- For C1 and C2 change issues, the Infrastructure Manager provided approval with the manager_approved label on the issue.
- Release managers have been informed prior to any C1, C2, or blocks deployments change being rolled out. (In #production channel, mention
@release-managers
and this issue and await their acknowledgment.) - There are currently no active incidents that are severity1 or severity2
- If the change involves doing maintenance on a database host, an appropriate silence targeting the host(s) should be added for the duration of the change.