2025-01-31: [GSTG] Add omnibus active_record_encryption secrets

Production Change

Change Summary

Adds the secrets which were added in K8S Add active_record_encryption secrets (gitlab-com/gl-infra/k8s-workloads/gitlab-com!4014 - merged) to Omnibus, from k8s vault to ombnibus vault at the same level as gitlab-rails['db_key_base'], for the GSTG environment.

Part of recovering #incident-19182: #19182 (comment 2318125915).

Change Details

1. Services Impacted - ServiceGitLab Rails
2. Change Technician - @rehab
3. Change Reviewer - @dat.tang.gitlab
4. Scheduled Date and Time (UTC in format YYYY-MM-DD HH:MM) - 2025-01-31 11:15
5. Time tracking - 30 minutes
6. Downtime Component - none

Set Maintenance Mode in GitLab

If your change involves scheduled maintenance, add a step to set and unset maintenance mode per our runbooks. This will make sure SLA calculations adjust for the maintenance period.

Detailed steps for the change

Change Steps - steps to take to execute the change

Estimated Time to Complete (mins) - Estimated Time to Complete in Minutes

• Set label changein-progress /label ~change::in-progress

0. Verify config doesn't exist

• ssh redis-sidekiq-01-db-gstg.c.gitlab-staging-1.internal
• Expect not to see the secret at first: cat /etc/gitlab/gitlab.rb | grep -e "active_record_encryption"

1. Copy the secrets

• Copy the secrets from env/gstg/ns/gitlab/rails/active_record_encryption
• Add the secrets under gitlab_rails['active_record_encryption'] in env/gstg/shared/gitlab-omnibus-secrets

2. Verify the secrets

• ssh redis-sidekiq-01-db-gstg.c.gitlab-staging-1.internal
• Ensure chef is enabled: sudo chef-client-is-enabled
• sudo chef-client
• Expect to see the secret: cat /etc/gitlab/gitlab.rb | grep -e "active_record_encryption"
• Set label changecomplete /label ~change::complete

Rollback

Rollback steps - steps to be taken in the event of a need to rollback this change

Estimated Time to Complete (mins) - Estimated Time to Complete in Minutes

• Restore the previous secret version in env/gstg/shared/gitlab-omnibus-secrets
• Wait for chef-client to complete in all affected machines.
• Set label changeaborted /label ~change::aborted

Monitoring

Key metrics to observe

• Metric: [GSTG] internal-api: Rails Controller

  • Location: https://dashboards.gitlab.net/goto/hQaVFwOHR?orgId=1
  • What changes to this metric should prompt a rollback: Describe Changes

• Metric: [GSTG] web: Rails Controller

  • Location: https://dashboards.gitlab.net/goto/eJxvKQdHR?orgId=1
  • What changes to this metric should prompt a rollback: Describe Changes

Change Reviewer checklist

C4 C3 C2 C1:

• Check if the following applies:
  • The scheduled day and time of execution of the change is appropriate.
  • The change plan is technically accurate.
  • The change plan includes estimated timing values based on previous testing.
  • The change plan includes a viable rollback plan.
  • The specified metrics/monitoring dashboards provide sufficient visibility for the change.

C2 C1:

• Check if the following applies:
  • The complexity of the plan is appropriate for the corresponding risk of the change. (i.e. the plan contains clear details).
  • The change plan includes success measures for all steps/milestones during the execution.
  • The change adequately minimizes risk within the environment/service.
  • The performance implications of executing the change are well-understood and documented.
  • The specified metrics/monitoring dashboards provide sufficient visibility for the change.
    • If not, is it possible (or necessary) to make changes to observability platforms for added visibility?
  • The change has a primary and secondary SRE with knowledge of the details available during the change window.
  • The change window has been agreed with Release Managers in advance of the change. If the change is planned for APAC hours, this issue has an agreed pre-change approval.
  • The labels blocks deployments and/or blocks feature-flags are applied as necessary.

Change Technician checklist

• Check if all items below are complete:
  • The change plan is technically accurate.
  • This Change Issue is linked to the appropriate Issue and/or Epic
  • Change has been tested in staging and results noted in a comment on this issue.
  • A dry-run has been conducted and results noted in a comment on this issue.
  • The change execution window respects the Production Change Lock periods.
  • For C1 and C2 change issues, the change event is added to the GitLab Production calendar.
  • For C1 and C2 change issues, the SRE on-call has been informed prior to change being rolled out. (In #production channel, mention @sre-oncall and this issue and await their acknowledgement.)
  • For C1 and C2 change issues, the SRE on-call provided approval with the eoc_approved label on the issue.
  • For C1 and C2 change issues, the Infrastructure Manager provided approval with the manager_approved label on the issue. Mention @gitlab-org/saas-platforms/inframanagers in this issue to request approval and provide visibility to all infrastructure managers.
  • Release managers have been informed prior to any C1, C2, or blocks deployments change being rolled out. (In #production channel, mention @release-managers and this issue and await their acknowledgment.)
  • There are currently no active incidents that are severity1 or severity2
  • If the change involves doing maintenance on a database host, an appropriate silence targeting the host(s) should be added for the duration of the change.