Enable setting "Enforce PIPL compliance"

Production Change

Change Summary

We need to enable setting Enforce PIPL compliance in .com so that MR can be merged gitlab-org/gitlab!203208 (merged) . Currently this setting has a default value as ON in model level but we are changing that as part of Issue - gitlab-org/gitlab#566486 (closed). Since default is false for the application setting at model level we need to make sure the value is TRUE in database for .com.

Additional context PIPL is enforced to ensure free users from certain territories are redirected to use Jihu. The work was done by another team and enabled as a FF for GitLab.com, however when groupauthentication took that over it was moved to an application setting such that it isn't inadvertently disabled. It is however also set the setting to ON for all deployment types. Dedicated being paid namespaces didn't suffer any consequence, but we should still fix the setting to be default off, and only enabled by GitLab.com instance admins for .com

Change Details

1. Services Impacted - ServiceGitlab
2. Change Technician - @cmcfarland
3. Change Reviewer - @mkaeppler
4. Scheduled Date and Time (UTC in format YYYY-MM-DD HH:MM) - Start date and time planned to execute change steps YYYY-MM-DD HH:MM
5. Time tracking - 10
6. Downtime Component - No Downtime will be there

Set Maintenance Mode in GitLab

Not required

Pre-execution steps

• Make sure all tasks in Change Technician checklist are done
• For C1 and C2 change issues, the SRE on-call has been informed prior to change being rolled out. (In #production channel, mention @sre-oncall and this issue and await their acknowledgement.)
  • The SRE on-call provided approval with the eoc_approved label on the issue.
• For C1, C2, or blocks deployments change issues, Release managers have been informed prior to change being rolled out. (In #production channel, mention @release-managers and this issue and await their acknowledgment.)
• There are currently no active incidents that are severity1 or severity2
• If the change involves doing maintenance on a database host, an appropriate silence targeting the host(s) should be added for the duration of the change.

Change steps - steps to take to execute the change

Estimated Time to Complete (mins) - 5

• Set label changein-progress /label ~change::in-progress
• With admin access to GitLab.com, navigate to GitLab Admin settings
• Under Security and compliance settings, find PIPL Compliance
• Check the setting Enforce PIPL Compliance if it is unchecked
• Click Save changes at the bottom of this section, even if it was already checked
• Set label changecomplete /label ~change::complete

Rollback

Rollback steps - steps to be taken in the event of a need to rollback this change

Estimated Time to Complete (mins) - 5

• With admin access to GitLab.com, navigate to GitLab Admin settings
• Under Security and compliance settings, find PIPL Compliance
• Uncheck the setting Enforce PIPL Compliance
• Click Save changes at the bottom of this section
• Set label changecomplete /label ~change::complete
• Set label changeaborted /label ~change::aborted

Monitoring

Key metrics to observe

• Metric: Kibana logs
  • Location: {https://log.gprd.gitlab.net/app/r/s/96yJ6}
  • Keep an eye there should not be any registration related errors in the application

Change Reviewer checklist

C4 C3 C2 C1:

• Check if the following applies:
  • The scheduled day and time of execution of the change is appropriate.
  • The change plan is technically accurate.
  • The change plan includes estimated timing values based on previous testing.
  • The change plan includes a viable rollback plan.
  • The specified metrics/monitoring dashboards provide sufficient visibility for the change.

C2 C1:

• Check if the following applies:
  • The complexity of the plan is appropriate for the corresponding risk of the change. (i.e. the plan contains clear details).
  • The change plan includes success measures for all steps/milestones during the execution.
  • The change adequately minimizes risk within the environment/service.
  • The performance implications of executing the change are well-understood and documented.
  • The specified metrics/monitoring dashboards provide sufficient visibility for the change.
    • If not, is it possible (or necessary) to make changes to observability platforms for added visibility?
  • The change has a primary and secondary SRE with knowledge of the details available during the change window.
  • The change window has been agreed with Release Managers in advance of the change. If the change is planned for APAC hours, this issue has an agreed pre-change approval.
  • The labels blocks deployments and/or blocks feature-flags are applied as necessary.

Change Technician checklist

• The change plan is technically accurate.
• This Change Issue is linked to the appropriate Issue and/or Epic
• Change has been tested in staging and results noted in a comment on this issue.
• A dry-run has been conducted and results noted in a comment on this issue.
• The change execution window respects the Production Change Lock periods.
• For C1 and C2 change issues, the change event is added to the GitLab Production calendar.
• For C1 and C2 change issues, the Infrastructure Manager provided approval with the manager_approved label on the issue. Mention @gitlab-org/saas-platforms/inframanagers in this issue to request approval and provide visibility to all infrastructure managers.
• For C1, C2, or blocks deployments change issues, confirm with Release managers that the change does not overlap or hinder any release process (In #production channel, mention @release-managers and this issue and await their acknowledgment.)