Enable content embeds in Markdown on GitLab.com

Production Change

Context: I was directed to try creating a change request for this after asking in #questions for an instance admin to make it.

Change Summary

We've recently shipped the first iteration of allowing embedded (iframe) content in Markdown, and we'd like to enable it on GitLab.com!

The feature is enabled at an instance level with a domain allowlist to configure which embeds are permitted (and what to add to the frame-src CSP), but it's also gated by a wip FF at the actor level, so this configuration won't allow its indiscriminate use yet.

Change Details

The setting is located in the Admin area → Settings → General → Embedded content.

The domains to add are:

embed.figma.com
www.figma.com
www.youtube.com

The correct configuration looks like this:

image

  1. Services Impacted - GitLab.com Rails app
  2. Change Technician - DRI for the execution of this change
  3. Change Reviewer - DRI for the review of this change
  4. Scheduled Date and Time (UTC in format YYYY-MM-DD HH:MM) - Start date and time planned to execute change steps YYYY-MM-DD HH:MM
  5. Time tracking - 2 minutes
  6. Downtime Component - not required

Preparation

Change Reviewer checklist

C4 C3 C2 C1:

  • Check if the following applies:
    • The scheduled day and time of execution of the change is appropriate.
    • The change plan is technically accurate.
    • The change plan includes estimated timing values based on previous testing.
    • The change plan includes a viable rollback plan.
    • The specified metrics/monitoring dashboards provide sufficient visibility for the change.

C2 C1:

  • Check if the following applies:
    • The complexity of the plan is appropriate for the corresponding risk of the change. (i.e. the plan contains clear details).
    • The change plan includes success measures for all steps/milestones during the execution.
    • The change adequately minimizes risk within the environment/service.
    • The performance implications of executing the change are well-understood and documented.
    • The specified metrics/monitoring dashboards provide sufficient visibility for the change.
      • If not, is it possible (or necessary) to make changes to observability platforms for added visibility?
    • The change has a primary and secondary SRE with knowledge of the details available during the change window.
    • The change window has been agreed with Release Managers in advance of the change. If the change is planned for APAC hours, this issue has an agreed pre-change approval.
    • The labels blocks deployments and/or blocks feature-flags are applied as necessary.

Change Technician checklist

  • The Change Criticality has been set appropriately and requirements have been reviewed.
  • The change plan is technically accurate.
  • The rollback plan is technically accurate and detailed enough to be executed by anyone with access.
  • This Change Issue is linked to the appropriate Issue and/or Epic
  • Change has been tested in staging and results noted in a comment on this issue.
  • A dry-run has been conducted and results noted in a comment on this issue.
  • The change execution window respects the Production Change Lock periods.
  • Once all boxes above are checked, mark the change request as scheduled: /label ~"change::scheduled"
  • For C1 and C2 change issues, the change event is added to the GitLab Production calendar by the change-scheduler bot. It is schedule to run every 2 hours.
  • For C1 change issues, a Senior Infrastructure Manager has provided approval with the manager_approved label on the issue.
  • For C2 change issues, an Infrastructure Manager provided approval with the manager_approved label on the issue.
  • For C1 and C2 changes, mention @gitlab-org/saas-platforms/inframanagers in this issue to provide visibility to all infrastructure managers.
  • For C1, C2, or blocks deployments change issues, confirm with Release managers that the change does not overlap or hinder any release process (In #production channel, mention @release-managers and this issue and await their acknowledgment.)

Detailed steps for the change

Pre-execution steps

Note

The following steps should be done right at the scheduled time of the change request. The preparation steps are listed below.

  • Make sure all tasks in Change Technician checklist are done
  • For C1 and C2 change issues, the SRE on-call has been informed prior to change being rolled out. (Check the incident.io GitLab.com Production EOC schedule to find who will be on-call at the scheduled day and time. SREs on-call must be informed of plannable C1 changes at least 2 weeks in advance.)
    • The SRE on-call provided approval with the eoc_approved label on the issue.
  • For C1, C2, or blocks deployments change issues, Release managers have been informed prior to change being rolled out. (In #production channel, mention @release-managers and this issue and await their acknowledgment.)
  • There are currently no active incidents that are severity1 or severity2
  • If the change involves doing maintenance on a database host, an appropriate silence targeting the host(s) should be added for the duration of the change.

Change steps - steps to take to execute the change

Estimated Time to Complete (mins) - 2 minutes

Rollback

Rollback steps - steps to be taken in the event of a need to rollback this change

Estimated Time to Complete (mins) - 2 min

Monitoring

Key metrics to observe

N/A — the only immediate change will be that we have three new entries in our frame-src CSP. There is no particular metric that will change; if the site were to somehow suddenly become unresponsive as a result of this codepath getting hit, existing monitoring should pick it up?