2022-05-23: Update auth scopes to include service.management
Production Change
Change Summary
We are adding the scope service.management for google auth to GitLab.com per https://gitlab.com/gitlab-com/gl-infra/reliability/-/issues/15637. We have made changes and sanity checked the effects on that issue.
Change Details
- Services Impacted - ServiceWeb ServiceFrontend
-
Change Technician -
@dawsmith
- Change Reviewer - @alejandro
- Time tracking - 30m minutes
- Downtime Component - none
Detailed steps for the change
Change Steps - steps to take to execute the change
Estimated Time to Complete (mins) - 30min
-
Set label changein-progress /label ~change::in-progress
-
Go to https://console.cloud.google.com/apis/credentials/consent/edit?project=gitlab-production and follow the pages there to add the service.management scope. -
Wait for Google to review the change. We have check with Google and there should be no immediate affect to existing auths. -
Set label changecomplete /label ~change::complete
Rollback
Rollback steps - steps to be taken in the event of a need to rollback this change
Estimated Time to Complete (mins) - Estimated Time to Complete in Minutes
-
Go to https://console.cloud.google.com/apis/credentials/consent/edit?project=gitlab-production and follow the pages there to remove the service.management scope. -
Set label changeaborted /label ~change::aborted
Monitoring
Key metrics to observe
- Metric: Authentication Events
- Location: https://dashboards.gitlab.net/d/JyaDfEWWz/user-authentication-events?orgId=1&refresh=5m&from=now-3h&to=now
- What changes to this metric should prompt a rollback: If we hear cases around failed auths or see a drop in successful auth events.
Change Reviewer checklist
-
Check if the following applies: - The scheduled day and time of execution of the change is appropriate.
- The change plan is technically accurate.
- The change plan includes estimated timing values based on previous testing.
- The change plan includes a viable rollback plan.
- The specified metrics/monitoring dashboards provide sufficient visibility for the change.
-
Check if the following applies: - The complexity of the plan is appropriate for the corresponding risk of the change. (i.e. the plan contains clear details).
- The change plan includes success measures for all steps/milestones during the execution.
- The change adequately minimizes risk within the environment/service.
- The performance implications of executing the change are well-understood and documented.
- The specified metrics/monitoring dashboards provide sufficient visibility for the change.
- If not, is it possible (or necessary) to make changes to observability platforms for added visibility?
- The change has a primary and secondary SRE with knowledge of the details available during the change window.
Change Technician checklist
-
Check if all items below are complete: - The change plan is technically accurate.
- This Change Issue is linked to the appropriate Issue and/or Epic
- Change has been tested in staging and results noted in a comment on this issue.
- A dry-run has been conducted and results noted in a comment on this issue.
- For C1 and C2 change issues, the SRE on-call has been informed prior to change being rolled out. (In #production channel, mention
@sre-oncall
and this issue and await their acknowledgement.) - Release managers have been informed (If needed! Cases include DB change) prior to change being rolled out. (In #production channel, mention
@release-managers
and this issue and await their acknowledgment.) - There are currently no active incidents that are severity1 or severity2
- If the change involves doing maintenance on a database host, an appropriate silence targeting the host(s) should be added for the duration of the change.
Edited by Steve Xuereb