Disable container_registry_phase_2_deny_list feature flag for VIPs in bulk

Production Change

Change Summary

We're about to start Migrating VIP namespaces for the container registry migration (https://gitlab.com/gitlab-org/gitlab/-/issues/350933).

We need to disable this feature flag (container_registry_phase_2_deny_list) in bulk for all target top-level namespaces. This is similar to #6817 (closed), but we're disabling the FF instead.

The list of target VIP top-level namespaces can be seen at https://gitlab.com/gitlab-com/gl-infra/production/-/snippets/2376659. This snippet contains a single JSON file with an array of integers, one for each top-level namespace ID.

This change is to execute a script on a production Rails console that will do the following:

1. Read JSON document from the private snippet.
2. Iterate over the list of top-level namespace IDs and for each:
   1. Find the corresponding Group object by ID;
   2. Disable container_registry_phase_2_deny_list feature flag for the Group.

This change won't trigger any application behavior, either on GitLab Rails or the Container Registry, as all the functionality sits behind the container_registry_migration_phase2 feature flag which is disabled. We'll enable this FF once it's safe to do so and we're in a position to monitor the migration.

Related to https://gitlab.com/gitlab-org/gitlab/-/issues/350933.

Change Details

1. Services Impacted - ServiceGitLab Rails
2. Change Technician - @skarbek
3. Change Reviewer - @hswimelar
4. Time tracking - 10 minutes PER RUN
5. Downtime Component - 0

Detailed steps for the change

Pre-Change Steps - steps to be completed before execution of the change

Estimated Time to Complete (mins) - 5 minutes

• Set label changein-progress on this issue

Obtain a PAT for the GitLab API with read access to private snippets in this project

Change Steps - steps to take to execute the change

Estimated Time to Complete (mins) - 5 minutes

• Open rails console with write access in production

Execute the following script. Make sure to fill the PAT variable with your private access token, acquire the latest SNIPPET_URL from the target comment in this CR, and keep the console open for the validation and rollback steps if necessary:

PAT = "<TOKEN>"
SNIPPET_URL = "<SNIPPET_URL>"
FEATURE_FLAG = :container_registry_phase_2_deny_list

response = Gitlab::HTTP.get(SNIPPET_URL, headers: { 'PRIVATE-TOKEN' => PAT })
ids = JSON.parse(response.body)

puts "Loaded #{ids.size} group IDs"

before_count = Feature::FlipperGate.where(feature_key: FEATURE_FLAG.to_s).count

ids.each do |id|
  group = Group.find_by_id(id)
  unless group
    puts "WARNING: #{id} not found!"
    next
  end
  Feature.disable(FEATURE_FLAG, group)
end

after_count = Feature::FlipperGate.where(feature_key: FEATURE_FLAG.to_s).count
diff_count =  before_count - after_count

if diff_count == ids.size
  puts "enabled for #{after_count} groups"
else
  puts "WARNING: Expected feature flag to be enabled for #{ids.size} groups, but only did for #{diff_count}"
end

Post-Change Steps - steps to take to verify the change

Estimated Time to Complete (mins) - 1 Minute

• No WARNING: .* messages should be seen during the execution of the script. Otherwise, report to @hswimelar.

Run /chatops run feature get container_registry_phase_2_deny_list on Slack to ensure the feature flag scope was updated.

Rollback

Rollback steps - steps to be taken in the event of a need to rollback this change

Estimated Time to Complete (mins) - 2 Minutes

• Execute the following snippet:

before_count = Feature::FlipperGate.where(feature_key: FEATURE_FLAG.to_s).count

ids.each do |id|
    group = Group.find_by_id(id)
    Feature.enable(FEATURE_FLAG, group) if group
end

after_count = Feature::FlipperGate.where(feature_key: FEATURE_FLAG.to_s).count
unless after_count == 0
   puts "WARNING: Expected feature flag to be disabled for all groups, but #{after_count} remain"
end

Report any WARNING: .* messages to @hswimelar.

Monitoring

Key metrics to observe

This change won't trigger any behavior change, either on GitLab Rails or the Container Registry, as all the functionality sits behind the container_registry_migration_phase2 feature flag.

Change Reviewer checklist

C4 C3 C2 C1:

• Check if the following applies:
  • The scheduled day and time of execution of the change is appropriate.
  • The change plan is technically accurate.
  • The change plan includes estimated timing values based on previous testing.
  • The change plan includes a viable rollback plan.
  • The specified metrics/monitoring dashboards provide sufficient visibility for the change.

C2 C1:

• Check if the following applies:
  • The complexity of the plan is appropriate for the corresponding risk of the change. (i.e. the plan contains clear details).
  • The change plan includes success measures for all steps/milestones during the execution.
  • The change adequately minimizes risk within the environment/service.
  • The performance implications of executing the change are well-understood and documented.
  • The specified metrics/monitoring dashboards provide sufficient visibility for the change.
    • If not, is it possible (or necessary) to make changes to observability platforms for added visibility?
  • The change has a primary and secondary SRE with knowledge of the details available during the change window.
  • The labels blocks deployments and/or blocks feature-flags are applied as necessary

Change Technician checklist

• Check if all items below are complete:
  • The change plan is technically accurate.
  • This Change Issue is linked to the appropriate Issue and/or Epic
  • Change has been tested in staging and results noted in a comment on this issue.
  • A dry-run has been conducted and results noted in a comment on this issue.
  • For C1 and C2 change issues, the change event is added to the GitLab Production calendar.
  • For C1 and C2 change issues, the SRE on-call has been informed prior to change being rolled out. (In #production channel, mention @sre-oncall and this issue and await their acknowledgement.)
  • For C1 and C2 change issues, the SRE on-call provided approval with the eoc_approved label on the issue.
  • For C1 and C2 change issues, the Infrastructure Manager provided approval with the manager_approved label on the issue.
  • Release managers have been informed (If needed! Cases include DB change) prior to change being rolled out. (In #production channel, mention @release-managers and this issue and await their acknowledgment.)
  • There are currently no active incidents that are severity1 or severity2
  • If the change involves doing maintenance on a database host, an appropriate silence targeting the host(s) should be added for the duration of the change.