[staging] Update tokens and URL to enable secret detection token revocation API

Staging Change

Change Summary

At some point on reconfiguration of our staging environment we removed the application_settings enabling the instance-level Secret Detection Revocation API. This is configured via the following application settings:

• secret_detection_token_revocation_enabled
• secret_detection_token_revocation_url
• secret_detection_token_revocation_token
• secret_detection_revocation_token_types_url

These credentials to the srs-dev instance can be found within 1Password Engineering vault under Revocation api credential.

See previous change request https://gitlab.com/gitlab-com/gl-infra/production/-/issues/3292#plan for configuration on gitlab.com

Change Details

1. Services Impacted - ServiceGitLab Rails
2. Change Technician - @fshabir
3. Change Reviewer - @theoretick
4. Time tracking - 30 minutes
5. Downtime Component - No downtime needed

Detailed steps for the change

Change Steps - steps to take to execute the change

Estimated Time to Complete (mins) - 20 minutes

Steps taken from https://gitlab.com/gitlab-com/gl-infra/production/-/issues/3292#plan.

NOTE: Should be SRS-DEV, not SRS-LIVE

• Set label changein-progress /label ~change::in-progress
• Sign-in to 1Password

eval $(op signin --account gitlab)

• Examine the settings schema

export GITLAB_GSTG_ADMIN_API_PRIVATE_TOKEN='changeme'
curl --silent --show-error --location --request GET --header "PRIVATE-TOKEN: ${GITLAB_GSTG_ADMIN_API_PRIVATE_TOKEN}" "https://staging.gitlab.com/api/v4/application/settings" | jq | grep -E "(secret_detection_token_revocation_token|secret_detection_revocation_token_types_url|secret_detection_token_revocation_url|secret_detection_token_revocation_enabled)"

• Update the application settings with the new key-value settings as url query parameters

export secret_detection_token_revocation_token=$(op item get dalqpifgyncj5jgmwmluazotrm --vault 6gq44ckmq23vqk5poqunurdgay --fields srs-dev.secret_detection_token_revocation_token)
export secret_detection_revocation_token_types_url=$(op item get dalqpifgyncj5jgmwmluazotrm --vault 6gq44ckmq23vqk5poqunurdgay --fields srs-dev.secret_detection_revocation_token_types_url)
export secret_detection_token_revocation_url=$(op item get dalqpifgyncj5jgmwmluazotrm --vault 6gq44ckmq23vqk5poqunurdgay --fields srs-dev.secret_detection_token_revocation_url)
export secret_detection_token_revocation_enabled=$(op item get dalqpifgyncj5jgmwmluazotrm --vault 6gq44ckmq23vqk5poqunurdgay --fields srs-dev.secret_detection_token_revocation_enabled)

echo "[Dry-run] url: https://staging.gitlab.com/api/v4/application/settings?secret_detection_token_revocation_token=${secret_detection_token_revocation_token}&secret_detection_revocation_token_types_url=${secret_detection_revocation_token_types_url}&secret_detection_token_revocation_url=${secret_detection_token_revocation_url}&secret_detection_token_revocation_enabled=${secret_detection_token_revocation_enabled}"

curl --silent --show-error --location --request PUT --header "PRIVATE-TOKEN: ${GITLAB_GSTG_ADMIN_API_PRIVATE_TOKEN}" "https://staging.gitlab.com/api/v4/application/settings?secret_detection_token_revocation_token=${secret_detection_token_revocation_token}&secret_detection_revocation_token_types_url=${secret_detection_revocation_token_types_url}&secret_detection_token_revocation_url=${secret_detection_token_revocation_url}&secret_detection_token_revocation_enabled=${secret_detection_token_revocation_enabled}" | jq

• Verify that the changes have been persisted by the gitlab.com application

curl --silent --show-error --location --request GET --header "PRIVATE-TOKEN: ${GITLAB_GSTG_ADMIN_API_PRIVATE_TOKEN}" "https://staging.gitlab.com/api/v4/application/settings" | jq | grep -E "(secret_detection_token_revocation_token|secret_detection_revocation_token_types_url|secret_detection_token_revocation_url|secret_detection_token_revocation_enabled)"

• Set label changecomplete /label ~change::complete

Rollback

Rollback steps - steps to be taken in the event of a need to rollback this change

Estimated Time to Complete (mins) - 10 minutes

• Use the previous values of URLs and update settings:

export secret_detection_token_revocation_token=null
export secret_detection_revocation_token_types_url=null
export secret_detection_token_revocation_url=null
export secret_detection_token_revocation_enabled=false

curl --silent --show-error --location --request PUT --header "PRIVATE-TOKEN: ${GITLAB_GSTG_ADMIN_API_PRIVATE_TOKEN}" "https://staging.gitlab.com/api/v4/application/settings?secret_detection_token_revocation_token=${secret_detection_token_revocation_token}&secret_detection_revocation_token_types_url=${secret_detection_revocation_token_types_url}&secret_detection_token_revocation_url=${secret_detection_token_revocation_url}&secret_detection_token_revocation_enabled=${secret_detection_token_revocation_enabled}" | jq

• Set label changeaborted /label ~change::aborted

Monitoring

Key metrics to observe

• Metric: Metric Name
  • Location: Dashboard URL
  • What changes to this metric should prompt a rollback: Describe Changes

Change Reviewer checklist

C4 C3 C2 C1:

• Check if the following applies:
  • The scheduled day and time of execution of the change is appropriate.
  • The change plan is technically accurate.
  • The change plan includes estimated timing values based on previous testing.
  • The change plan includes a viable rollback plan.
  • The specified metrics/monitoring dashboards provide sufficient visibility for the change.

C2 C1:

• Check if the following applies:
  • The complexity of the plan is appropriate for the corresponding risk of the change. (i.e. the plan contains clear details).
  • The change plan includes success measures for all steps/milestones during the execution.
  • The change adequately minimizes risk within the environment/service.
  • The performance implications of executing the change are well-understood and documented.
  • The specified metrics/monitoring dashboards provide sufficient visibility for the change.
    • If not, is it possible (or necessary) to make changes to observability platforms for added visibility?
  • The change has a primary and secondary SRE with knowledge of the details available during the change window.
  • The labels blocks deployments and/or blocks feature-flags are applied as necessary

Change Technician checklist

• Check if all items below are complete:
  • The change plan is technically accurate.
  • This Change Issue is linked to the appropriate Issue and/or Epic
  • Change has been tested in staging and results noted in a comment on this issue.
  • A dry-run has been conducted and results noted in a comment on this issue.
  • For C1 and C2 change issues, the change event is added to the GitLab Production calendar.
  • For C1 and C2 change issues, the SRE on-call has been informed prior to change being rolled out. (In #production channel, mention @sre-oncall and this issue and await their acknowledgement.)
  • For C1 and C2 change issues, the SRE on-call provided approval with the eoc_approved label on the issue.
  • For C1 and C2 change issues, the Infrastructure Manager provided approval with the manager_approved label on the issue.
  • Release managers have been informed (If needed! Cases include DB change) prior to change being rolled out. (In #production channel, mention @release-managers and this issue and await their acknowledgment.)
  • There are currently no active incidents that are severity1 or severity2
  • If the change involves doing maintenance on a database host, an appropriate silence targeting the host(s) should be added for the duration of the change.