[Feature flag] Enable Secrets management / Vault integration
What
Remove the ci_secrets_syntax and ci_secrets_management feature flags.
We want to release #28321 (closed) in %13.4. Currently the Rails part of it is merged and behind two feature flags:
- ci_secrets_syntax - Global, enables/disables the secrets section in CI yaml.
- ci_secrets_management - This is the name of the feature, which currently doubles as a feature flag on project level - https://gitlab.com/gitlab-org/gitlab/-/blob/71d74443f9a616983a4615ef35c93b1ad0d32edb/ee/app/models/ee/ci/build.rb#L138-140. If ci_secrets_syntax is enabled but ci_secrets_management is disabled, then the secrets configuration is ignored and not passed to the runner.
We are waiting on some Runner work; the plan is to test and remove the feature flags in time so we can have it in %13.4.
Owners
- Team: Release Management
- Most appropriate slack channel to reach out to: #g_release-management
- Best individual to reach out to: @krasio @jreporter
Expectations
What are we expecting to happen?
Secrets management (the new secrets keyword in CI yaml) and Vault integration to be available for all GitLab Premium.
What might happen if this goes wrong?
Break CI for jobs that have secrets configured.
What can we monitor to detect problems with this?
ci_secrets_syntax
- Errors when creating pipeline - https://sentry.gitlab.net/gitlab/gitlabcom/?query=is%3Aunresolved+%22Ci%3A%3ACreatePipelineService%3A%3ACreateError%22
ci_secrets_management
- Jobs failures on Runners (by Runner type) - https://dashboards.gitlab.net/d/000000159/ci?viewPanel=83&orgId=1
- Runners error 5m rate (by job&level) - https://dashboards.gitlab.net/d/000000159/ci?viewPanel=48&orgId=1
Beta groups/projects
If applicable, any groups/projects that are happy to have this feature turned on early. Some organizations may wish to test big changes they are interested in with a small subset of users ahead of time for example.
Roll Out Steps
- Enable on staging
- Test on staging
- Coordinate a time to enable the ci_secrets_syntax flag with #production and #g_delivery on slack.
- Announce on the issue an estimated time ci_secrets_syntax will be enabled on GitLab.com
- Enable ci_secrets_syntax on GitLab.com by running chatops command in #production
- Cross post chatops slack command to #support_gitlab-com (more guidance when this is necessary in the dev docs) and in your team channel
- Announce on the issue that the ci_secrets_syntax flag has been enabled
- Ensure that documentation has been updated
- Enable ci_secrets_management on GitLab.com for individual groups/projects listed above and verify behaviour
- Coordinate a time to enable the ci_secrets_management flag with #production and #g_delivery on slack.
- Announce on the issue an estimated time ci_secrets_management will be enabled on GitLab.com
- Enable ci_secrets_management on GitLab.com by running chatops command in #production
- Cross post chatops slack command to #support_gitlab-com (more guidance when this is necessary in the dev docs) and in your team channel
- Announce on the issue that the ci_secrets_management flag has been enabled
- Remove feature flags and add changelog entry
- After the flags removal is deployed, clean up the feature flags by running chatops command in #production channel
Edited by Krasimir Angelov