[Feature flag] Rollout dependency_proxy_for_private_groups
What
Remove the :dependency_proxy_for_private_groups
feature flag.
Owners
- Team: ~"group::package"
- Most appropriate slack channel to reach out to:
#s_package
- Best individual to reach out to: @sabrams
Expectations
What are we expecting to happen?
We expect the dependency proxy to work for public and private groups, with public group users now requiring authentication to use the dependency proxy.
What might happen if this goes wrong?
We added the feature flag because !46042 (merged) caused a change in the behavior of how public groups are able to use the dependency proxy. Previously users could use the dependency proxy without authentication, but with !46042 (merged), users now need to authenticate.
This means this may be a breaking change for users of the dependency proxy. If they have a pipeline that uses it, for example, they will receive an unauthorized
error and will need to update their CI to log in.
What can we monitor to detect problems with this?
-
Kibana chart showing requests to the applicable controller
- Watch the
json.status
aggregation for errors. 200, 302, and 401 are expected. The 401 is part of the authentication workflow (the 401 returns a header that instructs the docker client to request an access token). - 403 errors tell us that users are trying to access the Dependency Proxy without proper credentials, these are the errors that show users that may be running into problems.
- Watch the
Documentation for helping anyone surprised/affected by this change
- Users will need to authenticate with the Dependency Proxy in order to continue using it. Please see https://docs.gitlab.com/ee/user/packages/dependency_proxy/#authenticate-with-the-dependency-proxy for details on how to authenticate, and how to update CI scripts that may use the Dependency Proxy.
Beta groups/projects
N/A, this is scoped to the instance and could not be scoped to groups or projects.
Roll Out Steps
-
Enable on staging ( /chatops run feature set dependency_proxy_for_private_groups true --staging
) -
Test feature on staging -
Ensure that documentation has been updated - [-] Enable on GitLab.com and verify behaviour (
/chatops run feature set dependency_proxy_for_private_groups true
) -
Coordinate a time to enable the flag with the SRE oncall and release managers - In
#production
mention@sre-oncall
and@release-managers
. Once an SRE on call and Release Manager on call confirm, you can proceed with the rollout
- In
-
Announce on the issue an estimated time this will be enabled on GitLab.com -
Enable on GitLab.com by running chatops command in #production
(/chatops run feature set dependency_proxy_for_private_groups true
) -
Cross post chatops Slack command to #support_gitlab-com
(more guidance when this is necessary in the dev docs) and in your team channel -
Announce on the issue that the flag has been enabled -
Enable feature flag by default in 13.7 and add changelog entry -
Remove feature flag in 13.9 -
After the flag removal is deployed, clean up the feature flag by running chatops command in #production
channel
Rollback Steps
-
This feature can be disabled by running the following Chatops command:
/chatops run feature set dependency_proxy_for_private_groups false