[Feature flag] Rollout of `ci_scoped_job_token`
Summary
This issue is to rollout secured workflow for CI Job Token on production,
that is currently behind the ci_scoped_job_token
feature flag.
Owners
- Team: grouppipeline execution
- Most appropriate slack channel to reach out to:
#g_pipeline-execution
- Best individual to reach out to: @fabiopitino
- PM: @jreporter
Expectations
What are we expecting to happen?
This feature flag starts tracking authentications via CI_JOB_TOKEN and compares permissions with the new job token scope. The job token scope is however disabled for all projects at the project settings level. Users will need to enable the setting to benefit of the feature.
What might happen if this goes wrong?
In case of unexpected issues we can turn off the feature flag and investigate the matter.
Things that might go wrong could be CI_JOB_TOKEN not having proper access to expected projects.
What can we monitor to detect problems with this?
- Sentry https://sentry.gitlab.net/gitlab/gitlabcom/ for any unexpected errors
- 401 API status - ensure this does not go up unexpectedly
- 404 API status - ensure this does not go up unexpectedly
Rollout Steps
Pre-rollout requirements
-
Reset existing project_cd_cd_settings.job_token_scope_enabled
tofalse
- During the previous rollout we had created some projects with
job_token_scope_enabled: true
by default but then we disabled the feature flag. - We need to set those back to
false
before we attempt to rollout the FF on production. - To do that we could drop and recreate the column with
default: false
in the same migration transaction.
- During the previous rollout we had created some projects with
-
Ensure the post-deployment migration that disables the project setting by default ran successfully, leaving it enabled only for projects that were already using the feature.
Rollout on non-production environments
-
Ensure that the feature MRs have been deployed to non-production environments. -
/chatops run auto_deploy status <merge-commit-of-your-feature>
-
-
Enable the feature globally on non-production environments. -
/chatops run feature set ci_scoped_job_token true --dev
-
/chatops run feature set ci_scoped_job_token true --staging
-
-
Verify that the feature works as expected. Posting the QA result in this issue is preferable. -
Enable job token scope via project settings for specific projects and run manual tests -
Ensure public projects data (e.g. clone repo, downloading package or image) is always allowed as long as the user has the right permissions -
Ensure internal projects data (e.g. clone repo, downloading package or image) is always allowed as long as the user has the right permissions -
Ensure private projects data (e.g. clone repo, downloading package or image) is prevented if target project is not added to the job token's scope. Once added or if whole job token setting is disabled, access should be allowed. -
Ensure new projects get created with job token scope disabled via project's settings.
-
Preparation before production rollout
-
Ensure that the feature MRs have been deployed to both production and canary. -
/chatops run auto_deploy status <merge-commit-of-your-feature>
-
-
Check if the feature flag change needs to be accompanied with a change management issue. Cross link the issue here if it does. -
Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the @sre-oncall
Slack alias. -
Ensure that documentation has been updated (More info). -
Announce on the feature issue an estimated time this will be enabled on GitLab.com. -
If the feature flag in code has an actor, enable it on GitLab.com for testing groups/projects. -
/chatops run feature set --<actor-type>=<actor> ci_scoped_job_token true
-
-
Verify that the feature works as expected. Posting the QA result in this issue is preferable.
Global rollout on production
-
Incrementally roll out the feature. - If the feature flag in code has an actor, perform actor-based rollout.
-
/chatops run feature set ci_scoped_job_token <rollout-percentage> --actors
-
- If the feature flag in code does NOT have an actor, perform time-based rollout (random rollout).
-
/chatops run feature set ci_scoped_job_token <rollout-percentage>
-
- Enable the feature globally on production environment.
-
/chatops run feature set ci_scoped_job_token true
-
- If the feature flag in code has an actor, perform actor-based rollout.
-
Announce on the feature issue that the feature has been globally enabled. -
Cross-post chatops slack command to #support_gitlab-com
. (more guidance when this is necessary in the dev docs) and in your team channel -
Wait for at least one day for the verification term.
(Optional) Release the feature with the feature flag
If you're still unsure whether the feature is deemed stable but want to release it in the current milestone, you can change the default state of the feature flag to be enabled. To do so, follow these steps:
-
Create a merge request with the following changes. Ask for review and merge it. -
Set the default_enabled
attribute in the feature flag definition totrue
. -
Create a changelog entry.
-
-
Ensure that the above MR has been deployed to both production and canary. If the merge request was deployed before the code cutoff, the feature can be officially announced in a release blog post. -
/chatops run auto_deploy status <merge-commit>
-
-
Close the feature issue to indicate the feature will be released in the current milestone.
WARNING: This approach has the downside that it makes it difficult for us to clean up the flag. For example, on-premise users could disable the feature on their GitLab instance. But when you remove the flag at some point, they suddenly see the feature as enabled and they can't roll it back to the previous behavior. To avoid this potential breaking change, use this approach only for urgent matters.
Release the feature
After the feature has been deemed stable, the clean up should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase.
-
Create a merge request to remove ci_scoped_job_token
feature flag. Ask for review and merge it.-
Remove all references to the feature flag from the codebase. -
Remove the YAML definitions for the feature from the repository. -
Create a changelog entry.
-
-
Ensure that the above MR has been deployed to both production and canary. If the merge request was deployed before the code cutoff, the feature can be officially announced in a release blog post. -
/chatops run auto_deploy status <merge-commit>
-
-
Close the feature issue to indicate the feature will be released in the current milestone. -
Clean up the feature flag from all environments by running these chatops command in #production
channel:-
/chatops run feature delete ci_scoped_job_token --dev
-
/chatops run feature delete ci_scoped_job_token --staging
-
/chatops run feature delete ci_scoped_job_token
-
-
Close this rollout issue.
Context
Old rollout checklist from before the incident
## Rollout StepsRollout on non-production environments
-
Ensure that the feature MRs have been deployed to non-production environments. -
/chatops run auto_deploy status <merge-commit-of-your-feature>
-
-
Enable the feature globally on non-production environments. -
/chatops run feature set ci_scoped_job_token true --dev
-
/chatops run feature set ci_scoped_job_token true --staging
-
-
Verify that the feature works as expected. Posting the QA result in this issue is preferable.
Preparation before production rollout
-
Ensure that the feature MRs have been deployed to both production and canary. -
/chatops run auto_deploy status <merge-commit-of-your-feature>
-
-
Check if the feature flag change needs to be accompanied with a change management issue. Cross link the issue here if it does. -
Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the @sre-oncall
Slack alias. -
Ensure that documentation has been updated (More info). -
Announce on the feature issue an estimated time this will be enabled on GitLab.com. -
If the feature flag in code has an actor, enable it on GitLab.com for testing groups/projects. -
/chatops run feature set --<actor-type>=<actor> ci_scoped_job_token true
-
-
Verify that the feature works as expected. Posting the QA result in this issue is preferable.
Global rollout on production
-
Incrementally roll out the feature. - If the feature flag in code has an actor, perform actor-based rollout.
-
/chatops run feature set ci_scoped_job_token <rollout-percentage> --actors
-
- If the feature flag in code does NOT have an actor, perform time-based rollout (random rollout).
-
/chatops run feature set ci_scoped_job_token <rollout-percentage>
-
- Enable the feature globally on production environment.
-
/chatops run feature set ci_scoped_job_token true
-
- If the feature flag in code has an actor, perform actor-based rollout.
-
Announce on the feature issue that the feature has been globally enabled. -
Cross-post chatops slack command to #support_gitlab-com
. (more guidance when this is necessary in the dev docs) and in your team channel -
Wait for at least one day for the verification term.
(Optional) Release the feature with the feature flag
If you're still unsure whether the feature is deemed stable but want to release it in the current milestone, you can change the default state of the feature flag to be enabled. To do so, follow these steps:
-
Create a merge request with the following changes. Ask for review and merge it. -
Set the default_enabled
attribute in the feature flag definition totrue
. -
Create a changelog entry.
-
-
Ensure that the above MR has been deployed to both production and canary. If the merge request was deployed before the code cutoff, the feature can be officially announced in a release blog post. -
/chatops run auto_deploy status <merge-commit>
-
-
Close the feature issue to indicate the feature will be released in the current milestone.
WARNING: This approach has the downside that it makes it difficult for us to clean up the flag. For example, on-premise users could disable the feature on their GitLab instance. But when you remove the flag at some point, they suddenly see the feature as enabled and they can't roll it back to the previous behavior. To avoid this potential breaking change, use this approach only for urgent matters.
Release the feature
After the feature has been deemed stable, the clean up should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase.
-
Create a merge request to remove ci_scoped_job_token
feature flag. Ask for review and merge it.-
Remove all references to the feature flag from the codebase. -
Remove the YAML definitions for the feature from the repository. -
Create a changelog entry.
-
-
Ensure that the above MR has been deployed to both production and canary. If the merge request was deployed before the code cutoff, the feature can be officially announced in a release blog post. -
/chatops run auto_deploy status <merge-commit>
-
-
Close the feature issue to indicate the feature will be released in the current milestone. -
Clean up the feature flag from all environments by running these chatops command in #production
channel:-
/chatops run feature delete ci_scoped_job_token --dev
-
/chatops run feature delete ci_scoped_job_token --staging
-
/chatops run feature delete ci_scoped_job_token
-
-
Close this rollout issue.
Rollback Steps
-
This feature can be disabled by running the following Chatops command:
/chatops run feature set ci_scoped_job_token false