[Feature flag] Enable compliance violations GraphQL type

Summary

This issue is to roll out the feature on production, that is currently behind the compliance_violations_graphql_type feature flag.

The compliance violations GraphQL type adds the ability to retrieve compliance violations via the GraphQL API. This will be used by &7222 (closed)

Owners

• Team: Manage::Compliance
• Most appropriate slack channel to reach out to: #g_manage_compliance
• Best individual to reach out to: @rob.hunt
• PM: @stkerr

Stakeholders

Expectations

What are we expecting to happen?

We swap over the UI without issues

When is the feature viable?

Once the feature flag is rolled out

What might happen if this goes wrong?

Turn off the feature flag

What can we monitor to detect problems with this?

Staging

• Grafana
• Kabana

Production

• Sentry
• Grafana
• Kabana

What can we check for monitoring production after rollouts?

• Look for failures in ComplianceViolationsWorker, ComplianceViolation (model), CreateComplianceViolationsService, ComplianceViolationResolver and ComplianceViolationsFinder.
• Keep an eye on merge failures.

Rollout Steps

Rollout on non-production environments

• Ensure that the feature MRs have been deployed to non-production environments.
  • /chatops run auto_deploy status <merge-commit-of-your-feature>
• Enable the feature globally on non-production environments.
  • /chatops run feature set compliance_violations_graphql_type true --dev
  • /chatops run feature set compliance_violations_graphql_type true --staging
• Verify that the feature works as expected. Posting the QA result in this issue is preferable.

Preparation before global rollout

• Check if the feature flag change needs to be accompanied with a change management issue. Crosslink the issue here if it does.
• Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the on-call SRE by using the @sre-oncall Slack alias.
• Ensure that documentation has been updated (More info).
• Announce on the feature issue an estimated time this will be enabled on GitLab.com.
• Notify #support_gitlab-com and your team channel (more guidance when this is necessary in the dev docs).

Global rollout on production

For visibility, all /chatops commands that target production should be executed in the #production slack channel and cross-posted (with the command results) to the responsible team's slack channel (#g_TEAM_NAME).

• Incrementally roll out the feature.
  • If the feature flag in code does NOT have an actor, perform time-based rollout (random rollout).
    • /chatops run feature set compliance_violations_graphql_type <rollout-percentage>
  • If the feature flag in code DOES have an actor, perform actor-based rollout.
    • /chatops run feature set compliance_violations_graphql_type 25 --actors
  • Enable the feature globally on production environment.
    • /chatops run feature set compliance_violations_graphql_type true
• Announce on the feature issue that the feature has been globally enabled.
• Wait for at least one day for the verification term.

(Optional) Release the feature with the feature flag

If you're still unsure whether the feature is deemed stable but want to release it in the current milestone, you can change the default state of the feature flag to be enabled. To do so, follow these steps:

• Create a merge request with the following changes. Ask for review and merge it.
  • Set the default_enabled attribute in the feature flag definition to true.
  • Create a changelog entry.
• Ensure that the default-enabling MR has been deployed to both production and canary. If the merge request was deployed before the code cutoff, the feature can be officially announced in a release blog post.
  • /chatops run auto_deploy status <merge-commit-of-default-enabling-mr>
• Close the feature issue to indicate the feature will be released in the current milestone.
• Set the next milestone to this rollout issue for scheduling the flag removal.
• (Optional) You can create a separate issue for scheduling the steps below to Release the feature.
  • Set the title to "[Feature flag] Cleanup compliance_violations_graphql_type".
  • Execute the /copy_metadata https://gitlab.com/gitlab-org/gitlab/-/issues/346266 quick action to copy the labels from this rollout issue.
  • Link this rollout issue as a related issue.
  • Close this rollout issue.

WARNING: This approach has the downside that it makes it difficult for us to clean up the flag. For example, on-premise users could disable the feature on their GitLab instance. But when you remove the flag at some point, they suddenly see the feature as enabled and they can't roll it back to the previous behavior. To avoid this potential breaking change, use this approach only for urgent matters.

Release the feature

After the feature has been deemed stable, the clean up should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase.

• Create a merge request to remove compliance_violations_graphql_type feature flag. Ask for review and merge it.
  • Remove all references to the feature flag from the codebase.
  • Remove the YAML definitions for the feature from the repository.
  • Create a changelog entry.
• Ensure that the cleanup MR has been deployed to both production and canary. If the merge request was deployed before the code cutoff, the feature can be officially announced in a release blog post.
  • /chatops run auto_deploy status <merge-commit-of-cleanup-mr>
• Close the feature issue to indicate the feature will be released in the current milestone.
• Clean up the feature flag from all environments by running these chatops command in #production channel:
  • /chatops run feature delete compliance_violations_graphql_type --dev
  • /chatops run feature delete compliance_violations_graphql_type --staging
  • /chatops run feature delete compliance_violations_graphql_type
• Close this rollout issue.

Rollback Steps

• This feature can be disabled by running the following Chatops command:

/chatops run feature set compliance_violations_graphql_type false

added Category:Compliance Management Enterprise Edition GitLab Ultimate backend devopsmanage feature flag groupcompliance sectiondev typefeature workflowblocked labels

set weight to 1

assigned to @rob.hunt

added to epic &7222 (closed)

changed the description

Note: With the final removal of the feature flag we should be able to move the finder/resolver authorization logic back to the permissions system rather than just silently returning an empty collection.

mentioned in merge request !78681 (closed)

mentioned in issue #342897 (closed)

marked the checklist item /chatops run auto_deploy status <merge-commit-of-your-feature> as completed

marked the checklist item Enable the feature globally on non-production environments. as completed

marked the checklist item /chatops run feature set compliance_violations_graphql_type true --dev as completed

marked the checklist item /chatops run feature set compliance_violations_graphql_type true --staging as completed

marked the checklist item Verify that the feature works as expected. Posting the QA result in this issue is preferable. as completed

marked the checklist item Check if the feature flag change needs to be accompanied with a as completed

marked the checklist item Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. as completed

marked the checklist item Ensure that documentation has been updated (More info). as completed

I'm going to roll this out to gitlab-org and gitlab-com groups and monitor for changes now. If all goes well over the next few hours I will look at incrementing this to the rest of gitlab.com tomorrow in 25% increments

Enabled on mwoolf-verification-group as well to test violations are saving as expected

Sidekiq is happy:

No error budget changes:

And with the brilliant help of @mwoolf we can confirm that:

• MR’s are being merged without violations
• MR’s are being merged and creating violations
• GraphQL handles permissions correctly
• GraphQL returns the violations

We're all good for tomorrow to start the incremental rollout

@rob.hunt I also validated that violations were being created in the database for gitlab-com and gitlab-org and they were, but do not have permissions to see the result in the GraphQL output.

marked the checklist item Announce on the feature issue an estimated time this will be enabled on GitLab.com. as completed

marked the checklist item Notify #support_gitlab-com and your team channel (more guidance when this is necessary in the dev docs). as completed

changed the description

Started the incremental rollout at 08:30 UTC, set to 25%: /chatops run feature set compliance_violations_graphql_type 25 --actors

No errors

Increased incremental rollout at 09:31 UTC, set to 50%: /chatops run feature set compliance_violations_graphql_type 50 --actors

No errors

Increased incremental rollout at 10:31 UTC, set to 75%: /chatops run feature set compliance_violations_graphql_type 75 --actors

No errors

The feature flag is now enabled for every GitLab Ultimate group as of 12:21 UTC.

created branch 350249-remove-compliance-violations-graphql-type-feature-flag to address this issue

mentioned in merge request !82603 (merged)

added workflowin dev label and removed workflowblocked label

marked the checklist item Incrementally roll out the feature. as completed

marked the checklist item /chatops run feature set compliance_violations_graphql_type 25 --actors as completed

marked the checklist item Announce on the feature issue that the feature has been globally enabled. as completed

marked the checklist item Remove all references to the feature flag from the codebase. as completed

marked the checklist item Create a changelog entry. as completed

marked the checklist item Remove the YAML definitions for the feature from the repository. as completed

marked the checklist item Create a merge request to remove compliance_violations_graphql_type feature flag. Ask for review and merge it. as completed

mentioned in merge request gitlab-com/www-gitlab-com!99921 (merged)

Feature flag removed from codebase

marked the checklist item Ensure that the cleanup MR has been deployed to both production and canary. as completed

marked the checklist item /chatops run auto_deploy status <merge-commit-of-cleanup-mr> as completed

marked the checklist item Clean up the feature flag from all environments by running these chatops command in #production channel: as completed

marked the checklist item /chatops run feature delete compliance_violations_graphql_type --dev as completed

marked the checklist item /chatops run feature delete compliance_violations_graphql_type as completed

marked the checklist item /chatops run feature delete compliance_violations_graphql_type --staging as completed

marked the checklist item Close the feature issue to indicate the feature will be released in the current milestone. as completed

marked the checklist item Close this rollout issue. as completed

closed