This issue is to clean up the merge_sbom_api feature flag, after the feature flag has been enabled by default for an appropriate amount of time in production.
Owners
Team: composition analysis
Most appropriate slack channel to reach out to: #g_secure-composition-analysis
Ensure that the cleanup MR has been deployed to both production and canary. If the merge request was deployed before the code cutoff, the feature can be officially announced in a release blog post.
/chatops run auto_deploy status <merge-commit-of-cleanup-mr>
Close the feature issue to indicate the feature will be released in the current milestone.
If not already done, clean up the feature flag from all environments by running these chatops commands in the #production channel:
/chatops run feature delete <feature-flag-name> --dev
/chatops run feature delete <feature-flag-name> --staging
Thank you @atiwari71! The feature was made experimental I believe due to performance concerns from Threat Insights. The Slack thread indicates that the feature is stable but doesn't meet beta or GA requirements. Which beta/GA requirements are missing today?
@smeadzinger IMO, we should mark it GA. Following the requirements of beta does not make sense in the case of this feature, as we are presenting it as a replacement feature for the License scanning job and intend to use it in production env. Also, it's stable.
May not be ready for production use.
Support on a commercially-reasonable effort basis.
@atiwari71 have we verified the performance of the new API endpoint and the absence of negative impact on TI's error budget since we've launched it? Has it been used enough times to have relevant data?
If yes, that should probably be enough to convince TI we can remove the flag and call it GA? In any case, this feature belongs to TI's product area so we should get their approval. Please ping Thiago and Alana once you've shared the data.
@atiwari71 when looking at the error budget dashboard, you can dive into the Budget spend attribution section to find out more about it. In the Failure log link panel (on the right), the All request violations: slow requests + failing requests link will point you to a list of all endpoints impacting the budget. You can read more on how to use the error budget dashboard in the documentation: https://docs.gitlab.com/ee/development/stage_group_observability/index.html#error-budget
@gonzoyumo and @thiagocsf are we good to go ahead and mark this as GA for 16.6 then? If so, I would love for us to create a release post, and potentially a blog post/demo.
@smeadzinger it doesn't look like so. The current performance of this endpoint is not great and it is eating budget apparently. I'd leave a bit more time for @atiwari71 to measure the impact and refine the performance issue but we might have to do some improvement before calling this GA. cc @thiagocsf
The endpoint dependency_list_exports/:export_id/download is showing an apdex score of 99.95 in the last 30 days. This endpoint is a pre-existing endpoint and when I looked at the past data, I found that the data to measure the performance of this endpoint is not great as it was not used much before. The one good thing is that the error rate is 0%. Here is some more data:
a. Performance between now-30 days to now: 1271 operations - apdex 99.95%
b. Performance between now-60 to now-30 days: 200 operations - apdex 100%
c. Performance between now-90 to now-60 days: 26 operations - apdex 99.87%
Please note that the endpoint is a pre-existing endpoint and was used before the introduction of the merge sbom feature.
So, to conclude, I think we can wait for one more milestone to gather more data. WDYT?
As I predicted, the performance isn't great. But it doesn't seem to be impacting the TI budget at the moment. If this happens, I'd be happy to look into prioritizing work to improve its performance. Note that this will happen as part of the roadmap anyway, as the CI artifacts will be replaced with DB queries.
Aditya Tiwari marked the checklist item Create a merge request to remove <feature-flag-name> feature flag. Ask for review and merge it. as completed
Aditya Tiwari marked the checklist item Ensure that the cleanup MR has been deployed to both production and canary. If the merge request was deployed before the code cutoff, the feature can be officially announced in a release blog post. as completed
Aditya Tiwari marked the checklist item Close the feature issue to indicate the feature will be released in the current milestone. as completed
Aditya Tiwari marked the checklist item If not already done, clean up the feature flag from all environments by running these chatops commands in #production channel: as completed
Aditya Tiwari marked the checklist item Close this rollout issue. as completed