Skip to content

[Feature flag] Rollout of `deduplicate_security_report_ingestion_jobs`

Summary

This issue is to roll out the feature on production, that is currently behind the deduplicate_security_report_ingestion_jobs feature flag.

Owners

  • Most appropriate Slack channel to reach out to: #g_govern_threat_insights
  • Best individual to reach out to: @wandering_person

Expectations

What are we expecting to happen?

  1. no new issues or alerts around the StoreSecurityReports job
  2. These errors stop happening GITLABCOM-2PMD

What can go wrong and how would we detect it?

We could introduce a new bug into the vulnerability ingestion process, causing the blockage of new vulnerabilities being saved in the database

Rollout Steps

Note: Please make sure to run the chatops commands in the Slack channel that gets impacted by the command.

Rollout on non-production environments

  • Verify the MR with the feature flag is merged to master and have been deployed to non-production environments with /chatops run auto_deploy status c048552683664825f59cd4c15543ccff340ae0bc
  • Enable the feature globally on non-production environments with /chatops run feature set deduplicate_security_report_ingestion_jobs true --dev --pre --staging --staging-ref
  • Verify that the feature works as expected. The best environment to validate the feature in is staging-canary as this is the first environment deployed to. Make sure you are configured to use canary. For assistance with end-to-end test failures, please reach out via the #test-platform Slack channel. Note that end-to-end test failures on staging-ref don't block deployments.

Specific rollout on production

For visibility, all /chatops commands that target production should be executed in the #production Slack channel and cross-posted (with the command results) to the responsible team's Slack channel.

  • Ensure that the feature MRs have been deployed to both production and canary with /chatops run auto_deploy status c048552683664825f59cd4c15543ccff340ae0bc
  • Depending on the type of actor you are using, pick one of these options:
    • For project-actor: /chatops run feature set --project=gitlab-org/gitlab,gitlab-org/gitlab-foss,gitlab-com/www-gitlab-com deduplicate_security_report_ingestion_jobs true
  • Verify that the feature works for the specific actors.

Preparation before global rollout

  • Set a milestone to this rollout issue to signal for enabling and removing the feature flag when it is stable.
  • Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the @sre-oncall Slack alias.
  • Leave a comment on the feature issue announcing estimated time when this feature flag will be enabled on GitLab.com.
  • Ensure that any breaking changes have been announced following the release post process to ensure GitLab customers are aware.
  • Notify the #support_gitlab-com Slack channel and your team channel (more guidance when this is necessary in the dev docs).

Global rollout on production

For visibility, all /chatops commands that target production should be executed in the #production Slack channel and cross-posted (with the command results) to the responsible team's Slack channel (#g_govern_threat_insights).

  • Enable the feature globally on production environment: /chatops run feature set deduplicate_security_report_ingestion_jobs true
  • Observe appropriate graphs on https://dashboards.gitlab.net and verify that services are not affected.
  • Leave a comment on [the feature issue][main-issue] announcing that the feature has been globally enabled.
  • Wait for at least one day for the verification term.

Release the feature

After the feature has been deemed stable, the clean up should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase.

You can either create a follow-up issue for Feature Flag Cleanup or use the checklist below in this same issue.

  • Create a merge request to remove the deduplicate_security_report_ingestion_jobs feature flag. Ask for review/approval/merge as usual. The MR should include the following changes:
    • Remove all references to the feature flag from the codebase.
    • Remove the YAML definitions for the feature from the repository.
    • Create a changelog entry.
  • Ensure that the cleanup MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post: /chatops run release check https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151541 17.2
  • Close [the feature issue][main-issue] to indicate the feature will be released in the current milestone.
  • Clean up the feature flag from all environments by running these chatops command in #production channel: /chatops run feature delete deduplicate_security_report_ingestion_jobs --dev --pre --staging --staging-ref --production
  • Close this rollout issue.

Rollback Steps

  • This feature can be disabled on production by running the following Chatops command:
/chatops run feature set deduplicate_security_report_ingestion_jobs false
  • Disable the feature flag on non-production environments:
/chatops run feature set deduplicate_security_report_ingestion_jobs false --dev --pre --staging --staging-ref
  • Delete feature flag from all environments:
/chatops run feature delete deduplicate_security_report_ingestion_jobs --dev --pre --staging --staging-ref --production
Edited by Michael Becker