Skip to content

Disable optional runner token encryption for groups and projects

Vladimir Shushlin requested to merge vshushlin/group-project-runner-token-encryption-ff-disable into master

What does this MR do and why?

Disable optional runner token encryption for groups and projects

This FF was disabled in #27350 (closed), But the default wasn't changed.

I'm hesitant to just remove these feature flags, so disabling them first

And in the next milestone, we can remove them completely

Part of [Feature flag] Clean up groups_tokens_optional_... (#333862 - closed) and [Feature flag] Clean up projects_tokens_optiona... (#333864 - closed)

Here's the data about migration from production:

[ gprd ] production> ActiveRecord::Base.connection.execute('select runners_token IS NOT NULL as has_token, runners_token_encrypted I
S NOT NULL as has_token_encrypted, count(*), max(created_at) from projects group by runners_token IS NOT NULL, runners_token_encrypt
ed IS NOT NULL').to_a
=> 
[{"has_token"=>false,
  "has_token_encrypted"=>false,
  "count"=>5715781,
  "max"=>2019-03-23 22:28:51.412937 +0000},
 {"has_token"=>false,
  "has_token_encrypted"=>true,
  "count"=>24273494,
  "max"=>2023-05-09 11:33:28.067896 +0000},
 {"has_token"=>true,
  "has_token_encrypted"=>false,
  "count"=>7710,
  "max"=>2017-08-09 15:53:19.46134 +0000},
 {"has_token"=>true,
  "has_token_encrypted"=>true,
  "count"=>184051,
  "max"=>2017-08-25 15:42:03.457056 +0000}]
[ gprd ] production> ActiveRecord::Base.connection.execute('select runners_token IS NOT NULL as has_token, runners_token_encrypted I
S NOT NULL as has_token_encrypted, count(*), max(created_at) from namespaces group by runners_token IS NOT NULL, runners_token_encry
pted IS NOT NULL').to_a
=> 
[{"has_token"=>false,
  "has_token_encrypted"=>false,
  "count"=>46772945,
  "max"=>2023-05-09 11:35:19.486278 +0000},
 {"has_token"=>false,
  "has_token_encrypted"=>true,
  "count"=>1442740,
  "max"=>2023-05-09 11:33:28.276219 +0000}]

As you can see, groups were migrated fully, and projects aren't, but the last project which has the runner token and doesn't have an encrypted token was created in 2017.

And the feature flags were disabled on .com for 3 years already, so I don't expect any issues.

I'm probably being too cautious not removing them right away.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Vladimir Shushlin

Merge request reports