Switch to new DWS runway fleet via feature flag

What does this MR do and why?

This MR is part of the snapshot migration of Duo Workflow Service. It introduces the new_duo_workflow_service feature flag to switch to the new Duo Workflow Service runway fleet that is deployed from the AI Gateway project. With this feature flag, we will test whether phase 2 (repository migration) is ready to proceed.

Related to https://gitlab.com/gitlab-org/gitlab/-/issues/535545 and #540641 (closed)

Side notes:

  • The current DWS runway fleet is exposed on port 443 via Runway/CloudRun (FYI: internally port-forwarded to 8080 in the container, which is exposed at PORT in the gRPC server). Since Cloud Connector (e.g. https://cloud.gitlab.com) and these intermediate layers use HTTPS (443) for the protocol by default, using Gitlab.config.cloud_connector.base_url to construct the endpoint to the DWS in GitLab-Rails is OK.
  • The new DWS runway fleet has the same configuration.
  • Tested with curl -v https://duo-workflow.runway.gitlab.net and curl -v https://duo-workflow-svc.runway.gitlab.net, and confirmed via logs that the requests arrived (example)
  • This MR doesn't affect GDK installation. It affects only production and staging.
  • Related to Allow configuring Duo Workflow Service URL in c... (!163565 - merged)

How to set up and validate locally

When the new_duo_workflow_service feature flag is disabled:

[6] pry(main)> Gitlab.config.duo_workflow.service_url
=> nil
[7] pry(main)> Gitlab.config.duo_workflow.secure
=> true
[8] pry(main)> Gitlab::DuoWorkflow::Client.url
=> "duo-workflow.runway.gitlab.net:443"
[9] pry(main)> Gitlab::DuoWorkflow::Client.secure?
=> true

When the new_duo_workflow_service feature flag is enabled:

[7] pry(main)> Gitlab.config.duo_workflow.service_url
=> nil
[8] pry(main)> Gitlab.config.duo_workflow.secure
=> true
[9] pry(main)> Gitlab::DuoWorkflow::Client.url
=> "duo-workflow-svc.runway.gitlab.net:443"
[10] pry(main)> Gitlab::DuoWorkflow::Client.secure?
=> true

When service_url and secure are specified in gitlab.yml:

[1] pry(main)> Gitlab.config.duo_workflow.service_url
=> "gdk.test:50052"
[2] pry(main)> Gitlab.config.duo_workflow.secure
=> false
[3] pry(main)> Gitlab::DuoWorkflow::Client.url
=> "gdk.test:50052"
[4] pry(main)> Gitlab::DuoWorkflow::Client.secure?
=> false

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Shinya Maeda