Geo: Replicate Vulnerabilities::ArchiveExport uploads

What does this MR do and why?

Add Geo SSF (self-service framework) replication and verification for the vulnerability_archive_export_uploads partition table, so vulnerability archive export attachments are mirrored from the primary to secondary Geo sites alongside other upload types.

Generated with scripts/geo/generate-blob-replicator and adjusted to match the upload-partition pattern established in !229718 (merged):

  • Shorten Postgres identifiers (vae_upl prefix) to fit the 63-character limit on the registry, state, and partition indexes.
  • Point the upload-states foreign key at the partition table (vulnerability_archive_export_uploads) and add a unique index on its id, since the parent uploads table has a composite primary key.
  • Override Geo::VulnerabilityArchiveExportUploadRegistry.model_updated_last to :created_at because partition tables don't carry updated_at.

Replication is gated by the ops feature flag geo_vulnerability_archive_export_upload_replication (default disabled); flipping it on for general availability is tracked separately under the parent epic.

Changelog: added
EE: true

References

How to set up and validate locally

Validation requires a local Geo setup (primary + secondary). Make sure you run the Geo migrations with: rails db:migrate:geo. Then:

  1. On the primary, enable the feature flag:

    Feature.enable(:geo_vulnerability_archive_export_upload_replication)

  2. Create a Vulnerabilities::ArchiveExport with an attached file (via the security dashboard's "Export" action on a project's vulnerability report, or in the Rails console).

  3. On the secondary, watch the registry get populated:

    Geo::VulnerabilityArchiveExportUploadRegistry.last

    Confirm it transitions through pending → started → synced and that verification_state reaches succeeded.

  4. Confirm the file exists on the secondary's object storage / disk at the same path as the primary.

  5. Spot-check the GraphQL API:

    {
      geoNode(name: "<secondary-name>") {
        vulnerabilityArchiveExportUploadRegistries { nodes { id state } }
      }
    }

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Victor Prêté
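The 63-character identifier limit mentioned in the description is why the prefix was shortened: PostgreSQL truncates longer names, so two long index names can end up as the same stored identifier. The following is an added example, not code from this MR; the index names are constructed for illustration (the MR's actual identifiers are not shown on this page) and the limit assumes a default PostgreSQL build.

```ruby
# Added example: audits candidate Postgres identifiers for truncation and
# for collisions after truncation. All names below are constructed.
PG_IDENTIFIER_LIMIT = 63 # NAMEDATALEN - 1 in a default PostgreSQL build

# PostgreSQL truncates at a byte limit; a partial multibyte character is dropped.
def pg_truncate(name)
  return name if name.bytesize <= PG_IDENTIFIER_LIMIT

  name.byteslice(0, PG_IDENTIFIER_LIMIT).scrub('')
end

# Returns one report row per candidate identifier.
def audit_identifiers(names)
  stored = names.map { |n| pg_truncate(n) }
  names.each_with_index.map do |name, i|
    clashes = names.each_index.select { |j| j != i && stored[j] == stored[i] }
    {
      name: name,
      bytes: name.bytesize,
      too_long: name.bytesize > PG_IDENTIFIER_LIMIT,
      stored_as: stored[i],
      collides_with: clashes.map { |j| names[j] }
    }
  end
end

# Constructed candidates: two built from a long table name, one using a
# shortened prefix in the style the description mentions (vae_upl).
TABLE = 'vulnerability_archive_export_upload_states'
CANDIDATES = [
  "index_#{TABLE}_on_verification_started_at",
  "index_#{TABLE}_on_verification_state",
  'index_vae_upl_states_on_verification_state'
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_identifiers(CANDIDATES).each do |row|
    status = row[:too_long] ? "TOO LONG, stored as #{row[:stored_as]}" : 'ok'
    puts "#{row[:bytes].to_s.rjust(3)} bytes  #{row[:name]}  #{status}"
    row[:collides_with].each { |other| puts "      collides with #{other}" }
  end
end
```

The first two names differ only after byte 63, so they truncate to the same identifier; the shortened name stays under the limit and remains distinct.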
