Increase Release Environment Cost efficiency through transition from canonical to security
Context
We currently deploy from both the canonical gitlab repo's and the security mirror gitlab repo's stable branch commits & tags to the release environment (RE) to perform QA testing for backport commits.
- Example RE downstream pipeline from canonical gitlab repo
- Example RE downstream pipeline from security gitlab repo
The commits from the canonical repository always get mirrored to the security repository, but during the preparation phase of a patch release, the security repository will have more commits until the patch release gets published. (After it gets published, the commits get mirrored back to canonical).
Initially we only had this integration from the canonical gitlab repo, but that cannot test backport security fixes prior to the patch release being published. Integrating it to the security repo allowed us to test the backport security fixes during the preparation phase of the patch release process.
However currently, we're essentially duplicating the deployment resources on the canonical repository, since we'll be deploying and testing the integrity of the same commits in the security mirror. We decided to only deploy from security as it will always have the same or more commits on the stable branches.
This issue is to transition the integration of release-environments to only be deployed from the security mirror (security/gitlab) repo.
Cost Savings Analysis
Currently we spin up double the workload in the release-gitlab-gke cluster (in gitlab-release GCP project), one set for the canonical stable branch (e.g. gitlab-16-11-stable), and another set for the security stable branch (e.g. gitlab-16-11-stable-security).
We spun up the extra workloads for -security in June-July and this is what I observed in the billing report (internal link):
- Average billing cost before June 2024 was around $2,000 a month for the project's resources
- In July 2024 the billing cost was $3,700
- Difference of $1700 a month
Note that:
- There haven't been any other noticeable changes in the gitlab-release GCP project besides RE integration with gitlab/security, so I think this cost is mostly, if not all, due to the new integration
  - Which means that we'll probably go back down to around $2,000 a month once we complete this effort. (Saving of $1700 a month)
- RE was still under active development during the month of July, so that billing of $3,700 might not be the most accurate depiction of billing going forward if the canonical workload were to be left alone, but there's no real reason to keep it around.
- I predict that the cost savings will be $1500-2000 a month by tearing down the canonical workload.
Exit Criteria
- Feasibility of the migration process was discussed (complete in #20203 (closed), description changed accordingly)
- release-environments pipelines do not deploy clusters for gitlab canonical repository