[Feature flag] Cleanup of `operational_vulnerabilities`
Summary
This issue is to rollout the feature on production,
that is currently behind the :operational_vulnerabilities
feature flag.
Owners
- Team: Container Security
- Most appropriate slack channel to reach out to:
#g_protect_container_security
- Best individual to reach out to: Alexander Turinske (@aturinske)
- PM: Sam White
The Rollout Plan
- Rollout Feature for everyone as soon as it's ready
Testing Groups/Projects/Users
Expectations
What are we expecting to happen?
- there will be tabs with different types of vulnerabilities
What might happen if this goes wrong?
- the vulnerability pages (pipeline/project/group/instance) no longer work
What can we monitor to detect problems with this?
- #questions Slack channel
- #isThisKnown Slack channel
Rollout Steps
Rollout on non-production environments
-
Ensure that the feature MRs have been deployed to non-production environments. -
/chatops run auto_deploy status 842e902da028c14fc2d74e9c054eff8e1476c551
-
-
Enable the feature globally on non-production environments. -
/chatops run feature set operational_vulnerabilities true --dev
-
/chatops run feature set operational_vulnerabilities true --staging
-
-
Verify that the feature works as expected. Posting the QA result in this issue is preferable.
Preparation before production rollout
-
Ensure that the feature MRs have been deployed to both production and canary. -
/chatops run auto_deploy status 842e902da028c14fc2d74e9c054eff8e1476c551
-
-
Check if the feature flag change needs to be accompanied with a change management issue. Cross link the issue here if it does. -
Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the @sre-oncall
Slack alias. -
Ensure that documentation has been updated (More info). -
Announce on the feature issue an estimated time this will be enabled on GitLab.com. -
If the feature might impact the user experience, notify #support_gitlab-com
and your team channel (more guidance when this is necessary in the dev docs).
Global rollout on production
All /chatops
commands that target production should be done in the #production
slack channel for visibility.
-
Confirm the feature flag is enabled on staging
without incident -
Roll out the feature to targeted testing projects/groups first -
/chatops run feature set --project=gitlab-org/gitlab operational_vulnerabilities true
-
/chatops run feature set --project=gitlab-org/gitlab-foss operational_vulnerabilities true
-
/chatops run feature set --project=gitlab-com/www-gitlab-com operational_vulnerabilities true
-
-
Enable the feature globally on production environment. /chatops run feature set operational_vulnerabilities true
-
Announce on the feature issue that the feature has been globally enabled.
(Optional) Release the feature with the feature flag
If you're still unsure whether the feature is deemed stable but want to release it in the current milestone, you can change the default state of the feature flag to be enabled. To do so, follow these steps:
-
Create a merge request with the following changes. Ask for review and merge it. -
Set the default_enabled
attribute in the feature flag definition totrue
. -
Create a changelog entry. (I forgot to do this. Next time I will remember)
-
-
Ensure that the default-enabling MR has been deployed to both production and canary. If the merge request was deployed before the code cutoff, the feature can be officially announced in a release blog post. -
/chatops run auto_deploy status 3fa04b4c9fd8eb5e1c95ff4af3b661890f6808a7
-
-
Close the feature epic to indicate the feature will be released in the current milestone. -
Set the next milestone to this rollout issue for scheduling the flag removal. -
(Optional) You can create a separate issue for scheduling the steps below to Release the feature. -
Set the title to "[Feature flag] Cleanup operational_vulnerabilities
". -
Execute the /copy_metadata <this-rollout-issue-link>
quick action to copy the labels from this rollout issue. -
Link this rollout issue as a related issue. -
Close this rollout issue.
-
WARNING: This approach has the downside that it makes it difficult for us to clean up the flag. For example, on-premise users could disable the feature on their GitLab instance. But when you remove the flag at some point, they suddenly see the feature as enabled and they can't roll it back to the previous behavior. To avoid this potential breaking change, use this approach only for urgent matters.
Release the feature
After the feature has been deemed stable, the clean up should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase.
-
Create a merge request to remove operational_vulnerabilities
feature flag. Ask for review and merge it.-
Remove all references to the feature flag from the codebase. -
Remove the YAML definitions for the feature from the repository. -
Create a changelog entry. -
Remove the gon.features?.operationalVulnerabilities
ternary inee/app/assets/javascripts/security_dashboard/vulnerability_report_init.js
and use onlygetVulnerabilityComponent()
. -
Fix broken tests in ee/spec/frontend_integration/security_dashboard/vulnerability_report_init_integration_spec.js
.
-
-
Ensure that the cleanup MR has been deployed to both production and canary. If the merge request was deployed before the code cutoff, the feature can be officially announced in a release blog post. -
/chatops run auto_deploy status 61833c7f887d3fa0eab221bbf0daf8d1dba13954
-
-
Close the feature issue to indicate the feature will be released in the current milestone. -
Clean up the feature flag from all environments by running these chatops command in #production
channel:-
/chatops run feature delete operational_vulnerabilities --dev
-
/chatops run feature delete operational_vulnerabilities --staging
-
/chatops run feature delete operational_vulnerabilities
-
-
Close this rollout issue.
Rollback Steps
-
This feature can be disabled by running the following Chatops command:
/chatops run feature set operational_vulnerabilities false