[Feature flag] Rollout of `deprecate_vulnerabilities_feedback`

Summary

This issue is to rollout Deprecate and remove Vulnerabilities::Feedback on production, that is currently behind the deprecate_vulnerabilities_feedback feature flag.

Owners

• Team: Threat Insights
• Most appropriate slack channel to reach out to: #g_secure_threat_insights
• Best individual to reach out to: Subashis Chakraborty(@subashis) Michał Zając (@Quintasan)

Stakeholders

Expectations

What are we expecting to happen?

When is the feature viable?

Vulnerability Feedback Deprecation is dependent on the MR Security Widget V2 releasing first (feature flag rollout issue). Therefore there are a number of ordered steps we will take to release both features. Below is the time table we are planning against.

Date	Change	Complete	Notes
2023-03-14	Smoke test: Enable Feedback Deprecation on Staging for one project	✅
2023-03-14	Trigger QA E2E tests	✅
2023-03-15	Smoke test: Enable Feedback Deprecation on Production for one project	✅
2023-03-29	Enable MR V2 globally on Staging	✅	Rescheduled as we needed to rollback due to E2E failures
2023-03-29	Enable MR V2 on test projects on Production	✅
2023-04-03	Enable Feedback Deprecation globally on Staging	✅
2023-04-03	Enable MR V2 on main gitlab-org/gitlab on Production. Notify #whats-happening-at-gitlab and #sec-appsec	✅
2023-04-03	Enable Feedback Deprecation on test projects on Production	✅
2023-04-04	Enable MR V2 globally on Production. Notify #whats-happening-at-gitlab and #sec-appsec	✅
2023-04-04	Run full E2E tests	✅	Tests passed
2023-04-11	Enable Vulnerabilities Feedback Deprecation for gitlab-org/gitlab on Production; Notify #whats-happening-at-gitlab and #sec-appsec	✅
2023-04-13	Enable Vulnerabilities Feedback Deprecation globally on Production; Notify #whats-happening-at-gitlab and #sec-appsec	✅
2023-04-13	Run full E2E tests	✅	Tests passed
2023-04-22	15.11 release is a mandatory upgrade that includes migrations required for feedback deprecation (done in 15.9, 15.10). This step is to ensure self-managed instances have completed the migrations before enabling the FF by default.
2023-05-22	Enable MR V2 by default for 16.0 release	✅	!118843 (merged)
2023-05-22	Enable Vulnerabilities Feedback Deprecation by default for 16.0 release	✅	!118963 (merged)

Test projects

Please ensure they are available to the team. The best way is to put them into the govern-team-test (staging) or threat-insights-demos (production) groups, which inherit access and have an ultimate license.

Staging

1. https://staging.gitlab.com/secure-team-test/threat-insights/security-reports/-/merge_requests/1
2. https://staging.gitlab.com/govern-team-test/vulnerabilities-feedback-tests/security-reports/-/merge_requests/3
3. https://staging.gitlab.com/govern-team-test/vulnerabilities-feedback-tests/test-solutions-available/-/merge_requests/1 (solution available - ability to create MR from finding)

Production

1. https://gitlab.com/gitlab-org/govern/threat-insights-demos/personal-test-projects/neil-test-remediations-solutions-available
2. gitlab-org/govern/threat-insights-demos/personal-test-projects/security-reports-empty!1 (closed) (project with MR that shows added findings for every report type)
3. https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/test-remediations-for-issue-390071/-/pipelines/806658688/security (project with 21 findings that can be auto remediated/create MR off of)

What might happen if this goes wrong?

The feature flag drives where vulnerability state comes from:

• On: the new StateTransition model
• Off: the old Feedback model

Possible problems:

• Incorrect item states on vulnerability report
• Incorrect MR security widget information (i.e. added/fixed findings)

In particular, the new model depends on database migrations that can take days to run (for large number of vulnerabilities, such as we have on gitlab.com). If the feature flag is turned-on before these migrations are finished, users may see incorrect states until the migrations finish.

What can we monitor to detect problems with this?

Consider mentioning checks for 5xx errors or other anomalies like an increase in redirects (302 HTTP response status)

What can we check for monitoring production after rollouts?

Consider adding links to check for Sentry errors, Production logs for 5xx, 302s, etc.

Rollout Steps

Rollout on non-production environments

• Ensure that the feature MRs have been deployed to non-production environments.
  • /chatops run auto_deploy status <merge-commit-of-your-feature>
• Enable the feature globally on non-production environments.
  • /chatops run feature set <feature-flag-name> true --dev
  • /chatops run feature set <feature-flag-name> true --staging
• Verify that the feature works as expected. Posting the QA result in this issue is preferable. The best environment to validate the feature in is staging-canary as this is the first environment deployed to. Note you will need to make sure you are configured to use canary as outlined here when accessing the staging environment in order to make sure you are testing appropriately.

Specific rollout on production

• Ensure that the feature MRs have been deployed to both production and canary.
  • /chatops run auto_deploy status <merge-commit-of-your-feature>
• If you're using project-actor, you must enable the feature on these entries:
  • /chatops run feature set --project=gitlab-org/gitlab deprecate_vulnerabilities_feedback true
  • /chatops run feature set --project=gitlab-org/gitlab-foss deprecate_vulnerabilities_feedback true
  • /chatops run feature set --project=gitlab-com/www-gitlab-com deprecate_vulnerabilities_feedback true
• If you're using group-actor, you must enable the feature on these entries:
  • /chatops run feature set --group=gitlab-org deprecate_vulnerabilities_feedback true
  • /chatops run feature set --group=gitlab-com deprecate_vulnerabilities_feedback true
• If you're using user-actor, you must enable the feature on these entries:
  • /chatops run feature set --user=<your-username> deprecate_vulnerabilities_feedback true
• Verify that the feature works on the specific entries. Posting the QA result in this issue is preferable.

Preparation before global rollout

• Check if the feature flag change needs to be accompanied with a change management issue. Cross link the issue here if it does.
• Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the @sre-oncall Slack alias.
• Ensure that documentation has been updated (More info).
• Announce on the feature issue an estimated time this will be enabled on GitLab.com.
• Ensure that any breaking changes have been announced following the release post process to ensure GitLab customers are aware.
• Notify #support_gitlab-com and your team channel (more guidance when this is necessary in the dev docs).

Global rollout on production

For visibility, all /chatops commands that target production should be executed in the #production slack channel and cross-posted (with the command results) to the responsible team's slack channel (#g_TEAM_NAME).

• Incrementally roll out the feature.
  • If the feature flag in code has an actor, perform actor-based rollout.
    • /chatops run feature set deprecate_vulnerabilities_feedback <rollout-percentage> --actors
  • If the feature flag in code does NOT have an actor, perform time-based rollout (random rollout).
    • /chatops run feature set deprecate_vulnerabilities_feedback <rollout-percentage> --random
  • Enable the feature globally on production environment.
    • /chatops run feature set deprecate_vulnerabilities_feedback true
• Announce on the feature issue that the feature has been globally enabled.
• Wait for at least one day for the verification term.

(Optional) Release the feature with the feature flag

If you're still unsure whether the feature is deemed stable but want to release it in the current milestone, you can change the default state of the feature flag to be enabled. To do so, follow these steps:

• Create a merge request with the following changes. Ask for review and merge it.
  • Set the default_enabled attribute in the feature flag definition to true.
  • Create a changelog entry.
• Ensure that the default-enabling MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post.
  • /chatops run release check <merge-request-url> <milestone>
• Close the feature issue to indicate the feature will be released in the current milestone.
• Set the next milestone to this rollout issue for scheduling the flag removal.
• (Optional) You can create a separate issue for scheduling the steps below to Release the feature.
  • Set the title to "[Feature flag] Cleanup deprecate_vulnerabilities_feedback".
  • Execute the /copy_metadata <this-rollout-issue-link> quick action to copy the labels from this rollout issue.
  • Link this rollout issue as a related issue.
  • Close this rollout issue.

WARNING: This approach has the downside that it makes it difficult for us to clean up the flag. For example, on-premise users could disable the feature on their GitLab instance. But when you remove the flag at some point, they suddenly see the feature as enabled and they can't roll it back to the previous behavior. To avoid this potential breaking change, use this approach only for urgent matters.

Release the feature

After the feature has been deemed stable, the clean up should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase.

You can either create a follow-up issue for Feature Flag Cleanup or use the checklist below in this same issue.

• Create a merge request to remove <feature-flag-name> feature flag. Ask for review and merge it.
  • Remove all references to the feature flag from the codebase.
  • Remove the YAML definitions for the feature from the repository.
  • Create a changelog entry.
• Ensure that the cleanup MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post.
  • /chatops run release check <merge-request-url> <milestone>
• Close the feature issue to indicate the feature will be released in the current milestone.
• Clean up the feature flag from all environments by running these chatops command in #production channel:
  • /chatops run feature delete deprecate_vulnerabilities_feedback --dev
  • /chatops run feature delete deprecate_vulnerabilities_feedback --staging
  • /chatops run feature delete deprecate_vulnerabilities_feedback
• Close this rollout issue.

Rollback Steps

• This feature can be disabled by running the following Chatops command:

/chatops run feature set deprecate_vulnerabilities_feedback false