Feature flags in the development of GitLab
This document is the subject of continued work as part of an epic to improve internal usage of feature flags. Raise any suggestions as new issues and attach them to the epic.
For an overview of the feature flag lifecycle, or if you need help deciding if you should use a feature flag or not, see the feature flag lifecycle handbook page.
When to use feature flags
Moved to the “When to use feature flags” section in the handbook.
Feature flags in GitLab development
The following highlights should be considered when deciding if feature flags should be leveraged:
- The feature flag must be disabled by default.
- Feature flags should remain in the codebase for as short period as possible to reduce the need for feature flag accounting.
- The person operating the feature flag is responsible for clearly communicating the status of a feature behind the feature flag in the documentation and with other stakeholders. The issue description should be updated with the feature flag name and whether it is defaulted on or off as soon it is evident that a feature flag is needed.
- Merge requests that introduce a feature flag, update its state, or remove the existing feature flag because a feature is deemed stable must have the ~"feature flag" label assigned.
When the feature implementation is delivered over multiple merge requests:
- Create a new feature flag which is off by default, in the first merge request which uses the flag. Flags should not be added separately.
- Submit incremental changes via one or more merge requests, ensuring that any new code added can only be reached if the feature flag is on. You can keep the feature flag enabled on your local GDK during development.
- When the feature is ready to be tested by other team members, create the initial documentation. Include details about the status of the feature flag.
- Enable the feature flag for a specific project and ensure that there are no issues
with the implementation. Do not enable the feature flag for a public project
like
gitlab
if there is no documentation. Team members and contributors might search for documentation on how to use the feature if they see it enabled in a public project. - When the feature is ready for production use, open a merge request to:
- Update the documentation to describe the latest flag status.
- Add a changelog entry.
- Flip the feature flag to be on by default or remove it entirely to enable the new behavior.
One might be tempted to think that feature flags will delay the release of a feature by at least one month (= one release). This is not the case. A feature flag does not have to stick around for a specific amount of time (for example, at least one release), instead they should stick around until the feature is deemed stable. Stable means it works on GitLab.com without causing any problems, such as outages.
Risk of a broken main branch
Feature flags must be used in the MR that introduces them. Not doing so causes a
broken main branch scenario due
to the rspec:feature-flags
job that only runs on the main
branch.
Types of feature flags
Choose a feature flag type that matches the expected usage.
development
type
development
feature flags are short-lived feature flags,
used for deploying unfinished code to production. Most feature flags used at
GitLab are the development
type.
A development
feature flag must have a rollout issue
created from the Feature flag Roll Out template.
The format for development
feature flags is Feature.<state>(:<dev_flag_name>)
.
To enable and disable them, run on the GitLab Rails console:
# To enable it for the instance:
Feature.enable(:<dev_flag_name>)
# To disable it for the instance:
Feature.disable(:<dev_flag_name>)
# To enable for a specific project:
Feature.enable(:<dev_flag_name>, Project.find(<project id>))
# To disable for a specific project:
Feature.disable(:<dev_flag_name>, Project.find(<project id>))
To check a development
feature flag’s state:
# Check if the feature flag is enabled
Feature.enabled?(:dev_flag_name)
# Check if the feature flag is disabled
Feature.disabled?(:dev_flag_name)
For development
feature flags, the type doesn’t need to be specified (they’re the default type).
ops
type
ops
feature flags are long-lived feature flags that control operational aspects
of GitLab product behavior. For example, feature flags that disable features that might
have a performance impact such as Sidekiq worker behavior.
ops
feature flags likely do not have rollout issues, as it is hard to
predict when they are enabled or disabled.
To invoke ops
feature flags, you must append type: :ops
:
# Check if feature flag is enabled
Feature.enabled?(:my_ops_flag, project, type: :ops)
# Check if feature flag is disabled
Feature.disabled?(:my_ops_flag, project, type: :ops)
# Push feature flag to Frontend
push_frontend_feature_flag(:my_ops_flag, project, type: :ops)
experiment
type
experiment
feature flags are used for A/B testing on GitLab.com.
An experiment
feature flag should conform to the same standards as a development
feature flag,
although the interface has some differences. An experiment feature flag should have a rollout issue,
created using the Experiment Tracking template. More information can be found in the experiment guide.
worker
type
worker
feature flags are used for controlling Sidekiq workers behavior, such as deferring Sidekiq jobs.
worker
feature flags likely do not have any YAML definition as the name could be dynamically generated using
the worker name itself, for example, run_sidekiq_jobs_AuthorizedProjectsWorker
. Some examples for using worker
type feature
flags can be found in deferring Sidekiq jobs.
Feature flag definition and validation
Introduced in GitLab 13.3.
During development (RAILS_ENV=development
) or testing (RAILS_ENV=test
) all feature flag usage is being strictly validated.
This process is meant to ensure consistent feature flag usage in the codebase. All feature flags must:
- Be known. Only use feature flags that are explicitly defined.
- Not be defined twice. They have to be defined either in FOSS or EE, but not both.
- Use a valid and consistent
type:
across all invocations. - Have an owner.
All feature flags known to GitLab are self-documented in YAML files stored in:
Each feature flag is defined in a separate YAML file consisting of a number of fields:
Field | Required | Description |
---|---|---|
name
| yes | Name of the feature flag. |
type
| yes | Type of feature flag. |
default_enabled
| yes | The default state of the feature flag. |
introduced_by_url
| no | The URL to the merge request that introduced the feature flag. |
rollout_issue_url
| no | The URL to the Issue covering the feature flag rollout. |
milestone
| no | Milestone in which the feature flag was created. |
group
| no | The group that owns the feature flag. |
RAILS_ENV=production
.Create a new feature flag
The GitLab codebase provides bin/feature-flag
,
a dedicated tool to create new feature flag definitions.
The tool asks various questions about the new feature flag, then creates
a YAML definition in config/feature_flags
or ee/config/feature_flags
.
Only feature flags that have a YAML definition file can be used when running the development or testing environments.
$ bin/feature-flag my_feature_flag
>> Specify the group introducing the feature flag, like `group::project management`:
?> group::cloud connector
>> URL of the MR introducing the feature flag (enter to skip):
?> https://gitlab.com/gitlab-org/gitlab/-/merge_requests/38602
>> Open this URL and fill in the rest of the details:
https://gitlab.com/gitlab-org/gitlab/-/issues/new?issue%5Btitle%5D=%5BFeature+flag%5D+Rollout+of+%60test-flag%60&issuable_template=Feature+Flag+Roll+Out
>> URL of the rollout issue (enter to skip):
?> https://gitlab.com/gitlab-org/gitlab/-/issues/232533
create config/feature_flags/development/my_feature_flag.yml
---
name: my_feature_flag
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/38602
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/232533
group: group::cloud connector
type: development
default_enabled: false
All newly-introduced feature flags must be disabled by default.
Features that are developed and merged behind a feature flag should not include a changelog entry. The entry should be added either in the merge request removing the feature flag or the merge request where the default value of the feature flag is set to enabled. If the feature contains any database migrations, it should include a changelog entry for the database changes.
--ee
flag: bin/feature-flag --ee
Naming new flags
When choosing a name for a new feature flag, consider the following guidelines:
- A long, descriptive name is better than a short but confusing one.
- Write the name in snake case (
my_cool_feature_flag
). -
Avoid using
disable
in the name to avoid having to think (or document) with double negatives. Consider starting the name withhide_
,remove_
, ordisallow_
.In software engineering this problem is known as “negative names for boolean variables”. But we can’t forbid negative words altogether, to be able to introduce flags as disabled by default, use them to remove a feature by moving it behind a flag, or to selectively disable a flag by actor.
Risk of a broken master (main) branch
rspec:feature-flags
job that only runs on the master
branch.List all the feature flags
To use ChatOps to output all the feature flags in an environment to Slack, you can use the run feature list
command. For example:
/chatops run feature list --dev
/chatops run feature list --staging
Toggle a feature flag
See rolling out changes for more information about toggling feature flags.
Delete a feature flag
See cleaning up feature flags for more information about deleting feature flags.
Develop with a feature flag
There are two main ways of using feature flags in the GitLab codebase:
Backend
The feature flag interface is defined in lib/feature.rb
.
This interface provides a set of methods to check if the feature flag is enabled or disabled:
if Feature.enabled?(:my_feature_flag, project)
# execute code if feature flag is enabled
else
# execute code if feature flag is disabled
end
if Feature.disabled?(:my_feature_flag, project)
# execute code if feature flag is disabled
end
Default behavior for not configured feature flags is controlled
by default_enabled:
in YAML definition.
If feature flag does not have a YAML definition an error will be raised
in development or test environment, while returning false
on production.
If not specified, the default feature flag type for Feature.enabled?
and Feature.disabled?
is type: development
. For all other feature flag types, you must specify the type:
:
if Feature.enabled?(:feature_flag, project, type: :ops)
# execute code if ops feature flag is enabled
else
# execute code if ops feature flag is disabled
end
if Feature.disabled?(:my_feature_flag, project, type: :ops)
# execute code if feature flag is disabled
end
Feature
class in
config/initializers/*
or at the class level could cause an unexpected error. This error occurs
because a database that a feature flag adapter might depend on doesn’t exist at load time
(especially for fresh installations). Checking for the database’s existence at the caller isn’t
recommended, as some adapters don’t require a database at all (for example, the HTTP adapter). The
feature flag setup check must be abstracted in the Feature
namespace. This approach also requires
application reload when the feature flag changes. You must therefore ask SREs to reload the
Web/API/Sidekiq fleet on production, which takes time to fully rollout/rollback the changes. For
these reasons, use environment variables (for example, ENV['YOUR_FEATURE_NAME']
) or gitlab.yml
instead.Here’s an example of a pattern that you should avoid:
class MyClass
if Feature.enabled?(:...)
new_process
else
legacy_process
end
end
Recursion detection
When there are many feature flags, it is not always obvious where they are called. Avoid cycles where the evaluation of one feature flag requires the evaluation of other feature flags. If this causes a cycle, it will be broken and the default value will be returned.
To enable this recursion detection to work correctly, always access feature values through
Feature::enabled?
, and avoid the low-level use of Feature::get
. When this
happens, we track a Feature::RecursionError
exception to the error tracker.
Frontend
When using a feature flag for UI elements, make sure to also use a feature flag for the underlying backend code, if there is any. This ensures there is absolutely no way to use the feature until it is enabled.
Use the push_frontend_feature_flag
method which is available to all controllers that inherit from ApplicationController
. You can use this method to expose the state of a feature flag, for example:
before_action do
# Prefer to scope it per project or user, for example
push_frontend_feature_flag(:vim_bindings, project)
end
def index
# ...
end
def edit
# ...
end
You can then check the state of the feature flag in JavaScript as follows:
if ( gon.features.vimBindings ) {
// ...
}
The name of the feature flag in JavaScript is always camelCase,
so checking for gon.features.vim_bindings
would not work.
See the Vue guide for details about how to access feature flags in a Vue component.
If not specified, the default feature flag type for push_frontend_feature_flag
is type: development
. For all other feature flag types, you must specify the type:
:
before_action do
push_frontend_feature_flag(:vim_bindings, project, type: :ops)
end
Feature actors
It is strongly advised to use actors with feature flags. Actors provide a simple
way to enable a feature flag only for a given project, group or user. This makes debugging
easier, as you can filter logs and errors for example, based on actors. This also makes it possible
to enable the feature on the gitlab-org
or gitlab-com
groups first, while the rest of
the users aren’t impacted.
Actors also provide an easy way to do a percentage rollout of a feature in a sticky way. If a 1% rollout enabled a feature for a specific actor, that actor will continue to have the feature enabled at 10%, 50%, and 100%.
GitLab currently supports the following feature flag actors:
-
User
model -
Project
model -
Group
model - Current request
The actor is a second parameter of the Feature.enabled?
call. The
same actor type must be used consistently for all invocations of Feature.enabled?
.
# Bad
Feature.enabled?(:feature_flag, project)
Feature.enabled?(:feature_flag, group)
Feature.enabled?(:feature_flag, user)
# Good
Feature.enabled?(:feature_flag, group_a)
Feature.enabled?(:feature_flag, group_b)
# Also good - using separate flags for each actor type
Feature.enabled?(:feature_flag_group, group)
Feature.enabled?(:feature_flag_user, user)
See Feature flags in the development of GitLab for details on how to use ChatOps to selectively enable or disable feature flags in GitLab-provided environments, like staging and production.
Current request actor
Introduced in GitLab 16.5
It is not recommended to use percentage of time rollout, as each call may return inconsistent results.
Rather it is advised to use the current request as an actor.
# Bad
Feature.enable_percentage_of_time(:feature_flag, 40)
Feature.enabled?(:feature_flag)
# Good
Feature.enable_percentage_of_actors(:feature_flag, 40)
Feature.enabled?(:feature_flag, Feature.current_request)
When using the current request as the actor, the feature flag should return the
same value within the context of a request.
As the current request actor is implemented using SafeRequestStore
, we should
have consistent feature flag values within:
- a Rack request
- a Sidekiq worker execution
- an ActionCable worker execution
To migrate an existing feature from percentage of time to the current request
actor, it is recommended that you create a new feature flag.
This is because it is difficult to control the timing between existing
percentage_of_time
values, the deployment of the code change, and switching to
use percentage_of_actors
.
Use actors for verifying in production
While the staging environment provides a way to test features in an environment that resembles production, it doesn’t allow you to compare before-and-after performance metrics specific to production environment. It can be useful to have a project in production with your development feature flag enabled, to allow tools like Sitespeed reports to reveal the metrics of the new code under a feature flag.
This approach is even more useful if you’re already tracking the old codebase in Sitespeed, enabling you to compare performance accurately before and after the feature flag’s rollout.
Enable additional objects as actors
To use feature gates based on actors, the model needs to respond to
flipper_id
. For example, to enable for the Foo model:
class Foo < ActiveRecord::Base
include FeatureGate
end
Only models that include FeatureGate
or expose flipper_id
method can be
used as an actor for Feature.enabled?
.
Feature flags for licensed features
You can’t use a feature flag with the same name as a licensed feature name, because it would cause a naming collision. This was widely discussed and removed because it is confusing.
To check for licensed features, add a dedicated feature flag under a different name and check it explicitly, for example:
Feature.enabled?(:licensed_feature_feature_flag, project) &&
project.feature_available?(:licensed_feature)
Feature groups
Feature groups must be defined statically in lib/feature.rb
(in the
.register_feature_groups
method), but their implementation can be
dynamic (querying the DB, for example).
Once defined in lib/feature.rb
, you can to activate a
feature for a given feature group via the feature_group
parameter of the features API
The available feature groups are:
Group name | Scoped to | Description |
---|---|---|
gitlab_team_members
| Users | Enables the feature for users who are members of gitlab-com
|
Feature groups can be enabled via the group name:
Feature.enable(:feature_flag_name, :gitlab_team_members)
Enabling a feature flag locally (in development)
In the rails console (rails c
), enter the following command to enable a feature flag:
Feature.enable(:feature_flag_name)
Similarly, the following command disables a feature flag:
Feature.disable(:feature_flag_name)
You can also enable a feature flag for a given gate:
Feature.enable(:feature_flag_name, Project.find_by_full_path("root/my-project"))
Disabling a feature flag locally (in development)
When manually enabling or disabling a feature flag from the Rails console, its default value gets overwritten.
This can cause confusion when changing the flag’s default_enabled
attribute.
To reset the feature flag to the default status, you can disable it in the rails console (rails c
)
as follows:
Feature.remove(:feature_flag_name)
Changelog
We want to avoid introducing a changelog when features are not accessible by an end-user either directly (example: ability to use the feature) or indirectly (examples: ability to take advantage of background jobs, performance improvements, or database migration updates).
- Database migrations are always accessible by an end-user indirectly, as self-managed customers need to be aware of database changes before upgrading. For this reason, they should have a changelog entry.
- Any change behind a feature flag disabled by default should not have a changelog entry.
- Any change behind a feature flag that is enabled by default should have a changelog entry.
-
Changing the feature flag itself (flag removal, default-on setting) should have a changelog entry. Use the flowchart to determine the changelog entry type.
- The changelog for a feature flag should describe the feature and not the
flag, unless a default on feature flag is removed keeping the new code (
other
in the flowchart above). - A feature flag can also be used for rolling out a bug fix or a maintenance work. In this scenario, the changelog
must be related to it, for example;
fixed
orother
.
Feature flags in tests
Introducing a feature flag into the codebase creates an additional code path that should be tested. It is strongly advised to include automated tests for all code affected by a feature flag, both when enabled and disabled to ensure the feature works properly. If automated tests are not included for both states, the functionality associated with the untested code path should be manually tested before deployment to production.
When using the testing environment, all feature flags are enabled by default.
Flags can be disabled by default in the spec/spec_helper.rb
file.
Add a comment inline to explain why the flag needs to be disabled. You can also attach the issue URL for reference if possible.
To disable a feature flag in a test, use the stub_feature_flags
helper. For example, to globally disable the ci_live_trace
feature
flag in a test:
stub_feature_flags(ci_live_trace: false)
Feature.enabled?(:ci_live_trace) # => false
A common pattern of testing both paths looks like:
it 'ci_live_trace works' do
# tests assuming ci_live_trace is enabled in tests by default
Feature.enabled?(:ci_live_trace) # => true
end
context 'when ci_live_trace is disabled' do
before do
stub_feature_flags(ci_live_trace: false)
end
it 'ci_live_trace does not work' do
Feature.enabled?(:ci_live_trace) # => false
end
end
If you wish to set up a test where a feature flag is enabled only
for some actors and not others, you can specify this in options
passed to the helper. For example, to enable the ci_live_trace
feature flag for a specific project:
project1, project2 = build_list(:project, 2)
# Feature will only be enabled for project1
stub_feature_flags(ci_live_trace: project1)
Feature.enabled?(:ci_live_trace) # => false
Feature.enabled?(:ci_live_trace, project1) # => true
Feature.enabled?(:ci_live_trace, project2) # => false
The behavior of FlipperGate is as follows:
- You can enable an override for a specified actor to be enabled.
- You can disable (remove) an override for a specified actor, falling back to the default state.
- There’s no way to model that you explicitly disabled a specified actor.
Feature.enable(:my_feature)
Feature.disable(:my_feature, project1)
Feature.enabled?(:my_feature) # => true
Feature.enabled?(:my_feature, project1) # => true
Feature.disable(:my_feature2)
Feature.enable(:my_feature2, project1)
Feature.enabled?(:my_feature2) # => false
Feature.enabled?(:my_feature2, project1) # => true
have_pushed_frontend_feature_flags
Use have_pushed_frontend_feature_flags
to test if push_frontend_feature_flag
has added the feature flag to the HTML.
For example,
stub_feature_flags(value_stream_analytics_path_navigation: false)
visit group_analytics_cycle_analytics_path(group)
expect(page).to have_pushed_frontend_feature_flags(valueStreamAnalyticsPathNavigation: false)
stub_feature_flags
vs Feature.enable*
It is preferred to use stub_feature_flags
to enable feature flags
in the testing environment. This method provides a simple and well described
interface for simple use cases.
However, in some cases more complex behavior needs to be tested,
like percentage rollouts of feature flags. This can be done using
.enable_percentage_of_time
or .enable_percentage_of_actors
:
# Good: feature needs to be explicitly disabled, as it is enabled by default if not defined
stub_feature_flags(my_feature: false)
stub_feature_flags(my_feature: true)
stub_feature_flags(my_feature: project)
stub_feature_flags(my_feature: [project, project2])
# Bad
Feature.enable(:my_feature_2)
# Good: enable my_feature for 50% of time
Feature.enable_percentage_of_time(:my_feature_3, 50)
# Good: enable my_feature for 50% of actors/gates/things
Feature.enable_percentage_of_actors(:my_feature_4, 50)
Each feature flag that has a defined state is persisted during test execution time:
Feature.persisted_names.include?('my_feature') => true
Feature.persisted_names.include?('my_feature_2') => true
Feature.persisted_names.include?('my_feature_3') => true
Feature.persisted_names.include?('my_feature_4') => true
Stubbing actor
When you want to enable a feature flag for a specific actor only,
you can stub its representation. A gate that is passed
as an argument to Feature.enabled?
and Feature.disabled?
must be an object
that includes FeatureGate
.
In specs you can use the stub_feature_flag_gate
method that allows you to
quickly create a custom actor:
gate = stub_feature_flag_gate('CustomActor')
stub_feature_flags(ci_live_trace: gate)
Feature.enabled?(:ci_live_trace) # => false
Feature.enabled?(:ci_live_trace, gate) # => true
You can also disable a feature flag for a specific actor:
gate = stub_feature_flag_gate('CustomActor')
stub_feature_flags(ci_live_trace: false, thing: gate)
Controlling feature flags engine in tests
Our Flipper engine in the test environment works in a memory mode Flipper::Adapters::Memory
.
production
and development
modes use Flipper::Adapters::ActiveRecord
.
You can control whether the Flipper::Adapters::Memory
or ActiveRecord
mode is being used.
stub_feature_flags: true
(default and preferred)
In this mode Flipper is configured to use Flipper::Adapters::Memory
and mark all feature
flags to be on-by-default and persisted on a first use.
Make sure behavior under feature flag doesn’t go untested in some non-specific contexts.
stub_feature_flags: false
This disables a memory-stubbed flipper, and uses Flipper::Adapters::ActiveRecord
a mode that is used by production
and development
.
You should use this mode only when you really want to tests aspects of Flipper
with how it interacts with ActiveRecord
.
End-to-end (QA) tests
Toggling feature flags works differently in end-to-end (QA) tests. The end-to-end test framework does not have direct access to
Rails or the database, so it can’t use Flipper. Instead, it uses the public API. Each end-to-end test can enable or disable a feature flag during the test. Alternatively, you can enable or disable a feature flag before one or more tests when you run them from your GitLab repository’s qa
directory, or if you run the tests via GitLab QA.
As noted above, feature flags are not enabled by default in end-to-end tests. This means that end-to-end tests will run with feature flags in the default state implemented in the source code, or with the feature flag in its current state on the GitLab instance under test, unless the test is written to enable/disable a feature flag explicitly.
When a feature flag is changed on Staging or on GitLab.com, a Slack message will be posted to the #qa-staging
or #qa-production
channels to inform
the pipeline triage DRI so that they can more easily determine if any failures are related to a feature flag change. However, if you are working on a change you can
help to avoid unexpected failures by confirming that the end-to-end tests pass with a feature flag enabled.
Controlling Sidekiq worker behavior with feature flags
Feature flags with worker
type can be used to control the behavior of a Sidekiq worker.
Deferring Sidekiq jobs
When disabled, feature flags with the format of run_sidekiq_jobs_{WorkerName}
delay the execution of the worker
by scheduling the job at a later time. This feature flag is enabled by default for all workers.
Deferring jobs can be useful during an incident where contentious behavior from
worker instances are saturating infrastructure resources (such as database and database connection pool).
The implementation can be found at SkipJobs Sidekiq server middleware.
When set to false, 100% of the jobs are deferred. When you want processing to resume, you can use a percentage of time rollout. For example:
# not running any jobs, deferring all 100% of the jobs
/chatops run feature set run_sidekiq_jobs_SlowRunningWorker false
# only running 10% of the jobs, deferring 90% of the jobs
/chatops run feature set run_sidekiq_jobs_SlowRunningWorker 10
# running 50% of the jobs, deferring 50% of the jobs
/chatops run feature set run_sidekiq_jobs_SlowRunningWorker 50
# back to running all jobs normally
/chatops run feature delete run_sidekiq_jobs_SlowRunningWorker
Dropping Sidekiq jobs
Instead of deferring jobs, jobs can be entirely dropped by enabling the feature flag
drop_sidekiq_jobs_{WorkerName}
. Use this feature flag when you are certain the jobs are safe to be dropped, i.e.
the jobs do not need to be processed in the future.
# drop all the jobs
/chatops run feature set drop_sidekiq_jobs_SlowRunningWorker true
# process jobs normally
/chatops run feature delete drop_sidekiq_jobs_SlowRunningWorker
drop_sidekiq_jobs_{WorkerName}
) takes precedence over deferring feature flag (run_sidekiq_jobs_{WorkerName}
),
i.e. when drop_sidekiq_jobs
is enabled and run_sidekiq_jobs
is disabled, jobs are entirely dropped.