docs: update Lock deployment config #113
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -16,7 +16,7 @@ This stands true for deployment templates in: | |
|
|
||
| The 'protect configuration' feature is meant to verify the edits by introducing an approval flow for any changes made to the configuration files, i.e., Deployment template, ConfigMaps, and Secrets. Refer [Approval Policy](../global-configurations/approval-policy.md). | ||
|
|
||
| Whereas, the 'lock deployment configuration' feature goes one step further. It is meant to prevent any edits to specific keys by non-super-admins. This applies only to deployment templates and is performed at the global level. --> | ||
|
|
||
| --- | ||
|
|
||
|
|
@@ -27,73 +27,208 @@ Whereas, the 'lock deployment configuration' feature goes one step further. It i | |
| Users need to have super-admin permission to lock deployment keys. | ||
| {% endhint %} | ||
|
|
||
| To lock deployment keys, you must first create a profile and apply it to the specific deployment templates. | ||
|
|
||
| {% hint style="Tip" %} | ||
| ### What is a Lock Deployment Profile? | ||
| A lock deployment configuration profile is a template that specifies which keys in the deployment template cannot be edited by non-super admin users. By using lock deployment configuration profiles, super-admins can manage edit access at different levels, such as global, cluster, environment, application, or a combination of application and environment. | ||
|
|
||
| This allows for better control by making sure critical deployment template keys are locked in sensitive environments (production), while giving flexibility to change deployment template keys in other less critical environments (QA, Staging, etc.). | ||
| {% endhint %} | ||
|
|
||
| ### Creating Profile | ||
|
|
||
| To create a profile, follow the steps below: | ||
|
|
||
| 1. Go to **Global Configurations** → **Lock Deployment Configuration**. Click **+ Create Profile**; a new **Create Profile** page will open. | ||
|
|
||
|  | ||
|
|
||
| 2. Enter the **Name** (Required) and a **Description** (Optional) for the profile. | ||
|
|
||
| 3. (Optional) Click **Refer Values.YAML** to check which keys you wish to lock. | ||
|
|
||
| * Select the relevant Chart type and its version to reference the keys. | ||
|
|
||
|  | ||
|
|
||
| 4. Enter the keys inside the editor on the left-hand side, e.g., `autoscaling.MaxReplicas`. Use [JSONpath expressions](https://goessner.net/articles/JsonPath/index.html) to enter specific keys, lists, or objects to lock. | ||
|
|
||
|  | ||
|
|
||
| 5. Click **Save Changes**. | ||
|
There was a problem hiding this comment. Suggestion: We should display a section of use cases followed by actual users to help understand via practical usage. |
||
|
|
||
|  | ||
|
|
||
| 6. Profile will be created, and available under the **Profiles** tab. | ||
|
There was a problem hiding this comment. There is a caveat with locking specific array index, maybe we should explain it somewhere in doc. @abhibhaw Can explain further |
||
|
|
||
|  | ||
|
|
||
| ### Applying Profile | ||
|
|
||
| After creating a profile, the next step is to apply the profile to the specific deployment templates according to your use case. To apply a profile, follow the steps below: | ||
|
|
||
| 1. Go to **Global Configurations** → **Lock Deployment Configuration**. Click **Apply Profile**; a new **Apply Profile** page will open. | ||
|
|
||
|  | ||
|
|
||
| 2. Select the profiles that you want to apply from the dropdown under **Select profiles to apply**. | ||
|
|
||
| * You can select multiple Profiles. | ||
|
|
||
|  | ||
|
|
||
| 3. Select how you want to apply the profiles under **Apply selected profiles to deployment templates of**. | ||
|
|
||
| There are three options you can choose from: | ||
|
|
||
| 1. **Specific deployment templates**: This option allows you to apply the lock deployment configuration profile to the deployment template of a specific application within a particular environment. | ||
|
|
||
|  | ||
|
|
||
| 2. **By match criteria**: This option allows you to use a combination of filters to create criteria. Lock deployment configuration profile will only apply to the deployment templates of the applications fulfilling your criteria (including existing and future ones). | ||
|
|
||
| Let's understand how to use **By match criteria** with the below example:<br> | ||
|
|
||
| Suppose you want to apply a lock deployment configuration profile to all applications in a particular project. You can achieve this by selecting that project as the match criteria. | ||
|
|
||
|  | ||
|
|
||
| 3. **Global (All deployment templates)**: This option allows you to apply the lock deployment configuration profile to all the existing and future deployment templates across all the applications. | ||
|
|
||
|  | ||
|
|
||
| 4. Click **Save Changes**, and the selected profiles will apply to the required deployment templates and be visible under the **Applied Profiles** tab. | ||
|
|
||
| --- | ||
|
|
||
| ## Result | ||
|
|
||
| Only super admins can edit the locked keys directly once the lock deployment configuration profile is applied to the deployment templates. Non-super admin users cannot edit the locked keys for those deployment templates. | ||
|
|
||
| Let's look at a scenario where a user (non-super-admin) tries to edit the same in an [unprotected](../../user-guide/creating-application/config-approval.md) base deployment template. | ||
|
|
||
|
|
||
| ### Viewing Locked Keys | ||
|
|
||
| * User can hide/unhide the locked keys as shown below. | ||
|
|
||
|  | ||
|
|
||
| {% hint style="info" %} | ||
| <span><img src="https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/mode.jpg" alt="GUI or YAML Mode"></span> <br /> | ||
| If you select 'Basic' mode instead of 'Advanced (YAML)', all the keys meant for basic mode will be displayed in the GUI, even if some are locked. While users can modify these keys, they cannot save the changes made to the locked keys. | ||
| {% endhint %} | ||
|
|
||
| ### Editing Locked Keys | ||
|
|
||
| * Let's assume the user edits one of the locked keys... | ||
|
|
||
|  | ||
|
|
||
| ...and saves the changes. | ||
|
|
||
|  | ||
|
|
||
| * A modal window highlighting the non-eligible edits will appear on the right. | ||
|
|
||
|  | ||
|
|
||
| ### Editing Unlocked Keys | ||
|
|
||
| * Let's assume the user edits a key that is not locked or adds a new key. | ||
|
|
||
|  | ||
|
|
||
| * The modal window will highlight the eligible edits. However, it will not let the user save those eligible edits unless the user clicks the checkbox: **Save changes which are eligible for update**. | ||
|
|
||
|  | ||
|
|
||
| {% hint style="warning" %} | ||
| ### Who Can Perform This Action? | ||
| Only a super-admin, manager, or application admin can edit the configuration values. | ||
| {% endhint %} | ||
|
|
||
| * Once the user clicks the **Save Changes** button, the permissible changes will reflect in the deployment template. | ||
|
|
||
|  | ||
|
|
||
| However, if it's a [protected template](../../user-guide/creating-application/config-approval.md), the user will require the approval of a [configuration approver](./user-access.md#devtron-apps-permissions) as shown below. | ||
|
|
||
|  | ||
|
|
||
| The same result can be seen if the user tries to edit environment-specific deployment templates. | ||
|
|
||
| --- | ||
|
|
||
| ## Updating an Applied Profile | ||
|
|
||
| To update an existing applied profile, follow the steps below: | ||
|
|
||
| 1. Go to **Global Configurations** → **Lock Deployment Configuration**. | ||
|
|
||
| 2. Click the **Applied Profiles** tab and click the `⋮` button next to the preferred applied profile. | ||
|
|
||
| 3. Click **Manage Policy** to add or remove the profiles. If you have applied the profile using match criteria, then you can also click **Edit match criteria** to edit the match criteria. | ||
|
|
||
| 4. Click **Save Changes**. | ||
|
|
||
|  | ||
|
|
||
|  | ||
|
|
||
| --- | ||
|
|
||
| ## Removing an Applied Profile | ||
|
|
||
| To remove an applied profile, follow the steps below: | ||
|
|
||
| 1. Go to **Global Configurations** → **Lock Deployment Configuration**. | ||
|
|
||
| 2. Click the **Applied Profiles** tab and click the `⋮` button next to the preferred applied profile. | ||
|
|
||
| 3. Click **Delete** and the applied profile will be removed. | ||
|
|
||
|  | ||
|
|
||
| {% hint style="warning" %} | ||
| ### Note | ||
| Removing an applied profile does not delete the lock deployment configuration profile. It only removes the associated restrictions from the deployment templates where the profile was applied. | ||
| {% endhint %} | ||
|
|
||
| --- | ||
|
|
||
| ## Updating Profile | ||
|
|
||
| To update a lock deployment configuration file, follow the steps below: | ||
|
|
||
| 1. Go to **Global Configurations** → **Lock Deployment Configuration**. | ||
|
|
||
| 2. Click the **Profiles** tab and then click the edit button next to the preferred profile. | ||
|
|
||
| 3. Edit the profile. | ||
|
|
||
| 4. Click **Save Changes**. | ||
|
|
||
|  | ||
|
|
||
| --- | ||
|
|
||
| ## Deleting Profile | ||
|
|
||
| To delete a lock deployment configuration file, follow the steps below: | ||
|
|
||
| 1. Go to **Global Configurations** → **Lock Deployment Configuration**. | ||
|
|
||
| 2. Click the **Profiles** tab and then click the delete button next to the preferred profile. | ||
|
|
||
| 3. A pop-up window will appear, prompting you to enter the profile name for confirmation. | ||
|
|
||
| 4. Enter the name of the profile and click **Delete**. | ||
|
|
||
|  | ||
|
|
||
| {% hint style="warning" %} | ||
| ### Note | ||
| Deleting a profile will automatically remove it from the Applied Profiles tab and remove its restrictions from all deployment templates where it was previously applied. | ||
| {% endhint %} | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are just sample values we can lock keys even outside these.