-
Notifications
You must be signed in to change notification settings - Fork 3
docs: update Lock deployment config #113
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
34c3873
84c035c
a79c54f
8e4f511
73c60dc
ffd8477
dd3efec
a9df273
4e63193
a5ba792
6c6e644
5c0c8f3
dfbfd7a
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -16,7 +16,7 @@ This stands true for deployment templates in: | |
|
||
The 'protect configuration' feature is meant to verify the edits by introducing an approval flow for any changes made to the configuration files, i.e., Deployment template, ConfigMaps, and Secrets. Refer [Approval Policy](../global-configurations/approval-policy.md). | ||
|
||
Whereas, the 'lock deployment configuration' feature goes one step further. It is meant to prevent any edits to specific keys by non-super-admins. This applies only to deployment templates and is performed at global-level. --> | ||
Whereas, the 'lock deployment configuration' feature goes one step further. It is meant to prevent any edits to specific keys by non-super-admins. This applies only to deployment templates and is performed at the global level. --> | ||
|
||
--- | ||
|
||
|
@@ -27,73 +27,208 @@ Whereas, the 'lock deployment configuration' feature goes one step further. It i | |
Users need to have super-admin permission to lock deployment keys. | ||
{% endhint %} | ||
|
||
1. Go to **Global Configurations** → **Lock Deployment Config**. Click **Configure Lock**. | ||
To lock deployment keys, you must first create a profile and apply it to the specific deployment templates. | ||
|
||
 | ||
{% hint style="Tip" %} | ||
### What is a Lock Deployment Profile? | ||
A lock deployment configuration profile is a template that specifies which keys in the deployment template cannot be edited by non-super admin users. By using lock deployment configuration profiles, super-admins can manage edit access at different levels, such as global, cluster, environment, application, or a combination of application and environment. | ||
|
||
2. (Optional) Click **Refer Values.YAML** to check which keys you wish to lock. | ||
This allows for better control by making sure critical deployment template keys are locked in sensitive environments (production), while giving flexibility to change deployment template keys in other less critical environments (QA, Staging, etc.). | ||
{% endhint %} | ||
|
||
### Creating Profile | ||
|
||
To create a profile, follow the steps below: | ||
|
||
1. Go to **Global Configurations** → **Lock Deployment Configuration**. Click **+ Create Profile**; a new **Create Profile** page will open. | ||
|
||
 | ||
|
||
2. Enter the **Name** (Required) and a **Description** (Optional) for the profile. | ||
|
||
3. (Optional) Click **Refer Values.YAML** to check which keys you wish to lock. | ||
|
||
* Select the relevant Chart type and its version to reference the keys. | ||
|
||
 | ||
|
||
3. Enter the keys inside the editor on the left-hand side, e.g., `autoscaling.MaxReplicas`. Use <a href="https://goessner.net/articles/JsonPath/index.html" target="_blank">JSONpath expressions</a> to enter specific keys, lists, or objects to lock. | ||
4. Enter the keys inside the editor on the left-hand side, e.g., `autoscaling.MaxReplicas`. Use [JSONpath expressions](https://goessner.net/articles/JsonPath/index.html) to enter specific keys, lists, or objects to lock. | ||
|
||
 | ||
|
||
4. Click **Save**. | ||
5. Click **Save Changes**. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Suggestion: We should display a section of use cases followed by actual users to help understand via practical usage. |
||
|
||
 | ||
|
||
5. A confirmation dialog box would appear. Read it and click **Confirm**. | ||
6. Profile will be created, and available under the **Profiles** tab. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There is a caveat with locking specific array index, maybe we should explain it somewhere in doc. @abhibhaw Can explain further |
||
|
||
 | ||
|
||
### Applying Profile | ||
|
||
After creating a profile, the next step is to apply the profile to the specific deployment templates according to your use case. To apply a profile, follow the steps below: | ||
|
||
1. Go to **Global Configurations** → **Lock Deployment Configuration**. Click **Apply Profile**; a new **Apply Profile** page will open. | ||
|
||
 | ||
|
||
2. Select the profiles that you want to apply from the dropdown under **Select profiles to apply**. | ||
|
||
* You can select multiple Profiles. | ||
|
||
 | ||
|
||
3. Select how you want to apply the profiles under **Apply selected profiles to deployment templates of**. | ||
|
||
There are three options you can choose from: | ||
|
||
1. **Specific deployment templates**: This option allows you to apply the lock deployment configuration profile to the deployment template of a specific application within a particular environment. | ||
|
||
 | ||
|
||
2. **By match criteria**: This option allows you to use a combination of filters to create criteria. Lock deployment configuration profile will only apply to the deployment templates of the applications fulfilling your criteria (including existing and future ones). | ||
|
||
Let's understand how to use **By match criteria** with the below example:<br> | ||
|
||
Suppose you want to apply a lock deployment configuration profile to all applications in a particular project. You can achieve this by selecting that project as the match criteria. | ||
|
||
 | ||
|
||
3. **Global (All deployment templates)**: This option allows you to apply the lock deployment configuration profile to all the existing and future deployment templates across all the applications. | ||
|
||
 | ||
|
||
4. Click **Save Changes**, and the selected profiles will apply to the required deployment templates and be visible under the **Applied Profiles** tab. | ||
|
||
--- | ||
|
||
## Result | ||
|
||
While super-admins can directly edit the locked keys, let's look at a scenario where a user (non-super-admin) tries to edit the same in an [unprotected](../../user-guide/creating-application/config-approval.md) base deployment template. | ||
Only super admins can edit the locked keys directly once the lock deployment configuration profile is applied to the deployment templates. Non-super admin users cannot edit the locked keys for those deployment templates. | ||
|
||
Let's look at a scenario where a user (non-super-admin) tries to edit the same in an [unprotected](../../user-guide/creating-application/config-approval.md) base deployment template. | ||
|
||
|
||
### Viewing Locked Keys | ||
|
||
* User can hide/unhide the locked keys as shown below. | ||
|
||
 | ||
 | ||
|
||
{% hint style="info" %} | ||
<span><img src="https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/mode.jpg" alt="GUI or YAML Mode"></span> <br /> | ||
If you select 'Basic' mode instead of 'Advanced (YAML)', all the keys meant for basic mode will be displayed in the GUI even if some are locked. While users can modify these keys, they cannot save the changes made to the locked keys. | ||
{% endhint %} | ||
{% hint style="info" %} | ||
<span><img src="https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/mode.jpg" alt="GUI or YAML Mode"></span> <br /> | ||
If you select 'Basic' mode instead of 'Advanced (YAML)', all the keys meant for basic mode will be displayed in the GUI, even if some are locked. While users can modify these keys, they cannot save the changes made to the locked keys. | ||
{% endhint %} | ||
|
||
### Editing Locked Keys | ||
|
||
* Let's assume the user edits one of the locked keys... | ||
|
||
 | ||
 | ||
|
||
...and saves the changes. | ||
|
||
 | ||
 | ||
|
||
* A modal window will appear on the right highlighting the non-eligible edits. | ||
* A modal window highlighting the non-eligible edits will appear on the right. | ||
|
||
 | ||
 | ||
|
||
### Editing Unlocked Keys | ||
|
||
* Let's assume the user edits a key that is not locked or adds a new key. | ||
|
||
 | ||
 | ||
|
||
* The modal window will highlight the eligible edits. However, it will not let the user save those eligible edits unless the user clicks the checkbox: **Save changes which are eligible for update**. | ||
|
||
 | ||
 | ||
|
||
{% hint style="warning" %} | ||
### Who Can Perform This Action? | ||
Only a super-admin, manager, or application admin can edit the configuration values. | ||
{% endhint %} | ||
|
||
* Once the user clicks the **Update** button, the permissible changes will reflect in the deployment template. | ||
* Once the user clicks the **Save Changes** button, the permissible changes will reflect in the deployment template. | ||
|
||
 | ||
 | ||
|
||
However, if it's a [protected template](../../user-guide/creating-application/config-approval.md), the user will require the approval of a [configuration approver](./user-access.md#devtron-apps-permissions) as shown below. | ||
|
||
 | ||
 | ||
|
||
The same result can be seen if the user tries to edit environment-specific deployment templates. | ||
|
||
--- | ||
|
||
## Updating an Applied Profile | ||
|
||
To update an existing applied profile, follow the steps below: | ||
|
||
1. Go to **Global Configurations** → **Lock Deployment Configuration**. | ||
|
||
2. Click the **Applied Profiles** tab and click the `⋮` button next to the preferred applied profile. | ||
|
||
3. Click **Manage Policy** to add or remove the profiles. If you have applied the profile using match criteria, then you can also click **Edit match criteria** to edit the match criteria. | ||
|
||
4. Click **Save Changes**. | ||
|
||
 | ||
|
||
 | ||
|
||
--- | ||
|
||
## Removing an Applied Profile | ||
|
||
To remove an applied profile, follow the steps below: | ||
|
||
1. Go to **Global Configurations** → **Lock Deployment Configuration**. | ||
|
||
2. Click the **Applied Profiles** tab and click the `⋮` button next to the preferred applied profile. | ||
|
||
3. Click **Delete** and the applied profile will be removed. | ||
|
||
 | ||
|
||
{% hint style="warning" %} | ||
### Note | ||
Removing an applied profile does not delete the lock deployment configuration profile. It only removes the associated restrictions from the deployment templates where the profile was applied. | ||
{% endhint %} | ||
|
||
--- | ||
|
||
## Updating Profile | ||
|
||
To update a lock deployment configuration file, follow the steps below: | ||
|
||
1. Go to **Global Configurations** → **Lock Deployment Configuration**. | ||
|
||
2. Click the **Profiles** tab and then click the edit button next to the preferred profile. | ||
|
||
3. Edit the profile. | ||
|
||
4. Click **Save Changes**. | ||
|
||
 | ||
|
||
--- | ||
|
||
## Deleting Profile | ||
|
||
To delete a lock deployment configuration file, follow the steps below: | ||
|
||
1. Go to **Global Configurations** → **Lock Deployment Configuration**. | ||
|
||
2. Click the **Profiles** tab and then click the delete button next to the preferred profile. | ||
|
||
3. A pop-up window will appear, prompting you to enter the profile name for confirmation. | ||
|
||
4. Enter the name of the profile and click **Delete**. | ||
|
||
 | ||
|
||
{% hint style="warning" %} | ||
### Note | ||
Deleting a profile will automatically remove it from the Applied Profiles tab and remove its restrictions from all deployment templates where it was previously applied. | ||
{% endhint %} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are just sample values we can lock keys even outside these.