Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: Lock Deployment Config #4732

Merged
merged 5 commits into from
Mar 4, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions docs/SUMMARY.md
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@
* [Scoped Variables](user-guide/global-configurations/scoped-variables.md)
* [Pull Image Digest](user-guide/global-configurations/pull-image-digest.md)
* [Tags Policy](user-guide/global-configurations/tags-policy.md)
* [Lock Deployment Config](user-guide/global-configurations/lock-deployment-config.md)
* [Filter Condition](user-guide/global-configurations/filter-condition.md)
* [Build Infra](user-guide/global-configurations/build-infra.md)
* [Devtron Upgrade](setup/upgrade/README.md)
Expand Down
2 changes: 1 addition & 1 deletion docs/user-guide/application-groups.md
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ As shown below, you can handle the configurations of more than one application f
![Figure 8: Configurations of each App](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/application-groups/configurations.jpg)

{% hint style="info" %}
Users need to have [Admin role](../user-guide/global-configurations/authorization/user-access.md#role-based-access-levels) or above (along with access to the environment and applications) to change their configuration
Users need to have [Admin role](../user-guide/global-configurations/authorization/user-access.md#role-based-access-levels) or above (along with access to the environment and applications) to change their configuration. Please note, you might not be able to change the values of locked keys in deployment template. Refer [Lock Deployment Config](./global-configurations/lock-deployment-config.md) to know more.
{% endhint %}


Expand Down
2 changes: 1 addition & 1 deletion docs/user-guide/bulk-update.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ This feature helps you to update Deployment Template, ConfigMaps & Secrets for m

Need to make some common changes across multiple devtron applications?
**Bulk Edit** allows you to do that.<br>
Eg. You can change the value for `MaxReplicas` in Deployment Templates of multiple Devtron applications or you can add key-value pairs in multiple ConfigMaps & Secrets.
Eg. You can change the value for `MaxReplicas` in Deployment Templates of multiple Devtron applications or you can add key-value pairs in multiple ConfigMaps & Secrets. However, you might not be able to change the values of locked keys. Refer [Lock Deployment Config](./global-configurations/lock-deployment-config.md) to know more.

## Support
Bulk edit is currently supported for:
Expand Down
6 changes: 5 additions & 1 deletion docs/user-guide/creating-application/config-approval.md
Original file line number Diff line number Diff line change
Expand Up @@ -40,10 +40,14 @@ Let's assume you are the application admin and you wish to edit the deployment t

![Figure 2: Selecting Values to Change](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/creating-application/config-approval/edit-deployment-template.jpg)

3. You can change the value of a key to a desired value as shown below. Once done, click the **Save Changes…** button **.**
3. You can change the value of a key to a desired value as shown below. Once done, click the **Save Changes…** button.

![Figure 3: Changed Values](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/creating-application/config-approval/changed-values.jpg)

{% hint style="info" %}
If you are not a super-admin, you cannot modify the locked keys in deployment template. Refer [Lock Deployment Config](../global-configurations/lock-deployment-config.md) to know more.
{% endhint %}

4. If the configuration is protected, your changes won't be published right away. You can do either of the following:

* **Save as draft** : Selecting this option will save your file as a draft. You and other users can view and edit the saved draft and propose it further for approval.
Expand Down
12 changes: 8 additions & 4 deletions docs/user-guide/creating-application/deployment-template.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,10 +15,10 @@ To configure a deployment chart for your application, do the following steps:

You can select a default deployment chart from the following options:

1. [Deployment](https://docs.devtron.ai/usage/applications/creating-application/deployment-template/deployment) (Recommended)
1. [Rollout Deployment](deployment-template/rollout-deployment.md)
2. [Job & CronJob](deployment-template/job-and-cronjob.md)
3. Knative
1. [Deployment](deployment-template/deployment) (Recommended)
2. [Rollout Deployment](deployment-template/rollout-deployment.md)
3. [Job & CronJob](deployment-template/job-and-cronjob.md)
4. [StatefulSet](deployment-template/statefulset.md)


![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/creating-application/deployment-template/deployment-chart.png)
Expand All @@ -45,3 +45,7 @@ Enable **show application metrics** toggle to view the application metrics on th
> **IMPORTANT**: Enabling Application metrics introduces a sidecar container to your main container which may require some additional configuration adjustments. We recommend you to do load test after enabling it in a non-production environment before enabling it in production environment.

Select **Save & Next** to save your configurations.

{% hint style="warning" %}
Super-admins can lock keys in base deployment template to prevent non-super-admins from modifying those locked keys. Refer [Lock Deployment Config](../../global-configurations/lock-deployment-config.md) to know more.
{% endhint %}
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,10 @@ You can define application behavior by providing information in the following se
| `Advanced (YAML)` | If you want to do additional configurations, then click **Advanced (YAML)** for modifications.<br>Refer [Advanced (YAML)](https://docs.devtron.ai/usage/applications/creating-application/deployment-template/rollout-deployment#3.-advanced-yaml) section for more detail.</br> |
| `Show application metrics` | You can enable `Show application metrics` to see your application's metrics-CPU Service Monitor usage, Memory Usage, Status, Throughput and Latency.<br>Refer [Application Metrics](https://docs.devtron.ai/v/v0.5/usage/applications/app-details/app-metrics) for more detail.</br> |

{% hint style="warning" %}
Super-admins can lock keys in deployment template to prevent non-super-admins from modifying those locked keys. Refer [Lock Deployment Config](../../global-configurations/lock-deployment-config.md) to know more.
{% endhint %}


## 1. Yaml File

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -63,3 +63,7 @@ cronjobConfigs:
| `successfulJobsHistoryLimit` | The successfulJobsHistoryLimit fields are optional. These fields specify how many completed and failed jobs should be kept. By default, they are set to 3 and 1 respectively. Setting a limit to 0 corresponds to keeping none of the corresponding kind of jobs after they finish. |
| `suspend` | The suspend field is also optional. If it is set to true, all subsequent executions are suspended. This setting does not apply to already started executions. Defaults to false. |
| `kind` | As with all other Kubernetes config, a Job and cronjob needs apiVersion, kind.cronjob and job also needs a section fields which is optional . these fields specify to deploy which job (conjob or job) should be kept. by default, they are set cronjob. |

{% hint style="warning" %}
Super-admins can lock keys in Job & CronJob deployment template to prevent non-super-admins from modifying those locked keys. Refer [Lock Deployment Config](../../global-configurations/lock-deployment-config.md) to know more.
{% endhint %}
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,10 @@ You can define application behavior by providing information in the following se

![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/creating-application/deployment-template/deployment-template.gif)

{% hint style="warning" %}
Super-admins can lock keys in rollout deployment template to prevent non-super-admins from modifying those locked keys. Refer [Lock Deployment Config](../../global-configurations/lock-deployment-config.md) to know more.
{% endhint %}

## 1. Chart version

| Key | Descriptions |
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ It supports only `ONDELETE` and `ROLLINGUPDATE` deployment strategy.
![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/creating-application/deployment-template/sts-strategy.jpg)


You can select `SatefulSet` chart when you want to use only basic use cases which contain the following:
You can select `StatefulSet` chart when you want to use only basic use cases which contain the following:

* **Managing Stateful Applications:** StatefulSets are ideal for managing stateful applications, such as databases or distributed systems, that require stable network identities and persistent storage for each Pod.

Expand All @@ -27,7 +27,9 @@ You can select `SatefulSet` chart when you want to use only basic use cases whic

* **Resource Cleanup:** StatefulSets allow for easy cleanup of older versions by deleting StatefulSets and their associated Pods and persistent volumes that are no longer needed, ensuring efficient resource utilization.


{% hint style="warning" %}
Super-admins can lock keys in StatefulSet deployment template to prevent non-super-admins from modifying those locked keys. Refer [Lock Deployment Config](../../global-configurations/lock-deployment-config.md) to know more.
{% endhint %}


## 1. Yaml File
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,11 @@ If you want to configure **Basic** GUI at the application level, then you can pr

If `Basic` is locked, you can modify the configurations on `Advanced (YAML)` which will be the default page.

**Note**: **Delete Override** will discard the current overrides and the base configuration will be applicable to the environment.
{% hint style="warning" %}
Super-admins can lock keys in deployment template to prevent non-super-admins from modifying those locked keys. Refer [Lock Deployment Config](../../global-configurations/lock-deployment-config.md) to know more.
{% endhint %}

**Note**: **Delete Override** will discard the current overrides and the base configuration will be applicable to the environment.

### ConfigMaps & Secrets

Expand Down
2 changes: 2 additions & 0 deletions docs/user-guide/global-configurations/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,8 @@ Before you start creating an application, we recommend to provide basic informat

[Filter Condition](filter-condition.md)

[Lock Deployment Config](lock-deployment-config.md)

[Build Infra](build-infra.md)

You can also refer our YouTube video provided here.
Expand Down
99 changes: 99 additions & 0 deletions docs/user-guide/global-configurations/lock-deployment-config.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,99 @@
# Lock Deployment Config

## Introduction [![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/elements/EnterpriseTag.svg)](https://devtron.ai/pricing)

The [Deployment Template](../../reference/glossary.md#base-deployment-template) might contain certain configurations intended for the DevOps team (e.g., `ingress`), and not meant for developers to modify.

Therefore, Devtron allows super-admins to restrict such fields from modification or deletion.

![Figure 1: Preventing Changes to Locked Keys](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/not-eligible-changes.jpg)

This stands true for deployment templates in:
* [Base configuration](../../user-guide/creating-application/deployment-template.md)
* [Environment-level configuration](../../user-guide/creating-application/environment-overrides.md)

**How is this different from the [Protect Configuration](../../user-guide/creating-application/config-approval.md) feature?**

The 'protect configuration' feature is meant to verify the edits by introducing an approval flow for any changes made to the configuration files, i.e., Deployment template, ConfigMaps, and Secrets. This is performed at application-level.

Whereas, the 'lock deployment config' feature goes one step further. It is meant to prevent any edits to specific keys by non-super-admins. This applies only to deployment templates and is performed at global-level.

---

## Locking Deployment Keys

{% hint style="warning" %}
### Who Can Perform This Action?
Users need to have super-admin permission to lock deployment keys.
{% endhint %}

1. Go to **Global Configurations** → **Lock Deployment Config**. Click **Configure Lock**.

![Figure 2: Configure Lock Button](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/lock-deployment-config.jpg)

2. (Optional) Click **Refer Values.YAML** to check which keys you wish to lock.

![Figure 3: Values.YAML File](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/values-yaml.jpg)

3. Enter the keys inside the editor on the left-hand side, e.g., `autoscaling.MaxReplicas`. Use <a href="https://goessner.net/articles/JsonPath/index.html" target="_blank">JSONpath expressions</a> to enter specific keys, lists, or objects to lock.

![Figure 4: Referring Values.YAML File for Locking Keys](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/autoscaling-lock.jpg)

4. Click **Save**.

![Figure 5: Saving Locked Keys](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/saving-locked-keys.jpg)

5. A confirmation dialog box would appear. Read it and click **Confirm**.

![Figure 6: Confirmation Dialog](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/confirmation.jpg)

---

## Result

While super-admins can directly edit the locked keys, let's look at a scenario where a user (non-super-admin) tries to edit the same in an [unprotected](../../user-guide/creating-application/config-approval.md) base deployment template.

* User can hide/unhide the locked keys as shown below.

![Figure 7: Hiding Locked Keys](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/hide-locked-keys.gif)

{% hint style="info" %}
<span><img src="https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/mode.jpg" alt="GUI or YAML Mode"></span> <br />
If you select 'Basic' mode instead of 'Advanced (YAML)', all the keys meant for basic mode will be displayed in the GUI even if some are locked. While users can modify these keys, they cannot save the changes made to the locked keys.
{% endhint %}

* Let's assume the user edits one of the locked keys...

![Figure 8: Editing Locked Keys](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/change-locked-values.gif)

...and saves the changes.

![Figure 9: Saving Edits to Locked Keys](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/changing-values.jpg)

* A modal window will appear on the right highlighting the non-eligible edits.

![Figure 10: Eligible and Non-eligible Changes](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/not-eligible-changes.jpg)

* Let's assume the user edits a key that is not locked or adds a new key.

![Figure 11: Editing Allowed Keys](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/changing-allowed-values.jpg)

* The modal window will highlight the eligible edits. However, it will not let the user save those eligible edits unless the user clicks the checkbox: **Save changes which are eligible for update**.

![Figure 12: Saving Eligible Changes](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/saving-allowed-changes.jpg)

{% hint style="warning" %}
### Who Can Perform This Action?
Only a super-admin, manager, or application admin can edit the configuration values.
{% endhint %}

* Once the user clicks the **Update** button, the permissible changes will reflect in the deployment template.

![Figure 13: Updating Deployment Config](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/updating-changes.jpg)

However, if it's a [protected template](../../user-guide/creating-application/config-approval.md), the user will require the approval of a [configuration approver](./user-access.md#role-based-access-levels) as shown below.

![Figure 14: Proposing Changes to Protected Config](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/proposing-changes.jpg)

The same result can be seen if the user tries to edit environment-specific deployment templates.

Loading