doc: Lock Deployment Config (#4732)

* Created Lock DT Config Doc * Added specifics * Added Enterprise Tag * Incorporated PM and CO Feedback * Minor fix
devtron-labs · Mar 4, 2024 · c49a6f2 · c49a6f2
1 parent df3caad
commit c49a6f2
Show file tree

Hide file tree

Showing 12 changed files with 138 additions and 10 deletions.
diff --git a/docs/SUMMARY.md b/docs/SUMMARY.md
@@ -44,6 +44,7 @@
   * [Scoped Variables](user-guide/global-configurations/scoped-variables.md)
   * [Pull Image Digest](user-guide/global-configurations/pull-image-digest.md)
   * [Tags Policy](user-guide/global-configurations/tags-policy.md)
+  * [Lock Deployment Config](user-guide/global-configurations/lock-deployment-config.md)
   * [Filter Condition](user-guide/global-configurations/filter-condition.md)
   * [Build Infra](user-guide/global-configurations/build-infra.md)
 * [Devtron Upgrade](setup/upgrade/README.md)

diff --git a/docs/user-guide/application-groups.md b/docs/user-guide/application-groups.md
@@ -79,7 +79,7 @@ As shown below, you can handle the configurations of more than one application f
 ![Figure 8: Configurations of each App](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/application-groups/configurations.jpg)
 
 {% hint style="info" %}
-Users need to have [Admin role](../user-guide/global-configurations/authorization/user-access.md#role-based-access-levels) or above (along with access to the environment and applications) to change their configuration
+Users need to have [Admin role](../user-guide/global-configurations/authorization/user-access.md#role-based-access-levels) or above (along with access to the environment and applications) to change their configuration. Please note, you might not be able to change the values of locked keys in deployment template. Refer [Lock Deployment Config](./global-configurations/lock-deployment-config.md) to know more.
 {% endhint %}
 
 

diff --git a/docs/user-guide/bulk-update.md b/docs/user-guide/bulk-update.md
@@ -4,7 +4,7 @@ This feature helps you to update Deployment Template, ConfigMaps & Secrets for m
 
 Need to make some common changes across multiple devtron applications?
 **Bulk Edit** allows you to do that.<br>
-Eg. You can change the value for `MaxReplicas` in Deployment Templates of multiple Devtron applications or you can add key-value pairs in multiple ConfigMaps & Secrets.
+Eg. You can change the value for `MaxReplicas` in Deployment Templates of multiple Devtron applications or you can add key-value pairs in multiple ConfigMaps & Secrets. However, you might not be able to change the values of locked keys. Refer [Lock Deployment Config](./global-configurations/lock-deployment-config.md) to know more.
 
 ## Support
 Bulk edit is currently supported for:

diff --git a/docs/user-guide/creating-application/config-approval.md b/docs/user-guide/creating-application/config-approval.md
@@ -40,10 +40,14 @@ Let's assume you are the application admin and you wish to edit the deployment t
 
     ![Figure 2: Selecting Values to Change](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/creating-application/config-approval/edit-deployment-template.jpg)
 
-3. You can change the value of a key to a desired value as shown below. Once done, click the **Save Changes…** button **.**
+3. You can change the value of a key to a desired value as shown below. Once done, click the **Save Changes…** button.
 
     ![Figure 3: Changed Values](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/creating-application/config-approval/changed-values.jpg)
 
+{% hint style="info" %}
+If you are not a super-admin, you cannot modify the locked keys in deployment template. Refer [Lock Deployment Config](../global-configurations/lock-deployment-config.md) to know more. 
+{% endhint %}
+
 4. If the configuration is protected, your changes won't be published right away. You can do either of the following:
 
     * **Save as draft** : Selecting this option will save your file as a draft. You and other users can view and edit the saved draft and propose it further for approval.

diff --git a/docs/user-guide/creating-application/deployment-template.md b/docs/user-guide/creating-application/deployment-template.md
@@ -15,10 +15,10 @@ To configure a deployment chart for your application, do the following steps:
 
 You can select a default deployment chart from the following options:
 
-1. [Deployment](https://docs.devtron.ai/usage/applications/creating-application/deployment-template/deployment) (Recommended)
-1. [Rollout Deployment](deployment-template/rollout-deployment.md)
-2. [Job & CronJob](deployment-template/job-and-cronjob.md)
-3. Knative
+1. [Deployment](deployment-template/deployment) (Recommended)
+2. [Rollout Deployment](deployment-template/rollout-deployment.md)
+3. [Job & CronJob](deployment-template/job-and-cronjob.md)
+4. [StatefulSet](deployment-template/statefulset.md)
 
 
 ![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/creating-application/deployment-template/deployment-chart.png)
@@ -45,3 +45,7 @@ Enable **show application metrics** toggle to view the application metrics on th
 > **IMPORTANT**: Enabling Application metrics introduces a sidecar container to your main container which may require some additional configuration adjustments. We recommend you to do load test after enabling it in a non-production environment before enabling it in production environment.
 
 Select **Save & Next** to save your configurations.
+
+{% hint style="warning" %}
+Super-admins can lock keys in base deployment template to prevent non-super-admins from modifying those locked keys. Refer [Lock Deployment Config](../../global-configurations/lock-deployment-config.md) to know more.
+{% endhint %}
diff --git a/docs/user-guide/creating-application/deployment-template/deployment.md b/docs/user-guide/creating-application/deployment-template/deployment.md
@@ -22,6 +22,10 @@ You can define application behavior by providing information in the following se
 | `Advanced (YAML)` | If you want to do additional configurations, then click **Advanced (YAML)** for modifications.<br>Refer [Advanced (YAML)](https://docs.devtron.ai/usage/applications/creating-application/deployment-template/rollout-deployment#3.-advanced-yaml) section for more detail.</br> |
 | `Show application metrics` | You can enable `Show application metrics` to see your application's metrics-CPU Service Monitor usage, Memory Usage, Status, Throughput and Latency.<br>Refer [Application Metrics](https://docs.devtron.ai/v/v0.5/usage/applications/app-details/app-metrics) for more detail.</br> |
 
+{% hint style="warning" %}
+Super-admins can lock keys in deployment template to prevent non-super-admins from modifying those locked keys. Refer [Lock Deployment Config](../../global-configurations/lock-deployment-config.md) to know more.
+{% endhint %}
+
 
 ## 1. Yaml File
 

diff --git a/docs/user-guide/creating-application/deployment-template/job-and-cronjob.md b/docs/user-guide/creating-application/deployment-template/job-and-cronjob.md
@@ -63,3 +63,7 @@ cronjobConfigs:
 | `successfulJobsHistoryLimit` | The successfulJobsHistoryLimit fields are optional. These fields specify how many completed and failed jobs should be kept. By default, they are set to 3 and 1 respectively. Setting a limit to 0 corresponds to keeping none of the corresponding kind of jobs after they finish. |
 | `suspend` | The suspend field is also optional. If it is set to true, all subsequent executions are suspended. This setting does not apply to already started executions. Defaults to false. |
 | `kind` | As with all other Kubernetes config, a Job and cronjob needs apiVersion, kind.cronjob and job also needs a section fields which is optional . these fields specify to deploy which job (conjob or job) should be kept. by default, they are set cronjob. |
+
+{% hint style="warning" %}
+Super-admins can lock keys in Job & CronJob deployment template to prevent non-super-admins from modifying those locked keys. Refer [Lock Deployment Config](../../global-configurations/lock-deployment-config.md) to know more.
+{% endhint %}
diff --git a/docs/user-guide/creating-application/deployment-template/rollout-deployment.md b/docs/user-guide/creating-application/deployment-template/rollout-deployment.md
@@ -12,6 +12,10 @@ You can define application behavior by providing information in the following se
 
 ![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/creating-application/deployment-template/deployment-template.gif)
 
+{% hint style="warning" %}
+Super-admins can lock keys in rollout deployment template to prevent non-super-admins from modifying those locked keys. Refer [Lock Deployment Config](../../global-configurations/lock-deployment-config.md) to know more.
+{% endhint %}
+
 ## 1. Chart version
 
 | Key | Descriptions |

diff --git a/docs/user-guide/creating-application/deployment-template/statefulset.md b/docs/user-guide/creating-application/deployment-template/statefulset.md
@@ -9,7 +9,7 @@ It supports only `ONDELETE` and `ROLLINGUPDATE` deployment strategy.
 ![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/creating-application/deployment-template/sts-strategy.jpg)
 
 
-You can select `SatefulSet` chart when you want to use only basic use cases which contain the following:
+You can select `StatefulSet` chart when you want to use only basic use cases which contain the following:
 
 * **Managing Stateful Applications:** StatefulSets are ideal for managing stateful applications, such as databases or distributed systems, that require stable network identities and persistent storage for each Pod.
 
@@ -27,7 +27,9 @@ You can select `SatefulSet` chart when you want to use only basic use cases whic
 
 * **Resource Cleanup:** StatefulSets allow for easy cleanup of older versions by deleting StatefulSets and their associated Pods and persistent volumes that are no longer needed, ensuring efficient resource utilization.
 
-
+{% hint style="warning" %}
+Super-admins can lock keys in StatefulSet deployment template to prevent non-super-admins from modifying those locked keys. Refer [Lock Deployment Config](../../global-configurations/lock-deployment-config.md) to know more.
+{% endhint %}
 
 
 ## 1. Yaml File

diff --git a/docs/user-guide/creating-application/environment-overrides.md b/docs/user-guide/creating-application/environment-overrides.md
@@ -38,7 +38,11 @@ If you want to configure **Basic** GUI at the application level, then you can pr
 
 If `Basic` is locked, you can modify the configurations on `Advanced (YAML)` which will be the default page.
 
-**Note**: **Delete Override** will discard the current overrides and the base configuration will be applicable to the environment.
+{% hint style="warning" %}
+Super-admins can lock keys in deployment template to prevent non-super-admins from modifying those locked keys. Refer [Lock Deployment Config](../../global-configurations/lock-deployment-config.md) to know more.
+{% endhint %}
+
+**Note**: **Delete Override** will discard the current overrides and the base configuration will be applicable to the environment. 
 
 ### ConfigMaps & Secrets
 

diff --git a/docs/user-guide/global-configurations/README.md b/docs/user-guide/global-configurations/README.md
@@ -36,6 +36,8 @@ Before you start creating an application, we recommend to provide basic informat
 
 [Filter Condition](filter-condition.md)
 
+[Lock Deployment Config](lock-deployment-config.md)
+
 [Build Infra](build-infra.md)
 
 You can also refer our YouTube video provided here.

diff --git a/docs/user-guide/global-configurations/lock-deployment-config.md b/docs/user-guide/global-configurations/lock-deployment-config.md
@@ -0,0 +1,99 @@
+# Lock Deployment Config
+
+## Introduction [![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/elements/EnterpriseTag.svg)](https://devtron.ai/pricing)
+
+The [Deployment Template](../../reference/glossary.md#base-deployment-template) might contain certain configurations intended for the DevOps team (e.g., `ingress`), and not meant for developers to modify. 
+
+Therefore, Devtron allows super-admins to restrict such fields from modification or deletion.
+
+![Figure 1: Preventing Changes to Locked Keys](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/not-eligible-changes.jpg)
+
+This stands true for deployment templates in:
+* [Base configuration](../../user-guide/creating-application/deployment-template.md)
+* [Environment-level configuration](../../user-guide/creating-application/environment-overrides.md)
+
+**How is this different from the [Protect Configuration](../../user-guide/creating-application/config-approval.md) feature?**
+
+The 'protect configuration' feature is meant to verify the edits by introducing an approval flow for any changes made to the configuration files, i.e., Deployment template, ConfigMaps, and Secrets. This is performed at application-level.
+
+Whereas, the 'lock deployment config' feature goes one step further. It is meant to prevent any edits to specific keys by non-super-admins. This applies only to deployment templates and is performed at global-level.
+
+---
+
+## Locking Deployment Keys
+
+{% hint style="warning" %}
+### Who Can Perform This Action?
+Users need to have super-admin permission to lock deployment keys.
+{% endhint %}
+
+1. Go to **Global Configurations** → **Lock Deployment Config**. Click **Configure Lock**.
+
+    ![Figure 2: Configure Lock Button](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/lock-deployment-config.jpg)
+
+2. (Optional) Click **Refer Values.YAML** to check which keys you wish to lock.
+
+    ![Figure 3: Values.YAML File](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/values-yaml.jpg)
+
+3. Enter the keys inside the editor on the left-hand side, e.g., `autoscaling.MaxReplicas`. Use <a href="https://goessner.net/articles/JsonPath/index.html" target="_blank">JSONpath expressions</a> to enter specific keys, lists, or objects to lock.
+
+    ![Figure 4: Referring Values.YAML File for Locking Keys](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/autoscaling-lock.jpg)
+
+4. Click **Save**. 
+
+    ![Figure 5: Saving Locked Keys](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/saving-locked-keys.jpg)
+
+5. A confirmation dialog box would appear. Read it and click **Confirm**.
+
+    ![Figure 6: Confirmation Dialog](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/confirmation.jpg)
+
+---
+
+## Result
+
+While super-admins can directly edit the locked keys, let's look at a scenario where a user (non-super-admin) tries to edit the same in an [unprotected](../../user-guide/creating-application/config-approval.md) base deployment template.
+
+* User can hide/unhide the locked keys as shown below.
+
+    ![Figure 7: Hiding Locked Keys](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/hide-locked-keys.gif)
+
+{% hint style="info" %}
+<span><img src="https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/mode.jpg" alt="GUI or YAML Mode"></span> <br />
+If you select 'Basic' mode instead of 'Advanced (YAML)', all the keys meant for basic mode will be displayed in the GUI even if some are locked. While users can modify these keys, they cannot save the changes made to the locked keys.
+{% endhint %}
+
+* Let's assume the user edits one of the locked keys...
+
+    ![Figure 8: Editing Locked Keys](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/change-locked-values.gif)
+
+    ...and saves the changes.
+
+    ![Figure 9: Saving Edits to Locked Keys](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/changing-values.jpg)
+
+* A modal window will appear on the right highlighting the non-eligible edits.
+
+    ![Figure 10: Eligible and Non-eligible Changes](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/not-eligible-changes.jpg)
+
+* Let's assume the user edits a key that is not locked or adds a new key.
+
+    ![Figure 11: Editing Allowed Keys](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/changing-allowed-values.jpg)
+
+* The modal window will highlight the eligible edits. However, it will not let the user save those eligible edits unless the user clicks the checkbox: **Save changes which are eligible for update**.
+
+    ![Figure 12: Saving Eligible Changes](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/saving-allowed-changes.jpg)
+
+{% hint style="warning" %}
+### Who Can Perform This Action?
+Only a super-admin, manager, or application admin can edit the configuration values. 
+{% endhint %}
+
+* Once the user clicks the **Update** button, the permissible changes will reflect in the deployment template. 
+
+    ![Figure 13: Updating Deployment Config](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/updating-changes.jpg)
+
+    However, if it's a [protected template](../../user-guide/creating-application/config-approval.md), the user will require the approval of a [configuration approver](./user-access.md#role-based-access-levels) as shown below.
+
+    ![Figure 14: Proposing Changes to Protected Config](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/lock-dt/proposing-changes.jpg)
+
+The same result can be seen if the user tries to edit environment-specific deployment templates.
+