Lock Deployment Configuration

Introduction

The Deployment Template might contain certain configurations intended for the DevOps team (e.g., ingress), and not meant for developers to modify.

Therefore, Devtron allows super-admins to restrict such fields from modification or deletion.

This stands true for deployment templates in:

How is this different from the Protect Configuration feature?

The 'protect configuration' feature is meant to verify the edits by introducing an approval flow for any changes made to the configuration files, i.e., Deployment template, ConfigMaps, and Secrets. This is performed at application-level.

Whereas, the 'lock deployment configuration' feature goes one step further. It is meant to prevent any edits to specific keys by non-super-admins. This applies only to deployment templates and is performed at global-level.

Locking Deployment Keys

Who Can Perform This Action?

Users need to have super-admin permission to lock deployment keys.

Go to Global Configurations → Lock Deployment Config. Click Configure Lock.
Figure 2: Configure Lock Button
(Optional) Click Refer Values.YAML to check which keys you wish to lock.
Figure 3: Values.YAML File
Enter the keys inside the editor on the left-hand side, e.g., autoscaling.MaxReplicas. Use JSONpath expressions to enter specific keys, lists, or objects to lock.
Figure 4: Referring Values.YAML File for Locking Keys
Click Save.
Figure 5: Saving Locked Keys
A confirmation dialog box would appear. Read it and click Confirm.
Figure 6: Confirmation Dialog

Result

While super-admins can directly edit the locked keys, let's look at a scenario where a user (non-super-admin) tries to edit the same in an unprotected base deployment template.

User can hide/unhide the locked keys as shown below.
Figure 7: Hiding Locked Keys

If you select 'Basic' mode instead of 'Advanced (YAML)', all the keys meant for basic mode will be displayed in the GUI even if some are locked. While users can modify these keys, they cannot save the changes made to the locked keys.

Let's assume the user edits one of the locked keys...
Figure 8: Editing Locked Keys
...and saves the changes.
Figure 9: Saving Edits to Locked Keys
A modal window will appear on the right highlighting the non-eligible edits.
Figure 10: Eligible and Non-eligible Changes
Let's assume the user edits a key that is not locked or adds a new key.
Figure 11: Editing Allowed Keys
The modal window will highlight the eligible edits. However, it will not let the user save those eligible edits unless the user clicks the checkbox: Save changes which are eligible for update.
Figure 12: Saving Eligible Changes

Who Can Perform This Action?

Only a super-admin, manager, or application admin can edit the configuration values.

Once the user clicks the Update button, the permissible changes will reflect in the deployment template.
Figure 13: Updating Deployment Config
However, if it's a protected template, the user will require the approval of a configuration approver as shown below.
Figure 14: Proposing Changes to Protected Config

The same result can be seen if the user tries to edit environment-specific deployment templates.

PreviousTags Policy NextImage Promotion Policy

Last updated 4 months ago