Lock Deployment Configuration

Introduction

The Deployment Template might contain certain configurations intended for the DevOps team (e.g., ingress), and not meant for developers to modify.

Therefore, Devtron allows super-admins to restrict such fields from modification or deletion.

Figure 1: Preventing Changes to Locked Keys

This stands true for deployment templates in:

How is this different from the Protect Configuration feature?

The 'protect configuration' feature is meant to verify the edits by introducing an approval flow for any changes made to the configuration files, i.e., Deployment template, ConfigMaps, and Secrets. This is performed at application-level.

The 'lock deployment configuration' feature, by contrast, goes one step further. It is meant to prevent any edits to specific keys by non-super-admins. This applies only to deployment templates and is performed at global-level.


Locking Deployment Keys

Who Can Perform This Action?

Users need to have super-admin permission to lock deployment keys.

  1. Go to Global Configurations → Lock Deployment Config. Click Configure Lock.

    Figure 2: Configure Lock Button
  2. (Optional) Click Refer Values.YAML to check which keys you wish to lock.

    Figure 3: Values.YAML File
  3. Enter the keys inside the editor on the left-hand side, e.g., autoscaling.MaxReplicas. Use JSONpath expressions to enter specific keys, lists, or objects to lock.

    Figure 4: Referring Values.YAML File for Locking Keys
  4. Click Save.

    Figure 5: Saving Locked Keys
  5. A confirmation dialog box will appear. Read it and click Confirm.

    Figure 6: Confirmation Dialog

Result

While super-admins can directly edit the locked keys, let's look at a scenario where a user (non-super-admin) tries to edit the same in an unprotected base deployment template.

  • The user can hide/unhide the locked keys as shown below.

    Figure 7: Hiding Locked Keys
  • Let's assume the user edits one of the locked keys...

    ...and saves the changes.

  • A modal window will appear on the right highlighting the non-eligible edits.

    Figure 10: Eligible and Non-eligible Changes
  • Let's assume the user edits a key that is not locked or adds a new key.

    Figure 11: Editing Allowed Keys
  • The modal window will highlight the eligible edits. However, it will not let the user save those eligible edits unless the user clicks the checkbox: Save changes which are eligible for update.

Who Can Perform This Action?

Only a super-admin, manager, or application admin can edit the configuration values.

  • Once the user clicks the Update button, the permissible changes will reflect in the deployment template.

    However, if it's a protected template, the user will require the approval of a configuration approver as shown below.

The same result can be seen if the user tries to edit environment-specific deployment templates.
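
The split between eligible and non-eligible changes described above can be reproduced outside the UI, for example to pre-check an edit before submitting it. The following is an added example, not Devtron's own code: it assumes locked keys are plain dot paths (a simplification of the JSONPath expressions the editor accepts) and that locking an object also locks every key beneath it. All key names other than autoscaling.MaxReplicas and ingress, and all values, are constructed samples.

```python
import copy

# Added illustration, not Devtron's implementation. Assumption: locked keys are
# plain dot paths, and locking a path also locks everything beneath it.
_MISSING = object()  # marks "key absent", distinct from a null value


def flatten(node, prefix=""):
    """Map every leaf of a nested dict to its dot path."""
    if not isinstance(node, dict):
        return {prefix: node}
    leaves = {prefix: {}} if prefix and not node else {}
    for key, value in node.items():
        leaves.update(flatten(value, f"{prefix}.{key}" if prefix else str(key)))
    return leaves


def is_locked(path, locked_keys):
    """True if path is a locked key or sits under a locked object."""
    return any(path == k or path.startswith(k + ".") for k in locked_keys)


def classify_changes(saved, proposed, locked_keys):
    """Split an edit into (eligible, non_eligible) lists of changed dot paths.

    Additions, modifications and deletions all count as changes.
    """
    before, after = flatten(saved), flatten(proposed)
    eligible, non_eligible = [], []
    for path in sorted(set(before) | set(after)):
        if before.get(path, _MISSING) == after.get(path, _MISSING):
            continue
        (non_eligible if is_locked(path, locked_keys) else eligible).append(path)
    return eligible, non_eligible


# Constructed sample: saved template, a non-super-admin's edit, and the lock list.
LOCKED = ["autoscaling.MaxReplicas", "ingress"]
SAVED = {
    "autoscaling": {"MinReplicas": 1, "MaxReplicas": 2},
    "ingress": {"enabled": False, "host": "app.example.com"},
}
PROPOSED = copy.deepcopy(SAVED)
PROPOSED["autoscaling"]["MaxReplicas"] = 10   # locked key modified
PROPOSED["autoscaling"]["MinReplicas"] = 2    # unlocked key modified
del PROPOSED["ingress"]["host"]               # key under a locked object deleted
PROPOSED["replicaCount"] = 3                  # new, unlocked key added

if __name__ == "__main__":
    eligible, non_eligible = classify_changes(SAVED, PROPOSED, LOCKED)
    print("eligible:", eligible)
    print("non-eligible:", non_eligible)
```

Deleting a parent object is evaluated leaf by leaf, so removing autoscaling entirely still reports autoscaling.MaxReplicas as a non-eligible change.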
