|
| 1 | +# Protect Configuration |
| 2 | + |
| 3 | +## Introduction |
| 4 | + |
| 5 | +Since resources are created according to the configurations you enter, it's essential to restrict such configurations from direct modifications. For critical environments like production, it becomes necessary to introduce an approval flow for any edits made to the configuration files. |
| 6 | + |
| 7 | +In Devtron, these configurations are present in the **App Configuration** tab of your application. |
| 8 | + |
| 9 | +Any changes made to the following configurations will require approval if enabled: |
| 10 | + |
| 11 | +- Deployment Template |
| 12 | +- ConfigMaps |
| 13 | +- Secrets |
| 14 | + |
| 15 | +This stands true for both: base configuration and respective environment-level configuration. |
| 16 | + |
| 17 | + |
| 18 | + |
| 19 | + |
| 20 | + |
| 21 | +--- |
| 22 | + |
| 23 | +## Changing the Configuration Values |
| 24 | + |
| 25 | +{% hint style="info" %} |
| 26 | +Only a super-admin, manager, and admin can edit the configuration values. |
| 27 | +{% endhint %} |
| 28 | + |
| 29 | +Let's assume you are the application admin and you wish to edit the deployment template of your environment (as an override). |
| 30 | + |
| 31 | +1. Go to the `App Configuration` tab. |
| 32 | + |
| 33 | +2. In Environment Overrides → (choose your environment) → Deployment Template |
| 34 | + |
| 35 | +  |
| 36 | + |
| 37 | +3. You can change the value of a key to a desired value as shown below. Once done, click the **Save Changes…** button **.** |
| 38 | + |
| 39 | +  |
| 40 | + |
| 41 | +4. If the configuration is protected, your changes won't be published right away. You can do either of the following: |
| 42 | + |
| 43 | + * **Save as draft** : Selecting this option will save your file as a draft. You and other users can view and edit the saved draft and propose it further for approval. |
| 44 | + * **Save & Propose Changes** : Selecting this option will propose your changes to a configuration approver for a review. |
| 45 | + |
| 46 | + Since we are proposing the changes immediately, click **Propose Changes**. |
| 47 | + |
| 48 | +  |
| 49 | + |
| 50 | +5. You can also view the approver(s) if you wish. |
| 51 | + |
| 52 | +  |
| 53 | + |
| 54 | +{% hint style="info" %} |
| 55 | +The one who performs the edits cannot approve their own changes. A different user has to review and approve. |
| 56 | +{% endhint %} |
| 57 | + |
| 58 | +Only one draft can exist at time and you cannot create multiple drafts. In the top-right corner, you have the option to discard the draft if you don't wish to proceed with the edits you made. |
| 59 | + |
| 60 | +--- |
| 61 | + |
| 62 | +## Approving the Configuration |
| 63 | + |
| 64 | +{% hint style="info" %} |
| 65 | +Only a different super-admin user or someone (who is not amongst the editors of the draft), having `Configuration approver` access, can approve the changes made to the configuration files. |
| 66 | +{% endhint %} |
| 67 | + |
| 68 | +Go to the edited configuration file to review and approve the changes as shown below. |
| 69 | + |
| 70 | + |
| 71 | + |
| 72 | +A super-admin can check whether a user has approval rights by going to **Global Configurations** → **Authorization** (dropdown) → **User Permissions**. |
| 73 | + |
| 74 | + |
| 75 | + |
| 76 | + |
| 77 | +--- |
| 78 | + |
| 79 | +## Deploying with New Configuration Values |
| 80 | + |
| 81 | +Once the approver validates and approves your configuration changes, you can proceed to deploy your application with the updated configuration. |
| 82 | + |
| 83 | +1. Go to the **Build & Deploy** tab of your application. |
| 84 | + |
| 85 | +2. Click **Select Image** in the deployment flow. |
| 86 | + |
| 87 | +  |
| 88 | + |
| 89 | +3. You can view an indicator at the bottom `Config Diff from Last Deployed`. Click **Review** to view the changes. |
| 90 | + |
| 91 | +  |
| 92 | + |
| 93 | +{% hint style="info" %} |
| 94 | +If the new configuration is not yet approved, the changes made to the config would not be visible during deployment, it would show `No Config Diff from Last Deployed` at the bottom. In that case, check whether your changes are present in the live config or not. If your changes are absent, chances are your draft is either pending for approval or rejected (discarded). |
| 95 | +{% endhint %} |
| 96 | + |
| 97 | +4. Once you have verified the changes, you can click **Deploy**. |
| 98 | + |
| 99 | +  |
| 100 | + |
| 101 | +{% hint style="info" %} |
| 102 | +If you don't wish to deploy with the new changes, you can choose `Last deployed config` from the available drop-down. |
| 103 | +{% endhint %} |
| 104 | + |
| 105 | +--- |
| 106 | + |
| 107 | +## Enabling/Disabling Config Protection |
| 108 | + |
| 109 | +{% hint style="info" %} |
| 110 | +Only a super-admin can enable or disable the config protection. |
| 111 | +{% endhint %} |
| 112 | + |
| 113 | +1. Go to the `App Configuration` tab. |
| 114 | + |
| 115 | +2. Click `Protect Configuration`. |
| 116 | + |
| 117 | +3. Use the toggle button to enable the protection for the configuration of your choice (base/environment level). A protection badge would appear next to the chosen configuration. |
| 118 | + |
| 119 | +Alternatively, unprotecting the configuration will lead to the discarding of unapproved drafts (if any). |
| 120 | + |
| 121 | + |
| 122 | + |
| 123 | + |
| 124 | + |
0 commit comments