fix(charts): default registration mode to "admin_only" (#758)

fix(charts): default registration mode to "admin_only"
deis · Mar 7, 2017 · 7d63d07 · 7d63d07
1 parent 427e49a
commit 7d63d07
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 16 deletions.
diff --git a/charts/workflow/values.yaml b/charts/workflow/values.yaml
@@ -106,7 +106,7 @@ controller:
   # enabled - allows for open registration
   # disabled - turns off open registration
   # admin_only - allows for registration by an admin only.
-  registration_mode: "enabled"
+  registration_mode: "admin_only"
 
 database:
   # The username and password to be used by the on-cluster database.

diff --git a/src/managing-workflow/production-deployments.md b/src/managing-workflow/production-deployments.md
@@ -26,22 +26,26 @@ See [Configuring Object Storage][] for details on removing this operational comp
 
 ## Review Security Considerations
 
-There are some additional security-related considerations when running Workflow in production, and
-users can consider enabling a firewall on the CoreOS hosts as well as the router component.
-
+There are some additional security-related considerations when running Workflow in production.
 See [Security Considerations][] for details.
 
 
-## Change Registration Mode
+## Registration is Admin-Only
 
-Changing the registration process is highly recommended in production. By default, registrations
-for a new cluster are open to anyone with the proper URL. Once the admin user has registered with a
-new cluster, it is recommended to either turn off registrations or enable the admin-only
-registration feature. It is also recommended to disable signups for the Grafana dashboards.
+By default, registration with the Workflow controller is in "admin_only" mode. The first user
+to run a `deis register` command becomes the initial "admin" user, and registrations after that
+are disallowed unless requested by an admin.
 
-Please see the following documentation:
+Please see the following documentation to learn about changing registration mode:
 
  - [Customizing Controller][]
+
+## Disable Grafana Signups
+
+It is also recommended to disable signups for the Grafana dashboards.
+
+Please see the following documentation to learn about disabling Grafana signups:
+
  - [Customizing Monitor][]
 
 

diff --git a/src/managing-workflow/tuning-component-settings.md b/src/managing-workflow/tuning-component-settings.md
@@ -60,7 +60,7 @@ The following environment variables are tunable for the [Controller][] component
 
 Setting                                         | Description
 ----------------------------------------------- | ---------------------------------
-REGISTRATION_MODE                               | set registration to "enabled", "disabled", or "admin_only" (default: "enabled")
+REGISTRATION_MODE                               | set registration to "enabled", "disabled", or "admin_only" (default: "admin_only")
 GUNICORN_WORKERS                                | number of [gunicorn][] workers spawned to process requests (default: CPU cores * 4 + 1)
 RESERVED_NAMES                                  | a comma-separated list of names which applications cannot reserve for routing (default: "deis, deis-builder, deis-workflow-manager")
 SLUGRUNNER_IMAGE_NAME                           | the image used to run buildpack application slugs (default: "quay.io/deisci/slugrunner:canary")

diff --git a/src/users/registration.md b/src/users/registration.md
@@ -49,17 +49,27 @@ You can verify your client configuration by running `deis whoami`.
 !!! note
     Session and client configuration is stored in the `~/.deis/client.json` file.
 
+## Registering New Users
+
+By default, new users are not allowed to register after an initial user does. That initial user
+becomes the first "admin" user. Others will now receive an error when trying to register, but when
+logged in, an admin user can register new users:
+
+```shell
+$ deis register --login=false --username=newuser --password=changeme123 [email protected]
+```
+
 ## Controlling Registration Modes
 
 After creating your first user, you may wish to change the registration mode for Deis Workflow.
 
 Deis Workflow supports three registration modes:
 
-| Mode              | Description                                     |
-| ---               | ---                                             |
-| enabled (default) | Registration is enabled and anyone can register |
-| disabled          | Does not allow anyone to register new users.    |
-| admin\_only       | Only existing admins may register new users     |
+| Mode                  | Description                                     |
+| ---                   | ---                                             |
+| admin\_only (default) | Only existing admins may register new users     |
+| enabled               | Registration is enabled and anyone can register |
+| disabled              | Does not allow anyone to register new users.    |
 
 To modify the registration mode for Workflow you may add or modify the `REGISTRATION_MODE` environment variable for the
 controller component. If Deis Workflow is already running, use: