Skip to main content
Version: 1.27

Helm Configuration

General Settings

license

You'll receive a license key as part of your subscription to Okteto. If you haven't received it, please open a support ticket.

If you are interested in evaluating Okteto, sign up for our free 30 days trial, no credit card required.

license: XXXXX

You can also use a secret to store the license.

subdomain

Okteto's automatic SSL endpoints allows you to expose secure and unique public endpoints for your development environments. By default, all endpoints created by Okteto will use a combination of the name of the app, the namespace, and the subdomain. For example, if you have a development environment named app in the cindy namespace, it will be accessible at https://app-cindy.example.com if subdomain is example.com.

subdomain: "example.com"

Okteto's frontend and API services will be also accessible via https://okteto.$SUBDOMAIN. Once Okteto is installed, you can use kubectl to retrieve the public address of the Okteto NGINX Ingress Controller:

kubectl get service -l=app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/component=controller --namespace=okteto

The output will look something like this:

NAME                              TYPE           CLUSTER-IP   EXTERNAL-IP     PORT(S)                                     AGE
okteto-ingress-nginx-controller LoadBalancer 10.0.7.73 34.68.230.234 80:30795/TCP,443:32481/TCP,1234:30885/TCP 5m

You'll need to take the EXTERNAL-IP address to create a DNS entry for *.$SUBDOMAIN.

You can overwrite Okteto's public URL using the publicOverride field.

publicOverride

Use this property to override the Public URL where Okteto is available. This option replaces okteto.$SUBDOMAIN with your FQDN of choice.

publicOverride: "example.com"

Once you set this in your Helm configuration file, make sure to point the Okteto Ingress Controller's IP address to this domain using your DNS provider. The IP address can be found by running the following command (like we did during the install phase):

kubectl get service -l=app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/component=controller --namespace=okteto

Important: When using publicOverride, the certificate referred by wildcardCertificate.name must be valid for publicOverride, registry.$SUBDOMAIN and buildkit.$SUBDOMAIN.

When publicOverride is set, an additional component is deployed for Okteto Private Endpoints feature. You can configure its settings using the privateEndpoints section.

When setting your auth provider, the authentication callback URL and origin URL will change to the following:

Callback URL:

https://${publicOverride}/auth/callback
https://private-endpoints.${subdomain}/auth/callback

Origin URL:

https://${publicOverride}
https://private-endpoints.${subdomain}

auth

Use the auth property to specify which users can access Okteto and the method they can use for logging in.

Okteto provides OAuth2 integrations for the following auth providers:

Additionally, Okteto provides a single user authentication method based on a Token for initial evaluations.

Theme

Use this property to customize the logo and the colors of the sidebar to match your team's identity or your favorite colors.

  • logo: The logo displayed at the far top left of the Okteto UI. The value can be a url or a Base64 encoded image.
  • primary: The primary color of the sidebar. This is used for the color of the sidebar. The value can be a HTML color name (e.g. blue, red) or a hexadecimal code.
  • secondary: The secondary color of the sidebar. This is used for the icons and the text displayed in the sidebar. The value can be a HTML color name (e.g. blue, red) or a hexadecimal code.
theme:
logo: http://example.com/icon.png
primary: \#EFF3F2
secondary: black

Okteto Components

api

The API service. Account and Kubernetes credentials management, namespace creation, and sharing, deployment via the catalog, etc...

  • annotations: Annotations to add to the API pods.
  • extraEnv: Environment variables to be set on the API containers.
  • labels: Labels to add to the API pods.
  • priorityClassName: The priority class to be used by the API pods. The PriorityClass must already exist in your cluster before using this setting. This value has precedence over globals.priorityClassName if both are set. If this value is not set, the pods will inherit the priority class defined by the value set in globals.priorityClassName.
  • replicaCount: The number of API pods. It defaults to 2.
  • resources: The resources for the API pods.
api:
extraEnv:
- name: NO_PROXY
value: ".example.com"
replicaCount: 2
resources:
requests:
cpu: 100m
memory: 128Mi

autoscaler (deprecated)

The cluster autoscaler service. Disabled by default. It instructs the Kubernetes cluster autoscaler to scale nodes if the real cpu/memory usage of a node is beyond the limits. Use tolerations.devPool to limit the autoscaler analysis to a subset of cluster nodes.

Requirements: cluster autoscaler and metrics server must be installed in your cluster.

  • annotations: Annotations to add to the autoscaler pods.
  • cpu.up: Increase the cluster size when the CPU consumption is greater than or equal to this value. It defaults to 60 percent.
  • cpu.down: Decrease the cluster size when the CPU consumption is lesser than this value. It defaults to 40 percent.
  • image: image used by the autoscaler to deploy the autoscaler agent. It defaults to busybox.
  • labels: Labels to add to the autoscaler pods.
  • memory.up: Increase the cluster size when the Memory consumption is greater than or equal to this value. It defaults to 70 percent.
  • memory.down: Decrease the cluster size when the Memory consumption is lesser than this value. It defaults to 50 percent.
  • nodes.increment: The number of new nodes to request when all the current nodes are overloaded. e.g. if this value is 3, the autoscaler will request 3 new nodes when all the cluster nodes are overloaded. It defaults to 1.
  • nodes.min: Minimum number of nodes in the cluster. It defaults to 1.
  • nodes.max: Maximum number of nodes in the cluster. It defaults to 10. Zero means unlimited.
  • nodes.poolLabel: The node label that identifies the node pool of the node. For example, the value in GKE is cloud.google.com/gke-nodepool. In EKS the value is eks.amazonaws.com/nodegroup. If set, the autoscaler scales each node pool independently.
  • pods.up: Increase the cluster size when the Pods in a node vs the max pods per node is greater than or equal to this value. It defaults to 90 percent.
  • pods.down: Decrease the cluster size when the Pods in a node vs the max pods per node is lesser than this value. It defaults to 80 percent.
  • priorityClassName: The priority class to be used by the autoscaler pods.
  • schedule: How often, in seconds, the autoscaler analyzes if the cluster needs to be scaled. It defaults to 300.
  • slackWebhook: A slack webhook url to notify autoscaler events.
  • volumes.up: Increase the cluster size when the Volumes in a node vs the max volumes per node is greater than or equal to this value. It defaults to 90 percent.
  • volumes.down: Decrease the cluster size when the Volumes in a node vs the max volumes per node is lesser than this value. It defaults to 80 percent.
autoscaler:
enabled: false
image: busybox
schedule: 300
cpu:
up: 60
down: 40
memory:
up: 70
down: 50
pods:
up: 90
down: 80
volumes:
up: 90
down: 80
nodes:
increment: 1
min: 1
max: 10
podLabel: cloud.google.com/gke-nodepool
slackWebhook:

buildkit

The build service. It's used in combination with okteto build to build containers directly in the cluster.

  • port: Port used for the buildkit statefulset. Defaults to 443.
  • annotations: Annotations to add to the buildkit pods.
  • extraEnv: Environment variables to be set on the buildkit containers.
  • hpa.enabled: Enable horizontal pod autoscaling for the buildkit pods. Disabled by default.
  • hpa.min: Minimum number of buildkit pods to keep running.
  • hpa.max: Maximum number of buildkit pods to scale to.
  • hpa.cpu: The amount of CPU utilization that will cause the HPA to scale the buildkit pods.
  • labels: Labels to add to the buildkit pods.
  • podManagementPolicy: The podManagementPolicy of the buildkit pods. Defaults to Parallel.
  • priorityClassName: The priority class to be used by buildkit pods. The PriorityClass must already exist in your cluster before using this setting. This value has precedence over globals.priorityClassName if both are set. If this value is not set, the pods will inherit the priority class defined by the value set in globals.priorityClassName.
  • replicaCount: The number of buildkit pods. It defaults to 1.
  • resources: The resources for the buildkit pods.
  • serviceAccount.create: create a service account for buildkit. True by default.
  • serviceAccount.name: Buildkit service account name. Defaults to okteto-buildkit.
  • serviceAccount.annotations: Annotations for the buildkit service account.
  • serviceAccount.labels: Labels for the buildkit service account.
  • persistence.enabled: Configures a persistence volume for buildkit. Enabled by default.
  • persistence.class: The storage class of the persistence volume attached to every buildkit pod.
  • persistence.size: The size of the persistence volume attached to every buildkit pod. Defaults to 750Gi.
  • persistence.cacheRadio: What percentage the persitence size should be use for the cache. Value should be between 0 and 1. Defaults to 0.9.
  • tolerations: List of tolerations to be added to the Buildkit pods. If not set, the Buildkit pods will inherit the tolerations list set in globals.tolerations.okteto.
  • nodeSelectors: Dictionary of node selectors to be added to the Buildkit pods. If not set, the Buildkit pods will inherit the node selectors dictionary set in globals.nodeSelectors.okteto.
  • network.mode: Controls the networking environment for containers during the build process. Defaults to auto but can be set to host, none, or bridge. Bridge mode can be useful for preventing port collisions in concurrent builds by isolating network environments.
buildkit:
port: 443
extraEnv:
- name: NO_PROXY
value: ".example.com"
replicaCount: 1
persistence:
enabled: true
storageClass: ssd
size: 180Gi
cache: 150000
tolerations:
- key: "okteto-buildkit"
operator: "Equal"
value: "buildkit"
effect: "NoExecute"
nodeSelectors:
okteto-node-label: build
region: west

In order to handle timeouts during communication between the client and the buildkit daemon, the following environment variables can be modified on the server side:

  • OKTETO_KEEPALIVE_SERVER_TIME_MS: After this duration of time, if the server doesn't see any activity it pings the client to see if the transport is still alive. If set below 1s, a minimum value of 1s will be used. The current default value is 2 hours.
  • OKTETO_KEEPALIVE_SERVER_TIMEOUT_MS: After having pinged for keepalive check, the server waits for a duration of Timeout and if no activity is seen, the connection is closed. The current default value is 20 seconds.
  • OKTETO_KEEPALIVE_SERVER_MAX_CONN_IDLE_MS: Duration for the amount of time after which an idle connection would be closed by sending a GOAWAY. Idleness duration is defined since the most recent time the number of outstanding RPCs became zero or the connection establishment. The current default value is infinity.
  • OKTETO_KEEPALIVE_SERVER_MAX_CONN_AGE_MS: Duration for the maximum amount of time a connection may exist before it will be closed by sending a GOAWAY. A random jitter of +/-10% will be added to the value to spread out connection storms. The current default value is infinity.
  • OKTETO_KEEPALIVE_SERVER_MAX_CONN_AGE_GRACE_MS: An additive period after OKTETO_KEEPALIVE_SERVER_MAX_CONN_AGE_MS after which the connection will be forcibly closed. The current default value is infinity.
  • OKTETO_KEEPALIVE_SERVER_POLICY_MINTIME_MS: Minimum amount of time a client should wait before sending a keepalive ping. The current default value is 5 minutes.
  • OKTETO_KEEPALIVE_SERVER_POLICY_PERMIT_WITHOUT_STREAM: If true, server allows keepalive pings even when there are no active streams(RPCs). If false, and client sends pings when there are no active streams, server will send GOAWAY and close the connection. False by default.

If you're trying to configure Buildkit persistency for your Okteto installation, check out our video tutorial:

daemonset

The daemonset automatically configures every node of your cluster to work better with Okteto.

  • annotations: Annotations to add to the daemonset pods.
  • extraEnv: Environment variables to be set on the daemonset containers.
  • labels: Labels to add to the daemonset pods.
  • image: Container image used by the daemonset pods.
  • configurePrivateRegistriesInNodes.enabled: Specifies if the daemonset should configure the private registry credentials in the nodes for kubelet or not. It defaults to false. It's disabled if regcredsManager.pullSecrets.enabled=true.
  • priorityClassName: The priority class to be used by the daemonset pods. The PriorityClass must already exist in your cluster before using this setting. This value has precedence over globals.priorityClassName if both are set. If this value is not set, the pods will inherit the priority class defined by the value set in globals.priorityClassName.

The daemonset performs the following tasks on each node:

  • Overrides the Okteto Registry hostname resolution to use internal IPs.
  • Overrides the default kernel values for file watchers on every node.
  • Configures the kubelet with registry credentials for private registries (if configurePrivateRegistriesInNodes.enabled=true and regcredsManager.pullSecrets.enabled=false).
  • Installs your CA if wildcardCertificate.privateCA is enabled.
  • Installs a CA if using self-signed certificates (wildcardCertificate.create: true).

You can restrict the nodes where the daemonset is deployed using dev tolerations and nodeSelectors:

tolerations:
devPool: dev

defaultBackend

The defaultBackend receives errored requests from the ingress-controller and transform them returning them to the client.

  • affinity: Affinities to add to the defaultBackend pods.
  • annotations: Annotations to add to the defaultBackend pods.
  • enabled: Control if defaultBackend is deployed. Defaults to true.
  • extraEnvs: Environment variables to be set on the defaultBackend containers.
  • image: Configuration block to customize the image used by the defaultBackend pods.
    • repository: Registry and repository for the defaultBackend pods.
    • tag: Tag used for the defaultBackend pods.
  • labels: Labels to add to the defaultBackend pods.
  • nameOverride: String to override the full name of the defaultBackend service. If you rename an existing service, you need to follow the manual migration steps documented below.
  • port: Internal port used for the defaultBackend. Defaults to 8080.
  • priorityClassName: The priority class to be used by the defaultBackend pods. The PriorityClass must already exist in your cluster before using this setting. This value has precedence over globals.priorityClassName if both are set. If this value is not set, the pods will inherit the priority class defined by the value set in globals.priorityClassName.
  • replicaCount: The number of defaultBackend pods. It defaults to 2.
  • resources: The resources for the defaultBackend pods.
defaultBackend:
replicaCount: 3
resources:
requests:
cpu: 100m
memory: 128Mi

The defaultBackend provides the following features:

  • Autowake namespaces: when a user access an endpoint from an slept namespace, the defaultBackend will issue a wake command.
  • Custom error pages: when a user access an endpoint and an error is produced, the defaultBackend will return a custom error page with hints on how to solve it.
tolerations:
devPool: dev

Manual migration steps when renaming the defaultBackend service

If you rename the defaultBackend service using the nameOverride property, follow these steps to successfully upgrade Okteto in your cluster:

  1. Identify the current service name for your defaultBackend
kubectl get svc -l app.kubernetes.io/component=default-backend -n okteto
  1. Patch the defaultBackend service adding the annotation: helm.sh/resource-policy: keep
kubectl patch service "<Your existing defaultBackend service name>" -n okteto -p '{"metadata":{"annotations":{"helm.sh/resource-policy": "keep"}}}'
  1. Upgrade the Okteto Helm chart. This will create a new defaultBackend service with the new name.
  2. You can now safely delete the old defaultBackend service.

frontend

The frontend service serves the web application.

  • annotations: Annotations to add to the frontend pods.
  • extraEnv: Environment variables to be set on the frontend containers.
  • labels: Labels to add to the frontend pods.
  • priorityClassName: The priority class to be used by the frontend pods. The PriorityClass must already exist in your cluster before using this setting. This value has precedence over globals.priorityClassName if both are set. If this value is not set, the pods will inherit the priority class defined by the value set in globals.priorityClassName.
  • replicaCount: The number of frontend pods. It defaults to 2.
  • resources: The resources for the frontend pods.
frontend:
extraEnv:
- name: NO_PROXY
value: ".example.com"
replicaCount: 2
resources:
requests:
cpu: 100m
memory: 128Mi

gc

The Okteto Garbage Collector service automatically scales idle applications to zero and deletes unused namespaces for optimal cost savings and resource management. It is enabled by default.

The Garbage Collector service can also be configured in the Admin Dashboard by navigating to Admin -> Garbage Collector.

  • annotations: Annotations to add to the gc pods.
  • labels: Labels to add to the gc pods.
  • slackWebhook: If set, the garbage collector will send a notification when it scales a resource to zero or when it deletes a namespace.
  • upSessionByLastSyncedFile: If true, okteto up sessions will be scaled to zero if no files have been synchronized in the scale to zero period. Default behavior is to check for an active connection (regardless of inactivity)
  • priorityClassName: The priority class to be used by the gc pods. The PriorityClass must already exist in your cluster before using this setting. This value has precedence over globals.priorityClassName if both are set. If this value is not set, the pods will inherit the priority class defined by the value set in globals.priorityClassName.
gc:
enabled: true
upSessionByLastSyncedFile: false
slackWebhook:

insights

Configures the Okteto Insights component in your Okteto instance.

  • enabled: Whether to enable Okteto Insights. Defaults to false.
  • bearerSecret.name: Name of the secret where the token to access Okteto Insights metrics is stored. Defaults to okteto-insights.
  • bearerSecret.key: Name of the key within the secret where the token to access Okteto Insights metrics is stored. Defaults to bearer.
insights:
enabled: false
bearerSecret:
name: okteto-insights
key: bearer

If Okteto Insights is enabled, the Event Exporter component and the Insights Metrics cronjob are also installed.

The Event Exporter receives Okteto CLI events via Kubernetes Events and injects them as Okteto Insights metrics.

  • priorityClassName: The priority class for pods created by the Event Exporter. The PriorityClass must already exist in your cluster before using this setting. This value has precedence over globals.priorityClassName if both are set. If this value is not set, the pods will inherit the priority class defined by the value set in globals.priorityClassName.
  • podAnnotations: Annotations to add to Event Exporter pods.
  • podLabels: Labels to add to the Event Exporter pods.
  • resources: The resources for the Event Exporter pods.
insights:
eventsExporter:
priorityClassName:
podLabels: {}
podAnnotations: {}
resources:
requests:
cpu: 50m
memory: 20Mi
limits:
memory: 100Mi

The Insight Metrics is a cronjob that pre-computes several metrics for the Okteto Insights /metrics endpoint.

  • annotations: Annotations to add to Insight Metrics pods.
  • labels: Labels to add to the Insight Metrics pods.
  • priorityClassName: The priority class for pods created by the Insight Metrics. The PriorityClass must already exist in your cluster before using this setting. This value has precedence over globals.priorityClassName if both are set. If this value is not set, the pods will inherit the priority class defined by the value set in globals.priorityClassName.
  • resources: The resources for the Insight Metrics pods.
  • schedule: Defines the frequency at which cronjob is executed, using the cron syntax. It defaults to run every 5 minutes (*/5 * * * *).
insights:
metrics:
annotations: {}
labels: {}
priorityClassName:
resources:
requests:
cpu: 50m
memory: 20Mi
limits:
memory: 100Mi
schedule: "*/5 * * * *"

installer

The jobs that deploy your development environments from Git.

  • annotations: Annotations to add to the installer job pods.
  • extraEnv: Environment variables to be set on the installer job containers.
  • labels: Labels to add to the installer job pods.
  • image: to configure your custom installer binaries, including a custom Okteto CLI version.
  • runner: to configure your custom installer image.
  • activeDeadlineSeconds: Maximum duration of the pipeline in seconds.
  • gitSSHUser: User to be used when cloning git repos using ssh.
  • sshSecretName: The name of the secret that contains the private key used when cloning git repos using ssh. If it doesn't exist, the key and the secret will be automatically generated by Okteto.
  • resources: The resources for pods created by the installer jobs.
  • priorityClassName: The priority class for pods created by the installer job pods. The PriorityClass must already exist in your cluster before using this setting. This value has precedence over globals.priorityClassName if both are set. If this value is not set, the pods will inherit the priority class defined by the value set in globals.priorityClassName.
  • securityContext: The security context for the installer job container. It's not set by default, and it follows the same syntax used in Kubernetes
installer:
image: okteto/installer:1.5.2
runner: okteto/pipeline-runner:1.0.0
extraEnv:
- name: NO_PROXY
value: ".example.com"
activeDeadlineSeconds: 1800
gitSSHUser: git
sshSecretName: "okteto-ssh"
securityContext:
allowPrivilegeEscalation: false
resources:
requests:
cpu: 10m
memory: 50Mi

privateEndpoints

When publicOverride is set, Okteto Self Hosted deploys an additional component for Okteto Private Endpoints feature, which is responsible for authenticating and authorizing requests sent to Okteto Endpoints set to private mode.

  • port: Internal port used for the Private Endpoint component. Defaults to 8080.
  • resources: The resources for the Private Endpoint component pods.
  • replicaCount: The number of Private Endpoint component pods. It defaults to 1.
  • annotations: Annotations to add to the Private Endpoint component pods.
  • priorityClassName: The priority class to be used by the Private Endpoints pods. The PriorityClass must already exist in your cluster before using this setting. This value has precedence over globals.priorityClassName if both are set. If this value is not set, the pods will inherit the priority class defined by the value set in globals.priorityClassName.

By default, the Private Endpoint component will inherit the configuration set at the [auth] section, but you can override some values with the following properties:

  • clientID: Overrides auth.*.clientID.
  • clientSecret: Overrides auth.*.clientSecret.

regcredsManager

The configuration for the controller manager of the Registry Credentials Operator.

This controller manager is deployed as a deployment and is responsible for managing private registry credentials in the cluster. If pullSecrets.enabled=true all private registry credentials are copied to the okteto-regcred secret in user dev namespaces and previews. If pullSecrets.enabled=false these credentials are copied to all nodes through the Okteto Daemon if daemonset.configurePrivateRegistriesInNodes.enabled=true.

  • priorityClassName: The priority class to be used by the controller manager pods. The PriorityClass must already exist in your cluster before using this setting. This value has precedence over globals.priorityClassName if both are set. If this value is not set, the pods will inherit the priority class defined by the value set in globals.priorityClassName.
  • pullSecrets.enabled: If enabled, private registry credentials defined in the cluster will be written to user namespaces as pull secrets and no longer be written to the nodes. Defaults to true.
  • internalCertificate.annotations: Annotations to add to the tls secret used in the controller manager webhook server.
  • podAnnotations: Annotations to add to the controller manager pods.
  • podLabels: Labels to add to the controller manager pods.
  • webhookTimeout: The timeout in seconds for request made to the validating webhook server
  • replicas: The number of controller manager pods. The controller is deployed as a deployment with leader election. It is recommended to have at least 2 replicas here.
  • resources: The resources for the controller manager pods.
regcredsManager:
priorityClassName:
pullSecrets:
enabled: false
internalCertificate:
annotations: {}
podLabels: {}
podAnnotations: {}
webhookTimeout: 30
replicas: 2
resources:
requests:
cpu: 50m
memory: 100Mi
limits:
memory: 800Mi

resourceManager

Use this section to configure the Resource Manager

  • annotations: Annotations to add to the Resource Manager pods.
  • deletePeriodDays: Specifies the retention period for the recommendations. If a service is no longer deployed in your cluster, its recommendation will be deleted after the specified deletePeriod. It defaults to 15 days.
  • enabled: When set to true, the Resource Manager is installed. When Resource Manager is installed, Okteto creates a CronJob responsible for computing the cpu and memory recommendations for your pods. It defaults to true.
  • labels: Labels to add to the Resource Manager pods.
  • priorityClassName: The priority class to be used by the Resource Manager pods. The PriorityClass must already exist in your cluster before using this setting. This value has precedence over globals.priorityClassName if both are set. If this value is not set, the pods will inherit the priority class defined by the value set in globals.priorityClassName.
  • recommendations.correction: A floating-point multiplier used to adjust for over or under-provisioning of resources. The default is 1.1, indicating a 10% over-provisioning. This value must be greater than 0. For example, setting it to 0.9 will result in a 10% under-provisioning compared to the average utilization.
  • recommendations.min.cpu: Specifies the minimum CPU requests configured when the Resource Manager applies recommendations. The minimum value will be used if a recommendation hasn't been calculated yet or is below this value. It defaults to 5m.
  • recommendations.min.memory: Specifies the minimum memory requests configured when the Resource Manager applies recommendations. The minimum value will be used if a recommendation hasn't been calculated yet or is below this value. It defaults to 10Mi.
  • recommendations.weight: A floating-point number between 0 and 1 used to stabilize CPU and memory recommendation calculations. A higher value (closer to 1) gives more weight to historical resource usage trends, making the Resource Manager less responsive to recent changes or spikes. A lower value (closer to 0) makes it more reactive to recent usage patterns, including spikes. The default value is 0.9, which makes the Resource Manager conservative, favoring existing trends and attempting to ignore minor fluctuations.
  • resources: The resources for the Resource Manager pods.
  • schedule: Defines the frequency at which resource recommendations are calculated, using the cron syntax. It defaults to run every 5 minutes (*/5 * * * *).
resourceManager:
enabled: true
schedule: "*/5 * * * *"
deletePeriodDays: 15
recommendations:
weight: 0.9
correction: 1.1
min:
cpu: 5m
memory: 10Mi
priorityClassName:
labels: {}
annotations: {}
resources: {}

registry

Use this section to configure the Okteto Registry. We have dedicated guides to configure the Okteto Registry to store your images in the storage driver of your choice.

These are all the settings available to configure your Okteto Registry:

  • annotations: Annotations to add to the registry pods.
  • extraEnv: Environment variables to be set on the registry containers.
  • ingress.annotations: Annotations to add to the registry ingress. These annotations take precedence over the ones defined in the ingress section.
  • labels: Labels to add to the registry pods.
  • pullPolicy: The security policy for image pulls. If set to cluster, any Okteto user can pull any image from the registry. When set to namespace, only users with access to the namespace can pull images from the namespace. It defaults to namespace.
  • priorityClassName: The priority class to be used by the registry pods. The PriorityClass must already exist in your cluster before using this setting. This value has precedence over globals.priorityClassName if both are set. If this value is not set, the pods will inherit the priority class defined by the value set in globals.priorityClassName.
  • replicaCount: The number of registry pods. It defaults to 1.
  • resources: The resources for the registry pods.
  • serviceAccountName: Alternative service account to be used by the registry. The service account must exist in the same namespace for the Okteto Helm release. Defaults to none.
  • serviceAccount.annotations: Annotations to add to the registry service account.
  • secret.name: when using external storage, the name of the secret with the values of your cloud provider credentials.
  • secret.accessKey: the key of the access key in the secret referenced by secret.name (defaults to accessKey).
  • secret.secretKey: the key of the secret key in the secret referenced by secret.name (defaults to secretKey).

telemetry

The telemetry job "phones home" once a day with the following information:

  • Number of managed users
  • Number of managed namespaces
  • Kubernetes Version and Platform
  • A unique install ID
  • Your license ID.
  • The name of the authentication provider
  • The name of the cloud provider

Okteto uses the information to help us better understand how our customers use Okteto, as well as to help us prioritize fixes and features. We don't share your information with anyone else.

  • enabled: Enables or disables the telemetry job. Defaults to true.
  • priorityClassName: The priority class to be used by the telemetry pods. The PriorityClass must already exist in your cluster before using this setting. This value has precedence over globals.priorityClassName if both are set. If this value is not set, the pods will inherit the priority class defined by the value set in globals.priorityClassName.
telemetry:
enabled: true

If this configuration is disabled, Okteto CLI analytics are automatically disabled.

webhook

The webhook service. Ingress creation, generation of hostnames, enforcement of policies, etc...

  • annotations: Annotations to add to the webhook pods.
  • extraEnv: Environment variables to be set on the webhook containers.
  • hostNetwork: Enables or disables host networking for the webhook deployment. The default is false.
  • labels: Labels to add to the webhook pods.
  • port: Port sets the port used for the webhook deployment. The default is 443.
  • priorityClassName: The priority class to be used by the webhook pods. The PriorityClass must already exist in your cluster before using this setting. This value has precedence over globals.priorityClassName if both are set. If this value is not set, the pods will inherit the priority class defined by the value set in globals.priorityClassName.
  • replicaCount: The number of webhook pods. It defaults to 2.
  • resources: The resources for the webhook pods.
  • internalCertificate.annotations: Annotations to add to the internal certificate generated for the webhook.

Advanced Configuration

affinity

Apply default affinities to pods deployed in namespaces created by Okteto.

  • devPool: Affinities for pods created on namespaces managed by Okteto.
  • oktetoPool: Affinities for pods created during the Okteto installation.
affinity:
devPool:
preferredDuringSchedulingIgnoredDuringExecution:
- preference:
matchExpressions:
- key: cloud.google.com/spot
operator: In
values:
- "true"
weight: 10
oktetoPool:
preferredDuringSchedulingIgnoredDuringExecution:
- preference:
matchExpressions:
- key: dev.okteto.com/overloaded
operator: DoesNotExist
weight: 50

In this case, pods deployed in namespaces created by Okteto will have a preferred affinity to land on preemptive nodes.

autowake

When enabled, Okteto wakes up sleeping Namespaces upon receiving an incoming request to any of the Namespace's public endpoints (default: true).

autowake:
enabled: true

convertLoadBalancedServices

Converts services with type LoadBalancer into ClusterIP and automatically creates an ingress. Enabled by default.

convertLoadBalancedServices:
enabled: true

crds

Configures CRDs managed by Okteto.

  • annotations: The annotations to apply to the CRDs created during the Okteto installation.
  • keep: Keep CRDs on chart uninstall (defaults to true).
  • install: Install and upgrade CRDs on chart install (defaults to true).
crds:
install: true
keep: true
annotations: {}

devStorageClass

Uses the specified storage class for all persistent volume claims created when developers execute okteto up. This setting will override any storage class defined on the Okteto manifest. Disabled by default.

  • storageClass: The storage class enforced for persistent volume claims created by okteto up.
devStorageClass:
enabled: true
storageClass: ebs-sc

There is only one exception where this storage class is overwritten. In case of having volume snapshots feature configured, if a storage class is required for the snapshots that storage class will have preference.

fullnameOverride

The Okteto chart combines the release name and the chart name to create a prefix used for naming the Kubernetes resources created by the chart. Use this property to override the whole prefix. If you want to override only the chart name, you can use the nameOverride setting.

fullnameOverride: custom-prefix

The maximum length for fullnameOverride is 34 characters. Check how to extend the limit to 40 characters if you need a longer prefix.

globals

Global settings applicable to all Okteto components.

priorityClassName

Defines the priority class to be used by all pods in the okteto namespace. The priority class must already exist in your cluster before using this setting.

globals:
priorityClassName: okteto-priority

tolerations

Specifies the tolerations to be applied to pods, categorized under okteto or dev:

  • okteto: Tolerations applied to pods running in the okteto namespace, excluding the Okteto Daemonset.
  • dev: Tolerations applied to pods created by user applications, which run in namespaces managed by Okteto. This also applies to the Okteto Daemonset.
globals:
tolerations:
okteto:
- key: "kubernetes.io/arch"
operator: "Equal"
value: "arm64"
effect: "NoSchedule"
dev:
- key: "kubernetes.io/arch"
operator: "Equal"
value: "arm64dev"
effect: "NoSchedule"

nodeSelectors

Specifies the node selectors to be applied to pods, categorized under okteto or dev:

  • okteto: Node selectors applied to pods running in the okteto namespace, excluding the Okteto Daemonset.
  • dev: Node selectors applied to pods created by user applications, which run in namespaces managed by Okteto. This also applies to the Okteto Daemonset.
globals:
nodeSelectors:
okteto:
okteto-node-label: okteto
dev:
okteto-node-label: dev
region: east

ingress

Configure default values for the ingress created by Okteto.

  • annotations: The annotations to apply to all the ingresses created during the Okteto installation.
  • oktetoIngressClass: The ingressClassName to apply to all the ingresses created during the Okteto installation (defaults to nginx).
  • class: If specified, Okteto will set this as the ingressClassName of all ingresses managed by Okteto. This is useful if you have more than one ingress controller in your cluster.
  • forceIngressClass: If enabled, all ingresses deployed in namespaces managed by Okteto will have the ingress class defined in ingress.class (default: false).
  • forceIngressSubdomain: If enabled, the subdomain of the host of all ingresses deployed in namespaces managed by Okteto must match the okteto wildcard subdomain (default: false).
  • ip: The internal IP of the ingress. Pods will call the Okteto API and the Okteto Registry using this IP. Required if the installation of the Okteto NGINX Ingress Controller is disabled.
ingress:
annotations: {}
oktetoIngressClass: nginx
class: nginx
forceIngressClass: false
forceIngressSubdomain: true
ip: ""

ingressLimits

Configure ingress connections limits for each public endpoint. Disabled by default.

  • connections: Maximum parallel connections for each ingress.
  • rps: Maximum requests per second for each ingress.
  • rpm: Maximum requests per minute for each ingress.
ingressLimits:
enabled: true
connections: 40
rps: 40
rpm: 400

injectDevelopmentBinaries

Automatically inject kubectl, helm, and okteto binaries on every development environment, and on the git and helm deployment pipelines. This requires permissions to mount a host volume.

If this is disabled, you'll need to provide your own image in installer.image.

injectDevelopmentBinaries:
enabled: true

kubetoken

  • lifetimeSeconds: The lifetime in seconds of the tokens generated for the Kubernetes credentials provided by Okteto. This value has to be equal or greater than installer.activeDeadlineSeconds to make sure the tokens are valid during all installer execution. Defaults to 86400 seconds (1 day).

One important thing to bear in mind is that the maximum expiration time you can specify depends on the Kubernetes apiserver's flag --service-account-max-token-expiration, so it might happen that the expiration time retrieved on your tokens is not the one specified here. If you specify a higher value, you will always get the maximum allowed by the apiserver. Be aware that not all Kubernetes service providers allow you to change this value and they enforce their own.

nameOverride

The Okteto chart combines the release name and the chart name to create a prefix used for naming the Kubernetes resources created by the chart. Use this property to override the chart name part of the prefix. You can override the whole prefix by using the fullnameOverride setting.

nameOverride: custom-chart-name-override

Note that the maximum length for the entire prefix is 34 characters. Check how to extend the limit to 40 characters if you need a longer prefix.

namespace

Annotation and label customizations in namespaces created by Okteto. These annotations and labels are additional to the ones already applied by Okteto.

  • annotations: Annotations applied to each namespace created by Okteto.
  • labels: Labels applied to each namespace created by Okteto.
  • ingress.annotations: Annotations applied to ingresses in namespaces created by Okteto.
  • ingress.labels: Labels applied to ingresses in namespaces created by Okteto.
  • autoRoleBinding.enabled: Flag to automatically bind the default service account within namespaces managed by Okteto to the cluster role specified on serviceAccounts.roleBindings.namespaces. This will provide access to the Kubernetes API to all pods that do not have a custom service account. Defaults to true.
namespace:
annotations:
development: "true"
labels:
istio-injection: enabled
ingress:
annotations:
cert-manager.io/issuer: "letsencrypt"
labels:
development: "true"

networkPolicies

Configures network policies for each namespace to isolate network traffic. Disabled by default.

  • ingress: Ingress list of rules (NetworkPolicyIngressRule) to be applied on every namespace managed by Okteto. (optional).
  • egress: Egress list of rules (NetworkPolicyEgressRule) to be applied on every namespace managed by Okteto (optional).
networkPolicies:
enabled: true
ingress:
- from:
- ipBlock:
cidr: 172.17.0.0/16
except:
- 172.17.1.0/24
- namespaceSelector:
matchLabels:
project: myproject
- podSelector:
matchLabels:
role: frontend
ports:
- protocol: TCP
port: 6379
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/24
ports:
- protocol: TCP
port: 5978

overrideFileWatchers

Overrides the default kernel values for file watchers in every node. Recommended if you're running databases, or if you plan on using "okteto up" on the cluster. This requires permission to mount and modify /proc values.

  • maxUserWatches: The maximum number of allowed inotify watchers.
  • maxMapCount: The maximum number of memory map areas a process may have.
  • aioMaxNR: The maximum number of allowable concurrent IO requests.
overrideFileWatchers:
enabled: true
maxUserWatches: 10048576
maxMapCount: 262144
aioMaxNR: 1000000

overrideRegistryResolution

Overrides the registry hostname resolution to use internal IPs. This requires permission to mount and modify the cluster nodes' /etc/hosts file.

overrideRegistryResolution:
enabled: true

oktetoBotUser

Overrides the name of the user used for admin access tokens. Defaults to "okteto-bot".

pullAlways

Forces the PullAlways image pull policy in the cluster. Enabled by default.

pullAlways:
enabled: true

quotas

Enables resource quotas at the namespace level.

  • resources: Limits the number of resources that a user can create.
    • maxNamespaces: Maximum number of namespaces that a user can create. This does not apply to the okteto-bot user used for admin access tokens.
    • maxPods: Maximum number of pods per namespace.
    • maxReplicationControllers: Maximum number of replication controllers per namespace.
    • maxSecrets: Maximum number of secrets per namespace.
    • maxServices: Maximum number of services per namespace.
    • maxJobs: Maximum number of jobs per namespace.
    • maxCronjobs: Maximum number of cronjobs per namespace.
    • maxLoadBalancers: Maximum number of services of type LoadBalancer per namespace.
    • maxNodePorts: Maximum number of services of type NodePort per namespace.
    • maxConfigMaps: Maximum number of config maps per namespace.
    • maxPVCs: Maximum number of persistent volume claims per namespace.
    • maxVolumeSnapshots: Maximum number of volume snapshots per namespace.
    • maxIngresses: Maximum number of ingresses per namespace.
  • bandwidth: Limits the incoming/outgoing bandwidth per pod. Requires using the Okteto NGINX Ingress Controller.
    • ingress: Maximum ingress bandwidth.
    • egress: Maximum egress bandwidth.
    • up: Limits the incoming/outgoing bandwidth per development container.
      • ingress: Maximum ingress bandwidth for a development container
      • egress: Maximum egress bandwidth for a development container.
  • requests: Limits the maximum resource requests per namespace.
    • cpu: Maximum CPU resource requests.
    • memory: Maximum memory resource requests.
    • storage: Maximum storage resource requests.
  • limits: Limits the maximum resource limits per namespace.
    • cpu: Maximum CPU resource limits.
    • memory: Maximum memory resource limits.
    • storage: Maximum storage resource limits.
  • limitranges: Configures the limit ranges of each namespace.
    • max: Configures the maximum resources per container.
      • cpu: Maximum CPU resource limits.
      • memory: Maximum memory resource limits.
    • requests: Configures the default resource requests per container.
      • cpu: Default CPU resource requests.
      • memory: Default memory resource requests.
    • limits: Configures the default resource limits per container.
      • cpu: Default CPU resource limits.
      • memory: Default memory resource limits.

The default configuration values are shown below. A value of "-1" indicates that no quota is enforced for that specific resource:

quotas:
resources:
enabled: false
maxNamespaces: "3"
maxPods: "-1"
maxServices: "-1"
maxLoadBalancers: "0"
maxNodePorts: "0"
maxReplicationControllers: "-1"
maxSecrets: "-1"
maxConfigMaps: "-1"
maxPVCs: "-1"
maxVolumeSnapshots: "-1"
maxIngresses: "-1"
maxJobs: "-1"
maxCronjobs: "-1"
bandwidth:
enabled: false
ingress: "800M"
egress: "800M"
up:
enabled: false
ingress: "800M"
egress: "800M"
requests:
enabled: false
cpu: "1"
memory: "2Gi"
storage: "20Gi"
limits:
enabled: false
cpu: "4"
memory: "8Gi"
storage: "20Gi"
limitranges:
max:
enabled: false
cpu: "3"
memory: "12Gi"
requests:
enabled: true
cpu: "10m"
memory: "50Mi"
limits:
enabled: true
cpu: "2"
memory: "8Gi"

secret

Labels and annotations to include in the secret created by the chart. Useful if you want to integrate with Vault or similar secret stores.

secret:
annotations:
your.custom.annotation: "10"
labels:
your.custom.label: "20"

serviceAccounts

Use the serviceAccounts section to configure labels, annotations and role bindings to be applied to each service account generated by Okteto for user accounts.

  • annotations: Annotations added to each service account generated by Okteto for user accounts.
  • labels: Labels added to each service account generated by Okteto for user accounts.
  • roleBindings.namespaces: Okteto assigns this cluster role to every admin, owner and member of a namespace via a namespace-scoped role binding on every namespace managed by Okteto. This cluster role is not created by Okteto, it must exist in the cluster. Default value is cluster-admin.
  • roleBindings.previews: Okteto assigns this cluster role to every Okteto user via a namespace-scoped role binding on every global preview environment. This cluster role is not created by Okteto, it must exist in the cluster. Default value is view.
  • clusterRoleBinding: Okteto assigns this cluster role to every user via a cluster role binding. By default, this behavior is disabled. This can be useful to give access to cluster level resources to every developer account, like accessing the Node API. This cluster role is not created by Okteto, it must exist in the cluster.
  • extraRoleBindings: Okteto assigns every cluster role specified there to every user via a namespace-scoped role binding on the namespace specified in the configuration. Okteto will not create the ClusterRoles nor the Namespaces and expects them to exist in the cluster.
serviceAccounts:
annotations:
custom.annotation/one: one
custom.annotation/two: two
labels:
custom.label/one: one
custom.label/two: two
roleBindings:
namespaces: cluster-admin
previews: view
clusterRoleBinding: "example-cluster-role"
extraRoleBindings:
namespace-name1:
- cluster-role1
- cluster-role2
namespace-name2:
- cluster-role3

In case you need to link more than one cluster role in any of the configuration settings, you should use Cluster Role aggregation to aggregate several Cluster Roles into one.

userDefinedNamespaces

Disable if you want to enforce using the username as a suffix on namespaces and ingress hosts. Enabled by default.

userDefinedNamespaces: false

userPodAffinity

When enabled Okteto automatically adds a preferred affinity to every pod, which leans towards placing pods from the same namespace and in the same node (default: true).

  • antiAffinity: When enabled Okteto adds an anti-affinity to the pod to ensure that all pods in the same namespace are placed in the same node. Disabled by default
userPodAffinity:
enabled: true
antiAffinity:
enabled: false

virtualServices

When enabled, the Okteto UI will show the public endpoints associated with Istio Virtual Services (default: false).

virtualServices:
enabled: false

volumes

Allows you to specify different settings for volumes.

  • validate: Section to configure volume validation.
  • enabled: Enables volume validation. Disabled by default
  • supportedStorageClasses: List of supported storage classes.
  • forceStorageClass: Flag to specify if the storage class should be enforced in case of creating a volume with a non-supported storage class. If set, the first storage class specified on supportedStorageClasses will be the enforced value.
  • supportedAccessModes: List of supported access modes.
volumes:
validate:
enabled: true
supportedStorageClasses: ["standard", "standard-rwo"]
forceStorageClass: true
supportedAccessModes: ["ReadWriteOnce"]

volumeSnapshots

Enables users to initialize persistent volume claims with the contents of a preexisting volume snapshot.

This feature requires having a CSI driver installed in your cluster.

  • driver: The name of the CSI driver used when creating snapshots.
  • class: The VolumeSnapshotClass of the volume snapshot.
  • storageClass: The storage class required by volumes initialized from snapshots (optional).
  • enableNamespaceAccessValidation: When enabled, only users that have access to the namespace where the volume snapshot is stored will be able to use it in their development environments. Default false.
  • allowIDAnnotation: Allow using your cloud provider's snapshot ID as the source of the data. Default true.
volumeSnapshots:
enabled: true
driver: ebs.csi.aws.com
class: snapclass
storageClass: ebs-sc

Add the dev.okteto.com/from-snapshot-id annotation to any persistent volume claim to tell Okteto to initialize your persistent volume claim, as shown below:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
annotations:
dev.okteto.com/from-snapshot-id: snap-xxxxxxxx
name: pvc-name
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi

When a persistent volume claim resource is created, Okteto will import the snapshot in Kubernetes using a VolumeSnapshotContent and will set the source of your persistent volume claim to this VolumeSnapshotContent.

wildcardCertificate

By default, Okteto configures a self-signed wildcard certificate for your instance to simplify your product evaluation. For a production-ready installation, follow our docs to configure your wildcard certificate and disable the default behavior.

These are all the settings available to configure certificates:

  • create: If set to false, Okteto will not create a self-signed wildcard certificate
  • duration: The duration of the self-signed certificate. Ignored if create is set to false
  • name: The name of the secret where the certificate is stored
  • privateCA.enabled: Set to true when using a private certificate authority
  • privateCA.secret.name: The name of the secret that stores the private certificate authority's certificate
  • privateCA.secret.key: The key in the secret that stores the private certificate authority's certificate
  • annotations: Annotations to add to the self-signed certificate generated by Okteto
wildcardCertificate:
create: true
duration: 2160h0m0s
name: default-ssl-certificate
annotations:
argocd.argoproj.io/compare-options: IgnoreExtraneous
# if using a private CA, specify the name of the TLS secret that stores the certificate
privateCA:
enabled: false
secret:
name: "okteto-ca"
key: "ca.crt"

Dependencies

Okteto will automatically install two instances of NGINX Ingress Controller as part of the default installation, using its official Helm chart.

Each instance has an specific role:

  • ingress-nginx: ingress-controller that serves all the inbound traffic to the Okteto cluster, including Buildkit, Registry, Okteto API, Okteto Frontend and users' ingresses.
  • okteto-nginx: ingress-controller dedicated to serve users' ingresses inbound traffic. By default, it is deployed behind ingress-nginx.

Okteto Ingress Controllers

Okteto has two nginx-related keys you can define in your configuration file (e.g. config.yaml or any other config file where you specify these keys): ingress-nginx and okteto-nginx. These each serve a different function.

ingress-nginx

This key is used to specify ingress behavior for Okteto's platform components (e.g. api, buildkit, registry) and supports passthrough/proxy behavior to okteto-nginx. This configuration will serve through a *.$subdomain internal ingress pointing to okteto-nginx. This ingress controller resides within the control plane of the Okteto cluster.

okteto-nginx

This key is used to specify ingress behavior specifically for development environments. This configuration is used to parse and register developer ingresses. This ingress controller resides within the cluster and manages ingress to and between developer applications.

A practical example of how these two ingress controllers interaction is: when a new user request arrives to Okteto it will be served by ingress-nginx, which will proxy it to okteto-nginx. Then okteto-nginx will proxy the request to the backend pod.

Sample configuration

One example of modifying the Okteto ingress controllers, to change the number of replicas in ingress-nginx, looks like this:

ingress-nginx:
controller:
replicaCount: 2

The full list of values is available here.

ingress-nginx & okteto-nginx default values

Okteto sets specific values on the embedded ingress-nginx chart to enable features dependent on the ingress-controller. The values can be checked with the following command:

  • ingress-nginx:

    helm get values okteto/okteto --jsonpath '{.ingress-nginx}'
  • okteto-nginx:

    helm get values okteto/okteto --jsonpath '{.okteto-nginx}'

Using Your Own Ingress Controller

Refer to this community guide for detailed instructions on disabling the Okteto Nginx Ingress Controller and exposing Okteto behind your own Ingress Controller.

Redis

Okteto's Resource Manager uses Redis to store the generated recommendations. Redis is only installed when the Resource Manager is enabled and it's deployed using the Bitnami Redis chart, you can customize the deployment using these values under the redis key.

Reloader

The Okteto chart uses Reloader to perform rolling upgrades to Okteto components when changes happen on specific secrets. Reloader can be customized using the reloader.reloader value using these parameters.

Store Sensitive Configuration Values using a Secret

Create a secret named okteto-cloud-secret to store the following values instead of setting them in your helm configuration file:

  • OKTETO_LICENSE: use this instead of .Values.license in your helm configuration file.
  • GOOGLE_CLIENTSECRET: use this instead of .Values.auth.google.clientSecret in your helm configuration file.
  • GITHUB_CLIENTSECRET: use this instead of .Values.auth.github.clientSecret in your helm configuration file.
  • BITBUCKET_CLIENTSECRET: use this instead of .Values.auth.bitbucket.clientSecret in your helm configuration file.
  • OPENID_CLIENTSECRET: use this instead of .Values.auth.openid.clientSecret in your helm configuration file.
  • GITHUB_INTEGRATION_CLIENTSECRET: use this instead of .Values.github.clientSecret in your helm configuration file.
  • GITHUB_APP_PRIVATE_KEY: use this instead of .Values.github.appPrivateKey in your helm configuration file.

Handling a Long Release Name

The Okteto chart combines the release name and the chart name to create a prefix used for naming the Kubernetes resources created by the chart.

In Kubernetes, there are strict limits on the maximum length of names for various resources. For example, CronJob names cannot exceed 52 characters, and Service names cannot be longer than 63 characters. Additionally, Helm enforces a maximum length of 53 characters for a release name.

Since the Okteto chart creates multiple resources in Kubernetes, it employs specific strategies to avoid exceeding these length limits and to minimize the need for additional configuration.

The maximum length for the Okteto prefix is 34 characters. This limit is derived from the maximum name length allowed by Kubernetes (63 characters), minus the length of the longest Okteto component suffix ("-ingress-nginx-defaultbackend"). The 34 characters are then divided into 27 characters for the release name and 7 characters for the chart name ("-okteto").

This limit can be extended to 40 characters by overriding the name of the defaultBackend component. To do this, set the defaultBackend.nameOverride value. If you rename the defaultBackend on an existing installation, be sure to follow these steps to safely rename it.

If you need to use a release name longer than 40 characters, you can also use the nameOverride or fullnameOverride settings to make the prefix shorter.