Skip to main content

Configuration Settings

General Settings#

email#

The email of the application owner.

cluster#

  • endpoint: The public endpoint of your Kubernetes cluster. It will be used by Okteto when generating Kubeconfig credentials for your users.
cluster:
endpoint: "https://52.30.32.1"

license#

Okteto Enterprise is free for small teams. You can manage up to 3 users with 3 namespaces each without having to provide a license.

license: XXXXX

Want to use Okteto Enterprise with a bigger team? Let's talk

You can also use a secret to store the license.

subdomain#

The domain (or subdomain) managed by Okteto Enterprise.

Your Okteto Enterprise instance will be available at okteto.$SUBDOMAIN. All ingresses created by okteto will use it as well (e.g. https://app-$NAMESPACE.$SUBDOMAIN)

subdomain: "example.com"

After installation, we recommend that you create a DNS entry for *.$SUBDOMAIN, pointing to the public address of your load balancer.

auth#

Okteto Enterprise supports using Bitbucket, Github, Google, or OpenID Connect as authentication providers.

You can also use a secret to store the sensitive part of these credentials.

  • bitbucket: Use this group of settings when using Bitbucket OAauth as your authentication provider.
auth:
bitbucket:
enabled: true
clientId: OAauth Consumer Key
clientSecret: OAauth Consumer Secret
workspace: my-workspace

The workspace field is optional. Only members of the workspace will be allowed to login into your Okteto Enterprise instance. An empty workspace field permits any user to log in.

  • github: Use this group of settings when using Github OAuth as your authentication provider.
auth:
github:
enabled: true
clientId: clientID
clientSecret: clientSecret
organization: my-org

The organization field is optional. Only members of the organization will be allowed to log in into your Okteto Enterprise instance. An empty organization field permits any user to log in.

  • google: Use this group of settings when using Google OAuth as your authentication provider.
auth:
google:
enabled: true
clientId: clientid.apps.googleusercontent.com
clientSecret: clientSecret
  • openid: Use this group of settings when using an OpenID Connect provider as your authentication provider.
auth:
openid:
enabled: true
clientId: clientid
clientSecret: clientSecret
group: my-group
endpoints:
issuer: https://your-provider
authorization: https://your-provider/authorization
mapping:
externalIDKey: nickname
nameKey: name
emailKey: email
pictureKey: picture
groupsKey: groups

The group field is optional. Only members of the group will be allowed to log in into your Okteto Enterprise instance. An empty group field permits any user to log in.

The issuer and authorization endpoints must match the value returned in the provider config discovery.

The mapping fields are optional. Use them to configure the mapping between Okteto's user attributes and the claim coming from your authentication provider.

Your provider needs to support the UserInfo endpoint in order to be used with Okteto Enterprise. This authentication option follows the OpenID standard, and it has been validated with Okta, PingIdentity, and Gitlab.

cloud#

Okteto Enterprise integrates with different cloud providers to store the registry images and generate certificates for your applications.

The credentials will be used by cert-manager when generating and renewing the wildcard certificate. The sensitive part of the credentials are not included in the configuration file. Instead, it is provided to Okteto Enterprise via a secret.

  • azure: Use this if your domain is managed by Azure DNS, and to use Azure Storage to store your private images.
cloud:
provider:
azure:
enabled: true
servicePrincipal: "Service Principal ID"
subscriptionID: "Azure Subscription ID"
tenantID: "Azure Tenant ID"
resourceGroupName: "Resource Group Name"
storage:
container: "Storage Container Name"
accountName: "Storage Account Name"

The storage setting will be used by the registry to pull and push images (if using cloud storage). This needs to be created before installing Okteto Enterprise.

  • aws: Use this if your domain is managed by Route53, and to use S3 to store your private images.
cloud:
provider:
aws:
enabled: true
bucket: "Bucket Name"
region: "AWS region"
iam:
accessKeyID: "IAM Access Key"

The bucket will be used by the registry to pull and push images (if using cloud storage). This needs to be created before installing Okteto Enterprise.

Use the role configuration below if your Route53 zone is managed by a separate AWS account than the one used to provision your Kubernetes cluster.

cloud:
provider:
aws:
enabled: true
bucket: "Bucket Name"
region: "AWS region"
iam:
enabled: false
role:
enabled: true
arn: "Role arn"
hostedZoneID: "zone id"
  • digitalocean: Use this if your domain is managed by DigitalOcean, and to use DigitalOcean spaces to store your private images.
cloud:
provider:
digitalocean:
enabled: true
space:
name:
accessKeyID:

The space settings will be used by the registry to pull and push images (if using cloud storage). This needs to be created before installing Okteto Enterprise.

  • gcp: Use this if your domain is managed by Google Cloud DNS, and to use Google Cloud Storage to store your private images.
cloud:
provider:
gcp:
enabled: true
bucket: "Bucket Name"
project: "Project ID"

The bucket settings will be used by the registry to pull and push images (if using cloud storage). This needs to be created before installing Okteto Enterprise.

  • byo: Use this if you're using a provider not currently supported by Okteto Enterprise.
cloud:
provider:
byo:
enabled: true
issuerName:
issuerKind: Issuer

When using byo you'll need to create a valid cert-manager issuer before installing Okteto Enterprise, and configure your registry to use the file system for storage.

Advanced Cloud Scenarios#

It is possible to use separate cloud providers for DNS than for storage if needed. Reach out to us, we're always happy to help!

Okteto Enterprise Components#

api#

The API service. Account and Kubernetes credentials management, namespace creation, and sharing, deployment via the catalog, etc...

  • annotations: Annotations to add to the API pods.
  • labels: Labels to add to the API pods.
  • replicaCount: The number of API pods. It defaults to 2.
  • resources: The resources for the API pods.
api:
replicaCount: 2
resources:
requests:
cpu: 100m
memory: 128Mi

autoscaler#

The cluster autoscaler service. It instructs the Kubernetes cluster autoscaler to scale nodes if the cumulative resource requests of pods running in a node or the real cpu/memory usage of a node is beyond the limits. Use tolerations.devPool to limit the autoscaler analysis to a subset of cluster nodes.

autoscaler:
enabled: false
schedule: 300
up: 80
down: 60
increment: 1
min: 1
max: 10
slackWebhook:
  • annotations: Annotations to add to the autoscaler pods.
  • down: Decrease the cluster size when the CPU or memory consumption is lesser than this value. It defaults to 60 percent.
  • increment: the number of new nodes to request when all the current nodes are overloaded. e.g. if this value is 3, the autoscaler will request 3 new nodes when all the cluster nodes are overloaded. It defaults to 1.
  • labels: Labels to add to the autoscaler pods.
  • max: Maximum number of nodes in the cluster. It defaults to 10. Zero means unlimited.
  • min: Minimum number of nodes in the cluster. It defaults to 1.
  • schedule: How often, in seconds, the autoscaler analyzes if the cluster needs to be scaled. It defaults to 300.
  • slackWebhook: A slack webhook url to notify autoscaler events.
  • up: Increase the cluster size when the CPU or memory consumption is greater than or equal to this value. It defaults to 80 percent.

Requirements: cluster autoscaler and metrics server must be installed in your cluster.

buildkit#

The build service. It's used in combination with okteto build to build containers directly in the cluster.

  • annotations: Annotations to add to the buildkit pods.
  • labels: Labels to add to the buildkit pods.
  • replicaCount: The number of buildkit pods. It defaults to 1.
  • resources: The resources for the buildkit pods.
  • storage.class: The storage class of the volume attached to every buildkit pod to persist the buildkit cache.
  • storage.size: The size of the volume attached to every buildkit pod to persist the buildkit cache.
  • storage.cache: The size of the buildkit cache to store image caches. It should be 30Gi smaller than storage.size.
buildkit:
replicaCount: 1
storage:
class: ssd
size: 180Gi
cache: 150000

daemonset#

The daemonset automatically configures every node of your cluster to work better with Okteto.

  • annotations: Annotations to add to the daemonset pods.
  • labels: Labels to add to the daemonset pods.

frontend#

The frontend service serves the web application.

  • annotations: Annotations to add to the frontend pods.
  • labels: Labels to add to the frontend pods.
  • replicaCount: The number of frontend pods. It defaults to 2.
  • resources: The resources for the frontend pods.
frontend:
replicaCount: 2
resources:
requests:
cpu: 100m
memory: 128Mi

gc#

The garbage collector service. It automatically scales idle applications to zero and deletes unused namespaces.

  • annotations: Annotations to add to the gc pods.
  • labels: Labels to add to the gc pods.
  • scaleToZeroPeriod: The duration, in hours, that an application or resource must be idle before the garbage collector scales it to zero. Set to zero to disable.
  • deleteNamespacePeriod: The duration, in days, that a namespace must be idle before the garbage collector deletes it. Set to zero to disable.
  • slackWebhook: If set, the garbage collector will send a notification when it scales a resource to zero or when it deletes a namespace.
gc:
enabled: false
scaleToZeroPeriod: 24
deleteNamespacePeriod: 15
slackWebhook:

installer#

The jobs that execute the Okteto pipelines.

  • activeDeadlineSeconds: Maximum duration of the pipeline in seconds.
  • gitSSHUser: User to be used when cloning git repos using ssh.
  • sshSecretName: The name of the secret that contains the private key used when cloning git repos using ssh. If it doesn't exist, the key and the secret will be automatically generated by Okteto.
installer:
activeDeadlineSeconds: 1800
gitSSHUser: git
sshSecretName: "okteto-ssh"

registry#

The private container registry.

  • annotations: Annotations to add to the registry pods.
  • ingress.annotations: Annotations to add to the registry ingress. These annotations take precendence over the ones defined in the ingress section.
  • ingress.tlsSecret: TLS secret for the registry endpoint. If empty, okteto will default to the wildcard certificate created by Okteto Enterprise.
  • labels: Labels to add to the registry pods.
  • pullPolicy: The security policy for image pulls. If set to cluster, any Okteto Enterprise user can pull any image from the registry. When set to namespace, only users with access to the namespace can pull images from the namespace. It defaults to namespace.
  • replicaCount: The number of registry pods. It defaults to 1.
  • resources: The resources for the registry pods.
  • serviceAccountName: The service account used by the registry. It defaults to default.
  • storage: The storage mechanism for the images.
    • cloud.enabled: Set this to true if you want to store the images using your cloud provider's block storage service (e.g. S3). It will use the values defined in the cloud key. It's enabled by default.
registry:
storage:
cloud:
enabled: true
  • filesystem: Set this to true if you want to store the images in PVC attached to the registry. This might limit your ability to scale up the registry, depending on the type of storage you are using. You can also customize the storageClass, the size of the volume, and even attach an existing volume claim via claimName.
registry:
storage:
cloud:
enabled: false
filesystem:
enabled: true
persistence:
claimName: ""
accessMode: ReadWriteOnce
storageClass: ""
size: 40Gi

telemetry#

You can enable or disable the telemetry job. The telemetry job "phones home" once a day with the following information:

  • Number of managed users
  • Number of managed namespaces
  • Kubernetes Version and Platform
  • A unique install ID
  • Your license ID.
  • The name of the authentication provider
  • The name of the cloud provider

Okteto uses the information to help us better understand how our customers use Okteto Enterprise, as well as to help us prioritize fixes and features. We don't share your information with anyone else.

telemetry:
enabled: true

webhook#

The webhook service. Ingress creation, generation of hostnames, enforcement of policies, etc...

  • annotations: Annotations to add to the webhook pods.
  • labels: Labels to add to the webhook pods.
  • replicaCount: The number of webhook pods. It defaults to 2.
  • resources: The resources for the webhook pods.

Advanced Configuration#

applications#

  • repository: The default application repository for every Okteto Enterprise user. It defaults to https://apps.okteto.com when not specified.
applications:
repository: "https://apps.okteto.com"

clusterRole#

The role Okteto assigns to every user. If empty, Okteto will create a default role.

clusterRole: "role name"

convertLoadBalancedServices#

Converts services with type LoadBalancer into ClusterIP and automatically creates an ingress. Enabled by default.

convertLoadBalancedServices:
enabled: true

devStorageClass#

Uses the specified storage class for all persistent volume claims created when developers execute okteto up. This setting will override any storage class defined on the Okteto manifest. Disabled by default.

devStorageClass:
enabled: true
storageClass: ebs-sc
  • storageClass: the storage class enforced for persistent volume claims created by okteto up.

There is only one exception where this storage class will be overwritten. In case of having volume snapshots feature configured, if a storage class is required for the snapshots that storage class will have preference.

ingress#

Configure default values for the ingress created by Okteto Enterprise.

ingress:
annotations:
kubernetes.io/ingress.class: nginx
class: nginx
forceIngressClass: false
ip: ""
tlsSecret: ""
  • annotations: The annotations to apply to all the ingresses created during the Okteto Enterprise installation.
  • class: If set, Okteto Enterprise will set this as the ingress.class of all ingresses managed by Okteto. This is useful if you have more than one ingress controller in your cluster.
  • forceIngressClass: If enabled, all ingresses deployed in namespaces managed by Okteto will have the ingress class defined in ingress.class (default: false).
  • ip: The internal IP of the ingress. Pods will call the Okteto API and the Okteto Registry using this IP. Required if the Okteto API/Registry is exposed using an ingress not managed by Okteto.
  • tlsSecret: TLS secret for the ingress created by Okteto Enterprise. If empty, okteto defaults to the wildcard certificate created by Okteto Enterprise.

ingressLimits#

Configure ingress connections limits for each public endpoint.

Disabled by default.

ingressLimits:
enabled: true
connections: 40
rps: 40
rpm: 400
  • connections: maximum parallel connections for each ingress.
  • rps: maximum requests per second for each ingress.
  • rpm: maximum requests per minute for each ingress.

injectDevelopmentBinaries#

Automatically inject kubectl, helm, and okteto binaries on every development environment, and on the git and helm deployment pipelines. This requires permissions to mount a host volume.

If this is disabled, you'll need to provide your own images in backend.installers.git.image and backend.installers.helm.image.

injectDevelopmentBinaries:
enabled: true

networkPolicies#

Configures network policies for each namespace to isolate network traffic. Disabled by default.

networkPolicies:
enabled: true
blockedCIDRs:
- "169.254.169.254/32"
  • blockedCIDRs: (optional) Outgoing traffic to any cidr on this list will be blocked by the network policy.

overrideFileWatchers#

Overrides the default kernel values for file watchers in every node. Recommended if you're running databases, or if you plan on using "okteto up" on the cluster. This requires permission to mount and modify /proc values.

overrideFileWatchers:
enabled: true
maxUserWatches: 10048576
maxMapCount: 262144
aioMaxNR: 1000000
  • maxUserWatches: The maximum number of allowed inotify watchers.
  • maxMapCount: The maximum number of memory map areas a process may have.
  • aioMaxNR: The maximum number of allowable concurrent IO requests.

overrideRegistryResolution#

Overrides the registry hostname resolution to use internal IPs. This requires permission to mount and modify the cluster nodes' /etc/hosts file.

overrideRegistryResolution:
enabled: true

prepullImages#

Pre-pull the git and helm installer images in all the nodes. This requires permission to mount the docker socket.

prepullImages:
enabled: true

privateRegistry#

A list of private registries and its corresponding credentials. The kubelet will use them when pulling images:

privateRegistry:
hub:
url: https://index.docker.io/v1/
user: username1
password: password1
gcr:
url: https://gcr.io
token: dXNlcjM6cGFzc3dvcmQzCg==

Use token if your registry does not support username/password authentication (e.g. google registry).

pullAlways#

Forces the PullAlways image pull policy in the cluster. Enabled by default.

pullAlways:
enabled: true

quickstarts#

The list of shortcuts to show in the "Deploy from Git Repository" dialog.

quickstarts:
- name: "Movies Sample App"
url: https://github.com/okteto/movies
default: true
branch: main
variables:
- name: DB_HOST
value: mongodb
- name: THEME
options: ["dark", "light"]
- name: "Github"
url: https://github.com/
- name: "Gitlab"
url: https://gitlab.com/
- name: "Bitbucket"
url: https://bitbucket.org/
  • name: name to identify the quickstart.
  • url: repository URL configured for the quickstart.
  • branch: default branch to be considered for the configured quickstart repository.
  • variables: list of variables to be passed to the pipeline on deployment time.
    • name: indicates the variable name.
    • value: specifies the default value.
    • options: specifies an enumeration of possible values.
  • default: flag to indicate if url, branch and variables fields will be automatically filled with configured values in the "Deploy from Git Repository" dialog.

quotas#

Enables resource quotas at the namespace level. Disabled by default.

quotas:
resources:
enabled: true
maxNamespaces: "3"
maxPods: "20"
maxServices: "20"
maxReplicationControllers: "30"
maxSecrets: "20"
maxConfigMaps: "20"
maxPVCs: "10"
maxVolumeSnapshots: "10"
bandwidth:
enabled: true
ingress: "800M"
egress: "800M"
requests:
enabled: true
cpu: "1"
memory: "2Gi"
storage: "20Gi"
limits:
enabled: true
cpu: "4"
memory: "8Gi"
storage: "20Gi"
limitranges:
max:
enabled: true
cpu: "2"
memory: "4Gi"
requests:
enabled: true
cpu: "100m"
memory: "0.2Gi"
limits:
enabled: true
cpu: "500m"
memory: "1Gi"

secret#

Labels and annotations to include in the secret created by the chart. Useful if you want to integrate with Vault or similar secret stores.

secret:
annotations:
your.custom.annotation: "10"
labels:
your.custom.label: "20"

tolerations#

Indicates tolerations for the okteto components. Define the label and taint okteto-node-pool on your worker nodes to match these values.

tolerations:
oktetoPool: okteto
buildPool: build
devPool: dev
  • oktetoPool: tolerations for the api, webhook, gc, autoscaler, ingress controller, and frontend services.
  • buildPool: tolerations for the buildkit and registry services.
  • devPool: tolerations for the pods deployed in namespaces created by okteto.

For example, if you add the label okteto-node-pool:build and the taint okteto-node-pool=build:NoSchedule to a node, and you are using buildPool: build, the buildkit and registry pods will be deployed to this node.

userDefinedNamespaces#

Disable if you want to enforce using the username as a suffix on namespaces and ingress hosts. Enabled by default.

userDefinedNamespaces: false

volumes#

Allows you to specify different settings for volumes.

volumes:
validate:
enabled: true
supportedStorageClasses: ["standard", "standard-rwo"]
forceStorageClass: true
supportedAccessModes: ["ReadWriteOnce"]
  • validate: section to configure volume validation.
  • enabled: enables volume validation. Disabled by default
  • supportedStorageClasses: list of supported storage classes.
  • forceStorageClass: flag to specify if the storage class should be enforced in case of creating a volume with a non-supported storage class. If set, the first storage class specified on supportedStorageClasses will be the enforced value.
  • supportedAccessModes: list of supported access modes.

volumeSnapshots#

Enables users to initialize persistent volume claims with the contents of a preexisting volume snapshot.

This feature requires having a CSI driver installed in your cluster.

volumeSnapshots:
enabled: true
driver: ebs.csi.aws.com
class: snapclass
storageClass: ebs-sc
  • driver: the name of the CSI driver used when creating snapshots.
  • class: the VolumeSnapshotClass of the volume snapshot.
  • storageClass: (optional) the storage class required by volumes initialized from snapshots.

Add the dev.okteto.com/from-snapshot-id annotation to any persistent volume claim to tell Okteto to initialize your persistent volume claim, as shown below:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
annotations:
dev.okteto.com/from-snapshot-id: snap-xxxxxxxx
name: pvc-name
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi

When a persistent volume claim resource is created, Okteto will import the snapshot in Kubernetes using a VolumeSnapshotContent and will set the source of your persistent volume claim to this VolumeSnapshotContent.

wildcardCertificate#

Disable if you want to bring your own certificates and/or certificate authority. Enabled by default.

wildcardCertificate:
create: true
duration: 2160h0m0s
name: default-ssl-certificate
# if using a private CA, specify the name of the TLS secret that stores the certificate
privateCA:
enabled: false
secret:
name: "okteto-ca"
key: "ca.crt"
  • create: If set to false, Okteto will not create the wildcard certificate automatically.
  • duration: The duration of the certificate. Ignored if create is set to false.
  • name: The name of the secret where the certificate will be stored.
  • privateCA.enabled: Set to true when using a private certificate authority.
  • privateCA.secret.name: The name of the secret that stores the private certificate autority's certificate.
  • privateCA.secret.key: The key in the secret that stores the private certificate authority's certificate.

Dependencies#

Okteto Enterprise will automatically install NGINX Ingress Controller and Cert-Manager as part of the default installation, using the official Helm charts.

NGINX-Ingress#

Use the nginx-ingress keys in your configuration file to modify the configuration.

For example, to change the number of replicas, you'd need to add the following:

nginx-ingress:
controller:
replicaCount: 2

The full list of values is available here.

cert-manager#

Use the cert-manager keys in your configuration file to modify the configuration.

For example, to change the number of replicas, you'd need to add the following:

cert-manager:
replicaCount: 2

The full list of values is available here.