Configuration Settings

General Settings

email

The email of the application owner.

email: "[email protected]"

cluster

endpoint: The public endpoint of your Kubernetes cluster. It will be used by Okteto when generating Kubeconfig credentials for your users.

cluster:
  endpoint: "https://52.30.32.1"

license

Okteto Enterprise is free to try. Without a license, you'll be limited to managing up to 3 users with 3 namespaces each.

license: XXXXX

Don't have a license? Talk to us and start you free trial today.

subdomain

The domain (or subdomain) managed by Okteto Enterprise.

Your Okteto Enterprise instance will be available at okteto.$SUBDOMAIN. All ingresses created by okteto will be use it as well (e.g. https://app-$NAMESPACE.$SUBDOMAIN)

subdomain: "example.com"

After installation, we recommend that you create a DNS entry for *.$SUBDOMAIN, pointing to the public address of your load balancer.

auth

Okteto Enterprise supports using Bitbucket, Github, Google or OpenID Connect as authentication providers.

bitbucket: Use this group of settings when using Bitbucket OAauth as your authentication provider.

auth:
  bitbucket:
    enabled: true
    clientId: OAauth Consumer Key
    clientSecret: OAauth Consumer Secret
    workspace: my-workspace

The workspace field is optional. Only members of the workspace will be allowed to login into your Okteto Enterprise instance. An empty workspace field permits any user to login.

github: Use this group of settings when using Github OAauth as your authentication provider.

auth:
  github:
    enabled: true
    clientId: clientID
    clientSecret: clientSecret
    organization: my-org

The organization field is optional. Only members of the organization will be allowed to login into your Okteto Enterprise instance. An empty organization field permits any user to login.

google: Use this group of settings when using Google OAauth as your authentication provider.

auth:
  google:
    enabled: true
    clientId: clientid.apps.googleusercontent.com
    clientSecret: clientSecret

openid: Use this group of settings when using an OpenID Connect provider as your authentication provider.

auth:
  openid:
    enabled: true
    clientId: clientid
    clientSecret: clientSecret
    group: my-group
    endpoints:
      issuer: https://your-provider
      authorization: https://your-provider/authorization
    mapping:
      externalIDKey: nickname
      nameKey: name
      emailKey: email
      pictureKey: picture
      groupsKey: groups

The group field is optional. Only members of the group will be allowed to login into your Okteto Enterprise instance. An empty group field permits any user to login.

The issuer and authorization endpoints must match the value returned in the provider config discovery.

The mapping fields are optional. Use them to configure the mapping between Okteto's user attributes and the claim coming from your authentication provider.

Your provider needs to support the UserInfo endpoint in order to be used with Okteto Enterprise.This authentication option follows the OpenID standard, and it has been validated with Okta, PingIdentity and Gitlab.

cloud

Okteto Enterprise integrates with different cloud providers to store the registry images and generate certificates for your applications.

The credentials will be used by cert-manager when generating and renewing the wildcard certificate. The sensitive part of the credentials are not included in the configuration file. Instead, it is provided to Okteto Enterprise via a secret.

azure: Use this if your domain is managed by Azure DNS, and to use Azure Storage to store your private images.

cloud:
  provider:
    azure:
      enabled: true
      servicePrincipal: "Service Principal ID"
      subscriptionID: "Azure Subscription ID"
      tenantID: "Azure Tenant ID"
      resourceGroupName: "Resource Group Name"
      storage:
        container: "Storage Container Name"
        accountName: "Storage Account Name"

The storage setting will be used by the registry to pull and push images (if using cloud storage). This needs to be created before installing Okteto Enterprise.

aws: Use this if your domain is managed by Route53, and to use S3 to store your private images.

cloud:
  provider:
    aws:
      enabled: true
      bucket: "Bucket Name"
      region: "AWS region"
      iam:
        accessKeyID: "IAM Access Key"

The bucket will be used by the registry to pull and push images (if using cloud storage). This needs to be created before installing Okteto Enterprise.

digitalocean: Use this if your domain is managed by DigitalOcean, and to use Digital Ocean spaces to store your private images.

cloud:
  provider:
    digitalocean:
      enabled: true
      space:
        name:
        accessKeyID:

The space settings will be used by the registry to pull and push images (if using cloud storage). This needs to be created before installing Okteto Enterprise.

gcp: Use this if your domain is managed by Google Cloud DNS, and to use Google Cloud Storage to store your private images.

cloud:
  provider:
    gcp:
      enabled: true
      bucket: "Bucket Name"
      project: "Project ID"

The bucket settings will be used by the registry to pull and push images (if using cloud storage). This needs to be created before installing Okteto Enterprise.

byo: Use this if you're using a provider not currently supported by Okteto Enterprise.

cloud:
  provider:
    byo:
      enabled: true
      issuerName: 
      issuerKind: Issuer

When using byo you'll need to create a valid cert-manager issuer before installing Okteto Enterprise, and configure your registry to use the file system for storage.

Advanced Cloud Scenarios

It is possible to use separate cloud providers for DNS than for storage if needed. Reach out to us, we are always happy to help!

Okteto Enterprise Components

api

The api service. Account and Kubernetes credentials management, namespace creation and sharing, deployment via the catalog, etc...

replicaCount: The number of API pods. It defaults to 2.
resources: The resources for the API pods.

api:
  replicaCount: 2
  resources:
    requests:
      cpu: 100m
      memory: 128Mi

buildkit

The build service. It's used in combination with okteto build to build containers directly in the cluster.

replicaCount: The number of buildkit pods. It defaults to 1.
resources: The resources for the buildkit pods.
storage.size: The size of the volume attached to every pod. It's used to store image caches.
storage.cache: The size of the buildkit cache to store image caches. It should be 30Gi smaller than storage.size.

buildkit:
  replicaCount: 1
  storage:
    size: 180Gi
    cache: 150000

frontend

The frontend service. Serves all the static assets used by the web application.

replicaCount: The number of frontend pods. It defaults to 2.
resources: The resources for the frontend pods.

frontend:
  replicaCount: 2
  resources:
    requests:
      cpu: 100m
      memory: 128Mi

registry

The private container registry.

replicaCount: The number of registry pods. It defaults to 1.
pullPolicy: The security policy for image pulls. If set to cluster, any Okteto Enterprise user can pull any image from the registry. When set to namespace, only users with access to the namespace can pull images from said namespace. It defaults to namespace.
resources: The resources for the registry pods.
storage: The storage mechanism for the images.
- cloud.enabled: Set this to true if you want to store the images using your cloud provider's block storage service (e.g. S3). It will use the values defined in the cloud key. It's enabled by default.

registry:
  storage:
    cloud:
      enabled: true

filesystem: Set this to true if you want to store the images in PVC attached to the registry. This might limit your ability to scale up the registry, depending on the type of storage you are using. You can also customize the storageClass, the size of the volume, and even attach an existing volume claim via claimName.

registry:
  storage:
    cloud:
      enabled: false
    filesystem:
      enabled: true
      persistence:
        claimName: ""
        accessMode: ReadWriteOnce
        storageClass: ""
        size: 40Gi

telemetry

Enable / disable the telemetry job. The telemetry job "phones home" once a day with the following information:

Number of managed users
Number of managed namespaces
Kubernete Version and Platform
A unique install ID
Your license ID.

Okteto uses the information to help us better understand how our customers use Okteto Enterprise, as well as to help us prioritize fixes and features. Your information is not shared with any other company.

telemetry:
  enabled: true

webhook

The webhook service. Ingress creation, generation of hostnames, enforcement of policies, etc...

replicaCount: The number of webhook pods. It defaults to 2.
resources: The resources for the webhook pods.

gc

The garbage collector service. It automatically scales idle applications to zero and deletes unused namespaces.

gc:
  enabled: false
  scaleToZeroPeriod: 24
  deleteNamespacePeriod: 15
  slackWebhook:

scaleToZeroPeriod: The duration, in hours, that an application or resource must be idle before the garbage collector scales it to zero. Set to zero to disable.
deleteNamespacePeriod: The duration, in days, that a namespace must be idle before the garbage collector deletes it. Set to zero to disable.
slackWebhook: If set, the garbage collector will send a notification when it scales a resource to zero or when it deletes a namespace.

autoscaler

The cluster autoscaler service. It instructs the Kubernetes cluster autoscaler to scale nodes if the cumulative resource requests of pods running in a node or the real cpu/memory usage of a node is beyond the limits.

autoscaler:
  enabled: false
  up: 80
  down: 60
  slackWebhook:

up: maximum cpu/memory percentage of the capacity of a node to be considered as busy.
down: minimun cpu/memory percentage of the capacity of a node to be considered as available.
slackWebhook: a slack webhook url to notify autoscaler events.

Requirements: cluster autoscaler and metrics server must be installed in your cluster.

Advanced Configuration

applications

repository: The default application repository for every Okteto Enterprise user. It defaults to https://apps.okteto.com when not specified.

applications: 
  repository: "https://apps.okteto.com"

clusterRole

The role that will be assigned to every Okteto Enterprise user. Leave empty to use the default role (namespace admin).

clusterRole: "role name"

ingress

Configure default values for the ingress created by Okteto Enterprise.

ingress:
  annotations:
    kubernetes.io/ingress.class: nginx
  class: nginx

annotations: The annotations to apply to all the ingresses created during the Okteto Enterprise installation.
class: If set, Okteto Enterprise will set this as the ingress.class of all ingresses managed by Okteto. This is useful if you have more than one ingress controller in your cluster.

ingressLimits

Configure ingress connections limits for each public endpoint. Disabled by default.

ingressLimits:
  enabled: true
  connections: 40
  rps: 40
  rpm: 400

connections: maximum parallel connections for each ingress.
rps: maximum requests per second for each ingress.
rpm: maximum requests per minute for each ingress.

injectDevelopmentBinaries

Automatically inject kubectl, helm, and okteto binaries on every development environment, and on the git and helm deployment pipelines. This requires permissions to mount a host volume.

If this is disabled, you'll need to provide your own images in backend.installers.git.image and backend.installers.helm.image.

injectDevelopmentBinaries:
  enabled: true

networkPolicies

Configures network policies for each namespace to isolate network traffic. Disabled by default.

networkPolicies:
  enabled: true
  cidr: "10.166.0.0/20"

cidr: CIDR of the worker nodes in your cluster. Required if network policies are enabled.

overrideFileWatchers

Overrides the default kernel values for file watchers in every node. Recommended if you're running databases, or if you plan on using "okteto up" on the cluster. This requires permission to mount and modify /proc values.

overrideFileWatchers:
  enabled: true
  maxUserWatches: 10048576
  maxMapCount: 262144
  aioMaxNR: 1000000

maxUserWatches: The maximum number of allowed inotify watchers.
maxMapCount: The maximum number of memory map areas a process may have.
aioMaxNR: The maximum number of allowable concurrent IO requests.

overrideRegistryResolution

Overrides the registry hostname resolution to use internal IPs. This requires permission to mount and modify the cluster nodes' /etc/hosts file.

overrideRegistryResolution: 
  enabled: true

prepullImages

Pre-pull the git and helm installer images in all the nodes. This requires permission to mount the docker socket.

prepullImages: 
  enabled: true

privateRegistry

A list of private registries and its corresponding credentials. The kubelet will use them when pulling images:

privateRegistry:
  hub: 
    url: https://index.docker.io/v1/
    user: username1
    password: password1
  gcr:
    url: https://gcr.io
    token: dXNlcjM6cGFzc3dvcmQzCg==

Use token if your registry does not support username/password authentication (e.g. google registry).

pullAlways

Forces the PullAlways image pull policy in the cluster. Enabled by default.

pullAlways:
  enabled: true

quickstarts

The list of shortcuts to show in the "Deploy from Git Repository" dialog.

quickstarts:
  - name: "Movies Sample App"
    url: https://github.com/okteto/movies
  - name: "Github"
    url: https://github.com/
  - name: "Gitlab"
    url: https://gitlab.com/
  - name: "Bitbucket"
    url: https://bitbucket.org/

quotas

Enables resource quotas at the namespace level. Disabled by default.

quotas:
  resources:
    enabled: true
    maxNamespaces: "3"
    maxPods: "20"
    maxServices: "20"
    maxReplicationControllers: "30"
    maxSecrets: "20"
    maxConfigMaps: "20"
    maxPVCs: "10"
  bandwidth:
    enabled: true
    ingress: "800M"
    egress: "800M"
  requests:
    enabled: true
    cpu: "1"
    memory: "2Gi"
    storage: "20Gi"
  limits:
    enabled: true
    cpu: "4"
    memory: "8Gi"
    storage: "20Gi"
  limitranges:
    max:
      enabled: true
      cpu: "2"
      memory: "4Gi"
    requests:
      enabled: true
      cpu: "100m"
      memory: "0.2Gi"
    limits:
      enabled: true
      cpu: "500m"
      memory: "1Gi"

secret

Labels and annotations to include in the secret created by the chart. Useful if you want to integrate with Vault or similar secret stores.

secret:
  annotations:
    your.custom.annotation: "10"
  labels: 
    your.custom.label: "20"

tolerations

Indicates tolerations for the okteto components. Define the label and taint okteto-node-pool on your worker nodes to match these values.

tolerations:
  oktetoPool: okteto
  buildPool: build
  devPool: dev

oktetoPool: tolerations for the api, webhook, gc, autoscaler, ingress controller and frontend services.
buildPool: tolerations for the buildkit and registry services.
devPool: tolerations for the pods deployed in namespaces created by okteto.

For example, if you add the label okteto-node-pool:build and the taint okteto-node-pool=build:NoSchedule to a node, and you are using buildPool: build, the buildkit and registry pods will be deployed to this node.

userDefinedNamespaces

Disable if you want to enforce using the username as a suffix on namespaces and ingress hosts. Enabled by default.

userDefinedNamespaces: false

volumeSnapshots

Enables users to initialize persistent volume claims with the contents of a preexisting volume snapshot.

This feature requires having a CSI driver installed in your cluster.

volumeSnapshots:
  enabled: true
  driver: ebs.csi.aws.com
  class: snapclass
  storageClass: ebs-sc

driver: the name of the CSI driver used to create the physical snapshot on the underlying storage system.
class: the VolumeSnapshotClass to which snapshots belongs.
storageClass: (optinal) the storage class required by volumes initialized from snapshots.

Add the dev.okteto.com/from-snapshot-id annotation to any persistent volume claim to tell Okteto to initialize your persistent volume claim, as shown below:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  annotations:
    dev.okteto.com/from-snapshot-id: snap-xxxxxxxx
  name: pvc-name
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi

When the persistent volume claim resource is created, Okteto will import the snapshot in Kubernetes using a VolumeSnapshotContent and will set the source of your persistent volume claim to this VolumeSnapshotContent.

Dependencies

Okteto Enterprise will automatically install NGINX Ingress Controller and Cert-Manager as part of the default installation, using the official Helm charts.

NGINX-Ingress

Use the nginx-ingress keys in your configuration file to modify the configuration.

For example, to change the number of replicas, you'd need to add the following:

nginx-ingress:
  controller: 
    replicaCount: 2

The full list of values is available here.

cert-manager

Use the cert-manager keys in your configuration file to modify the configuration.

For example, to change the number of replicas, you'd need to add the following:

cert-manager:
  replicaCount: 2

The full list of values is available here.

General Settings#

email#

cluster#

license#

subdomain#

auth#

cloud#

Advanced Cloud Scenarios#

Okteto Enterprise Components#

api#

buildkit#

frontend#

registry#

telemetry#

webhook#

gc#

autoscaler#

Advanced Configuration#

applications#

clusterRole#

ingress#

ingressLimits#

injectDevelopmentBinaries#

networkPolicies#

overrideFileWatchers#

overrideRegistryResolution#

prepullImages#

privateRegistry#

pullAlways#

quickstarts#

quotas#

secret#

tolerations#

userDefinedNamespaces#

volumeSnapshots#

Dependencies#

NGINX-Ingress#

cert-manager#