Automatic SSL endpoints
Auto create ingresses from services
Okteto can automatically create an SSL endpoint for your deployments. In order to take advantage of this feature, add the annotation below to your service's manifest:
metadata:
annotations:
dev.okteto.com/auto-ingress: "true"
For example:
apiVersion: v1
kind: Service
metadata:
name: hello-world
labels:
app: hello-world
annotations:
dev.okteto.com/auto-ingress: "true"
spec:
type: ClusterIP
ports:
- port: 8080
protocol: TCP
targetPort: 8080
selector:
app: hello-world
A sample of how this should look is available here.
Adding this annotation will tell Okteto to automatically create an https ingress rule for you that redirects to the first http port of your service.
NodePort
or LoadBalancer
services are managed as if they had this annotation too. You can disable this behavior by setting convertLoadBalancedServices.enabled
to false
.
You can see the address of your endpoint by going to the Okteto dashboard or by running the okteto endpoints
command. The endpoint address will be consistent across redeploys, as long as you don't change your service name.
Bring your own ingress
You can also use your own ingress manifests. This is useful when you have more complex configurations, or you need specific URLs.
Keep in mind that all the hosts you use in your ingress must end with-$NAMESPACE.okteto.example.com
.
Let Okteto generate the host
Okteto can automatically inject the right host names during the creation of your ingresses, while leaving the rest of the configuration intact. In order to take advantage of this feature, add the annotation below to your ingress' manifest.
metadata:
annotations:
dev.okteto.com/generate-host: "true"
Full example:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hello-world
annotations:
dev.okteto.com/generate-host: "true"
spec:
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: hello-world
port:
number: 8080
We recommend you follow this option. This way your ingress configuration can be deployed on any namespace managed by Okteto.
Customizing the endpoints shown in the Okteto dashboard
Okteto provides additional annotations that enable you to customize the endpoints shown in the Okteto dashboard.
To hide specific endpoints from the Okteto dashboard, you can use the dev.okteto.com/hide-from-ui: true
annotation.
Simply apply this annotation to your Ingress
or VirtualService
resource, and the endpoints associated with that resource will not be displayed in the Okteto dashboard.
If you want to replace the default endpoints for an Ingress
or VirtualService
resource, you can use the dev.okteto.com/endpoints
annotation.
This annotation allows you to define a list of endpoints, separated by commas, that will replace the default endpoints.
Additionally, the value of this annotation expands the OKTETO_NAMESPACE
and OKTETO_DOMAIN
environment variables, providing an easy way to make your endpoints portable between namespaces.
- Kubernetes
- Compose
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: movies
annotations:
dev.okteto.com/generate-host: "true"
dev.okteto.com/endpoints: https://movies-${OKTETO_NAMESPACE}.${OKTETO_DOMAIN}/api
spec:
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: frontend
port:
number: 80
- path: /api
pathType: Prefix
backend:
service:
name: api
port:
number: 8080
version: "3"
services:
frontend:
build: frontend
ports:
- 80:80
backend:
build: backend
ports:
- 8080
endpoints:
labels:
dev.okteto.com/endpoints: https://movies-${OKTETO_NAMESPACE}.${OKTETO_DOMAIN}/api
rules:
- path: /
service: frontend
port: 80
- path: /api
service: backend
port: 8080
Expose HTTPS Backends Through Ingress
If your application communicates over HTTPS instead of HTTP, you'll need to create a dedicated ingress, as demonstrated in the Bring Your Own Ingress section, and add the following annotation to it:
metadata:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
Please note that this won't pass through the certificate served by your application to the requester. Instead, the wildcard certificate of the Okteto instance will be used.