Skip to main content
Version: 1.19

Custom Resource Definitions

As part of Okteto's installation, some Custom Resource Definitions (CRDs) are installed in your cluster. These CRDs are used by Okteto to mainly store different information. You can see the list of CRDs installed by Okteto exploring the folder crds in the templates of the Okteto Helm Chart or by running the following command in your cluster:

kubectl get crd | grep okteto.com

You can let Okteto install these CRDs or you can install them manually on your own, but be aware they are needed for Okteto to work properly. You can use the following configuration setting to let Okteto know if it should install them or not. By default, Okteto will install them.

Private Registries

In Okteto version 1.14 we've changed the way private registry configuration is managed. In 1.14 onward you must configure private registries via the Admin dashboard or by defining them directly in your cluster through one of the CRDs installed by Okteto: admin.okteto.com. This last case is useful, for example, if you have your own mechanism to provision credentials/secrets in your cluster.

If you prefer to define the registries directly in your cluster, you can do it by creating an Opaque Kubernetes secret in the cluster with the data needed for the registry. Depending on the type of registry, you will need different fields.

Once the secret is created, you will need to create a resource with the apiVersion admin.okteto.com/v1, which is one of the CRDs installed by Okteto, referring to the secret which contains the credentials.

If you want to define static credentials (username and password) for a private registry you need to create a secret in the Okteto namespace with the username and password to be used. Once created, you need to define a CRD using the name of the resource as the hostname of the registry (e.g. index.docker.io or 111122223333.dkr.ecr.eu-central-1.amazonaws.com). For example, if you want to add a configuration for Docker's registry, you will need to create a resource like this:

note

Defining the port through spec.static.port is optional and only available for static registries. It should only be used if the registry listens on a port other than the default http(s) 80/443

note

If you are using custom ports, make sure to run Okteto Chart >=1.14.2

apiVersion: admin.okteto.com/v1
kind: Registry
metadata:
name: index.docker.io # hostname of the registry to be configured
namespace: okteto
spec:
static:
port: 5000 # optional
passwordSecretRef:
key: <field in referenced secret> # key of the secret which contains the password
name: <secret-name> # name of the secret where the password is stored
userSecretRef:
key: <field in referenced secret> # key of the secret which contains the username
name: <secret-name> # name of the secret where the username is stored

In the case of AWS, where you have to specify the Access Key and Access Secret, the process is similar to the static credentials one. You will need to create a secret with those values, and then, create a CRD like this (the name of the resource has to be the hostname of the registry to be configured and it has to end with .amazonaws.com):

apiVersion: admin.okteto.com/v1
kind: Registry
metadata:
name: 111122223333.dkr.ecr.eu-central-1.amazonaws.com # hostname of the registry to be configured
namespace: okteto
spec:
awsIamUser:
accessKeyIDSecretRef:
key: <field in referenced secret> # key of the secret which contains the access key
name: <secret-name> # name of the secret where the access key is stored
secretAccessKeySecretRef:
key: <field in referenced secret> # key of the secret which contains the access secret key
name: <secret-name> # name of the secret where the access secret is stored
note

Any changes you make to credentials can take a few seconds to propagate to all components in the cluster. To make sure Okteto is able to access the registries, you can check in the Admin dashboard. If you add credentials using CRDs they will be displayed in the UI, but they can't be modified from the UI. If you want to manage them from the UI, they must be created from there.

How it works

Okteto runs a dedicated Kubernetes Controller to manage Registy Credentials. As part of this process, the Controller creates and manages a Docker Config JSON secret in the Okteto namespace. This secret is called ${RELEASE_NAME}-dockerconfig-static and is always up to date with the latest registry credentials defined in Registry resources (either through the UI or manually applied).

This docker config secret is used as a pull secret in installer jobs. This secret is then picked up by the Okteto Daemonset and written to every node which allows Kubelet to pull private images.

Dev namespaces Pull Secret

An okteto-regcred secret exists in all okteto development namespaces and preview environments. This secrets, by default, only contains credentials to the okteto internal registry and is injected as a pull secret to all pods by the okteto webhook.

Starting in Okteto 1.19, all private registries defined in the cluster can be copied into this okteto-regcred secret thus not requiring the Daemonset to copy docker config.json file in the node.

To enable this behavior set the following configuration in your helm values:

regcredsManager:
pullSecrets:
enabled: true

When regcredsManager.pullSecrets.enabled=true the docker credentials defined in ${RELEASE_NAME}-dockerconfig-static will no longer be copied into the nodes.

note

Since the okteto-regcred lives in all dev namespaces and preview environments, Okteto users will have access and be able to read the contents of these secrets