Installation Preparation

Requirements

In order to fully install Okteto, you'll need the following:

• A domain to which you can add a wildcard DNS record
• A Kubernetes cluster
• A working installation of kubectl
• A working installation of Helm v3
• A Bitbucket, GitHub, or Google OAuth application, or an OpenID Connect application
• Credentials of your Cloud Provider
• A bucket (or equivalent block storage)
• An Okteto License (optional)

Domain

You'll need to have access to a domain to which you can add a wildcard DNS record.

This can be a root domain (e.g. example.com) or a subdomain (e.g. dev.example.com). Okteto uses Let's Encrypt to generate valid TLS servers, so your domain needs to be available over the internet.

The domain needs to be registered with the same cloud provider you'll be using to store you private images.

Deploy a Kubernetes cluster

We recommend that you follow your cloud provider's Kubernetes cluster creation guide.

We recommend the following specs:

• v1.19 or newer
• A pool with at least 3 nodes with a minimum of 4CPUs and 16 GB of Memory
• 100 GB per disk

You'll be using the cluster's API server endpoint when configuring Okteto.

Installing kubectl

Follow the official Kubernetes documentation for installing kubectl.

Be sure to configure your kubectl to talk to your newly minted cluster.

Installing Helm v3

Follow the official documentation for installing the latest release of Helm v3.

Authentication

Okteto uses OAuth for user authentication. It currently supports GitHub, Google, and OpenID Connect.

Bitbucket

Follow Bitbucket's official documentation on how to create an OAuth Consumer.

When creating the OAuth Consumer, you will need to provide the following values:

Callback URL:

https://okteto.DOMAIN/auth/callback

URL:

https://okteto.DOMAIN

Permissions: Account: Email Account: Read

You'll use the Key and Secret when installing Okteto.

GitHub

Follow GitHub's official documentation on how to create an OAuth App.

When creating the OAuth App, you will need to provide the following values:

Homepage URL:

https://okteto.DOMAIN

Authorization callback URL:

https://okteto.DOMAIN/auth/callback

You'll use the client ID and client Secret when installing Okteto.

Google

Follow Google's official documentation on how to create an OAuth 2.0 Client.

When creating the OAUTH 2.0 Client, you will need to provide the following values:

Authorized javascript origin:

https://okteto.DOMAIN

Authorized redirect URIs:

https://okteto.DOMAIN
https://okteto.DOMAIN/auth/callback

You'll use the client ID, client Secret when installing Okteto.

OpenID Connect

Follow your OpenID Connect service provider's documentation on how to create the required application.

When creating the application, you'll need to provide the following values:

• Start SSO URL: https://okteto.DOMAIN
• Redirect URIs: https://okteto.DOMAIN, https://okteto.DOMAIN/auth/callback
• Scopes: openid, email, profile
• Response Type: code
• Grant Type: authorization code

You'll use the issuer URL, authorization URL, client ID, and client Secret when installing Okteto.

Okteto doesn't currently support provider-initiated login or logout.

Cloud Provider Account

Okteto needs to perform the following actions on your cloud provider:

1. Create and list DNS entries (this is used when generating and renewing certificates)
2. Read and Write from block storage (this is used when pulling and pushing images to the registry)

Please refer to the following documents on how to create the credentials in the different cloud providers:

Azure

Creating an Azure Storage Account

Follow these instructions to create a storage account in your Azure Subscription. You'll use the access key when installing Okteto.

Creating a Storage Container

Okteto uses a Storage Container to store your private images. Follow Azures's guide on how to create a storage container and set its privacy level to private.

Registering your Domain

Follow these instructions to register your domain in Azure DNS.

Creating a Service Principal

Okteto will use the Service Principal to create, update, and delete DNS entries in your Azure DNS zone when generating SSL certificates.

To create the service principal you can use the following script (requires azure-cli and jq):

# This is the URI of the service principal that uses Azure DNS
$ AZURE_NEW_SP_NAME=http://okteto-enterprise


# This is the name of the resource group that you have your dns zone in
$ AZURE_DNS_ZONE_RESOURCE_GROUP=AZURE_DNS_ZONE_RESOURCE_GROUP


# The DNS zone name. This should match the domain you configured in the previous step.
$ AZURE_DNS_ZONE=dev.example.com


# Create the Service Principal
$ DNS_SP=$(az ad sp create-for-rbac --name $AZURE_NEW_SP_NAME)


# Extract the required values
$ AZURE_SP_APP_ID=$(echo $DNS_SP | jq -r '.appId')
$ AZURE_SP_PASSWORD=$(echo $DNS_SP | jq -r '.password')
$ AZURE_TENANT_ID=$(echo $DNS_SP | jq -r '.tenant')
$ AZURE_SUBSCRIPTION_ID=$(az account show | jq -r '.id')

Get the following values and save them. We'll need the values below when installing Okteto.

$ echo "Service Principal ID: $AZURE_NEW_SP_NAME"
$ echo "Service Principal Password: $AZURE_SP_PASSWORD"
$ echo "Azure Subscription ID: $AZURE_SUBSCRIPTION_ID"
$ echo "Azure Tenant ID: $AZURE_TENANT_ID"
$ echo "Resource Group Name: $AZURE_DNS_ZONE_RESOURCE_GROUP"

By default, the service principal will have more permissions than necessary. We recommend you lower the permissions of the service principal:

# Remove all permissions
$az role assignment delete --assignee $AZURE_SP_APP_ID --role Contributor


# Give it permissions to the DNS zone
NS_ID=$(az network dns zone show --name $AZURE_DNS_ZONE --resource-group $AZURE_DNS_ZONE_RESOURCE_GROUP --query "id" --output tsv)
$ az role assignment create --assignee $AZURE_SP_APP_ID --role "DNS Zone Contributor" --scope $DNS_ID

AWS

Registering your Domain

Follow these instructions to register your domain in Route53.

Register your domain using the same account used to create your EKS cluster.

Creating an S3 Bucket

Okteto uses S3 to store your private images. Follow Amazon's guide on how to create s3 buckets. Create the bucket in the region as your EKS cluster, and keep it private.

Creating an IAM

The Okteto sub-components need access to Route 53 (to fulfill the ACME challenge for the certificates) and S3 (for uploading and downloading your container images).

We recommend you follow AWS' official documentation on how to create and manage IAM Users for more information on this.

Create an IAM User with the following actions (replace YOUR_BUCKET with your s3 bucket name):

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": "route53:GetChange",
          "Resource": "arn:aws:route53:::change/*"
      },
      {
          "Effect": "Allow",
          "Action": "route53:ChangeResourceRecordSets",
          "Resource": "arn:aws:route53:::hostedzone/*"
      },
      {
          "Effect": "Allow",
          "Action": "route53:ListHostedZonesByName",
          "Resource": "*"
      },
      {
          "Effect": "Allow",
          "Action": [
              "s3:ListBucket",
              "s3:GetBucketLocation",
              "s3:ListBucketMultipartUploads"
          ],
          "Resource": "arn:aws:s3:::YOUR_BUCKET"
      },
      {
          "Effect": "Allow",
          "Action": [
              "s3:PutObject",
              "s3:GetObject",
              "s3:DeleteObject",
              "s3:ListMultipartUploadParts",
              "s3:AbortMultipartUpload"
          ],
          "Resource": "arn:aws:s3:::YOUR_BUCKET/*"
      }
  ]
}

Once the IAM User is created, generate a set of Access keys and save them locally. You'll use the keys when installing Okteto.

Digital Ocean

Registering your Domain

Follow these instructions to register your domain with DigitalOcean.

Register your domain using the same account used to create your DOK cluster.

Generating an API Token

Go to https://cloud.digitalocean.com/account/api/tokens and generate a new personal access token with read/write access. We'll be using this when installing Okteto.

Creating a DigitalOcean Space and Access Key

Okteto uses a Storage Space to store your private images. Follow DigitalOcean's guide on how to create a storage space and api key. Create the space in the same region as your Kubernetes cluster and restrict file listing.

Google Cloud

Registering your Domain

Follow these instructions to create a managed zone in your Google Cloud account.

Create it in the same project and region as your GKE cluster.

Creating a Google Cloud Storage Bucket

Okteto uses Google Cloud Storage to store your private images. Follow Google's guide on how to create storage buckets. Create the bucket in the same project and region as your GKE cluster, and keep it private.

Creating a Google Cloud Service Account

The Okteto sub-components need access to Cloud DNS (for generating certificates) and Cloud Storage (for uploading and downloading your container images).

We recommend you follow Google's official documentation on how to create and manage Service Accounts for more information on this.

You'll need to perform the following tasks:

1. Create a Service Account in the same Google Cloud project as your GKE cluster.
2. Give it the DNS Administrator and Storage Object Admin roles.
3. Create a JSON key and save it locally. We'll be using this when installing Okteto.

You'll use the credentials when installing Okteto.

Deploying Okteto

With the environment set up and configuration generated, you can now proceed to the deployment of Okteto.