Skip to main content
Version: 1.24

Automatic SSL endpoints

Okteto streamlines the development process by automatically adding endpoints to the CLI and UI for services that are running. Simply add the specified annotation to your service's manifest, and Okteto will automatically handle the endpoint creation.

If you've configured Endpoints but they aren't appearing, please check our FAQ guide for possible reasons why they might be missing.

Auto create ingresses from services

Okteto can automatically create an SSL endpoint for your deployments. In order to take advantage of this feature, add the dev.okteto.com/auto-ingress: "true" annotation to your Service definition.

apiVersion: v1
kind: Service
metadata:
name: hello-world
labels:
app: hello-world
annotations:
dev.okteto.com/auto-ingress: "true"
spec:
type: ClusterIP
ports:
- port: 8080
protocol: TCP
targetPort: 8080
selector:
app: hello-world
tip

A sample of how this should look is available here.

Adding this annotation will tell Okteto to automatically create an https ingress rule for you that redirects to the first http port of your service.

NodePort or LoadBalancer services are managed as if they had this annotation too. You can disable this behavior by setting convertLoadBalancedServices.enabled to false.

You can see the address of your endpoint by going to the Okteto dashboard or by running the okteto endpoints command. The endpoint address will be consistent across redeploys, as long as you don't change your service name.

Bring your own ingress

You can also use your own ingress manifests. This is useful when you have more complex configurations, or you need specific URLs.

Keep in mind that all the hosts you use in your ingress must end with-$NAMESPACE.okteto.example.com.

Let Okteto generate the host

Okteto can automatically inject the right host names during the creation of your ingresses, while leaving the rest of the configuration intact. In order to take advantage of this feature, add the dev.okteto.com/generate-host: "true" annotation to your Ingress definition.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hello-world
annotations:
dev.okteto.com/generate-host: "true"
spec:
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: hello-world
port:
number: 8080

We recommend you follow this option. This way your ingress configuration can be deployed on any namespace managed by Okteto.

Customizing the endpoints shown in the Okteto dashboard

Okteto provides additional annotations that enable you to customize the endpoints shown in the Okteto dashboard.

To hide specific endpoints from the Okteto dashboard, you can use the dev.okteto.com/hide-from-ui: true annotation. Simply apply this annotation to your Ingress or VirtualService resource, and the endpoints associated with that resource will not be displayed in the Okteto dashboard.

If you want to replace the default endpoints for an Ingress or VirtualService resource, you can use the dev.okteto.com/endpoints annotation. This annotation allows you to define a list of endpoints, separated by commas, that will replace the default endpoints. Additionally, the value of this annotation expands the OKTETO_NAMESPACE and OKTETO_DOMAIN environment variables, providing an easy way to make your endpoints portable between namespaces.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: movies
annotations:
dev.okteto.com/generate-host: "true"
dev.okteto.com/endpoints: https://movies-${OKTETO_NAMESPACE}.${OKTETO_DOMAIN}/api
spec:
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: frontend
port:
number: 80
- path: /api
pathType: Prefix
backend:
service:
name: api
port:
number: 8080

Expose HTTPS Backends Through Ingress

If your application communicates over HTTPS instead of HTTP, you'll need to create a dedicated ingress, as demonstrated in the Bring Your Own Ingress section, and add the following annotation to it:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
...

Please note that this won't pass through the certificate served by your application to the requester. Instead, the wildcard certificate of the Okteto instance will be used.