Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
This section includes information about the minimum requirements you need to install and use Devtron.
Devtron is installed over a Kubernetes cluster. Once you create a Kubernetes cluster, Devtron can be installed standalone or along with CI/CD integration:
Devtron with CI/CD: Devtron installation with the CI/CD integration is used to perform CI/CD, security scanning, GitOps, debugging, and observability.
Helm Dashboard by Devtron: The Helm Dashboard by Devtron, which is a standalone installation, includes functionalities to deploy, observe, manage, and debug existing Helm applications in multiple clusters. You can also install integrations from Devtron Stack Manager.
In this section, we will cover the basic details on how you can quickly get started with Devtron. First, lets see what are the prerequisite requirements before you install Devtron.
You can create any Kubernetes cluster (preferably K8s version 1.16 or higher) for installing Devtron.
You can create a cluster using one of the following cloud providers as per your requirements:
AWS EKS
Google Kubernetes Engine (GKE)
Azure Kubernetes Service (AKS)
k3s - Lightweight Kubernetes
Make sure to install helm.
The minimum requirements for installing Helm Dashboard by Devtron
and Devtron with CI/CD
as per the number of applications you want to manage on Devtron
are provided below:
For configuring small resources (to manage not more than 5 apps on Devtron):
Devtron with CI/CD
2
6 GB
Helm Dashboard by Devtron
1
1 GB
For configuring medium/larger resources (to manage more than 5 apps on Devtron):
Devtron with CI/CD
6
13 GB
Helm Dashboard by Devtron
2
3 GB
Refer to the Override Configurations section for more information.
Note:
Please make sure that the recommended resources are available on your Kubernetes cluster before you proceed with Devtron installation.
It is NOT recommended to use brustable CPU VMs (T series in AWS, B Series in Azure and E2/N1 in GCP) for Devtron installation to experience consistency in performance.
You can install Devtron standalone (Helm Dashboard by Devtron) or along with CI/CD integration. Or, you can upgrade Devtron to the latest version.
Choose one of the options as per your requirements:
Devtron installation with the CI/CD integration is used to perform CI/CD, security scanning, GitOps, debugging, and observability.
Upgrade Devtron to latest version
You can upgrade Devtron in one of the following ways:
Devtron is a tool integration platform for Kubernetes.
Devtron deeply integrates with products across the lifecycle of microservices i.e., CI/CD, security, cost, debugging, and observability via an intuitive web interface. Devtron helps you to deploy, observe, manage & debug the existing Helm apps in all your clusters.
Workflow which understands the domain of Kubernetes, testing, CD, SecOps so that you don't have to write scripts
Reusable and composable components so that workflows are easy to construct and reason through
Deploy to multiple Kubernetes clusters on multiple cloud/on-prem from one Devtron setup
Works for all cloud providers and on-premise Kubernetes clusters
Multi-level security policy at global, cluster, environment, and application-level for efficient hierarchical policy management
Behavior-driven security policy
Define policies and exceptions for Kubernetes resources
Define policies for events for faster resolution
One place for all historical Kubernetes events
Access all manifests securely, such as secret obfuscation
Application metrics for CPU, RAM, HTTP status code, and latency with a comparison between new and old
Advanced logging with grep and JSON search
Intelligent correlation between events, logs for faster triangulation of issue
Auto issue identification
Fine-grained access control; control who can edit the configuration and who can deploy.
Audit log to know who did what and when
History of all CI and CD events
Kubernetes events impacting application
Relevant cloud events and their impact on applications
Advanced workflow policies like blackout window, branch environment relationship to secure build and deployment pipelines
GitOps exposed through API and UI so that you don't have to interact with git CLI
GitOps backed by Postgres for easy analysis
Enforce finer access control than Git
Deployment metrics to measure the success of the agile process. It captures MTTR, change failure rate, deployment frequency, and deployment size out of the box.
Audit log to understand the failure causes
Monitor changes across deployments and reverts easily
Application metrics only work for K8s version 1.16+
Get updates on Devtron's development and chat with the project maintainers, contributors, and community members.
We, at Devtron, take security and our users' trust very seriously. If you believe you have found a security issue in Devtron, please responsibly disclose it by contacting us at security@devtron.ai.
Devtron is installed over a Kubernetes cluster. Once you create a Kubernetes cluster, Devtron can be installed standalone or along with CI/CD integration.
Choose one of the options as per your requirements:
Note: If you have questions, please let us know on our discord channel.
Create a cluster using .
Note
: You can also refer our customized documentation for installing Devtron with CI/CD
on AWS EKS .
Create a cluster using .
Create a cluster using .
Create a cluster using .
Note
: You can also refer our customized documentation for installing Helm Dashboard by Devtron
on Minikube, Microk8s, K3s, Kind
.
The Helm Dashboard by Devtron which is a standalone installation includes functionalities to deploy, observe, manage, and debug existing Helm applications in multiple clusters. You can also install integrations from .
With this option, you can install Devtron with CI/CD by enabling GitOps during the installation. You can also install other integrations from .
Devtron uses a modified version of .
Check out our . Directions for opening issues, coding standards, and notes on our development processes are all included.
Join the
Follow
Raise feature requests, suggest enhancements, report bugs at
Read the
In this section, we describe the steps in detail on how you can install Devtron with CI/CD by enabling GitOps during the installation.
Install Helm if you have not installed it.
Run the following command to install the latest version of Devtron with CI/CD along with GitOps (Argo CD) module:
Note: If you want to configure Blob Storage during the installation, refer configure blob storage duing installation.
To install Devtron on clusters with the multi-architecture nodes (ARM and AMD), append the Devtron installation command with --set installer.arch=multi-arch
.
Note:
If you want to install Devtron for production deployments
, please refer to our recommended overrides for Devtron Installation.
Configuring Blob Storage in your Devtron environment allows you to store build logs and cache. In case, if you do not configure the Blob Storage, then:
You will not be able to access the build and deployment logs after an hour.
Build time for commit hash takes longer as cache is not available.
Artifact reports cannot be generated in pre/post build and deployment stages.
Choose one of the options to configure blob storage:
Run the following command to install Devtron along with MinIO for storing logs and cache.
Note: Unlike global cloud providers such as AWS S3 Bucket, Azure Blob Storage and Google Cloud Storage, MinIO can be hosted locally also.
Refer to the AWS specific
parameters on the Storage for Logs and Cache page.
Run the following command to install Devtron along with AWS S3 buckets for storing build logs and cache:
Install using S3 IAM policy.
Note: Please ensure that S3 permission policy to the IAM role attached to the nodes of the cluster if you are using below command.
Install using access-key and secret-key for AWS S3 authentication:
Install using S3 compatible storages:
Refer to the Azure specific
parameters on the Storage for Logs and Cache page.
Run the following command to install Devtron along with Azure Blob Storage for storing build logs and cache:
Refer to the Google Cloud specific
parameters on the Storage for Logs and Cache page.
Run the following command to install Devtron along with Google Cloud Storage for storing build logs and cache:
Note: The installation takes about 15 to 20 minutes to spin up all of the Devtron microservices one by one.
Run the following command to check the status of the installation:
The command executes with one of the following output messages, indicating the status of the installation:
Downloaded
The installer has downloaded all the manifests, and the installation is in progress.
Applied
The installer has successfully applied all the manifests, and the installation is completed.
Run the following command to check the installer logs:
Run the following command to get the Devtron dashboard URL:
You will get an output similar to the example shown below:
Use the hostname aaff16e9760594a92afa0140dbfd99f7-305259315.us-east-1.elb.amazonaws.com
(Loadbalancer URL) to access the Devtron dashboard.
Note: If you do not get a hostname or receive a message that says "service doesn't exist," it means Devtron is still installing. Please wait until the installation is completed.
Note: You can also use a CNAME
entry corresponding to your domain/subdomain to point to the Loadbalancer URL to access at a customized domain.
devtron.yourdomain.com
CNAME
aaff16e9760594a92afa0140dbfd99f7-305259315.us-east-1.elb.amazonaws.com
When you install Devtron for the first time, it creates a default admin user and password (with unrestricted access to Devtron). You can use that credentials to log in as an administrator.
After the initial login, we recommend you set up any SSO service like Google, GitHub, etc., and then add other users (including yourself). Subsequently, all the users can use the same SSO (let's say, GitHub) to log in to Devtron's dashboard.
The section below will help you understand the process of getting the administrator credentials.
Username: admin
Password: Run the following command to get the admin password:
If you want to uninstall Devtron or clean Devtron helm installer, refer our uninstall Devtron.
Related to installation, please also refer FAQ section also.
Devtron installation with the CI/CD integration is used to perform CI/CD, security scanning, GitOps, debugging, and observability.
Use this option to install Devtron with Build and Deploy CI/CD
integration.
The Helm Dashboard by Devtron which is a standalone installation includes functionalities to deploy, observe, manage, and debug existing Helm applications in multiple clusters. You can also install integrations from Devtron Stack Manager.
Use this option if you are managing the applications via Helm and you want to use Devtron to deploy, observe, manage, and debug the Helm applications.
With this option, you can install Devtron with CI/CD by enabling GitOps during the installation. You can also install other integrations from Devtron Stack Manager.
Use this option to install Devtron with CI/CD by enabling GitOps, which is the most scalable method in terms of version control, collaboration, compliance and infrastructure automation.
In this section, we describe the steps in detail on how you can install Devtron with CI/CD integration.
Install , if you have not installed it already.
If you are using EKS version 1.23 or above, you must also install .
Run the following command to install AWS EBS CSI driver using Helm:
Run the following command to install the latest version of Devtron along with the CI/CD module:
To install Devtron on clusters with the multi-architecture nodes (ARM and AMD), append the Devtron installation command with --set installer.arch=multi-arch
.
Configuring Blob Storage in your Devtron environment allows you to store build logs and cache. In case, if you do not configure the Blob Storage, then:
You will not be able to access the build and deployment logs after an hour.
Build time for commit hash takes longer as cache is not available.
Artifact reports cannot be generated in pre/post build and deployment stages.
Choose one of the options to configure blob storage:
Run the following command to install Devtron along with MinIO for storing logs and cache.
Note: Unlike global cloud providers such as AWS S3 Bucket, Azure Blob Storage and Google Cloud Storage, MinIO can be hosted locally also.
Run the following command to install Devtron along with AWS S3 buckets for storing build logs and cache:
Install using S3 IAM policy.
Note: Please ensure that S3 permission policy to the IAM role attached to the nodes of the cluster if you are using below command.
Install using access-key and secret-key for AWS S3 authentication:
Install using S3 compatible storages:
Run the following command to install Devtron along with Azure Blob Storage for storing build logs and cache:
Run the following command to install Devtron along with Google Cloud Storage for storing build logs and cache:
The installation takes about 15 to 20 minutes to spin up all of the Devtron microservices one by one
Run the following command to check the status of the installation:
The command executes with one of the following output messages, indicating the status of the installation:
Run the following command to check the installer logs:
Run the following command to get the Devtron dashboard URL:
You will get an output similar to the example shown below:
Use the hostname aaff16e9760594a92afa0140dbfd99f7-305259315.us-east-1.elb.amazonaws.com
(Loadbalancer URL) to access the Devtron dashboard.
If you do not get a hostname or receive a message that says "service doesn't exist," it means Devtron is still installing. Please wait until the installation is completed.
You can also use a CNAME
entry corresponding to your domain/subdomain to point to the Loadbalancer URL to access at a customized domain.
When you install Devtron for the first time, it creates a default admin user and password (with unrestricted access to Devtron). You can use that credentials to log in as an administrator.
After the initial login, we recommend you set up any SSO service like Google, GitHub, etc., and then add other users (including yourself). Subsequently, all the users can use the same SSO (let's say, GitHub) to log in to Devtron's dashboard.
The sections below will help you understand the process of getting the administrator password.
Username: admin
Password: Run the following command to get the admin password:
In certain scenarios, you may need to deploy Devtron to a Kubernetes cluster that isn’t connected to the internet. Such air-gapped environments are used for various reasons, particularly in industries with strict regulatory requirements like healthcare, banking, and finance. This is because air-gapped environments aren't exposed to the public internet; therefore, they create a controlled and secure space for handling sensitive data and operations.
Install podman
or docker
on the VM from where you're executing the installation commands.
Clone the Devtron Helm chart:
Set the values of TARGET_REGISTRY
, TARGET_REGISTRY_USERNAME
, and TARGET_REGISTRY_TOKEN
. This registry should be accessible from the VM where you are running the cloning script and the K8s cluster where you’re installing Devtron.
Set the environment variables
Log in to the target Docker registry
Clone the images
Set the environment variables
Log in to the target Podman registry
Clone the images
Before starting, ensure you have created an image pull secret for your registry if authentication is required.
Create the namespace (if not already created)
Create the Docker registry secret
If you are installing Devtron with the CI/CD module or using Argo CD, create the secret in the following namespaces else, you can skip this step-:
Navigate to the Devtron Helm chart directory
Use the below command to install Devtron without any Integrations
Without imagePullSecrets
:
With imagePullSecrets
:
Use the below command to install Devtron with only the CI/CD module
Without imagePullSecrets
:
With imagePullSecrets
:
Use the below command to install Devtron with the CI/CD module and Argo CD
Without imagePullSecrets
:
With imagePullSecrets
:
The Kubernetes client by Devtron is a very lightweight dashboard that can be installed on arm64/amd64-based architectures. It comes with the features such as Kubernetes Resources Browser and Cluster Management that can provide control and observability for resources across clouds and clusters.
Devtron Kubernetes client is an intuitive Kubernetes Dashboard or a command line utility installed outside a Kubernetes cluster. The client can be installed on a desktop running on any Operating Systems and interact with all your Kubernetes clusters and workloads through an API server. It is a binary, packaged in a bash script that you can download and install by using the following set of commands.
By installing Devtron Kubernetes Client
, you can access:
Managing Kubernetes Resources at scale: Clusters vary on business and architectural needs. Organizations tend to build smaller clusters for more decentralization. This practice leads to the creation of multiple clusters and more nodes. Managing them on a CLI requires multiple files, making it difficult to perform resource operations. But with the Devtron Kubernetes Client, you can gain more visibility into K8s resources easily.
Unifying information in one place: When information is scattered across clusters, and you have to type commands with arguments to fetch desired output, the process becomes slow and error-prone. Without a single point of configuration source, the configurations of different config. files diverge, making them even more challenging to restore and track. The Devtron Kubernetes Client unifies all the information and tools into one interface to perform various contextual tasks.
Accessibility during an outage for troubleshooting: As the Devtron Kubernetes Client runs outside a cluster, you can exercise basic control over their failed resources when there is a cluster-level outage. The Client helps to gather essential logs and data to pinpoint the root cause of the issue and reduce the time to restore service.
Avoiding Kubeconfig version mismatch errors: With the Devtron Kubernetes Client, you can be relieved from maintaining the Kubeconfig versions for the respective clusters (v1.16 - 1.26 i.e, current version) as the Devtron Kubernetes Client performs self kubeconfig version control. Instead of managing multiple kubectl versions manually, it eliminates the chances of errors occurring due to the mismatch in configuration.
Download the bash script using the below URL: https://cdn.devtron.ai/k8s-client/devtron-install.bash
To automatically download the executable file and to open the dashboard in the respective browser, run the following command:
Note
: Make sure you place Devtron-install.bash
in your current directory before you execute the command.
Devtron Kubernetes Client opens in your browser automatically.
Note
: You do not need to have a super admin
permission to add a cluster if you install Devtron Kubernetes Client
. You can add more than one cluster.
Kubernetes Resource Browser
provides a graphical user interface for interacting and managing all your Kubernetes (k8s) resources across clusters. It also helps you to deploy and manage Kubernetes resources and allows pod operations such as:
View real-time logs
Check manifest and edit live manifests of k8s resources
Executable via terminal
View Events
Or, delete a resource
With Kubernetes Resource browser
, you can also perform the following:
Check the real-time health status
Search for any workloads
Manage multiple clusters and change cluster contexts
Deploy multiple K8s manifests through Create
UI option.
Perform resource grouping at the cluster level.
Note
: You do not need to have a super admin
permission to access Kubernetes Resource Browser
if you install Devtron Kubernetes Client
.
With the Devtron Kubernetes Client
, you can manage all your clusters running on-premises or on a cloud. It is a cluster and cloud agnostic platform where you can add as many clusters as you want, be it a lightweight cluster such as k3s/ microk8s or cloud managed clusters like Amazon EKS.
It enables you to observe and monitor the cluster health and real-time node conditions. The Cluster management feature provides a summary of nodes with all available labels, annotations, taints, and other parameters such as resource usage. In addition to that, it helps you to perform node operations such as:
Debug a node
Cordon a node
Drain a node
Taint a node
Edit a node config
Delete a node
In case if you close the browser by mistake, you can open the dashboard by executing the following command. It will open the dashboard through a port in the available web browser and store the Kubernetes client's state.
To stop the dashboard, you can execute the following command:
To update the Devtron Kubernetes Client
, use the following command. It will stop the running dashboard and download the latest executable file and open it in the browser.
Still facing issues, please reach out to us on .
To uninstall Devtron, run the following command:
This command will remove all the namespaces related to Devtron (devtroncd
, devtron-cd
, devtron-ci
etc.).
Note: If you have questions, please let us know on our discord channel.
In this section, we describe on how you can install Helm Dashboard by Devtron without any integrations. Integrations can be added later using .
If you want to install Devtron on Minikube, Microk8s, K3s, Kind, refer this .
Install if you have not installed it.
Note: This installation command will not install CI/CD integration. For CI/CD, refer section.
Run the following command to install Helm Dashboard by Devtron:
To install Devtron on clusters with the multi-architecture nodes (ARM and AMD), append the Devtron installation command with --set installer.arch=multi-arch
.
Run the following command to get the dashboard URL:
You will get the result something as shown below:
The hostname aaff16e9760594a92afa0140dbfd99f7-305259315.us-east-1.elb.amazonaws.com
as mentioned above is the Loadbalancer URL where you can access the Devtron dashboard.
You can also do a CNAME entry corresponding to your domain/subdomain to point to this Loadbalancer URL to access it at a custom domain.
When you install Devtron for the first time, it creates a default admin user and password (with unrestricted access to Devtron). You can use that credentials to log in as an administrator.
After the initial login, we recommend you set up any SSO service like Google, GitHub, etc., and then add other users (including yourself). Subsequently, all the users can use the same SSO (let's say, GitHub) to log in to Devtron's dashboard.
The section below will help you understand the process of getting the administrator credentials.
Username: admin
Password: Run the following command to get the admin password:
If you want to configure Blob Storage during the installation, refer .
If you want to install Devtron for production deployments
, please refer our for Devtron Installation.
Refer to the AWS specific
parameters on the page.
Refer to the Azure specific
parameters on the page.
Refer to the Google Cloud specific
parameters on the page.
If you want to uninstall Devtron or clean Devtron helm installer, refer our .
Related to installaltion, please also refer section also.
If you have any questions, please let us know on our Discord channel.
After installation, refer for further steps, including obtaining the dashboard URL and the admin password.
You must add your cluster to make your cluster visible on the Kubernetes Resource Browser
and Clusters
section. To add a cluster, go to the Global Configurations
and click Add Cluster
. .
After your cluster is added via Global Configurations
, go to the Kubernetes Resource Browser
page and select your cluster. .
With its rich features and intuitive interface, you can easily manage and and use any CLI debugging tools like busybox, kubectl, netshoot or any custom CLI tools like k9s.
After your cluster is added via Global Configurations
, go to the Clusters
page and search or select your cluster. .
Note: If you want to uninstall Devtron or clean Devtron helm installer, refer our .
To use the CI/CD capabilities with Devtron, you can Install the or .
Downloaded
The installer has downloaded all the manifests, and the installation is in progress.
Applied
The installer has successfully applied all the manifests, and the installation is completed.
devtron.yourdomain.com
CNAME
aaff16e9760594a92afa0140dbfd99f7-305259315.us-east-1.elb.amazonaws.com
devtron.yourdomain.com
CNAME
aaff16e9760594a92afa0140dbfd99f7-305259315.us-east-1.elb.amazonaws.com
You can configure Devtron by using configuration files. Configuration files are YAML files which are user-friendly. The configuration allows you to quickly roll back a configuration change if necessary. It also aids cluster re-creation and restoration.
There are two ways you can perform configurations while setting up Devtron dashboard:
You can also setup ingress
while setting up Devtron dashboard. Refer here for ingress setup.
If you wish to use Ingress as a means to access the Devtron services available in your cluster, you can configure it either during the installation or after the installation of Devtron.
Refer the section relevant to you:
If you have successfully configured Ingress, refer Post Ingress Setup.
If you are installing Devtron, you can enable Ingress either via set flag or by using ingress-values.yaml to specify the desired Ingress settings.
You can use the --set
flag to specify the desired Ingress settings.
Here, we have added 5 configurations you can perform depending on your requirements:
To enable Ingress and set basic parameters, use the following command:
To add labels to the Ingress resource, use the following command:
To add annotations to the Ingress resource, use the following command:
To configure TLS settings, including secretName
and hosts
, use the following command:
To include all the above settings in a single command, use:
As an alternative to the set flag method, you can enable Ingress using ingress-values.yaml
instead.
Create an ingress-values.yaml
file. You may refer the below format for an advanced ingress configuration which includes labels, annotations, secrets, and many more.
Once you have the ingress-values.yaml
file ready, run the following command:
After Devtron is installed, Devtron is accessible through devtron-service
. If you wish to access Devtron through ingress, you'll need to modify this service to use a ClusterIP instead of a LoadBalancer.
You can do this using the kubectl patch
command:
Next, create ingress to access Devtron by applying the devtron-ingress.yaml
file. The file is also available on this link. You can access Devtron from any host after applying this yaml.
For k8s versions < 1.19, apply this yaml:
Optionally, you also can access Devtron through a specific host by running the following YAML file:
Once Ingress setup for Devtron is done and you want to run Devtron over https
, you need to add different annotations for different ingress controllers and load balancers.
In case of nginx ingress controller
, add the following annotations under service.annotations
under nginx ingress controller to run devtron over https
.
(i) Amazon Web Services (AWS)
If you are using AWS cloud, add the following annotations under service.annotations
under nginx ingress controller.
(ii) Digital Ocean
If you are using Digital Ocean cloud, add the following annotations under service.annotations
under nginx ingress controller.
In case of AWS application load balancer, add following annotations under ingress.annotations
to run devtron over https
.
In case of AWS application load balancer, the following annotations need to be added under ingress.annotations
to run devtron over https
.
For an Ingress resource to be observed by AGIC (Application Gateway Ingress Controller) must be annotated with kubernetes.io/ingress.class: azure/application-gateway. Only then AGIC will work with the Ingress resource in question.
Note: Make sure NOT to use port 80 with HTTPS and port 443 with HTTP on the Pods.
A global configuration allows you to easily share common configuration between multiple repositories without copy/pasting it to these repositories.
Before you start creating an application, we recommend to provide basic information in different sections of Global Configurations available in Devtron
.
You can also refer our YouTube video provided here.
For Helm
installation this section refers to secrets section of values.yaml
.
Configure the following properties:
POSTGRESQL_PASSWORD
Using this parameter the auto-generated password for Postgres can be edited as per requirement(Used by Devtron to store the app information)
NA
WEBHOOK_TOKEN
If you want to continue using Jenkins for CI then provide this for authentication of requests should be base64 encoded
NA
For Helm
installation this section refers to configs section of values.yaml
.
Configure the following properties:
BASE_URL_SCHEME
Either of HTTP or HTTPS (required)
HTTP
BASE_URL
URL without scheme and trailing slash, this is the domain pointing to the cluster on which the Devtron platform is being installed. For example, if you have directed domain devtron.example.com
to the cluster and the ingress controller is listening on port 32080
then URL will be devtron.example.com:32080
(required)
change-me
DEX_CONFIG
NA
EXTERNAL_SECRET_AMAZON_REGION
AWS region for the secret manager to pick (required)
NA
PROMETHEUS_URL
URL of Prometheus where all cluster data is stored; if this is wrong, you will not be able to see application metrics like CPU, RAM, HTTP status code, latency, and throughput (required)
NA
Devtron provides ways to control how much memory
or CPU
can be allocated to each Devtron microservice. You can adjust the resources that are allocated to these microservices based on your requirements. The resource configurations are available in following sizes:
Small
: To configure the small resources (e.g. to manage less than 10 apps on Devtron ) based on the requirements, append the Devtron installation command with -f https://raw.githubusercontent.com/devtron-labs/devtron/main/charts/devtron/resources-small.yaml
.
For Helm
installation this section refers to customOverrides section of values.yaml
. In this section you can override values of devtron-cm which you want to keep persistent. For example:
You can configure the following properties:
CI_NODE_LABEL_SELECTOR
Labels for a particular nodegroup which you want to use for running CIs
NA
CI_NODE_TAINTS_KEY
Key for toleration if nodegroup chosen for CIs have some taints
NA
CI_NODE_TAINTS_VALUE
Value for toleration if nodegroup chosen for CIs have some taints
NA
AWS SPECIFIC
While installing Devtron and using the AWS-S3 bucket for storing the logs and caches, the below parameters are to be used in the ConfigMap.
NOTE: For using the S3 bucket it is important to add the S3 permission policy to the IAM role attached to the nodes of the cluster.
DEFAULT_CACHE_BUCKET
AWS bucket to store docker cache, it should be created beforehand (required)
DEFAULT_BUILD_LOGS_BUCKET
AWS bucket to store build logs, it should be created beforehand (required)
DEFAULT_CACHE_BUCKET_REGION
AWS region of S3 bucket to store cache (required)
DEFAULT_CD_LOGS_BUCKET_REGION
AWS region of S3 bucket to store CD logs (required)
BLOB_STORAGE_S3_ENDPOINT
S3 compatible bucket endpoint.
The below parameters are to be used in the Secrets :
BLOB_STORAGE_S3_ACCESS_KEY
AWS access key to access S3 bucket. Required if installing using AWS credentials.
BLOB_STORAGE_S3_SECRET_KEY
AWS secret key to access S3 bucket. Required if installing using AWS credentials.
AZURE SPECIFIC
While installing Devtron using Azure Blob Storage for storing logs and caches, the below parameters will be used in the ConfigMap.
AZURE_ACCOUNT_NAME
Account name for AZURE Blob Storage
AZURE_BLOB_CONTAINER_CI_LOG
AZURE Blob storage container for storing ci-logs after running the CI pipeline
AZURE_BLOB_CONTAINER_CI_CACHE
AZURE Blob storage container for storing ci-cache after running the CI pipeline
GOOGLE CLOUD STORAGE SPECIFIC
While installing Devtron using Google Cloud Storage for storing logs and caches, the below parameters will be used in the ConfigMap.
BLOB_STORAGE_GCP_CREDENTIALS_JSON
Base-64 encoded GCP credentials json for accessing Google Cloud Storage
DEFAULT_CACHE_BUCKET
Google Cloud Storage bucket for storing ci-logs after running the CI pipeline
DEFAULT_LOGS_BUCKET
Google Cloud Storage bucket for storing ci-cache after running the CI pipeline
To convert string to base64 use the following command:
Note:
Ensure that the cluster has read and write access to the S3 buckets/Azure Blob storage container mentioned in DEFAULT_CACHE_BUCKET, DEFAULT_BUILD_LOGS_BUCKET or AZURE_BLOB_CONTAINER_CI_LOG, or AZURE_BLOB_CONTAINER_CI_CACHE.
Ensure that the cluster has read access to AWS secrets backends (SSM & secrets manager).
The following tables contain parameters and their details for Secrets and ConfigMaps that are configured during the installation of Devtron. If the installation is done using Helm
, the values can be tweaked in values.yaml file.
We can use the --set
flag to override the default values when installing with Helm. For example, to update POSTGRESQL_PASSWORD and BLOB_STORAGE_PROVIDER, use the install command as:
Blob Storage allows users to store large amounts of unstructured data. Unstructured data is a data that does not adhere to a particular data model or definition, such as text or binary data. Configuring blob storage in your Devtron environment allows you to store build logs and cache.
In case, if you do not configure the Blob Storage, then:
You will not be able to access the build and deployment logs after an hour.
Build time for commit hash takes longer as cache is not available.
Artifact reports cannot be generated in pre/post build and deployment stages.
You can configure Blob Storage with one of the following Blob Storage providers given below:
Note: You can also use the respective following command to switch to another Blob Storage provider. As an example, If you are using MinIO Storage and want to switch to Azure Blob Storage, use the command provided on the Azure Blob Storage tab to switch.
Use the following command to configure MinIO for storing logs and cache.
Note: Unlike global cloud providers such as AWS S3 Bucket, Azure Blob Storage and Google Cloud Storage, MinIO can be hosted locally also.
Use the following command to configure AWS S3 bucket for storing build logs and cache. Refer to the AWS specific
parameters on the Storage for Logs and Cache page.
Configure using S3 IAM policy:
NOTE: Pleasee ensure that S3 permission policy to the IAM role attached to the nodes of the cluster if you are using the below command.
Configure using access-key and secret-key for aws S3 authentication:
Configure using S3 compatible storages:
Use the following command to configure Azure Blob Storage for storing build logs and cache. Refer to the Azure specific
parameters on the Storage for Logs and Cache page.
Use the following command to configure Google Cloud Storage for storing build logs and cache. Refer to the Google Cloud specific
parameters on the Storage for Logs and Cache page.
ACD_PASSWORD
ArgoCD Password for CD Workflow
Auto-Generated
Optional
AZURE_ACCOUNT_KEY
Account key to access Azure objects such as BLOB_CONTAINER_CI_LOG or CI_CACHE
""
Mandatory (If using Azure)
GRAFANA_PASSWORD
Password for Grafana to display graphs
Auto-Generated
Optional
POSTGRESQL_PASSWORD
Password for your Postgresql database that will be used to access the database
Auto-Generated
Optional
AZURE_ACCOUNT_NAME
Azure account name which you will use
""
Mandatory (If using Azure)
AZURE_BLOB_CONTAINER_CI_LOG
Name of container created for storing CI_LOG
ci-log-container
Optional
AZURE_BLOB_CONTAINER_CI_CACHE
Name of container created for storing CI_CACHE
ci-cache-container
Optional
BLOB_STORAGE_PROVIDER
Cloud provider name which you will use
MINIO
Mandatory (If using any cloud other than MINIO), MINIO/AZURE/S3
DEFAULT_BUILD_LOGS_BUCKET
S3 Bucket name used for storing Build Logs
devtron-ci-log
Mandatory (If using AWS)
DEFAULT_CD_LOGS_BUCKET_REGION
Region of S3 Bucket where CD Logs are being stored
us-east-1
Mandatory (If using AWS)
DEFAULT_CACHE_BUCKET
S3 Bucket name used for storing CACHE (Do not include s3://)
devtron-ci-cache
Mandatory (If using AWS)
DEFAULT_CACHE_BUCKET_REGION
S3 Bucket region where Cache is being stored
us-east-1
Mandatory (If using AWS)
EXTERNAL_SECRET_AMAZON_REGION
Region where the cluster is setup for Devtron installation
""
Mandatory (If using AWS)
ENABLE_INGRESS
To enable Ingress (True/False)
False
Optional
INGRESS_ANNOTATIONS
Annotations for ingress
""
Optional
PROMETHEUS_URL
Existing Prometheus URL if it is installed
""
Optional
CI_NODE_LABEL_SELECTOR
Label of CI worker node
""
Optional
CI_NODE_TAINTS_KEY
Taint key name of CI worker node
""
Optional
CI_NODE_TAINTS_VALUE
Value of taint key of CI node
""
Optional
CI_DEFAULT_ADDRESS_POOL_BASE_CIDR
CIDR ranges used to allocate subnets in each IP address pool for CI
""
Optional
CI_DEFAULT_ADDRESS_POOL_SIZE
The subnet size to allocate from the base pool for CI
""
Optional
CD_NODE_LABEL_SELECTOR
Label of CD node
kubernetes.io/os=linux
Optional
CD_NODE_TAINTS_KEY
Taint key name of CD node
dedicated
Optional
CD_NODE_TAINTS_VALUE
Value of taint key of CD node
ci
Optional
CD_LIMIT_CI_CPU
CPU limit for pre and post CD Pod
0.5
Optional
CD_LIMIT_CI_MEM
Memory limit for pre and post CD Pod
3G
Optional
CD_REQ_CI_CPU
CPU request for CI Pod
0.5
Optional
CD_REQ_CI_MEM
Memory request for CI Pod
1G
Optional
CD_DEFAULT_ADDRESS_POOL_BASE_CIDR
CIDR ranges used to allocate subnets in each IP address pool for CD
""
Optional
CD_DEFAULT_ADDRESS_POOL_SIZE
The subnet size to allocate from the base pool for CD
""
Optional
GITOPS_REPO_PREFIX
Prefix for Gitops repository
devtron
Optional
RECOMMEND_SECURITY_SCANNING
If True, security scanning
is enabled
by default for a new build pipeline. Users can however turn it off in the new or existing pipelines.
FORCE_SECURITY_SCANNING
If set to True, security scanning
is forcefully enabled
by default for a new build pipeline. Users can not turn it off for new as well as for existing build pipelines. Old pipelines that have security scanning disabled will remain unchanged and image scanning should be enabled manually for them.
HIDE_DISCORD
Hides discord chatbot from the dashboard.
You can install and try Devtron on a high-end machine or a Cloud VM. If you install it on a laptop/PC, it may start to respond slowly, so it is recommended to uninstall Devtron from your system before shutting it down.
2 vCPUs
4GB+ of free memory
20GB+ free disk space
Before you get started, you must set up a cluster in your server and finish the following actions:
To install devtron on Minikube/kind
cluster, run the following command:
To install devtron on k3s
cluster, run the following command:
To access Devtron dashboard when using Minikube
as cluster, run the following command:
To access Devtron dashboard when using Kind/k3s
as cluster, run the following command to port forward the devtron service to port 8000:
Dashboard: http://127.0.0.1:8000.
When you install Devtron for the first time, it creates a default admin user and password (with unrestricted access to Devtron). You can use that credentials to log in as an administrator.
After the initial login, we recommend you set up any SSO service like Google, GitHub, etc., and then add other users (including yourself). Subsequently, all the users can use the same SSO (let's say, GitHub) to log in to Devtron's dashboard.
The section below will help you understand the process of getting the administrator credentials.
Username: admin
Password: Run the following command to get the admin password:
It is recommended to use Cloud VM with 2vCPU+, 4GB+ free memory, 20GB+ storage, Compute Optimized VM type & Ubuntu Flavoured OS.
Make sure that the port on which the devtron-service runs remain open in the VM's security group or network security group.
If you want to uninstall Devtron or clean Devtron helm installer, refer our uninstall Devtron.
Projects are the logical grouping of your applications so that you can manage and control the access level of users.
Refer user access for more detail.
To add a project name, go to the Projects
section of Global Configurations
.
Click Add Project
.
Provide a project name in the field and click Save
.
Git Accounts allow you to connect your code source with Devtron. You will be able to use these git accounts to build the code using the CI pipeline.
To add git account, go to the Git accounts
section of Global Configurations
. Click Add git account.
Provide the information in the following fields to add your git account:
Name
Git host
It is the git provider on which corresponding application git repository is hosted.
Note: By default, Bitbucket
and GitHub
are available in the drop-down list. You can add many as you want by clicking [+ Add Git Host]
.
URL
Authentication Type
Devtron supports three types of authentications:
User auth: If you select User auth
as an authentication type, then you must provide the Username
and Password
or Auth token
for the authentication of your version control account.
Anonymous: If you select Anonymous
as an authentication type, then you do not need to provide the Username
and Password
.
Note: If authentication type is set as Anonymous
, only public git repository will be accessible.
SSH Key: If you choose SSH Key
as an authentication type, then you must provide the Private SSH Key
corresponding to the public key added in your version control account.
To update the git account:
Click the git account which you want to update.
Update the required changes.
Click Update
to save the changes.
Updates can only be made within one Authentication type or one protocol type, i.e. HTTPS (Anonymous or User Auth) & SSH. You can update from Anonymous
to User Auth
& vice versa, but not from Anonymous
or User Auth
to SSH
and vice versa.
Note:
You can enable or disable a git account. Enabled git accounts will be available on the App Configuration > Git repository.
In Devtron, you can either use Helm or GitOps (Argo CD) to deploy your applications and charts. GitOps is a branch of DevOps that focuses on using Git repositories to manage infrastructure and application code deployments.
If you use the GitOps approach, Devtron will store Kubernetes configuration files and the desired state of your applications in Git repositories.
Go to Global Configurations → GitOps
Select any one of the supported Git providers to configure GitOps.
The Git provider you select for configuring GitOps might impact the following sections:
Fill all the mandatory fields. Refer supported Git providers to know more about the respective fields.
In the Directory Management in Git section, you get the following options:
Use default git repository structure:
This option lets Devtron automatically create a GitOps repository within your organization. The repository name will match your application name, and it cannot be changed. Since Devtron needs admin access to create the repository, ensure the Git credentials you provided in Step 3 have administrator rights.
Allow changing git repository for application:
Select this option if you wish to use your own GitOps repo. This is ideal if there are any confidentiality/security concerns that prevent you from giving us admin access. Therefore, the onus is on you to create a GitOps repo with your Git provider, and then add it to the specific application on Devtron. Make sure the Git credentials you provided in Step 3 have at least read/write access. Choosing this option will unlock a GitOps Configuration page under the App Configuration tab.
Click Save/Update. A green tick will appear on the active Git provider.
Alternatively, you may use the feature flag FEATURE_USER_DEFINED_GITOPS_REPO_ENABLE to enable or disable custom GitOps repo.
For disabling - FEATURE_USER_DEFINED_GITOPS_REPO_ENABLE: "false"
For enabling - FEATURE_USER_DEFINED_GITOPS_REPO_ENABLE: "true"
Go to Devtron's Resource Browser.
Select the cluster where Devtron is running, i.e., default_cluster
.
Go to the Config & Storage dropdown on the left.
Click ConfigMap.
Use the namespace filter (located on the right-hand side) to select devtroncd
namespace. Therefore, it will show only the ConfigMaps related to Devtron, and filter out the rest.
Find the ConfigMap meant for the dashboard of your Devtron instance, i.e., dashboard-cm
(with an optional suffix).
Click Edit Live Manifest.
Add the feature flag (with the intended boolean value) within the data
dictionary
Click Apply Changes.
Below are the Git providers supported in Devtron for storing configuration files.
A GitHub account
A GitHub organization. If you don't have one, refer Creating Organization in GitHub.
Fill the following mandatory fields:
Git Host
Shows the URL of GitHub, e.g., https://github.com/
GitHub Organisation Name
GitHub Username
Provide the username of your GitHub account
Personal Access Token
A GitLab account
A GitLab group. If you don't have one, refer Creating Group in GitLab.
Fill the following mandatory fields:
Git Host
Shows the URL of GitLab, e.g., https://gitlab.com/
GitLab Group ID
GitLab Username
Provide the username of your GitLab account
Personal Access Token
An organization on Azure DevOps. If you don't have one, refer this link.
A project in your Azure DevOps organization. Refer Creating Project in Azure.
Fill the following mandatory fields:
Azure DevOps Organisation Url*
Azure DevOps Project Name
Azure DevOps Username*
Provide the username of your Azure DevOps account
Azure DevOps Access Token*
Here, you get 2 options:
Bitbucket Cloud - Select this if you wish to store GitOps configuration in a web-based Git repository hosting service offered by Bitbucket.
Bitbucket Data Center - Select this if you wish to store GitOps configuration in a git repository hosted on a self-managed Bitbucket Data Center (on-prem).
A Bitbucket account
A workspace in your Bitbucket account. Refer Creating Workspace in Bitbucket.
Fill the following mandatory fields:
Bitbucket Host
Shows the URL of Bitbucket Cloud, e.g., https://bitbucket.org/
Bitbucket Workspace ID
Bitbucket Project Key
Bitbucket Username*
Provide the username of your Bitbucket account
Personal Access Token
Fill the following mandatory fields:
Bitbucket Host
Enter the URL address of your Bitbucket Data Center, e.g., https://bitbucket.mycompany.com
Bitbucket Project Key
Bitbucket Username*
Provide the username of your Bitbucket Data Center account
Password
Provide the password to authenticate your Bitbucket Data Center account
We do NOT recommend using GitHub organization that contains your source code.
Create a new account on GitHub (if you do not have one).
On the upper-right corner of your GitHub page, click your profile photo, then click Settings.
On the Access
section, click Organizations.
On the Organizations
section, click New organization.
Pick a plan for your organization. You have the option to select create free organization
also.
On the Set up your organization
page,
Enter the organization account name
, contact email
.
Select the option your organization belongs to.
Verify your account and click Next.
Your GitHub organization name
will be created.
Go to your profile and click Your organizations to view all the organizations you created.
For more information about the plans available for your team, see GitHub's products. You can also refer GitHub organization official doc page for more detail.
Create a new account on GitLab (if you do not have one).
You can create a group by going to the 'Groups' tab on the GitLab dashboard and click New group
.
Select Create group
.
Enter the group name (required) and select the optional descriptions if required, and click Create group.
Your group will be created and your group name will be assigned with a new Group ID
(e.g. 61512475).
Go to Azure DevOps and navigate to Projects.
Select your organization and click New project
.
On the Create new project
page,
Enter the project name
and description of the project.
Select the visibility option (private or public), initial source control type, and work item process.
Click Create.
Azure DevOps displays the project welcome page with the project name
.
You can also refer Azure DevOps - Project Creation official page for more details.
Create a new individual account on Bitbucket (if you do not have one).
Select your profile and settings avatar on the upper-right corner of the top navigation bar.
Select All workspaces
from the dropdown menu.
Select the Create workspace
on the upper-right corner of the Workspaces
page.
On the Create a Workspace
page:
Enter a Workspace name
.
Enter a Workspace ID
. Your ID cannot have any spaces or special characters, but numbers and capital letters are fine. This ID becomes part of the URL for the workspace and anywhere else where there is a label that identifies the team (APIs, permission groups, OAuth, etc.).
Click Create.
Your Workspace name
and Workspace ID
will be created.
You can also refer official Bitbucket Workspace page for more details.
You can add your existing Kubernetes clusters and environments on the Clusters and Environments
section. You must have a super admin access to add a cluster.
To add cluster, go to the Clusters & Environments
section of Global Configurations
. Click Add cluster.
To add a Kubernetes cluster on Devtron using server url
and the bearer token
, provide the information in the following fields:
Name
Enter a name of your cluster.
Server URL
Bearer Token
Bearer token of a cluster.
Prerequisites:
kubectl
must be installed on the bastion.
Note: We recommend to use a self-hosted URL instead of cloud hosted URL. Refer the benefits of self-hosted URL.
You can get the Server URL
& Bearer Token
by running the following command depending on the cluster provider:
If you are using EKS, AKS, GKE, Kops, Digital Ocean managed Kubernetes, run the following command to generate the server URL and bearer token:
If you are using a microk8s cluster
, run the following command to generate the server URL and bearer token:
Disaster Recovery:
It is not possible to edit the server URL of a cloud specific provider. If you're using an EKS URL (e.g. *****.eu-west-1.elb.amazonaws.com
), it will be a tedious task to add a new cluster and migrate all the services one by one.
But in case of using a self-hosted URL (e.g. clear.example.com
), you can just point to the new cluster's server URL in DNS manager and update the new cluster token and sync all the deployments.
Easy Cluster Migrations:
In case of managed Kubernetes clusters (like EKS, AKS, GKE etc) which is a cloud provider specific, migrating your cluster from one provider to another will result in waste of time and effort.
On the other hand, migration for a self-hosted URL is easy as the URL is of single hosted domain independent of the cloud provider.
To add clusters using kubeconfig, follow these steps:
First, navigate to the global configurations menu, and then go to "clusters and environment" section.
Click on the Add cluster
button. In the options provided, choose the From kubeconfig
option.
Next, either paste the kubeconfig file or browse for it and select the appropriate file.
Afterward, click on the Get cluster
button. This action will display the cluster details alongside the kubeconfig.
Select the desired cluster and click on Save
to successfully add the cluster to Devtron.
Note: Please ensure that the kubeconfig file you use has admin permissions
. It is crucial for Devtron to have the necessary administrative privileges; otherwise, it may encounter failures or disruptions during deployments and other operations. Admin permission is essential to ensure the smooth functioning of Devtron and to prevent any potential issues that may arise due to insufficient privileges.
If you want to see application metrics against the applications deployed in the cluster, Prometheus must be deployed in the cluster. Prometheus is a powerful tool to provide graphical insight into your application behavior.
Note: Make sure that you install
Monitoring (Grafana)
from theDevtron Stack Manager
to configure prometheus. If you do not installMonitoring (Grafana)
, then the option to configure prometheus will not be available.
Enable the application metrics to configure prometheus and provide the information in the following fields:
Prometheus endpoint
Provide the URL of your prometheus.
Authentication Type
Prometheus supports two authentication types:
Basic: If you select the Basic
authentication type, then you must provide the Username
and Password
of prometheus for authentication.
Anonymous: If you select the Anonymous
authentication type, then you do not need to provide the Username
and Password
.
Note: The fields Username
and Password
will not be available by default.
TLS Key
& TLS Certificate
TLS Key
and TLS Certificate
are optional, these options are used when you use a customized URL.
Now, click Save Cluster
to save your cluster on Devtron.
Your Kubernetes cluster gets mapped with Devtron when you save the cluster configurations. Now, the Devtron agent must be installed on the added cluster so that you can deploy your applications on that cluster.
When the Devtron agent starts installing, click Details
to check the installation status.
A new window pops up displaying all the details about the Devtron agent.
Once you have added your cluster in the Clusters & Environments
, you can add the environment by clicking Add environment
.
A new environment window pops up.
Environment Name
Enter a name of your environment.
Enter Namespace
Enter a namespace corresponding to your environment. Note: If this namespace does not already exist in your cluster, Devtron will create it. If it exists already, Devtron will map the environment to the existing namespace.
Environment Type
Select your environment type:
Production
Non-production
Note: Devtron shows deployment metrics (DORA metrics) for environments tagged as Production
only.
Click Save
and your environment will be created.
You can also update an environment by clicking the environment.
You can change Production
and Non-Production
options only.
You cannot change the Environment Name
and Namespace Name
.
Make sure to click Update to update your environment.
While container registries are typically used for storing images built by the CI Pipeline, an OCI registry can store container images as well as other artifacts such as helm charts. In other words, all container registries are OCI registries, but not all OCI registries are container registries.
You can configure a container registry using any registry provider of your choice. It allows you to build, deploy, and manage your container images or charts with easy-to-use UI.
From the left sidebar, go to Global Configurations → Container/OCI Registry.
Click Add Registry.
Choose a provider from the Registry provider dropdown. View the Supported Registry Providers.
Choose the Registry type:
Private Registry: Choose this if your images or artifacts are hosted or should be hosted on a private registry restricted to authenticated users of that registry. Selecting this option requires you to enter your registry credentials (username and password/token).
Public Registry: Unlike private registry, this doesn't require your registry credentials. Only the registry URL and repository name(s) would suffice.
Assuming your registry type is private, here are few of the common fields you can expect:
Name
Registry URL
Provide the URL of your registry in case it doesn't come prefilled (do not include oci://
, http://
, or /https://
in the URL)
Authentication Type
Push container images
Push helm packages
Tick this checkbox if you wish to push helm charts to your registry
Use as chart repository
Tick this checkbox if you want Devtron to pull helm charts from your registry and display them on its chart store. Also, you will have to provide a list of repositories (present within your registry) for Devtron to successfully pull the helm charts.
Set as default registry
Tick this checkbox to set your registry as the default registry hub for your images or artifacts
Click Save.
Amazon ECR is an AWS-managed container image registry service. The ECR provides resource-based permissions to the private repositories using AWS Identity and Access Management (IAM). ECR allows both Key-based and Role-based authentications.
Before you begin, create an IAM user and attach the ECR policy according to the authentication type.
Provide the following additional information apart from the common fields:
Registry URL
Example of URL format: xxxxxxxxxxxx.dkr.ecr.<region>.amazonaws.com
where xxxxxxxxxxxx
is your 12-digit AWS account ID
Authentication Type
Select one of the authentication types:
EC2 IAM Role: Authenticate with workernode IAM role and attach the ECR policy (AmazonEC2ContainerRegistryFullAccess) to the cluster worker nodes IAM role of your Kubernetes cluster.
Access key ID
: Your AWS access key
Secret access key
: Your AWS secret access key ID
Provide the following additional information apart from the common fields:
Username
Provide the username of the Docker Hub account you used for creating your registry.
Password/Token
For Azure, the service principal authentication method can be used to authenticate with username and password. Visit this link to get the username and password for this registry.
Provide the following additional information apart from the common fields:
Registry URL/Login Server
Example of URL format: xxx.azurecr.io
Username/Registry Name
Provide the username of your Azure container registry
Password
Provide the password of your Azure container registry
JSON key file authentication method can be used to authenticate with username and service account JSON file. Visit this link to get the username and service account JSON file for this registry.
Remove all the white spaces from JSON key and wrap it in a single quote before pasting it in Service Account JSON File
field
Provide the following additional information apart from the common fields:
Registry URL
Example of URL format: region-docker.pkg.dev
Service Account JSON File
Paste the content of the service account JSON file
JSON key file authentication method can be used to authenticate with username and service account JSON file. Please follow link to get the username and service account JSON file for this registry.
Remove all the white spaces from JSON key and wrap it in single quote before pasting it in Service Account JSON File
field
Provide the following additional information apart from the common fields:
Username
Provide the username of your Quay account
Token
Provide the password of your Quay account
Provide below information if you select the registry type as Other
.
Registry URL
Enter the URL of your private registry
Username
Provide the username of your account where you have created your registry
Password/Token
Provide the password or token corresponding to the username of your registry
Advanced Registry URL Connection Options
Allow Only Secure Connection: Tick this option for the registry to allow only secure connections
Allow Secure Connection With CA Certificate: Tick this option for the registry to allow secure connection by providing a private CA certificate (ca.crt)
Allow Insecure Connection: Tick this option to make an insecure communication with the registry (for e.g., when SSL certificate is expired)
You can use any registry which can be authenticated using docker login -u <username> -p <password> <registry-url>
. However these registries might provide a more secured way for authentication, which we will support later.
You can create a Pod that uses a Secret to pull an image from a private container registry. You can use any private container registry of your choice, for e.g., Docker Hub.
Super-admin users can decide if they want to auto-inject registry credentials or use a secret to pull an image for deployment to environments on specific clusters.
To manage the access of registry credentials, click Manage.
There are two options to manage the access of registry credentials:
Do not inject credentials to clusters
Select the clusters for which you do not want to inject credentials
Auto-inject credentials to clusters
Select the clusters for which you want to inject credentials
You can choose one of the two options for defining credentials:
If you select Use Registry Credentials, the clusters will be auto-injected with the registry credentials of your registry type. As an example, If you select Docker
as Registry Type, then the clusters will be auto-injected with the username
and password/token
which you use on the Docker Hub account.
Click Save.
You can create a Secret by providing credentials on the command line.
Create this Secret and name it regcred
(let's say):
where,
namespace is your sub-cluster, e.g., devtron-demo
your-registry-server is your Private Docker Registry FQDN. Use https://index.docker.io/v1/ for Docker Hub.
your-name is your Docker username
your-pword is your Docker password
your-email is your Docker email
You have successfully set your Docker credentials in the cluster as a Secret called regcred
.
Typing secrets on the command line may store them in your shell history unprotected, and those secrets might also be visible to other users on your PC during the time when kubectl is running.
Enter the Secret name in the field and click Save.
Authorization
section describes how to authenticate and authorize access to resources, also managing role-based access levels in Devtron.
Access can be granted to a user via:
You can add more chart repositories to Devtron. Once added, they will be available in the All Charts
section of the .
Note: After the successful installation of Devtron, click Refetch Charts
to sync and download all the default charts listed on the dashboard.
To add chart repository, go to the Chart Repositories
section of Global Configurations
. Click Add repository.
Note: Only public chart repositories can be connected as of now via Devtron.
Provide below information in the following fields:
You can also update your saved chart repository settings.
Click the chart repository which you want to update.
Modify the required changes and click Update
to save you changes.
Note:
You can perform a dry run to validate the below chart repo configurations by clicking Validate
.
Devtron provides a sample configuration out of the box. There are some values that you need to either get from your SSO provider or give to your SSO provider.
clientID
clientSecret
redirectURI (provided in SSO Login Services by Devtron)
Devtron includes predefined helm charts that cover the majority of use cases. For any use case not addressed by the default helm charts, you can upload your own helm chart and use it as a custom chart in Devtron.
Who can upload a custom chart - Super admins
Who can use the custom chart - All users
A super admin can upload multiple versions of a custom helm chart.
A valid helm chart, which contains Chart.yaml
file with name and version fields.
Image descriptor template file .image_descriptor_template.json
.
Custom chart packaged in the *.tgz
format.
You can use the following command to create the Helm chart:
Please see the following example:
.image_descriptor_template.json
It's a GO template file that should produce a valid JSON
file upon rendering. This file is passed as the last argument in helm install -f myvalues.yaml -f override.yaml
command.
Place the .image_descriptor_template.json
file in the root directory of your chart.
You can use the following variables in the helm template (all the placeholders are optional):
The values from the CD deployment pipeline are injected at the placeholder specified in the
.image_descriptor_template.json
template file.
For example:
To create a template file to allow Devtron to only render the repository name and the tag from the CI/CD pipeline that you created, edit the
.image_descriptor_template.json
file as:
*.tgz
formatBefore you begin, ensure that your helm chart includes both
Chart.yaml
(withname
andversion
fields) and.image_descriptor_template.json
files.
The helm chart to be uploaded must be packaged as a versioned archive file in the format <helm-chart-name>-vx.x.x.tgz
.
The above command will create a my-custom-chart-0.1.0.tgz
file.
A custom chart can only be uploaded by a super admin.
On the Devtron dashboard, select Global Configurations > Custom charts.
Select Import Chart.
Select tar.gz file... and upload the packaged custom chart in the *.tgz
format.
The chart is being uploaded and validated. You may also Cancel upload if required.
The uploaded archive will be validated against:
Supported archive template should be in *.tgz
format.
Content of values.yaml
should be there in app-values.yaml
file.
release-values.yaml
file is required.
Chart.yaml
must include the name and the version number.
..image_descriptor_template.json
file should be present and the field format must match the format listed in the image builder template section.
The following are the validation results:
All users can view the custom charts.
To view the list of available custom charts, go to Global Configurations → Deployment Charts page.
The charts can be searched with their name, version, or description.
Info:
You can edit the GUI schema of both the deployment charts:
Charts provided by Devtron (Deployment, Job & CronJob, Rollout Deployment, and StatefulSet)
Custom charts uploaded by you
In this example, we will edit the Deployment chart type provided by Devtron.
Click the edit button next to the chart as shown below.
You may start editing the schema by excluding existing fields/objects or including more of them. Click the Refer YAML button to view all the supported fields.
While editing the schema, you may use the Preview GUI option for a real-time preview of your changes.
Click Save Changes.
Next, if you go to App Configuration → Base Deployment Template, you will be able to see the deployment template fields (in Basic GUI) as per your customized schema.
Devtron provides a sample configuration out of the box. There are some values that you need to either get from your SSO provider or give to your SSO provider.
clientID
clientSecret
redirectURI (provided in SSO Login Services by Devtron)
dex config if you want to integrate login with SSO (optional) for more information check
Provide a name to your Git provider. Note: This name will be available on the App Configuration > drop-down list.
Provide the Git host URL
.
As an example: for GitHub, for GitLab etc.
Enter the GitHub organization name. If you do not have one, refer .
Provide your personal access token (PAT). It is used as an alternate password to authenticate your GitHub account.
If you do not have one, create a GitHub PAT .
Access Required:
repo
- Full control of private repositories (able to access commit status, deployment status, and public repositories).
admin:org
- Full control of organizations and teams (Read and Write access). May not be required if you are using user-defined git repo.
delete_repo
- Grants delete repo access on private repositories.
Enter the GitLab group ID. If you do not have one, refer .
Provide your personal access token (PAT). It is used as an alternate password to authenticate your GitLab account.
If you do not have one, create a GitLab PAT .
Access Required:
api
- Grants complete read/write access to the scoped project API.
write_repository
- Allows read/write access (pull, push) to the repository.
Enter the Org URL of Azure DevOps. Format should be https://dev.azure.com/<org-name>
, where <org-name>
represents the organization name, e.g.,
Enter the Azure DevOps project name. If you do not have one, refer .
Provide your Azure DevOps access token. It is used as an alternate password to authenticate your Azure DevOps account.
If you do not have one, create a Azure DevOps access token .
Access Required:
code
- Grants the ability to read source code and metadata about commits, change sets, branches, and other version control artifacts. .
Enter the Bitbucket workspace ID. If you do not have one, refer
Enter the Bitbucket project key. If you do not have one, refer . Note: If the project is not provided, the repository is automatically assigned to the oldest project in the workspace.
Provide your personal access token (PAT). It is used as an alternate password to authenticate your Bitbucket Cloud account.
If you do not have one, create a Bitbucket Cloud PAT .
Access Required:
repo
- Full control of repositories (Read, Write, Admin, Delete) access.
Enter the Bitbucket project key. Refer .
Server URL of a cluster. Note: We recommended to use a instead of cloud hosted URL.
Provide a name to your registry, this name will appear in the Container Registry drop-down list available within the section of your application
The credential input fields may differ depending on the registry provider, check
Tick this checkbox if you wish to use the repository to push container images. This comes selected by default and you may untick it if you don't intend to push container images after a CI build. If you wish to to use the same repository to pull container images too, read .
User Auth: It is a key-based authentication, attach the ECR policy (AmazonEC2ContainerRegistryFullAccess) to the .
Provide the password/ corresponding to your docker hub account. It is recommended to use Token
for security purpose.
You can enable or disable your chart repository. If you enable it, then you will be able to see the enabled chart in All Charts
section of the .
Note: Chart.yaml
is the metadata file that gets created when you create a .
ConfigMap/Secret template should be same as that of our .
New by selecting Upload chart.
The custom charts can be used from the section.
The deployment strategy for a custom chart is fetched from the custom chart template and cannot be configured in the .
This section is an extension of feature within App Configuration → Base Deployment Template. Refer the document to know more about the significance of having a customizable GUI schema for your deployment templates.
A GUI schema is available for you to edit in case of Devtron charts. In case of custom charts, you may have to define a GUI schema yourself. To know how to create such GUI schema, refer .
Name
Provide a Name
of your chart repository. This name is added as prefix to the name of the chart in the listing on the helm chart section of application.
URL
This is the URL of your chart repository. E.g. https://charts.bitnami.com/bitnami
Name
Name of the helm chart (Required).
Version
This is the chart version. Update this value for each new version of the chart (Required).
Description
Description of the chart (Optional).
image_tag
The build image tag
image
Repository name
pipelineName
The CD pipeline name created in Devtron
releaseVersion
Devtron's internal release number
deploymentType
Deployment strategy used in the pipeline
app
Application's ID within the Devtron ecosystem
env
Environment used to deploy the chart
appMetrics
For the App metrics UI feature to be effective, include the appMetrics
placeholder.
Success
The files uploaded are validated.
Enter a description for the chart and select Save or Cancel upload.
Unsupported template
The archive file do not match the required template.
Upload another chart or Cancel upload.
New version detected
You are uploading a newer version of an existing chart
Enter a Description and select Save to continue uploading, or Cancel upload.
Already exists
There already exists a chart with the same version.
Edit the version and re-upload the same chart using Upload another chart.
Upload a new chart with a new name using Upload another chart.
Cancel upload.
External Links allow you to connect to the third-party applications within your Devtron dashboard for seamlessly monitoring/debugging/logging/analyzing your applications. You can select from the pre-defined third-party applications such as Grafana
to link to your application for quick access.
Configured external links will be available on the App details
page. You can also integrate Document
or Folder
using External Links.
Some of the third-party applications which are pre-defined on Devtron
Dashboard are:
Grafana
Kibana
Newrelic
Coralogix
Datadog
Loki
Cloudwatch
Swagger
Jira etc.
To monitor/debug an application using a specific Monitoring Tool (such as Grafana, Kibana, etc.), you may need to navigate to the tool's page, then to the respective app/resource page.
External Links
can take you directly to the tool's page, which includes the context of the application, environment, pod, and container.
Before you begin, configure an application in the Devtron dashboard.
Super admin access
Monitoring tool URL
Note: External links can only be added/managed by a super admin, but non-super admin users can access the configured external links on the App Configuration
page.
On the Devtron dashboard, go to the Global Configurations
from the left navigation pane.
Select External links
.
Select Add Link.
On the Add Link
page, select the external link (e.g. Grafana) which you want to link to your application from Webpage.
The following fields are provided on the Add Link page:
Link name
Provide name of the link.
Description
Description of the link name.
Show link in
All apps in specific clusters: Select this option to select the cluster.
Specific applications: Select this option to select the application.
Clusters
Choose the clusters for which you want to configure the selected external link with.
Select one or more than one cluster to enable the link on the specified clusters.
Select All Clusters to enable the link on all the clusters.
Applications
Choose the application for which you want to configure the selected external link with.
Select one or more than one application to enable the link on the specified application.
Select All applications to enable the link on all the applications. Note: If you enable `App admins can edit`, then you can view the selected links on the App-Details page.
URL Template
The configured URL Template is used by apps deployed on the selected clusters/applications. By combining one or more of the env variables, a URL with the structure shown below can be created: http://www.domain.com/{namespace}/{appName}/details/{appId}/env/{envId}/details/{podName} If you include the variables {podName} and {containerName} in the URL template, then the configured links (e.g. Grafana) will be visible only on the pod level and container level respectively. The env variables:
{appName}
{appId}
{envId}
{namespace}
Note: The env variables will be dynamically replaced by the values that you used to configure the link.
Note: To add multiple links, select + Add another at the top-left corner.
Click Save.
The users (admin and others) can access the configured external link on the App Details page.
Note: If you enable App admins can edit
on the External Links
page, then only non-super admin users can view the selected links on the App Details
page.
On the External Links
page, the configured external links can be filtered/searched, as well as edited/deleted.
Select Global Configurations > External links
.
Filter and search the links based on the link's name or a user-defined name.
Edit a link by selecting the edit icon next to an external link.
Delete an external link by selecting the delete icon next to a link. The bookmarked link will be removed in the clusters for which it was configured.
Using the Permission groups
, you can assign a user to a particular group and a user inherits all the permissions granted to the group.
The advantage of the Permission groups
is to define a set of privileges like create, edit, or delete for the given set of resources that can be shared among the users within the group.
The User permissions section for Specific permissions
contains a drop-down list of all existing groups for which a user has an access. This is an optional field and more than one groups can be selected for a user.
Go to Global Configurations → Authorization → Permissions groups → Add group.
Enter the Group Name
and Description
.
You can either grant super-admin permission to a user group or specific permissions to manage access for:
In Devtron Apps
option, you can provide access to a group to manage permission for custom apps created using Devtron.
The Devtron Apps
option will be available only if you install CI/CD integration.
Provide the information in the following fields:
Project
Select a project from the drop-down list to which you want to give permission to the group. You can select only one project at a time.
Note: If you want to select more than one project, then click Add row
.
Environment
Select the specific environment or all environments from the drop-down list.
Note: If you select All environments
option, then a user gets access to all the current environments including any new environment which gets associated with the application later.
Application
Select the specific applications or all applications from the drop-down list corresponding to your selected Environments.
Note: If you select All applications
option, then a user gets access to all the current applications including any new application which gets associated with the project later
.
Role
View only
Build and Deploy
Admin
Manager
You can add multiple rows for Devtron Apps
permission.
Once you have finished assigning the appropriate permissions for the groups, Click Save.
In Helm Apps
option, you can provide access to a group to manage permission for Helm apps deployed from Devtron or outside Devtron.
Provide the information in the following fields:
Project
Select a project from the drop-down list to which you want to give permission to the group. You can select only one project at a time.
Note: If you want to select more than one project, then click Add row
.
Environment or cluster/namespace
Select the specific environment or all existing environments in default cluster
from the drop-down list.
Note: If you select all existing + future environments in default cluster
option, then a user gets access to all the current environments including any new environment which gets associated with the application later.
Application
Select the specific application or all applications from the drop-down list corresponding to your selected Environments.
Note: If All applications
option is selected, then a user gets access to all the current applications including any new application which gets associated with the project later
.
Role
View only
View & Edit
Admin
You can add multiple rows for Devtron app permission.
Once you have finished assigning the appropriate permissions for the groups, Click Save.
In Jobs
option, you can provide access to a group to manage permission for jobs created using Devtron.
Provide the information in the following fields:
Project
Select a project from the drop-down list to which you want to give permission to the group. You can select only one project at a time.
Note: If you want to select more than one project, then click Add row
.
Job Name
Select the specific job name or all jobs from the drop-down list.
Note: If you select All Jobs
option, then the user gets access to all the current jobs including any new job which gets associated with the project later.
Workflow
Select the specific workflow or all workflows from the drop-down list.
Note: If you select All Workflows
option, then the user gets access to all the current workflows including any new workflow which gets associated with the project later.
Environment
Select the specific environment or all environments from the drop-down list.
Note: If you select All environments
option, then the user gets access to all the current environments including any new environment which gets associated with the project later.
Role
View only
Run job
Admin
You can add multiple rows for Jobs
permission.
Once you have finished assigning the appropriate permissions for the groups, Click Save.
In Kubernetes Resources
option, you can provide permission to view, inspect, manage, and delete resources in your clusters from Kubernetes Resource Browser page in Devtron. You can also create resources from the Kubernetes Resource Browser
page.
Only super admin users will be able to see Kubernetes Resources
tab and provide permission to other users to access Resource Browser
.
To provide Kubernetes resource permission, click Add permission
.
On the Kubernetes resource permission
, provide the information in the following fields:
Cluster
Select a cluster from the drop-down list to which you want to give permission to the user. You can select only one cluster at a time.
Note: To add another cluster, then click Add another
.
Namespace
Select the namespace from the drop-down list.
API Group
Select the specific API group or All API groups
from the drop-down list corresponding to the K8s resource.
Kind
Select the kind or All kind
from the drop-down list corresponding to the K8s resource.
Resource name
Select the resource name or All resources
from the drop-down list to which you want to give permission to the user.
Role
View
Admin
You can add multiple rows for Kubernetes resource permission.
Once you have finished assigning the appropriate permissions for the groups, Click Save.
In Chart group permission
option, you can manage the access of groups for Chart Groups in your project.
The Chart group permission
option will be available only if you install CI/CD integration.
You can only give users the ability to create
or edit
, not both.
View
Enable View
to view chart groups only.
Create
Enable Create
if you want the users to create, view, edit or delete the chart groups.
Edit
Deny: Select Deny
option from the drop-down list to restrict the users to edit the chart groups.
Specific chart groups: Select the Specific Charts Groups
option from the drop-down list and then select the chart group for which you want to allow users to edit.
Click Save once you have configured all the required permissions for the groups.
You can edit the permission groups by clicking the downward arrow.
Edit the permission group.
Once you are done editing the permission group, click Save.
If you want to delete the groups with particular permission group, click Delete.
Like any enterprise product, Devtron supports fine grained access control to the resources based on:
Type of action allowed on Devtron resources (Create Vs View)
Sensitivity of the data (Editing image Vs Editing memory)
Access can be added to the User either directly or via Permission groups.
Devtron supports the following levels of access:
View only: User with View only
access has the least privilege. This user can only view combination of environments, applications and helm charts on which access has been granted to the user. This user cannot view sensitive data like secrets used in applications or charts.
Build and Deploy: In addition to View only
access, user with Build and deploy
permission can build and deploy the image of the permitted applications and helm charts to the permitted environments.
Admin: User with Admin
access can create, edit, delete and view permitted applications in the permitted projects.
Manager: User with Manager
access can do everything that an Admin
type user can do, in addition, they can also give and revoke access of users for the applications and environments of which they are Manager
.
Super Admin: User with Super admin
privilege has unrestricted access to all Devtron resources. Super admin can create, modify, delete and view any Devtron resource without any restriction; its like Superman without the weakness of Kryptonite. Super Admin can also add and delete user access across any Devtron resource, add delete git repository credentials, container registry credentials, cluster and environment.
View
Yes
No
No
No
No
Build and Deploy
Yes
No
No
No
Yes
Admin
Yes
Yes
Yes
Yes
Yes
Manager
Yes
Yes
Yes
Yes
Yes
Super Admin
Yes
Yes
Yes
Yes
Yes
View Only
Yes
No
No
No
View and Edit
Yes
Yes
Yes
No
Admin
Yes
Yes
Yes
Yes
Super Admin
Yes
Yes
Yes
Yes
Manager
Yes
Yes
Yes
Super Admin
Yes
Yes
Yes
Super Admin
Yes
Yes
Yes
To add a user, go to the Authorization > User Permissions
section of Global Configurations
. Click Add user.
There are two types of permissions in Devtron:
Specific permissions
Devtron Apps
Helm Apps
Kubernetes Resources
Chart Groups
Super admin permission
To assign a super admin access, go to the Authorization > User Permissions
section of Global Configurations
.
Click Add user.
Provide the email address of a user. You can add more than one email address. Please note that email address must be same as that in the email
field in the JWT token returned by OIDC provider.
Select Super admin permission
and click Save
.
A user now will have a Super admin access.
Note:
Only users with Super admin permission
can assign super admin permissions to a user.
We suggest that super admin access must be given to the selected users only.
To assign a specific permission, go to the Authorization > User Permissions
section of Global Configurations
.
Click Add user.
Provide the email address of a user. You can add more than one email address. Please note that email address must be same as that in the email
field in the JWT token returned by OIDC provider.
Select Specific permissions
.
Select the group permission from the drop-down list, if required.
Selecting Specific permission
option allows you to manage access and provide the role-based access accordingly for
In Devtron Apps
option, you can provide access to a user to manage permission for custom apps created using Devtron.
Note: The Devtron Apps
option will be available only if you install CI/CD integration.
Provide the information in the following fields:
Project
Select a project from the drop-down list to which you want to give permission to the user. You can select only one project at a time.
Note: If you want to select more than one project, then click Add row
.
Environment
Select the specific environment or all environments from the drop-down list.
Note: If you select All environments
option, then a user gets access to all the current environments including any new environment which gets associated with the application later.
Application
Select the specific applications or all applications from the drop-down list corresponding to your selected Environments.
Note: If you select All applications
option, then a user gets access to all the current applications including any new application which gets associated with the project later
.
Role
View only
Build and Deploy
Admin
Manager
You can add multiple rows for Devtron app permission.
Once you have finished assigning the appropriate permissions for the users, Click Save
.
In Helm Apps
option, you can provide access to a user to manage permission for Helm apps deployed from Devtron or outside Devtron.
Provide the information in the following fields:
Project
Select a project from the drop-down list to which you want to give permission to the user. You can select only one project at a time.
Note: If you want to select more than one project, then click Add row
.
Environment or cluster/namespace
Select the specific environment or all existing environments in default cluster
from the drop-down list.
Note: If you select all existing + future environments in default cluster
option, then a user gets access to all the current environments including any new environment which gets associated with the application later.
Application
Select the specific application or all applications from the drop-down list corresponding to your selected Environments.
Note: If All applications
option is selected, then a user gets access to all the current applications including any new application which gets associated with the project later
.
Role
View only
View & Edit
Admin
You can add multiple rows for Devtron app permission.
Once you have finished assigning the appropriate permissions for the users, Click Save
.
In Kubernetes Resources
option, you can provide permission to view, inspect, manage, and delete resources in your clusters from Kubernetes Resource Browser page in Devtron. You can also create resources from the Kubernetes Resource Browser
page.
Note: Only super admin users will be able to see Kubernetes Resources
tab and provide permission to other users to access Resource Browser
.
To provide Kubernetes resource permission, click Add permission
.
On the Kubernetes resource permission
, provide the information in the following fields:
Cluster
Select a cluster from the drop-down list to which you want to give permission to the user. You can select only one cluster at a time.
Note: To add another cluster, then click Add another
.
Namespace
Select the namespace from the drop-down list.
API Group
Select the specific API group or All API groups
from the drop-down list corresponding to the K8s resource.
Kind
Select the kind or All kind
from the drop-down list corresponding to the K8s resource.
Resource name
Select the resource name or All resources
from the drop-down list to which you want to give permission to the user.
Role
View
Admin
You can add multiple rows for Kubernetes resource permission.
Once you have finished assigning the appropriate permissions for the users, Click Save
.
In Chart group permission
option, you can manage the access of users for Chart Groups in your project.
Note: The Chart group permission
option will be available only if you install CI/CD integration.
NOTE: You can only give users the ability to create
or edit
, not both.
View
Enable View
to view chart groups only.
Create
Enable Create
if you want the users to create, view, edit or delete the chart groups.
Edit
Deny: Select Deny
option from the drop-down list to restrict the users to edit the chart groups.
Specific chart groups: Select the Specific Charts Groups
option from the drop-down list and then select the chart group for which you want to allow users to edit.
Click Save
once you have configured all the required permissions for the users.
Direct user permissions cannot be edited if you're using LDAP/Microsoft for SSO and 'auto-assign permission' is enabled. Permissions can only be managed via permission groups in such a scenario.
You can edit the user permissions by clicking on the downward arrow
.
Edit the user permissions.
After you have done editing the user permissions, click Save
.
If you want to delete the user/users with particular permissions, click Delete
.
Devtron provides a sample configuration out of the box. There are some values that you need to either get from your SSO provider or give to your SSO provider.
clientID
clientSecret
redirectURI (already provided in SSO Login Services by Devtron)
Devtron provides a sample configuration out of the box. Here are some values you need to fetch from your LDAP.
bindDN
bindPW
baseDN
Since LDAP supports creation of User Groups, this feature simplifies the onboarding process of organizations having a large headcount of users. It also eliminates repetitive permission assignment by automatically mapping your LDAP User groups to Devtron's Permission Groups during single sign-on (SSO) login.
If you've created user groups in LDAP, you can create corresponding permission groups in Devtron with the same names. When members of those user groups first log in to Devtron, they'll automatically inherit the permissions from their Devtron permission group. This means you can't manually adjust or add individual permissions for users mapped to a permission group.
SSO login requires exact matching between Devtron permission group names and LDAP user groups. Any discrepancies or missing groups will prevent successful login.
Once you save the configuration with this auto-assign feature enabled, existing user permissions will be cleared and the future permissions will be managed through Permission Groups linked to LDAP user groups.
If you're missing some permissions that you know you should have, try logging out and signing back in to Devtron. This will refresh your permissions based on your latest LDAP user group.
With the Manage Notification
feature, you can manage the notifications for your build and deployment pipelines. You can receive the notifications on Slack or via e-mail.
Go to the Global Configurations
-> Notifications
Click Configurations
to add notification configuration in one of the following options:
You can manage the SES configuration
to receive e-mails by entering the valid credentials. Make sure your e-mail is verified by SES.
Click Add
and configure SES.
Configuration Name
Provide a name to the SES Configuration.
Access Key ID
Valid AWS Access Key ID.
Secret Access Key
Valid AWS Secret Access Key.
AWS Region
Select the AWS Region from the drop-down menu.
E-mail
Enter the SES verified e-mail id on which you wish to receive e-mail notifications.
Click Save
to save your SES configuration or e-mail ID
You can manage the SMTP configuration
to receive e-mails by entering the valid credentials. Make sure your e-mail is verified by SMTP.
Click Add
and configure SMTP.
Configuration Name
Provide a name to the SMTP Configuration
SMTP Host
Host of the SMTP.
SMTP Port
Port of the SMTP.
SMTP Username
Username of the SMTP.
SMTP Password
Password of the SMTP.
E-mail
Enter the SMTP verified e-mail id on which you wish to receive e-mail notifications.
Click Save
to save your SMTP configuration or e-mail ID
You can manage the Slack configurations
to receive notifications on your preferred Slack channel.
Click Add
to add new Slack Channel.
Slack Channel
Name of the Slack channel on which you wish to receive notifications.
Webhook URL
Project
Select the project name to control user access.
Click Save
and your slack channel will be added.
Click Add New
to receive new notification.
Send To
When you click on the Send to
box, a drop-down will appear, select your slack channel name if you have already configured Slack Channel. If you have not yet configured the Slack Channel, Configure Slack Channel
Select Pipelines
Then, to fetch pipelines of an application, project and environment.
Choose a filter type(environment
, project
or application
)
You will see a list of pipelines corresponding to your selected filter type, you can select any number of pipelines. For each pipeline, there are 3 types of events Trigger
, Success
, and Failure
. Click on the checkboxes for the events, on which you want to receive notifications.
Click Save
when you are done with your Slack notification configuration.
Send To
Click Send To
box, select your e-mail address/addresses on which you want to send e-mail notifications. Make sure e-mail id are SES Verified.
If you have not yet configured SES, Configure SES.
Select Pipelines
To fetch pipelines of an application, project and environment.
Choose a filter type(environment, project or application)
You will see a list of pipelines corresponding to your selected filter type, you can select any number of pipelines. For each pipeline, there are 3 types of events Trigger
, Success
, and Failure
. Click on the checkboxes for the events, on which you want to receive notifications.
Click Save
once you have configured the SES notification.
Send To
Click Send To
box, select your e-mail address/addresses on which you want to send e-mail notifications. Make sure e-mail IDs are SMTP Verified.
If you have not yet configured SMTP, Configure SMTP.
Select Pipelines
To fetch pipelines of an application, project and environment.
Choose a filter type(environment, project or application)
You will see a list of pipelines corresponding to your selected filter type, you can select any number of pipelines. For each pipeline, there are 3 types of events Trigger
, Success
, and Failure
. Click on the checkboxes for the events, on which you want to receive notifications.
Click Save
once you have configured the SMTP notification.
Unplanned or last minute deployments of applications can affect the services of an organization. Consequently, its business impact will be severe if such disruptions occur during peak hours or critical periods (say festive season or no deployment on Fridays).
Therefore, Devtron comes with a feature called 'Deployment Window' that allows you to define specific timeframes during which application deployments are either blocked or allowed in specific environments. Moreover, actions that can potentially impact the existing deployment are also restricted, which include:
However, exempted users can still perform the above actions even during blocked periods.
Definition
Time period during which deployments are not allowed
Only time period during deployments are allowed
Use
To block deployments when systems are already stable and running a critical business in peak hours
To allow deployments preferably during non-business hours so as to minimize any negative impact on end-users
In case of overlap?
Blackout window gets a higher priority over maintenance window
Maintenance window has a lower priority
Technically, both of them are different methods of restricting deployments to an environment. For example, specifying either a blackout window of [8:00 AM to 10:00 PM] or a maintenance window of [10:00 PM to 8:00 AM] essentially does the same job. You can define either of them depending on your use case.
Go to Global Configurations → Deployment Window.
This involves two parts:
This involves the process of creating a blackout window or a maintenance window.
In the Windows
tab, click + Add Window.
Give an appropriate name to your deployment window (e.g., weekend restrictions) and write a brief description that explains what the deployment window does. Refer this section to view the pages where the window name and description will appear.
Choose a deployment window type, i.e., maintenance window or blackout window.
In your deployment window, make sure to choose the correct time zone (by default it is determined from the browser you use).
Let's say you are a super-admin located in New Delhi (GMT +5:30) and you wish to restrict midnight deployments according to the Californian timings (GMT -07:00) for your team in the US. Therefore, it's crucial to choose the correct time zone (i.e., GMT -07:00) and then add the duration (see next steps).
This ensures that deployments occur at the intended local time, helping to avoid disruptions, and facilitating co-ordinated operations across different regions.
Click + Add duration.
The following options are available for you to enforce the deployment window:
Once: Use this to make your deployment window active between two specific date and time, e.g., 20 Jun 2024, 08:00 PM ➝ 26 Jun 2024, 05:00 PM
Daily: Use this to make your deployment window active everyday between specific timings, e.g., daily between 12:00 AM ➝ 06:00 AM
Weekly: On selected days at specific timings, e.g., Wed and Sun • 02:00 AM ➝ 05:30 AM
Weekly Range: Between days of the week, e.g., Mon (02:00 AM) to Fri (05:30 AM)
Monthly: On or between days of the month, e.g., Day 1 (10:30 PM) to Day 2 (06:30 AM)
You can also add Start Date and End Date to your recurring deployment window.
Start Date
Use this to enforce restrictions of a deployment window only after a specific date
End Date
Use this to stop restrictions of a deployment window beyond a specific date
Both Start Date and End Date
Use these to confine your deployment window restrictions between two dates
Let's say you wish to enforce a blackout window every weekend to prevent unsolicited deployments by your team. If you select a weekly range (e.g., Saturday 12:00 AM to Monday 12:00 AM) and apply the deployment window without specifying dates, the weekend restrictions will persist indefinitely.
However, by specifying a start date and an end date (as shown below), your deployment window will have a defined validity period. This ensures that the deployment window restrictions are temporary and do not extend beyond the intended timeframe.
After clicking Done, you can use the + Add duration button to add more than one duration (for e.g., one monthly and one weekly) in a given deployment window.
You can also determine the users who can take actions (say deployment) even when restrictions are in place. These can be super-admins, specific users, both, or none.
Enter a display message to show the user whose deployment gets blocked, e.g., Try deploying on Monday - Weekend deployment is not a best practice - Contact your Admin. This will help the user understand the restriction better.
Click Save Changes.
If required, you can edit a deployment window to modify it as shown below.
You may delete a deployment window if it's not needed anymore. If the deployment window was applied to any deployment pipeline (application + environment), the restrictions would no longer exist.
This involves the process of applying the deployment window you created above to your deployment pipeline(s).
Go to the Apply To tab and click the No windows dropdown next to the [application + environment] you wish to apply deployment window(s).
Select the deployment windows from the dropdown and click Save Changes.
If you wish to apply deployment windows to multiple applications and environments at once, use the checkbox.
We recommend you to use the available filters (Application, Environment, Deployment Window) to simplify the process of application + environment selection.
On the floating widget, click Manage Windows.
Click the Add Deployment Windows dropdown to choose the deployment window(s).
Use the Review Changes option to confirm the impacted environment(s) and click Save.
You can remove deployment window(s) applied to one or more deployment pipelines as shown below.
The Deployment window section shows the blackout and maintenance windows configured for each environment of the application.
However, if a deployment window doesn't exist for an environment, the message No deployment windows are configured
would be displayed next to it.
You may click the dropdown icon to view the details which include:
Type of deployment window (Blackout/Maintenance)
Name and description
Frequency of window (once, weekly, monthly, yearly)
Duration
Unlike the Overview page which shows deployment windows for all environments, the App Details page does not show all deployment windows configured for the environment. It shows:
Active deployment windows
Upcoming deployment windows
For example, if the super-admin has configured 4 deployment windows (say 2 Blackout and 2 Maintenance), you will see 4 cards stacked upon each other. However, no cards will be shown if deployment windows aren't configured. You may click on the windows card stack to view the details of active and upcoming deployment windows.
The default time period for showing upcoming deployment windows is 90 days. You can configure this individually for blackout and maintenance windows, via ConfigMap, in the Orchestrator
microservice as shown below:
The below functions are blocked during an ongoing blackout window or outside maintenance window.
The exempted users specified in the deployment window configuration can perform the above actions.
When you hibernate an application, it becomes non-functional. To avoid this, hibernation of application is blocked.
Although Kubernetes handles the restart process smoothly, there is a possibility of interruptions or downtime. To avoid this, restarting workloads (say Pod, Deployment, ReplicaSet) of an application is blocked when deployment is restricted.
Similar to restart workloads, deletion of workloads might disrupt the desired state and behavior of the application, hence it is barred during a deployment block.
Go to the Build & Deploy
tab. The CD pipelines with restricted deployment will carry a DO NOT DEPLOY
label.
Despite that, if a user selects an eligible image and proceeds to deploy, it will show Deployment is blocked
along with a list of exempted users who are allowed to deploy.
Not just manual trigger, deployments remain blocked even if the trigger mode is automatic. In such cases, if a new CI image is built, the user has to manually deploy once the deployment block is lifted.
The Deployment History
tab will also log whether a given deployment was initiated during a blackout window or outside a maintenance window.
Rolling back to an older version, by using a previously deployed image, is barred during a deployment block.
Go to App Configuration → Workflow.
In Devtron, deleting a CD pipeline affects the current state of the deployed application. Moreover, it might impact future deployments and you will also lose information about past deployments, i.e., Deployment History.
If you attempt to delete any CD pipeline with restricted deployment, it will show Pipeline deletion is blocked
.
Just like application, application groups are also subjected to deployment windows.
Let's say you have 10 applications in your application group, and a blackout window is ongoing for 3 of them. In such a case, if you deploy your application group, those 3 applications will not get deployed. Therefore, you might experience a partial success along with an option to retry the failed deployments.
The same stands true for other bulk actions like hibernate, unhibernate, and restart workloads.
Devtron offers the option to pull container images using digest. Refer to know the purpose it serves.
Though it can be enabled by an application-admin for a given CD Pipeline, Devtron also allows super-admins to enable pull image digest at environment level.
This helps in better governance and less repetitiveness if you wish to manage pull image digest for multiple applications across environments.
From the left sidebar, go to Global Configurations → Pull Image Digest.
As a super-admin, you can decide whether you wish to enable pull image digest or .
This is for enabling pull image digest for deployment to all environments.
Enable the toggle button next to Pull image digest for all existing & future environments
.
Click Save Changes.
This is for enabling pull image digest for specific environments. Therefore, only those applications deploying to selected environment(s) will have pull image digest enabled in its CD pipeline.
Use the checkbox to choose one or more environments present within the list of clusters you have on Devtron.
Click Save Changes.
Devtron's Tags Policy
feature enables you to assign tags to your applications. Devtron also offers the option to propagate the tags assigned to an application as labels within the associated Kubernetes resources.
To add tags, follow these steps:
From the left pane, navigate to the Global Configuration
section.
Select Tags
within the Global Configuration
section.
Once you are in the Tags
section, locate the Add Tag button in the upper-right corner of the screen and click it.
Within the Add Tag
section, you will find two options for tags:
Suggested tags: These tags appear as suggestions when adding tags to applications.
Mandatory tags: These tags are required for applications within the selected project.
To create mandatory tags, choose the second option: Mandatory tags
. This ensures that the specified tags are mandatory for the applications within the selected project.
Next, choose the project(s) for which you want to create mandatory tags. You can select multiple projects at once (if required).
After selecting the projects, proceed to add the mandatory tags for the selected projects.
By default, tags assigned to applications in Devtron are not automatically propagated to Kubernetes resources as labels. However, Devtron provides the flexibility to enable this feature if desired.
When the propagation is enabled for tags from the global configuration, the tags will be automatically propagated as labels for all applications within the projects where these tags are used. Even if tag propagation is disabled from the global configuration in Devtron, you still have the option to enable propagation at the application level.
In a project where mandatory tags are enabled, it is required to provide values for those tags when creating new applications. Without providing values for the mandatory tags, it is not possible to create a new application within that project.
When mandatory tags are enabled, Devtron enforces the requirement to specify values for these tags during the application creation process. This ensures that all applications within the project adhere to the specified tag values.
If tag propagation for a project is disabled globally, you can still enable it for individual applications. During the application creation process, you have the option to enable tag propagation specifically for that application. By doing so, the tags assigned to that application will be propagated as labels to the associated Kubernetes resources.
The you create in Devtron for managing the CI-CD of your application can be made flexible or restricting with the help of CD filter conditions, for e.g., not all events (such as image builds) generated during the CI stage require progression to the CD stage. Therefore, instead of creating multiple workflows that cater to complex requirements, Devtron provides you the option of defining filters to tailor your workflow according to your specific needs.
Using filter conditions, you can control the progression of events. Here are a few general examples:
Images containing the label "test" should not be eligible for deployment in production environment
Only images having tag versions greater than v0.7.4 should be eligible for deployment
Images hosted on Docker Hub should be eligible but not the rest
Only images derived from master branch should be eligible for production deployment (see )
From the left sidebar, go to Global Configurations → Filter Condition.
Add a filter condition.
In the Define Filter condition section, you get the following fields:
Filter For: Choose the pipeline upon which the filter should apply. Currently, you can use filter conditions for CD pipelines only. Support for CI pipelines is underway.
Filter Name: Give a name to the filter.
Description: (Optional) Add a description to the filter, preferably explaining what it does.
Filter Condition: You can specify either a pass condition, fail condition, or both the conditions:
Pass Condition: Events that satisfy the pass condition are eligible to trigger your CD pipeline.
Fail Condition: Events that satisfy the fail condition are not eligible to trigger your CD pipeline.
Use CEL Expression: You can use Common Expression Language
(CEL) to define the conditions. Currently, you can create conditions with the help of following variables:
containerImage: Package that contains all the necessary files and instructions to run an application in a container, e.g., gcr.io/k8s-minikube/kicbase:v0.0.39. It returns a string value in the following format: <registry>/<repository>:<tag>
containerRepository: Storage location for container images, e.g., kicbase
containerImageTag: Versioning of image to indicate its release, e.g., v0.0.39
imageLabels: The label(s) you assign to an image in the CD pipeline, e.g., ["PROD","Stage"]. It returns an array of strings.
Click View filter criteria to check the supported criteria. You get a copy button and a description of each criterion upon hovering. Moreover, you can go to CEL expression to learn more about the rules and supported syntax. Check to know more.
Click Next.
In the Apply to section, you get the following fields:
Application: Choose one or more applications to which your filter condition must apply.
Environment: Choose one or more environments to which your filter condition must apply.
Since an application can have more than one environment, the filter conditions apply only to the environment you chose in the Apply to section. If you create a filter condition without choosing an application or environment, it will not apply to any of your pipelines.
Click Save. You have successfully created a filter.
If you create filters using CEL expressions that result in a conflict (i.e., passing and failing of the same image), fail will have higher precedence
Consider a scenario where you wish to make an image eligible for deployment only if its tag version is greater than v0.0.7
The CEL Expression should be containerImageTag > "v0.0.7"
Go to the Build & Deploy tab. The filter condition was created specifically for test
environment, therefore the filter condition would be evaluated only at the relevant CD pipeline, i.e., test
Click Select Image for the test
CD pipeline. The first tab Eligible images shows the list and count of images that have satisfied the pass condition since their tag versions were greater than v0.0.7
. Hence, they are marked eligible for deployment.
The second tab Latest images shows the latest builds (up to 10 images) irrespective of whether they have satisfied the filter condition(s) or not. The ones that have not satisfied the filter conditions get marked as Excluded
. In other words, they are not eligible for deployment.
Clicking the filter icon at the top-left shows the filter condition(s) applied to the test
CD pipeline.
Consider another scenario where you wish to make images eligible for deployment only if the application's git branch starts with the word hotfix
and also if its repo URL matches your specified condition.
CEL Expression:
gitCommitDetails.filter(gitCommitDetail, gitCommitDetail.startsWith('https://github.com/devtron-labs')).map(repo, gitCommitDetails[repo].branch).exists_one(branch, branch.startsWith('hotfix-'))
where, https://github.com/devtron-labs
is a portion of the repo URL
and hotfix-
is for finding the branch name (say hotfix-sept-2024)
Alternatively, if you have a fixed branch (say hotfix-123), you may write the following expression:
'hotfix-123' in gitCommitDetails.filter(gitCommitDetail, gitCommitDetail.startsWith('https://github.com/devtron-labs')).map(repo, gitCommitDetails[repo].branch)
Walkthrough Video:
Consider a scenario where you wish to exclude an image from deployment if its tag starts with the word trial
or ends with the word testing
The CEL Expression should be containerImageTag.startsWith("trial") || containerImageTag.endsWith("testing")
Go to the Build & Deploy tab. The filter condition was created specifically for devtron-demo
environment, therefore the filter condition would be evaluated only at the relevant CD pipeline, i.e., devtron-demo
Click Select Image for the devtron-demo
CD pipeline. The first tab Eligible images shows the list and count of images that have not met the fail condition. Hence, they are marked eligible for deployment.
The second tab Latest images shows the latest builds (up to 10 images) irrespective of whether they have satisfied the filter condition(s) or not. The ones that have satisfied the filter conditions get marked as Excluded
. In other words, they are not eligible for deployment.
Clicking the filter icon at the top-left shows the filter condition(s) applied to the devtron-demo
CD pipeline.
The might contain certain configurations intended for the DevOps team (e.g., ingress
), and not meant for developers to modify.
Therefore, Devtron allows super-admins to restrict such fields from modification or deletion.
This stands true for deployment templates in:
The 'protect configuration' feature is meant to verify the edits by introducing an approval flow for any changes made to the configuration files, i.e., Deployment template, ConfigMaps, and Secrets. This is performed at application-level.
Whereas, the 'lock deployment configuration' feature goes one step further. It is meant to prevent any edits to specific keys by non-super-admins. This applies only to deployment templates and is performed at global-level.
Go to Global Configurations → Lock Deployment Config. Click Configure Lock.
(Optional) Click Refer Values.YAML to check which keys you wish to lock.
Click Save.
A confirmation dialog box would appear. Read it and click Confirm.
User can hide/unhide the locked keys as shown below.
Let's assume the user edits one of the locked keys...
...and saves the changes.
A modal window will appear on the right highlighting the non-eligible edits.
Let's assume the user edits a key that is not locked or adds a new key.
The modal window will highlight the eligible edits. However, it will not let the user save those eligible edits unless the user clicks the checkbox: Save changes which are eligible for update.
Once the user clicks the Update button, the permissible changes will reflect in the deployment template.
The same result can be seen if the user tries to edit environment-specific deployment templates.
If you want to check the current version of Devtron you are using, please use the following command.
Please ignore any errors you encounter while running the upgrade script
An ideal deployment workflow may consist of multiple stages (e.g., SIT, UAT, Prod environment).
Therefore, Devtron offers a feature called 'Image Promotion Policy' that allows you to directly promote an image to the target environment, bypassing the intermediate stages in your workflow including:
You can create a policy using our APIs or through Devtron CLI. To get the latest version of the devtctl binary, please contact your enterprise POC or reach out to us directly for further assistance.
Here is the CLI approach:
Syntax:
Arguments:
--name
(required): The name of the image promotion policy.
--description
(optional): A brief description of the policy, preferably explaining what it does.
--failCondition
(optional): Images that match this condition will NOT be eligible for promotion to the target environment.
--approverCount
(optional): The number of approvals required to promote an image (0-6). Defaults to 0 (no approvals).
--allowRequestFromApprove
(optional): (Boolean) If true, user who raised the image promotion request can approve it. Defaults to false.
--allowImageBuilderFromApprove
(optional): (Boolean) If true, user who triggered the build can approve the image promotion request. Defaults to false.
--allowApproverFromDeploy
(optional): (Boolean) If true, user who approved the image promotion request can deploy that image. Defaults to false.
--applyPath
(optional): Specify the path to the YAML file that contains the list of applications and environments to which the policy should be applicable.
If an image matches both pass and fail conditions, the priority of the fail condition will be higher. Therefore, such image will NOT be eligible for promotion to the target environment.
If you don't define both pass and fail conditions, all images will be eligible for promotion.
You can apply a policy using our APIs or through Devtron CLI. Here is the CLI approach:
Create a YAML file and give it a name (say applyPolicy.yaml
). Within the file, define the applications and environments to which the image promotion policy should apply, as shown below.
Apply the policy using the following CLI command:
Here, you can promote images to the target environment(s).
Go to the Build & Deploy tab of your application.
Click the Promote button next to the workflow in which the you wish to promote the image. Please note, the button will appear only if image promotion is allowed for any environment used in that workflow.
In the Select Image
tab, you will see a list of images. Use the Show Images from dropdown to filter the list and choose the image you wish to promote. This can be either be an image from the CI pipeline or one that has successfully passed all stages (e.g., pre, post, if any) of that particular environment.
Use the SELECT button on the image, and click Promote to...
Select one or more target environments using the checkbox.
Click Promote Image.
The image's promotion to the target environment now depends on the approval settings in the image promotion policy. If the super-admin has enforced an approval process, the image requires the necessary number of approvals before promotion. On the other hand, if the super-admin has not enforced approval, the image will be automatically promoted since there is no request phase involved.
If approval(s) are required for image promotion, you may check the status of your request in the Approval Pending
tab.
Go to the Build & Deploy tab of your application.
Click the Promote button next to the workflow.
Go to the Approval Pending
tab to see the list of images requiring approval. By default, it shows a list of all images whose promotion request is pending with you.
All the images will show the source from which it is being promoted, i.e., CI stage or intermediate stage (environment).
Click Approve for... to choose the target environments to which it can be promoted.
Click Approve.
You can also use the Show requests dropdown to filter the image promotion requests for a specific target environment.
If there are pending promotion requests, you can approve them as shown below:
In the Build & Deploy tab of your application, click Select Image for the CD pipeline, and choose your promoted image for deployment.
You can check the deployment of promoted images in the Deployment History of your application. It will also indicate the pipeline from which the image was promoted and deployed to the target environment.
{podName}: If used, the link will only be visible at the pod level on the page.
{containerName}: If used, the link will only be visible at the container level on the page.
Select one of the to which you want to give permission to the user:
Select one of the to which you want to give permission to the user:
Select one of the to which you want to give permission to the user:
Select one of the to which you want to give permission to the user and click Done
:
Selecting option allows you to manage access and provide the accordingly for:
Selecting option will get full access to Devtron resources and the rest of the options will not be available.
Select one of the to which you want to give permission to the user:
Select one of the to which you want to give permission to the user:
Select one of the to which you want to give permission to the user and click Done
:
Enter the valid .
Once you enable pull image digest for a given environment in Global Configurations, users won't be able to modify the . The toggle button would appear disabled for that environment as shown below.
Here's a sample pipeline we will be using for our explanation of and .
How is this different from the feature?
Enter the keys inside the editor on the left-hand side, e.g., autoscaling.MaxReplicas
. Use to enter specific keys, lists, or objects to lock.
While super-admins can directly edit the locked keys, let's look at a scenario where a user (non-super-admin) tries to edit the same in an base deployment template.
If you select 'Basic' mode instead of 'Advanced (YAML)', all the keys meant for basic mode will be displayed in the GUI even if some are locked. While users can modify these keys, they cannot save the changes made to the locked keys.
However, if it's a , the user will require the approval of a as shown below.
If you have built such a , your CI image will sequentially traverse and deploy to each environment until it reaches the target environment. However, if there's a critical issue you wish to address urgently (through a hotfix) on production, navigating the standard workflow might feel slow and cumbersome.
and of the intermediate stages
All of the intermediate stages
--passCondition
(optional): Specify a condition using . Images that match this condition will be eligible for promotion to the target environment.
Here, applicationEnvironments
is a dictionary that contains the application names (app1, app2) and the corresponding environment names (env-demo/env-staging) where the policy will apply. In the applyToPolicyName
key, enter the value of the name
argument you used earlier while .
In case you have configured , an email notification will be sent to the approvers.
Only the users having role (for the application and environment) or superadmin permissions will be able to approve the image promotion request.
If a user has approved the promotion request for an image, they may or may not be able to deploy depending upon the .
However, a promoted image does not automatically qualify as a deployable image. It must fulfill all configured requirements (, , etc.) of the target environment for it to be deployed.
If you want to check the current version of Devtron you are using, please use the following command.
Fetch the latest Devtron helm chart
Input the target Devtron version that you want to upgrade to. You can find the latest releases from Devtron on Github https://github.com/devtron-labs/devtron/releases
Upgrade Devtron
Input the target Devtron version that you want to upgrade to. You can find the latest releases from Devtron on Github https://github.com/devtron-labs/devtron/releases
Patch Devtron Installer
Hurray! Your Devtron stack is completely setup. Let's get started by deploying a simple application on it.
This is a sample Nodejs application which we are going to deploy using Devtron. For a detailed step-wise procedure, please have a look at the link below -
Delete the respective resources i.e, nats-operator , nats-streaming and nats-server using the following commands.
Verify the deletion of resources using the following commands.
Set reSync: true
in the installer object, this will initiate upgrade of the entire Devtron stack, you can use the following command to do this.
The CI pipeline includes Pre and Post-build steps to validate and introduce checkpoints in the build process. The pre/post plugins allow you to execute some standard tasks, such as Code analysis, Load testing, Security scanning etc. You can build custom pre-build/post-build tasks or select one of the standard preset plugins provided by Devtron.
Preset plugin is an API resource which you can add within the CI build environment. By integrating the preset plugin in your application, it helps your development cycle to keep track of finding bugs, code duplication, code complexity, load testing, security scanning etc. You can analyze your code easily.
Devtron CI pipeline includes the following build stages:
Pre-Build Stage: The tasks in this stage run before the image is built.
Build Stage: In this stage, the build is triggered from the source code (container image) that you provide.
Post-Build Stage: The tasks in this stage are triggered once the build is complete.
Make sure you have CI build pipeline before you start configuring Pre-Build or Post-Build tasks.
Each Pre/Post-build stage is executed as a series of events called tasks and includes custom scripts. You can create one or more tasks that are dependent on one another for execution. In other words, the output variable of one task can be used as an input for the next task to build a CI runner. The tasks will run following the execution order.
The tasks can be re-arranged by drag-and-drop; however, the order of passing the variables must be followed.
You can create a task either by selecting one of the available preset plugins or by creating a custom script.
Pre-Build/Post-Build
Lets take Codacy
as an example and configure it in the Pre-Build stage in the CI pipeline for finding bugs, detecting dependency vulnerabilities, and enforcing code standards.
Go to the Applications and select your application from the Devtron Apps tabs.
Go to the App Configuration tab, click Workflow Editor.
Select the build pipeline for configuring the pre/post-build tasks.
On the Edit build pipeline, in the Pre-Build Stage
, click + Add task.
Select Codacy from PRESET PLUGINS.
Enter a relevant name or codacy in the Task name
field. It is a mandatory field.
Enter a descriptive message for the task in the Description
field. It is an optional field.
Note
: The description is available by default.
In the Input Variables, provide the information in the following fields:
CodacyEndpoint
String
API endpoint for Codacy
GitProvider
String
Git provider for the scanning
CodacyApiToken
String
API token for Codacy. If it is provided, it will be used, otherwise it will be picked from Global secret (CODACY_API_TOKEN)
Organisation
String
Your Organization for Codacy
RepoName
String
Your Repository name
Branch
String
Your branch name
In Trigger/Skip Condition
, set the trigger conditions to execute a task or Set skip conditions
. As an example: CodacyEndpoint equal to https://app.codacy.com.
Note
: You can set more than one condition.
In Pass/Failure Condition
set the conditions to execute pass or fail of your build. As an example: Pass if number of issues equal to zero.
Note
: You can set more than one condition.
Click Update Pipeline.
Go to the Build & Deploy, click the build pipeline and start your build.
Click Details
on the build pipeline and you can view the details on the Logs
.
On the Edit build pipeline screen, select the Pre-build stage.
Select + Add task.
Select Execute custom script.
The task type of the custom script may be a Shell or a Container image.
Select the Task type as Shell.
Consider an example that creates a Shell task to stop the build if the database name is not "mysql". The script takes 2 input variables, one is a global variable (DOCKER_IMAGE
), and the other is a custom variable (DB_NAME
) with a value "mysql". The task triggers only if the database name matches "mysql". If the trigger condition fails, this Pre-build task will be skipped and the build process will start. The variable DB_NAME
is declared as an output variable that will be available as an input variable for the next task. The task fails if DB_NAME
is not equal to "mysql".
Task name
Required
A relevant name for the task
Description
Optional
A descriptive message for the task
Task type
Optional
Shell: Custom shell script goes here
Input variables
Optional
Variable name: Alphanumeric chars and (_) only
Source or input value: The variable's value can be global, output from the previous task, or a custom value. Accepted data types include: STRING | BOOL | NUMBER | DATE
Description: Relevant message to describe the variable.
Trigger/Skip condition
Optional
A conditional statement to execute or skip the task
Script
Required
Custom script for the Pre/Post-build tasks
Output directory path
Optional
Output variables
Optional
Environment variables that are passed as input variables for the next task.
Pass/Failure Condition (Optional): Conditional statements to determine the success/failure of the task. A failed condition stops the execution of the next task and/or build process
Select Update Pipeline.
Here is a screenshot with the failure message from the task:
Select the Task type as Container image.
This example creates a Pre-build task from a container image. The output variable from the previous task is available as an input variable.
Task name
Required
A relevant name for the task
Description
Optional
A descriptive message for the task
Task type
Optional
Container image
Input variables
Optional
Variable name: Alphanumeric chars and (_) only
Source or input value: The variable's value can be global, output from the previous task, or a custom value Accepted data types include: STRING | BOOL | NUMBER | DATE
Description: Relevant message to describe the variable
Trigger/Skip condition
Optional
A conditional statement to execute or skip the task
Container image
Required
Select an image from the drop-down list or enter a custom value in the format <image>:<tag>
Mount custom code
Optional
Enable to mount the custom code in the container. Enter the script in the box below.
Mount above code at (required): Path where the code should be mounted
Command
Optional
The command to be executed inside the container
Args
Optional
The arguments to be passed to the command mentioned in the previous field
Port mapping
Optional
The port number on which the container listens. The port number exposes the container to outside services.
Mount code to container
Optional
Mounts the source code inside the container. Default is "No". If set to "Yes", enter the path.
Mount directory from host
Optional
Mount any directory from the host into the container. This can be used to mount code or even output directories.
Output directory path
Optional
Directory path for the script output files such as logs, errors, etc.
Select Update Pipeline.
Go to Preset Plugins section to know more about the available plugins
Trigger the CI pipeline
The CI process involves activities that require infra resources such as CPU, memory (RAM), and many more. The amount of resources required depends on the complexity of the application. In other words, large applications require more resources compared to small applications.
Therefore, applying a common infra configuration to all applications is not optimal. Since resources incur heavy costs, it's wise to efficiently allocate resources (not more, not less).
With the 'Build Infra' feature, Devtron makes it possible for you to tweak the resources as per the needs of your applications. The build (ci-runner) pod will be scheduled on an available node (considering applied taints and tolerations) in the cluster on which 'Devtron' is installed.
From the left sidebar, go to Global Configurations → Build Infra.
You will see the Default Profile and a list of Custom Profiles (if they exist). Setting up profiles makes it easier for you to manage the build infra configurations, ensuring its reusability in the long term.
This contains the default infra configuration applicable to all the applications, be it large or small.
You may click it to modify the following:
CPU - Processor core allocated to the build process. See CPU units.
Memory - RAM allocated to the build process. See memory units.
Build Timeout - Max. time limit allocated to the build process. See timeout units.
Furthermore, CPU and Memory have 2 fields each:
Request - Use this field to specify the minimum guaranteed amount of CPU/Memory resources your application needs for its CI build. In our example, we required 1500m or 1.5 cores CPU along with 6 GB of RAM.
Limit - Use this field to set the maximum amount of CPU/Memory resources the build process can use, even if there is a lot available in the cluster.
Instead of default profile, you can create custom profiles having different infra configurations. Example: One profile for Python apps, a second profile for large apps, and a third profile for small apps, and many more.
Click Create Profile.
Give a name to the profile along with a brief description, and select the configurations to specify the values.
Click Save. Your custom profile will appear under the list of custom profiles as shown below.
Once you create a profile, attach it to the intended applications, or else the default profile will remain applied.
Go to the Applications tab.
Choose an application and click the dropdown below it.
Choose the profile you wish to apply from the dropdown.
Click Change to apply the profile to your application.
Tip: If you missed creating a profile but selected your application(s), you can use the 'Create Profile' button. This will quickly open a new tab for creating a profile. Once done, you can return and click the refresh icon as shown below.
If you wish to apply a profile to multiple applications at once, you can do that too.
Simply use the checkboxes to select the applications. You can do this even if there are many applications spanning multiple pages. You will see a draggable floating widget as shown below.
Select the profile you wish to apply from the dropdown and confirm the changes.
Once you apply a profile, it will show the count of applications attached to it.
You can edit or delete a custom profile using the respective icons as shown below.
If you delete a profile attached to one or more applications, the default profile will apply from the next build.
If you need extra control on the build infra configuration apart from CPU, memory, and build timeout, feel free to open a GitHub issue for us to help you.
CPU resources are measured in millicore. 1000m or 1000 millicore is equal to 1 core. If a node has 4 cores, the node's CPU capacity would be represented as 4000m.
Memory is measured in bytes. You can enter memory with suffixes (E, P, T, G, M, K, and Ei, Pi, Ti, Gi, Mi, Ki).
m
-
0.001 byte
byte
-
1 byte
k
Kilo
1,000 bytes
Ki
Kibi
1,024 bytes
M
Mega
1,000,000 bytes
Mi
Mebi
1,048,576 bytes
G
Giga
1,000,000,000 bytes
Gi
Gibi
1,073,741,824 bytes
T
Tera
1,000,000,000,000 bytes
Ti
Tebi
1,099,511,627,776 bytes
P
Peta
1,000,000,000,000,000 bytes
Pi
Petabi
1,125,899,906,842,624 bytes
E
Exa
1,000,000,000,000,000,000 bytes
Ei
Exabi
1,152,921,504,606,846,976 bytes
You can specify timeouts in the following units, beyond which the build process would be marked as failed:
seconds
minutes
hours
Configure Global Configurations first before creating an application or cloning an existing application.
The Applications page helps you create and manage your microservices, and it majorly consists of the following:
You can view the app name, its status, environment, namespace, and many more upfront. The apps are segregated into: Devtron Apps, Helm Apps, ArgoCD Apps, and FluxCD Apps.
You can use this to:
There are additional options available for you:
Search and filters to make it easier for you to find applications.
Export CSV to download the data of Devtron apps (not supported for Helm apps and Argo CD apps).
Sync button to refresh the app listing.
In Argo CD, a user manages one dashboard for one ArgoCD instance. Therefore, with multiple ArgoCD instances, the process becomes cumbersome for the user to manage several dashboards.
With Devtron, you get an entire Argo CD app listing in one place. This listing includes:
Apps deployed using GitOps on Devtron
Other Argo CD apps present in your cluster
Devtron also bridges the gap for ArgoCD users by providing additional features as follows:
Single-pane View: All Argo CD apps will show details such as their app status, environment, cluster, and namespace together in one dashboard.
Feature-rich Options: Clicking an Argo CD app will give you access to its logs, terminal, events, manifest, available resource kinds, pod restart log, and many more.
The cluster in which Argo CD apps exist should be added in Global Configurations → Clusters and Environments
ENABLE_EXTERNAL_ARGO_CD: "true"
Go to the Resource Browser of Devtron.
Select the cluster (in which your Argo CD app exists).
Type ConfigMap
in the 'Jump to Kind' field.
Search for dashboard-cm
using the available search bar and click it.
Click Edit Live Manifest.
Set the feature flag ENABLE_EXTERNAL_ARGO_CD to "true"
Click Apply Changes.
Go back to the 'Jump to Kind' field and type Pod
.
Search for dashboard
pod and use the kebab menu (3 vertical dots) to delete the pod.
Go to Applications and refresh the page. A new tab named ArgoCD Apps will be visible.
Select the cluster(s) from the dropdown to view the Argo CD apps available in the chosen cluster(s).
Flux CD doesn't have any official dashboard; however, Devtron supports the listing of your Flux CD apps in one dashboard. Here, the advantages are same as those of ArgoCD app listing.
The cluster in which Flux CD apps exist should be added in Global Configurations → Clusters and Environments
FEATURE_EXTERNAL_FLUX_CD_ENABLE: "true"
You may refer the steps mentioned in the Enabling ArgoCD App Listing section since the procedure is similar.
Using Devtron's Resource Browser, add the feature flag in the Dashboard ConfigMap as shown below.
After successfully executing all the steps, a new tab named FluxCD Apps will be visible. Select the cluster(s) from the dropdown to view the Flux CD apps available in the chosen cluster(s).
(Optional) Once you choose cluster(s), you may use the Template Type dropdown to further filter your Flux CD app listing based on its type, i.e., Kustomization or Helmrelease.
Click any Flux CD app to view its details as shown below.
On the Devtron dashboard, select Applications.
On the upper-right corner of the screen, click Create.
Select Custom app from the drop-down list.
A new application can be created from one of the following options:
Custom App
To create a new application from the custom app, select Custom app.
In the Create application window, enter an App Name and select a Project.
Select either:
Create from scratch to create an application from scratch, or
Clone existing application to clone an existing application.
If you select Create from scratch, select the project from the drop-down list.
Note
: You have to add project under Global Configurations. Only then, it will appear in the drop-down list here.
If you select Clone existing application, select an app you want to clone from and the project from the drop-down list.
Note
: You have to add project under Global Configurations. Only then, it will appear in the drop-down list here.
Tags
are key-value pairs. You can add one or multiple tags in your application.
Propagate Tags When tags are propagated, they are considered as labels to Kubernetes resources. Kubernetes offers integrated support for using these labels to query objects and perform bulk operations e.g., consolidated billing using labels. You can use these tags to filter/identify resources via CLI or in other Kubernetes tools.
Click + Add tag
to add a new tag.
Click Save
.
The 'GitOps Configuration' page appears only if the super-admin has enabled 'Allow changing git repository for application' in Global Configurations → GitOps.
This configuration is an extension of the GitOps settings present in Global Configurations of Devtron. Therefore, make sure you read it before making any changes to your app configuration.
The application-level GitOps configuration offers the flexibility to add a custom Git repo (as opposed to Devtron auto-creating a repo for your application).
Users need to have Admin permission or above (along with access to the environment and application) to configure user-defined Git repo.
Go to Applications → Devtron Apps (tab) → (choose your app) → App Configuration (tab) → GitOps Configuration.
Assuming a GitOps repo was not added to your application earlier, you get 2 options:
Auto-create repository - Select this option if you wish to proceed with the default behavior. It will create a repository automatically, named after your application with a prefix. Thus saving you the trouble of creating one manually.
Commit manifests to a desired repository - Select this option if you wish to add a custom repo that is already created with your Git provider. Enter its link in the Git Repo URL
field.
GitOps repositories, whether auto-created by Devtron or added manually, are immutable. This means they cannot be modified after creation. The same is true if you have an existing CD pipeline that uses/used GitOps for deployment.
Click Save.
Note: In case you skipped the GitOps configuration for your application and proceeded towards the creation of a new CD pipeline (that uses GitOps), you will be prompted to configure GitOps as shown below:
You can deploy a helm chart using either Helm or GitOps. Let's assume you wish to deploy airflow
chart.
Select the helm chart from the Chart Store.
Click Configure & Deploy.
After you enter the App Name
, Project
, and Environment
; an option to choose the deployment approach (i.e., Helm or GitOps) would appear. Select GitOps.
A modal window will appear for you to enter a Git repository. Just like Devtron Apps (step 2), you get two options:
Auto-create repository
Commit manifests to a desired repository
Enter your custom Git Repo URL, and click Save.
Next, you may proceed to deploy the chart.
Once you deploy a helm app with GitOps, you cannot change its GitOps repo.
A deployment configuration is a manifest of the application. It defines the runtime behavior of the application. You can select one of the default deployment charts or custom deployment charts which are created by super admin.
To configure a deployment chart for your application, do the following steps:
Go to Applications and create a new application.
Go to App Configuration page and configure your application.
On the Base Deployment Template page, select the drop-down under Chart type.
Users need to have Admin role or above to select a chart.
After you select and save a chart type for a given application, you won't be able to change it later. Make sure to choose the correct chart type before saving. You can select a chart from Devtron Charts or other Deployment Charts.
You can select a default deployment chart from the following options:
Deployment (Recommended)
This option will be available only if a custom chart exists. If it doesn't, a user with super admin
permission may upload one in Global Configurations → Deployment Charts.
You can select an available custom chart as shown below. You can also view the description of the custom charts in the list.
Users need to have Admin role or above to select a chart version.
Once you select a chart type, choose a chart version using which you wish to deploy the application.
Devtron uses helm charts for deployments and it maintains multiple chart versions based on the features it supports.
One can see available chart versions in the drop-down. You can select any chart version as per your requirements. By default, the latest version of the helm chart is selected.
Every chart version has its own YAML file that provides specifications for your application. To make it easy to use, we have created templates for the YAML file and have added some variables inside the YAML. You can provide or change the values of these variables as per your requirement.
Users need to have Admin role or above to configure a chart. However, super-admins can lock keys in base deployment template to prevent non-super-admins from modifying them. Refer Lock Deployment Configuration to know more.
If you are not an advanced user, you may use the Basic (GUI) section to configure your chosen chart.
By default, the following fields are available for you to modify in the Basic (GUI) section:
Arguments
Enable the Arguments
to pass one or more argument values. By default, it is in the disabled
state.
Command
Enable the Command
to pass one or more command values. By default, it is in the disabled
state.
HTTP Request Routes
Enable the HTTP Request Routes
to define Host
, and Path
. By default, it is in the disabled
state.
Host: Domain name of the server.
Path: Path of the specific component in the host that the HTTP wants to access.
You can define multiple paths as required by clicking Add path.
Resources
Here, you can tweak the requests and limits of the CPU resource and RAM resource as per the application.
Autoscaling
Define the autoscaling parameters to automatically scale your application's deployment based on resource utilization.
Maximum Replicas: The maximum number of replicas your application can scale up to.
Minimum Replicas: The minimum number of replicas your application should run at any time.
Target CPU Utilization Percentage: The average CPU utilization across all pods that will trigger scaling.
Target Memory Utilization Percentage: The average memory utilization across all pods that will trigger scaling.
Environment Variables (Key/Value)
Define key/value
by clicking Add variable.
Key: Define the key of the environment.
Value: Define the value of the environment.
You can define multiple env variables by clicking Add EnvironmentVariables.
Container Port
The internal port on which the container listens for HTTP requests. Specify the container port and optionally the service port that maps to it.
Service
Configure the service that exposes your application to the network.
Type: Specify the type of service (e.g., ClusterIP, NodePort, LoadBalancer).
Annotations: Add custom annotations to the service for additional configuration.
Readiness Probe
Define the readiness probe to determine when a container is ready to start accepting traffic.
Path: The HTTP path that the readiness probe will access.
Port: The port on which the readiness probe will access the application.
Liveness Probe
Define the liveness probe to check if the container is still running and to restart it if it is not.
Path: The HTTP path that the liveness probe will access.
Port: The port on which the liveness probe will access the application.
Tolerations
Define tolerations to allow the pods to be scheduled on nodes with matching taints.
Key: The key of the taint to tolerate.
Operator: The relationship between the key and the value (e.g., Exists, Equal).
Value: The value of the taint to match.
Effect: The effect of the taint to tolerate (e.g., NoSchedule, NoExecute).
ServiceAccount
Specify the service account for the deployment to use, allowing it to access Kubernetes API resources.
Create: Toggle to create a new service account.
Name: The name of the service account to use.
Click Save Changes. If you want to do additional configurations, then click the Switch to Advanced button or Advanced (YAML) button for modifications.
If you change any values in the 'Basic (GUI)', then the corresponding values will change in 'Advanced (YAML)' too.
Users who are not super-admins will land on 'Basic (GUI)' section when they visit Base Deployment Template page; whereas super-admins will land on 'Advanced (YAML)' section. This is just a default behavior; therefore, they can still navigate to the other section if needed.
By default, the Basic (GUI)
section comes with multiple predefined fields as seen earlier in the table. However, if you wish to display a different set of fields to your team, you can modify the whole section as per your requirement.
This is useful in scenarios where:
Your team members find it difficult to understand and edit the Advanced (YAML) section.
You frequently edit certain fields in Advanced (YAML), which you expect to remain easily accessible in Basic (GUI) section.
You don't require some fields in Basic (GUI) section.
You need the autonomy to keep the Basic (GUI) unique for applications/clusters/environments/charts, or display the same Basic (GUI) everywhere.
There are two ways you can customize the Basic GUI, use any one of the following:
From Deployment Charts section
Using APIs (explained below)
You can pass a custom JSON (deployment schema) of your choice through the following API. You may need to run the API with the POST
method if you are doing it for the first time.
In the name
field, give a name to your schema, e.g., schema-1
Enter the type
as JSON.
The schema
field is for entering your custom deployment schema. Perform the following steps:
To create a custom schema of your choice, you may use RJSF JSON Schema Tool.
Copy the final JSON and stringify it using any free online tool.
Paste the stringified JSON in the schema
field of the API request body.
Send the API request. If your schema already exists, use the PUT
method instead of POST
in the API call.
The attributeSelector
object helps you choose the scope at which your custom deployment schema will take effect.
1 (High)
APP_ENV
Specific to an application and its environment
2
APP
Applies at the application level if no specific environment is defined
3
ENV
Applies to specific deployment environment
4
CHART_REF
Applies to all applications using a specific chart type and version
5
CLUSTER
Applies across all applications and environments within a specific cluster
6
GLOBAL
Universally applies if no other more specific schemas are defined
If you are an advanced user wishing to perform additional configurations, you may switch to Advanced (YAML) for modifications.
Refer the respective templates to view the YAML details.
Depending on the chart type and version you select, application metrics of your application may be viewed. This includes:
Status codes 2xx, 3xx, 5xx
Throughput
Latency ...and many more
Enable Show application metrics toggle to view the application metrics on the App Details page.
IMPORTANT: Enabling application metrics introduces a sidecar container to your main container which may require some additional configuration adjustments. We recommend you to do load test after enabling it in a non-production environment before enabling it in production environment.
Select Save & Next to save your configurations.
This chart creates a deployment that runs multiple replicas of your application and automatically replaces any instances that fail or become unresponsive. It does not support Blue/Green and Canary deployments. This is the default deployment chart. You can select Deployment
chart when you want to use only basic use cases which contain the following:
Create a Deployment to rollout a ReplicaSet. The ReplicaSet creates Pods in the background. Check the status of the rollout to see if it succeeds or not.
Declare the new state of the Pods. A new ReplicaSet is created and the Deployment manages moving the Pods from the old ReplicaSet to the new one at a controlled rate. Each new ReplicaSet updates the revision of the Deployment.
Rollback to an earlier Deployment revision if the current state of the Deployment is not stable. Each rollback updates the revision of the Deployment.
Scale up the Deployment to facilitate more load.
Use the status of the Deployment as an indicator that a rollout has stuck.
Clean up older ReplicaSets that you do not need anymore.
You can define application behavior by providing information in the following sections:
Chart version
Basic (GUI)
Advanced (YAML)
Show application metrics
Super-admins can lock keys in deployment template to prevent non-super-admins from modifying those locked keys. Refer Lock Deployment Configuration to know more.
This defines ports on which application services will be exposed to other services
envoyPort
envoy port for the container
idleTimeout
the duration of time that a connection is idle before the connection is terminated
name
name of the port
port
port for the container
servicePort
port of the corresponding kubernetes service
nodePort
nodeport of the corresponding kubernetes service
supportStreaming
Used for high performance protocols like grpc where timeout needs to be disabled
useHTTP2
Envoy container can accept HTTP2 requests
To set environment variables for the containers that run in the Pod.
To set environment variables for the containers and fetching their values from pod-level fields.
If this check fails, kubernetes restarts the pod. This should return error code in case of non-recoverable error.
Path
It define the path where the liveness needs to be checked
initialDelaySeconds
It defines the time to wait before a given container is checked for liveliness
periodSeconds
It defines the time to check a given container for liveness
successThreshold
It defines the number of successes required before a given container is said to fulfill the liveness probe
timeoutSeconds
It defines the time for checking timeout
failureThreshold
It defines the maximum number of failures that are acceptable before a given container is not considered as live
httpHeaders
Custom headers to set in the request. HTTP allows repeated headers, you can override the default headers by defining .httpHeaders for the probe.
scheme
Scheme to use for connecting to the host (HTTP or HTTPS). Defaults to HTTP.
tcp
The kubelet will attempt to open a socket to your container on the specified port. If it can establish a connection, the container is considered healthy.
The maximum number of pods that can be unavailable during the update process. The value of "MaxUnavailable: " can be an absolute number or percentage of the replicas count. The default value of "MaxUnavailable: " is 25%.
The maximum number of pods that can be created over the desired number of pods. For "MaxSurge: " also, the value can be an absolute number or percentage of the replicas count. The default value of "MaxSurge: " is 25%.
This specifies the minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. This defaults to 0 (the Pod will be considered available as soon as it is ready).
If this check fails, kubernetes stops sending traffic to the application. This should return error code in case of errors which can be recovered from if traffic is stopped.
Path
It define the path where the readiness needs to be checked
initialDelaySeconds
It defines the time to wait before a given container is checked for readiness
periodSeconds
It defines the time to check a given container for readiness
successThreshold
It defines the number of successes required before a given container is said to fulfill the readiness probe
timeoutSeconds
It defines the time for checking timeout
failureThreshold
It defines the maximum number of failures that are acceptable before a given container is not considered as ready
httpHeaders
Custom headers to set in the request. HTTP allows repeated headers, you can override the default headers by defining .httpHeaders for the probe.
scheme
Scheme to use for connecting to the host (HTTP or HTTPS). Defaults to HTTP.
tcp
The kubelet will attempt to open a socket to your container on the specified port. If it can establish a connection, the container is considered healthy.
You can create PodDisruptionBudget
for each application. A PDB limits the number of pods of a replicated application that are down simultaneously from voluntary disruptions. For example, an application would like to ensure the number of replicas running is never brought below the certain number.
or
You can specify either maxUnavailable
or minAvailable
in a PodDisruptionBudget and it can be expressed as integers or as a percentage.
minAvailable
Evictions are allowed as long as they leave behind 1 or more healthy pods of the total number of desired replicas.
maxUnavailable
Evictions are allowed as long as at most 1 unhealthy replica among the total number of desired replicas.
You can create ambassador mappings to access your applications from outside the cluster. At its core a Mapping resource maps a resource to a service.
enabled
Set true to enable ambassador mapping else set false
ambassadorId
used to specify id for specific ambassador mappings controller
cors
used to specify cors policy to access host for this mapping
weight
used to specify weight for canary ambassador mappings
hostname
used to specify hostname for ambassador mapping
prefix
used to specify path for ambassador mapping
labels
used to provide custom labels for ambassador mapping
retryPolicy
used to specify retry policy for ambassador mapping
corsPolicy
Provide cors headers on flagger resource
rewrite
used to specify whether to redirect the path of this mapping and where
tls
used to create or define ambassador TLSContext resource
extraSpec
used to provide extra spec values which not present in deployment template for ambassador resource
This is connected to HPA and controls scaling up and down in response to request load.
enabled
Set true to enable autoscaling else set false
MinReplicas
Minimum number of replicas allowed for scaling
MaxReplicas
Maximum number of replicas allowed for scaling
TargetCPUUtilizationPercentage
The target CPU utilization that is expected for a container
TargetMemoryUtilizationPercentage
The target memory utilization that is expected for a container
extraMetrics
Used to give external metrics for autoscaling
You can use flagger for canary releases with deployment objects. It supports flexible traffic routing with istio service mesh as well.
enabled
Set true to enable canary releases using flagger else set false
addOtherGateways
To provide multiple istio gateways for flagger
addOtherHosts
Add multiple hosts for istio service mesh with flagger
analysis
Define how the canary release should progress and at what interval
annotations
Annotation to add on flagger resource
labels
Labels to add on flagger resource
appProtocol
Protocol to use for canary
corsPolicy
Provide cors headers on flagger resource
createIstioGateway
Set to true if you want to create istio gateway as well with flagger
headers
Add headers if any
loadtest
Enable load testing for your canary release
fullnameOverride
replaces the release fullname created by default by devtron, which is used to construct Kubernetes object names. By default, devtron uses {app-name}-{environment-name} as release fullname.
Image is used to access images in kubernetes, pullpolicy is used to define the instances calling the image, here the image is pulled when the image is not present,it can also be set as "Always".
imagePullSecrets
contains the docker credentials that are used for accessing a registry.
regcred is the secret that contains the docker credentials that are used for accessing a registry. Devtron will not create this secret automatically, you'll have to create this secret using dt-secrets helm chart in the App store or create one using kubectl. You can follow this documentation Pull an Image from a Private Registry https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ .
enabled
Determines whether to create a ServiceAccount for pods or not. If set to true
, a ServiceAccount will be created.
name
Specifies the name of the ServiceAccount to use.
annotations
Specify annotations for the ServiceAccount.
the hostAliases field is used in a Pod specification to associate additional hostnames with the Pod's IP address. This can be helpful in scenarios where you need to resolve specific hostnames to the Pod's IP within the Pod itself.
This allows public access to the url, please ensure you are using right nginx annotation for nginx class, its default value is nginx
Legacy deployment-template ingress format
enabled
Enable or disable ingress
annotations
To configure some options depending on the Ingress controller
path
Path name
host
Host name
tls
It contains security details
This allows private access to the url, please ensure you are using right nginx annotation for nginx class, its default value is nginx
enabled
Enable or disable ingress
annotations
To configure some options depending on the Ingress controller
path
Path name
host
Host name
tls
It contains security details
Specialized containers that run before app containers in a Pod. Init containers can contain utilities or setup scripts not present in an app image. One can use base image inside initContainer by setting the reuseContainerImage flag to true
.
To wait for given period of time before switch active the container.
These define minimum and maximum RAM and CPU available to the application.
Resources are required to set CPU and memory usage.
Limits make sure a container never goes above a certain value. The container is only allowed to go up to the limit, and then it is restricted.
Requests are what the container is guaranteed to get.
This defines annotations and the type of service, optionally can define name also.
It is required when some values need to be read from or written to an external disk.
It is used to provide mounts to the volume.
Spec is used to define the desire state of the given container.
Node Affinity allows you to constrain which nodes your pod is eligible to schedule on, based on labels of the node.
Inter-pod affinity allow you to constrain which nodes your pod is eligible to be scheduled based on labels on pods.
Key part of the label for node selection, this should be same as that on node. Please confirm with devops team.
Value part of the label for node selection, this should be same as that on node. Please confirm with devops team.
Taints are the opposite, they allow a node to repel a set of pods.
A given pod can access the given node and avoid the given taint only if the given pod satisfies a given taint.
Taints and tolerations are a mechanism which work together that allows you to ensure that pods are not placed on inappropriate nodes. Taints are added to nodes, while tolerations are defined in the pod specification. When you taint a node, it will repel all the pods except those that have a toleration for that taint. A node can have one or many taints associated with it.
This is used to give arguments to command.
It contains the commands for the server.
enabled
To enable or disable the command
value
It contains the commands
Containers section can be used to run side-car containers along with your main container within same pod. Containers running within same pod can share volumes and IP Address and can address each other @localhost. We can use base image inside container by setting the reuseContainerImage flag to true
.
Container lifecycle hooks are mechanisms that allow users to define custom actions to be performed at specific stages of a container's lifecycle i.e. PostStart or PreStop.
containerSpec
containerSpec to define container lifecycle hooks configuration
lifecycle
Lifecycle hooks for the container
enabled
Set true to enable lifecycle hooks for the container else set false
postStart
The postStart hook is executed immediately after a container is created
httpsGet
Sends an HTTP GET request to a specific endpoint on the container
host
Specifies the host (example.com) to which the HTTP GET request will be sent
path
Specifies the path (/example) of the endpoint to which the HTTP GET request will be sent
port
Specifies the port (90) on the host where the HTTP GET request will be sent
preStop
The preStop hook is executed just before the container is stopped
exec
Executes a specific command, such as pre-stop.sh, inside the cgroups and namespaces of the container
command
The command to be executed is sleep 10, which tells the container to sleep for 10 seconds before it is stopped
It is a kubernetes monitoring tool and the name of the file to be monitored as monitoring in the given case. It describes the state of the Prometheus.
Accepts an array of Kubernetes objects. You can specify any kubernetes yaml here and it will be applied when your app gets deployed.
Kubernetes waits for the specified time called the termination grace period before terminating the pods. By default, this is 30 seconds. If your pod usually takes longer than 30 seconds to shut down gracefully, make sure you increase the GracePeriod
.
A Graceful termination in practice means that your application needs to handle the SIGTERM message and begin shutting down when it receives it. This means saving all data that needs to be saved, closing down network connections, finishing any work that is left, and other similar tasks.
There are many reasons why Kubernetes might terminate a perfectly healthy container. If you update your deployment with a rolling update, Kubernetes slowly terminates old pods while spinning up new ones. If you drain a node, Kubernetes terminates all pods on that node. If a node runs out of resources, Kubernetes terminates pods to free those resources. It’s important that your application handle termination gracefully so that there is minimal impact on the end user and the time-to-recovery is as fast as possible.
It is used for providing server configurations.
It gives the details for deployment.
image_tag
It is the image tag
image
It is the URL of the image
It gives the set of targets to be monitored.
It is used to configure database migration.
These Istio configurations collectively provide a comprehensive set of tools for controlling access, authenticating requests, enforcing security policies, and configuring traffic behavior within a microservices architecture. The specific settings you choose would depend on your security and traffic management requirements.
istio
Istio enablement. When istio.enable
set to true, Istio would be enabled for the specified configurations
authorizationPolicy
It allows you to define access control policies for service-to-service communication.
action
Determines whether to ALLOW or DENY the request based on the defined rules.
provider
Authorization providers are external systems or mechanisms used to make access control decisions.
rules
List of rules defining the authorization policy. Each rule can specify conditions and requirements for allowing or denying access.
destinationRule
It allows for the fine-tuning of traffic policies and load balancing for specific services. You can define subsets of a service and apply different traffic policies to each subset.
subsets
Specifies subsets within the service for routing and load balancing.
trafficPolicy
Policies related to connection pool size, outlier detection, and load balancing.
gateway
Allowing external traffic to enter the service mesh through the specified configurations.
host
The external domain through which traffic will be routed into the service mesh.
tls
Traffic to and from the gateway should be encrypted using TLS.
secretName
Specifies the name of the Kubernetes secret that contains the TLS certificate and private key. The TLS certificate is used for securing the communication between clients and the Istio gateway.
peerAuthentication
It allows you to enforce mutual TLS and control the authentication between services.
mtls
Mutual TLS. Mutual TLS is a security protocol that requires both client and server, to authenticate each other using digital certificates for secure communication.
mode
Mutual TLS mode, specifying how mutual TLS should be applied. Modes include STRICT, PERMISSIVE, and DISABLE.
portLevelMtls
Configures port-specific mTLS settings. Allows for fine-grained control over the application of mutual TLS on specific ports.
selector
Configuration for selecting workloads to apply PeerAuthentication.
requestAuthentication
Defines rules for authenticating incoming requests.
jwtRules
Rules for validating JWTs (JSON Web Tokens). It defines how incoming JWTs should be validated for authentication purposes.
selector
Specifies the conditions under which the RequestAuthentication rules should be applied.
virtualService
Enables the definition of rules for how traffic should be routed to different services within the service mesh.
gateways
Specifies the gateways to which the rules defined in the VirtualService apply.
hosts
List of hosts (domains) to which this VirtualService is applied.
http
Configuration for HTTP routes within the VirtualService. It define routing rules based on HTTP attributes such as URI prefixes, headers, timeouts, and retry policies.
KEDA is a Kubernetes-based Event Driven Autoscaler. With KEDA, you can drive the scaling of any container in Kubernetes based on the number of events needing to be processed. KEDA can be installed into any Kubernetes cluster and can work alongside standard Kubernetes components like the Horizontal Pod Autoscaler(HPA).
Example for autosccaling with KEDA using Prometheus metrics is given below:
Example for autosccaling with KEDA based on kafka is given below :
Kubernetes NetworkPolicies control pod communication by defining rules for incoming and outgoing traffic.
enabled
Enable or disable NetworkPolicy.
annotations
Additional metadata or information associated with the NetworkPolicy.
labels
Labels to apply to the NetworkPolicy.
podSelector
Each NetworkPolicy includes a podSelector which selects the grouping of pods to which the policy applies. The example policy selects pods with the label "role=db". An empty podSelector selects all pods in the namespace.
policyTypes
Each NetworkPolicy includes a policyTypes list which may include either Ingress, Egress, or both.
Ingress
Controls incoming traffic to pods.
Egress
Controls outgoing traffic from pods.
Winter Soldier can be used to
cleans up (delete) Kubernetes resources
reduce workload pods to 0
NOTE: After deploying this we can create the Hibernator object and provide the custom configuration by which workloads going to delete, sleep and many more. for more information check the main repo
Given below is template values you can give in winter-soldier:
enabled
false
,true
decide the enabling factor
apiVersion
pincher.devtron.ai/v1beta1
, pincher.devtron.ai/v1alpha1
specific api version
action
sleep
,delete
, scale
This specify the action need to perform.
timeRangesWithZone
:timeZone
eg:- "Asia/Kolkata"
,"US/Pacific"
timeRangesWithZone
:timeRanges
array of [ timeFrom
, timeTo
, weekdayFrom
, weekdayTo
]
It use to define time period/range on which the user need to perform the specified action. you can have multiple timeRanges.
These settings will take action
on Sat and Sun from 00:00 to 23:59:59,
targetReplicas
[n]
: n - number of replicas to scale.
These is mandatory field when the action
is scale
Default value is []
.
fieldSelector
- AfterTime(AddTime( ParseTime({{metadata.creationTimestamp}}, '2006-01-02T15:04:05Z'), '5m'), Now())
These value will take a list of methods to select the resources on which we perform specified action
.
here is an example,
Above settings will take action on Sat
and Sun
from 00:00 to 23:59:59, and on Mon
-Fri
from 00:00 to 08:00 and 20:00 to 23:59:59. If action:sleep
then runs hibernate at timeFrom and unhibernate at timeTo
. If action: delete
then it will delete workloads at timeFrom
and timeTo
. Here the action:scale
thus it scale the number of resource replicas to targetReplicas: [1,1,1]
. Here each element of targetReplicas
array is mapped with the corresponding elements of array timeRangesWithZone/timeRanges
. Thus make sure the length of both array is equal, otherwise the cnages cannot be observed.
The above example will select the application objects which have been created 10 hours ago across all namespaces excluding application's namespace. Winter soldier exposes following functions to handle time, cpu and memory.
ParseTime - This function can be used to parse time. For eg to parse creationTimestamp use ParseTime({{metadata.creationTimestamp}}, '2006-01-02T15:04:05Z')
AddTime - This can be used to add time. For eg AddTime(ParseTime({{metadata.creationTimestamp}}, '2006-01-02T15:04:05Z'), '-10h') ll add 10h to the time. Use d for day, h for hour, m for minutes and s for seconds. Use negative number to get earlier time.
Now - This can be used to get current time.
CpuToNumber - This can be used to compare CPU. For eg any({{spec.containers.#.resources.requests}}, { MemoryToNumber(.memory) < MemoryToNumber('60Mi')}) will check if any resource.requests is less than 60Mi.
A security context defines privilege and access control settings for a Pod or Container.
To add a security context for main container:
To add a security context on pod level:
You can use topology spread constraints to control how Pods are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains. This can help to achieve high availability as well as efficient resource utilization.
It gives the realtime metrics of the deployed applications
Deployment Frequency
It shows how often this app is deployed to production
Change Failure Rate
It shows how often the respective pipeline fails
Mean Lead Time
It shows the average time taken to deliver a change to production
Mean Time to Recovery
It shows the average time taken to fix a failed pipeline
If you want to see application metrics like different HTTP status codes metrics, application throughput, latency, response time. Enable the Application metrics from below the deployment template Save button. After enabling it, you should be able to see all metrics on App detail page. By default it remains disabled.
Once all the Deployment template configurations are done, click on Save
to save your deployment configuration. Now you are ready to create Workflow to do CI/CD.
Helm Chart json schema is used to validate the deployment template values.
The values of CPU and Memory in limits must be greater than or equal to in requests respectively. Similarly, In case of envoyproxy, the values of limits are greater than or equal to requests as mentioned below.
Workflow is a logical sequence of different stages used for continuous integration and continuous deployment of an application.
Click on New Build Pipeline
to create a new workflow
On clicking New Build Pipeline
, three options appear as mentioned below:
Continuous Integration: Choose this option if you want Devtron to build the image of source code.
Linked CI Pipeline: Choose this option if you want to use an image created by an existing CI pipeline in Devtron.
Incoming Webhook: Choose this if you want to build your image outside Devtron, it will receive a docker image from an external source via the incoming webhook.
Then, create CI/CD Pipelines for your application.
To know how to create the CI pipeline for your application, click on: Create CI Pipelines
To know how to create the CD pipeline for your application, click on: Create CD Pipelines
In this section, we will provide information on the Build Configuration
.
Build configuration is used to create and push docker images in the container registry of your application. You will provide all the docker related information to build and push docker images on the Build Configuration
page.
Only one docker image can be created for multi-git repository applications as explained in the Git Repository section.
For build configuration, you must provide information in the sections as given below:
The following fields are provided on the Store Container Image section:
Container Registry
Container Repository
Enter the name of your container repository, preferably in the format username/repo-name
. The repository that you specify here will store a collection of related docker images. Whenever an image is added here, it will be stored with a new tag version.
If you are using docker hub account, you need to enter the repository name along with your username. For example - If my username is kartik579 and repo name is devtron-trial, then enter kartik579/devtron-trial instead of only devtron-trial.
In order to deploy the application, we must build the container images to configure a fully operational container environment.
You can choose one of the following options to build your container image:
I have a Dockerfile
Create Dockerfile
Build without Dockerfile
A Dockerfile
is a text document that contains all the commands which you can call on the command line to build an image.
Select repository containing Dockerfile
Dockerfile Path (Relative)
Enter a relative file path where your docker file is located in Git repository. Ensure that the dockerfile is available on this path. This is a mandatory field.
With the option Create Dockerfile, you can create a Dockerfile
from the available templates. You can edit any selected Dockerfile template as per your build configuration requirements.
Language
Select the programming language (e.g., Java
, Go
, Python
, Node
etc.) from the drop-down list you want to create a dockerfile as per compatibility to your system.
Note We will be adding other programming languages in the future releases.
Framework
Select the framework (e.g., Maven
, Gradle
etc.) of the selected programming language.
Note We will be adding other frameworks in the future releases.
With the option Build without Dockerfile, you can use Buildpacks to automatically build the image for your preferred language and framework.
Select repository containing code
Project Path (Relative)
In case of monorepo, specify the path of the project from your Git repository.
Language
Select the programming language (e.g., Java
, Go
, Python
, Node
, Ruby
, PHP
etc.) from the drop-down list you want to build your container image as per the compatibility to your system.
Note: We will be adding other programming languages in the future releases.
Version
Select a language version from the drop-down list. If you do not find the version you need, then you can update the language version in Build Env Arguments
. You can also select Autodetect in case if you want Builder
to detect version by itself or its default version.
Select a builder
A builder is an image that contains a set of buildpacks which provide your app's dependencies, a stack, and the OS layer for your app image. Select a buildpack provider from the following options:
You can add Key/Value pair by clicking Add argument.
Key
Value
Define the value for the specified key. E.g. Version no.
Note This fields are optional. If required, it can be overridden at CI step.
Using this option, you can build images for a specific or multiple architectures and operating systems (target platforms). You can select the target platform from the drop-down list or can type to select a customized target platform.
Before selecting a customized target platform, please ensure that the architecture and the operating system are supported by the registry type
you are using, otherwise build will fail. Devtron uses BuildX to build images for multiple target Platforms, which requires higher CI worker resources. To allocate more resources, you can increase value of the following parameters in the devtron-cm
configmap in devtroncd
namespace.
LIMIT_CI_CPU
REQ_CI_CPU
REQ_CI_MEM
LIMIT_CI_MEM
To edit the devtron-cm
configmap in devtroncd
namespace:
If target platform is not set, Devtron will build image for architecture and operating system of the k8s node on which CI is running.
The Target Platform feature might not work in minikube & microk8s clusters as of now.
It is is a collapsed view including the following parameters:
Key
Value
These fields will contain the key parameter and the value for the specified key for your docker build. This field is Optional. If required, this can be overridden at CI step.
Click Save Configuration.
Secrets and configmaps both are used to store environment variables but there is one major difference between them: Configmap stores key-values in normal text format while secrets store them in base64 encrypted form. Devtron hides the data of secrets for the normal users and it is only visible to the users having edit permission.
Secret objects let you store and manage sensitive information, such as passwords, authentication tokens, and ssh keys. Embedding this information in secrets is safer and more flexible than putting it verbatim in a Pod definition or in a container image.
Click Add Secret
to add a new secret.
Name
Provide a name to your Secret
Data Type
Data Volume
Specify if there is a need to add a volume that is accessible to the Containers running in a pod.
Use secrets as Environment Variable
Select this option if you want to inject Environment Variables in your pods using Secrets.
Use secrets as Data Volume
Select this option if you want to configure a Data Volume that is accessible to Containers running in a pod. Ensure that you provide a Volume mount path for the same.
Key-Value
Provide a key and the corresponding value of the provided key.
Specify the volume mount folder path in Volume Mount Path
, a path where the data volume needs to be mounted. This volume will be accessible to the containers running in a pod.
For multiple files mount at the same location you need to check sub path bool
field, it will use the file name (key) as sub path. Sub Path feature is not applicable in case of external configmap except AWS Secret Manager, AWS System Manager and Hashi Corp Vault, for these cases Name (Secret key)
as sub path will be picked up automatically.
File permission will be provide at the configmap level not on the each key of the configmap. it will take 3 digit standard permission for the file.
Click Save Secret
to save the secret.
You can see the Secret is added.
You can update your secrets anytime later, but you cannot change the name of your secrets. If you want to change your name of secrets then you have to create a new secret.
To update secrets, click the secret you wish to update.
Click Update Secret
to update your secret.
You can delete your secret. Click your secret and click the delete sign
to delete your secret.
There are five Data types that you can use to save your secret.
Kubernetes Secret: The secret that you create using Devtron.
Kubernetes External Secret: The secret data of your application is fetched by Devtron externally. Then the Kubernetes External Secret is converted to Kubernetes Secret.
AWS Secret Manager: The secret data of your application is fetched from AWS Secret Manager and then converted to Kubernetes Secret from AWS Secret.
AWS System Manager: The secret data for your application is fetched from AWS System Secret Manager and all the secrets stored in AWS System Manager are converted to Kubernetes Secret.
HashiCorp Vault: The secret data for your application is fetched from HashiCorp Vault and the secrets stored in HashiCorp Vault are converted to Kubernetes Secret.
Note: The conversion of secrets from various data types to Kubernetes Secrets is done within Devtron and irrespective of the data type, after conversion, the Pods access secrets
normally.
Use this option to mount an existing Kubernetes Secret in your application pods. A Secret will not be created by system so please ensure that the secret already exist within the namespace else the deployment will fail.
The secret that is already created and stored in the environment and being used by Devtron externally is referred here as Kubernetes External Secret
. For this option, Devtron will not create any secret by itself but they can be used within the pods. Before adding secret from kubernetes external secret, please make sure that secret with the same name is present in the environment. To add secret from kubernetes external secret, follow the steps mentioned below:
Navigate to Secrets
of the application.
Click Add Secret
to add a new secret.
Select Kubernetes External Secret
from dropdown of Data type
.
Provide a name to your secret. Devtron will search secret in the environment with the same name that you mention here.
Before adding any external secrets on Devtron, kubernetes-external-secrets
must be installed on the target cluster. Kubernetes External Secrets allows you to use external secret management systems (e.g., AWS Secrets Manager, Hashicorp Vault, etc) to securely add secrets in Kubernetes.
To install the chart with the release named my-release:
To install the chart with AWS IAM Roles for Service Accounts:
To add secrets from AWS secret manager, navigate to Secrets
of the application and follow the steps mentioned below :
Click Add Secret
to add a new secret.
Select AWS Secret Manager
from dropdown of Data type
.
Provide a name to your secret.
Select how you want to use the secret. You may leave it selected as environment variable and also you may leave Role ARN
empty.
In Data
section, you will have to provide data in key-value format.
All the required field to pass your data to fetch secrets on Devtron are described below :
key
Secret key in backend
name
Name for this key in the generated secret
property
Property to extract if secret in backend is a JSON object
isBinary
Set this to true if configuring an item for a binary file stored else set false
To add secrets in AWS secret manager, do the following steps :
Go to AWS secret manager console.
Click Store a new secret
.
Add and save your secret.
Delete the Application, when you are sure you no longer need it.
Clicking on Delete Application
will not delete your application if you have workflows in the application.
If your Application contains workflows in the Workflow Editor. So, when you click on Delete Application
, you will see the following prompt.
Click on View Workflows
to view and delete your workflows in the application.
To delete the workflows in your application, you must first delete all the pipelines (CD Pipeline, CI Pipeline or Linked CI Pipeline or External CI Pipeline if there are any).
After you have deleted all the pipelines in the workflow, you can delete that particular workflow.
Similarly, delete all the workflows in the application.
Now, Click on Delete Application
to delete the application.
Since resources are created according to the configurations you enter, it's essential to restrict such configurations from direct modifications. For critical environments like production, it becomes necessary to introduce an approval flow for any edits made to the configuration files.
In Devtron, these configurations are present in the App Configuration tab of your application.
Any changes made to the following configurations will require approval if enabled:
Deployment Template
ConfigMaps
Secrets
This stands true for both: base configuration and respective environment-level configuration.
Only a super-admin, manager, and admin can edit the configuration values.
Let's assume you are the application admin and you wish to edit the deployment template of your environment (as an override).
Go to the App Configuration
tab.
In Environment Overrides → (choose your environment) → Deployment Template
You can change the value of a key to a desired value as shown below. Once done, click the Save Changes… button.
If the configuration is protected, your changes won't be published right away. You can do either of the following:
Save as draft : Selecting this option will save your file as a draft. You and other users can view and edit the saved draft and propose it further for approval.
Save & Propose Changes : Selecting this option will propose your changes to a configuration approver for a review.
Since we are proposing the changes immediately, click Propose Changes.
You can also view the approver(s) if you wish.
The one who performs the edits cannot approve their own changes. A different user has to review and approve.
Only one draft can exist at time and you cannot create multiple drafts. In the top-right corner, you have the option to discard the draft if you don't wish to proceed with the edits you made.
Only a different super-admin user or someone (who is not amongst the editors of the draft), having Configuration approver
access, can approve the changes made to the configuration files.
Go to the edited configuration file to review and approve the changes as shown below.
A super-admin can check whether a user has approval rights by going to Global Configurations → Authorization (dropdown) → User Permissions.
Once the approver validates and approves your configuration changes, you can proceed to deploy your application with the updated configuration.
Go to the Build & Deploy tab of your application.
Click Select Image in the deployment flow.
You can view an indicator at the bottom Config Diff from Last Deployed
. Click Review to view the changes.
If the new configuration is not yet approved, the changes made to the config would not be visible during deployment, it would show No Config Diff from Last Deployed
at the bottom. In that case, check whether your changes are present in the live config or not. If your changes are absent, chances are your draft is either pending for approval or rejected (discarded).
Once you have verified the changes, you can click Deploy.
If you don't wish to deploy with the new changes, you can choose Last deployed config
from the available drop-down.
Only a super-admin can enable or disable the config protection.
Go to the App Configuration
tab.
Click Protect Configuration
.
Use the toggle button to enable the protection for the configuration of your choice (base/environment level). A protection badge would appear next to the chosen configuration.
Alternatively, unprotecting the configuration will lead to the discarding of unapproved drafts (if any).
Each time you push a change to your application through GitHub, your application goes through a process to be built and deployed.
There are two main steps for building and deploying applications:
You can also rollback the deployment. Refer for detail.
To incorporate secrets from HashiCorp Vault, you need to create a generic Kubernetes secret that will be used for vault authentication. This involves creating a Kubernetes secret in the specific namespace where your application will be deployed. The secret should store the base64-encoded password or token obtained from vault. To simplify the process, you can utilize the Devtron generic chart. An example yaml is given below:
Note: Please note that you don't need to create the Kubernetes secret every time you create an External Secret for the corresponding namespace.
Once you have created the generic secret, follow these steps in the application's Secrets section:
1. Create a new secret
To add a new secret to the application, go to the App Configuration
section of the application. Then, navigate to the left pane and select the Secrets
option and click the Add Secret button.
2. Select HashiCorp Vault
as the External Secret Operator
After clicking the Add Secret button, select HashiCorp Vault
from the dropdown menu for the Data type
option. Provide a name for the secret you are creating, and then proceed to configure the external secret as described in the next step.
3. Configure the secret
To configure the external secret that will be fetched from HashiCorp Vault for your application, you will need to provide specific details using the following key-value pairs:
4. Save the secret
After configuring the external secret from HashiCorp Vault, proceed to save the secret by clicking the Save button.
By following the steps mentioned above and configuring these values correctly, you can seamlessly fetch and utilize external secrets from HashiCorp Vault within your application environment by deploying the application.
You will see all your environments associated with an application under the Environment Overrides
section.
You can customize your Deployment template, ConfigMap, Secrets
in Environment Overrides section to add separate customizations for different environments such as dev, test, integration, prod, etc.
If you want to deploy an application in a non-production environment and then in production environment, once testing is done in the non-production environment, then you do not need to create a new application for production environment. Your existing pipeline(non-production env) will work for both the environments with little customization in your deployment template under Environment overrides
.
In a Non-production environment, you may have specified 100m CPU resources in the deployment template but in the Production environment, you may want to have 500m CPU resources as the traffic on Pods will be higher than traffic on non-production env.
Configuring the Deployment template inside Environment Overrides
for a specific environment will not affect the other environments because Environment Overrides
will configure deployment templates on environment basis. And at the time of deployment, it will always pick the overridden deployment template if any.
If there are no overrides specified for an environment in the Environment Overrides
section, the deployment template will be the one you specified in the deployment template section
of the app creation.
(Note: This example is meant only for a representational purpose. You can choose to add any customizations you want in your deployment templates in the Environment Overrides
tab)
Any changes in the configuration will not be added to the template, instead, it will make a copy of the template and lets you customize it for each particular environment. And now this overridden template will be used only for the specified Environment.
This will save you the trouble to manually create deployment files separately for each environment. Instead, all you have to do is to change the required variables in the deployment template.
Go to App Configuration → Environment Overrides. For each environment you can override the following configurations:
However, you have the flexibility to use different values at the environment level by overriding the base configurations as shown below.
Similarly, if you are an advanced user intending to tweak more values in deployment template, you may go to Advanced (YAML)
section and edit them.
Delete Override will discard the current overrides and the base deployment configuration will be applicable again to the environment.
The same goes for ConfigMap
and Secrets
. You can also create an environment-specific configmap and Secrets inside the Environment override
section.
To update a ConfigMap, follow the steps below:
In your environment, click ConfigMaps.
Click the ConfigMap you wish to update.
Click Allow Override.
Edit your ConfigMap.
Click Save Changes.
Similarly, you can update Secrets too as shown below.
After the is complete, you can trigger the CD pipeline.
Go to the Build & Deploy
tab of your application and click Select Image in the CD pipeline.
Select an image to deploy and then click Deploy to trigger the CD pipeline.
However, if an image is already deployed, you can identify it by the tag Active on <Environment name>
.
If no approved images are available or the current image is already deployed, you won't see any images for deployment when clicking Select Image.
To request an image approval, follow these steps:
Navigate to the Build & Deploy
page, and click the Approval for deployment icon.
Click the Request Approval button present on the image for which you want to request an approval and click Submit Request.
The users you selected will receive an approval request via email. Any user with 'Image approver' permission alongwith access to the given application and given environment would be able to approve the image.
In case you wish to cancel the image approval request, you can do so from the Approval pending
tab as shown in the below image.
If you've received an approval but no longer want the image to be deployable, you can let the approval expire.
By default, super-admin users are considered as the default approvers. Users who build the image and/or request for its approval, cannot self-approve it even if they have super-admin privileges.
To approve an image approval request, follow these steps:
Go to the Build & Deploy
page and click the Approval for deployment
button.
Switch to the Approval pending
tab. Here, you will get a list of images that are awaiting approval.
Click Approve followed by Approve Request button.
To deploy an approved image, follow these steps:
Navigate to the Build & Deploy
tab and click Select Image.
You will find all the approved images listed under the Approved images
section. From the list, you can select the desired image and deploy it to your environment.
You can view the status of current deployment in the App Details
tab.
The status initially appears as Progressing
for approximately 1-2 minutes, and then gradually transitions to Healthy
state based on the deployment strategy.
Here, our CD pipeline trigger was successful and the deployment is in Healthy
state.
The users can access the on the App Details page.
Select Applications from the left navigation pane.
After selecting a configured application, select the App Details tab.
Note: If you enable
App admins can edit
on theExternal Links
page, then only non-super admin users can view the selected links on theApp-Details
page.
As shown in the screenshot, the external links appear on the App-Details
level:
You can hover around an external link (e.g. Grafana) to view the description.
On the App Configuration
page, select External Links
from the navigation pane. You can see the configured external links which can be searched, edited or deleted.
You can also Add Link
to add a new external link.
You can view the Ingress Host URL and the Load Balancer URL on the URLs section on the App Details. You can also copy the Ingress Host URL from the URLs instead of searching in the Manifest
.
Select Applications from the left navigation pane.
After selecting your configured application, select the App Details.
Click URLs.
You can view or copy the URL of the Ingress Host.
Note:
The Ingress Host URL will point to the load balancer of your application.
You can also view the Service
name with the load balancer detail.
The ConfigMap API resource holds key-value pairs of the configuration data that can be consumed by pods or used to store configuration data for system components such as controllers. ConfigMap is similar to Secrets, but designed to more conveniently support working with strings that do not contain sensitive information.
Click on Add ConfigMap
to add a config map to your application.
You can configure a configmap in two ways-
(a) Using data type Kubernetes ConfigMap
(b) Using data type Kubernetes External ConfigMap
1. Data Type
Select the Data Type as Kubernetes ConfigMap
, if you wish to use the ConfigMap created by Devtron.
2. Name
Provide a name to your configmap.
3. Use ConfigMap as
Here we are providing two options, one can select any of them as per your requirement
-Environment Variable
as part of your configMap or you want to add Data Volume
to your container using Config Map.
Environment Variable
Select this option if you want to add Environment Variables as a part of configMap. You can provide Environment Variables in key-value pairs, which can be seen and accessed inside a pod.
Data Volume
Select this option if you want to add a Data Volume
to your container using the Config Map.
Key-value pairs that you provide here, are provided as a file to the mount path. Your application will read this file and collect the required data as configured.
4. Data
In the Data
section, you provide your configmap in key-value pairs. You can provide one or more than one environment variable.
You can provide variables in two ways-
YAML (raw data)
GUI (more user friendly)
Once you have provided the config, You can click on any option-YAML
or GUI
to view the key and Value parameters of the ConfigMap.
Kubernetes ConfigMap using Environment Variable:
If you select Environment Variable
in 3rd option, then you can provide your environment variables in key-value pairs in the Data
section using YAML
or GUI
.
Data in YAML
(please Check below screenshot)
Now, Click on Save ConfigMap
to save your configmap configuration.
Kubernetes ConfigMap using Data Volume
Provide the Volume Mount folder path in Volume Mount Path, a path where the data volume needs to be mounted, which will be accessible to the Containers running in a pod.
You can add Configuration data as in YAML or GUI format as explained above.
You can click on YAML
or GUI
to view the key and Value parameters of the ConfigMap that you have created.
You can click on Save ConfigMap
to save the configMap.
For multiple files mount at the same location you need to check sub path bool field, it will use the file name (key) as sub path. Sub Path feature is not applicable in case of external configmap.
File permission will be provide at the configmap level not on the each key of the configmap. It will take 3 digit standard permission for the file.
You can select Kubernetes External ConfigMap
in the data type
field if you have created a ConfigMap using the kubectl command.
By default, the data type is set to Kubernetes ConfigMap
.
Kubernetes External ConfigMap is created using the kubectl create configmap
command. If you are using Kubernetes External ConfigMap
, make sure you give the name of ConfigMap the same as the name that you have given using kubectl create Configmap <configmap-name> <data source>
command, otherwise, it might result in an error during the built.
You have to ensure that the External ConfigMap exists and is available to the pod.
The config map is created.
You can update your configmap anytime later but you cannot change the name of your configmap. If you want to change the name of the configmap then you have to create a new configmap. To update configmap, click on the configmap you have created make changes as required.
Click on Update Configmap
to update your configmap.
You can delete your configmap. Click on your configmap and click on the delete sign
to delete your configmap.
If the deployment of your application is not successful, then debugging needs to be done to check the cause of the error.
This can be done through App Details
section which you can access in the following way:-
Applications->AppName->App Details
Over here, you can see the status of the app as Healthy. If there are some errors with deployment then the status would not be in a Healthy state.
Events of the application are accessible from the bottom left corner.
Events section displays you the events that took place during the deployment of an app. These events are available until 15 minutes of deployment of the application.
Logs contain the logs of the Pods and Containers deployed which you can use for the process of debugging.
The Manifest shows the critical information such as Container-image, restartCount, state, phase, podIP, startTime etc. and status of the pods deployed.
You might run into a situation where you need to delete Pods. You may need to bounce or restart a pod.
Deleting a Pod is not an irksome task, it can simply be deleted by Clicking on Delete Pod
.
Suppose you want to setup a new environment, you can delete a pod and thereafter a new pod will be created automatically depending upon the replica count.
You can view Application Objects
in this section of App Details
, such as:
You can monitor the application in the App Details
section.
Metrics like CPU Usage
, Memory Usage
, Throughput
and Latency
can be viewed here.
To trigger the CI pipeline, first you need to select a Git commit. To select a Git commit, click the Select Material button present on the CI pipeline.
Once clicked, a list will appear showing various commits made in the repository, it includes details such as the author name, commit date, time, etc. Choose the desired commit for which you want to trigger the pipeline, and then click Start Build to initiate the CI pipeline.
CI Pipelines with automatic trigger enabled are triggered immediately when a new commit is made to the git branch. If the trigger for a build pipeline is set to manual, it will not be automatically triggered and requires a manual trigger.
CI builds can be time-consuming for large repositories, especially for enterprises. However, Devtron's partial cloning feature significantly increases cloning speed, reducing the time it takes to clone your source code and leading to faster build times.
Advantages
Smaller image sizes
Reduced resource usage and costs
Faster software releases
Improved productivity
Get in touch with us if you are looking for a way to improve the efficiency of your software development process.
The Refresh icon updates the Git Commits section in the CI Pipeline by fetching the latest commits from the repository. Clicking on the refresh icon ensures that you have the most recent commit available.
The Ignore Cache option ignores the previous build cache and creates a fresh build. If selected, will take a longer build time than usual.
If you wish to pass runtime parameters for a build job, you can provide key-value pairs before triggering the build. Thereafter, you can access those passed values by referencing the corresponding keys in the environment variable dictionary.
Steps
Go to the Parameters tab available on the screen where you select the commit.
Click + Add parameter.
Enter your key-value pair as shown below.
Similarly, you may add more than one key-value pair by using the + Add Parameter button.
Click Start Build.
Click the CI Pipeline
or navigate to the Build History
to get the CI pipeline details such as build logs, source code details, artifacts, and vulnerability scan reports.
To access the logs of the CI Pipeline, simply click Logs
.
To view specific details of the Git commit you've selected for the build, click on Source
. This will provide you with information like the commit ID, author, and commit message associated with that particular commit.
By selecting the Artifacts
option, you can download reports related to the tasks performed in the Pre-CI and Post-CI stages. This will allow you to access and retrieve the generated reports, if any, related to these stages. Additionally, you have the option to add tags or comments to the image directly from this section.
Ephemeral container is a special type of container that runs temporarily in an existing Pod to accomplish user-initiated actions such as troubleshooting. It is especially useful when kubectl exec
is insufficient because a container has crashed or a container image doesn't include debugging utilities.
For instance, ephemeral containers help you execute a curl
request from within pods that typically lack this utility.
Ephemeral containers are turned on by default in Kubernetes v1.23 and later
Wherever you can access pod resources in Devtron, you can launch an ephemeral container as shown below.
In the left sidebar, go to Applications.
Search and click your application from the list of Devtron Apps.
Go to the App Details tab.
Under the K8 Resources tab, select Pod inside Workloads
.
Locate the pod you wish to debug. Hover and choose click Terminal.
Click Launch Ephemeral Container as shown below.
You get 2 tabs:
Basic - It provides the bare minimum configurations required to launch an ephemeral container.
It contains 3 mandatory fields:
Container name prefix - Type a prefix to give to your ephemeral container, for e.g., debug. Your container name would look like debug-jndvs
.
Image - Choose an image to run from the dropdown. Ephemeral containers need an image to run and provide the capability to debug, such as curl
. You can use a custom image too.
Target Container name - Since a pod can have one or more containers, choose a target container you wish to debug, from the dropdown.
Click Launch Container.
(This is not a recommended method. This option is available only if you are an admin.)
You can launch an ephemeral container from Kubernetes CLI. For this, you need access to the cluster terminal on Devtron.
You can remove an ephemeral container using either App Details or Resource Browser (from the same screen you used to create the ephemeral container).
You cannot use App Details or Resource Browser to remove an ephemeral container created using Kubernetes CLI
Application metrics can be enabled to see your application's metrics.
Devtron provides certain metrics (CPU and Memory utilization) for each application by default i.e. you do not need to enable “Application metrics”. However, prometheus needs to be present in the cluster and the endpoint of the same should be updated in Global Configurations --> Clusters & Environments section.
There are certain advanced metrics (like Latency, Throughput, 4xx, 5xx, 2xx) which are only available when "Application metrics" is enabled from the Deployment Template. When you enable these advanced metrics, devtron attaches a envoy sidecar container to your main container which runs as a transparent proxy and passes each request through it to measure the advanced metrics.
Note: Since, all the requests are passed through envoy, any misconfiguration in envoy configs can bring your application down, so please test the configurations in a non-production environment extensively.
CPU usage is a utilization metric that shows the overall utilization of cpu by an application. It is available as both, aggregated or per pod.
Memory usage is a utilization metric that shows the overall utilization of memory by an application. It is available as both, aggregated or per pod.
This application metrics indicates the number of request processed by an application per minute.
This metrics indicates the application’s response to client’s request with a specific status code i.e 1xx(Communicate transfer protocol-level information), 2xx(Client’s request was accepted successfully), 3xx(Client must take some additional action to complete their request), 4xx(Client side error) or 5xx(Server side error).
Latency metrics shows the latency for an application. Latency measures the delay between an action and a response.
99.9th percentile latency: The maximum latency, in seconds, for the fastest 99.9% of requests.
99th percentile latency: The maximum latency, in seconds, for the fastest 99% of requests.
95th percentile latency: The maximum latency, in seconds, for the fastest 95% of requests.
Note: We also support custom percentile input inside the dropdown .A latency measurement based on a single request is not meaningful.
The Overview
section contains the brief information of the application, any added tags, configured external links and deployment details of the particular application. In this section, you can also and if you added them while creating application.
The following details are provided on the Overview page:
You can change the project of your application by clicking Project on the Overview
section.
Click Project
.
On the Change project
dialog box, select the different project you want to change from the drop-down list.
Click Save. The application will be moved to the selected project.
Tags
are key-value pairs. You can add one or multiple tags in your application. When tags are propagated, they are considered as labels to Kubernetes resources. Kubernetes offers integrated support for using these labels to query objects and perform bulk operations e.g., consolidated billing using labels. You can use these tags to filter/identify resources via CLI or in other Kubernetes tools.
Manage tags
is the central place where you can create, edit, and delete tags. You can also propagate tags as labels to Kubernetes resources for the application.
Click Edit
.
On the Manage tags
page, click + Add tag
to add a new tag.
Click X
to delete a tag.
Dark grey colour in symbol specifies that the tags are propagated.
Click Save
.
The changes in the tags will be reflected in the Tags
on the Overview
section.
A PersistentVolumeClaim (PVC) volume is a request for storage, which is used to mount a PersistentVolume (PV) into a Pod. In order to optimize build time, you can configure PVC in your application.
If you want to optimize build time for the multiple target platforms (e.g., arm64, amd64), mounting a PVC will provide volume directly to a pod which helps in shorter build time by storing build cache. Mounting a PVC into a pod will provide storage for build cache which will not impact the normal build where the image is built on the basis of architecture and operating system of the K8s node on which CI is running.
The following configuration file describes persistent volume claim e.g.,cache-pvc.yaml
, where you have to define the metadata name
and storageClassname
.
Create the PersistentVolumeClaim by running the following command:
In order to configure PVC:
Go to the Overview
section of your application.
On the right-corner, click Edit
.
For app level PVC mounting, enter the following:
key:devtron.ai/ci-pvc-all
Note
: This PVC mounting will impact all the build pipelines of the application.
For pipeline level, enter the following:
key:devtron.ai/ci-pvc-{pipelinename}
Note
: This PVC mounting will impact only the particular build pipeline.
To know the pipelinename
detail, go to the App Configuration
, click Workflow Editor
the pipeline name will be on the Build
pipeline as shown below.
Click Save
.
Create a task using one of the integrated in Devtron:
Create a task from which you can customize your script with:
Or,
Resource Scanning: You can scan for vulnerabilities using Devtron's resource scanning feature.
Click the symbol on the left side of your tag to propagate a tag.
Note
: Dark grey colour in symbol specifies that the tags are propagated.
To remove the tags from propagation, click the symbol again.
The option to choose between 'Helm' or 'GitOps' is only available in
Select the Chart Version using which you want to deploy the application. Refer section for more detail.
You can perform a basic deployment configuration for your application in the Basic (GUI) section instead of configuring the YAML file. Refer section for more detail.
If you want to do additional configurations, then click Advanced (YAML) for modifications. Refer section for more detail.
You can enable Show application metrics
to see your application's metrics-CPU Service Monitor usage, Memory Usage, Status, Throughput and Latency.
Refer for more detail.
It use to specify the timeZone used. (It uses standard format. please refer )
Select the container registry from the drop-down list or you can click Add Container Registry. This registry will be used to .
Select the Git checkout path of your repository. This repository is the same which you defined on the section.
Select your code repository. This repository is the same which you defined on the section.
Heroku: It compiles your deployed code and creates a slug, which is a compressed and pre-packaged copy of your app and also the runtime which is optimized for distribution to the dyno (Linux containers) manager. .
GCR: GCR builder is a general purpose builder that creates container images designed to run on most platforms (e.g. Kubernetes / Anthos, Knative / Cloud Run, Container OS, etc.). It auto-detects the language of your source code, and can also build functions compatible with the Google Cloud Function Framework. .
Paketo: Paketo buildpacks provide production-ready buildpacks for the most popular languages and frameworks to easily build your apps. Based on your application needs, you can select from Full
, Base
and Tiny
. .
Define the key parameter as per your selected language and builder. E.g., By default GOOGLE_RUNTIME_VERSION
for GCR buildpack.
Note: If you want to define env arguments
for PHP
and Ruby
languages after selecting Heroku
builder, please make sure to refer respective and documentation for runtime information.
Provide the Data Type of your secret. To know about different Data Types available click on
If you are not a super-admin, you cannot modify the locked keys in deployment template. Refer to know more.
Users need to have or above (along with access to the environment and applications) to change perform environment override.
Users who are not super-admins will land on section when they visit the Deployment Template page; whereas super-admins will land on section. This is just a default behavior, they can still navigate to the other section if needed.
If you have a set up at application level, the environment(s) you define for your application will also inherit those values.
Refer to know more about each field within Basic (GUI)
section.
Refer to know the process of adding, removing, and customizing the Basic (GUI) section.
to know more about each key-value pair within the Advanced (YAML)
section.
If you want to configure your ConfigMap and secrets at the application level then you can provide them in and , but if you want to have environment-specific ConfigMap and secrets then provide them under the Environment override Section. At the time of deployment, it will pick both of them and provide them inside your cluster.
When for the deployment pipeline configured in the workflow, you are expected to request for an image approval before each deployment. Alternatively, you can deploy images that have already been approved once.
Users need to have or above (along with access to the environment and application) to request for an image approval.
In case you have configured , you can directly choose the approver(s) from the list of approvers as shown below.
Users with Approver
permission (for the specific application and environment) can also approve a deployment. This permission can be granted to users from present in .
In case or was configured in Devtron, and the user chose the approvers while raising an image approval request, the approvers would receive an email notification as shown below:
Users need to have or above (along with access to the respective environment and application) to select and deploy an approved image.
In case the super-admin has set the minimum number of approval to more than 1 (in ), you must wait for all approvals before deploying the image. In other words, partially approved image will not be eligible for deployment.
To further diagnose the deployments,
The link opens in a new tab with the context you specified as env variables in the section.
Users need to have or above (along with access to the environment and application) to pass build parameters.
In case you trigger builds in bulk, you can consider passing build parameters in .
To check for any vulnerabilities in the build image, click on Security
. Please note that vulnerabilities will only be visible if you have enabled the Scan for vulnerabilities
option in the advanced options of the CI pipeline before building the image. For more information about this feature, please refer to this .
Advanced - It is particularly useful for advanced users that wish to use labels or annotations since it provides additional key-value options. Refer to view the supported options.
Click to know more.
Click the symbol on the left side of your tag to propagate a tag.
To remove the tags from propagation, click the symbol again.
For more detail, refer .
value: metadata name (e.g., cache-pvc)
which you define on the .
value: metadata name which you define on the .
vault.server
Server is the connection address for the Vaultserver, e.g: "https://vault.example.com:8200"
vault.path
Specify the path where the secret is stored in Vault
tokenSecretRef.name
Enter the name of the secret that will be used for authentication
tokenSecretRef.key
Specify the key name within the secret that contains the token
secretKey
Provide a name for the secret in Kubernetes
key
Enter the name of the secret in Vault
property
Specify the key within the Vault secret
Data Type (Kubernetes ConfigMap)
Select your preferred data type for Kubernetes ConfigMap or Kubernetes External ConfigMap
Name
Provide a name to this ConfigMap.
Use configmap as Environment Variable
Select this option if you want to inject Environment Variables in pods using ConfigMap.
Use configmap as Data Volume
Select this option, if you want to configure a Data Volume that is accessible to Containers running in a pod and provide a Volume mount path.
Key-Value
Provide the actual key-value configuration data here. Key and corresponding value to the provided key.
Workloads
ReplicaSet(ensures how many replica of pod should be running), Status of Pod(status of the Pod)
Networking
Service(an abstraction which defines a logical set of Pods), Endpoints(names of the endpoints that implement a Service), Ingress(API object that manages external access to the services in a cluster)
Config & Storage
ConfigMap( API object used to store non-confidential data in key-value pairs)
Custom Resource
Rollout(new Pods will be scheduled on Nodes with available resources), ServiceMonitor(specifies how groups of services should be monitored)
CPU Usage
Percentage of CPU's cycles used by the app.
Memory Usage
Amount of memory used by app.
Throughput
Performance of the app.
Latency
Delay caused while transmitting the data.
In certain cases, you may want to override default configurations provided by Devtron. For example, for deployments or statefulsets you may want to change the memory or CPU requests or limit or add node affinity or taint tolerance. Say, for ingress, you may want to add annotations or host. Samples are available inside the manifests/updates directory.
To modify a particular object, it looks in namespace devtroncd
for the corresponding configmap as mentioned in the mapping below:
argocd
argocd-override-cm
GitOps
clair
clair-override-cm
container vulnerability db
clair
clair-config-override-cm
Clair configuration
dashboard
dashboard-override-cm
UI for Devtron
gitSensor
git-sensor-override-cm
microservice for Git interaction
guard
guard-override-cm
validating webhook to block images with security violations
postgresql
postgresql-override-cm
db store of Devtron
imageScanner
image-scanner-override-cm
image scanner for vulnerability
kubewatch
kubewatch-override-cm
watches changes in ci and cd running in different clusters
lens
lens-override-cm
deployment metrics analysis
natsOperator
nats-operator-override-cm
operator for nats
natsServer
nats-server-override-cm
nats server
natsStreaming
nats-streaming-override-cm
nats streaming server
notifier
notifier-override-cm
sends notification related to CI and CD
devtron
devtron-override-cm
core engine of Devtron
devtronIngress
devtron-ingress-override-cm
ingress configuration to expose Devtron
workflow
workflow-override-cm
component to run CI workload
externalSecret
external-secret-override-cm
manage secret through external stores like vault/AWS secret store
grafana
grafana-override-cm
Grafana config for dashboard
rollout
rollout-override-cm
manages blue-green and canary deployments
minio
minio-override-cm
default store for CI logs and image cache
minioStorage
minio-storage-override-cm
db config for minio
Let's take an example to understand how to override specific values. Say, you want to override annotations and host in the ingress, i.e., you want to change devtronIngress, copy the file devtron-ingress-override.yaml. This file contains a configmap to modify devtronIngress as mentioned above. Please note the structure of this configmap, data should have the key override
with a multiline string as a value.
apiVersion
, kind
, metadata.name
in the multiline string is used to match the object which needs to be modified. In this particular case it will look for apiVersion: extensions/v1beta1
, kind: Ingress
and metadata.name: devtron-ingress
and will apply changes mentioned inside update:
as per the example inside the metadata:
it will add annotations owner: app1
and inside spec.rules.http.host
it will add http://change-me
.
In case you want to change multiple objects, for eg in argocd
you want to change the config of argocd-dex-server
as well as argocd-redis
then follow the example in devtron-argocd-override.yaml.
Once we have made these changes in our local system we need to apply them to a Kubernetes cluster on which Devtron is installed currently using the below command:
Run the following command to make these changes take effect:
Our changes would have been propagated to Devtron after 20-30 minutes.
To use Devtron for production deployments, use our recommended production overrides located in manifests/updates/production. This configuration should be enough for handling up to 200 microservices.
The overall resources required for the recommended production overrides are:
cpu
6
memory
13GB
The production overrides can be applied as pre-devtron installation
as well as post-devtron installation
in the respective namespace.
If you want to install a new Devtron instance for production-ready deployments, this is the best option for you.
Create the namespace and apply the overrides files as stated above:
After files are applied, you are ready to install your Devtron instance with production-ready resources.
If you have an existing Devtron instance and want to migrate it for production-ready deployments, this is the right option for you.
In the existing namespace, apply the production overrides as we do it above.
App Name
Displays the name of the application.
Created on
Displays the day, date and time the application was created.
Created by
Displays the email address of a user who created the application.
Project
Displays the current project of the application. You can change the project by selecting a different project from the drop-down list.
On the Devtron dashboard, select Jobs.
On the upper-right corner of the screen, click Create.
Select Job from the drop-down list.
Create job page opens.
Provide below information on the Create job
page:
Job Name
User-defined name for the job in Devtron.
Description
Enter the description of a job.
Registry URL
This is the URL of your private registry in Quay. E.g. quay.io
Select one of them
Note: Do not forget to modify git repositories and corresponding branches to be used for each Job Pipeline if required.
Tags
are key-value pairs. You can add one or multiple tags in your application.
Propagate Tags When tags are propagated, they are considered as labels to Kubernetes resources. Kubernetes offers integrated support for using these labels to query objects and perform bulk operations e.g., consolidated billing using labels. You can use these tags to filter/identify resources via CLI or in other Kubernetes tools.
Click + Add tag
to add a new tag.
Click Save
.
Job allows manual and automated execution of your source code. Job pipeline will not have CI/CD pipeline as the job is limited to your source code only. You can also configure preset plugins in your job pipeline.
With job, you can execute your source code quickly and easily without going through CI/CD pipelines, which also optimize time.
There are two main steps in executing Job:
In the next section, we will learn on how to create, configure, trigger a job. You can also view the details on the Overview tab and Run History
.
Here we have demonstrated the installation of Devtron on popular cloud providers. The videos are easy to follow and provide step-by-step instructions.
Cloud Provider: Amazon Web Services (AWS)
Cloud Provider: Microsoft Azure
Cloud Provider: Google Cloud Platform (GCP)
Regular backups for Devtron PostgreSQL and ArgoCD are crucial components of a disaster recovery plan, as they protect against potential data loss due to unforeseen circumstances. This documentation provides instructions on how to take backups of Devtron and store them either on AWS S3 or Azure containers.
Go to the devtron chart store and search for devtron-backups
chart.
Select the devtron-backups
and click Configure & Deploy
.
Now follow either of the options described below according to your Cloud provider.
To store Devtron backups on AWS S3, please follow these steps:
Create an S3 bucket to store the Devtron backup, you can configure the bucket to delete all the objects older than 15/30 days.
Create a user with sufficient permissions to push to the S3 bucket created in step 1.
Obtain the access key and secret access key for the created user.
Configure the devtron-backups
chart for AWS S3 by selecting the appropriate options:
Deploy the chart, and the Devtron backup will be automatically uploaded to the AWS S3 bucket at the scheduled intervals.
To store Devtron backups on Azure Containers, please follow these steps:
Create a storage account in Azure.
Within the storage account, create two containers for the Devtron backup.
Navigate to Security + Networking > Access Key section in Azure and copy the Access Key:
Configure the devtron-backups
chart for Azure Containers by providing the Access Key:
Before deploying the backup chart, ensure that AWS.enabled
is set to false
. This will ensure that Devtron backup will be automatically uploaded to the configured Azure containers on the scheduled intervals.
By following these steps, you can ensure that your Devtron data is securely backed up and protected against any potential data loss, enabling you to recover quickly in case of emergencies.
Create from scratch :Select the project from the drop-down list.
Note
: You have to add . Only then, it will appear in the drop-down list here.
Clone existing application: Select an app you want to clone from and the project from the drop-down list.
Note
: You have to add . Only then, it will appear in the drop-down list here.
Click the symbol on the left side of your tag to propagate a tag.
Note
: Dark grey colour in symbol specifies that the tags are propagated.
To remove the tags from propagation, click the symbol again.
Once Devtron is installed, it has a built-in admin
user with super admin privileges with unrestricted access to all Devtron resources. We recommended to use a user with super admin privileges for initial and global configurations only and then switch to local users or configure SSO integration.
Only users with super-admin privileges can create SSO configuration. Devtron uses Dex for authenticating a user against the identity provider.
To add/edit SSO configuration, go to the SSO Login Services
section of Global Configurations
.
Below are the SSO providers which are available in Devtron. Select one of the SSO providers (e.g., GitHub) to configure SSO:
Google GitHub GitLab Microsoft LDAP OpenID Connect OpenShift
Dex implements connectors that target specific identity providers
for each connector configuration. You must have a created account for the corresponding identity provider and registered an app for client key and secret.
Refer the following documents for more detail.
https://dexidp.io/docs/connectors/
https://dexidp.io/docs/connectors/google/
Make sure that you have a super admin access.
Go to the Global Configurations
→ SSO Login Services
and click any SSO Provider
of your choice.
In the URL
field, enter the valid Devtron application URL
where it is hosted.
For providing redirectURI
or callbackURI
registered with the SSO provider, you can either select Configuration
or Sample Script
.
Provide the client ID
and client Secret
of your SSO provider (e.g. If you select Google
as SSO provider, then you must enter $GOOGLE_CLIENT_ID
and $GOOGLE_CLIENT_SECRET
in the client ID
and client Secret
respectively.)
Select Save
to create and activate SSO Login Service.
Note:
Only single SSO login configuration can be active at one time. Whenever you create or update any SSO configuration, it will be activated and used by Devtron and previous configurations will be deleted.
Except for the domain substring, URL and redirectURI remains same.
You can change SSO configuration anytime by updating the configuration and click Update
. Note: In case of configuration change, all users will be logged out of Devtron and will have to login again.
type
: Any platform name such as (Google, GitLab, GitHub etc.)
name
: Identity provider platform name
id
: Identity provider platform which is a unique ID in string. (Refer to dexidp.io
config
: User can put connector details for this key. Platforms may not have same structure but common configurations are clientID
, clientSecret
, redirectURI
.
hostedDomains
: Domains authorized for SSO login.
After configuring an SSO for authentication, you need to add users in Devtron, else your users won't be able to log in via SSO.
In case you have enabled auto-assign permissions in Microsoft or LDAP, relevant permission groups must also exist in Devtron for a successful login.
Devtron provides a sample configuration out of the box. There are some values that you need to either get from your SSO provider or give to your SSO provider.
clientID
tenantID (required only if you want to use Azure AD for auto-assigning permissions)
clientSecret
redirectURI (provided in SSO Login Services by Devtron)
Make sure to add tenantID in the SSO configuration field without fail.
Since Microsoft supports Active Directory (AD) , this feature further simplifies the onboarding process of organizations having a large headcount of users. It also eliminates repetitive permission assignment by automatically mapping your Azure AD groups to Devtron's Permission Groups during single sign-on (SSO) login.
If you've defined groups in your Active Directory, you can create corresponding permission groups in Devtron with the same names. When members of those Active Directory groups first log in to Devtron, they'll automatically inherit the permissions from their Devtron permission group. This means you can't manually adjust or add individual permissions for users mapped to a permission group.
SSO login requires exact matching between Devtron permission group names and AD groups. Any discrepancies or missing groups will prevent successful login.
Once you save the configuration with this feature enabled, existing user permissions will be cleared and the future permissions will be managed through permission groups linked to Azure Active Directory (Microsoft Entra ID) groups.
If your AD permissions aren't reflecting in Devtron, a quick sign-out and sign-in can resolve the issue.
Devtron provides a sample configuration out of the box. There are some values that you need to either get from your SSO provider or give to your SSO provider.
clientID
clientSecret
redirectURI (provided in SSO Login Services by Devtron)