
Deploy into Kubernetes Cluster

Resource Requirement

A 2-core 4GB worker node will be more than enough for a OneDev deployment.


  1. Kubernetes cluster version 1.18 or higher
  2. connected to the cluster
  3. kubectl and Helm 3 installed


  1. Install the OneDev chart into the cluster:
    $ helm install onedev onedev --repo --namespace onedev --create-namespace
    Check here for configurable helm values
  2. OneDev will create a load balancer for external access. Run the command below to get the external IP of the load balancer:
    $ kubectl get service onedev -n onedev
  3. Point your browser to http://<external ip> to access OneDev
  4. Continue with the ingress and LetsEncrypt setup below if desired


  • Besides creating resources in namespace onedev, a cluster role onedev and an associated cluster role binding onedev will be created in the default namespace. This is necessary because OneDev needs to be granted some cluster-wide permissions to run builds as pods.
  • OneDev will create two persistent volume claims, one to store MySQL database files and another to store OneDev data, including repositories. The actual location of these volumes varies depending on your Kubernetes cluster config. On Google Kubernetes Engine, they will be created as Google persistent disks.
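
One way to review the cluster-wide permissions mentioned above before relying on them (an added example, not part of the OneDev chart or its documentation): the function reads one rule per line, as printed by the kubectl command in the header comment, and grades it. The sample rules and the grading levels are constructed for illustration and are not the rules the chart actually installs.

```shell
#!/bin/sh
# Grade the rules of the "onedev" cluster role. On a live cluster run:
#   kubectl get clusterrole onedev -o jsonpath='{range .rules[*]}{.apiGroups}{"\t"}{.resources}{"\t"}{.verbs}{"\n"}{end}' | audit_rules
# Input: one rule per line, apiGroups <TAB> resources <TAB> verbs.

# Constructed sample for offline runs; NOT the rules the OneDev chart installs.
sample_rules() {
  printf '%s\t%s\t%s\n' \
    '[""]'  '["pods","pods/log"]' '["get","list","watch","create","delete"]' \
    '[""]'  '["secrets"]'         '["get","create","delete"]' \
    '[""]'  '["nodes"]'           '["get","list"]' \
    '["*"]' '["*"]'               '["*"]'
}

# Prints "<level> <TAB> rule" per line; exits non-zero if any rule is "high".
audit_rules() {
  tab=$(printf '\t')
  high=0
  while IFS="$tab" read -r groups resources verbs; do
    [ -n "$verbs" ] || continue   # skip blank or incomplete lines
    level=ok
    # Mutating verbs deserve a look: the grant applies in every namespace.
    case "$verbs" in
      *'"create"'*|*'"update"'*|*'"patch"'*|*'"delete"'*|*'"deletecollection"'*)
        level=review ;;
    esac
    # Reading secrets cluster-wide exposes every namespace's credentials.
    case "$resources" in
      *'"secrets"'*)
        case "$verbs" in *'"get"'*|*'"list"'*|*'"watch"'*) level=high ;; esac ;;
    esac
    # A wildcard in any column grants more than can be reviewed by name.
    case "$groups$resources$verbs" in *'"*"'*) level=high ;; esac
    if [ "$level" = high ]; then high=$((high + 1)); fi
    printf '%s\t%s\t%s\t%s\n' "$level" "$groups" "$resources" "$verbs"
  done
  [ "$high" -eq 0 ]
}
```

Run `sample_rules | audit_rules` to see the grading offline. The cluster role binding named onedev shows which service account receives these rules.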

Ingress Setup

The installation procedure above requires a separate load balancer, which can be expensive. If the cluster already has an ingress controller serving external traffic, you can configure OneDev to be accessed via a virtual host of the ingress controller with the procedure below:

  1. Get the external IP address of the ingress controller. For a default installation of the nginx controller, this can be shown with the command below:

    $ kubectl get service ingress-nginx-controller -n ingress-nginx
  2. Configure your DNS provider to add an A record associating the OneDev DNS name with the external IP address of the nginx controller above.

    NOTE: this is NOT the IP address of the OneDev load balancer we used previously

  3. Run the command below to tell the ingress controller to route traffic for the above DNS name to OneDev:

    $ helm upgrade onedev onedev --repo --namespace onedev --set<OneDev DNS name> --set ingress.class=<ingress class> --reuse-values

    Here <OneDev DNS name> should be replaced by the DNS name specified in step 2, and <ingress class> should be replaced by the ingress class of the desired ingress controller, which is normally nginx for the nginx controller

  4. Now you should be able to access OneDev via the URL http://<OneDev DNS name>

  5. To enable SSH access to OneDev repositories, you need to configure the ingress controller to forward traffic on a certain port to the OneDev SSH service. For the nginx controller, this can be achieved by upgrading the controller as below:

    $ helm upgrade ingress-nginx ingress-nginx --repo --namespace ingress-nginx --create-namespace --set tcp.<external SSH port number>=onedev/<OneDev SSH service name>:<OneDev SSH port number> --reuse-values


  • <external SSH port number>: the port number you wish to expose on the nginx controller for external SSH access

  • <OneDev SSH service name>: the name of the OneDev SSH service, which is normally onedev. If you separate the SSH service from the main service with option ssh.separateService, it will be onedev-ssh

  • <OneDev SSH port number>: the port of the OneDev SSH service, which is normally 22, unless overridden via option ssh.port

    After running this command, make sure to update the SSH server URL on the OneDev side to ssh://<OneDev DNS name>:<external SSH port number> via the menu Administration/System Setting

LetsEncrypt Setup

  1. Make sure OneDev is installed following this guide

  2. Make sure your cluster has an ingress controller installed. If not, run the command below to install one:

    $ helm install ingress-nginx ingress-nginx --repo --namespace ingress-nginx --create-namespace
  3. Set up ingress for OneDev following this guide

  4. To automatically get/renew certificates from LetsEncrypt, a cert manager is required. Install it with the command below if the cluster does not have one:

    $ kubectl apply -f
  5. Run the command below to configure OneDev to request a certificate from LetsEncrypt for the DNS name specified previously:

    $ helm upgrade onedev onedev --repo --namespace onedev --set ingress.tls=true --set<an email address> --reuse-values

    Here <an email address> should be replaced by an email address used to receive certificate notifications such as invalidation/expiration etc.

  6. Wait a while, then access OneDev from your browser at https://<OneDev DNS name>. If the certificate is invalid, run the command below to check the certificate status:

    $ kubectl describe certificate onedev-tls -n onedev