Skip to main content

Deploy into Kubernetes Cluster


Procedure outlined here is only applicable for installing latest version

Resource Requirement

A 2 core 4GB work node will be more than enough for OneDev deployment.


  1. Kubernetes version 1.18 or Higher

  2. kubectl and helm3 installed

  3. You've added OneDev chart repository with below command:

    helm repo add onedev
    helm repo update onedev


  1. Install OneDev service
    helm install onedev onedev/onedev -n onedev --create-namespace
  2. Follow instructions on screen to access OneDev
  1. You may continue to configure OneDev via helm values

Use External Database

By default, OneDev uses an internal database, and it is suggested to use an external database in production environment. Below command upgrades an installation to use an existing MySQL database (database should be empty initially):

helm upgrade onedev onedev/onedev -n onedev --set database.external=true --set database.type=mysql --set --set-string database.port=3306 --set --set database.user=dbuser --set database.password=dbpassword --reuse-values

Click here for detailed explanations of external database settings

Expose OneDev via Load Balancer

By default OneDev http and ssh services are exposed via ClusterIP service. Below command upgrades an installation to use LoadBalancer service:

helm upgrade onedev onedev/onedev -n onedev --set service.type=LoadBalancer --reuse-values

With this command, you will get an external ip address to access OneDev http and ssh services

Click here for detailed explanations of service related settings

Make sure to update OneDev server url via menu Administration / System Setting to use external ip address or dns name of the load balancer

Expose OneDev Http Service via Ingress

You may expose OneDev service via ingress instead of load balancer with below command:

helm upgrade onedev onedev/onedev -n onedev --set ingress.enabled=true --set ingress.className=<ingress class name> --set<OneDev dns name> --reuse-values


  1. <ingress class name>: should be replaced with class name of your ingress controller. For instance this value is generally nginx for nginx ingress controller, which can be installed via below command:
    helm install ingress-nginx ingress-nginx --repo --namespace ingress-nginx --create-namespace
  2. <OneDev dns name>: should be replaced with dns name of OneDev. Appropriate dns records need to be added so that this dns name can be resolved to external ip address of corresponding ingress controller

Click here for detailed explanation of ingress related settings

Enable TLS for OneDev Http Service

After exposing OneDev http service via ingress, you can continue to enable TLS support with below command:

helm upgrade onedev onedev/onedev -n onedev --set ingress.tls.enabled=true --reuse-values

Use Specified TLS Certificate

By default the http service will be using a faked TLS certificate, and you can create a secret onedev-tls to use specified key and certificate like below:

kubectl create secret tls onedev-tls -n onedev --key /path/to/server.key --cert /path/to/server.crt

Getting TLS Certificate Automatically

Alternative, you can configure OneDev to populate secret onedev-tls automatically by getting certificate from ACME providers (currently only supports Let's Encrypt). To do it, first make sure cert manager is installed in your cluster with below command:

kubectl apply -f

Then run below command to enable tls aceme:

helm upgrade onedev onedev/onedev -n onedev --set ingress.tls.acme.enabled=true --set<your email address> --reuse-values

Here <your email address> should be replaced with your email address to receive certificate notifications such as expiration etc.

This will get staging certificate which is appropriate for testing purpose. You may run below command to check certificate status:

kubectl describe certificate onedev-tls -n onedev

When you are ready to switch to production certificate, run below command:

helm upgrade onedev onedev/onedev -n onedev --set ingress.tls.acme.production=true --reuse-values

And then delete secret onedev-tls to force cert manager to repopulate it:

kubectl delete secret onedev-tls -n onedev

Wait a while for the certificate to be populated

Expose SSH Service via Ingress Controller

In case OneDev http service is exposed via ingress, you can expose SSH service via same ingress controller via port forwarding so that http and ssh service can be accessed via same dns name. Taking nginx controller for instance, this can be achieved by upgrading controller like below:

helm upgrade ingress-nginx ingress-nginx --repo -n ingress-nginx --set tcp.22=onedev/onedev:ssh --reuse-values

After running this command, make sure to update SSH root url at OneDev side as ssh://<OneDev DNS name> in menu Administration/System Setting