Skip to main content
Version: 1.17

Configure Argo CD

Deploy Okteto with an Argo CD Application

In this guide, we'll learn how to deploy Okteto within an Argo CD Application manifest.

Set Up the Source

Okteto Self Hosted is distributed as a Helm Chart that can be sourced from Okteto's official repository:

helm repo add okteto
helm repo update

To configure it in the Argo CD manifest, you'll need to add it as a Helm type source:

repoURL: ''
chart: 'okteto'
targetRevision: '[LATEST RELEASE ex: 1.17.0]'
releaseName: 'okteto'

Set Up the Destination

Now it is time to tell Okteto where it is going to live, specifically the cluster and namespace:

server: 'https://kubernetes.default.svc'
namespace: 'okteto'

Configure the Sync Policy

The following syncOptions are recommended for installing Okteto in Argo CD and keeping it in a healthy state:


prune: true
selfHeal: true

- 'RespectIgnoreDifferences=true'
- 'PruneLast=true'
- 'CreateNamespace=true'
- 'ApplyOutOfSyncOnly=true'
  • syncPolicy.automated
    • prune: There are some objects created by Okteto whose names contain a hash derived from the configuration, so when it changes, Argo CD detects objects that no longer belong to the chart and that should be pruned. This option performs this task automatically. Otherwise, you'll need to manually set the "Prune" checkbox (or set the operation to "prune") when performing a manual sync.
    • selfHeal: This option will keep manifests consistent with the desired state and will recreate Okteto configuration in case it is deleted or modified externally by accident.
  • syncPolicy.syncOptions
    • 'RespectIgnoreDifferences=true': This option ensures sync operations respect the indications set in the "Configure the ignore differences".
    • 'PruneLast=true': Ensure that pruning takes place after syncing Okteto to the desired state.
    • 'CreateNamespace=true': Optionally let Argo CD auto-create the namespace set in the "Set Up the Destination" section.
    • 'ApplyOutOfSyncOnly=true': Okteto chart makes use of Helm templating to render some configurations dynamically such as internal certificates and private keys. Leaving this option enabled ensures those don't get recreated unnecessarily.

Configure Ignore Differences

Some Okteto resources are rendered via Helm templating functions that need access to the cluster's previous state. This is not possible in Argo CD; therefore, the following ignoreDifferences must be configured:


# TLS secrets generated by Okteto
- kind: 'Secret'
- '/data/ca.crt'
- '/data/tls.crt'
- '/data/tls.key'

# Webhook cabundles patched by Okteto
- group: ''
- '/webhooks/0/clientConfig/caBundle'
- '/webhooks/1/clientConfig/caBundle'
- '/webhooks/2/clientConfig/caBundle'
- '/webhooks/3/clientConfig/caBundle'
- '/webhooks/4/clientConfig/caBundle'
- '/webhooks/5/clientConfig/caBundle'
- '/webhooks/6/clientConfig/caBundle'
- '/webhooks/7/clientConfig/caBundle'
- '/webhooks/8/clientConfig/caBundle'
- '/webhooks/9/clientConfig/caBundle'
- '/webhooks/10/clientConfig/caBundle'
- '/webhooks/11/clientConfig/caBundle'

# Internal service account managed by Okteto
- kind: 'ServiceAccount'
name: 'okteto-admin'
- '/metadata/labels/app'
- '/metadata/labels/'
- '/metadata/labels/chart'
- '/metadata/labels/heritage'
- '/metadata/labels/release'

# Annotations for restarting internal components
- group: 'apps'
kind: 'DaemonSet'
- '/spec/template/metadata/annotations/checksum~1certs'
- group: 'apps'
kind: 'Deployment'
- '/spec/template/metadata/annotations/checksum~1secrets'


  • Changes to any part of the configuration will cause orphan resources to appear, which can be safely pruned automatically or manually by Argo CD. These resources are:
    • clustermetrics-<hash> job
    • migration-<hash> job
  • Changes to the following specific paths of the configuration may cause a small outage while syncing/applying:
    • .Values.webhook.internalCertificate.annotations will cause the webhooks registered by Okteto to recreate their certificates.
    • .Values.wildcardCertificate.annotations if .Values.wildcardCertificate.create == true will cause the self-signed certificates used for external access to recreate them.