
Raftt Configuration File - raftt.yml

Raftt's configuration lives in the raftt.yml file, which is created the first time you run raftt up for the repository (it can also be created by running raftt setup before raftt up). Once the file exists, adjust it to your needs; we recommend committing it to your repo.

raftt.yml Example

Below is a sample raftt.yml showing every top-level attribute; each attribute is explained in the specification that follows.

envDefinition: acme.raftt
host: admiral.acme.raftt.io
secrets: # Secrets are fetched from the local machine
  db-password:
    inputcommand: python3 ./scripts/get_db_password.py
    outputenv: DB_PASSWORD
directOptions:

raftt.yml Specification

envDefinition

A top-level element that contains the path to the .raftt file holding the environment definition. The filename can be anything, but we recommend using a file extension of .raftt or .rft.

host (optional)

A top-level element that configures the accessible host of a dedicated Raftt deployment. Contact us if you'd like one :).

If you are using connect-mode, this will usually be "direct", which indicates that there is no cluster-level controller and that the lifecycle of the environment controller is managed by the CLI/daemon.

secrets (optional)

A dictionary whose keys are the secret names that can be referenced as part of the environment.
Each dictionary entry contains the following attributes:

  • inputcommand - The command whose output is the secret.
    tip

    Since this command runs locally, we recommend using an OS-independent command, so the same raftt.yml file can be shared between team members working with different operating systems.
    A possible way to do it is having this command run a short OS-independent python script whose output is the secret.

    Because inputcommand is executed on each developer's machine, review changes to it like any other script committed to the repo.

    The secret value will be accessible in the .raftt file:

    aws_creds = get_secret("aws-credentials") # will return "AKIAEXAMPLEAWSCREDS"

  • outputenv - The name of the environment variable whose value will be the output of inputcommand.
    • The env var can be used for environment-variable substitution in a docker-compose file, e.g. $MY_SECRET_ENV when outputenv is MY_SECRET_ENV.

Secrets loaded into Raftt in this way are never persisted, and are available only within the context of the environment - isolated completely from other users. See Environment Security and Isolation for more information.

For example, the following raftt.yml definition:

secrets:
  my-vol-secret:
    inputcommand: echo "abcd"
  my-env-secret:
    inputcommand: echo "1234"
    outputenv: MY_SECRET_ENV

Along with the following snippet in the docker-compose:

services:
  ...
  my_service:
    ...
    environment:
      - MY_SECRET_ENV
    volumes:
      - /SECRETS/my-vol-secret:/root/secret_file

will result in:

  • The MY_SECRET_ENV env variable in the my_service container being equal to 1234.
  • The file /root/secret_file in the my_service container containing abcd.
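As an added example (not Raftt's code; the script name, the RAFTT_SECRET_ prefix, the ~/.config/raftt/secrets.json location and its JSON layout are all assumptions), here is the kind of short OS-independent Python script the tip above suggests using as an inputcommand. It resolves a secret by name from an environment variable first and then from a per-user JSON file, refuses a file that other users can read, reports errors on stderr only, and writes the value to stdout without a trailing newline so that exactly those bytes become the secret:

```python
#!/usr/bin/env python3
"""get_secret.py - hypothetical OS-independent inputcommand helper for raftt.yml.

Intended raftt.yml usage (names are illustrative, not Raftt's own):
    secrets:
      db-password:
        inputcommand: python3 ./scripts/get_secret.py db-password
        outputenv: DB_PASSWORD

Lookup order:
  1. environment variable RAFTT_SECRET_<NAME> (NAME upper-cased, '-' -> '_')
  2. a per-user JSON file ~/.config/raftt/secrets.json, e.g. {"db-password": "..."}
Nothing is written anywhere; the value is only printed to stdout for Raftt to read.
"""
import json
import os
import stat
import sys
from pathlib import Path


def env_var_name(secret_name: str) -> str:
    """Map a raftt secret name such as 'db-password' to RAFTT_SECRET_DB_PASSWORD."""
    return "RAFTT_SECRET_" + secret_name.upper().replace("-", "_")


def check_private(path: Path) -> None:
    """Refuse a secrets file readable by group/others (POSIX only; Windows has no mode bits)."""
    if os.name != "posix":
        return
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by group/others (mode {mode:o}); chmod 600 it")


def resolve_secret(secret_name: str, env=None, secrets_file=None) -> str:
    """Return the secret value, or raise KeyError/PermissionError. env and
    secrets_file are overridable so the lookup can be tested without touching
    the real environment or home directory."""
    env = os.environ if env is None else env
    secrets_file = (Path.home() / ".config" / "raftt" / "secrets.json"
                    if secrets_file is None else Path(secrets_file))

    value = env.get(env_var_name(secret_name))
    if value:
        return value

    if secrets_file.is_file():
        check_private(secrets_file)
        with secrets_file.open(encoding="utf-8") as fh:
            store = json.load(fh)
        value = store.get(secret_name)
        if value:
            return value

    raise KeyError(f"secret {secret_name!r} not found in ${env_var_name(secret_name)} or {secrets_file}")


def main(argv) -> int:
    if len(argv) != 2:
        print("usage: get_secret.py <secret-name>", file=sys.stderr)
        return 2
    try:
        value = resolve_secret(argv[1])
    except (KeyError, PermissionError, json.JSONDecodeError) as exc:
        # Errors go to stderr so nothing misleading ends up as the secret value.
        print(f"get_secret: {exc}", file=sys.stderr)
        return 1
    # No trailing newline: the exact stdout bytes are the secret.
    sys.stdout.write(value)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With inputcommand: python3 ./scripts/get_secret.py db-password and outputenv: DB_PASSWORD, the value is then available as get_secret("db-password") in the .raftt file and as $DB_PASSWORD for docker-compose substitution, while the committed raftt.yml itself contains no secret material.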

directOptions (optional)

This key contains various customizations of connect-mode that may be necessary for your usage of Raftt. Everything here is optional: only add a key if you need it.

Below is the YAML with every field filled with a valid value, for reference only. Copying it as-is is almost certainly not what you want!

directOptions:
  defaultContext: dev-cluster
  storageClassName: gp3
  workloadIdentityServiceAccount: svc-account-name
  useHostPathForVolume: false
  controllerNodeSelector:
    nodeselectorkey: nodeselectorvalue
  podPriorityValue: 10
  searchLocalDockerRegistry: false
  privilegedController: false
  controllerResources:
    requests:
      cpu: 100m
      memory: 200Mi
    limits:
      cpu: 2000m
      memory: 1500Mi
  controllerTolerations:
    - key: my-toleration
      operator: Equal
      value: my-value
  enforceNonRootEnv: false
  controllerPodSecurityContext:
    runAsUser: 1000
    supplementalGroups:
      - 1300
  controllerSecurityContext:
    runAsUser: 3000
    runAsGroup: 3000
  controllerIngress:
    host: a.b.c.com
    ingressClass: nginx
    annotations:
      my-ingress-annotation: annotation-value
    maxWaitForIngressSeconds: 15
    useHTTP: false

defaultContext

Name of the default Kubernetes context to use. Default: current context.

storageClassName

Name of the storage class to use for the environment controller's persistent volume. Default: null, which will use the storage class marked as default in the cluster.

workloadIdentityServiceAccount

Name of the service account in the namespace to set for the environment controller. See the dedicated image registries documentation for more information.

useHostPathForVolume

Instead of creating a PVC for the storage used by the environment controller, use a hostPath volume. Because the data then lives on a single node's filesystem, this is not recommended for general usage.

controllerNodeSelector

The node selectors to apply to the environment controller deployment. If the environment controller should only run on specific nodes, set them here.

podPriorityValue

Configures a priority for the environment controller deployment and for workloads in dev mode. Useful if you encounter problems scheduling pods and the other workloads in the cluster can tolerate some disruption.

searchLocalDockerRegistry

Whether to search the local Docker registry, which is present when using something like Minikube.

See the dedicated image registries documentation for more information.

privilegedController

Whether to bring up the environment controller as privileged. This can be necessary depending on the security configuration of your cluster; since a privileged container has unrestricted access to its node, leave it false unless your cluster actually requires it.

controllerResources

The resource requests and limits set on the environment controller deployment. The defaults are the values shown in the example YAML above.

controllerTolerations

The tolerations to apply to the environment controller deployment.

Note - this is a list of the Toleration Kubernetes type, other fields are possible. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#toleration-v1-core.

enforceNonRootEnv

Causes all the Raftt containers (the environment controller and the other auxiliary containers) to come up as non-root. This affects behavior in some subtle ways related to file ownership (user IDs), but can unblock you if cluster policies do not allow root.

controllerPodSecurityContext

Overrides to the environment controller pod security context. Needed if cluster policies require certain settings.

Note - this is a Kubernetes type, many fields are possible. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#podsecuritycontext-v1-core.

controllerSecurityContext

Overrides to the environment controller container security context. Needed if cluster policies require certain settings.

Note - this is a Kubernetes type, many fields are possible. See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#securitycontext-v1-core.

controllerIngress

This is a complex field, allowing users of connect-mode to define an optional Ingress resource that allows much better connectivity between the developer's machine and the environment controller. The default is connecting over kubernetes port-forward, which is both slower and prone to disconnections.

  • ingressClass - The class of the ingress to set, if any
  • host - the host to set in the IngressRule
  • annotations - annotations to add to the created Ingress object
  • maxWaitForIngressSeconds - max time to wait for the ingress to be updated with the .Status.LoadBalancer.Ingress field, once it is reconciled. Only relevant if host is not specified. Default: 10
  • useHTTP - whether to connect over an HTTP websocket instead of HTTPS. Note that regardless of this setting, a fully authenticated and encrypted channel (over SSH or QUIC) is tunneled underneath.
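Both the secrets section and the directOptions above are easy to get subtly wrong in a file that is committed and shared by the whole team. As an added example (not part of Raftt; the rule set, severities and file name are my own), here is a small pre-commit audit over the parsed raftt.yml that flags the conditions this page describes: a missing inputcommand, an inputcommand that merely echoes a literal (so the secret lives in the repo), an outputenv that is not a valid environment-variable name, directOptions keys that are not documented on this page (likely typos), and privilegedController, useHostPathForVolume and useHTTP set to true. The audit works on the parsed dictionary, so the sample configs are embedded as constructed dicts; with PyYAML installed, yaml.safe_load() of a real raftt.yml produces the same structure.

```python
"""raftt_audit.py - hypothetical pre-commit audit for a raftt.yml (added example, not a Raftt tool)."""
import re

ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Keys this page documents under directOptions; anything else is probably a typo.
KNOWN_DIRECT_OPTIONS = {
    "defaultContext", "storageClassName", "workloadIdentityServiceAccount",
    "useHostPathForVolume", "controllerNodeSelector", "podPriorityValue",
    "searchLocalDockerRegistry", "privilegedController", "controllerResources",
    "controllerTolerations", "enforceNonRootEnv", "controllerPodSecurityContext",
    "controllerSecurityContext", "controllerIngress",
}

# Commands whose "output" is a literal already sitting in the committed file.
LITERAL_PRINTERS = ("echo ", "printf ")


def audit_secrets(secrets):
    """Findings for the secrets section: (severity, path, message) tuples."""
    findings = []
    for name, spec in (secrets or {}).items():
        spec = spec or {}
        cmd = spec.get("inputcommand")
        if not cmd:
            findings.append(("error", f"secrets.{name}", "inputcommand is missing"))
        elif str(cmd).strip().startswith(LITERAL_PRINTERS):
            findings.append(("warning", f"secrets.{name}.inputcommand",
                             "secret value is a literal in the committed raftt.yml"))
        outputenv = spec.get("outputenv")
        if outputenv is not None and not ENV_NAME.match(str(outputenv)):
            findings.append(("error", f"secrets.{name}.outputenv",
                             f"{outputenv!r} is not a valid environment variable name"))
    return findings


def audit_direct_options(opts):
    """Findings for directOptions: unknown keys, then the settings the page warns about."""
    findings = []
    opts = opts or {}
    for key in sorted(set(opts) - KNOWN_DIRECT_OPTIONS):
        findings.append(("warning", f"directOptions.{key}", "not a documented directOptions key"))
    if opts.get("privilegedController") is True:
        findings.append(("warning", "directOptions.privilegedController",
                         "controller runs privileged; keep false unless the cluster requires it"))
    if opts.get("useHostPathForVolume") is True:
        findings.append(("warning", "directOptions.useHostPathForVolume",
                         "hostPath storage is not recommended for general usage"))
    if (opts.get("controllerIngress") or {}).get("useHTTP") is True:
        findings.append(("info", "directOptions.controllerIngress.useHTTP",
                         "outer websocket is plain HTTP (the tunneled SSH/QUIC channel stays encrypted)"))
    return findings


def audit(config):
    """Run every rule over a parsed raftt.yml and return the combined findings."""
    return audit_secrets(config.get("secrets")) + audit_direct_options(config.get("directOptions"))


# Constructed sample (not a real deployment): the parsed form of a raftt.yml that
# commits a secret literal, misspells a key and enables the options the page warns about.
WEAK_CONFIG = {
    "envDefinition": "acme.raftt",
    "secrets": {
        "db-password": {"inputcommand": 'echo "hunter2"', "outputenv": "DB-PASSWORD"},
        "api-token": {},
    },
    "directOptions": {
        "privilegedController": True,
        "useHostPathForVolume": True,
        "privilegedControler": False,
        "controllerIngress": {"host": "a.b.c.com", "useHTTP": True},
    },
}

# Constructed hardened counterpart: the secret comes from a local script, the
# controller is unprivileged and non-root, and the ingress uses HTTPS.
HARDENED_CONFIG = {
    "envDefinition": "acme.raftt",
    "secrets": {
        "db-password": {"inputcommand": "python3 ./scripts/get_db_password.py",
                        "outputenv": "DB_PASSWORD"},
    },
    "directOptions": {
        "privilegedController": False,
        "enforceNonRootEnv": True,
        "controllerIngress": {"host": "a.b.c.com", "ingressClass": "nginx"},
    },
}

if __name__ == "__main__":
    for severity, path, message in audit(WEAK_CONFIG):
        print(f"{severity:7} {path}: {message}")
```

Running it against WEAK_CONFIG reports seven findings (two errors, four warnings, one info); HARDENED_CONFIG produces none, which is the condition a pre-commit hook would enforce.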

Need something else? Let us know!