
Raftt Configuration File - raftt.yml

Raftt's configuration lives in the raftt.yml file, which is created the first time you run raftt up for the repository (it can also be created by running raftt setup before running raftt up). Once the file is created, modify it according to your needs; we recommend committing it to your repo.

raftt.yml Example

Below is a sample raftt.yml file containing all possible attributes.
A more detailed explanation of each attribute follows in the specification.

envDefinition: acme.raftt
secrets: # Secret fetched from local machine
inputcommand: python3 ./scripts/
outputenv: DB_PASSWORD

raftt.yml Specification


envDefinition

A top-level element that contains the path to the .raftt file containing the environment definition. The filename can be any arbitrary name, but we recommend using a file extension of .raftt or .rft.

host (optional)

A top-level element that configures the accessible host of a dedicated Raftt deployment. Contact us if you'd like one :).

If using connect-mode, this will usually be "direct", which indicates that there is no cluster-level controller, and the lifecycle of the environment controller is managed by the CLI/daemon.

secrets (optional)

A dictionary whose keys are the secret names that can be referenced as part of the environment.
Each dictionary entry contains the following attributes:

  • inputcommand - The command whose output is the secret.

    Since this command runs locally, we recommend using an OS-independent command, so the same raftt.yml file can be shared between team members working with different operating systems.
    One way to do this is to have the command run a short OS-independent Python script whose output is the secret.

The secret value will be accessible in the .raftt file:

aws_creds = get_secret("aws-credentials") # will return "AKIAEXAMPLEAWSCREDS"

  • outputenv - The name of the environment variable whose value will be the output of inputcommand.
    • The env var can be used to replace env vars in a docker-compose file, like $SECRET-NAME

Secrets loaded into Raftt in this way are never persisted, and are available only within the context of the environment - isolated completely from other users. See Environment Security and Isolation for more information.

For example, the following raftt.yml definition:

inputcommand: echo "abcd"
inputcommand: echo "1234"
outputenv: MY_SECRET_ENV

Along with the following snippet in the docker-compose:

- /SECRETS/my-vol-secret:/root/secret_file

Will make:

  • The MY_SECRET_ENV env variable in the my_service container equal 1234.
  • The file /root/secret_file in the my_service container equal abcd.
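
A sketch of the kind of short OS-independent Python script recommended above for inputcommand, added here as an example and not taken from Raftt: it reads the secret from an environment variable or from a file under the user's home directory and writes only the secret to stdout. The variable name DB_PASSWORD comes from the sample raftt.yml; the file location .acme/db_password and the function names are assumptions.

```python
#!/usr/bin/env python3
"""Print one secret to stdout for a raftt.yml inputcommand (added example)."""
import os
import stat
import sys
from pathlib import Path

ENV_NAME = "DB_PASSWORD"                     # name used in the sample raftt.yml
SECRET_FILE = Path(".acme") / "db_password"  # assumed location under the home dir


def read_secret(environ, home):
    """Return the secret from the environment or from the per-user file.

    Raises LookupError if no secret is found and PermissionError if the
    file is accessible to other users (mode bits are checked on POSIX only).
    """
    value = environ.get(ENV_NAME, "").strip()
    if value:
        return value
    path = Path(home) / SECRET_FILE
    if not path.is_file():
        raise LookupError(f"set {ENV_NAME} or create {path}")
    if os.name == "posix" and stat.S_IMODE(path.stat().st_mode) & 0o077:
        raise PermissionError(f"{path} is accessible to other users; chmod 600 it")
    value = path.read_text(encoding="utf-8").strip()
    if not value:
        raise LookupError(f"{path} is empty")
    return value


def main():
    try:
        secret = read_secret(os.environ, Path.home())
    except (LookupError, PermissionError) as exc:
        # Diagnostics go to stderr so stdout only ever carries the secret.
        print(f"secret lookup failed: {exc}", file=sys.stderr)
        return 1
    sys.stdout.write(secret)  # written without a trailing newline
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the secret stays in the environment or in a per-user file, the raftt.yml that is committed to the repo contains only the command, never the value.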

directOptions (optional)

This key contains various customizations to connect-mode that may be necessary for your usage of Raftt. Everything here is optional - only add something if you need it.

Below is the yaml with all fields filled with valid values. This is almost certainly not what you want!

defaultContext: dev-cluster
storageClassName: gp3
workloadIdentityServiceAccount: svc-account-name
useHostPathForVolume: false
nodeselectorkey: nodeselectorvalue
podPriorityValue: 10
searchLocalDockerRegistry: false
privilegedController: false
cpu: 100m
memory: 200Mi
cpu: 2000m
memory: 1500Mi
- key: my-toleration
operator: Equal
value: my-value
enforceNonRootEnv: false
runAsUser: 1000
- 1300
runAsUser: 3000
runAsGroup: 3000
ingressClass: nginx
my-ingress-annotation: annotation-value
maxWaitForIngressSeconds: 15
useHTTP: false


defaultContext

Name of the default Kubernetes context to use. Default: current context.


storageClassName

Name of the storage class to use for the environment controller's persistent volume. Default: null, which will use the storage class marked as default in the cluster.


workloadIdentityServiceAccount

Name of the service account in the namespace to set for the environment controller. See the dedicated image registries documentation for more information.


useHostPathForVolume

Instead of creating a PVC for the storage used by the environment controller, use a hostPath. This is not recommended for general usage.


The node selectors to apply to the environment controller deployment. If the environment controller should reside on specific nodes only, you can set that using this key.


podPriorityValue

Configures a priority for the environment controller deployment and workloads in dev mode. Useful if you encounter problems with scheduling pods, and other workloads in the cluster can handle some disruption.


searchLocalDockerRegistry

Whether to search the local docker registry, present if using something like Minikube.

See the dedicated image registries documentation for more information.


privilegedController

Whether to bring up the environment controller as privileged. Can be necessary depending on the security configuration of your cluster.


Sets the resource requests and limits on the environment controller deployment. The defaults are the values shown in the example yaml above.


The tolerations to apply to the environment controller deployment.

Note - this is a list of the Toleration Kubernetes type, other fields are possible. See


enforceNonRootEnv

Causes all the Raftt containers (the environment controller and other auxiliary containers) to come up as non-root. This affects behavior in some subtle ways related to file user IDs, but can unblock you if certain cluster policies do not allow root.


Overrides to the environment controller pod security context. Needed if cluster policies require certain settings.

Note - this is a Kubernetes type, many fields are possible. See


Overrides to the environment controller container security context. Needed if cluster policies require certain settings.

Note - this is a Kubernetes type, many fields are possible. See


This is a complex field, allowing users of connect-mode to define an optional Ingress resource that allows much better connectivity between the developer's machine and the environment controller. The default is connecting over kubernetes port-forward, which is both slower and prone to disconnections.

  • ingressClass - The class of the ingress to set, if any
  • host - the host to set in the IngressRule
  • annotations - annotations to add to the created Ingress object
  • maxWaitForIngressSeconds - max time to wait for the ingress to be updated with the .Status.LoadBalancer.Ingress field, once it is reconciled. Only relevant if host is not specified. Default: 10
  • useHTTP - whether to connect over an HTTP websocket instead of HTTPS. Note that, no matter what, a fully authenticated and encrypted channel (over SSH or QUIC) is tunneled underneath.

Need something else? Let us know!