Configure Domain & TLS For Loft (Optional)
Remote Cluster Required
Connecting a domain requires that you have deployed Loft to a remote cluster.
After installing Loft, you may also choose to configure Domain and Transport Layer Security (TLS). Configuring Domain and TLS enables you to use Loft together with other members of your team who do not have direct access to Kubernetes, but want a common trusted endpoint for their Loft instance.
Configure Domain
NGINX Ingress Controller
- Automatic or Existing Installation
- Manual Ingress Controller Installation
Run the command:
loft start --host=loft.mydomain.tld # Make sure to change `loft.mydomain.tld`
Set the
$VERSION
variable to the Loft version you want to upgrade to OR set it to the current version using:CHART=$(kubectl get service loft -n loft -o jsonpath={.metadata.labels.chart})
VERSION=${CHART:5}Upgrade Loft via:
- CLI
- helm
To upgrade Loft via Loft CLI, run:
loft start --upgrade --version=$VERSION --values=loft.yaml
To upgrade Loft via
helm
, run:helm upgrade loft loft -n loft --repository-config '' --repo https://charts.loft.sh \
--version $VERSION \
--reuse-values \
-f loft.yamlDetermine the External-IP address:
kubectl get ingress -n loft
NAME CLASS HOSTS ADDRESS PORTS AGE
loft-ingress <none> loft.mydomain.tld x.x.x.x 80, 443 10mSet up a DNS A record to the ingress address (x.x.x.x). Make sure Loft is reachable at the address via:
curl https://loft.mydomain.tld/version --insecure
{"kind":"Version","apiVersion":"version.loft.sh","metadata":{"creationTimestamp":null},"version":"v1.15.0","major":"1","minor":"15","instance":"","kubeVersion":"v1.21.3-gke.2001"}
Deploy
nginx-ingress
controller to your cluster:helm upgrade --install ingress-nginx ingress-nginx --repository-config='' \
-n ingress-nginx --create-namespace \
--repo https://kubernetes.github.io/ingress-nginx \
--set-string controller.config.hsts=false \
--waitDetermine the External-IP address:
kubectl get ingress -n loft
NAME CLASS HOSTS ADDRESS PORTS AGE
loft-ingress <none> loft.mydomain.tld x.x.x.x 80, 443 10m
^^^^^^^Set up a DNS A record to the ingress address (x.x.x.x). Make sure Loft is reachable at the address via:
curl https://loft.mydomain.tld/version --insecure
{"kind":"Version","apiVersion":"version.loft.sh","metadata":{"creationTimestamp":null},"version":"v1.15.0","major":"1","minor":"15","instance":"","kubeVersion":"v1.21.3-gke.2001"}Edit your existing
loft.yaml
file or create a new file namedloft.yaml
with the following content:ingress:
enabled: true
host: "loft.mydomain.tld" # Make sure to change this
ingressClass: "nginx" # OptionalSet the
$VERSION
variable to the Loft version you want to upgrade to OR set it to the current version using:CHART=$(kubectl get service loft -n loft -o jsonpath={.metadata.labels.chart})
VERSION=${CHART:5}Upgrade Loft via:
- CLI
- helm
To upgrade Loft via Loft CLI, run:
loft start --upgrade --version=$VERSION --values=loft.yaml
To upgrade Loft via
helm
, run:helm upgrade loft loft -n loft --repository-config '' --repo https://charts.loft.sh \
--version $VERSION \
--reuse-values \
-f loft.yaml
Load Balancer
Create a file named
loft-loadbalancer.yaml
with the following content:- AWS ELB + ACM
- Other Load Balancers
apiVersion: v1
kind: Service
metadata:
annotations:
# Make sure to adjust the next line:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-2:xxx:certificate/xxx"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
name: loft-loadbalancer
namespace: loft
spec:
type: LoadBalancer
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
- name: https
port: 443
protocol: TCP
targetPort: 80
selector:
app: loft
release: loftapiVersion: v1
kind: Service
metadata:
name: loft-loadbalancer
namespace: loft
spec:
type: LoadBalancer
ports:
- name: https
port: 443
targetPort: 443
protocol: TCP
selector:
app: loft
release: loftCreate the load balancer with this command:
kubectl apply -f loft-loadbalancer.yaml
Wait until the load balancer receives an External-IP address:
kubectl get svc loft-loadbalancer -n loft
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
loft-loadbalancer LoadBalancer 10.112.2.142 x.x.x.x 443:30933/TCP 3m16s
^^^^^^^Make sure Loft is reachable at the external ip address via:
curl https://x.x.x.x/version --insecure
{"kind":"Version","apiVersion":"version.loft.sh","metadata":{"creationTimestamp":null},"version":"v1.15.0","major":"1","minor":"15","instance":"","kubeVersion":"v1.21.3-gke.2001"}
AWS Load Balancers
If you are using AWS, make sure you are using a Network Load Balancer (NLB) to route traffic, since other load balancers do not support the SPDY protocol Kubernetes requires.
Configure TLS
Cert-Manager
Install
cert-manager
to your cluster:helm upgrade --install cert-manager cert-manager --repository-config=''\
--namespace cert-manager --create-namespace \
--repo https://charts.jetstack.io \
--set installCRDs=true \
--waitEdit your existing
loft.yaml
file, or create a new file namedloft.yaml
with content:ingress:
annotations:
# Make sure the following line matches the name of your issuer (or use the section below to create one)
cert-manager.io/cluster-issuer: lets-encrypt-http-issuer
tls:
enabled: true
secret: tls-loft
certIssuer:
create: true # Change this if you already have your own cert-issuer
name: lets-encrypt-http-issuer
email: "YOUR_EMAIL" # REQUIRED
secretName: loft-letsencrypt-credentials
httpResolver:
enabled: true
ingressClass: nginx
resolvers: []
server: https://acme-v02.api.letsencrypt.org/directorySet the
$VERSION
variable to the Loft version you want to upgrade to OR set it to the current version using:CHART=$(kubectl get service loft -n loft -o jsonpath={.metadata.labels.chart})
VERSION=${CHART:5}Upgrade Loft via:
- CLI
- helm
To upgrade Loft via Loft CLI, run:
loft start --upgrade --version=$VERSION --values=loft.yaml
To upgrade Loft via
helm
, run:helm upgrade loft loft -n loft --repository-config '' --repo https://charts.loft.sh \
--version $VERSION \
--reuse-values \
-f loft.yaml
AWS Certificate Manager (ACM)
- Domain via Ingress
- Domain via Load Balancer
Determine the External-IP address of your ingress:
kubectl get ingress -n loft
NAME CLASS HOSTS ADDRESS PORTS AGE
loft-ingress <none> loft.mydomain.tld x.x.x.x 80, 443 10m
^^^^^^^Find the AWS Elastic Load Balancer(ELB) for this IP address in the AWS console
Switch to the tab
Listeners
In the column "SSL Certificates", click on the link
View/edit certificates
Click on the
+
Synbol next to the tabCertificates
and add your Access Control Manager (ACM) managed certificate to the ingress controller's Load Balancer
Make sure to follow the Load Balancer > AWS ELB + ACM guide above.
Manually Provisioned Certificate
Create a Kubernetes secret from your certificate:
kubectl create secret generic tls-loft -n loft --type=kubernetes.io/tls \
--from-file=tls.crt=tls.crt \
--from-file=tls.key=tls.keyEdit your existing
loft.yaml
file, or create a new file namedloft.yaml
with content:- Loft Ingress handles TLS
- Loft Pod handles TLS
- Load Balancer handles TLS
ingress:
tls:
enabled: true
secret: tls-loft # Make sure this matches the name of your cert from the previous steptls:
enabled: true
secret: tls-loft # Make sure this matches the name of your cert from the previous stepThis must be configured outside of the Loft deployment
Set the
$VERSION
variable to the Loft version you want to upgrade to OR set it to the current version using:CHART=$(kubectl get service loft -n loft -o jsonpath={.metadata.labels.chart})
VERSION=${CHART:5}Upgrade Loft via:
- CLI
- helm
To upgrade Loft via Loft CLI, run:
loft start --upgrade --version=$VERSION --values=loft.yaml
To upgrade Loft via
helm
, run:helm upgrade loft loft -n loft --repository-config '' --repo https://charts.loft.sh \
--version $VERSION \
--reuse-values \
-f loft.yaml
Self-Signed Certificate
Create a new private key:
openssl genrsa -out tls.key 4096
Create a file named
ssl.conf
with the following content:[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
req_extensions = v3_req
x509_extensions = usr_cert
[ req_distinguished_name ]
organizationName = Organization Name (eg, company)
organizationName_default = loft
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = loft.mydomain.tld
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client, server
keyUsage = digitalSignature
extendedKeyUsage = serverAuth, clientAuth
[ v3_req ]
subjectAltName = @alt_names
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = CA:FALSE
keyUsage = digitalSignature
[ alt_names ]
DNS.1 = localhostCreate a certificate signing request:
openssl req -new -sha256 \
-out tls.csr \
-key tls.key \
-config ssl.confGenerate the certificate:
openssl x509 -req \
-sha256 \
-days 3650 \
-in tls.csr \
-signkey tls.key \
-out tls.crt \
-extensions v3_req \
-extfile ssl.confCreate a Kubernetes secret from your certificate:
kubectl create secret generic tls-loft -n loft --type=kubernetes.io/tls \
--from-file=tls.crt=tls.crt \
--from-file=tls.key=tls.keyEdit your existing
loft.yaml
file, or create a new file namedloft.yaml
with content:- Loft Ingress handles TLS
- Loft Pod handles TLS
- Load Balancer handles TLS
ingress:
tls:
enabled: true
secret: tls-loft # Make sure this matches the name of your cert from the previous steptls:
enabled: true
secret: tls-loft # Make sure this matches the name of your cert from the previous stepThis must be configured outside of the Loft deployment
Set the
$VERSION
variable to the Loft version you want to upgrade to OR set it to the current version using:CHART=$(kubectl get service loft -n loft -o jsonpath={.metadata.labels.chart})
VERSION=${CHART:5}Upgrade Loft via:
- CLI
- helm
To upgrade Loft via Loft CLI, run:
loft start --upgrade --version=$VERSION --values=loft.yaml
To upgrade Loft via
helm
, run:helm upgrade loft loft -n loft --repository-config '' --repo https://charts.loft.sh \
--version $VERSION \
--reuse-values \
-f loft.yaml