Skip to main content
Version: v4.9

Private Helm Repositories for Apps

vCluster Platform apps allow specifying credentials to access private Helm chart repositories.

Specify static credentials​

You can specify credentials either directly inside the app or via a project secret.

The following example shows specifying the credentials directly within the app itself:

apiVersion: management.loft.sh/v1
kind: App
metadata:
  name: my-app
spec:
  config:
    chart:
      name: argo-cd
      repoURL: https://private-repo.com/my-repo
      username: my-username
      password: my-password

You can also reference a project secret via:

apiVersion: management.loft.sh/v1
kind: App
metadata:
  name: my-app
spec:
  config:
    chart:
      name: argo-cd
      repoURL: https://private-repo.com/my-repo
      usernameRef:
        projectSecretRef:
          name: my-secret
          project: my-project
          key: my-username-key
      passwordRef:
        projectSecretRef:
          name: my-secret
          project: my-project
          key: my-password-key

Use dynamic credentials (ECR etc.)​

For dynamic credentials, such as ECR credentials, use external-secrets and export the credentials to a project secret.

For example, for ECR credentials, this can be done via:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: "ecr-secret"
spec:
  refreshInterval: "1h"
  target:
    name: ecr-secret
    template:
      metadata:
        labels:
          loft.sh/project-secret: "true"
  dataFrom:
  - sourceRef:
      generatorRef:
        apiVersion: generators.external-secrets.io/v1alpha1
        kind: ECRAuthorizationToken
        name: "ecr-gen"
---
apiVersion: generators.external-secrets.io/v1alpha1
kind: ECRAuthorizationToken
metadata:
  name: ecr-gen
spec:
  # specify aws region (mandatory)
  region: eu-west-1
  # choose an authentication strategy
  # if no auth strategy is defined it falls back to using
  # credentials from the environment of the controller.
  auth:
    # 1: static credentials
    # point to a secret that contains static credentials
    # like AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
    secretRef:
      accessKeyIDSecretRef:
        name: "my-aws-creds"
        key: "key-id"
      secretAccessKeySecretRef:
        name: "my-aws-creds"
        key: "access-secret"
tip

Remember to set the label loft.sh/project-secret on the Kubernetes secret, in order for Loft to pick it up correctly. Also make sure the secret is created in the correct project namespace in the form of p-.

Then just reference the created secret within the app itself:

apiVersion: management.loft.sh/v1
kind: App
metadata:
  name: my-app
spec:
  config:
    chart:
      name: argo-cd
      repoURL: https://private-repo.com/my-repo
      usernameRef:
        projectSecretRef:
          name: ecr-secret
          project: my-project
          key: my-username-key
      passwordRef:
        projectSecretRef:
          name: ecr-secret
          project: my-project
          key: my-password-key