Private Helm Repositories for Apps
Loft apps allow specifying credentials to access private helm chart repositories.
Specify static credentials​
You can specify credentials either directly inside the app or via a project secret.
The following example shows specifying the credentials directly within the app itself:
apiVersion: management.loft.sh/v1
kind: App
metadata:
name: my-app
spec:
config:
chart:
name: argo-cd
repoURL: https://private-repo.com/my-repo
username: my-username
password: my-password
You can also reference a project secret via:
apiVersion: management.loft.sh/v1
kind: App
metadata:
name: my-app
spec:
config:
chart:
name: argo-cd
repoURL: https://private-repo.com/my-repo
usernameRef:
projectSecretRef:
name: my-secret
project: my-project
key: my-username-key
passwordRef:
projectSecretRef:
name: my-secret
project: my-project
key: my-password-key
Using dynamic credentials (ECR etc.)​
For dynamic credentials, such as ECR credentials, we recommend to use external-secrets and export the credentials to a project secret.
For example, for ECR credentials, this can be done via:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: "ecr-secret"
spec:
refreshInterval: "1h"
target:
name: ecr-secret
template:
metadata:
labels:
loft.sh/project-secret: "true"
dataFrom:
- sourceRef:
generatorRef:
apiVersion: generators.external-secrets.io/v1alpha1
kind: ECRAuthorizationToken
name: "ecr-gen"
---
apiVersion: generators.external-secrets.io/v1alpha1
kind: ECRAuthorizationToken
metadata:
name: ecr-gen
spec:
# specify aws region (mandatory)
region: eu-west-1
# choose an authentication strategy
# if no auth strategy is defined it falls back to using
# credentials from the environment of the controller.
auth:
# 1: static credentials
# point to a secret that contains static credentials
# like AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
secretRef:
accessKeyIDSecretRef:
name: "my-aws-creds"
key: "key-id"
secretAccessKeySecretRef:
name: "my-aws-creds"
key: "access-secret"
Remember to set the label loft.sh/project-secret
on the Kubernetes secret, in order for Loft to pick it up correctly. Also make sure the secret is created in the correct project namespace in the form of loft-p-
.
Then just reference the created secret within the app itself:
apiVersion: management.loft.sh/v1
kind: App
metadata:
name: my-app
spec:
config:
chart:
name: argo-cd
repoURL: https://private-repo.com/my-repo
usernameRef:
projectSecretRef:
name: ecr-secret
project: my-project
key: my-username-key
passwordRef:
projectSecretRef:
name: ecr-secret
project: my-project
key: my-password-key