Platform Configuration

Modify the platform's behavior and enable or turn off certain features, such as SSO login, custom branding, or auditing.

Changing the platform config

The platform config can be applied directly via helm values or through the UI in Admin > Config. Using helm values allows you to declaratively deploy the platform.

When using helm, you can apply the platform config via a vcluster.yaml file. This also makes it possible to deploy the platform through GitOps solutions such as ArgoCD. An example platform vcluster.yaml could look like this:

Example vCluster Platform configuration

config:
  loftHost: my-vcluster-host.com
  audit:
    enabled: true
  auth:
    github:
      clientId: $CLIENT_ID
      clientSecret: $CLIENT_SECRET
      redirectURI: https://my-vcluster-host.com/auth/github/callback

For a complete overview of possible Helm values, please refer to the Loft GitHub repository.

Changing the loftHost variable

After setting up the platform, TLS certificates, and configuring the ingress to use a custom domain, you need to change the loftHost variable. Initially, that value is set to the URL of either the Loft Router domain or no domain in the case of air-gapped setups. This value should be equal to the hostname specified in the ingress resource for accessing the platform.

info

The value of the loftHost variable should only be the hostname that the platform is reachable at and not contain protocols (such as HTTP) or subpaths.

After changing the loftHost, all currently connected clusters must be redeployed by running the same connection commands in the corresponding Kubernetes context. See the instructions on connecting clusters for more guidance.

Clusters must also be reconnected if the additionalCA or insecureSkipVerify values are changed after the initial setup.

Sensitive information in the platform config

Some fields within the platform config allow placeholders for environment variables, such as the clientId and clientSecret fields. This makes it possible to not expose sensitive information directly inside the platform values and instead mount this information into the platform through an external secret.

To load the GitHub clientId and clientSecret through a Kubernetes secret my-secret, use the following configuration:

Configuration with sensitive information

envValueFrom:
  CLIENT_ID:
    secretKeyRef:
      name: my-secret
      key: client_id
  CLIENT_SECRET:
    secretKeyRef:
      name: my-secret
      key: client_secret

config:
  auth:
    github:
      clientId: $CLIENT_ID
      clientSecret: $CLIENT_SECRET
      redirectURI: https://my-vcluster-platform-host.com/auth/github/callback

Then use Helm to apply this configuration and update $PLATFORM_VERSION with a valid platform version.

Apply configuration using Helm

helm upgrade loft vcluster-platform --install \
  --repo https://charts.loft.sh/ \
  --namespace vcluster-platform \
  --create-namespace \
  --values values.yaml \
  --version $PLATFORM_VERSION

Custom HTTP headers

The platform allows you to add custom HTTP headers to all requests that are sent to the platform API. This can be useful if you want to add custom headers to all requests, such as X-Frame-Options or X-XSS-Protection.

To add custom HTTP headers, use the following configuration:

Custom HTTP headers configuration

config:
  auth:
    customHttpHeaders:
      X-Frame-Options: SAMEORIGIN
      X-XSS-Protection: 1; mode=block

Setting additional certificate authority for platform

If you want to have all your virtual clusters managed by the platform use a specific certificate authority to establish the connection between the virtual cluster and the platform, you can set it as a configuration option on the platform instead of configuring it on each individual virtual cluster. This enables secure communication between your virtual clusters and the platform.

As a prerequisite, you have to configure TLS for the platform first.

Additional certificate authority configuration

additionalCA: "(base64 encoded CA)"

If you need to import externally managed virtual clusters to the platform, you can also enable a secure connection by grabbing the value from the existing platform. You can do this by running:

Get additionalCA value

helm get values --namespace [namespace where vCluster Platform is deployed] [loft helm release name] --all | grep additionalCA

Using the additionalCA value from the preceding command, import the vCluster using the following vCluster CLI command:

Import vCluster with additionalCA

vcluster platform add vcluster <VCLUSTER_NAME> \
--namespace=<VCLUSTER_NAMESPACE> \
--project=<PROJECT_NAME> \
--ca-data [base64 string grabbed from the command above]

Once the command succeeds, the imported vCluster pod restarts and reports Ready.

The platform agent

Every connected cluster in a platform environment, including the "main" cluster that platform is deployed in, must have a platform Agent deployed. This agent pod handles reconciliation of cluster-scoped (as in not platform instance-wide) resources.

By default, when the platform is installed, the platform pod also installs the platform Agent into the cluster you are deploying platform into. This is usually a desirable behavior since the platform requires the Agent to be present in all clusters. Sometimes, however, admins wish to manage the installation of the platform Agent themselves, either by installing it explicitly or by installing it via GitOps tooling. In this situation, it is possible to turn off the Agent deployment by setting the DISABLE_AGENT environment variable to "true". This can be accomplished in the env section of the platform values:

Disable Agent deployment

env:
  DISABLE_AGENT: true

It is also possible to tell platform not to install Agents into individual clusters. This can be accomplished by setting the loft.sh/cluster-ignore-agent Annotation of the Cluster resource to "true" for any clusters that the platform should not manage the Agent deployment on.

platform Agent is required

The platform Agent is required for every connected cluster in a platform deployment, including the cluster platform itself is deployed into. If you are disabling the agent deployment via one of the mechanisms described preceding, make sure you are still getting an Agent installed into every connected cluster by some other means.

If you are electing to manage the Agent installation yourself, you can install the Agent directly using Helm. Update $PLATFORM_VERSION with a valid platform version.

Install Agent using Helm

helm upgrade vcluster-platform vcluster-platform --install \
  --repo https://charts.loft.sh/ \
  --namespace vcluster-platform \
  --create-namespace \
  --set agentOnly=true \
  --version $PLATFORM_VERSION

Platform agent values

As with the primary platform chart, the platform Agent chart exposes values that can be configured by an administrator to suit their needs. The Agent chart and values can be seen in the public repository here.

If you have deployed the platform with the default behavior of not disabling the Agent deployment, you can still provide values to influence the deployment of the Agent itself. This can be accomplished by providing any valid Agent values in the agentValues section of the platform chart values. These values are received by the platform deployment and used when deploying the Agent pods. Below is an example of the platform values agentValues section.

Agent values configuration

agentValues:
  securityContext:
    enabled: true

Administrators can also provide Agent values for specific clusters by setting the loft.sh/agent-values Annotation of a specific cluster object. These values always override any values provided in the parent platform chart.

Config reference

auth required object pro

Authentication holds the information for authentication

oidc required object pro

OIDC holds oidc authentication configuration

issuerUrl required string pro

IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss" field of all tokens produced by the provider and is used for configuration discovery.

The URL is usually the provider's URL without a path, for example "https://accounts.google.com" or "https://login.salesforce.com".

The provider must implement configuration discovery. See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig

clientId required string pro

ClientID the JWT must be issued for, the "sub" field. This plugin only trusts a single client to ensure the plugin can be used with public providers.

The plugin supports the "authorized party" OpenID Connect claim, which allows specialized providers to issue tokens to a client for a different client. See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken

clientSecret required string pro

ClientSecret to issue tokens from the OIDC provider

redirectURI required string pro

loft redirect uri. E.g. https://loft.my.domain/auth/oidc/callback

postLogoutRedirectURI required string pro

Loft URI to be redirected to after successful logout by OIDC Provider

caFile required string pro

Path to a PEM encoded root certificate of the provider. Optional

insecureCa required boolean pro

Specify whether to communicate without validating SSL certificates

preferredUsername required string pro

Configurable key which contains the preferred username claims

loftUsernameClaim required string pro

LoftUsernameClaim is the JWT field to use as the user's username.

usernameClaim required string pro

UsernameClaim is the JWT field to use as the user's id.

emailClaim required string pro

EmailClaim is the JWT field to use as the user's email.

usernamePrefix required string pro

UsernamePrefix, if specified, causes claims mapping to username to be prefix with the provided value. A value "oidc:" would result in usernames like "oidc:john".

groupsClaim required string pro

GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value must be a string or list of strings.

groups required string[] pro

If required groups is non empty, access is denied if the user is not part of at least one of the specified groups.

scopes required string[] pro

Scopes that should be sent to the server. If empty, defaults to "email" and "profile".

getUserInfo required boolean pro

GetUserInfo, if specified, tells the OIDCAuthenticator to try to populate the user's information from the UserInfo.

groupsPrefix required string pro

GroupsPrefix, if specified, causes claims mapping to group names to be prefixed with the value. A value "oidc:" would result in groups like "oidc:engineering" and "oidc:marketing".

type required string pro

Type of the OIDC to show in the UI. Only for displaying purposes

github required object pro

Github holds github authentication configuration

clientId required string pro

ClientID holds the github client id

clientSecret required string pro

ClientID holds the github client secret

redirectURI required string pro

RedirectURI holds the redirect URI. Should be https://loft.domain.tld/auth/github/callback

orgs required object[] pro

Loft queries the following organizations for group information. Group claims are formatted as "(org):(team)". For example if a user is part of the "engineering" team of the "coreos" org, the group claim would include "coreos:engineering".

If orgs are specified in the config then user MUST be a member of at least one of the specified orgs to authenticate with loft.

name required string pro

Organization name in github (not slug, full name). Only users in this github organization can authenticate.

teams required string[] pro

Names of teams in a github organization. A user will be able to authenticate if they are members of at least one of these teams. Users in the organization can authenticate if this field is omitted from the config file.

hostName required string pro

Required ONLY for GitHub Enterprise. This is the Hostname of the GitHub Enterprise account listed on the management console. Ensure this domain is routable on your network.

rootCA required string pro

ONLY for GitHub Enterprise. Optional field. Used to support self-signed or untrusted CA root certificates.

gitlab required object pro

Gitlab holds gitlab authentication configuration

clientId required string pro

Gitlab client id

clientSecret required string pro

Gitlab client secret

redirectURI required string pro

Redirect URI

baseURL required string pro

BaseURL is optional, default = https://gitlab.com

groups required string[] pro

Optional groups whitelist, communicated through the "groups" scope. If groups is omitted, all of the user's GitLab groups are returned. If groups is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured groups below will go into the groups claim. Conversely, if the user is not in any of the configured groups, the user will not be authenticated.

google required object pro

Google holds google authentication configuration

clientId required string pro

Google client id

clientSecret required string pro

Google client secret

redirectURI required string pro

loft redirect uri. E.g. https://loft.my.domain/auth/google/callback

scopes required string[] pro

defaults to "profile" and "email"

hostedDomains required string[] pro

Optional list of whitelisted domains If this field is nonempty, only users from a listed domain will be allowed to log in

groups required string[] pro

Optional list of whitelisted groups If this field is nonempty, only users from a listed group will be allowed to log in

serviceAccountFilePath required string pro

Optional path to service account json If nonempty, and groups claim is made, will use authentication from file to check groups with the admin directory api

adminEmail required string pro

Required if ServiceAccountFilePath The email of a GSuite super user which the service account will impersonate when listing groups

microsoft required object pro

Microsoft holds microsoft authentication configuration

clientId required string pro

Microsoft client id

clientSecret required string pro

Microsoft client secret

redirectURI required string pro

loft redirect uri. Usually https://loft.my.domain/auth/microsoft/callback

tenant required string pro

tenant configuration parameter controls what kinds of accounts may be authenticated in loft. By default, all types of Microsoft accounts (consumers and organizations) can authenticate in loft via Microsoft. To change this, set the tenant parameter to one of the following:

common - both personal and business/school accounts can authenticate in loft via Microsoft (default) consumers - only personal accounts can authenticate in loft organizations - only business/school accounts can authenticate in loft tenant uuid or tenant name - only accounts belonging to specific tenant identified by either tenant uuid or tenant name can authenticate in loft

groups required string[] pro

It is possible to require a user to be a member of a particular group in order to be successfully authenticated in loft.

onlySecurityGroups required boolean pro

configuration option restricts the list to include only security groups. By default all groups (security, Office 365, mailing lists) are included.

useGroupsAsWhitelist required boolean pro

Restrict the groups claims to include only the user’s groups that are in the configured groups

saml required object pro

SAML holds saml authentication configuration

redirectURI required string pro

If the response assertion status value contains a Destination element, it must match this value exactly. Usually looks like https://your-loft-domain/auth/saml/callback

ssoURL required string pro

SSO URL used for POST value.

caData required string pro

CAData is a base64 encoded string that holds the ca certificate for validating the signature of the SAML response. Either CAData, CA or InsecureSkipSignatureValidation needs to be defined.

usernameAttr required string pro

Name of attribute in the returned assertions to map to username

emailAttr required string pro

Name of attribute in the returned assertions to map to email

groupsAttr required string pro

Name of attribute in the returned assertions to map to groups

ca required string pro

CA to use when validating the signature of the SAML response.

insecureSkipSignatureValidation required boolean pro

Ignore the ca cert

entityIssuer required string pro

When provided Loft will include this as the Issuer value during AuthnRequest. It will also override the redirectURI as the required audience when evaluating AudienceRestriction elements in the response.

ssoIssuer required string pro

Issuer value expected in the SAML response. Optional.

groupsDelim required string pro

If GroupsDelim is supplied the connector assumes groups are returned as a single string instead of multiple attribute values. This delimiter will be used split the groups string.

allowedGroups required string[] pro

List of groups to filter access based on membership

filterGroups required boolean pro

If used with allowed groups, only forwards the allowed groups and not all groups specified.

nameIDPolicyFormat required string pro

Requested format of the NameID. The NameID value is mapped to the ID Token 'sub' claim.

This can be an abbreviated form of the full URI with just the last component. For example, if this value is set to "emailAddress" the format will resolve to:

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

If no value is specified, this value defaults to:

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

rancher required object pro

Rancher holds the rancher authentication options

host required string pro

Host holds the rancher host, e.g. my-domain.com

bearerToken required string pro

BearerToken holds the rancher API key in token username and password form. E.g. my-token:my-secret

insecure required boolean pro

Insecure tells Loft if the Rancher endpoint is insecure.

password required object pro

Password holds password authentication relevant information

disabled required boolean pro

If true login via password is disabled

connectors required object[] pro

Connectors are optional additional connectors for Loft.

id required string pro

ID is the id that should show up in the url

displayName required string pro

DisplayName is the name that should show up in the ui

oidc required object pro

OIDC holds oidc authentication configuration

issuerUrl required string pro

IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss" field of all tokens produced by the provider and is used for configuration discovery.

The URL is usually the provider's URL without a path, for example "https://accounts.google.com" or "https://login.salesforce.com".

The provider must implement configuration discovery. See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig

clientId required string pro

ClientID the JWT must be issued for, the "sub" field. This plugin only trusts a single client to ensure the plugin can be used with public providers.

The plugin supports the "authorized party" OpenID Connect claim, which allows specialized providers to issue tokens to a client for a different client. See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken

clientSecret required string pro

ClientSecret to issue tokens from the OIDC provider

redirectURI required string pro

loft redirect uri. E.g. https://loft.my.domain/auth/oidc/callback

postLogoutRedirectURI required string pro

Loft URI to be redirected to after successful logout by OIDC Provider

caFile required string pro

Path to a PEM encoded root certificate of the provider. Optional

insecureCa required boolean pro

Specify whether to communicate without validating SSL certificates

preferredUsername required string pro

Configurable key which contains the preferred username claims

loftUsernameClaim required string pro

LoftUsernameClaim is the JWT field to use as the user's username.

usernameClaim required string pro

UsernameClaim is the JWT field to use as the user's id.

emailClaim required string pro

EmailClaim is the JWT field to use as the user's email.

usernamePrefix required string pro

UsernamePrefix, if specified, causes claims mapping to username to be prefix with the provided value. A value "oidc:" would result in usernames like "oidc:john".

groupsClaim required string pro

GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value must be a string or list of strings.

groups required string[] pro

If required groups is non empty, access is denied if the user is not part of at least one of the specified groups.

scopes required string[] pro

Scopes that should be sent to the server. If empty, defaults to "email" and "profile".

getUserInfo required boolean pro

GetUserInfo, if specified, tells the OIDCAuthenticator to try to populate the user's information from the UserInfo.

groupsPrefix required string pro

GroupsPrefix, if specified, causes claims mapping to group names to be prefixed with the value. A value "oidc:" would result in groups like "oidc:engineering" and "oidc:marketing".

type required string pro

Type of the OIDC to show in the UI. Only for displaying purposes

github required object pro

Github holds github authentication configuration

clientId required string pro

ClientID holds the github client id

clientSecret required string pro

ClientID holds the github client secret

redirectURI required string pro

RedirectURI holds the redirect URI. Should be https://loft.domain.tld/auth/github/callback

orgs required object[] pro

Loft queries the following organizations for group information. Group claims are formatted as "(org):(team)". For example if a user is part of the "engineering" team of the "coreos" org, the group claim would include "coreos:engineering".

If orgs are specified in the config then user MUST be a member of at least one of the specified orgs to authenticate with loft.

name required string pro

Organization name in github (not slug, full name). Only users in this github organization can authenticate.

teams required string[] pro

Names of teams in a github organization. A user will be able to authenticate if they are members of at least one of these teams. Users in the organization can authenticate if this field is omitted from the config file.

hostName required string pro

Required ONLY for GitHub Enterprise. This is the Hostname of the GitHub Enterprise account listed on the management console. Ensure this domain is routable on your network.

rootCA required string pro

ONLY for GitHub Enterprise. Optional field. Used to support self-signed or untrusted CA root certificates.

gitlab required object pro

Gitlab holds gitlab authentication configuration

clientId required string pro

Gitlab client id

clientSecret required string pro

Gitlab client secret

redirectURI required string pro

Redirect URI

baseURL required string pro

BaseURL is optional, default = https://gitlab.com

groups required string[] pro

Optional groups whitelist, communicated through the "groups" scope. If groups is omitted, all of the user's GitLab groups are returned. If groups is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured groups below will go into the groups claim. Conversely, if the user is not in any of the configured groups, the user will not be authenticated.

google required object pro

Google holds google authentication configuration

clientId required string pro

Google client id

clientSecret required string pro

Google client secret

redirectURI required string pro

loft redirect uri. E.g. https://loft.my.domain/auth/google/callback

scopes required string[] pro

defaults to "profile" and "email"

hostedDomains required string[] pro

Optional list of whitelisted domains If this field is nonempty, only users from a listed domain will be allowed to log in

groups required string[] pro

Optional list of whitelisted groups If this field is nonempty, only users from a listed group will be allowed to log in

serviceAccountFilePath required string pro

Optional path to service account json If nonempty, and groups claim is made, will use authentication from file to check groups with the admin directory api

adminEmail required string pro

Required if ServiceAccountFilePath The email of a GSuite super user which the service account will impersonate when listing groups

microsoft required object pro

Microsoft holds microsoft authentication configuration

clientId required string pro

Microsoft client id

clientSecret required string pro

Microsoft client secret

redirectURI required string pro

loft redirect uri. Usually https://loft.my.domain/auth/microsoft/callback

tenant required string pro

tenant configuration parameter controls what kinds of accounts may be authenticated in loft. By default, all types of Microsoft accounts (consumers and organizations) can authenticate in loft via Microsoft. To change this, set the tenant parameter to one of the following:

common - both personal and business/school accounts can authenticate in loft via Microsoft (default) consumers - only personal accounts can authenticate in loft organizations - only business/school accounts can authenticate in loft tenant uuid or tenant name - only accounts belonging to specific tenant identified by either tenant uuid or tenant name can authenticate in loft

groups required string[] pro

It is possible to require a user to be a member of a particular group in order to be successfully authenticated in loft.

onlySecurityGroups required boolean pro

configuration option restricts the list to include only security groups. By default all groups (security, Office 365, mailing lists) are included.

useGroupsAsWhitelist required boolean pro

Restrict the groups claims to include only the user’s groups that are in the configured groups

saml required object pro

SAML holds saml authentication configuration

redirectURI required string pro

If the response assertion status value contains a Destination element, it must match this value exactly. Usually looks like https://your-loft-domain/auth/saml/callback

ssoURL required string pro

SSO URL used for POST value.

caData required string pro

CAData is a base64 encoded string that holds the ca certificate for validating the signature of the SAML response. Either CAData, CA or InsecureSkipSignatureValidation needs to be defined.

usernameAttr required string pro

Name of attribute in the returned assertions to map to username

emailAttr required string pro

Name of attribute in the returned assertions to map to email

groupsAttr required string pro

Name of attribute in the returned assertions to map to groups

ca required string pro

CA to use when validating the signature of the SAML response.

insecureSkipSignatureValidation required boolean pro

Ignore the ca cert

entityIssuer required string pro

When provided Loft will include this as the Issuer value during AuthnRequest. It will also override the redirectURI as the required audience when evaluating AudienceRestriction elements in the response.

ssoIssuer required string pro

Issuer value expected in the SAML response. Optional.

groupsDelim required string pro

If GroupsDelim is supplied the connector assumes groups are returned as a single string instead of multiple attribute values. This delimiter will be used split the groups string.

allowedGroups required string[] pro

List of groups to filter access based on membership

filterGroups required boolean pro

If used with allowed groups, only forwards the allowed groups and not all groups specified.

nameIDPolicyFormat required string pro

Requested format of the NameID. The NameID value is mapped to the ID Token 'sub' claim.

This can be an abbreviated form of the full URI with just the last component. For example, if this value is set to "emailAddress" the format will resolve to:

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

If no value is specified, this value defaults to:

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

disableTeamCreation required boolean pro

Prevents from team creation for the new groups associated with the user at the time of logging in through sso, Default behaviour is false, this means that teams will be created for new groups.

accessKeyMaxTTLSeconds required integer pro

AccessKeyMaxTTLSeconds is the global maximum lifespan of an accesskey in seconds. Leaving it 0 or unspecified will disable it. Specifying 2592000 will mean all keys have a Time-To-Live of 30 days.

loginAccessKeyTTLSeconds required integer pro

LoginAccessKeyTTLSeconds is the time in seconds an access key is kept until it is deleted. Leaving it unspecified will default to 20 days. Setting it to zero will disable the ttl. Specifying 2592000 will mean all keys have a default Time-To-Live of 30 days.

customHttpHeaders required object pro

CustomHttpHeaders are additional headers that should be set for the authentication endpoints

oidc required object pro

OIDC holds oidc provider relevant information

enabled required boolean pro

If true indicates that loft will act as an OIDC server

wildcardRedirect required boolean pro

If true indicates that loft will allow wildcard '*' in client redirectURIs

clients required object[] pro

The clients that are allowed to request loft tokens

name required string pro

The client name

clientId required string pro

The client id of the client

clientSecret required string pro

The client secret of the client

redirectURIs required string[] pro

A registered set of redirect URIs. When redirecting from dex to the client, the URI requested to redirect to MUST match one of these values, unless the client is "public".

apps required object pro

Apps holds configuration around apps

noDefault required boolean pro

If this option is true, loft will not try to parse the default apps

repositories required object[] pro

These are additional repositories that are parsed by loft

name required string pro

Name is the name of the repository

url required string pro

URL is the repository url

username required string pro

Username of the repository

password required string pro

Password of the repository

insecure required boolean pro

Insecure specifies if the chart should be retrieved without TLS verification

predefinedApps required object[] pro

Predefined apps that can be selected in the Spaces ) Space menu

chart required string pro

Chart holds the repo/chart name of the predefined app

initialVersion required string pro

InitialVersion holds the initial version of this app. This version will be selected automatically.

initialValues required string pro

InitialValues holds the initial values for this app. The values will be prefilled automatically. There are certain placeholders that can be used within the values that are replaced by the loft UI automatically.

clusters required string[] pro

Holds the cluster names where to display this app

title required string pro

Title is the name that should be displayed for the predefined app. If empty the chart name is used.

iconUrl required string pro

IconURL specifies an url to the icon that should be displayed for this app. If none is specified the icon from the chart metadata is used.

readmeUrl required string pro

ReadmeURL specifies an url to the readme page of this predefined app. If empty an url will be constructed to artifact hub.

audit required object pro

Audit holds audit configuration

enabled required boolean pro

If audit is enabled and incoming api requests will be logged based on the supplied policy.

disableAgentSyncBack required boolean pro

If true, the agent will not send back any audit logs to Loft itself.

level required integer pro

Level is an optional log level for audit logs. Cannot be used together with policy

policy required object pro

The audit policy to use and log requests. By default loft will not log anything

rules required object[] pro

Rules specify the audit Level a request should be recorded at. A request may match multiple rules, in which case the FIRST matching rule is used. The default audit level is None, but can be overridden by a catch-all rule at the end of the list. PolicyRules are strictly ordered.

level required string pro

The Level that requests matching this rule are recorded at.

users required string[] pro

The users (by authenticated user name) this rule applies to. An empty list implies every user.

userGroups required string[] pro

The user groups this rule applies to. A user is considered matching if it is a member of any of the UserGroups. An empty list implies every user group.

verbs required string[] pro

The verbs that match this rule. An empty list implies every verb.

resources required object[] pro

Resources that this rule matches. An empty list implies all kinds in all API groups.

group required string pro

Group is the name of the API group that contains the resources. The empty string represents the core API group.

resources required string[] pro

Resources is a list of resources this rule applies to.

For example: 'pods' matches pods. 'pods/log' matches the log subresource of pods. '' matches all resources and their subresources. 'pods/' matches all subresources of pods. '*/scale' matches all scale subresources.

If wildcard is present, the validation rule will ensure resources do not overlap with each other.

An empty list implies all resources and subresources in this API groups apply.

resourceNames required string[] pro

ResourceNames is a list of resource instance names that the policy matches. Using this field requires Resources to be specified. An empty list implies that every instance of the resource is matched.

namespaces required string[] pro

Namespaces that this rule matches. The empty string "" matches non-namespaced resources. An empty list implies every namespace.

nonResourceURLs required string[] pro

NonResourceURLs is a set of URL paths that should be audited. s are allowed, but only as the full, final step in the path. Examples: "/metrics" - Log requests for apiserver metrics "/healthz" - Log all health checks

omitStages required string[] pro

OmitStages is a list of stages for which no events are created. Note that this can also be specified policy wide in which case the union of both are omitted. An empty list means no restrictions will apply.

requestTargets required string[] pro

RequestTargets is a list of request targets for which events are created. An empty list implies every request.

clusters required string[] pro

Clusters that this rule matches. Only applies to cluster requests. If this is set, no events for non cluster requests will be created. An empty list means no restrictions will apply.

omitStages required string[] pro

OmitStages is a list of stages for which no events are created. Note that this can also be specified per rule in which case the union of both are omitted.

dataStoreEndpoint required string pro

DataStoreEndpoint is an endpoint to store events in.

dataStoreTTL required integer pro

DataStoreMaxAge is the maximum number of hours to retain old log events in the datastore

path required string pro

The path where to save the audit log files. This is required if audit is enabled. Backup log files will be retained in the same directory.

maxAge required integer pro

MaxAge is the maximum number of days to retain old log files based on the timestamp encoded in their filename. Note that a day is defined as 24 hours and may not exactly correspond to calendar days due to daylight savings, leap seconds, etc. The default is not to remove old log files based on age.

maxBackups required integer pro

MaxBackups is the maximum number of old log files to retain. The default is to retain all old log files (though MaxAge may still cause them to get deleted.)

maxSize required integer pro

MaxSize is the maximum size in megabytes of the log file before it gets rotated. It defaults to 100 megabytes.

compress required boolean pro

Compress determines if the rotated log files should be compressed using gzip. The default is not to perform compression.

loftHost required string pro

LoftHost holds the domain where the loft instance is hosted. This should not include https or http. E.g. loft.my-domain.com

projectNamespacePrefix required string pro

ProjectNamespacePrefix holds the prefix for loft project namespaces. Omitted defaults to "p-"

devPodSubDomain required string pro

DevPodSubDomain holds a subdomain in the following form *.workspace.my-domain.com

uiSettings required object pro

UISettings holds the settings for modifying the Loft user interface

loftVersion required string pro

LoftVersion holds the current loft version

logoURL required string pro

LogoURL is url pointing to the logo to use in the Loft UI. This path must be accessible for clients accessing the Loft UI.

logoBackgroundColor required string pro

LogoBackgroundColor is the color value (ex: "#12345") to use as the background color for the logo

legalTemplate required string pro

LegalTemplate is a text (html) string containing the legal template to prompt to users when authenticating to Loft

primaryColor required string pro

PrimaryColor is the color value (ex: "#12345") to use as the primary color

sidebarColor required string pro

SidebarColor is the color value (ex: "#12345") to use for the sidebar

accentColor required string pro

AccentColor is the color value (ex: "#12345") to use for the accent

customCss required string[] pro

CustomCSS holds URLs with custom css files that should be included when loading the UI

customJavaScript required string[] pro

CustomJavaScript holds URLs with custom js files that should be included when loading the UI

navBarButtons required object[] pro

NavBarButtons holds extra nav bar buttons

position required string pro

Position holds the position of the button, can be one of: TopStart, TopEnd, BottomStart, BottomEnd. Defaults to BottomEnd

text required string pro

Text holds text for the button

link required string pro

Link holds the link of the navbar button

icon required string pro

Icon holds the url of the icon to display

vault required object pro

VaultIntegration holds the vault integration configuration

enabled required boolean pro

Enabled indicates if the Vault Integration is enabled for the project -- this knob only enables the syncing of secrets to or from Vault, but does not setup Kubernetes authentication methods or Kubernetes secrets engines for virtual clusters.

address required string pro

Address defines the address of the Vault instance to use for this project. Will default to the VAULT_ADDR environment variable if not provided.

skipTLSVerify required boolean pro

SkipTLSVerify defines if TLS verification should be skipped when connecting to Vault.

namespace required string pro

Namespace defines the namespace to use when storing secrets in Vault.

auth required object pro

Auth defines the authentication method to use for this project.

token required string pro

Token defines the token to use for authentication.

tokenSecretRef required object pro

TokenSecretRef defines the Kubernetes secret to use for token authentication. Will be used if token is not provided.

Secret data should contain the token key.

name required string pro

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Drop kubebuilder:default when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.

key required string pro

The key of the secret to select from. Must be a valid secret key.

optional required boolean pro

Specify whether the Secret or its key must be defined

syncInterval required string pro

SyncInterval defines the interval at which to sync secrets from Vault. Defaults to 1m. See https://pkg.go.dev/time#ParseDuration for supported formats.