Skip to main content
Version: 3.0 (beta)

Configure Domain & TLS For Loft (Optional)

Remote Cluster Required

Connecting a domain requires that you have deployed Loft to a remote cluster.

After installing Loft, you may also choose to configure Domain and Transport Layer Security (TLS). Configuring Domain and TLS enables you to use Loft together with other members of your team who do not have direct access to Kubernetes, but want a common trusted endpoint for their Loft instance.

Configure Domain

NGINX Ingress Controller

  1. Run the command:

    loft start --host=loft.mydomain.tld     # Make sure to change `loft.mydomain.tld`
  2. Set the $VERSION variable to the Loft version you want to upgrade to OR set it to the current version using:

    CHART=$(kubectl get service loft -n loft -o jsonpath={.metadata.labels.chart})
    VERSION=${CHART:5}
  3. Upgrade Loft via:

    To upgrade Loft via Loft CLI, run:

    loft start --upgrade --version=$VERSION --values=loft.yaml
  4. Determine the External-IP address:

    kubectl get ingress -n loft
    NAME CLASS HOSTS ADDRESS PORTS AGE
    loft-ingress <none> loft.mydomain.tld x.x.x.x 80, 443 10m
  5. Set up a DNS A record to the ingress address (x.x.x.x). Make sure Loft is reachable at the address via:

    curl https://loft.mydomain.tld/version --insecure
    {"kind":"Version","apiVersion":"version.loft.sh","metadata":{"creationTimestamp":null},"version":"v1.15.0","major":"1","minor":"15","instance":"","kubeVersion":"v1.21.3-gke.2001"}

Load Balancer

  1. Create a file named loft-loadbalancer.yaml with the following content:

    apiVersion: v1
    kind: Service
    metadata:
    annotations:
    # Make sure to adjust the next line:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-2:xxx:certificate/xxx"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    name: loft-loadbalancer
    namespace: loft
    spec:
    type: LoadBalancer
    ports:
    - name: http
    port: 80
    protocol: TCP
    targetPort: 80
    - name: https
    port: 443
    protocol: TCP
    targetPort: 80
    selector:
    app: loft
    release: loft
  2. Create the load balancer with this command:

    kubectl apply -f loft-loadbalancer.yaml
  3. Wait until the load balancer receives an External-IP address:

    kubectl get svc loft-loadbalancer -n loft
    NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
    loft-loadbalancer LoadBalancer 10.112.2.142 x.x.x.x 443:30933/TCP 3m16s
    ^^^^^^^
  4. Make sure Loft is reachable at the external ip address via:

    curl https://x.x.x.x/version --insecure
    {"kind":"Version","apiVersion":"version.loft.sh","metadata":{"creationTimestamp":null},"version":"v1.15.0","major":"1","minor":"15","instance":"","kubeVersion":"v1.21.3-gke.2001"}
AWS Load Balancers

If you are using AWS, make sure you are using a Network Load Balancer (NLB) to route traffic, since other load balancers do not support the SPDY protocol Kubernetes requires.

Configure TLS

Cert-Manager

  1. Install cert-manager to your cluster:

    helm upgrade --install  cert-manager cert-manager  --repository-config=''\
    --namespace cert-manager --create-namespace \
    --repo https://charts.jetstack.io \
    --set installCRDs=true \
    --wait
  2. Edit your existing loft.yaml file, or create a new file named loft.yaml with content:

    ingress:
    annotations:
    # Make sure the following line matches the name of your issuer (or use the section below to create one)
    cert-manager.io/cluster-issuer: lets-encrypt-http-issuer
    tls:
    enabled: true
    secret: tls-loft

    certIssuer:
    create: true # Change this if you already have your own cert-issuer
    name: lets-encrypt-http-issuer
    email: "YOUR_EMAIL" # REQUIRED
    secretName: loft-letsencrypt-credentials
    httpResolver:
    enabled: true
    ingressClass: nginx
    resolvers: []
    server: https://acme-v02.api.letsencrypt.org/directory
  3. Set the $VERSION variable to the Loft version you want to upgrade to OR set it to the current version using:

    CHART=$(kubectl get service loft -n loft -o jsonpath={.metadata.labels.chart})
    VERSION=${CHART:5}
  4. Upgrade Loft via:

    To upgrade Loft via Loft CLI, run:

    loft start --upgrade --version=$VERSION --values=loft.yaml

AWS Certificate Manager (ACM)

  1. Determine the External-IP address of your ingress:

    kubectl get ingress -n loft
    NAME CLASS HOSTS ADDRESS PORTS AGE
    loft-ingress <none> loft.mydomain.tld x.x.x.x 80, 443 10m
    ^^^^^^^
  2. Find the AWS Elastic Load Balancer(ELB) for this IP address in the AWS console

  3. Switch to the tab Listeners

  4. In the column "SSL Certificates", click on the link View/edit certificates

  5. Click on the + Synbol next to the tab Certificates and add your Access Control Manager (ACM) managed certificate to the ingress controller's Load Balancer

Manually Provisioned Certificate

  1. Create a Kubernetes secret from your certificate:

    kubectl create secret generic tls-loft -n loft --type=kubernetes.io/tls \
    --from-file=tls.crt=tls.crt \
    --from-file=tls.key=tls.key
  2. Edit your existing loft.yaml file, or create a new file named loft.yaml with content:

    ingress:
    tls:
    enabled: true
    secret: tls-loft # Make sure this matches the name of your cert from the previous step
  3. Set the $VERSION variable to the Loft version you want to upgrade to OR set it to the current version using:

    CHART=$(kubectl get service loft -n loft -o jsonpath={.metadata.labels.chart})
    VERSION=${CHART:5}
  4. Upgrade Loft via:

    To upgrade Loft via Loft CLI, run:

    loft start --upgrade --version=$VERSION --values=loft.yaml

Self-Signed Certificate

  1. Create a new private key:

    openssl genrsa -out tls.key 4096
  2. Create a file named ssl.conf with the following content:

    [ req ]
    default_bits = 4096
    distinguished_name = req_distinguished_name
    x509_extensions = v3_ca
    req_extensions = v3_req
    x509_extensions = usr_cert

    [ req_distinguished_name ]
    organizationName = Organization Name (eg, company)
    organizationName_default = loft
    commonName = Common Name (e.g. server FQDN or YOUR name)
    commonName_default = loft.mydomain.tld

    [ usr_cert ]
    basicConstraints = CA:FALSE
    nsCertType = client, server
    keyUsage = digitalSignature
    extendedKeyUsage = serverAuth, clientAuth

    [ v3_req ]
    subjectAltName = @alt_names
    extendedKeyUsage = serverAuth, clientAuth
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature

    [ alt_names ]
    DNS.1 = localhost
  3. Create a certificate signing request:

    openssl req -new -sha256 \
    -out tls.csr \
    -key tls.key \
    -config ssl.conf
  4. Generate the certificate:

    openssl x509 -req \
    -sha256 \
    -days 3650 \
    -in tls.csr \
    -signkey tls.key \
    -out tls.crt \
    -extensions v3_req \
    -extfile ssl.conf
  5. Create a Kubernetes secret from your certificate:

    kubectl create secret generic tls-loft -n loft --type=kubernetes.io/tls \
    --from-file=tls.crt=tls.crt \
    --from-file=tls.key=tls.key
  6. Edit your existing loft.yaml file, or create a new file named loft.yaml with content:

    ingress:
    tls:
    enabled: true
    secret: tls-loft # Make sure this matches the name of your cert from the previous step
  7. Set the $VERSION variable to the Loft version you want to upgrade to OR set it to the current version using:

    CHART=$(kubectl get service loft -n loft -o jsonpath={.metadata.labels.chart})
    VERSION=${CHART:5}
  8. Upgrade Loft via:

    To upgrade Loft via Loft CLI, run:

    loft start --upgrade --version=$VERSION --values=loft.yaml