Configure Domain & TLS For Loft (Optional)
Remote Cluster Required
Connecting a domain requires that you have deployed Loft to a remote cluster.
Configure Domain
NGINX Ingress Controller
- Automatic or Existing Installation
- Manual Ingress Controller Installation
Run the command:
loft start --host=loft.mydomain.tld # Make sure to change `loft.mydomain.tld`
Set the
$VERSION
variable to the Loft version you want to upgrade to OR set it to the current version using:CHART=$(kubectl get service loft -n loft -o jsonpath={.metadata.labels.chart})
VERSION=${CHART:5}Upgrade Loft via:
- CLI
- helm
To upgrade Loft via Loft CLI, run:
loft start --upgrade --version=$VERSION --values=loft.yaml
To upgrade Loft via
helm
, run:helm upgrade loft loft -n loft --repository-config '' --repo https://charts.loft.sh \
--version $VERSION \
--reuse-values \
-f loft.yamlDetermine the External-IP address:
kubectl get ingress -n loft
NAME CLASS HOSTS ADDRESS PORTS AGE
loft-ingress <none> loft.mydomain.tld x.x.x.x 80, 443 10mSet up a DNS A record to the ingress address (x.x.x.x). Make sure Loft is reachable at the address via:
curl https://loft.mydomain.tld/version --insecure
{"kind":"Version","apiVersion":"version.loft.sh","metadata":{"creationTimestamp":null},"version":"v1.15.0","major":"1","minor":"15","instance":"","kubeVersion":"v1.21.3-gke.2001"}
Deploy
nginx-ingress
controller to your cluster:helm upgrade --install ingress-nginx ingress-nginx --repository-config='' \
-n ingress-nginx --create-namespace \
--repo https://kubernetes.github.io/ingress-nginx \
--set-string controller.config.hsts=false \
--waitDetermine the External-IP address:
kubectl get ingress -n loft
NAME CLASS HOSTS ADDRESS PORTS AGE
loft-ingress <none> loft.mydomain.tld x.x.x.x 80, 443 10m
^^^^^^^Set up a DNS A record to the ingress address (x.x.x.x). Make sure Loft is reachable at the address via:
curl https://loft.mydomain.tld/version --insecure
{"kind":"Version","apiVersion":"version.loft.sh","metadata":{"creationTimestamp":null},"version":"v1.15.0","major":"1","minor":"15","instance":"","kubeVersion":"v1.21.3-gke.2001"}Edit your existing
loft.yaml
file or create a new file namedloft.yaml
with the following content:ingress:
enabled: true
host: "loft.mydomain.tld" # Make sure to change this
ingressClass: "nginx" # OptionalSet the
$VERSION
variable to the Loft version you want to upgrade to OR set it to the current version using:CHART=$(kubectl get service loft -n loft -o jsonpath={.metadata.labels.chart})
VERSION=${CHART:5}Upgrade Loft via:
- CLI
- helm
To upgrade Loft via Loft CLI, run:
loft start --upgrade --version=$VERSION --values=loft.yaml
To upgrade Loft via
helm
, run:helm upgrade loft loft -n loft --repository-config '' --repo https://charts.loft.sh \
--version $VERSION \
--reuse-values \
-f loft.yaml
Load Balancer
Create a file named
loft-loadbalancer.yaml
with the following content:- AWS ELB + ACM
- Other Load Balancers
apiVersion: v1
kind: Service
metadata:
annotations:
# Make sure to adjust the next line:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-2:xxx:certificate/xxx"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
name: loft-loadbalancer
namespace: loft
spec:
type: LoadBalancer
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
- name: https
port: 443
protocol: TCP
targetPort: 80
selector:
app: loft
release: loftapiVersion: v1
kind: Service
metadata:
name: loft-loadbalancer
namespace: loft
spec:
type: LoadBalancer
ports:
- name: https
port: 443
targetPort: 443
protocol: TCP
selector:
app: loft
release: loftCreate the load balancer with this command:
kubectl apply -f loft-loadbalancer.yaml
Wait until the load balancer receives an External-IP address:
kubectl get svc loft-loadbalancer -n loft
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
loft-loadbalancer LoadBalancer 10.112.2.142 x.x.x.x 443:30933/TCP 3m16s
^^^^^^^Make sure Loft is reachable at the external ip address via:
curl https://x.x.x.x/version --insecure
{"kind":"Version","apiVersion":"version.loft.sh","metadata":{"creationTimestamp":null},"version":"v1.15.0","major":"1","minor":"15","instance":"","kubeVersion":"v1.21.3-gke.2001"}
AWS Load Balancers
If you are using AWS, make sure you are using a Network Load Balancer (NLB) to route traffic, since other load balancers do not support the SPDY protocol Kubernetes requires.
Configure TLS
Cert-Manager
Install
cert-manager
to your cluster:helm upgrade --install cert-manager cert-manager --repository-config=''\
--namespace cert-manager --create-namespace \
--repo https://charts.jetstack.io \
--set installCRDs=true \
--waitEdit your existing
loft.yaml
file, or create a new file namedloft.yaml
with content:ingress:
annotations:
# Make sure the following line matches the name of your issuer (or use the section below to create one)
cert-manager.io/cluster-issuer: lets-encrypt-http-issuer
tls:
enabled: true
secret: tls-loft
certIssuer:
create: true # Change this if you already have your own cert-issuer
name: lets-encrypt-http-issuer
email: "YOUR_EMAIL" # REQUIRED
secretName: loft-letsencrypt-credentials
httpResolver:
enabled: true
ingressClass: nginx
resolvers: []
server: https://acme-v02.api.letsencrypt.org/directorySet the
$VERSION
variable to the Loft version you want to upgrade to OR set it to the current version using:CHART=$(kubectl get service loft -n loft -o jsonpath={.metadata.labels.chart})
VERSION=${CHART:5}Upgrade Loft via:
- CLI
- helm
To upgrade Loft via Loft CLI, run:
loft start --upgrade --version=$VERSION --values=loft.yaml
To upgrade Loft via
helm
, run:helm upgrade loft loft -n loft --repository-config '' --repo https://charts.loft.sh \
--version $VERSION \
--reuse-values \
-f loft.yaml
AWS Certificate Manager (ACM)
- Domain via Ingress
- Domain via Load Balancer
Determine the External-IP address of your ingress:
kubectl get ingress -n loft
NAME CLASS HOSTS ADDRESS PORTS AGE
loft-ingress <none> loft.mydomain.tld x.x.x.x 80, 443 10m
^^^^^^^Find the AWS Elastic Load Balancer(ELB) for this IP address in the AWS console
Switch to the tab
Listeners
In the column "SSL Certificates", click on the link
View/edit certificates
Click on the
+
Synbol next to the tabCertificates
and add your Access Control Manager (ACM) managed certificate to the ingress controller's Load Balancer
Make sure to follow the Load Balancer > AWS ELB + ACM guide above.
Manually Provisioned Certificate
Create a Kubernetes secret from your certificate:
kubectl create secret generic tls-loft -n loft --type=kubernetes.io/tls \
--from-file=tls.crt=tls.crt \
--from-file=tls.key=tls.keyEdit your existing
loft.yaml
file, or create a new file namedloft.yaml
with content:- Loft Ingress handles TLS
- Loft Pod handles TLS
- Load Balancer handles TLS
ingress:
tls:
enabled: true
secret: tls-loft # Make sure this matches the name of your cert from the previous steptls:
enabled: true
secret: tls-loft # Make sure this matches the name of your cert from the previous stepThis must be configured outside of the Loft deployment
Set the
$VERSION
variable to the Loft version you want to upgrade to OR set it to the current version using:CHART=$(kubectl get service loft -n loft -o jsonpath={.metadata.labels.chart})
VERSION=${CHART:5}Upgrade Loft via:
- CLI
- helm
To upgrade Loft via Loft CLI, run:
loft start --upgrade --version=$VERSION --values=loft.yaml
To upgrade Loft via
helm
, run:helm upgrade loft loft -n loft --repository-config '' --repo https://charts.loft.sh \
--version $VERSION \
--reuse-values \
-f loft.yaml
Self-Signed Certificate
Create a new private key:
openssl genrsa -out tls.key 4096
Create a file named
ssl.conf
with the following content:[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
req_extensions = v3_req
x509_extensions = usr_cert
[ req_distinguished_name ]
organizationName = Organization Name (eg, company)
organizationName_default = loft
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = loft.mydomain.tld
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client, server
keyUsage = digitalSignature
extendedKeyUsage = serverAuth, clientAuth
[ v3_req ]
subjectAltName = @alt_names
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = CA:FALSE
keyUsage = digitalSignature
[ alt_names ]
DNS.1 = localhostCreate a certificate signing request:
openssl req -new -sha256 \
-out tls.csr \
-key tls.key \
-config ssl.confGenerate the certificate:
openssl x509 -req \
-sha256 \
-days 3650 \
-in tls.csr \
-signkey tls.key \
-out tls.crt \
-extensions v3_req \
-extfile ssl.confCreate a Kubernetes secret from your certificate:
kubectl create secret generic tls-loft -n loft --type=kubernetes.io/tls \
--from-file=tls.crt=tls.crt \
--from-file=tls.key=tls.keyEdit your existing
loft.yaml
file, or create a new file namedloft.yaml
with content:- Loft Ingress handles TLS
- Loft Pod handles TLS
- Load Balancer handles TLS
ingress:
tls:
enabled: true
secret: tls-loft # Make sure this matches the name of your cert from the previous steptls:
enabled: true
secret: tls-loft # Make sure this matches the name of your cert from the previous stepThis must be configured outside of the Loft deployment
Set the
$VERSION
variable to the Loft version you want to upgrade to OR set it to the current version using:CHART=$(kubectl get service loft -n loft -o jsonpath={.metadata.labels.chart})
VERSION=${CHART:5}Upgrade Loft via:
- CLI
- helm
To upgrade Loft via Loft CLI, run:
loft start --upgrade --version=$VERSION --values=loft.yaml
To upgrade Loft via
helm
, run:helm upgrade loft loft -n loft --repository-config '' --repo https://charts.loft.sh \
--version $VERSION \
--reuse-values \
-f loft.yaml