Platform Configuration
Modify the platform's behavior and enable or turn off certain features, such as SSO login, custom branding, or auditing.
Changing the platform config​
The platform config can be applied directly via helm values or through the UI in Admin > Config
. Using helm values allows you to declaratively deploy the platform.
When using helm, you can apply the platform config via a
values.yaml file. This
also makes it possible to deploy the platform through GitOps
solutions such as ArgoCD. An example platform values.yaml
could look like this:
config:
loftHost: my-vcluster-host.com
audit:
enabled: true
auth:
github:
clientId: $CLIENT_ID
clientSecret: $CLIENT_SECRET
redirectURI: https://my-vcluster-host.com/auth/github/callback
For a complete overview of possible Helm values, please refer to the values.yaml.
Changing the loftHost
variable​
After setting up the platform, TLS certificates, and configuring the ingress to
use a custom domain, you need to change the loftHost
variable.
Initially, that value is set to the URL of either the Loft Router domain or no
domain in the case of air-gapped setups. This value should be equal to the hostname specified in the ingress resource for accessing the platform.
The value of the loftHost
variable should only be the hostname that the platform is reachable at and not contain protocols (such as HTTP) or subpaths.
After changing the loftHost
, all currently connected clusters must be redeployed by running the same connection commands in the corresponding Kubernetes context. See the instructions on connecting clusters for more guidance.
Clusters must also be reconnected if the additionalCA
or insecureSkipVerify
values are changed after the initial setup.
Sensitive information in the platform config​
Some fields within the platform config allow placeholders for environment variables, such as the clientId
and clientSecret
fields. This makes it possible to not expose sensitive information directly inside the platform values and instead mount this information into the platform through an external secret.
To load the GitHub clientId
and clientSecret
through a Kubernetes secret my-secret
, use the following configuration:
envValueFrom:
CLIENT_ID:
secretKeyRef:
name: my-secret
key: client_id
CLIENT_SECRET:
secretKeyRef:
name: my-secret
key: client_secret
config:
auth:
github:
clientId: $CLIENT_ID
clientSecret: $CLIENT_SECRET
redirectURI: https://my-vcluster-platform-host.com/auth/github/callback
Then use Helm to apply this configuration and update $PLATFORM_VERSION
with a valid platform version.
helm upgrade loft vcluster-platform --install \
--repo https://charts.loft.sh/ \
--namespace vcluster-platform \
--create-namespace \
--values values.yaml \
--version $PLATFORM_VERSION
Custom HTTP headers​
The platform allows you to add custom HTTP headers to all requests that are sent to the platform API. This can be useful if you want to add custom headers to all requests, such as X-Frame-Options
or X-XSS-Protection
.
To add custom HTTP headers, use the following configuration:
config:
auth:
customHttpHeaders:
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Setting additional certificate authority for platform​
If you want to have all your virtual clusters managed by the platform use a specific certificate authority to establish the connection between the virtual cluster and the platform, you can set it as a configuration option on the platform instead of configuring it on each individual virtual cluster. This enables secure communication between your virtual clusters and the platform.
As a prerequisite, you have to configure TLS for the platform first.
additionalCA: "(base64 encoded CA)"
If you need to import externally managed virtual clusters to the platform, you can also enable a secure connection by grabbing the value from the existing platform. You can do this by running:
helm get values --namespace [namespace where vCluster Platform is deployed] [loft helm release name] --all | grep additionalCA
Using the additionalCA
value from the preceding command, import the vCluster using the following vCluster CLI command:
vcluster platform add vcluster <VCLUSTER_NAME> \
--namespace=<VCLUSTER_NAMESPACE> \
--project=<PROJECT_NAME> \
--ca-data [base64 string grabbed from the command above]
Once the command succeeds, the imported vCluster pod restarts and reports Ready
.
The platform agent​
Every connected cluster in a platform environment, including the "main" cluster that platform is deployed in, must have a platform Agent deployed. This agent pod handles reconciliation of cluster-scoped (as in not platform instance-wide) resources.
By default, when the platform is installed, the platform pod also installs the
platform Agent into the cluster you are deploying platform into. This is usually
a desirable behavior since the platform requires the Agent to be present in all
clusters. Sometimes, however, admins wish to manage the installation of the
platform Agent themselves, either by installing it explicitly or by
installing it via GitOps tooling. In this situation, it is possible to turn off the Agent deployment by setting the DISABLE_AGENT
environment variable to "true". This can be accomplished in the env
section of the platform values:
env:
DISABLE_AGENT: true
It is also possible to tell platform not to install Agents into individual
clusters. This can be accomplished by setting the loft.sh/cluster-ignore-agent
Annotation of the Cluster resource to "true" for any clusters that the platform should not manage the Agent deployment on.
The platform Agent is required for every connected cluster in a platform deployment, including the cluster platform itself is deployed into. If you are disabling the agent deployment via one of the mechanisms described preceding, make sure you are still getting an Agent installed into every connected cluster by some other means.
If you are electing to manage the Agent installation yourself, you can install the Agent directly using Helm. Update $PLATFORM_VERSION
with a valid platform version.
helm upgrade vcluster-platform vcluster-platform --install \
--repo https://charts.loft.sh/ \
--namespace vcluster-platform \
--create-namespace \
--set agentOnly=true \
--version $PLATFORM_VERSION
Platform agent values​
As with the primary platform chart, the platform Agent chart exposes values that can be configured by an administrator to suit their needs. The Agent chart and values can be seen in the public repository here.
If you have deployed the platform with the default behavior of not disabling the Agent deployment, you can still provide values to influence the deployment of the Agent itself. This can be accomplished by providing any valid Agent values in the agentValues
section of the platform chart values. These values are received by the platform deployment and used when deploying the Agent pods. Below is an example of the platform values agentValues
section.
agentValues:
securityContext:
enabled: true
Administrators can also provide Agent values for specific clusters by setting the loft.sh/agent-values
Annotation of a specific cluster object. These values always override any values provided in the parent platform chart.
Config reference​
auth
required object pro​
Authentication holds the information for authentication
auth
required object pro​oidc
required object pro​
OIDC holds oidc authentication configuration
oidc
required object pro​issuerUrl
required string pro​
IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss"
field of all tokens produced by the provider and is used for configuration
discovery.
The URL is usually the provider's URL without a path, for example
"https://accounts.google.com" or "https://login.salesforce.com".
The provider must implement configuration discovery.
See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
issuerUrl
required string pro​clientId
required string pro​
ClientID the JWT must be issued for, the "sub" field. This plugin only trusts a single
client to ensure the plugin can be used with public providers.
The plugin supports the "authorized party" OpenID Connect claim, which allows
specialized providers to issue tokens to a client for a different client.
See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
clientId
required string pro​clientSecret
required string pro​
ClientSecret to issue tokens from the OIDC provider
clientSecret
required string pro​redirectURI
required string pro​
loft redirect uri. E.g. https://loft.my.domain/auth/oidc/callback
redirectURI
required string pro​postLogoutRedirectURI
required string pro​
Loft URI to be redirected to after successful logout by OIDC Provider
postLogoutRedirectURI
required string pro​caFile
required string pro​
Path to a PEM encoded root certificate of the provider. Optional
caFile
required string pro​insecureCa
required boolean pro​
Specify whether to communicate without validating SSL certificates
insecureCa
required boolean pro​preferredUsername
required string pro​
Configurable key which contains the preferred username claims
preferredUsername
required string pro​loftUsernameClaim
required string pro​
LoftUsernameClaim is the JWT field to use as the user's username.
loftUsernameClaim
required string pro​usernameClaim
required string pro​
UsernameClaim is the JWT field to use as the user's id.
usernameClaim
required string pro​emailClaim
required string pro​
EmailClaim is the JWT field to use as the user's email.
emailClaim
required string pro​usernamePrefix
required string pro​
UsernamePrefix, if specified, causes claims mapping to username to be prefix with
the provided value. A value "oidc:" would result in usernames like "oidc:john".
usernamePrefix
required string pro​groupsClaim
required string pro​
GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's
groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value
must be a string or list of strings.
groupsClaim
required string pro​groups
required string[] pro​
If required groups is non empty, access is denied if the user is not part of at least one
of the specified groups.
groups
required string[] pro​scopes
required string[] pro​
Scopes that should be sent to the server. If empty, defaults to "email" and "profile".
scopes
required string[] pro​getUserInfo
required boolean pro​
GetUserInfo, if specified, tells the OIDCAuthenticator to try to populate the user's
information from the UserInfo.
getUserInfo
required boolean pro​groupsPrefix
required string pro​
GroupsPrefix, if specified, causes claims mapping to group names to be prefixed with the
value. A value "oidc:" would result in groups like "oidc:engineering" and "oidc:marketing".
groupsPrefix
required string pro​type
required string pro​
Type of the OIDC to show in the UI. Only for displaying purposes
type
required string pro​github
required object pro​
Github holds github authentication configuration
github
required object pro​clientId
required string pro​
ClientID holds the github client id
clientId
required string pro​clientSecret
required string pro​
ClientID holds the github client secret
clientSecret
required string pro​redirectURI
required string pro​
RedirectURI holds the redirect URI. Should be https://loft.domain.tld/auth/github/callback
redirectURI
required string pro​orgs
required object[] pro​
Loft queries the following organizations for group information.
Group claims are formatted as "(org):(team)".
For example if a user is part of the "engineering" team of the "coreos"
org, the group claim would include "coreos:engineering".
If orgs are specified in the config then user MUST be a member of at least one of the specified orgs to
authenticate with loft.
orgs
required object[] pro​name
required string pro​
Organization name in github (not slug, full name). Only users in this github
organization can authenticate.
name
required string pro​teams
required string[] pro​
Names of teams in a github organization. A user will be able to
authenticate if they are members of at least one of these teams. Users
in the organization can authenticate if this field is omitted from the
config file.
teams
required string[] pro​hostName
required string pro​
Required ONLY for GitHub Enterprise.
This is the Hostname of the GitHub Enterprise account listed on the
management console. Ensure this domain is routable on your network.
hostName
required string pro​rootCA
required string pro​
ONLY for GitHub Enterprise. Optional field.
Used to support self-signed or untrusted CA root certificates.
rootCA
required string pro​gitlab
required object pro​
Gitlab holds gitlab authentication configuration
gitlab
required object pro​clientId
required string pro​
Gitlab client id
clientId
required string pro​clientSecret
required string pro​
Gitlab client secret
clientSecret
required string pro​redirectURI
required string pro​
Redirect URI
redirectURI
required string pro​baseURL
required string pro​
BaseURL is optional, default = https://gitlab.com
baseURL
required string pro​groups
required string[] pro​
Optional groups whitelist, communicated through the "groups" scope.
If groups
is omitted, all of the user's GitLab groups are returned.
If groups
is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured groups
below will go into the groups claim. Conversely, if the user is not in any of the configured groups
, the user will not be authenticated.
groups
required string[] pro​groups
is omitted, all of the user's GitLab groups are returned.
If groups
is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured groups
below will go into the groups claim. Conversely, if the user is not in any of the configured groups
, the user will not be authenticated.google
required object pro​
Google holds google authentication configuration
google
required object pro​clientId
required string pro​
Google client id
clientId
required string pro​clientSecret
required string pro​
Google client secret
clientSecret
required string pro​redirectURI
required string pro​
loft redirect uri. E.g. https://loft.my.domain/auth/google/callback
redirectURI
required string pro​scopes
required string[] pro​
defaults to "profile" and "email"
scopes
required string[] pro​hostedDomains
required string[] pro​
Optional list of whitelisted domains
If this field is nonempty, only users from a listed domain will be allowed to log in
hostedDomains
required string[] pro​groups
required string[] pro​
Optional list of whitelisted groups
If this field is nonempty, only users from a listed group will be allowed to log in
groups
required string[] pro​serviceAccountFilePath
required string pro​
Optional path to service account json
If nonempty, and groups claim is made, will use authentication from file to
check groups with the admin directory api
serviceAccountFilePath
required string pro​adminEmail
required string pro​
Required if ServiceAccountFilePath
The email of a GSuite super user which the service account will impersonate
when listing groups
adminEmail
required string pro​microsoft
required object pro​
Microsoft holds microsoft authentication configuration
microsoft
required object pro​clientId
required string pro​
Microsoft client id
clientId
required string pro​clientSecret
required string pro​
Microsoft client secret
clientSecret
required string pro​redirectURI
required string pro​
loft redirect uri. Usually https://loft.my.domain/auth/microsoft/callback
redirectURI
required string pro​tenant
required string pro​
tenant configuration parameter controls what kinds of accounts may be authenticated in loft.
By default, all types of Microsoft accounts (consumers and organizations) can authenticate in loft via Microsoft.
To change this, set the tenant parameter to one of the following:
common - both personal and business/school accounts can authenticate in loft via Microsoft (default)
consumers - only personal accounts can authenticate in loft
organizations - only business/school accounts can authenticate in loft
tenant uuid or tenant name - only accounts belonging to specific tenant identified by either tenant uuid or tenant name can authenticate in loft
tenant
required string pro​groups
required string[] pro​
It is possible to require a user to be a member of a particular group in order to be successfully authenticated in loft.
groups
required string[] pro​onlySecurityGroups
required boolean pro​
configuration option restricts the list to include only security groups. By default all groups (security, Office 365, mailing lists) are included.
onlySecurityGroups
required boolean pro​useGroupsAsWhitelist
required boolean pro​
Restrict the groups claims to include only the user’s groups that are in the configured groups
useGroupsAsWhitelist
required boolean pro​saml
required object pro​
SAML holds saml authentication configuration
saml
required object pro​redirectURI
required string pro​
If the response assertion status value contains a Destination element, it
must match this value exactly.
Usually looks like https://your-loft-domain/auth/saml/callback
redirectURI
required string pro​ssoURL
required string pro​
SSO URL used for POST value.
ssoURL
required string pro​caData
required string pro​
CAData is a base64 encoded string that holds the ca certificate for validating the signature of the SAML response.
Either CAData, CA or InsecureSkipSignatureValidation needs to be defined.
caData
required string pro​usernameAttr
required string pro​
Name of attribute in the returned assertions to map to username
usernameAttr
required string pro​emailAttr
required string pro​
Name of attribute in the returned assertions to map to email
emailAttr
required string pro​groupsAttr
required string pro​
Name of attribute in the returned assertions to map to groups
groupsAttr
required string pro​ca
required string pro​
CA to use when validating the signature of the SAML response.
ca
required string pro​insecureSkipSignatureValidation
required boolean pro​
Ignore the ca cert
insecureSkipSignatureValidation
required boolean pro​entityIssuer
required string pro​
When provided Loft will include this as the Issuer value during AuthnRequest.
It will also override the redirectURI as the required audience when evaluating
AudienceRestriction elements in the response.
entityIssuer
required string pro​ssoIssuer
required string pro​
Issuer value expected in the SAML response. Optional.
ssoIssuer
required string pro​groupsDelim
required string pro​
If GroupsDelim is supplied the connector assumes groups are returned as a
single string instead of multiple attribute values. This delimiter will be
used split the groups string.
groupsDelim
required string pro​allowedGroups
required string[] pro​
List of groups to filter access based on membership
allowedGroups
required string[] pro​filterGroups
required boolean pro​
If used with allowed groups, only forwards the allowed groups and not all
groups specified.
filterGroups
required boolean pro​nameIDPolicyFormat
required string pro​
Requested format of the NameID. The NameID value is is mapped to the ID Token
'sub' claim.
This can be an abbreviated form of the full URI with just the last component. For
example, if this value is set to "emailAddress" the format will resolve to:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
If no value is specified, this value defaults to:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
nameIDPolicyFormat
required string pro​rancher
required object pro​
Rancher holds the rancher authentication options
rancher
required object pro​password
required object pro​
Password holds password authentication relevant information
password
required object pro​disabled
required boolean pro​
If true login via password is disabled
disabled
required boolean pro​connectors
required object[] pro​
Connectors are optional additional connectors for Loft.
connectors
required object[] pro​id
required string pro​
ID is the id that should show up in the url
id
required string pro​displayName
required string pro​
DisplayName is the name that should show up in the ui
displayName
required string pro​oidc
required object pro​
OIDC holds oidc authentication configuration
oidc
required object pro​issuerUrl
required string pro​
IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss"
field of all tokens produced by the provider and is used for configuration
discovery.
The URL is usually the provider's URL without a path, for example
"https://accounts.google.com" or "https://login.salesforce.com".
The provider must implement configuration discovery.
See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
issuerUrl
required string pro​clientId
required string pro​
ClientID the JWT must be issued for, the "sub" field. This plugin only trusts a single
client to ensure the plugin can be used with public providers.
The plugin supports the "authorized party" OpenID Connect claim, which allows
specialized providers to issue tokens to a client for a different client.
See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
clientId
required string pro​clientSecret
required string pro​
ClientSecret to issue tokens from the OIDC provider
clientSecret
required string pro​redirectURI
required string pro​
loft redirect uri. E.g. https://loft.my.domain/auth/oidc/callback
redirectURI
required string pro​postLogoutRedirectURI
required string pro​
Loft URI to be redirected to after successful logout by OIDC Provider
postLogoutRedirectURI
required string pro​caFile
required string pro​
Path to a PEM encoded root certificate of the provider. Optional
caFile
required string pro​insecureCa
required boolean pro​
Specify whether to communicate without validating SSL certificates
insecureCa
required boolean pro​preferredUsername
required string pro​
Configurable key which contains the preferred username claims
preferredUsername
required string pro​loftUsernameClaim
required string pro​
LoftUsernameClaim is the JWT field to use as the user's username.
loftUsernameClaim
required string pro​usernameClaim
required string pro​
UsernameClaim is the JWT field to use as the user's id.
usernameClaim
required string pro​emailClaim
required string pro​
EmailClaim is the JWT field to use as the user's email.
emailClaim
required string pro​usernamePrefix
required string pro​
UsernamePrefix, if specified, causes claims mapping to username to be prefix with
the provided value. A value "oidc:" would result in usernames like "oidc:john".
usernamePrefix
required string pro​groupsClaim
required string pro​
GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's
groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value
must be a string or list of strings.
groupsClaim
required string pro​groups
required string[] pro​
If required groups is non empty, access is denied if the user is not part of at least one
of the specified groups.
groups
required string[] pro​scopes
required string[] pro​
Scopes that should be sent to the server. If empty, defaults to "email" and "profile".
scopes
required string[] pro​getUserInfo
required boolean pro​
GetUserInfo, if specified, tells the OIDCAuthenticator to try to populate the user's
information from the UserInfo.
getUserInfo
required boolean pro​groupsPrefix
required string pro​
GroupsPrefix, if specified, causes claims mapping to group names to be prefixed with the
value. A value "oidc:" would result in groups like "oidc:engineering" and "oidc:marketing".
groupsPrefix
required string pro​type
required string pro​
Type of the OIDC to show in the UI. Only for displaying purposes
type
required string pro​github
required object pro​
Github holds github authentication configuration
github
required object pro​clientId
required string pro​
ClientID holds the github client id
clientId
required string pro​clientSecret
required string pro​
ClientID holds the github client secret
clientSecret
required string pro​redirectURI
required string pro​
RedirectURI holds the redirect URI. Should be https://loft.domain.tld/auth/github/callback
redirectURI
required string pro​orgs
required object[] pro​
Loft queries the following organizations for group information.
Group claims are formatted as "(org):(team)".
For example if a user is part of the "engineering" team of the "coreos"
org, the group claim would include "coreos:engineering".
If orgs are specified in the config then user MUST be a member of at least one of the specified orgs to
authenticate with loft.
orgs
required object[] pro​name
required string pro​
Organization name in github (not slug, full name). Only users in this github
organization can authenticate.
name
required string pro​teams
required string[] pro​
Names of teams in a github organization. A user will be able to
authenticate if they are members of at least one of these teams. Users
in the organization can authenticate if this field is omitted from the
config file.
teams
required string[] pro​hostName
required string pro​
Required ONLY for GitHub Enterprise.
This is the Hostname of the GitHub Enterprise account listed on the
management console. Ensure this domain is routable on your network.
hostName
required string pro​rootCA
required string pro​
ONLY for GitHub Enterprise. Optional field.
Used to support self-signed or untrusted CA root certificates.
rootCA
required string pro​gitlab
required object pro​
Gitlab holds gitlab authentication configuration
gitlab
required object pro​clientId
required string pro​
Gitlab client id
clientId
required string pro​clientSecret
required string pro​
Gitlab client secret
clientSecret
required string pro​redirectURI
required string pro​
Redirect URI
redirectURI
required string pro​baseURL
required string pro​
BaseURL is optional, default = https://gitlab.com
baseURL
required string pro​groups
required string[] pro​
Optional groups whitelist, communicated through the "groups" scope.
If groups
is omitted, all of the user's GitLab groups are returned.
If groups
is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured groups
below will go into the groups claim. Conversely, if the user is not in any of the configured groups
, the user will not be authenticated.
groups
required string[] pro​groups
is omitted, all of the user's GitLab groups are returned.
If groups
is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured groups
below will go into the groups claim. Conversely, if the user is not in any of the configured groups
, the user will not be authenticated.google
required object pro​
Google holds google authentication configuration
google
required object pro​clientId
required string pro​
Google client id
clientId
required string pro​clientSecret
required string pro​
Google client secret
clientSecret
required string pro​redirectURI
required string pro​
loft redirect uri. E.g. https://loft.my.domain/auth/google/callback
redirectURI
required string pro​scopes
required string[] pro​
defaults to "profile" and "email"
scopes
required string[] pro​hostedDomains
required string[] pro​
Optional list of whitelisted domains
If this field is nonempty, only users from a listed domain will be allowed to log in
hostedDomains
required string[] pro​groups
required string[] pro​
Optional list of whitelisted groups
If this field is nonempty, only users from a listed group will be allowed to log in
groups
required string[] pro​serviceAccountFilePath
required string pro​
Optional path to service account json
If nonempty, and groups claim is made, will use authentication from file to
check groups with the admin directory api
serviceAccountFilePath
required string pro​adminEmail
required string pro​
Required if ServiceAccountFilePath
The email of a GSuite super user which the service account will impersonate
when listing groups
adminEmail
required string pro​microsoft
required object pro​
Microsoft holds microsoft authentication configuration
microsoft
required object pro​clientId
required string pro​
Microsoft client id
clientId
required string pro​clientSecret
required string pro​
Microsoft client secret
clientSecret
required string pro​redirectURI
required string pro​
loft redirect uri. Usually https://loft.my.domain/auth/microsoft/callback
redirectURI
required string pro​tenant
required string pro​
tenant configuration parameter controls what kinds of accounts may be authenticated in loft.
By default, all types of Microsoft accounts (consumers and organizations) can authenticate in loft via Microsoft.
To change this, set the tenant parameter to one of the following:
common - both personal and business/school accounts can authenticate in loft via Microsoft (default)
consumers - only personal accounts can authenticate in loft
organizations - only business/school accounts can authenticate in loft
tenant uuid or tenant name - only accounts belonging to specific tenant identified by either tenant uuid or tenant name can authenticate in loft
tenant
required string pro​groups
required string[] pro​
It is possible to require a user to be a member of a particular group in order to be successfully authenticated in loft.
groups
required string[] pro​onlySecurityGroups
required boolean pro​
configuration option restricts the list to include only security groups. By default all groups (security, Office 365, mailing lists) are included.
onlySecurityGroups
required boolean pro​useGroupsAsWhitelist
required boolean pro​
Restrict the groups claims to include only the user’s groups that are in the configured groups
useGroupsAsWhitelist
required boolean pro​saml
required object pro​
SAML holds saml authentication configuration
saml
required object pro​redirectURI
required string pro​
If the response assertion status value contains a Destination element, it
must match this value exactly.
Usually looks like https://your-loft-domain/auth/saml/callback
redirectURI
required string pro​ssoURL
required string pro​
SSO URL used for POST value.
ssoURL
required string pro​caData
required string pro​
CAData is a base64 encoded string that holds the ca certificate for validating the signature of the SAML response.
Either CAData, CA or InsecureSkipSignatureValidation needs to be defined.
caData
required string pro​usernameAttr
required string pro​
Name of attribute in the returned assertions to map to username
usernameAttr
required string pro​emailAttr
required string pro​
Name of attribute in the returned assertions to map to email
emailAttr
required string pro​groupsAttr
required string pro​
Name of attribute in the returned assertions to map to groups
groupsAttr
required string pro​ca
required string pro​
CA to use when validating the signature of the SAML response.
ca
required string pro​insecureSkipSignatureValidation
required boolean pro​
Ignore the ca cert
insecureSkipSignatureValidation
required boolean pro​entityIssuer
required string pro​
When provided Loft will include this as the Issuer value during AuthnRequest.
It will also override the redirectURI as the required audience when evaluating
AudienceRestriction elements in the response.
entityIssuer
required string pro​ssoIssuer
required string pro​
Issuer value expected in the SAML response. Optional.
ssoIssuer
required string pro​groupsDelim
required string pro​
If GroupsDelim is supplied the connector assumes groups are returned as a
single string instead of multiple attribute values. This delimiter will be
used split the groups string.
groupsDelim
required string pro​allowedGroups
required string[] pro​
List of groups to filter access based on membership
allowedGroups
required string[] pro​filterGroups
required boolean pro​
If used with allowed groups, only forwards the allowed groups and not all
groups specified.
filterGroups
required boolean pro​nameIDPolicyFormat
required string pro​
Requested format of the NameID. The NameID value is is mapped to the ID Token
'sub' claim.
This can be an abbreviated form of the full URI with just the last component. For
example, if this value is set to "emailAddress" the format will resolve to:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
If no value is specified, this value defaults to:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
nameIDPolicyFormat
required string pro​disableTeamCreation
required boolean pro​
Prevents from team creation for the new groups associated with the user at the time of logging in through sso,
Default behaviour is false, this means that teams will be created for new groups.
disableTeamCreation
required boolean pro​disableUserCreation
required boolean pro​
DisableUserCreation prevents the SSO connectors from creating a new user on a users initial signin through sso.
Default behaviour is false, this means that a new user object will be created once a user without
a Kubernetes user object logs in.
disableUserCreation
required boolean pro​accessKeyMaxTTLSeconds
required integer pro​
AccessKeyMaxTTLSeconds is the global maximum lifespan of an accesskey in seconds.
Leaving it 0 or unspecified will disable it.
Specifying 2592000 will mean all keys have a Time-To-Live of 30 days.
accessKeyMaxTTLSeconds
required integer pro​loginAccessKeyTTLSeconds
required integer pro​
LoginAccessKeyTTLSeconds is the time in seconds an access key is kept
until it is deleted.
Leaving it unspecified will default to 20 days.
Setting it to zero will disable the ttl.
Specifying 2592000 will mean all keys have a default Time-To-Live of 30 days.
loginAccessKeyTTLSeconds
required integer pro​customHttpHeaders
required object pro​
CustomHttpHeaders are additional headers that should be set for the authentication endpoints
customHttpHeaders
required object pro​groupsFilters
required string[] pro​
GroupsFilters is a regex expression to only save matching sso groups into the user resource
groupsFilters
required string[] pro​oidc
required object pro​
DEPRECATED: Configure the OIDC clients using either the OIDC Client UI or a secret. By default, vCluster Platform as an OIDC Provider is enabled but does not function without OIDC clients.
oidc
required object pro​enabled
required boolean pro​
If true indicates that loft will act as an OIDC server
enabled
required boolean pro​wildcardRedirect
required boolean pro​
If true indicates that loft will allow wildcard '*' in client redirectURIs
wildcardRedirect
required boolean pro​clients
required object[] pro​
The clients that are allowed to request loft tokens
clients
required object[] pro​name
required string pro​
The client name
name
required string pro​clientId
required string pro​
The client id of the client
clientId
required string pro​clientSecret
required string pro​
The client secret of the client
clientSecret
required string pro​redirectURIs
required string[] pro​
A registered set of redirect URIs. When redirecting from dex to the client, the URI
requested to redirect to MUST match one of these values, unless the client is "public".
redirectURIs
required string[] pro​apps
required object pro​
Apps holds configuration around apps
apps
required object pro​noDefault
required boolean pro​
If this option is true, loft will not try to parse the default apps
noDefault
required boolean pro​repositories
required object[] pro​
These are additional repositories that are parsed by loft
repositories
required object[] pro​name
required string pro​
Name is the name of the repository
name
required string pro​url
required string pro​
URL is the repository url
url
required string pro​username
required string pro​
Username of the repository
username
required string pro​password
required string pro​
Password of the repository
password
required string pro​insecure
required boolean pro​
Insecure specifies if the chart should be retrieved without TLS
verification
insecure
required boolean pro​predefinedApps
required object[] pro​
Predefined apps that can be selected in the Spaces ) Space menu
predefinedApps
required object[] pro​chart
required string pro​
Chart holds the repo/chart name of the predefined app
chart
required string pro​initialVersion
required string pro​
InitialVersion holds the initial version of this app.
This version will be selected automatically.
initialVersion
required string pro​initialValues
required string pro​
InitialValues holds the initial values for this app.
The values will be prefilled automatically. There are certain
placeholders that can be used within the values that are replaced
by the loft UI automatically.
initialValues
required string pro​clusters
required string[] pro​
Holds the cluster names where to display this app
clusters
required string[] pro​title
required string pro​
Title is the name that should be displayed for the predefined app.
If empty the chart name is used.
title
required string pro​iconUrl
required string pro​
IconURL specifies an url to the icon that should be displayed for this app.
If none is specified the icon from the chart metadata is used.
iconUrl
required string pro​readmeUrl
required string pro​
ReadmeURL specifies an url to the readme page of this predefined app. If empty
an url will be constructed to artifact hub.
readmeUrl
required string pro​audit
required object pro​
Audit holds audit configuration
audit
required object pro​enabled
required boolean pro​
If audit is enabled and incoming api requests will be logged based on the supplied policy.
enabled
required boolean pro​disableAgentSyncBack
required boolean pro​
If true, the agent will not send back any audit logs to Loft itself.
disableAgentSyncBack
required boolean pro​level
required integer pro​
Level is an optional log level for audit logs. Cannot be used together with policy
level
required integer pro​policy
required object pro​
The audit policy to use and log requests. By default loft will not log anything
policy
required object pro​rules
required object[] pro​
Rules specify the audit Level a request should be recorded at.
A request may match multiple rules, in which case the FIRST matching rule is used.
The default audit level is None, but can be overridden by a catch-all rule at the end of the list.
PolicyRules are strictly ordered.
rules
required object[] pro​level
required string pro​
The Level that requests matching this rule are recorded at.
level
required string pro​users
required string[] pro​
The users (by authenticated user name) this rule applies to.
An empty list implies every user.
users
required string[] pro​userGroups
required string[] pro​
The user groups this rule applies to. A user is considered matching
if it is a member of any of the UserGroups.
An empty list implies every user group.
userGroups
required string[] pro​verbs
required string[] pro​
The verbs that match this rule.
An empty list implies every verb.
verbs
required string[] pro​resources
required object[] pro​
Resources that this rule matches. An empty list implies all kinds in all API groups.
resources
required object[] pro​group
required string pro​
Group is the name of the API group that contains the resources.
The empty string represents the core API group.
group
required string pro​resources
required string[] pro​
Resources is a list of resources this rule applies to.
For example:
'pods' matches pods.
'pods/log' matches the log subresource of pods.
'' matches all resources and their subresources.
'pods/' matches all subresources of pods.
'*/scale' matches all scale subresources.
If wildcard is present, the validation rule will ensure resources do not
overlap with each other.
An empty list implies all resources and subresources in this API groups apply.
resources
required string[] pro​resourceNames
required string[] pro​
ResourceNames is a list of resource instance names that the policy matches.
Using this field requires Resources to be specified.
An empty list implies that every instance of the resource is matched.
resourceNames
required string[] pro​namespaces
required string[] pro​
Namespaces that this rule matches.
The empty string "" matches non-namespaced resources.
An empty list implies every namespace.
namespaces
required string[] pro​nonResourceURLs
required string[] pro​
NonResourceURLs is a set of URL paths that should be audited.
s are allowed, but only as the full, final step in the path.
Examples:
"/metrics" - Log requests for apiserver metrics
"/healthz" - Log all health checks
nonResourceURLs
required string[] pro​omitStages
required string[] pro​
OmitStages is a list of stages for which no events are created. Note that this can also
be specified policy wide in which case the union of both are omitted.
An empty list means no restrictions will apply.
omitStages
required string[] pro​requestTargets
required string[] pro​
RequestTargets is a list of request targets for which events are created.
An empty list implies every request.
requestTargets
required string[] pro​clusters
required string[] pro​
Clusters that this rule matches. Only applies to cluster requests.
If this is set, no events for non cluster requests will be created.
An empty list means no restrictions will apply.
clusters
required string[] pro​omitStages
required string[] pro​
OmitStages is a list of stages for which no events are created. Note that this can also
be specified per rule in which case the union of both are omitted.
omitStages
required string[] pro​dataStoreEndpoint
required string pro​
DataStoreEndpoint is an endpoint to store events in.
dataStoreEndpoint
required string pro​dataStoreTTL
required integer pro​
DataStoreMaxAge is the maximum number of hours to retain old log events in the datastore
dataStoreTTL
required integer pro​path
required string pro​
The path where to save the audit log files. This is required if audit is enabled. Backup log files will
be retained in the same directory.
path
required string pro​maxAge
required integer pro​
MaxAge is the maximum number of days to retain old log files based on the
timestamp encoded in their filename. Note that a day is defined as 24
hours and may not exactly correspond to calendar days due to daylight
savings, leap seconds, etc. The default is not to remove old log files
based on age.
maxAge
required integer pro​maxBackups
required integer pro​
MaxBackups is the maximum number of old log files to retain. The default
is to retain all old log files (though MaxAge may still cause them to get
deleted.)
maxBackups
required integer pro​maxSize
required integer pro​
MaxSize is the maximum size in megabytes of the log file before it gets
rotated. It defaults to 100 megabytes.
maxSize
required integer pro​compress
required boolean pro​
Compress determines if the rotated log files should be compressed
using gzip. The default is not to perform compression.
compress
required boolean pro​loftHost
required string pro​
LoftHost holds the domain where the loft instance is hosted. This should not include https or http. E.g. loft.my-domain.com
loftHost
required string pro​projectNamespacePrefix
required string pro​
ProjectNamespacePrefix holds the prefix for loft project namespaces. Omitted defaults to "p-"
projectNamespacePrefix
required string pro​devPodSubDomain
required string pro​
DevPodSubDomain holds a subdomain in the following form *.workspace.my-domain.com
devPodSubDomain
required string pro​uiSettings
required object pro​
UISettings holds the settings for modifying the Loft user interface
uiSettings
required object pro​loftVersion
required string pro​
LoftVersion holds the current loft version
loftVersion
required string pro​logoURL
required string pro​
LogoURL is url pointing to the logo to use in the Loft UI. This path must be accessible for clients accessing
the Loft UI!
logoURL
required string pro​logoBackgroundColor
required string pro​
LogoBackgroundColor is the color value (ex: "#12345") to use as the background color for the logo
logoBackgroundColor
required string pro​legalTemplate
required string pro​
LegalTemplate is a text (html) string containing the legal template to prompt to users when authenticating to Loft
legalTemplate
required string pro​primaryColor
required string pro​
PrimaryColor is the color value (ex: "#12345") to use as the primary color
primaryColor
required string pro​sidebarColor
required string pro​
SidebarColor is the color value (ex: "#12345") to use for the sidebar
sidebarColor
required string pro​accentColor
required string pro​
AccentColor is the color value (ex: "#12345") to use for the accent
accentColor
required string pro​customCss
required string[] pro​
CustomCSS holds URLs with custom css files that should be included when loading the UI
customCss
required string[] pro​customJavaScript
required string[] pro​
CustomJavaScript holds URLs with custom js files that should be included when loading the UI
customJavaScript
required string[] pro​navBarButtons
required object[] pro​
NavBarButtons holds extra nav bar buttons
navBarButtons
required object[] pro​position
required string pro​
Position holds the position of the button, can be one of:
TopStart, TopEnd, BottomStart, BottomEnd. Defaults to BottomEnd
position
required string pro​text
required string pro​
Text holds text for the button
text
required string pro​link
required string pro​
Link holds the link of the navbar button
link
required string pro​icon
required string pro​
Icon holds the url of the icon to display
icon
required string pro​vault
required object pro​
VaultIntegration holds the vault integration configuration
vault
required object pro​enabled
required boolean pro​
Enabled indicates if the Vault Integration is enabled for the project -- this knob only
enables the syncing of secrets to or from Vault, but does not setup Kubernetes authentication
methods or Kubernetes secrets engines for vclusters.
enabled
required boolean pro​address
required string pro​
Address defines the address of the Vault instance to use for this project.
Will default to the VAULT_ADDR
environment variable if not provided.
address
required string pro​VAULT_ADDR
environment variable if not provided.skipTLSVerify
required boolean pro​
SkipTLSVerify defines if TLS verification should be skipped when connecting to Vault.
skipTLSVerify
required boolean pro​namespace
required string pro​
Namespace defines the namespace to use when storing secrets in Vault.
namespace
required string pro​auth
required object pro​
Auth defines the authentication method to use for this project.
auth
required object pro​token
required string pro​
Token defines the token to use for authentication.
token
required string pro​tokenSecretRef
required object pro​
TokenSecretRef defines the Kubernetes secret to use for token authentication.
Will be used if token
is not provided.
Secret data should contain the token
key.
tokenSecretRef
required object pro​token
is not provided.token
key.name
required string pro​
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop kubebuilder:default
when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
name
required string pro​kubebuilder:default
when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.key
required string pro​
The key of the secret to select from. Must be a valid secret key.
key
required string pro​optional
required boolean pro​
Specify whether the Secret or its key must be defined
optional
required boolean pro​syncInterval
required string pro​
SyncInterval defines the interval at which to sync secrets from Vault.
Defaults to 1m.
See https://pkg.go.dev/time#ParseDuration for supported formats.
syncInterval
required string pro​1m.
See https://pkg.go.dev/time#ParseDuration for supported formats.disableConfigEndpoint
required boolean pro​
DisableLoftConfigEndpoint will disable setting config via the UI and config.management.loft.sh endpoint
disableConfigEndpoint
required boolean pro​cloud
required object pro​
Cloud holkds the settings to be used exclusively in vCluster Cloud based
environments and deployments.
cloud
required object pro​releaseChannel
required string pro​
ReleaseChannel specifies the release channel for the cloud configuration.
This can be used to determine which updates or versions are applied.
releaseChannel
required string pro​maintenanceWindow
required object pro​
MaintenanceWindow specifies the maintenance window for the cloud configuration.
This is a structured representation of the time window during which maintenance can occur.
maintenanceWindow
required object pro​dayOfWeek
required string pro​
DayOfWeek specifies the day of the week for the maintenance window.
It should be a string representing the day, e.g., "Monday", "Tuesday", etc.
dayOfWeek
required string pro​timeWindow
required string pro​
TimeWindow specifies the time window for the maintenance.
It should be a string representing the time range in 24-hour format, in UTC, e.g., "02:00-03:00".
timeWindow
required string pro​