Skip to main content
Version: 1.15

Using loft with a self signed certificate

By default loft will start up listening on two ports: 80 and 443. Without any other configuration, the certificate used for port 443 is self signed and generated by loft. The usual recommended flow is to handle tls termination in front of loft with an ingress controller. However, if you want to expose loft via a NodePort or LoadBalancer service and without an ingress controller, loft is able to serve any tls certificate.

Create the tls certificate

You can start by creating a new private key:

openssl genrsa -out tls.key 4096

Then create a new ssl.conf with the following format (include any other domains loft should be reachable under):

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
req_extensions     = v3_req
x509_extensions    = usr_cert

[ req_distinguished_name ]
organizationName          = Organization Name (eg, company)
organizationName_default  = loft
commonName                = Common Name (e.g. server FQDN or YOUR name)
commonName_default        = loft.my-url.com

[ usr_cert ]
basicConstraints  = CA:FALSE
nsCertType        = client, server
keyUsage          = digitalSignature
extendedKeyUsage  = serverAuth, clientAuth

[ v3_req ]
subjectAltName   = @alt_names
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = CA:FALSE
keyUsage         = digitalSignature

[ alt_names ]
DNS.1 = localhost

Then create the certificate signing request:

openssl req -new -sha256 \
    -out tls.csr \
    -key tls.key \
    -config ssl.conf

You will be asked some basic questions about the certificate which you should answer. Then create the certificate via:

openssl x509 -req \
    -sha256 \
    -days 3650 \
    -in tls.csr \
    -signkey tls.key \
    -out tls.crt \
    -extensions v3_req \
    -extfile ssl.conf

Create the kubernetes secret & upgrade loft

In order for loft to find and use the self signed certificate, you need to create a kubernetes secret in the loft namespace. You can do this via kubectl:

kubectl create secret generic my-loft-cert -n loft --type=kubernetes.io/tls --from-file=tls.crt=tls.crt --from-file=tls.key=tls.key

Now the only thing left to do is to tell loft to use tls instead of expecting the ingress controller to handle this. This can be done via helm:

helm upgrade loft loft --repo https://charts.loft.sh/ \
  --namespace loft \
  --reuse-values \
  --set tls.enabled=true \
  --set tls.secret=my-loft-cert

If loft was already configured to use the same secret for tls and just the certificate changed, please make sure to restart the loft pod by running:

kubectl delete po --selector=app=loft -n loft