Skip to main content
Version: 3.4

Loft Configuration

The Loft config allows you to modify Loft's behaviour and enable or disable certain features, such as SSO login, custom branding or auditing.

Changing Loft Config

Loft config can be applied directly via helm values or through the Loft UI in Admin > Config. Using helm values allows you to declaratively deploy Loft.

When using helm you can apply the Loft config via a values.yaml file. This also makes it possible to deploy Loft through GitOps solutions such as ArgoCD. An example Loft values.yaml could look like this:

config:
loftHost: my-loft-host.com
audit:
enabled: true
auth:
github:
clientId: $CLIENT_ID
clientSecret: $CLIENT_SECRET
redirectURI: https://my-loft-host.com/auth/github/callback

For a complete overview what helm values are possible, please take a look at the Loft github repository directly.

Changing the Loft Host variable

After setting up the platform and TLS certificates and configuring the ingress to use a custom domain, one should change the loftHost variable shown above. Initially, that value will be set to the URL of either the Loft Router domain or no domain in the case of air-gapped setups. This value should be equal to the hostname specified in the ingress resource for accessing the platform.

info

This value of the loftHost variable should only be the hostname that Loft is reachable at and not contain protocols (such as HTTP) or subpaths.

After changing the loftHost, all currently connected clusters must be redeployed by running the same connection commands in the corresponding Kubernetes context. See the instructions on connecting Clusters for more guidance.

Clusters will also have to be reconnected if the additionalCA or insecureSkipVerify values are changed after the initial setup.

Sensitive Information in the Loft Config

Some fields within the Loft config allow placeholders for environment variables, such as the clientId and clientSecret fields. This makes it possible to not expose the sensitive information directly inside the Loft values and instead mount this information into Loft through an external secret.

To load the github clientId and clientSecret through a Kubernetes secret my-secret, use the following configuration:

envValueFrom:
CLIENT_ID:
secretKeyRef:
name: my-secret
key: client_id
CLIENT_SECRET:
secretKeyRef:
name: my-secret
key: client_secret

config:
auth:
github:
clientId: $CLIENT_ID
clientSecret: $CLIENT_SECRET
redirectURI: https://my-loft-host.com/auth/github/callback

Then use helm to apply this configuration:

helm upgrade loft loft --install \
--repo https://charts.loft.sh/ \
--version $VERSION
--namespace loft \
--create-namespace \
--values values.yaml
info

Make sure to replace the $VERSION in the above statement with the Loft version you are using

Custom HTTP Headers

Loft allows you to add custom HTTP headers to all requests that are sent to the Loft API. This can be useful if you want to add custom headers to all requests, such as X-Frame-Options or X-XSS-Protection.

To add custom HTTP headers, use the following configuration:

config:
auth:
customHttpHeaders:
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block

Config Reference

kind required string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

apiVersion required string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

metadata required object

name required string

Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names

generateName required string

GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.

If this field is specified and the generated name exists, the server will return a 409.

Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency

namespace required string

Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.

Must be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces

Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.

uid required string

UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.

Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids

resourceVersion required string

An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.

Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency

generation required integer

A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.

creationTimestamp required object

CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.

Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

deletionTimestamp required object

DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.

Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

deletionGracePeriodSeconds required integer

Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.

labels required object

Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels

annotations required object

Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations

ownerReferences required object[]

List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.

apiVersion required string

API version of the referent.

kind required string

Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

name required string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names

uid required string

UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids

controller required boolean false

If true, this reference points to the managing controller.

blockOwnerDeletion required boolean false

If true, AND if the owner has the "foregroundDeletion" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs "delete" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.

finalizers required string[]

Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.

managedFields required object[]

ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object.

manager required string

Manager is an identifier of the workflow managing these fields.

operation required string

Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.

apiVersion required string

APIVersion defines the version of this resource that this field set applies to. The format is "group/version" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.

time required object

Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over.

fieldsType required string

FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: "FieldsV1"

fieldsV1 required object

FieldsV1 holds the first JSON version format as described in the "FieldsV1" type.

subresource required string

Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.

spec required object

raw required string

Raw holds the raw config

status required object

auth required object

Authentication holds the information for authentication

oidc required object

OIDC holds oidc authentication configuration

issuerUrl required string

IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss" field of all tokens produced by the provider and is used for configuration discovery.

The URL is usually the provider's URL without a path, for example "https://accounts.google.com" or "https://login.salesforce.com".

The provider must implement configuration discovery. See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig

clientId required string

ClientID the JWT must be issued for, the "sub" field. This plugin only trusts a single client to ensure the plugin can be used with public providers.

The plugin supports the "authorized party" OpenID Connect claim, which allows specialized providers to issue tokens to a client for a different client. See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken

clientSecret required string

ClientSecret to issue tokens from the OIDC provider

redirectURI required string

loft redirect uri. E.g. https://loft.my.domain/auth/oidc/callback

postLogoutRedirectURI required string

Loft URI to be redirected to after successful logout by OIDC Provider

caFile required string

Path to a PEM encoded root certificate of the provider. Optional

insecureCa required boolean false

Specify whether to communicate without validating SSL certificates

preferredUsername required string

Configurable key which contains the preferred username claims

loftUsernameClaim required string

LoftUsernameClaim is the JWT field to use as the user's username.

usernameClaim required string

UsernameClaim is the JWT field to use as the user's id.

emailClaim required string

EmailClaim is the JWT field to use as the user's email.

usernamePrefix required string

UsernamePrefix, if specified, causes claims mapping to username to be prefix with the provided value. A value "oidc:" would result in usernames like "oidc:john".

groupsClaim required string

GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value must be a string or list of strings.

groups required string[]

If required groups is non empty, access is denied if the user is not part of at least one of the specified groups.

scopes required string[]

Scopes that should be sent to the server. If empty, defaults to "email" and "profile".

getUserInfo required boolean false

GetUserInfo, if specified, tells the OIDCAuthenticator to try to populate the user's information from the UserInfo.

groupsPrefix required string

GroupsPrefix, if specified, causes claims mapping to group names to be prefixed with the value. A value "oidc:" would result in groups like "oidc:engineering" and "oidc:marketing".

type required string

Type of the OIDC to show in the UI. Only for displaying purposes

clusterAccountTemplates required object[]

Cluster Account Templates that will be applied for users logging in through this authentication

name required string

Name of the cluster account template to apply

sync required boolean false

Sync defines if Loft should sync changes to the cluster account template to the cluster accounts and create new accounts if new clusters match the templates.

accountName required string

AccountName is the name of the account that should be created. Defaults to the user or team kubernetes name.

groupClusterAccountTemplates required object[]

A mapping between groups and cluster account templates. If the user has a certain group, the cluster account template will be added during creation

group required string

Group is the name of the group that should be matched

clusterAccountTemplates required object[]

Cluster Account Templates that will be applied for users logging in through this authentication

name required string

Name of the cluster account template to apply

sync required boolean false

Sync defines if Loft should sync changes to the cluster account template to the cluster accounts and create new accounts if new clusters match the templates.

accountName required string

AccountName is the name of the account that should be created. Defaults to the user or team kubernetes name.

github required object

Github holds github authentication configuration

clientId required string

ClientID holds the github client id

clientSecret required string

ClientID holds the github client secret

redirectURI required string

RedirectURI holds the redirect URI. Should be https://loft.domain.tld/auth/github/callback

orgs required object[]

Loft queries the following organizations for group information. Group claims are formatted as "(org):(team)". For example if a user is part of the "engineering" team of the "coreos" org, the group claim would include "coreos:engineering".

If orgs are specified in the config then user MUST be a member of at least one of the specified orgs to authenticate with loft.

name required string

Organization name in github (not slug, full name). Only users in this github organization can authenticate.

teams required string[]

Names of teams in a github organization. A user will be able to authenticate if they are members of at least one of these teams. Users in the organization can authenticate if this field is omitted from the config file.

hostName required string

Required ONLY for GitHub Enterprise. This is the Hostname of the GitHub Enterprise account listed on the management console. Ensure this domain is routable on your network.

rootCA required string

ONLY for GitHub Enterprise. Optional field. Used to support self-signed or untrusted CA root certificates.

clusterAccountTemplates required object[]

Cluster Account Templates that will be applied for users logging in through this authentication

name required string

Name of the cluster account template to apply

sync required boolean false

Sync defines if Loft should sync changes to the cluster account template to the cluster accounts and create new accounts if new clusters match the templates.

accountName required string

AccountName is the name of the account that should be created. Defaults to the user or team kubernetes name.

groupClusterAccountTemplates required object[]

A mapping between groups and cluster account templates. If the user has a certain group, the cluster account template will be added during creation

group required string

Group is the name of the group that should be matched

clusterAccountTemplates required object[]

Cluster Account Templates that will be applied for users logging in through this authentication

name required string

Name of the cluster account template to apply

sync required boolean false

Sync defines if Loft should sync changes to the cluster account template to the cluster accounts and create new accounts if new clusters match the templates.

accountName required string

AccountName is the name of the account that should be created. Defaults to the user or team kubernetes name.

gitlab required object

Gitlab holds gitlab authentication configuration

clientId required string

Gitlab client id

clientSecret required string

Gitlab client secret

redirectURI required string

Redirect URI

baseURL required string

BaseURL is optional, default = https://gitlab.com

groups required string[]

Optional groups whitelist, communicated through the "groups" scope. If groups is omitted, all of the user's GitLab groups are returned. If groups is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured groups below will go into the groups claim. Conversely, if the user is not in any of the configured groups, the user will not be authenticated.

clusterAccountTemplates required object[]

Cluster Account Templates that will be applied for users logging in through this authentication

name required string

Name of the cluster account template to apply

sync required boolean false

Sync defines if Loft should sync changes to the cluster account template to the cluster accounts and create new accounts if new clusters match the templates.

accountName required string

AccountName is the name of the account that should be created. Defaults to the user or team kubernetes name.

groupClusterAccountTemplates required object[]

A mapping between groups and cluster account templates. If the user has a certain group, the cluster account template will be added during creation

group required string

Group is the name of the group that should be matched

clusterAccountTemplates required object[]

Cluster Account Templates that will be applied for users logging in through this authentication

name required string

Name of the cluster account template to apply

sync required boolean false

Sync defines if Loft should sync changes to the cluster account template to the cluster accounts and create new accounts if new clusters match the templates.

accountName required string

AccountName is the name of the account that should be created. Defaults to the user or team kubernetes name.

google required object

Google holds google authentication configuration

clientId required string

Google client id

clientSecret required string

Google client secret

redirectURI required string

loft redirect uri. E.g. https://loft.my.domain/auth/google/callback

scopes required string[]

defaults to "profile" and "email"

hostedDomains required string[]

Optional list of whitelisted domains If this field is nonempty, only users from a listed domain will be allowed to log in

groups required string[]

Optional list of whitelisted groups If this field is nonempty, only users from a listed group will be allowed to log in

serviceAccountFilePath required string

Optional path to service account json If nonempty, and groups claim is made, will use authentication from file to check groups with the admin directory api

adminEmail required string

Required if ServiceAccountFilePath The email of a GSuite super user which the service account will impersonate when listing groups

clusterAccountTemplates required object[]

Cluster Account Templates that will be applied for users logging in through this authentication

name required string

Name of the cluster account template to apply

sync required boolean false

Sync defines if Loft should sync changes to the cluster account template to the cluster accounts and create new accounts if new clusters match the templates.

accountName required string

AccountName is the name of the account that should be created. Defaults to the user or team kubernetes name.

groupClusterAccountTemplates required object[]

A mapping between groups and cluster account templates. If the user has a certain group, the cluster account template will be added during creation

group required string

Group is the name of the group that should be matched

clusterAccountTemplates required object[]

Cluster Account Templates that will be applied for users logging in through this authentication

name required string

Name of the cluster account template to apply

sync required boolean false

Sync defines if Loft should sync changes to the cluster account template to the cluster accounts and create new accounts if new clusters match the templates.

accountName required string

AccountName is the name of the account that should be created. Defaults to the user or team kubernetes name.

microsoft required object

Microsoft holds microsoft authentication configuration

clientId required string

Microsoft client id

clientSecret required string

Microsoft client secret

redirectURI required string

loft redirect uri. Usually https://loft.my.domain/auth/microsoft/callback

tenant required string

tenant configuration parameter controls what kinds of accounts may be authenticated in loft. By default, all types of Microsoft accounts (consumers and organizations) can authenticate in loft via Microsoft. To change this, set the tenant parameter to one of the following:

common - both personal and business/school accounts can authenticate in loft via Microsoft (default) consumers - only personal accounts can authenticate in loft organizations - only business/school accounts can authenticate in loft tenant uuid or tenant name - only accounts belonging to specific tenant identified by either tenant uuid or tenant name can authenticate in loft

groups required string[]

It is possible to require a user to be a member of a particular group in order to be successfully authenticated in loft.

onlySecurityGroups required boolean false

configuration option restricts the list to include only security groups. By default all groups (security, Office 365, mailing lists) are included.

useGroupsAsWhitelist required boolean false

Restrict the groups claims to include only the user’s groups that are in the configured groups

clusterAccountTemplates required object[]

Cluster Account Templates that will be applied for users logging in through this authentication

name required string

Name of the cluster account template to apply

sync required boolean false

Sync defines if Loft should sync changes to the cluster account template to the cluster accounts and create new accounts if new clusters match the templates.

accountName required string

AccountName is the name of the account that should be created. Defaults to the user or team kubernetes name.

groupClusterAccountTemplates required object[]

A mapping between groups and cluster account templates. If the user has a certain group, the cluster account template will be added during creation

group required string

Group is the name of the group that should be matched

clusterAccountTemplates required object[]

Cluster Account Templates that will be applied for users logging in through this authentication

name required string

Name of the cluster account template to apply

sync required boolean false

Sync defines if Loft should sync changes to the cluster account template to the cluster accounts and create new accounts if new clusters match the templates.

accountName required string

AccountName is the name of the account that should be created. Defaults to the user or team kubernetes name.

saml required object

SAML holds saml authentication configuration

redirectURI required string

If the response assertion status value contains a Destination element, it must match this value exactly. Usually looks like https://your-loft-domain/auth/saml/callback

ssoURL required string

SSO URL used for POST value.

caData required string

CAData is a base64 encoded string that holds the ca certificate for validating the signature of the SAML response. Either CAData, CA or InsecureSkipSignatureValidation needs to be defined.

usernameAttr required string

Name of attribute in the returned assertions to map to username

emailAttr required string

Name of attribute in the returned assertions to map to email

groupsAttr required string

Name of attribute in the returned assertions to map to groups

ca required string

CA to use when validating the signature of the SAML response.

insecureSkipSignatureValidation required boolean false

Ignore the ca cert

entityIssuer required string

When provided Loft will include this as the Issuer value during AuthnRequest. It will also override the redirectURI as the required audience when evaluating AudienceRestriction elements in the response.

ssoIssuer required string

Issuer value expected in the SAML response. Optional.

groupsDelim required string

If GroupsDelim is supplied the connector assumes groups are returned as a single string instead of multiple attribute values. This delimiter will be used split the groups string.

allowedGroups required string[]

List of groups to filter access based on membership

filterGroups required boolean false

If used with allowed groups, only forwards the allowed groups and not all groups specified.

nameIDPolicyFormat required string

Requested format of the NameID. The NameID value is is mapped to the ID Token 'sub' claim.

This can be an abbreviated form of the full URI with just the last component. For example, if this value is set to "emailAddress" the format will resolve to:

    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

If no value is specified, this value defaults to:

    urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

rancher required object

Rancher holds the rancher authentication options

host required string

Host holds the rancher host, e.g. my-domain.com

bearerToken required string

BearerToken holds the rancher API key in token username and password form. E.g. my-token:my-secret

insecure required boolean false

Insecure tells Loft if the Rancher endpoint is insecure.

password required object

Password holds password authentication relevant information

disabled required boolean true

If true login via password is disabled

connectors required object[]

Connectors are optional additional connectors for Loft.

id required string

ID is the id that should show up in the url

displayName required string

DisplayName is the name that should show up in the ui

oidc required object

OIDC holds oidc authentication configuration

issuerUrl required string

IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss" field of all tokens produced by the provider and is used for configuration discovery.

The URL is usually the provider's URL without a path, for example "https://accounts.google.com" or "https://login.salesforce.com".

The provider must implement configuration discovery. See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig

clientId required string

ClientID the JWT must be issued for, the "sub" field. This plugin only trusts a single client to ensure the plugin can be used with public providers.

The plugin supports the "authorized party" OpenID Connect claim, which allows specialized providers to issue tokens to a client for a different client. See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken

clientSecret required string

ClientSecret to issue tokens from the OIDC provider

redirectURI required string

loft redirect uri. E.g. https://loft.my.domain/auth/oidc/callback

postLogoutRedirectURI required string

Loft URI to be redirected to after successful logout by OIDC Provider

caFile required string

Path to a PEM encoded root certificate of the provider. Optional

insecureCa required boolean false

Specify whether to communicate without validating SSL certificates

preferredUsername required string

Configurable key which contains the preferred username claims

loftUsernameClaim required string

LoftUsernameClaim is the JWT field to use as the user's username.

usernameClaim required string

UsernameClaim is the JWT field to use as the user's id.

emailClaim required string

EmailClaim is the JWT field to use as the user's email.

usernamePrefix required string

UsernamePrefix, if specified, causes claims mapping to username to be prefix with the provided value. A value "oidc:" would result in usernames like "oidc:john".

groupsClaim required string

GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value must be a string or list of strings.

groups required string[]

If required groups is non empty, access is denied if the user is not part of at least one of the specified groups.

scopes required string[]

Scopes that should be sent to the server. If empty, defaults to "email" and "profile".

getUserInfo required boolean false

GetUserInfo, if specified, tells the OIDCAuthenticator to try to populate the user's information from the UserInfo.

groupsPrefix required string

GroupsPrefix, if specified, causes claims mapping to group names to be prefixed with the value. A value "oidc:" would result in groups like "oidc:engineering" and "oidc:marketing".

type required string

Type of the OIDC to show in the UI. Only for displaying purposes

clusterAccountTemplates required object[]

Cluster Account Templates that will be applied for users logging in through this authentication

name required string

Name of the cluster account template to apply

sync required boolean false

Sync defines if Loft should sync changes to the cluster account template to the cluster accounts and create new accounts if new clusters match the templates.

accountName required string

AccountName is the name of the account that should be created. Defaults to the user or team kubernetes name.

groupClusterAccountTemplates required object[]

A mapping between groups and cluster account templates. If the user has a certain group, the cluster account template will be added during creation

group required string

Group is the name of the group that should be matched

clusterAccountTemplates required object[]

Cluster Account Templates that will be applied for users logging in through this authentication

name required string

Name of the cluster account template to apply

sync required boolean false

Sync defines if Loft should sync changes to the cluster account template to the cluster accounts and create new accounts if new clusters match the templates.

accountName required string

AccountName is the name of the account that should be created. Defaults to the user or team kubernetes name.

github required object

Github holds github authentication configuration

clientId required string

ClientID holds the github client id

clientSecret required string

ClientID holds the github client secret

redirectURI required string

RedirectURI holds the redirect URI. Should be https://loft.domain.tld/auth/github/callback

orgs required object[]

Loft queries the following organizations for group information. Group claims are formatted as "(org):(team)". For example if a user is part of the "engineering" team of the "coreos" org, the group claim would include "coreos:engineering".

If orgs are specified in the config then user MUST be a member of at least one of the specified orgs to authenticate with loft.

name required string

Organization name in github (not slug, full name). Only users in this github organization can authenticate.

teams required string[]

Names of teams in a github organization. A user will be able to authenticate if they are members of at least one of these teams. Users in the organization can authenticate if this field is omitted from the config file.

hostName required string

Required ONLY for GitHub Enterprise. This is the Hostname of the GitHub Enterprise account listed on the management console. Ensure this domain is routable on your network.

rootCA required string

ONLY for GitHub Enterprise. Optional field. Used to support self-signed or untrusted CA root certificates.

clusterAccountTemplates required object[]

Cluster Account Templates that will be applied for users logging in through this authentication

name required string

Name of the cluster account template to apply

sync required boolean false

Sync defines if Loft should sync changes to the cluster account template to the cluster accounts and create new accounts if new clusters match the templates.

accountName required string

AccountName is the name of the account that should be created. Defaults to the user or team kubernetes name.

groupClusterAccountTemplates required object[]

A mapping between groups and cluster account templates. If the user has a certain group, the cluster account template will be added during creation

group required string

Group is the name of the group that should be matched

clusterAccountTemplates required object[]

Cluster Account Templates that will be applied for users logging in through this authentication

name required string

Name of the cluster account template to apply

sync required boolean false

Sync defines if Loft should sync changes to the cluster account template to the cluster accounts and create new accounts if new clusters match the templates.

accountName required string

AccountName is the name of the account that should be created. Defaults to the user or team kubernetes name.

gitlab required object

Gitlab holds gitlab authentication configuration

clientId required string

Gitlab client id

clientSecret required string

Gitlab client secret

redirectURI required string

Redirect URI

baseURL required string

BaseURL is optional, default = https://gitlab.com

groups required string[]

Optional groups whitelist, communicated through the "groups" scope. If groups is omitted, all of the user's GitLab groups are returned. If groups is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured groups below will go into the groups claim. Conversely, if the user is not in any of the configured groups, the user will not be authenticated.

clusterAccountTemplates required object[]

Cluster Account Templates that will be applied for users logging in through this authentication

name required string

Name of the cluster account template to apply

sync required boolean false

Sync defines if Loft should sync changes to the cluster account template to the cluster accounts and create new accounts if new clusters match the templates.

accountName required string

AccountName is the name of the account that should be created. Defaults to the user or team kubernetes name.

groupClusterAccountTemplates required object[]

A mapping between groups and cluster account templates. If the user has a certain group, the cluster account template will be added during creation

group required string

Group is the name of the group that should be matched

clusterAccountTemplates required object[]

Cluster Account Templates that will be applied for users logging in through this authentication

name required string

Name of the cluster account template to apply

sync required boolean false

Sync defines if Loft should sync changes to the cluster account template to the cluster accounts and create new accounts if new clusters match the templates.

accountName required string

AccountName is the name of the account that should be created. Defaults to the user or team kubernetes name.

google required object

Google holds google authentication configuration

clientId required string

Google client id

clientSecret required string

Google client secret

redirectURI required string

loft redirect uri. E.g. https://loft.my.domain/auth/google/callback

scopes required string[]

defaults to "profile" and "email"

hostedDomains required string[]

Optional list of whitelisted domains If this field is nonempty, only users from a listed domain will be allowed to log in

groups required string[]

Optional list of whitelisted groups If this field is nonempty, only users from a listed group will be allowed to log in

serviceAccountFilePath required string

Optional path to service account json If nonempty, and groups claim is made, will use authentication from file to check groups with the admin directory api

adminEmail required string

Required if ServiceAccountFilePath The email of a GSuite super user which the service account will impersonate when listing groups

clusterAccountTemplates required object[]

Cluster Account Templates that will be applied for users logging in through this authentication

name required string

Name of the cluster account template to apply

sync required boolean false

Sync defines if Loft should sync changes to the cluster account template to the cluster accounts and create new accounts if new clusters match the templates.

accountName required string

AccountName is the name of the account that should be created. Defaults to the user or team kubernetes name.

groupClusterAccountTemplates required object[]

A mapping between groups and cluster account templates. If the user has a certain group, the cluster account template will be added during creation

group required string

Group is the name of the group that should be matched

clusterAccountTemplates required object[]

Cluster Account Templates that will be applied for users logging in through this authentication

name required string

Name of the cluster account template to apply

sync required boolean false

Sync defines if Loft should sync changes to the cluster account template to the cluster accounts and create new accounts if new clusters match the templates.

accountName required string

AccountName is the name of the account that should be created. Defaults to the user or team kubernetes name.

microsoft required object

Microsoft holds microsoft authentication configuration

clientId required string

Microsoft client id

clientSecret required string

Microsoft client secret

redirectURI required string

loft redirect uri. Usually https://loft.my.domain/auth/microsoft/callback

tenant required string

tenant configuration parameter controls what kinds of accounts may be authenticated in loft. By default, all types of Microsoft accounts (consumers and organizations) can authenticate in loft via Microsoft. To change this, set the tenant parameter to one of the following:

common - both personal and business/school accounts can authenticate in loft via Microsoft (default) consumers - only personal accounts can authenticate in loft organizations - only business/school accounts can authenticate in loft tenant uuid or tenant name - only accounts belonging to specific tenant identified by either tenant uuid or tenant name can authenticate in loft

groups required string[]

It is possible to require a user to be a member of a particular group in order to be successfully authenticated in loft.

onlySecurityGroups required boolean false

configuration option restricts the list to include only security groups. By default all groups (security, Office 365, mailing lists) are included.

useGroupsAsWhitelist required boolean false

Restrict the groups claims to include only the user’s groups that are in the configured groups

clusterAccountTemplates required object[]

Cluster Account Templates that will be applied for users logging in through this authentication

name required string

Name of the cluster account template to apply

sync required boolean false

Sync defines if Loft should sync changes to the cluster account template to the cluster accounts and create new accounts if new clusters match the templates.

accountName required string

AccountName is the name of the account that should be created. Defaults to the user or team kubernetes name.

groupClusterAccountTemplates required object[]

A mapping between groups and cluster account templates. If the user has a certain group, the cluster account template will be added during creation

group required string

Group is the name of the group that should be matched

clusterAccountTemplates required object[]

Cluster Account Templates that will be applied for users logging in through this authentication

name required string

Name of the cluster account template to apply

sync required boolean false

Sync defines if Loft should sync changes to the cluster account template to the cluster accounts and create new accounts if new clusters match the templates.

accountName required string

AccountName is the name of the account that should be created. Defaults to the user or team kubernetes name.

saml required object

SAML holds saml authentication configuration

redirectURI required string

If the response assertion status value contains a Destination element, it must match this value exactly. Usually looks like https://your-loft-domain/auth/saml/callback

ssoURL required string

SSO URL used for POST value.

caData required string

CAData is a base64 encoded string that holds the ca certificate for validating the signature of the SAML response. Either CAData, CA or InsecureSkipSignatureValidation needs to be defined.

usernameAttr required string

Name of attribute in the returned assertions to map to username

emailAttr required string

Name of attribute in the returned assertions to map to email

groupsAttr required string

Name of attribute in the returned assertions to map to groups

ca required string

CA to use when validating the signature of the SAML response.

insecureSkipSignatureValidation required boolean false

Ignore the ca cert

entityIssuer required string

When provided Loft will include this as the Issuer value during AuthnRequest. It will also override the redirectURI as the required audience when evaluating AudienceRestriction elements in the response.

ssoIssuer required string

Issuer value expected in the SAML response. Optional.

groupsDelim required string

If GroupsDelim is supplied the connector assumes groups are returned as a single string instead of multiple attribute values. This delimiter will be used split the groups string.

allowedGroups required string[]

List of groups to filter access based on membership

filterGroups required boolean false

If used with allowed groups, only forwards the allowed groups and not all groups specified.

nameIDPolicyFormat required string

Requested format of the NameID. The NameID value is is mapped to the ID Token 'sub' claim.

This can be an abbreviated form of the full URI with just the last component. For example, if this value is set to "emailAddress" the format will resolve to:

    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

If no value is specified, this value defaults to:

    urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

disableTeamCreation required boolean false

Prevents from team creation for the new groups associated with the user at the time of logging in through sso, Default behaviour is false, this means that teams will be created for new groups.

accessKeyMaxTTLSeconds required integer

AccessKeyMaxTTLSeconds is the global maximum lifespan of an accesskey in seconds. Leaving it 0 or unspecified will disable it. Specifying 2592000 will mean all keys have a Time-To-Live of 30 days.

loginAccessKeyTTLSeconds required integer

LoginAccessKeyTTLSeconds is the time in seconds an access key is kept until it is deleted. Leaving it unspecified will default to 20 days. Setting it to zero will disable the ttl. Specifying 2592000 will mean all keys have a default Time-To-Live of 30 days.

customHttpHeaders required object

CustomHttpHeaders are additional headers that should be set for the authentication endpoints

oidc required object

OIDC holds oidc provider relevant information

enabled required boolean true

If true indicates that loft will act as an OIDC server

wildcardRedirect required boolean true

If true indicates that loft will allow wildcard '*' in client redirectURIs

clients required object[]

The clients that are allowed to request loft tokens

name required string

The client name

clientId required string

The client id of the client

clientSecret required string

The client secret of the client

redirectURIs required string[]

A registered set of redirect URIs. When redirecting from dex to the client, the URI requested to redirect to MUST match one of these values, unless the client is "public".

apps required object

Apps holds configuration around apps

noDefault required boolean false

If this option is true, loft will not try to parse the default apps

repositories required object[]

These are additional repositories that are parsed by loft

name required string

Name is the name of the repository

url required string

URL is the repository url

username required string

Username of the repository

password required string

Password of the repository

insecure required boolean false

Insecure specifies if the chart should be retrieved without TLS verification

predefinedApps required object[]

Predefined apps that can be selected in the Spaces ) Space menu

chart required string

Chart holds the repo/chart name of the predefined app

initialVersion required string

InitialVersion holds the initial version of this app. This version will be selected automatically.

initialValues required string

InitialValues holds the initial values for this app. The values will be prefilled automatically. There are certain placeholders that can be used within the values that are replaced by the loft UI automatically.

clusters required string[]

Holds the cluster names where to display this app

title required string

Title is the name that should be displayed for the predefined app. If empty the chart name is used.

iconUrl required string

IconURL specifies an url to the icon that should be displayed for this app. If none is specified the icon from the chart metadata is used.

readmeUrl required string

ReadmeURL specifies an url to the readme page of this predefined app. If empty an url will be constructed to artifact hub.

audit required object

Audit holds audit configuration

enabled required boolean false

If audit is enabled and incoming api requests will be logged based on the supplied policy.

disableAgentSyncBack required boolean false

If true, the agent will not send back any audit logs to Loft itself.

level required integer

Level is an optional log level for audit logs. Cannot be used together with policy

policy required object

The audit policy to use and log requests. By default loft will not log anything

rules required object[]

Rules specify the audit Level a request should be recorded at. A request may match multiple rules, in which case the FIRST matching rule is used. The default audit level is None, but can be overridden by a catch-all rule at the end of the list. PolicyRules are strictly ordered.

level required string

The Level that requests matching this rule are recorded at.

users required string[]

The users (by authenticated user name) this rule applies to. An empty list implies every user.

userGroups required string[]

The user groups this rule applies to. A user is considered matching if it is a member of any of the UserGroups. An empty list implies every user group.

verbs required string[]

The verbs that match this rule. An empty list implies every verb.

resources required object[]

Resources that this rule matches. An empty list implies all kinds in all API groups.

group required string

Group is the name of the API group that contains the resources. The empty string represents the core API group.

resources required string[]

Resources is a list of resources this rule applies to.

For example: 'pods' matches pods. 'pods/log' matches the log subresource of pods. '' matches all resources and their subresources. 'pods/' matches all subresources of pods. '*/scale' matches all scale subresources.

If wildcard is present, the validation rule will ensure resources do not overlap with each other.

An empty list implies all resources and subresources in this API groups apply.

resourceNames required string[]

ResourceNames is a list of resource instance names that the policy matches. Using this field requires Resources to be specified. An empty list implies that every instance of the resource is matched.

namespaces required string[]

Namespaces that this rule matches. The empty string "" matches non-namespaced resources. An empty list implies every namespace.

nonResourceURLs required string[]

NonResourceURLs is a set of URL paths that should be audited. s are allowed, but only as the full, final step in the path. Examples: "/metrics" - Log requests for apiserver metrics "/healthz" - Log all health checks

omitStages required string[]

OmitStages is a list of stages for which no events are created. Note that this can also be specified policy wide in which case the union of both are omitted. An empty list means no restrictions will apply.

requestTargets required string[]

RequestTargets is a list of request targets for which events are created. An empty list implies every request.

clusters required string[]

Clusters that this rule matches. Only applies to cluster requests. If this is set, no events for non cluster requests will be created. An empty list means no restrictions will apply.

omitStages required string[]

OmitStages is a list of stages for which no events are created. Note that this can also be specified per rule in which case the union of both are omitted.

dataStoreEndpoint required string

DataStoreEndpoint is an endpoint to store events in.

dataStoreTTL required integer

DataStoreMaxAge is the maximum number of hours to retain old log events in the datastore

path required string

The path where to save the audit log files. This is required if audit is enabled. Backup log files will be retained in the same directory.

maxAge required integer

MaxAge is the maximum number of days to retain old log files based on the timestamp encoded in their filename. Note that a day is defined as 24 hours and may not exactly correspond to calendar days due to daylight savings, leap seconds, etc. The default is not to remove old log files based on age.

maxBackups required integer

MaxBackups is the maximum number of old log files to retain. The default is to retain all old log files (though MaxAge may still cause them to get deleted.)

maxSize required integer

MaxSize is the maximum size in megabytes of the log file before it gets rotated. It defaults to 100 megabytes.

compress required boolean false

Compress determines if the rotated log files should be compressed using gzip. The default is not to perform compression.

loftHost required string

LoftHost holds the domain where the loft instance is hosted. This should not include https or http. E.g. loft.my-domain.com

devPodSubDomain required string

DevPodSubDomain holds a subdomain in the following form *.workspace.my-domain.com

uiSettings required object

UISettings holds the settings for modifying the Loft user interface

loftVersion required string

LoftVersion holds the current loft version

logoURL required string

LogoURL is url pointing to the logo to use in the Loft UI. This path must be accessible for clients accessing the Loft UI!

logoBackgroundColor required string

LogoBackgroundColor is the color value (ex: "#12345") to use as the background color for the logo

legalTemplate required string

LegalTemplate is a text (html) string containing the legal template to prompt to users when authenticating to Loft

primaryColor required string

PrimaryColor is the color value (ex: "#12345") to use as the primary color

sidebarColor required string

SidebarColor is the color value (ex: "#12345") to use for the sidebar

accentColor required string

AccentColor is the color value (ex: "#12345") to use for the accent

customCss required string[]

CustomCSS holds URLs with custom css files that should be included when loading the UI

customJavaScript required string[]

CustomJavaScript holds URLs with custom js files that should be included when loading the UI

navBarButtons required object[]

NavBarButtons holds extra nav bar buttons

position required string

Position holds the position of the button, can be one of: TopStart, TopEnd, BottomStart, BottomEnd. Defaults to BottomEnd

text required string

Text holds text for the button

Link holds the link of the navbar button

icon required string

Icon holds the url of the icon to display

vault required object

VaultIntegration holds the vault integration configuration

enabled required boolean false

Enabled indicates if the Vault Integration is enabled for the project -- this knob only enables the syncing of secrets to or from Vault, but does not setup Kubernetes authentication methods or Kubernetes secrets engines for vclusters.

address required string

Address defines the address of the Vault instance to use for this project. Will default to the VAULT_ADDR environment variable if not provided.

skipTLSVerify required boolean false

SkipTLSVerify defines if TLS verification should be skipped when connecting to Vault.

namespace required string

Namespace defines the namespace to use when storing secrets in Vault.

auth required object

Auth defines the authentication method to use for this project.

token required string

Token defines the token to use for authentication.

tokenSecretRef required object

TokenSecretRef defines the Kubernetes secret to use for token authentication. Will be used if token is not provided.

Secret data should contain the token key.

name required string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?

key required string

The key of the secret to select from. Must be a valid secret key.

optional required boolean false

Specify whether the Secret or its key must be defined

syncInterval required string

SyncInterval defines the interval at which to sync secrets from Vault. Defaults to 1m. See https://pkg.go.dev/time#ParseDuration for supported formats.