Version: 3.4

Private Helm Repositories

Loft apps allow specifying credentials to access private helm chart repositories.

Specify static credentials

You can specify credentials either directly inside the app or via a project secret.

The following example shows specifying the credentials directly within the app itself:

apiVersion: management.loft.sh/v1
kind: App
metadata:
  name: my-app
spec:
  config:
    chart:
      name: argo-cd
      repoURL: https://private-repo.com/my-repo
      username: my-username
      password: my-password

You can also reference a project secret via:

apiVersion: management.loft.sh/v1
kind: App
metadata:
  name: my-app
spec:
  config:
    chart:
      name: argo-cd
      repoURL: https://private-repo.com/my-repo
      usernameRef:
        projectSecretRef:
          name: my-secret
          project: my-project
          key: my-username-key
      passwordRef:
        projectSecretRef:
          name: my-secret
          project: my-project
          key: my-password-key

Using dynamic credentials (ECR etc.)

For dynamic credentials, such as ECR credentials, we recommend to use external-secrets and export the credentials to a project secret.

For example, for ECR credentials, this can be done via:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: "ecr-secret"
spec:
  refreshInterval: "1h"
  target:
    name: ecr-secret
    template:
      metadata:
        labels:
          loft.sh/project-secret: "true"
  dataFrom:
  - sourceRef:
      generatorRef:
        apiVersion: generators.external-secrets.io/v1alpha1
        kind: ECRAuthorizationToken
        name: "ecr-gen"
---
apiVersion: generators.external-secrets.io/v1alpha1
kind: ECRAuthorizationToken
metadata:
  name: ecr-gen
spec:
  # specify aws region (mandatory)
  region: eu-west-1
  # choose an authentication strategy
  # if no auth strategy is defined it falls back to using
  # credentials from the environment of the controller.
  auth:
    # 1: static credentials
    # point to a secret that contains static credentials
    # like AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
    secretRef:
      accessKeyIDSecretRef:
        name: "my-aws-creds"
        key: "key-id"
      secretAccessKeySecretRef:
        name: "my-aws-creds"
        key: "access-secret"

tip

Remember to set the label loft.sh/project-secret on the Kubernetes secret, in order for Loft to pick it up correctly. Also make sure the secret is created in the correct project namespace in the form of loft-p-.

Then just reference the created secret within the app itself:

apiVersion: management.loft.sh/v1
kind: App
metadata:
  name: my-app
spec:
  config:
    chart:
      name: argo-cd
      repoURL: https://private-repo.com/my-repo
      usernameRef:
        projectSecretRef:
          name: ecr-secret
          project: my-project
          key: my-username-key
      passwordRef:
        projectSecretRef:
          name: ecr-secret
          project: my-project
          key: my-password-key

Specify static credentials​

Using dynamic credentials (ECR etc.)​

Specify static credentials

Using dynamic credentials (ECR etc.)