Setup: loft Management Cluster


To install the on-premise edition of loft, you need:

  • kubectl
  • helm v3 (check with helm version)
  • a kube-context with admin access to a Kubernetes cluster

Install loft

Cloud Clusters

Choose this option if you want to deploy loft to a Kubernetes cluster such as:

  • GKE (Google Cloud)
  • EKS (Amazon Web Services)
  • AKS (Azure Cloud)
  • DOKS (Digital Ocean)
  • ACK (Alibaba Cloud)
  • RKE (Rancher)
  • any other Kubernetes clusters that support LoadBalancer provisioning via Kubernetes services


Ensure Ingress Controller

To use the loft UI and API via a domain or subdomain, we recommend to install an ingress controller to your cluster. If you already have an ingress controller set up and running, you can skip this step.

If you do not have an ingress controller running in your cluster, you can install one using Helm v3:

helm install nginx-ingress nginx-ingress --repo \
--namespace nginx-ingress \
--create-namespace \
Configuring DNS

After the ingress controller has been deployed, create a DNS record to point the domain or subdomain you want to use for loft to the IP address (create DNS A record) or hostname (create DNS CNAME record) of your load balancer.

To get the IP address or hostname of the load balancer for your ingress controller, run the following command and look for the EXTERNAL-IP:

kubectl -n nginx-ingress get service nginx-ingress-controller
nginx-ingress-controller LoadBalancer | | 80:30984/TCP,443:31758/TCP 19m
Pending External IP

If the EXTERNAL-IP of this service remains pending for a long time, make sure your Kubernetes cluster supports services of type LoadBalancer or manually reconfigure this service.


Ensure Cert Manager

To use the loft UI and API via a domain or subdomain, you need to install cert-manager v0.12+ to your cluster. If you already have cert-manager set up and running, you can skip this step.

If you do not have cert-manager deployed yet, you can do this using the following command:

helm install cert-manager cert-manager --repo \
--set installCRDs=true \
--namespace cert-manager \
--create-namespace \

Cert Manager will automatically provision SSL certificates for your ingress hostnames using Let's Encrypt.


Install loft to management cluster via helm v3

helm install loft loft --repo \
--namespace loft \
--create-namespace \
--set admin.username=admin \ # Username for your (admin) user
--set \ # Your email address

For a list of all available configuration options, take a look at the loft Helm chart README.


Installing loft requires Helm v3 and may take up to 10 minutes.


Open loft UI and create admin user

Wait For SSL Certificate

If you configured ingress.tls.enabled=true above, you may first have to wait until the SSL certificate is provisioned by cert-manager and Let's encrypt. You can check the status using this command:

kubectl -n loft-sh get certificate

After deploying loft, helm install will show an output similar to this one:

########## Set Admin Password ##########[RESET_PASSWORD_TOKEN]

Copy the link from the terminal output and open it in the browser to configure your admin account. (If you installed loft locally, accept any untrusted certificates)

loft UI - Create Admin User

If you lost the output of the helm install command, run the following command to view it again:

helm status -n loft loft

Install loft CLI

Installing the loft CLI lets you create spaces and retrieve kube-contexts for your spaces right from the terminal of your IDE, which is often much faster than using the UI.

curl -s -L "" | sed -nE 's!.*"([^"]*loft-darwin-amd64)".*!\1!p' | xargs -n 1 curl -L -o loft && chmod +x loft;
sudo mv loft /usr/local/bin;

Alternatively, you can simply download the binary for your platform from the GitHub Releases page and add this binary to your PATH.

Login via CLI

After installing the CLI, you must login to loft:

# Add the --insecure flag if you have installed loft with a self-signed certificate
loft login https://my-loft.url.tld

This command will generate an access key and securely store it on your computer, so the loft CLI can authenticate when running any further commands.