Shared Secrets

Shared secrets are a way to securely store Loft wide secrets. A shared secret is very similar to a Kubernetes secret, but can be managed through Loft UI or CLI. They can be used to store and share sensitive information across your users and teams independent of the connected clusters. Shared secrets consist of multiple keys and values. Shared secrets are namespace scoped and can be optionally encrypted with a custom defined encryption key.

One special use case are shared image pull secrets that will automatically log in a user into a container image registry.

Create a new Shared Secret

Shared secrets can be created via kubectl, loft CLI or the loft UI.

Go to the Secrets view and click on 'Add Shared Secret'.
Shared Secrets
Create a new Shared Secret
Enter the name of the secret, the namespace you want to create the secret in and press 'Create'.
Use a single Shared Secret for multiple Values

It is good practice to use a single shared secret for multiple keys, e.g. it makes sense to have a shared secret prod and development with different access rights for different teams and users.

Manage Access to Shared Secrets

You can define which users or teams are able to view, update or delete the shared secrets. This can be done either by using the loft UI or kubectl in the management cluster (the cluster where loft is installed).

Go to the Secrets view and click on a shared secret. Then click on 'Access' and on the 'Add Access' button.

Adding Access
Add Access to a Shared Secret

When the drawer opens you are able to configure the following options:

  • Verbs: what access rights should the defined users and teams have to this shared secret
  • Users: which users are effected by these access rights
  • Teams: which teams are effected by these access rights

After you have configured the verbs, users and teams, press the 'Save' button.

Adding Access
Save Access
How Access Works Behind the Scenes

If a user can access a shared secret is purely defined through kubernetes RBAC. loft creates the required roles and role bindings automatically in the background based on what is defined in the spec.access section of the SharedSecret resource.

A user or team can access a shared secret if the right is granted to 'get' (verb) 'sharedsecrets' (resource) in '' (api group) in the namespace where the secret is stored (typically the namespace where loft is installed). This however also means that cluster admins will be able to access all shared secrets, since they have the right to access all resources in all namespaces.

Read from a Shared Secret

Reading a key from a shared secret can be done through the loft UI, loft CLI or kubectl.

Go to the Secrets view and click on a shared secret name. A list of available keys should appear. Then click on 'Show Value'.

Read Secret
Read a secret key value

Change data in a Shared Secret

Changing the data of a shared secret can be done through the loft UI, loft CLI or kubectl.

Go to the Secrets view and click on a shared secret name. A list of available keys should appear. Then either click on an already existing key name or on 'Add Key'.

Read Secret
Add a secret key

Click on 'Save' and the key should appear in the list.

Image Pull Secrets

Shared image pull secrets are created and maintained like every other shared loft secret. However, they can be used to automatically login users to specified container image registries as soon as they run loft login (no locally installed docker needed).

Creating a shared image pull secret is very similar to creating an image pull secret in kubernetes itself:

On your computer, you must authenticate with a registry in order to grant other users or teams access to it:

docker login [optional-docker-registry]

When prompted, enter your Docker username and password.

The login process creates or updates a config.json file that holds an authorization token.

View the config.json file:

cat ~/.docker/config.json

The output contains a section similar to this:

"auths": {
"": {
"auth": "c3R...zE2"

Note: If you use a Docker credentials store, you won't see that auth entry but a credsStore entry with the name of the store as value.

With that information you can create a shared loft secret.

Create Secret
Create a shared secret with docker credentials

Note: The actual name of the shared secret or key name do not matter and can be chosen freely.

Next, you can configure a user or team to use that image pull secret, by editing the Image Pull Secrets section of the user or team.

Assign Secret
Assign the shared secret to an user

Then press 'Update'. If the user will now login, he will also login into the specified container registry:

$ loft login
[info] If the browser does not open automatically, please navigate to
[done] √ Successfully logged into loft at
[done] √ Successfully logged into docker registry 'docker hub'
User or Team need view access

In order for the user to login with an image pull secret, the user or the team need to have access to view the shared secret, otherwise they will not be able to login into the container registry. You can change the access to a shared secret in the Secrets > YOUR-SECRET > Access tab.

Enable Shared Secrets Encryption

Enterprise Feature

This is an enterprise feature. Please make sure your license permits secrets encryption before you follow this guide.

By default, secrets are not encrypted and stored plain text (base64 encoded) in the underlying shared secrets custom resource. You can configure loft to encrypt the data of secrets by specifying an encryption key. This can be done via helm:

helm upgrade loft loft --repo \
--namespace loft \
--reuse-values \
--set env.SECRETS_ENCRYPTION_KEY=my-secret-encryption-key

From now on all secrets will be encrypted with the specified encryption key.

Loss of Encryption Key

If you lose the encryption key, the secrets data cannot be recovered. You will have to manually delete all shared secrets via kubectl: kubectl delete -n loft --all