Version: 3.4

Project Secrets

Project Secrets allow you to define and share secrets across the allowed clusters where space and virtual cluster instances of the project are deployed. There are two ways to utilize project secrets. The first is to create a project secret and populate it with its own secret data. The second is to sync a project secret with a Global Secret. In both cases, to utilize the secret data, you will create a regular Kubernetes Secret with labels referring to the Project Secret. Once created, Loft will handle synchronizing the project secret data to your secret.

Data or Global Secrets, but not both

A project secret cannot both define its own custom data and synchronize from a global secret. If you need additional secret data that is specific to your project, create a separate secret and combine the two in your pod specifications.

Project Secret with Data

To create a project secret with its own data, follow these steps:

  1. Navigate to the Projects view using the menu on the left.
  2. Select the project you'd like to configure using the drop-down menu.
  3. Click on Project Secrets.
  4. Click on the button.
  5. Add a display name, such as "My Secret", and an optional description for the project secret. The UI will automatically fill in the `.metadata.name` with `my-secret`. If you wish to change this name, you may edit the YAML directly.
  6. In the Secret Data input, add your secret key/value pairs.
  7. Click on the button to save your changes.

To use this project secret, create a secret in the namespace where you need the secret data:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: my-space
  labels:
    loft.sh/project-secret-name: my-secret
type: Opaque
```

The secret will be synchronized with the project secret momentarily.

Virtual Cluster Secrets

Secrets inside virtual clusters will be synchronized whenever the project secret is modified. Since it would be inefficient to watch secrets in all virtual clusters, Loft will instead synchronize virtual cluster secrets on an interval.

Project Secret synced from Global Secret

When you have a global secret defined in Loft and wish to use it inside your project, you can configure syncing between a project secret and the global secret.

To configure this, follow these steps:

  1. Navigate to the Projects view using the menu on the left.
  2. Select the project you'd like to configure using the drop-down menu.
  3. Click on Project Secrets.
  4. Click on the button.
  5. Add a display name, such as "My Secret", and an optional description for the project secret. The UI will automatically fill in the `.metadata.name` with `my-secret`. If you wish to change this name, you may edit the YAML directly.
  6. In the "Optional: Select a global secret" input, select the global secret that you wish to sync to the project secret.
  7. Click on the button to save your changes.

To use this project secret, create a secret in the namespace where you need the secret data:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: my-space
  labels:
    loft.sh/project-secret-name: my-secret
type: Opaque
```

The secret will be synchronized with the project secret momentarily. Using this configuration, updates to the global secret will automatically propagate down to the space or virtual cluster secret.
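
Because a project secret synced from a global secret cannot also carry custom data, the note at the top of this page recommends a separate secret combined in the pod specification. The manifests below are an added example, not taken from the Loft documentation; the names `my-project-extras` and `demo-app`, the key `EXTRA_TOKEN`, the image and the mount path are assumptions chosen for illustration.

```yaml
# 1) Secret that Loft fills from the project secret "my-secret".
#    No data is set here; the label tells Loft which project secret to sync.
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: my-space
  labels:
    loft.sh/project-secret-name: my-secret
type: Opaque
---
# 2) Separate, project-specific Secret (hypothetical name and key).
#    It carries no loft.sh/project-secret-name label and holds its own data.
apiVersion: v1
kind: Secret
metadata:
  name: my-project-extras
  namespace: my-space
type: Opaque
stringData:
  EXTRA_TOKEN: "<placeholder-value>"
---
# 3) Pod that combines both Secrets into one read-only directory.
apiVersion: v1
kind: Pod
metadata:
  name: demo-app                # hypothetical workload
  namespace: my-space
spec:
  containers:
    - name: app
      image: registry.example.com/demo-app:1.0   # placeholder image
      volumeMounts:
        - name: app-secrets
          mountPath: /etc/app-secrets             # assumed path
          readOnly: true
  volumes:
    - name: app-secrets
      projected:
        sources:
          - secret:
              name: my-secret           # keys synced by Loft
          - secret:
              name: my-project-extras   # project-specific keys
```

Files in a mounted secret volume are refreshed by the kubelet after the Secret changes, whereas values injected as environment variables stay fixed until the container restarts, so the volume form is the one that picks up synced updates without a redeploy.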

Global Secret Permissions

When creating a project secret that refers to a global secret, you must have permission to read that global secret, or the request will be denied.