Version: 3.0 (beta)

Secret Management with Loft

Loft allows you to manage shared secrets that can either be retrieved via Loft CLI and kubectl, or be instantiated as synchronized Kubernetes secrets in namespaces and virtual clusters.

Working with Shared Secrets

Creating Shared Secrets

Create a Shared Secret
  1. Go to the Secrets view using the menu on the left
  2. Click on the button
  3. Use the Display Name field to define the name of this secret
  4. Use the Secret Data textarea to add key: value pairs as secret data
  5. OPTIONAL: Expand the Access To This Shared Secret section to configure who can view or edit this secret
  6. Click on the button at the very bottom

Using Shared Secrets

Retrieve via Loft CLI

To retrieve the value of a shared secret using Loft CLI, run:

loft get secret [secret-name].[data-key]
Use In Kubernetes Secrets
  1. Create a file named secret.yaml with content:

    apiVersion: v1
    kind: Secret
    metadata:
      name: my-secret
      labels:
        loft.sh/sharedsecret-name: my-shared-secret
        loft.sh/sharedsecret-namespace: loft
    type: Opaque
  2. Create the Kubernetes secret using kubectl:

    kubectl apply -f secret.yaml
  3. Shortly after creating the secret, Loft will populate the data of this secret with the data from the shared secret:

    kubectl get secret my-secret -o yaml

    Data Sync

    By default, Loft will update the data of this secret whenever the shared secret's data is updated. To disable this behavior, set the loft.sh/disable-sync: "true" annotation on the Kubernetes secret (annotation values are strings, so quote the value; an unquoted boolean is rejected by the API server).
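Once several namespaces and virtual clusters carry mirrors of shared secrets, it is worth knowing which Secrets are mirrors, which shared secret each one points at, and which have had sync disabled and may therefore hold a stale value. The script below is an added example, not part of the Loft documentation or the Loft code base. It takes the JSON that `kubectl get secrets -A -o json` prints and classifies every Secret labelled with loft.sh/sharedsecret-name using only the labels and annotation this page documents. Assumptions: the shared secrets live in the `loft` namespace (as in the manifest above; pass a different `expected_shared_ns` otherwise), the annotation value is the string "true", and the cluster output embedded in `SAMPLE` is constructed for the example rather than captured from a real cluster.

```python
"""Inventory Kubernetes Secrets that mirror Loft shared secrets.

Added example (not Loft's own code). It parses the output of
`kubectl get secrets -A -o json` and classifies each mirror:

  synced   - data present, Loft keeps it in sync with the shared secret
  pinned   - data present, but loft.sh/disable-sync: "true" stops updates
  pending  - labelled, but Loft has not populated .data yet (or it is empty)

Mirrors that reference a shared-secret namespace other than the expected
one (assumed default: "loft") are flagged as well.
"""
import base64
import json
from typing import List, Optional

SHARED_NAME_LABEL = "loft.sh/sharedsecret-name"
SHARED_NS_LABEL = "loft.sh/sharedsecret-namespace"
DISABLE_SYNC_ANNOTATION = "loft.sh/disable-sync"


def _decodes(value: str) -> bool:
    """True if a .data value is valid base64 (how Kubernetes stores it)."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (ValueError, TypeError):
        return False


def classify(secret: dict, expected_shared_ns: str = "loft") -> Optional[dict]:
    """Return an inventory row for one Secret, or None if the Secret is not
    a shared-secret mirror (no loft.sh/sharedsecret-name label)."""
    meta = secret.get("metadata", {})
    labels = meta.get("labels") or {}
    annotations = meta.get("annotations") or {}
    shared_name = labels.get(SHARED_NAME_LABEL)
    if not shared_name:
        return None
    shared_ns = labels.get(SHARED_NS_LABEL, "")
    data = secret.get("data") or {}
    keys = sorted(k for k, v in data.items() if _decodes(v))
    disable_sync = str(annotations.get(DISABLE_SYNC_ANNOTATION, "")).lower() == "true"
    if not keys:
        state = "pending"
    elif disable_sync:
        state = "pinned"
    else:
        state = "synced"
    warnings = []
    if shared_ns != expected_shared_ns:
        warnings.append(f"unexpected shared-secret namespace {shared_ns!r}")
    if state == "pinned":
        warnings.append("sync disabled; value may be stale")
    return {
        "namespace": meta.get("namespace", ""),
        "name": meta.get("name", ""),
        "shared_secret": f"{shared_ns}/{shared_name}",
        "keys": keys,
        "state": state,
        "warnings": warnings,
    }


def inventory(kubectl_json: str, expected_shared_ns: str = "loft") -> List[dict]:
    """Parse a `kubectl get secrets -A -o json` document and return one row
    per shared-secret mirror, sorted by namespace and name."""
    doc = json.loads(kubectl_json)
    rows = (classify(s, expected_shared_ns) for s in doc.get("items", []))
    return sorted((r for r in rows if r), key=lambda r: (r["namespace"], r["name"]))


# Constructed sample (not real cluster output): three mirrors in different
# states plus one unrelated Secret that must be ignored.
SAMPLE = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "team-a", "name": "my-secret",
                      "labels": {SHARED_NAME_LABEL: "my-shared-secret",
                                 SHARED_NS_LABEL: "loft"}},
         "type": "Opaque",
         "data": {"password": base64.b64encode(b"s3cr3t").decode()}},
        {"metadata": {"namespace": "team-b", "name": "db-creds",
                      "labels": {SHARED_NAME_LABEL: "my-shared-secret",
                                 SHARED_NS_LABEL: "loft"},
                      "annotations": {DISABLE_SYNC_ANNOTATION: "true"}},
         "type": "Opaque",
         "data": {"password": base64.b64encode(b"old").decode()}},
        {"metadata": {"namespace": "team-c", "name": "fresh",
                      "labels": {SHARED_NAME_LABEL: "other",
                                 SHARED_NS_LABEL: "vcluster-x"}},
         "type": "Opaque"},
        {"metadata": {"namespace": "kube-system", "name": "unrelated"},
         "type": "Opaque", "data": {"k": "dg=="}},
    ],
})


if __name__ == "__main__":
    for row in inventory(SAMPLE):
        flag = "  !! " + "; ".join(row["warnings"]) if row["warnings"] else ""
        print(f"{row['namespace']}/{row['name']:<12} <- {row['shared_secret']:<22} "
              f"{row['state']:<8} keys={row['keys']}{flag}")
```

To run it against a live cluster, replace `SAMPLE` with the output of `kubectl get secrets -A -o json` (the script never reads the decoded values, only checks that they are present). A "pending" row that stays pending usually means the label points at a shared secret the namespace is not allowed to read, which is exactly the access-rule question the next section covers.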

Control Access To Shared Secrets

Configure Access To Shared Secrets
  1. In the Secrets view, hover over the secret that you want to give someone access to
  2. While hovering over the row, you will see buttons appear on the right in the Actions column
  3. Click on the button to Edit the secret
  4. In the drawer that appears on the right, expand the Access To This Shared Secret section
  5. If the user or team is not listed under Users & Teams yet, click the + Rule button to add another row for a new user or team
  6. Use the Users & Teams field to select the Users and/or Teams who should get access to this shared secret
  7. Use the Permissions field to specify whether a user is allowed to view, update, ... this shared secret
  8. On the very bottom, click on the button to save the changes

Configuration

Metadata

Display Name

JSONPath in SharedSecrets CRD:
 spec.displayName (type: string)

Kubernetes Name

JSONPath in SharedSecrets CRD:
 metadata.name (type: string)

Description

JSONPath in SharedSecrets CRD:
 spec.description (type: string)

Labels

JSONPath in SharedSecrets CRD:
 metadata.labels (type: map[string]string)

Annotations

JSONPath in SharedSecrets CRD:
 metadata.annotations (type: map[string]string)

Namespace

JSONPath in SharedSecrets CRD:
 metadata.namespace (type: string)

Data

JSONPath in SharedSecrets CRD:
 spec.data (type: map[string]string)

Access To Secret

JSONPath in SharedSecrets CRD:
 spec.access (type: Access[])

CRDs

SharedSecret

apiVersion
string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind
string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata
object (io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta)

ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.

spec
object (com.github.loft-sh.api.pkg.apis.management.v1.SharedSecretSpec)

SharedSecretSpec holds the specification

status
object (com.github.loft-sh.api.pkg.apis.management.v1.SharedSecretStatus)

SharedSecretStatus holds the status

{
  "apiVersion": "string",
  "kind": "string",
  "metadata": {},
  "spec": {},
  "status": {}
}