🚀 New Features
- api: Cluster Account Templates are now applied automatically to a new cluster (or a cluster whose labels got changed) for users and teams that already have one or more cluster account templates configured that would match this cluster and do not already have an account there
- api: Accounts and account resources can now be synced from cluster account templates. This will be enabled by default for cluster account templates newly added to users and teams through the UI. For single sign-on this can be enabled via:

  ```yaml
  auth:
    oidc: # same for github, gitlab, google etc.
      clusterAccountTemplates:
      - name: my-template
        sync: true # <- new option that enables sync for this template
      groupClusterAccountTemplates:
      - group: my-oidc-group
        clusterAccountTemplates:
        - name: my-other-template
          sync: true # <- new option that enables sync for this template
  ```

  As soon as Loft recognizes a change in the cluster account template (e.g. a new resource was added for the account, the account spec has changed etc.), it will apply a three-way merge (think of `kubectl apply`) to the already created cluster account and other resources in the underlying clusters, reflecting the changes made to the template. It will also take care of creating newly added resources and deleting resources that should not be there anymore.
- api: New field `auth.oidc.groups` to specify OIDC groups of which at least one has to be present in the ID token to sign in to Loft
- api: New field `auth.oidc.insecureCa` to tell Loft to communicate with insecure OIDC providers
- ui: New section to specify cluster labels and annotations during cluster connect
- api: New experimental environment variable `ROUTE_MANAGEMENT_API_THROUGH_CLUSTER` to route management API requests through the Kubernetes cluster. This has the advantage that these requests can be mutated or validated via webhooks
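
The three-way merge mentioned for synced cluster account templates, sketched as an added example in the style of `kubectl apply`; this is not Loft's code, and the field names and values (`spaceLimit`, the labels) are constructed for illustration:

```python
import copy


def three_way_merge(last_applied, desired, live):
    """Merge `desired` into `live`, using `last_applied` to detect deletions.

    last_applied: what the template produced the last time it was synced
    desired:      what the template produces now
    live:         the object as it currently exists in the cluster
    Lists and scalars are replaced as a whole; only dicts are merged by key.
    """
    merged = copy.deepcopy(live)
    # Fields the template set earlier but no longer declares are removed.
    for key in last_applied:
        if key not in desired:
            merged.pop(key, None)
    # Fields the template declares always win over the live value.
    for key, want in desired.items():
        have = merged.get(key)
        if isinstance(want, dict) and isinstance(have, dict):
            prev = last_applied.get(key)
            prev = prev if isinstance(prev, dict) else {}
            merged[key] = three_way_merge(prev, want, have)
        else:
            merged[key] = copy.deepcopy(want)
    return merged


# Constructed sample data (hypothetical account fields).
LAST_APPLIED = {"labels": {"team": "dev", "tier": "trial"},
                "spec": {"spaceLimit": 5}}
# The template was edited: "tier" label dropped, limit raised to 10.
DESIRED = {"labels": {"team": "dev"},
           "spec": {"spaceLimit": 10}}
# In the cluster, someone added a label and hand-edited the limit to 50.
LIVE = {"labels": {"team": "dev", "tier": "trial", "cost-center": "42"},
        "spec": {"spaceLimit": 50}}


def demo():
    return three_way_merge(LAST_APPLIED, DESIRED, LIVE)


if __name__ == "__main__":
    print(demo())
```

Fields owned by the template are reset to the template's value even when they were changed by hand in the cluster, fields the template dropped are deleted, and fields the template never set are left alone.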
🐛 Fixes
- cli: Fixed an issue where `loft use space` would not work correctly if the user has exactly 1 space
- api: Fixed an issue where Loft would not restart if there was no Loft config and a new config was applied
- ui: Fixed many instances where long usernames, cluster names or other long resource names would look very strange in tables
📦 Other
- audit: For requests that target vclusters, loft now also shows user info as with requests to the management api or clusters
- license: Disabled users do not count into the user limit anymore
- license: Loft will now block user create and user enable requests if the user limit is reached (this prevents new users from being created automatically through something like SSO, which would exceed the user limit and block other users as well)
- ui/cli: Loft now assigns a user or team the cluster role `loft-cluster-space-default` instead of `admin` if the space is shared via UI or CLI. This has the advantage that the user or team is able to access the vclusters in that space as well
- cli: Loft will now ask which kube context you want to use during `loft start`, if you previously used it with a different context
- Updated kiosk to version v0.2.4 (kiosk now supports high availability and has better templating functionality with `${account.metadata.labels}` etc.)
- Updated vcluster to version v0.1.0 (vcluster is also open-source now and can be found at https://github.com/loft-sh/vcluster)