Manage secrets

Secrets with OpenFaaS Cloud

There are two ways to bind OpenFaaS secrets to your functions with OpenFaaS Cloud, both of which apply when self-hosting: seal them for your git repository, or create them directly on the cluster.

Encrypt a secret for use in your git repository

You can encrypt, or seal, secrets so that they can be committed safely to your git repository. Each secret is sealed using the public key of the cluster, which you can get from your administrator; only the cluster's private key can decrypt it.

OpenFaaS Cloud uses SealedSecrets by Bitnami for encrypting or sealing your confidential information.

Pre-reqs:

  • If you installed OpenFaaS Cloud using ofc-bootstrap then SealedSecrets will already be installed and available

  • If you installed OpenFaaS Cloud manually, you can add it with the development guide

  • Follow the instructions to install the dependency kubeseal

  • Export the public key of your cluster

  • If you are using the Community Cluster, then use this link: pub-cert.pem.

Walk-through

  • Create a new git repository under your account username
  • Create a new function, i.e. faas-cli new --lang go has-secret --prefix=username
  • Copy pub-cert.pem into the root of the repository
  • Run faas-cli cloud seal, which creates secrets.yml. For information on the flags available see the faas-cli docs

When sealing secrets we specify a unique --name for the set of secrets. This should always be prefixed with your username or organisation name and use only lower-case characters. Then pass one or more --literal and/or --from-file flags, one for each secret in the set.

So if we wanted to seal a single secret called api-key with a value of 1234 we could run:

  faas-cli cloud seal --name username-my-secrets \
    --literal api-key=1234

Your function will access the secret via:

  • /var/openfaas/secrets/api-key

If you have more than one secret you can enter additional --literal flags:

  faas-cli cloud seal --name username-my-secrets \
    --literal api-key=1234 \
    --literal hostname=myhost.com

Your function will access the secrets via:

  • /var/openfaas/secrets/api-key
  • /var/openfaas/secrets/hostname

You can also read in an entire file; the secret key becomes the file name:

  faas-cli cloud seal --name username-my-secrets \
    --from-file=private-key.pem

Your function will access the secret via:

  • /var/openfaas/secrets/private-key.pem

  • Edit stack.yml

Add the secret to the secrets: section of your YAML. Use the value from --name, but remove the username prefix.

  provider:
    name: faas
    gateway: http://127.0.0.1:8080

  functions:
    has-secret:
      lang: go
      handler: ./has-secret
      image: alexellis/has-secret
      secrets:
        - my-secrets

stack.yml

faas-cli cloud seal reference

  Flag         Description
  --name       The name of the secret object, prefixed with your GitHub username or organisation
  --cert       pub-cert.pem from the Community Cluster, or from your own cluster
  --literal    Secret key and value pair (key=value). You can specify this flag more than once to add more secrets
  --from-file  Read a secret from a file. Note that the secret key name will be the file name
Example from reference repository:

We'll encrypt an incoming webhook URL for Slack, which should be considered as confidential information.

Let's write the example function:

  def handle(req):
      webhook_url = None
      # OpenFaaS mounts each key of a bound secret as a file under /var/openfaas/secrets/
      with open("/var/openfaas/secrets/incoming-webhook-url") as webhook_url_text:
          webhook_url = webhook_url_text.read().strip()

      # respond_to_user is defined elsewhere in the reference repository
      respond_to_user(req, webhook_url)

handler.py

We see that the secret is read as per any other OpenFaaS secret, from the mounted location on disk at: /var/openfaas/secrets/.
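The helper below is an added example, not code from the OpenFaaS Cloud docs or the reference repository. It reads a mounted secret the same way as the handler above but adds what a practitioner usually wants: a guard so that a key name cannot be used to escape the secrets directory, whitespace stripping (sealed values are often committed with a trailing newline), and a clear error when the secret is not mounted, which is the symptom of every mistake listed under Troubleshooting. The `secrets_dir` parameter, `make_fake_mount` fixture and the webhook value are assumptions made here for testing; OpenFaaS itself always mounts under /var/openfaas/secrets/. Python 3 is assumed.

```python
import os
import tempfile

SECRETS_DIR = "/var/openfaas/secrets"


class SecretNotMounted(RuntimeError):
    """The handler referenced a key that is not bound to the function."""


def read_secret(key, secrets_dir=SECRETS_DIR):
    """Return the trimmed value of one secret key, or raise a clear error."""
    # The key is used as a file name inside the mount; refuse anything that
    # could escape it (e.g. "../../etc/passwd") or is not a plain name.
    if not key or key != os.path.basename(key) or key in (".", ".."):
        raise ValueError("invalid secret key name: %r" % (key,))
    path = os.path.join(secrets_dir, key)
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except FileNotFoundError:
        raise SecretNotMounted(
            "secret %r is not mounted under %s; check that the sealed secret "
            "name carries the owner prefix and that stack.yml lists it "
            "without the prefix" % (key, secrets_dir)
        ) from None
    # Sealed values frequently carry a trailing newline; strip it.
    return raw.decode("utf-8").strip()


def handle(req, secrets_dir=SECRETS_DIR):
    """Handler in the shape of the page's example, using the helper above.
    The secret value is used, never echoed back to the caller."""
    webhook_url = read_secret("incoming-webhook-url", secrets_dir)
    return "webhook configured: %s" % webhook_url.startswith("https://")


def make_fake_mount(values):
    """Constructed test fixture (assumption): write `values` as files the way
    the OpenFaaS secrets volume presents them, and return the directory."""
    d = tempfile.mkdtemp(prefix="openfaas-secrets-")
    for name, value in values.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(value)
    return d


def demo():
    # Constructed sample value; a real Slack webhook URL would be sealed, never committed.
    mount = make_fake_mount({"incoming-webhook-url": "https://hooks.example.invalid/T0/B0/x\n"})
    return handle("ping", mount)
```

A function that raises SecretNotMounted at invocation time fails loudly in the gateway logs, which is far easier to diagnose than a handler that silently posts to an empty webhook URL.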

Now let's look at how we seal the secret:

  # Seal secrets for owner alexellis named `fn-secrets`

  faas-cli cloud seal --name alexellis-fn-secrets \
    --literal incoming-webhook-url=https://...

Here's the file generated by the command above:

  apiVersion: bitnami.com/v1alpha1
  kind: SealedSecret
  metadata:
    creationTimestamp: null
    name: alexellis-fn-secrets
    namespace: openfaas-fn
  spec:
    encryptedData:
      incoming-webhook-url: (redacted)

secrets.yml

And finally, we need to reference the name of our secret in stack.yml, without the owner prefix. Notice that the key (incoming-webhook-url) and the secret name (fn-secrets) do not have to match: a single secret can hold multiple key/value pairs, and each key is mounted as its own file.

  provider:
    name: faas
    gateway: http://127.0.0.1:8080

  functions:
    slack-me:
      lang: python
      handler: ./slack-me
      image: alexellis/slack-me
      secrets:
        - fn-secrets

stack.yml

Troubleshooting

The steps above must be followed precisely; if any detail is misread, the secret will not be accessible to the function.

Notes:

  • When using faas-cli cloud seal your secret set name needs to be prefixed with your username, i.e. alexellis-my-secret
  • In stack.yml your secrets should have no prefix; this is added automatically at deploy time
  • Each key from --literal or --from-file will be mounted under /var/openfaas/secrets/ and can be read from there
  • You must commit secrets.yml into the root of your repository and do a git push

If in doubt, check your results against the reference repository.

Create a secret on the cluster

You can also create secrets manually with faas-cli secret create or with kubectl. A secret created this way is available to a user's functions only if its name is prefixed with the owner (user or organisation) of the code being deployed.

For example, if your organisation or repository owner is myorg and you want a secret named api-key, run:

  $ faas-cli secret create myorg-api-key

In the secrets section of your stack.yml, reference it as api-key, without the myorg- prefix.

This method relies on you having administrative access or making a request to your administrator.
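The check below is an added example, not part of the OpenFaaS Cloud docs or tooling. It encodes the naming rules from the Troubleshooting notes and from the manual-creation method above as a pre-push check: the sealed (or manually created) secret name must carry the owner prefix and be a valid lower-case Kubernetes name, the SealedSecret must target openfaas-fn, every key must be usable as a file name under /var/openfaas/secrets/, and the secrets: entries in stack.yml must name the secret without the prefix. It operates on dicts shaped like yaml.safe_load would return for secrets.yml and stack.yml, so it runs without PyYAML; the sample documents are constructed here and mirror the page's example with the ciphertext redacted.

```python
import re

# Kubernetes Secret names must be DNS-1123 subdomains: lower-case
# alphanumerics, '-' and '.', starting and ending with an alphanumeric.
_DNS1123 = re.compile(r"^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$")
SEALED_NAMESPACE = "openfaas-fn"


def check_sealed_secret(owner, sealed):
    """Return a list of problems with a SealedSecret document for `owner`
    (GitHub user or org, lower-cased by the caller). Empty list means OK."""
    problems = []
    meta = sealed.get("metadata", {})
    name = meta.get("name", "")
    prefix = owner + "-"
    if sealed.get("kind") != "SealedSecret":
        problems.append("kind must be SealedSecret, got %r" % (sealed.get("kind"),))
    if not name.startswith(prefix):
        problems.append("secret name %r must start with %r" % (name, prefix))
    if not _DNS1123.match(name):
        problems.append("secret name %r is not a valid lower-case Kubernetes name" % (name,))
    if meta.get("namespace") != SEALED_NAMESPACE:
        problems.append("namespace must be %s" % SEALED_NAMESPACE)
    keys = sealed.get("spec", {}).get("encryptedData", {})
    if not keys:
        problems.append("no encryptedData keys; nothing would be mounted")
    for key in keys:
        # Each key becomes a file under /var/openfaas/secrets/; keep it a plain file name.
        if not key or "/" in key or key in (".", ".."):
            problems.append("key %r is not a safe file name" % (key,))
    return problems


def check_stack(owner, secret_names, stack):
    """Cross-check the secrets: entries of every function in stack.yml against
    the sealed or manually created secret names. Entries must be written
    WITHOUT the owner prefix; OpenFaaS Cloud adds it at deploy time."""
    prefix = owner + "-"
    available = {n[len(prefix):] for n in secret_names if n.startswith(prefix)}
    problems = []
    for fn_name, fn in stack.get("functions", {}).items():
        for ref in fn.get("secrets", []) or []:
            if ref.startswith(prefix):
                problems.append("%s: drop the %r prefix from %r" % (fn_name, prefix, ref))
            elif ref not in available:
                problems.append("%s: no sealed secret named %r" % (fn_name, prefix + ref))
    return problems


# Constructed sample documents (assumption) mirroring the page's example.
SEALED = {
    "apiVersion": "bitnami.com/v1alpha1",
    "kind": "SealedSecret",
    "metadata": {"name": "alexellis-fn-secrets", "namespace": "openfaas-fn"},
    "spec": {"encryptedData": {"incoming-webhook-url": "AgB...redacted"}},
}
STACK_OK = {"functions": {"slack-me": {"secrets": ["fn-secrets"]}}}
STACK_BAD = {"functions": {"slack-me": {"secrets": ["alexellis-fn-secrets", "other"]}}}


def demo():
    owner = "alexellis"
    names = [SEALED["metadata"]["name"]]
    return (
        check_sealed_secret(owner, SEALED),
        check_stack(owner, names, STACK_OK),
        check_stack(owner, names, STACK_BAD),
    )
```

Run it as a pre-commit hook with the two files loaded by yaml.safe_load and the owner taken from the repository's GitHub path; a non-empty result should block the push, since any of these mistakes produces a function that deploys but cannot read its secret.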