A secured OpenFaaS environment
This repository provides guidelines on how an OpenFaaS environment can be secured using techniques and technologies such as OpenID Connect and Kong as ingress controller.
Getting Started
Prerequisites
- Minikube (>= 1.4.0)
- FaaS-CLI (>= 0.9.3)
- Kubectl (>= 1.16.1)
- Helm (>= 3.0.0)
Installing
- Choose an Identity Provider (such as Auth0)
- Sign up and add the application OpenFaaS Gateway
- Set up two callback URLs for your application:
- When Auth0 is used, you should choose Regular Web Application as application type
- Edit /oidc-plugin/oidc-plugin-dep.yaml to set your OpenID Connect configuration. All endpoints can be found by showing the advanced settings and choosing Endpoints. The client-id and client-secret can be found in the application settings.
- Edit /oidc-plugin/oidc-plugin-dep.yaml to set your license key for the OIDC-plugin. You can request a trial or purchase a license from OpenFaaS Ltd via sales@openfaas.com.
- Run the deployment script:
  $ ./deploy.sh
- Use the OpenFaaS Gateway: https://gw.secure-faas.com (You have to ignore the warning, because a self-signed certificate is used)
Deployment of Functions
- Deploy the provided functions by adding the authorization URL, audience URL and client-id to the faas_cli_login.sh script and then executing it:
  $ ./functions/faas_cli_login.sh
  Make sure that cookies are deleted (after redeployment).
- After exporting the provided token, you should run:
  $ ./functions/deploy_functions.sh
Enable routing and basic authentication
- Enable routing to the functions:
  $ ./ingress/kong/auth/enable_routing.sh
- Now, you are able to enable basic-authentication for the functions by executing:
  $ ./ingress/kong/auth/01_enable_basic_auth.sh
- Test your setup:
  $ ./ingress/kong/auth/02_test_basic_auth.sh
  or:
  $ curl --url ${INGRESS_PROXY_URL}/function/protected-haveibeenpwned --data 'test@test.com' -H "Authorization: Basic ${BASE64_CREDENTIALS}" -v
  For more information see the script ingress/kong/auth/02_test_basic_auth.sh
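The curl call above only shows that valid credentials are accepted. The following added example (not part of this repository and not the content of 02_test_basic_auth.sh) also checks that anonymous and wrong-password requests are rejected. BASIC_USER and BASIC_PASS are assumed variable names for the credentials you configured; treating both 401 and 403 as a rejection is an assumption made to cover differing Kong versions.

```shell
#!/bin/sh
# Added example: negative and positive checks for the basic-auth protected function.
# Assumed environment variables: INGRESS_PROXY_URL (from the README), BASIC_USER, BASIC_PASS.

# RFC 7617: the header value is base64("user:password"), without line wraps.
basic_credentials() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Print the HTTP status of a POST to the function.
# $1 = URL, $2 = optional base64 credentials.
# -k is needed only because this setup uses a self-signed certificate.
probe_status() {
  if [ -n "${2:-}" ]; then
    curl -k -s -o /dev/null -w '%{http_code}' --data 'test@test.com' \
      -H "Authorization: Basic $2" "$1"
  else
    curl -k -s -o /dev/null -w '%{http_code}' --data 'test@test.com' "$1"
  fi
}

# True when the status means the request was refused for authentication reasons.
is_rejected() {
  [ "$1" = 401 ] || [ "$1" = 403 ]
}

# $1 = status without credentials, $2 = status with a wrong password,
# $3 = status with valid credentials. Returns 0 only if all three behave.
evaluate_statuses() {
  is_rejected "$1" || { echo "FAIL: anonymous request returned $1"; return 1; }
  is_rejected "$2" || { echo "FAIL: wrong password returned $2"; return 1; }
  case "$3" in
    401|403) echo "FAIL: valid credentials were rejected ($3)"; return 1 ;;
    000)     echo "FAIL: no HTTP response for the valid request"; return 1 ;;
  esac
  echo "OK: anonymous=$1 wrong-password=$2 valid=$3"
}

# Run against the live ingress only when it is configured.
if [ -n "${INGRESS_PROXY_URL:-}" ]; then
  url="${INGRESS_PROXY_URL}/function/protected-haveibeenpwned"
  evaluate_statuses \
    "$(probe_status "$url")" \
    "$(probe_status "$url" "$(basic_credentials "$BASIC_USER" "wrong-$$")")" \
    "$(probe_status "$url" "$(basic_credentials "$BASIC_USER" "$BASIC_PASS")")"
fi
```

A status of 000 from curl means no HTTP response was received, so check the INGRESS_PROXY_URL value before reading it as an authentication result.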