This repository is intended to provide guidelines on how an OpenFaaS environment can be secured using techniques and technologies such as OpenID Connect and Kong as the ingress controller.
- Minikube (>= 1.4.0)
- FaaS-CLI (>= 0.9.3)
- Kubectl (>= 1.16.1)
- Helm (>= 3.0.0)
- Choose an Identity Provider (such as Auth0)
- Sign up and add the application `OpenFaaS Gateway`
- Set up two callback URLs for your application:
- When Auth0 is used, you should choose `Regular Web Application` as application type
- Edit `/oidc-plugin/oidc-plugin-dep.yaml` to set your OpenID Connect configuration. All endpoints can be found by showing the advanced settings and choosing `Endpoints`. The `client-id` and `client-secret` can be found in the application settings.
- Edit `/oidc-plugin/oidc-plugin-dep.yaml` to set your license key for the OIDC-plugin. You can request a trial or purchase a license from OpenFaaS Ltd via sales@openfaas.com.
- Run the deployment script:

  ```
  $ ./deploy.sh
  ```
- Use the OpenFaaS Gateway: https://gw.secure-faas.com (you have to ignore the certificate warning, because a self-signed certificate is used)
- Deploy the provided functions by adding the `authorization URL`, `audience URL` and `client-id` to the `faas_cli_login.sh` script and then executing it:

  ```
  $ ./functions/faas_cli_login.sh
  ```

  Make sure that cookies are deleted (after redeployment).
- After exporting the provided token, you should run:

  ```
  $ ./functions/deploy_functions.sh
  ```
- Enable routing to the functions:

  ```
  $ ./ingress/kong/auth/enable_routing.sh
  ```
- Now you can enable basic authentication for the functions by executing:

  ```
  $ ./ingress/kong/auth/01_enable_basic_auth.sh
  ```
- Test your setup:

  ```
  $ ./ingress/kong/auth/02_test_basic_auth.sh
  ```

  or:

  ```
  $ curl --url ${INGRESS_PROXY_URL}/function/protected-haveibeenpwned --data 'test@test.com' -H "Authorization: Basic ${BASE64_CREDENTIALS}" -v
  ```

  For more information see the script `ingress/kong/auth/02_test_basic_auth.sh`.
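
The curl command above shows only the authenticated call. As an added example (not a script from this repository), the following builds `BASE64_CREDENTIALS` and also confirms that anonymous and wrong-password calls are rejected; `KONG_USER` and `KONG_PASSWORD` are assumed variable names, and a rejection is assumed to surface as 401 or 403.

```shell
#!/bin/sh
# Added example (not from the repository). KONG_USER and KONG_PASSWORD are
# assumed variable names; INGRESS_PROXY_URL is the variable used above.

# Build the value for BASE64_CREDENTIALS. printf, unlike echo, adds no
# trailing newline; an encoded newline makes the password mismatch.
basic_credentials() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Print the HTTP status of a call to the protected function.
# $1 is the Authorization header value, or empty for an anonymous call.
function_status() {
  url="${INGRESS_PROXY_URL}/function/protected-haveibeenpwned"
  if [ -n "$1" ]; then
    curl -s -o /dev/null -w '%{http_code}' --data 'test@test.com' \
      -H "Authorization: $1" --url "$url"
  else
    curl -s -o /dev/null -w '%{http_code}' --data 'test@test.com' --url "$url"
  fi
}

# Judge three observed status codes: anonymous and wrong-password calls must
# be rejected (401 or 403 assumed), only the valid credential may get a 2xx.
verdict() {
  case "$1" in 401|403) ;; *) echo "FAIL: anonymous call returned $1"; return 1 ;; esac
  case "$2" in 401|403) ;; *) echo "FAIL: wrong password returned $2"; return 1 ;; esac
  case "$3" in 2??) ;; *) echo "FAIL: valid credentials returned $3"; return 1 ;; esac
  echo "OK: basic auth is enforced on the route"
}

# Contact the cluster only when the environment is configured.
if [ -n "${INGRESS_PROXY_URL:-}" ] && [ -n "${KONG_USER:-}" ]; then
  BASE64_CREDENTIALS="$(basic_credentials "$KONG_USER" "$KONG_PASSWORD")"
  wrong="$(basic_credentials "$KONG_USER" 'not-the-password')"
  verdict "$(function_status '')" \
          "$(function_status "Basic ${wrong}")" \
          "$(function_status "Basic ${BASE64_CREDENTIALS}")"
fi
```

If `INGRESS_PROXY_URL` is an HTTPS endpoint that uses the self-signed certificate, curl additionally needs that certificate passed with `--cacert`.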