Using secrets

    Using secrets is a two-step process. First you define a new secret in your cluster, then you 'use' the secret in your function by adding it to the deployment request or to the stack YAML file.

    • Secrets can be specified via API, CLI or YAML file
    • Secrets must exist in the cluster at deployment time
    • You can create, list, delete and update secrets via the .

    The OpenFaaS contributors believe that environment variables should be reserved for non-confidential data only. All secrets are made available in the container file-system and should be read from the following location: /var/openfaas/secrets/. Both Kubernetes and Swarm have excellent stores for secrets. In the sample below we show how to create and consume a secret in a function.

    Sample

    We have built a sample function that can be deployed alongside a secret (an API key) to validate incoming requests. It is available in the openfaas/faas repo: . Only requests presenting a valid API key value will be validated.

    Create a text file named secret-api-key.txt and add the following value (the same API key value is used in the commands further down this page):

    R^YqzKzSJw51K9zPpQ3R3N

    Now we can import the secret into the cluster.

    Define the secret with faas-cli

    faas-cli secret create secret-api-key \
      --from-file=secret-api-key.txt

    You can create the secret with faas-cli secret create, or by using the Docker / Kubernetes CLI.

    Define a secret in Kubernetes (advanced)

    Type in:

    kubectl create secret generic secret-api-key \
      --from-file=secret-api-key=secret-api-key.txt \
      --namespace openfaas-fn

    Here we have explicitly named the key of the secret value so that when it is mounted into the function container, the file will be named exactly secret-api-key instead of secret-api-key.txt.

    You can skip creating a file and use input directly from the command-line like this:

    Define a secret in Docker Swarm (advanced)

    Docker has a built-in secrets store just like Kubernetes which can be used to securely store secrets for our functions.

    Type in:

    docker secret create secret-api-key \
      ~/secrets/secret_api_key.txt

    or:

    echo "R^YqzKzSJw51K9zPpQ3R3N" | docker secret create secret-api-key -

    OpenFaaS secrets are mounted as files inside your function's filesystem. To use a secret, read the file from the secrets location, using the name of the secret as the filename, for example: /var/openfaas/secrets/secret-api-key.

    A simple Go implementation could look like this:

    This example comes from the sample function.

    Create a stack.yaml file in the current directory:

    name: faas

    functions:
      protectedapi:
        lang: dockerfile
        skip_build: true
        image: functions/api-key-protected:latest
        secrets:
          - secret-api-key

    Now deploy the function with: faas-cli deploy

    Once the deploy is done you can test the function using the faas-cli or curl. The function reads the secret value that OpenFaaS mounted into the container and returns a success or failure message depending on whether your header matches that secret value. The same code runs unmodified on both Kubernetes and Docker Swarm.

    Let's see how that works:

    echo | faas-cli invoke protectedapi -H "X-Api-Key=R^YqzKzSJw51K9zPpQ3R3N"

    Now let's use an incorrect value for the api-key: