我的书签
添加书签
移除书签Manage secrets
You can encrypt or seal secrets so that they can be committed to your git repository. Each secret can be sealed using the public key of the cluster which you can get from your administrator.
OpenFaaS Cloud uses for encrypting or sealing your confidential information.
Pre-reqs:
If you installed OpenFaaS Cloud using then SealedSecrets will already be installed and available
If you installed OpenFaaS Cloud manually, you can add it with the development guide
Follow the to install the dependency
kubesealExport the public key of your cluster
If you are using the Community Cluster, then use this link: pub-cert.pem.
Walk-through
- Create a new git repository under your account
username - Create a new function i.e.
faas new —lang go has-secret —prefix=username - Copy
pub-cert.peminto the root of the repository - Run
faas-cli cloud seal, this will createsecrets.yml.For information on the flags available see the
When sealing secrets we specify a unique —name for the set of secrets, this should always be prefixed with your username or organisation name, using only lower case characters. Then enter a number of —literal and/or —from-file flags which correspond to each secret in the set.
So if we wanted to seal a single secret called api-key with a value of test1234 we could run:
- faas-cli cloud seal --name username-my-secrets \
- --literal api-key=1234 \
- --literal hostname=myhost.com
Your function will access the secret via:
/var/openfaas/secrets/api-key/var/openfaas/secrets/hostnameYou can also read in an entire file:
- faas-cli cloud seal --name username-my-secrets \
- --from-file=private-key.pem
Your function will access the secret via:
/var/openfaas/secrets/private-key.pemEdit
stack.yml
Add the secret to the secrets: section of your YAML, use the value from —name, but remove the username prefix.
stack.yml
- Now run
git pushCheck the git commit status in the repo, or view your overview page at:https://system.example.com
faas-cli cloud seal reference
Example from reference repository:
We'll encrypt an incoming webhook URL for Slack, which should be considered as confidential information.
Let's write the example function:
- def handle(req):
- webhook_url = None
- with open("/var/openfaas/secrets/incoming-webhook-url") as webhook_url_text:
- webhook_url = webhook_url_text.read().strip()
- respond_to_user(req, webhook_url)
handler.py
Now let's look at how we seal the secret:
- # Seal secrets for owner alexellis named `fn-secrets`
- faas-cli cloud seal --name alexellis-fn-secrets \
- --literal incoming-webhook-url=https://...
Here's the file generated by the command above:
secrets.yaml
And finally, we now need to reference the name of our secret in stack.yml. Notice that the key and the secret name do not have to match, this is because we can have multiple secret key/values within a single secret.
- provider:
- name: faas
- gateway: http://127.0.0.1:8080
- functions:
- slack-me:
- lang: python
- handler: ./slack-me
- image: alexellis/slack-me
- secrets:
- - fn-secrets
stack.yml
Troubleshooting
The steps above must be followed precisely and if you have mis-read any of the details this may result in the secret not being accessible.
Notes:
- When using
faas-cli cloud sealyour secret set name needs to be prefixed with your username i.e.alexellis-my-secret - In your secrets should have no prefix, this is added later automatically
- The key from
—literalor—from-filewill be mounted under/var/openfaas/secrets/and can be read from there - You must commit
secrets.yamlinto the root of your repository and do agit pushIf in doubt check your results against .
Create secrets manually (not recommended)
You can create secrets manually via faas-cli secret create or by using kubectl. These secrets will be available to users if the prefix of the secret matches the owner of the code being deployed, i.e.
If you are using an organization or repo named myorg and want a secret named api-key you could run:
This method relies on you having administrative access or making a request to your administrator.
