Add flag to toggle customers_secret

customers_secret when enabled uses a Kubernetes secret instead
of a URL

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <[email protected]>

.gitignore

@@ -17,3 +17,4 @@ credentials/
 /github.yml
 /github.yaml
 /private-key
+CUSTOMERS

example.init.yaml

@@ -178,14 +178,14 @@ secrets:
   - name: "of-customers"
     literals:
       - name: "of-customers"
-        value: "alexellis"
+        value_from: "/dev/null"
     namespace: "openfaas"
     filters:
       - "default"
   - name: "customers"
     literals:
       - name: "customers"
-        value: ""
+        value_from: "/dev/null"
     namespace: "openfaas-fn"
     filters:
       - "default"
@@ -198,6 +198,10 @@ secrets:
 
 registry: docker.io/ofctest/
 
+### Use a secret instead of a publicly accessible URL for the ACL
+### of valid users.
+customers_secret: false
+
 ### Enable only if using AWS ECR
 enable_ecr: false
 
@@ -312,9 +316,6 @@ enable_dockerfile_lang: false
 ### of com.openfaas.scale.zero: "false"
 scale_to_zero: false
 
-## Version of OpenFaaS Cloud from https://github.com/openfaas/openfaas-cloud/releases/
-openfaas_cloud_version: 0.12.2
-
 ## Enable network policies
 ### Prevents functions from talking to the openfaas namespace, and to each other.
 ### Use the ingress address for the gateway or the external IP instead.
@@ -324,3 +325,5 @@ network_policies: false
 ## You should change this if you want a different branch to be built and deployed instead of master
 build_branch: master
 
+## Version of OpenFaaS Cloud from https://github.com/openfaas/openfaas-cloud/releases/
+openfaas_cloud_version: 0.13.1

pkg/stack/stack.go

@@ -9,6 +9,11 @@ import (
 	"github.com/openfaas-incubator/ofc-bootstrap/pkg/types"
 )
 
+type gitlabConfig struct {
+	GitLabInstance      string `yaml:"gitlab_instance,omitempty"`
+	CustomersSecretPath string
+}
+
 type gatewayConfig struct {
 	Registry             string
 	RootDomain           string
@@ -18,15 +23,30 @@ type gatewayConfig struct {
 	CustomTemplates      string
 	EnableDockerfileLang bool
 	BuildBranch          string
+	CustomersSecretPath  string
 }
 
 type authConfig struct {
-	RootDomain           string
-	ClientId             string
-	CustomersURL         string
-	Scheme               string
-	OAuthProvider        string
-	OAuthProviderBaseURL string
+	RootDomain            string
+	ClientId              string
+	CustomersURL          string
+	Scheme                string
+	OAuthProvider         string
+	OAuthProviderBaseURL  string
+	OFCustomersSecretPath string
+}
+
+type builderConfig struct {
+	ECR bool
+}
+
+type stackConfig struct {
+	GitHub              bool
+	CustomersSecretPath string
+}
+
+type awsConfig struct {
+	ECRRegion string
 }
 
 // Apply creates `templates/gateway_config.yml` to be referenced by stack.yml
@@ -36,7 +56,13 @@ func Apply(plan types.Plan) error {
 		scheme += "s"
 	}
 
-	gwConfigErr := generateTemplate("gateway_config", plan, gatewayConfig{
+	customersSecretPath := ""
+
+	if plan.CustomersSecret {
+		customersSecretPath = "/var/openfaas/secrets/customers"
+	}
+
+	if gwConfigErr := generateTemplate("gateway_config", plan, gatewayConfig{
 		Registry:             plan.Registry,
 		RootDomain:           plan.RootDomain,
 		CustomersURL:         plan.CustomersURL,
@@ -45,17 +71,14 @@ func Apply(plan types.Plan) error {
 		CustomTemplates:      plan.Deployment.FormatCustomTemplates(),
 		EnableDockerfileLang: plan.EnableDockerfileLang,
 		BuildBranch:          plan.BuildBranch,
-	})
-
-	if gwConfigErr != nil {
+	}); gwConfigErr != nil {
 		return gwConfigErr
 	}
 
-	githubConfigErr := generateTemplate("github", plan, types.Github{
+	if githubConfigErr := generateTemplate("github", plan, types.Github{
 		AppID:          plan.Github.AppID,
 		PrivateKeyFile: plan.Github.PrivateKeyFile,
-	})
-	if githubConfigErr != nil {
+	}); githubConfigErr != nil {
 		return githubConfigErr
 	}
 
@@ -66,10 +89,10 @@ func Apply(plan types.Plan) error {
 	}
 
 	if plan.SCM == "gitlab" {
-		gitlabConfigErr := generateTemplate("gitlab", plan, types.Gitlab{
-			GitLabInstance: plan.Gitlab.GitLabInstance,
-		})
-		if gitlabConfigErr != nil {
+		if gitlabConfigErr := generateTemplate("gitlab", plan, gitlabConfig{
+			GitLabInstance:      plan.Gitlab.GitLabInstance,
+			CustomersSecretPath: customersSecretPath,
+		}); gitlabConfigErr != nil {
 			return gitlabConfigErr
 		}
 	}
@@ -82,59 +105,47 @@ func Apply(plan types.Plan) error {
 	}
 
 	if plan.EnableOAuth {
-		ofAuthDepErr := generateTemplate("edge-auth-dep", plan, authConfig{
-			RootDomain:           plan.RootDomain,
-			ClientId:             plan.OAuth.ClientId,
-			CustomersURL:         plan.CustomersURL,
-			Scheme:               scheme,
-			OAuthProvider:        plan.SCM,
-			OAuthProviderBaseURL: plan.OAuth.OAuthProviderBaseURL,
-		})
-		if ofAuthDepErr != nil {
+		ofCustomersSecretPath := ""
+		if plan.CustomersSecret {
+			ofCustomersSecretPath = "/var/secrets/of-customers/of-customers"
+		}
+
+		if ofAuthDepErr := generateTemplate("edge-auth-dep", plan, authConfig{
+			RootDomain:            plan.RootDomain,
+			ClientId:              plan.OAuth.ClientId,
+			CustomersURL:          plan.CustomersURL,
+			Scheme:                scheme,
+			OAuthProvider:         plan.SCM,
+			OAuthProviderBaseURL:  plan.OAuth.OAuthProviderBaseURL,
+			OFCustomersSecretPath: ofCustomersSecretPath,
+		}); ofAuthDepErr != nil {
 			return ofAuthDepErr
 		}
 	}
 
 	isGitHub := plan.SCM == "github"
-	stackErr := generateTemplate("stack", plan, stackConfig{
-		GitHub: isGitHub,
-	})
-
-	if stackErr != nil {
+	if stackErr := generateTemplate("stack", plan, stackConfig{
+		GitHub:              isGitHub,
+		CustomersSecretPath: customersSecretPath,
+	}); stackErr != nil {
 		return stackErr
 	}
 
-	builderErr := generateTemplate("of-builder-dep", plan, builderConfig{
+	if builderErr := generateTemplate("of-builder-dep", plan, builderConfig{
 		ECR: plan.EnableECR,
-	})
-
-	if builderErr != nil {
+	}); builderErr != nil {
 		return builderErr
 	}
 
-	ecrErr := generateTemplate("aws", plan, awsConfig{
+	if ecrErr := generateTemplate("aws", plan, awsConfig{
 		ECRRegion: plan.ECRConfig.ECRRegion,
-	})
-
-	if ecrErr != nil {
+	}); ecrErr != nil {
 		return ecrErr
 	}
 
 	return nil
 }
 
-type builderConfig struct {
-	ECR bool
-}
-
-type stackConfig struct {
-	GitHub bool
-}
-
-type awsConfig struct {
-	ECRRegion string
-}
-
 func generateTemplate(fileName string, plan types.Plan, templateType interface{}) error {
 
 	generatedData, err := applyTemplate("templates/"+fileName+".yml", templateType)

pkg/types/types.go

@@ -68,6 +68,7 @@ type Plan struct {
 	BuildBranch          string                   `yaml:"build_branch,omitempty"`
 	EnableECR            bool                     `yaml:"enable_ecr,omitempty"`
 	ECRConfig            ECRConfig                `yaml:"ecr_config,omitempty"`
+	CustomersSecret      bool                     `yaml:"customers_secret,omitempty"`
 }
 
 // Deployment is the deployment section of YAML concerning

templates/gitlab.yml

@@ -19,7 +19,7 @@ functions:
       read_debug: true
       installation_tag: "openfaas-cloud"
       gitlab_instance: "{{.GitLabInstance}}"
-      customers_path: /var/openfaas/secrets/customers
+      customers_path: {{.CustomersSecretPath}}
     environment_file:
       - gateway_config.yml
     secrets:

templates/stack.yml

@@ -17,7 +17,7 @@ functions:
       write_debug: true
       read_debug: true
       validate_customers: true
-      customers_path: /var/openfaas/secrets/customers
+      customers_path: "{{.CustomersSecretPath}}"
     environment_file:
       - github.yml
       - gateway_config.yml