GitLab - Web Identity Federation¶
In this guide, you'll learn how to deploy from GitLab CI/CD using OpenFaaS's IAM support and Web Identity Federation.
You'll need to create YAML files for an Issuer, a Policy and a Role. These need to be applied through kubectl, Helm or a GitOps tool.
Your build will need to be adapted in order to receive an id_token from GitLab, which will be exchanged for an OpenFaaS access token.
Pre-requisites¶
The faas-cli pro plugin requires a valid CLI license. The plugin looks for the license in the OPENFAAS_LICENSE environment variable.
Add OPENFAAS_LICENSE as a CI/CD variable in your GitLab project or group settings under Settings > CI/CD > Variables. Set the visibility to Masked and hidden to prevent the value from being exposed in job logs or the settings UI. You can also mark the variable as Protected to limit it to pipelines running on protected branches or tags only.
If you don't have a CLI license yet, contact your account representative at OpenFaaS to receive one.
Define an Issuer for GitLab.com¶
First define a new JwtIssuer resource, setting the aud field to the URL of your OpenFaaS Gateway.
apiVersion: iam.openfaas.com/v1
kind: JwtIssuer
metadata:
name: gitlab.com
namespace: openfaas
spec:
iss: https://gitlab.com
aud:
- https://gw.example.com
tokenExpiry: 30m
Issuer for https://gitlab.com
The tokenExpiry field controls how long the OpenFaaS access token is valid. A short expiry such as 30m is recommended to reduce the window in which a leaked token could be used, but it can be increased for longer-running CI jobs.
Create a Policy¶
Next, define a Policy with the least privileges required to perform the desired actions.
apiVersion: iam.openfaas.com/v1
kind: Policy
metadata:
name: dev-rw
namespace: openfaas
spec:
statement:
- sid: 1-rw-dev
action:
- Function:List
- Function:Create
- Function:Update
- Namespace:List
effect: Allow
resource: ["dev:*"]
Bind a Policy to a Role¶
Next, you need to bind the Policy to a Role.
There are around a dozen different fields available within GitLab's id_token, you can view a complete list at: GitLab OIDC: Shared information
apiVersion: iam.openfaas.com/v1
kind: Role
metadata:
name: gitlab-dev-actions-deployer
namespace: openfaas
spec:
policy:
- dev-rw
condition:
StringEqual:
jwt:iss: ["https://gitlab.com"]
jwt:user_login: ["alexellis"]
StringLike:
jwt:project_path: ["consortia/*"]
The example must match the GitLab issuer, for the login of "alexellis", with any project within the "consortia" group.
Create a GitLab CI/CD pipeline¶
To access the OpenFaaS gateway from a CI/CD pipeline you should adapt your job to:
- Obtain an id_token with the proper audience.
- Authenticate to OpenFaaS with the id_token using the faas-cli pro plugin.
Example .gitlab-ci.yml file:
stages:
- build
services:
- docker:dind
cache:
key: ${CI_COMMIT_REF_SLUG} # i.e. master
paths:
- ./faas-cli
- ./template
build_job:
stage: build
image: docker:latest
variables:
OPENFAAS_URL: https://gw.example.com
script:
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- apk add --no-cache git curl
- if [ -f "./faas-cli" ] ; then cp ./faas-cli /usr/local/bin/faas-cli || 0 ; fi
- if [ ! -f "/usr/local/bin/faas-cli" ] ; then apk add --no-cache curl git && curl -sSL https://cli.openfaas.com | sh && chmod +x /usr/local/bin/faas-cli && cp /usr/local/bin/faas-cli ./faas-cli ; fi
- faas-cli plugin get pro
- faas-cli pro auth --token=$ID_TOKEN_1
- faas-cli list -n dev
- faas-cli ns
- faas-cli store deploy -n dev printer --name p1
id_tokens:
ID_TOKEN_1:
aud: https://gw.example.com
Within your GitLab job, you must obtain an id_token with the proper audience aud field set with the address of your OpenFaaS gateway.
Next the faas-cli pro plugin can be used to authenticate to the OpenFaaS gateway using the id_token. It will exchange the token for an OpenFaaS token and save it. The faas-cli can then be used to talk to the gateway.