Secrets come in two flavors: image-pull secrets and application secrets.
- Image-pull secrets are what Kubernetes uses to pull Docker images from a private registry.
- Application secrets are simply sensitive values that your function requires to function, e.g. a database password.
faas-netes supports both types of secrets.
If you are familiar with the inner workings of Kubernetes, then image-pull secrets will be used as you would expect from the Kubernetes documentation. In contrast, application secrets will behave in the same way that secrets are handled in Docker Swarm: they will be mounted as files in the /run/secrets folder. This allows your functions to be agnostic of the deployment infrastructure. The relevant Kubernetes documentation for how this is implemented can be found here.
Note: You can transparently use both types of secrets simultaneously for a function. faas-netes will gracefully inspect and handle secrets of different types.
$ docker pull functions/alpine:latest
$ docker tag functions/alpine:latest $DOCKER_USERNAME/private-alpine:latest
$ docker push $DOCKER_USERNAME/private-alpine:latest
Now log into the Hub and make your image private-alpine private.
$ mkdir privatefuncs && cd privatefuncs
$ touch stack.yaml
In your favorite editor, open stack.yaml and add:
provider:
  name: faas
  gateway: http://localhost:8080
functions:
  protectedapi:
    lang: Dockerfile
    skip_build: true
    image: username/private-alpine:latest
If you try to deploy using faas-cli deploy, it will fail because Kubernetes cannot pull the image.
You can verify this in the Kubernetes dashboard or via the CLI using the kubectl describe command.
To deploy the function, we need to create the image-pull secret:
- Set the following environment variables:
  - $DOCKER_USERNAME
  - $DOCKER_PASSWORD
  - $DOCKER_EMAIL
- Then run this command to create the needed secret:
  $ kubectl create secret docker-registry dockerhub \
      --docker-username="$DOCKER_USERNAME" \
      --docker-password="$DOCKER_PASSWORD" \
      --docker-email="$DOCKER_EMAIL"
- Update your stack file to include the secret:
  provider:
    name: faas
    gateway: http://localhost:8080
  functions:
    protectedapi:
      lang: Dockerfile
      skip_build: true
      image: username/private-alpine:latest
      secrets:
        - dockerhub
Now you can again deploy the project using faas-cli deploy. Now when you inspect the Kubernetes pods, you will see that it can pull the Docker image.
What if the previous function also requires access to a database, and you have stored the username and password credentials in dbusername.txt and dbpass.txt? Using the Kubernetes documentation as a basis, we can create a secret in Kubernetes:
kubectl create secret generic db-user-pass --from-file=./dbusername.txt --from-file=./dbpass.txt
secret "db-user-pass" created
provider:
  name: faas
  gateway: http://localhost:8080
functions:
  protectedapi:
    lang: Dockerfile
    skip_build: true
    image: username/private-alpine:latest
    secrets:
      - dockerhub
      - db-user-pass
You can again use faas-cli deploy to deploy your function. Now, when you use kubectl describe pod <pod-name> you should see the db-user-pass referenced in the Mounts and Volumes sections of the output.
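
How a function might consume the application secret once it is mounted under /run/secrets, as an added example that is not part of the original documentation or the faas-netes code base. It assumes the mounted files carry the key names created by --from-file above (dbusername.txt and dbpass.txt); read_secret, db_credentials, SecretError and demo are hypothetical names, and the sample values are constructed.

```python
"""Read application secrets that are mounted as files (added example)."""
import tempfile
from pathlib import Path

SECRETS_DIR = Path("/run/secrets")  # mount folder named on this page


class SecretError(RuntimeError):
    """Raised when a secret cannot be read; never carries the secret value."""


def read_secret(name, base=SECRETS_DIR):
    # A secret name is a single file name: refuse anything that could
    # resolve outside the mount folder.
    if not name or name in (".", "..") or any(c in name for c in "/\\\0"):
        raise SecretError("invalid secret name")
    try:
        # Kubernetes exposes each key through a symlink, so links are followed.
        text = (Path(base) / name).read_bytes().decode("utf-8")
    except (OSError, UnicodeDecodeError):
        # "from None" keeps read/decode details out of the traceback.
        raise SecretError(f"secret {name!r} is not readable under {base}") from None
    # Files written by an editor or `echo` end in a newline; sending it as
    # part of a password is a common cause of failed logins.
    value = text.rstrip("\r\n")
    if not value:
        raise SecretError(f"secret {name!r} is empty")
    return value


def db_credentials(base=SECRETS_DIR):
    # Assumed file names: the keys created by --from-file on this page.
    return read_secret("dbusername.txt", base), read_secret("dbpass.txt", base)


def demo():
    # Constructed stand-in for the mounted folder so the example runs offline.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "dbusername.txt").write_text("appuser\n")
        Path(tmp, "dbpass.txt").write_text("constructed-password\n")
        return db_credentials(tmp)


if __name__ == "__main__":
    user, password = demo()
    print(f"user={user} password_length={len(password)}")
```

The function fails closed when a secret is missing or empty instead of falling back to an environment variable or a default, so a misconfigured stack file surfaces at startup rather than as a silent unauthenticated connection attempt.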