Enable non-repudiation for function callbacks

chart/openfaas/README.md

@@ -174,6 +174,25 @@ Scaling to zero is done by the `faas-idler` component and by default will only c
 --set faasIdler.dryRun=false
 ```
 
+## HTTP message signing
+To enable message signing when using asynchronous functions we need to generate a key pair. Using HTTP message signing 
+allows function callbacks to verify the authenticity of the callee. Only the OpenFaaS gateway should invoke the callback
+URL. This feature enables you to verify that.
+
+```bash
+rm signing.key > /dev/null 2>&1 || true && rm signing.key.pub > /dev/null 2>&1 || true
+ssh-keygen -t rsa -b 2048 -N "" -m PEM -f signing.key > /dev/null 2>&1
+openssl rsa -in ./signing.key -pubout -outform PEM -out signing.key.pub > /dev/null 2>&1
+
+kubectl create secret generic http-signing-private-key -n openfaas \
+    --from-file=http-signing-private-key=./signing.key
+
+kubectl create secret generic http-signing-public-key -n openfaas \
+    --from-file=http-signing-public-key=./signing.key.pub
+
+rm signing.key || true && rm signing.key.pub || true
+```
+
 ## Configuration
 
 Additional OpenFaaS options in `values.yaml`.
@@ -187,6 +206,7 @@ Additional OpenFaaS options in `values.yaml`.
 | `basic_auth` | Enable basic authentication on the Gateway | `false` |
 | `rbac` | Enable RBAC | `true` |
 | `securityContext` | Deploy with a `securityContext` set, this can be disabled for use with Istio sidecar injection | `true` |
+| `http_signatures` | Enable http message signing for non-repudiation of asynchronous function callbacks | `false` |
 | `openfaasImagePullPolicy` | Image pull policy for openfaas components, can change to `IfNotPresent` in offline env | `Always` |
 | `kubernetesDNSDomain` | Domain name of the Kubernetes cluster | `cluster.local` |
 | `operator.create` | Use the OpenFaaS operator CRD controller, default uses faas-netes as the Kubernetes controller | `false` |

chart/openfaas/templates/gateway-dep.yaml

@@ -25,12 +25,17 @@ spec:
       {{- else }}
       serviceAccountName: {{ .Release.Name }}-controller
       {{- end }}
-      {{- if .Values.basic_auth }}
       volumes:
+      {{- if .Values.basic_auth }}
       - name: auth
         secret:
           secretName: basic-auth
       {{- end }}
+      {{- if .Values.http_signatures }}
+      - name: http-signing-public-key
+        secret:
+          secretName: http-signing-public-key
+      {{- end }}
       containers:
       - name: gateway
         image: {{ .Values.gateway.image }}
@@ -73,6 +78,8 @@ spec:
           value: "true"
         - name: direct_functions_suffix
           value: "{{ $functionNs }}.svc.{{ .Values.kubernetesDNSDomain }}"
+        - name: secret_mount_path
+          value: "/var/secrets"
         {{- if .Values.async }}
         - name: faas_nats_address
           value: "nats.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesDNSDomain }}"
@@ -82,21 +89,24 @@ spec:
         {{- if .Values.basic_auth }}
         - name: basic_auth
           value: "true"
-        - name: secret_mount_path
-          value: "/var/secrets"
         {{- end }}
         - name: scale_from_zero
           value: "{{ .Values.gateway.scaleFromZero }}"
         - name: max_idle_conns
           value: "{{ .Values.gateway.maxIdleConns }}"
         - name: max_idle_conns_per_host
           value: "{{ .Values.gateway.maxIdleConnsPerHost }}"
-        {{- if .Values.basic_auth }}
         volumeMounts:
+        {{- if .Values.basic_auth }}
         - name: auth
           readOnly: true
           mountPath: "/var/secrets"
         {{- end }}
+        {{- if .Values.http_signatures }}
+        - name: http-signing-public-key
+          readOnly: true
+          mountPath: "/var/secrets"
+        {{- end }}
         ports:
         - name: http
           containerPort: 8080

chart/openfaas/templates/queueworker-dep.yaml

@@ -19,35 +19,49 @@ spec:
       labels:
         app: queue-worker
     spec:
-      {{- if .Values.basic_auth }}
       volumes:
+      {{- if .Values.basic_auth }}
       - name: auth
         secret:
           secretName: basic-auth
       {{- end }}
+      {{- if .Values.http_signatures }}
+      - name: http-signing-private-key
+        secret:
+          secretName: http-signing-private-key
+      {{- end }}
       containers:
       - name:  queue-worker
         image: {{ .Values.queueWorker.image }}
         imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
         env:
+        - name : write_debug
+          value : "true"
         {{- if .Values.functionNamespace }}
         - name: faas_function_suffix
           value: ".{{ .Values.functionNamespace }}.svc.{{ .Values.kubernetesDNSDomain }}"
         {{- end }}
         - name: ack_wait    # Max duration of any async task / request
           value: {{ .Values.queueWorker.ackWait }}
-        {{- if .Values.basic_auth }}
         - name: secret_mount_path
           value: "/var/secrets"
+        {{- if .Values.basic_auth }}
         - name: basic_auth
           value: "{{ .Values.basic_auth }}"
+        {{- end }}
         - name: faas_nats_address
           value: "nats.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesDNSDomain }}"
         volumeMounts:
+        {{- if .Values.basic_auth }}
         - name: auth
           readOnly: true
           mountPath: "/var/secrets"
         {{- end }}
+        {{- if .Values.http_signatures }}
+        - name: http-signing-private-key
+          readOnly: true
+          mountPath: "/var/secrets"
+        {{- end }}
     {{- with .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}

chart/openfaas/values.yaml

@@ -7,6 +7,7 @@ serviceType: NodePort
 rbac: true
 securityContext: true
 basic_auth: false
+http_signatures: false
 
 faasnetes:
   image: openfaas/faas-netes:0.7.1

yaml/README.md

@@ -64,3 +64,68 @@ Now attempt to login with:
 ```
 echo -n $GW_PASS | faas-cli login --username=admin --password-stdin
 ```
+
+## 2.0 Enable Non-repudiation for asynchronous function callbacks
+
+To enable built-in Non-repudiation for asynchronous function callbacks: create secrets, 
+configure and mount the secrets to the gateway and queue worker.
+
+### 2.1 Create secrets:
+
+```
+rm signing.key > /dev/null 2>&1 || true && rm signing.key.pub > /dev/null 2>&1 || true
+ssh-keygen -t rsa -b 2048 -N "" -m PEM -f signing.key > /dev/null 2>&1
+openssl rsa -in ./signing.key -pubout -outform PEM -out signing.key.pub > /dev/null 2>&1
+
+kubectl create secret generic http-signing-private-key -n openfaas \
+    --from-file=http-signing-private-key=./signing.key
+
+kubectl create secret generic http-signing-public-key -n openfaas \
+    --from-file=http-signing-public-key=./signing.key.pub
+
+rm signing.key || true && rm signing.key.pub || true
+```
+
+### 2.2 Add volume mount to gateway
+
+```
+        volumeMounts:
+        - name: http-signing-public-key
+          readOnly: true
+          mountPath: "/etc/openfaas"
+```
+
+### 2.3 Add secrets as volumes to gateway
+
+```
+      volumes:
+      - name: http-signing-public-key
+        secret:
+          secretName: http-signing-public-key
+```
+
+
+### 2.4 Add volume mount to queue worker
+
+```
+        volumeMounts:
+        - name: http-signing-private-key
+          readOnly: true
+          mountPath: "/etc/openfaas"
+```
+
+### 2.5 Add secrets as volumes to queue worker
+
+```
+      volumes:
+      - name: http-signing-private-key
+        secret:
+          secretName: http-signing-private-key
+```
+
+Apply the changes to the gateway and queue worker(deployment only):
+
+```
+$ kubectl apply -f ./yaml/gateway-dep.yml
+$ kubectl apply -f ./yaml/queueworker-dep.yml
+```