IAM improvements and pro-builder with build-time secrets

* Improvements on IAM policy conditions
* Build-time secrets are now supported when enabled for the
pro-builder

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>

Author: alexellis

chart/openfaas/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 type: application
 description: OpenFaaS - Serverless Functions Made Simple
 name: openfaas
-version: 15.0.2
+version: 15.0.3
 sources:
 - https://github.com/openfaas/faas
 - https://github.com/openfaas/faas-netes

chart/openfaas/values.yaml

@@ -152,7 +152,7 @@ eventWorker:
 
 # For OpenFaaS Pro and the Function CRD
 operator:
-  image: ghcr.io/openfaasltd/faas-netes:0.5.88
+  image: ghcr.io/openfaasltd/faas-netes:0.5.89
   create: false
   logs:
     debug: false
@@ -199,7 +199,7 @@ operator:
     successThreshold: 1
 
 faasnetesPro:
-  image: ghcr.io/openfaasltd/faas-netes:0.5.88
+  image: ghcr.io/openfaasltd/faas-netes:0.5.89
   logs:
     debug: false
     format: "console"

chart/pro-builder/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 description: Build OpenFaaS functions via a REST API
 name: pro-builder
-version: 0.6.6
+version: 0.6.7
 sources:
 - https://github.com/openfaas/faas-netes
 home: https://www.openfaas.com

chart/pro-builder/README.md

@@ -70,6 +70,37 @@ kubectl create secret generic payload-secret \
   --from-file payload-secret=payload.txt -n openfaas
 ```
 
+### Optional sealed build secrets
+
+To enable per-build sealed secrets, generate a keypair:
+
+```bash
+faas-cli secret keygen -o private.key
+
+kubectl create secret generic -n openfaas \
+  pro-builder-build-secrets-key \
+  --from-file private.key=./private.key
+```
+
+Distribute `private.key.pub` to build clients. They seal secrets with:
+
+```bash
+faas-cli secret seal \
+  --public-key ./private.key.pub \
+  --key-id builder-key-1 \
+  --from-literal pip_token=s3cr3t
+```
+
+Then enable the feature in your custom values file:
+
+```yaml
+buildSecrets:
+  keyID: builder-key-1
+  privateKeySecret: pro-builder-build-secrets-key
+```
+
+When enabled, the builder unseals `com.openfaas.secrets` from the build tar and exposes `GET /publickey` so callers can fetch the public key and `key_id`.
+
 ## Install the Chart
 
 - Create the required secret with your OpenFaaS Pro license code:

chart/pro-builder/templates/deployment.yml

@@ -52,6 +52,14 @@ spec:
           secret:
             defaultMode: 420
             secretName: openfaas-license
+        {{- if .Values.buildSecrets.privateKeySecret }}
+        - name: build-secrets-key
+          secret:
+            secretName: {{ .Values.buildSecrets.privateKeySecret }}
+            items:
+              - key: {{ .Values.buildSecrets.privateKeyKey | quote }}
+                path: {{ .Values.buildSecrets.privateKeyKey | quote }}
+        {{- end }}
         - name: builder-workspace
           emptyDir: {}
         - name: buildkit-workspace
@@ -85,6 +93,14 @@ spec:
             value: {{ .Values.disableHmac | quote }}
           - name: "max_inflight"
             value: {{ or .Values.proBuilder.maxInflight 0  | quote }}
+          {{- if .Values.buildSecrets.privateKeySecret }}
+          - name: build_secrets_private_key_path
+            value: {{ printf "%s/%s" .Values.buildSecrets.mountPath .Values.buildSecrets.privateKeyKey | quote }}
+          {{- if .Values.buildSecrets.keyID }}
+          - name: build_secrets_key_id
+            value: {{ .Values.buildSecrets.keyID | quote }}
+          {{- end }}
+          {{- end }}
           {{- if .Values.awsCredentialsSecret }}
           - name: AWS_SHARED_CREDENTIALS_FILE
             value: /var/secrets/aws-credentials/{{ .Values.awsCredentialsSecret }}
@@ -127,6 +143,11 @@ spec:
         - name: license
           readOnly: true
           mountPath: "/var/secrets/license"
+        {{- if .Values.buildSecrets.privateKeySecret }}
+        - name: build-secrets-key
+          readOnly: true
+          mountPath: {{ .Values.buildSecrets.mountPath | quote }}
+        {{- end }}
         - name: builder-workspace
           mountPath: /tmp/
           readOnly: false

chart/pro-builder/values.yaml

@@ -16,7 +16,7 @@ securityContext: {}
 
 # image is for the pro-builder API
 proBuilder:
-  image: ghcr.io/openfaasltd/pro-builder:0.5.3
+  image: ghcr.io/openfaasltd/pro-builder:0.5.4
 
   # Set to 0 for unlimited, or some non-zero value for a hard limit
   # the builder will return a HTTP 429 status code, then the client
@@ -83,6 +83,21 @@ disableHmac: false
 # enableLchown is usually set to false
 enableLchown: false
 
+buildSecrets:
+  # Name of the Kubernetes Secret containing the nacl/box private key.
+  # Set this to enable build secrets — the feature is on when a key is configured.
+  privateKeySecret: ""
+
+  # A stable identifier returned by GET /publickey and validated on incoming
+  # build secrets envelopes.
+  keyID: ""
+
+  # Key within privateKeySecret to mount into the Pod.
+  privateKeyKey: private.key
+
+  # Directory mount for the private key file within the pro-builder container.
+  mountPath: /var/secrets/buildkit
+
 imagePullPolicy: IfNotPresent
 
 fullnameOverride: "pro-builder"