Mount public key to dashboard as secret

Signed-off-by: Brandon Wilson <brandon@coil.com>

Author: wilsonianb

dashboard/README.md

@@ -39,6 +39,16 @@ $ faas-cli store deploy nodeinfo --name alexellis-nodeinfo \
  --annotation com.openfaas.cloud.git-repo-url=https://github.com/alexellis/nodeinfo
 ```
 
+### Deploy SealedSecrets public key
+
+The dashboard serves the SealedSecrets public key file in `/var/openfaas/secrets/pub-cert.pem`.
+
+To mount the key in Kubernetes, run:
+
+```
+$ kubectl create secret generic sealedsecrets-public-key -n openfaas-fn --from-file=pub-cert.pem
+```
+
 ### Deploy at least the list-functions function
 
 From the root directory edit `gateway_config.yml`, if on Swarm remove any `.openfaas` suffix you see in URLs.
@@ -106,7 +116,7 @@ npm i -g yarn
 The source code for the dashboard (written in React.js) with Bootstrap 3 has to be built into a generated folder. In order to do this type in `make`
 
 ```bash
-make
+make build-dist
 ```
 
 You will see new files written into `of-cloud-dashboard/dist`

dashboard/client/public/index.html

@@ -20,7 +20,6 @@
     window.ALL_CLAIMS = '__ALL_CLAIMS__';
     window.GITHUB_APP_URL = '__GITHUB_APP_URL__';
     window.GITLAB_URL = '__GITLAB_URL__';
-    window.PUBLIC_KEY_EXISTS = '__PUBLIC_KEY_EXISTS__';
   </script>
 </head>
 

dashboard/client/src/components/NavBar/NavBar.jsx

@@ -118,18 +118,16 @@ class NavBarWithRouter extends Component {
                 </NavLink>
               </NavItem>
             }
-            { window.PUBLIC_KEY_EXISTS &&
-              <NavItem>
-                <NavLink
-                  className="py-3 px-3 px-md-2"
-                  href="dist/pub-cert.pem"
-                  title="Encrypt function secrets for use in your git repository"
-                >
-                  <FontAwesomeIcon icon={faKey} className="mr-1" />
-                  Public Key
-                </NavLink>
-              </NavItem>
-            }
+            <NavItem>
+              <NavLink
+                className="py-3 px-3 px-md-2"
+                href="api/pub-cert.pem"
+                title="Encrypt function secrets for use in your git repository"
+              >
+                <FontAwesomeIcon icon={faKey} className="mr-1" />
+                Public Key
+              </NavLink>
+            </NavItem>
           </Nav>
           <Nav navbar className="ml-auto">
             { this.isLoggedIn() && this.createNavLink(

dashboard/dashboard_config.yml

@@ -16,34 +16,4 @@ environment:
   # see https://github.com/settings/apps/
   # github_app_url: https://github.com/apps/o6s-io
   # Public URL for your GitLab instance
-  # gitlab_url: https://gitlab.o6s.io/
-  # SealedSecrets public key
-  # public_key: |
-  #   -----BEGIN CERTIFICATE-----
-  #   MIIErjCCApagAwIBAgIRAOpOnJ35KXJmoda4VjnxqgIwDQYJKoZIhvcNAQELBQAw
-  #   ADAeFw0yMDEwMjAyMzE5MzhaFw0zMDEwMTgyMzE5MzhaMAAwggIiMA0GCSqGSIb3
-  #   DQEBAQUAA4ICDwAwggIKAoICAQC1RNAnJC850lP00fWJVGs7y/AaWU08eitNmqgm
-  #   VkRg04baGLSOIwv5aMzHe68e1bZUAa3NzhL7lKEJdgU4+G0eidVjg4hngVvPfaCy
-  #   o6OYU+f9rTDTwOihwOu1rGBUrG42S8niWJpfDMmzyFgG/AZAJfiYOK6/FIP0JoZB
-  #   JQqorJvsmdrhve+LlwUlFIBj9cP5mWQ2OlrM49QV2rlauJfR8UEwQxsQYmxDrKxe
-  #   NltLrrsSVqqarcOCE7vHlnV+YoBK9CEAu4nCjCDV3B8fRI3ODoO5twAGJ21NeVKm
-  #   OeqgDm48lViol3Fn5iBEd1Xsp+HKG2aki7H8SkNMPvbJutt+9buhctMT1DZGfkf1
-  #   vfdYFEOQ0G8rnnYQa6hiVPwR/a1HQ0L3cSDgLCCk1O2bu69wQQDT+IdPK3HJMyWM
-  #   JgXnL3HdvuWB2/35/88pVn26tGtRLM3Ye6OqbDMpC8mvNPvKyyvwg4h+PEX5U09X
-  #   v7pJQiUCwp1bPcDGSifdN+pFvMx188G7clrLXwjW0Grvc1aXCvOM+0/ZFaxXm2DO
-  #   j0DrrvjwQy+v4DxNNjYd2n/6IJlA1ea0EV6VkS7eWhX44DU3ILwLhTo0r9TWye49
-  #   7yPJjZsyM+tTKSEBxtQ59PFpvAYC6zBMbOtn5wbVFNLuiz78lVpcvJuEfl66QoME
-  #   yposYQIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAAEwDwYDVR0TAQH/BAUwAwEB/zAN
-  #   BgkqhkiG9w0BAQsFAAOCAgEAnc5P1bXQFQXxF4+3xTsFll3JL1/b40UvnCPz8mUw
-  #   RioBFrpHp7w5ETcjGf9/ADzKx7k/ffzKPxQEiQj01Lsqy02TkQLwvWA5KXlY9OnJ
-  #   J+8IyJAbmnd6X0boMcKwtUc/vvrzkTP7gDthEX5y2kFJCCg/5k/d100U6E+1CN4h
-  #   0tSEfzKfSYW8EUHv5r4PQfFgd7n+afEGw/XURhdNUdO0a5EyvzU9510+hCZM2uRJ
-  #   KpqaQZ7tPP/pFtziDHP9imlij2CfOP5IQn8zWzbAJUK5vM/mmEyW8sDGhYno2xJS
-  #   aRR3J1m2ieDPmat56J4hVCaLQLknEsLGhbEUdJGJTdA4m8L1dYbIh2E4Nwa/WUuz
-  #   IcyQ7cTLMwHnHtB6Z35PptdJ/0SnRLut8sgj36UMxP9/McGXxoBMGT5WGfJV0n16
-  #   eRCzbWDg8xkr5ZqTofoIHs9SXx7Dm1GM+aB+rvHgQDUlnarqbQyWclqbArAqtcFI
-  #   W3bt8vFpHympK9sKNRv0oGnMdT3NJCftdkF28aXnAESv0DzkzZxOKooesNe+j5nx
-  #   jHP/isiGskK0EdOVetJN+FuDo0Ys+Ev/d7vAyy32WIcnTfbJ7nAHnhvhPCDp05F3
-  #   aAgXn0ahlcFp/HqzyD+hxPKszH1NG0WXEXIhNBr+1MoGlwTJ+PIp9oY4wt5SoKcz
-  #   rl4=
-  #   -----END CERTIFICATE-----
+  # gitlab_url: https://gitlab.o6s.io/

dashboard/of-cloud-dashboard/handler.js

@@ -60,6 +60,20 @@ module.exports = async (event, context) => {
       console.log(`${method} ${upstreamURL} - 500, error: ${err}`);
       return context.status(500).fail('Proxy request failed');
     }
+  } else if (/^\/api\/pub-cert.pem\/?$/.test(path)) {
+    try {
+      const pubKey = await fsPromises.readFile('/var/openfaas/secrets/pub-cert.pem');
+      const headers = {
+        'Content-Type': 'text/plain',
+      };
+      return context
+        .headers(headers)
+        .status(200)
+        .succeed(pubKey);
+    } catch (err) {
+      console.log(`GET /api/pub-cert.pem, error: ${err}`);
+      return context.status(404).succeed('Not found');
+    }
   }
 
   let headers = {
@@ -76,18 +90,6 @@ module.exports = async (event, context) => {
     headers['Content-Type'] = 'application/json';
   } else if (/.*\.map/.test(path)) {
     headers['Content-Type'] = 'application/octet-stream';
-  } else if (/^\/dist\/pub-cert.pem\/?$/.test(path)) {
-    if (!process.env.public_key) {
-      return context
-        .status(404)
-        .fail('Not found');
-    }
-
-    headers['Content-Type'] = 'text/plain';
-    return context
-      .headers(headers)
-      .status(200)
-      .succeed(process.env.public_key);
   }
 
   let contentPath = `${__dirname}${path}`;
@@ -141,7 +143,7 @@ module.exports = async (event, context) => {
 }
 
 function replaceTokens(content, isSignedIn, claims) {
-    const { base_href, public_url, pretty_url, query_pretty_url, github_app_url, gitlab_url, public_key } = process.env;
+    const { base_href, public_url, pretty_url, query_pretty_url, github_app_url, gitlab_url } = process.env;
     let replaced = content
 
     replaced = replaced.replace(/__BASE_HREF__/g, base_href);
@@ -152,7 +154,6 @@ function replaceTokens(content, isSignedIn, claims) {
     replaced = replaced.replace(/__ALL_CLAIMS__/g, claims);
     replaced = replaced.replace(/__GITHUB_APP_URL__/g, github_app_url || "");
     replaced = replaced.replace(/__GITLAB_URL__/g, gitlab_url || "");
-    replaced = replaced.replace(/__PUBLIC_KEY_EXISTS__/g, public_key ? "true" : "");
 
     return replaced
 }

dashboard/stack.yml

@@ -13,6 +13,8 @@ functions:
       role: openfaas-system
     environment_file:
       - dashboard/dashboard_config.yml
+    secrets:
+      - sealedsecrets-public-key
     limits:
       memory: 256Mi
     requests: