GitLab - Web Identity Federation¶
In this guide, you'll learn how to deploy from GitLab CI/CD using OpenFaaS's IAM support and Web Identity Federation.
You'll need to create YAML files for an Issuer, a Policy and a Role. These need to be applied through kubectl, Helm or a GitOps tool.
Your build will need to be adapted in order to receive an id_token from GitLab, which will be exchanged for an OpenFaaS access token.
Define an Issuer for GitLab.com¶
First define a new JwtIssuer resource, setting the aud field to the URL of your OpenFaaS Gateway.
apiVersion: openfaas.com/v1
kind: JwtIssuer
metadata:
name: token.actions.githubusercontent.com
namespace: openfaas
spec:
iss: https://token.actions.githubusercontent.com
aud:
- https://gw.example.com
tokenExpiry: 30m
Issuer for https://token.actions.githubusercontent.com
Create a Policy¶
Next, define a Policy with the least privileges required to perform the desired actions.
apiVersion: openfaas.com/v1
kind: Policy
metadata:
name: dev-rw
namespace: openfaas
spec:
statement:
- sid: 1-rw-dev
action:
- Function:Read
- Function:Admin
- Secret:Read
effect: Allow
resource: dev:*
Bind a Policy to a Role¶
Next, you need to bind the Policy to a Role.
There are around a dozen different fields available within GitLab's id_token, you can view a complete list at: GitLab OIDC: Shared information
apiVersion: openfaas.com/v1
kind: Role
metadata:
name: gitlab-dev-actions-deployer
namespace: openfaas
spec:
policy:
- dev-rw
condition:
StringEqual:
jwt:iss: ["https://gitlab.com"]
jwt:user_login: ["alexellis"]
StringLike:
jwt:project_path: ["consortia/*"]
The example must match the GitLab issuer, for the login of "alexellis", with any project within the "consortia" group.
Within your GitLab job, you must obtain an id_token with the proper audience aud field set with the address of your OpenFaaS gateway:
id_tokens:
ID_TOKEN_1:
aud: https://gw.example.com
See an example repository and .gitlab-ci.yml file on GitLab gitlab.com/consortia/deploy-fn