Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 1 changed file with 81 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,81 @@ | ||
This document shows how to access your OpenFaaS functions securly via Gloo. We will deploy everything | ||
to minikube. With minor adjustments can be applied to any kubernets cluster. | ||
|
||
# Deploy Fission & Gloo | ||
The official OpenFaas install guide is here: https://docs.fission.io/0.6.0/installation/installation/ | ||
|
||
Setting up kubernetes: https://docs.fission.io/0.6.0/installation/kubernetessetup/ | ||
|
||
|
||
To install gloo, run: | ||
``` | ||
kubectl apply -f https://raw.githubusercontent.com/solo-io/gloo-install/master/kube/install.yaml | ||
``` | ||
|
||
# Deploy Function | ||
|
||
Let's deploy an example function: this can also be found on the install guide, here: https://docs.fission.io/0.6.0/installation/installation/#run-an-example | ||
|
||
``` | ||
fission env create --name nodejs --image fission/node-env | ||
curl -LO https://raw.githubusercontent.com/fission/fission/master/examples/nodejs/hello.js | ||
fission function create --name hello --env nodejs --code hello.js | ||
fission function test --name hello | ||
``` | ||
|
||
With in a minute or so, you will see a function added to the gateway upstream: | ||
``` | ||
$ glooctl upstream get fission-router-80 | ||
+-------------------+------------+----------+----------+ | ||
| NAME | TYPE | STATUS | FUNCTION | | ||
+-------------------+------------+----------+----------+ | ||
| fission-router-80 | kubernetes | Accepted | hello | | ||
+-------------------+------------+----------+----------+ | ||
``` | ||
|
||
# Secure Access | ||
Lets provide secure access for it! | ||
|
||
create a pair of ssl certs. make sure to provide a Common Name when creating the certificate, | ||
envoy will reject a certificate without one: | ||
``` | ||
openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.cert -days 365 -nodes | ||
``` | ||
|
||
Add the certificates as secrets to kubernetes (this makes them available to gloo): | ||
``` | ||
glooctl secret create certificate --name gloo-secure -c server.cert -p server.key | ||
``` | ||
|
||
Configure gloo's default virtual host to route to the function and use the certificates: | ||
``` | ||
$ cat <<EOF | glooctl virtualhost create -f - | ||
name: default | ||
routes: | ||
- request_matcher: | ||
path_exact: /hello | ||
single_destination: | ||
function: | ||
upstream_name: fission-router-80 | ||
function_name: hello | ||
ssl_config: | ||
secret_ref: gloo-secure | ||
EOF | ||
``` | ||
|
||
|
||
# Test! | ||
|
||
Get gloo's SSL endpoint: | ||
``` | ||
HTTPS_GW=https://$(kubectl get po -l gloo=ingress -n gloo-system -o 'jsonpath={.items[0].status.hostIP}'):$(kubectl get svc ingress -n gloo-system -o 'jsonpath={.spec.ports[?(@.name=="https")].nodePort}') | ||
``` | ||
|
||
Invoke the function: | ||
``` | ||
$ curl --cacert server.cert -k $HTTPS_GW/hello | ||
Hello, world! | ||
``` | ||
|
||
Your function will respond and say hi! |
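
Review bot: In the final "Invoke the function" step, `curl --cacert server.cert -k $HTTPS_GW/hello` passes `-k`, which turns off certificate verification and leaves `--cacert server.cert` with no effect, so the walkthrough never shows the client actually validating gloo's certificate. Suggest dropping `-k` and having the reader connect by a hostname that matches the Common Name entered in the `openssl req` step (for example with curl's `--resolve`), or stating explicitly that `-k` is only there because the request goes to the node IP rather than the certificate's name. Separately, the opening sentence and the "official ... install guide" sentence say "OpenFaaS"/"OpenFaas" while the heading, links and commands are all Fission, and "securly", "kubernets" and "With in" are typos.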