Add initial notes on IAM

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <[email protected]>

Author: alexellis

README.md

@@ -5,7 +5,7 @@ This is the source repository for the OpenFaaS documentation site.
 For local development:
 
 ```shell
-# docker run --rm -it -p 8000:8000 -v `pwd`:/docs squidfunk/mkdocs-material
+docker run --rm -it -p 8000:8000 -v `pwd`:/docs squidfunk/mkdocs-material:latest
 ```
 
 ## Published page

docs/openfaas-pro/iam/example-auth0.md

@@ -0,0 +1,136 @@
+# Auth0 Example for OpenFaaS IAM
+
+In order to access the OpenFaaS API, a JWT Issuer must first be registered with the system.
+
+Create an application on Auth0 for the OpenFaaS gateway, you'll need to obtain the corresponding "client_id".
+
+## Register the Issuer for Auth0
+
+An Issuer for `https://alexellis.eu.auth0.com/` might look like this:
+
+```yaml
+apiVersion: openfaas.com/v1
+kind: JwtIssuer
+metadata:
+  name: alexellis.eu.auth0.com
+  namespace: openfaas
+spec:
+  iss: https://alexellis.eu.auth0.com/
+  aud:
+    - 17F3M3rS8ORQUPDHsgkq0YVHheZVH8dpaGHRTjAx5x0
+    - MO7Eq6O53SOxr3ie19TUMvo71ioYouJHsJEIw0PHc
+  tokenExpiry: 12h
+```
+
+## Define a Role
+
+Once registered, a Role must be created which maps users within the Issuer to be mapped to a set of Policies
+
+```yaml
+apiVersion: openfaas.com/v1
+kind: Role
+metadata:
+  name: dev-staff-deployers
+  namespace: openfaas
+spec:
+  policy:
+  - dev-rw
+  - staging-readonly
+  principal:
+    jwt:sub:
+      - github|1234567
+      - github|7654321
+  condition:
+    StringEqual:
+      jwt:iss: ["https://alexellis.eu.auth0.com/"]
+```
+> A Role including statements to evaluate its bindings to: two staff members
+
+Valid conditions include: `StringEqual` or `StringLike`.
+
+Every condition must return true for the Role to be considered as a match.
+
+The principal field is optional, however if it is given, both the principal and the condition must match. If there are multiple items given, then only one must match the token.
+
+If you configure Auth0 to emit a "group" claim such as "example.com/group", you could match this with a condition, instead of specifying individual "sub" fields.
+
+A user's email could also be fuzzy matched with a condition, for example:
+
+```yaml
+  condition:
+    StringLike:
+      jwt:email: ["*@example.com"]
+```
+
+## Bind a Policy to a Role
+
+Finally, one or more Policies must be created which describe which permissions a user has, and on which resources.
+
+```yaml
+apiVersion: openfaas.com/v1
+kind: Policy
+metadata:
+  name: dev-rw
+  namespace: openfaas
+spec:
+  statement:
+  - sid: 1-rw-dev
+    action:
+    - Function:Read
+    - Function:Admin
+    - Secret:Read
+    effect: Allow
+    resource: dev:*
+```
+
+> Allow read and write to functions and secrets within the `dev` namespace:
+
+```yaml
+apiVersion: openfaas.com/v1
+kind: Policy
+metadata:
+  name: staging-readonly
+  namespace: openfaas
+spec:
+  statement:
+  - sid: 1-ro-staging
+    action:
+    - Function:Read
+    effect: Allow
+    resource: staging-fn:*
+```
+
+> Allow only read access to functions within the `staging-fn` namespace:
+
+The JwtIssuer, Role and Policy resources are Kubernetes Custom Resources, and must be created within the `openfaas` namespace.
+
+## Authenticate as the user
+
+The `faas-cli` needs to be used to obtain a token from Auth0, and then exchange it for an OpenFaaS Access token.
+
+Note the `--audience` flag which must be set to the URL of the OpenFaaS gateway.
+
+```bash
+faas-cli pro auth \
+  --grant code \
+  --auth-url https://alexellis.eu.auth0.com/authorize \
+  --token-url https://alexellis.eu.auth0.com/oauth/token \
+  --client-id 17F3M3rS8ORQUPDHsgkq0YVHheZVH8dpaGHRTjAx5x0 \
+  --audience https://gw.example.com
+```
+
+Exchange the resulting id_token for an OpenFaaS Access token:
+
+```bash
+export ID_TOKEN=""
+export ACCESS_TOKEN=$(curl -s https://gw.example.com/oauth/token?grant_type=urn:ietf:params:oauth:grant-type:token-exchange -d "$id_token")
+```
+
+You can then use the OpenFaaS Access token as follows:
+
+```bash
+faas-cli list --token $ACCESS_TOKEN
+```
+
+In a future version of the `faas-cli` the above token exchange will be automated.
+

docs/openfaas-pro/iam/github-actions-federation.md

@@ -0,0 +1,106 @@
+# GitHub Actions - Web Identity Federation
+
+In this guide, you'll learn how to deploy from GitHub Actions CI/CD using OpenFaaS's IAM support and Web Identity Federation. 
+
+You'll need to create YAML files for an Issuer, a Policy and a Role. These need to be applied through kubectl, Helm or a GitOps tool.
+
+Your build will need to be adapted in order to receive an id_token from GitLab, which will be exchanged for an OpenFaaS access token.
+
+## Define an Issuer for GitHub Actions
+
+First define a new JwtIssuer resource, setting the `aud` field to the URL of your OpenFaaS Gateway.
+
+```yaml
+apiVersion: openfaas.com/v1
+kind: JwtIssuer
+metadata:
+  name: token.actions.githubusercontent.com
+  namespace: openfaas
+spec:
+  iss: https://token.actions.githubusercontent.com
+  aud:
+  - https://gw.example.com
+  tokenExpiry: 30m
+```
+
+> Issuer for https://token.actions.githubusercontent.com
+
+## Create a Policy
+
+Next, define a Policy with the least privileges required to perform the desired actions.
+
+```yaml
+apiVersion: openfaas.com/v1
+kind: Policy
+metadata:
+  name: dev-rw
+  namespace: openfaas
+spec:
+  statement:
+  - sid: 1-rw-dev
+    action:
+    - Function:Read
+    - Function:Admin
+    - Secret:Read
+    effect: Allow
+    resource: dev:*
+```
+
+## Bind a Policy to a Role
+
+Next, you need to bind the Policy to a Role.
+
+There are around a dozen different fields available within the GitHub Actions `id_token`:
+
+```json
+{
+  "actor": "aidansteele",
+  "aud": "https://github.com/aidansteele/aws-federation-github-actions",
+  "base_ref": "",
+  "event_name": "push",
+  "exp": 1631672856,
+  "head_ref": "",
+  "iat": 1631672556,
+  "iss": "https://token.actions.githubusercontent.com",
+  "job_workflow_ref": "aidansteele/aws-federation-github-actions/.github/workflows/test.yml@refs/heads/main",
+  "jti": "8ea8373e-0f9d-489d-a480-ac37deexample",
+  "nbf": 1631671956,
+  "ref": "refs/heads/main",
+  "ref_type": "branch",
+  "repository": "aidansteele/aws-federation-github-actions",
+  "repository_owner": "aidansteele",
+  "run_attempt": "1",
+  "run_id": "1235992580",
+  "run_number": "5",
+  "sha": "bf96275471e83ff04ce5c8eb515c04a75d43f854",
+  "sub": "repo:aidansteele/aws-federation-github-actions:ref:refs/heads/main",
+  "workflow": "CI"
+}
+```
+
+> Example from: [Deploy without credentials with GitHub Actions and OIDC](https://blog.alexellis.io/deploy-without-credentials-using-oidc-and-github-actions/)
+
+```yaml
+apiVersion: openfaas.com/v1
+kind: Role
+metadata:
+  name: dev-actions-deployer
+  namespace: openfaas
+spec:
+  policy:
+  - dev-rw
+  condition:
+    StringEqual:
+      jwt:iss: ["https://token.actions.githubusercontent.com"]
+      jwt:repository_owner: ["openfaas"]
+    StringLike:
+      jwt:ref: ["refs/heads/*"]
+```
+
+The example must match the issuer and organisation name of "openfaas", and can match any branch name.
+
+You could restrict this further by looking at the "actor" for instance.
+
+Finally, you need to apply all of the above objects, and can test it end to end.
+
+See an example [GitHub Actions Workflow](https://github.com/alexellis/minty/blob/master/.github/workflows/federate.yml)

docs/openfaas-pro/iam/gitlab-federation.md

@@ -0,0 +1,82 @@
+# GitLab - Web Identity Federation
+
+In this guide, you'll learn how to deploy from GitLab CI/CD using OpenFaaS's IAM support and Web Identity Federation. 
+
+You'll need to create YAML files for an Issuer, a Policy and a Role. These need to be applied through kubectl, Helm or a GitOps tool.
+
+Your build will need to be adapted in order to receive an id_token from GitLab, which will be exchanged for an OpenFaaS access token.
+
+## Define an Issuer for GitLab.com
+
+First define a new JwtIssuer resource, setting the `aud` field to the URL of your OpenFaaS Gateway.
+
+```yaml
+apiVersion: openfaas.com/v1
+kind: JwtIssuer
+metadata:
+  name: token.actions.githubusercontent.com
+  namespace: openfaas
+spec:
+  iss: https://token.actions.githubusercontent.com
+  aud:
+  - https://gw.example.com
+  tokenExpiry: 30m
+```
+
+> Issuer for https://token.actions.githubusercontent.com
+
+## Create a Policy
+
+Next, define a Policy with the least privileges required to perform the desired actions.
+
+```yaml
+apiVersion: openfaas.com/v1
+kind: Policy
+metadata:
+  name: dev-rw
+  namespace: openfaas
+spec:
+  statement:
+  - sid: 1-rw-dev
+    action:
+    - Function:Read
+    - Function:Admin
+    - Secret:Read
+    effect: Allow
+    resource: dev:*
+```
+
+## Bind a Policy to a Role
+
+Next, you need to bind the Policy to a Role.
+
+There are around a dozen different fields available within GitLab's `id_token`, you can view a complete list at: [GitLab OIDC: Shared information](https://docs.gitlab.com/ee/integration/openid_connect_provider.html#shared-information)
+
+```yaml
+apiVersion: openfaas.com/v1
+kind: Role
+metadata:
+  name: gitlab-dev-actions-deployer
+  namespace: openfaas
+spec:
+  policy:
+  - dev-rw
+  condition:
+    StringEqual:
+      jwt:iss: ["https://gitlab.com"]
+      jwt:user_login: ["alexellis"]
+    StringLike:
+      jwt:project_path: ["consortia/*"]
+```
+
+The example must match the GitLab issuer, for the login of "alexellis", with any project within the "consortia" group.
+
+Within your GitLab job, you must obtain an id_token with the proper audience `aud` field set with the address of your OpenFaaS gateway:
+
+```yaml
+  id_tokens:
+    ID_TOKEN_1:
+      aud: https://gw.example.com
+```
+
+See an example repository and `.gitlab-ci.yml` file on GitLab [gitlab.com/consortia/deploy-fn](https://gitlab.com/consortia/deploy-fn/-/blob/main/.gitlab-ci.yml)