From ee3750f674ad1e39b8cc9c657aa6d1bb4f951e20 Mon Sep 17 00:00:00 2001 From: "Alex Ellis (VMware)" Date: Fri, 13 Jul 2018 15:18:21 +0100 Subject: [PATCH 1/4] Enable basic-auth by default The deployment script will enable basic-auth by default to help avoid people deploying to a public IP with no protection from malicious actors. - In deploy_stash.sh /dev/random can hang on some systems, so using urandom will give a better experience, if less "random" data. For the purposes of creating an initial basic auth password this is sufficient. - Alpine Linux does not have the shasum command, but sha256sum. - Tested on MacOS with and without --no-auth flag. - Does not apply for armhf or powershell. BASIC_AUTH env-var added by Vivek Syngh @viveksyngh Signed-off-by: Alex Ellis (VMware) --- deploy_stack.sh | 48 ++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 46 insertions(+), 2 deletions(-) diff --git a/deploy_stack.sh b/deploy_stack.sh index aaea8aa1c..c38ce9177 100755 --- a/deploy_stack.sh +++ b/deploy_stack.sh 
@@ -5,6 +5,50 @@ if ! [ -x "$(command -v docker)" ]; then exit 1 fi -echo "Deploying stack" -docker stack deploy func --compose-file docker-compose.yml +export BASIC_AUTH="true" + +sha_cmd="shasum -a 256" +if ! command -v shasum >/dev/null; then + sha_cmd="sha256sum" +fi + +while [ ! $# -eq 0 ] +do + case "$1" in + --no-auth | -n) + export BASIC_AUTH="false" + ;; + --help | -h) + echo "Usage: \n [default]\tdeploy the OpenFaaS core services\n --no-auth [-n]\tdisable basic authentication.\n --help\tdisplays this screen" + exit + ;; + esac + shift +done + +# Secrets should be created even if basic-auth is disabled. +echo "Attempting to create credentials for gateway.." +echo "admin" | docker secret create basic-auth-user - +secret=$(head -c 16 /dev/urandom| $sha_cmd | cut -d " " -f 1) +echo "$secret" | docker secret create basic-auth-password - +if [ $? = 0 ]; +then + echo "[Credentials]\n username: admin \n password: $secret\n echo -n "$secret" | faas-cli login --username=admin --password-stdin" +else + echo "[Credentials]\n already exist, not creating" +fi + +if [ $BASIC_AUTH = "true" ]; +then + echo "" + echo "Enabling basic authentication for gateway.." + echo "" +else + echo "" + echo "Disabling basic authentication for gateway.." + echo "" +fi +echo "Deploying OpenFaaS core services" + +docker stack deploy func --compose-file docker-compose.yml From 642ba9057839c18d4103d41a9eb712103ea3e30b Mon Sep 17 00:00:00 2001 From: "Alex Ellis (VMware)" Date: Mon, 16 Jul 2018 12:36:40 +0100 Subject: [PATCH 2/4] Reinstate basic_auth flag - basic_auth is now set to true by default unless overriden in the env-var "BASIC_AUTH" Signed-off-by: Alex Ellis (VMware) --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index aaa985ff9..f60017a67 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
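Review bot: The `if [ $? = 0 ]` test after `docker secret create basic-auth-password -` reports every failure as "already exist, not creating", so a daemon error or a node that is not a swarm manager reads the same as a secret left over from an earlier run. The result of the `basic-auth-user` creation just above it is never checked at all. Probing first with `if docker secret inspect basic-auth-password >/dev/null 2>&1; then` and stopping on any other create failure would keep those cases apart. The success branch also prints the generated password to stdout, where CI logs and terminal capture will retain it; a comment such as `# password is shown once here; rotate it if this output is logged` would make that explicit. The multi-line messages depend on `echo` expanding `\n`, which POSIX leaves implementation-defined, so `printf '%s\n'` is the portable form.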
@@ -16,7 +16,7 @@ services: faas_nats_port: 4222 direct_functions: "true" # Functions are invoked directly over the overlay network direct_functions_suffix: "" - basic_auth: "false" + basic_auth: "${BASIC_AUTH:-true}" secret_mount_path: "/run/secrets/" deploy: resources: From 95ea2e1c1ea069acbc6b5de0f1cefe0ecc0383b6 Mon Sep 17 00:00:00 2001 From: "Alex Ellis (VMware)" Date: Mon, 16 Jul 2018 12:40:12 +0100 Subject: [PATCH 3/4] Bind secrets to stack Secrets for gateway needed to be bound to stack, but were commented-out. Tested on Swarm. Signed-off-by: Alex Ellis (VMware) --- docker-compose.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index f60017a67..4680166cb 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -32,9 +32,9 @@ services: placement: constraints: - 'node.platform.os == linux' - # secrets: - # - basic-auth-user - # - basic-auth-password + secrets: + - basic-auth-user + - basic-auth-password # Docker Swarm provider faas-swarm: @@ -180,8 +180,8 @@ networks: labels: - "openfaas=true" -# secrets: -# basic-auth-user: -# external: true -# basic-auth-password: -# external: true +secrets: + basic-auth-user: + external: true + basic-auth-password: + external: true From 2b5492a51b6c892978f7ae6eb9aedabbe5035098 Mon Sep 17 00:00:00 2001 From: "Alex Ellis (VMware)" Date: Mon, 16 Jul 2018 12:48:48 +0100 Subject: [PATCH 4/4] Bump gateway version Signed-off-by: Alex Ellis (VMware) --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 4680166cb..683f69168 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,7 +3,7 @@ services: gateway: ports: - 8080:8080 - image: openfaas/gateway:0.8.3 + image: openfaas/gateway:0.8.5 networks: - functions environment:
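Review bot: `basic_auth: "${BASIC_AUTH:-true}"` passes whatever is in the caller's environment straight to the gateway, so a stale `BASIC_AUTH=false` export, or a value that is neither `true` nor `false`, changes the auth setting on a hand-run `docker stack deploy` with no message. How the gateway treats other values is not visible in this hunk. A comment above the key would help, e.g. `# set by deploy_stack.sh; only "true" or "false" are expected, unset or empty means "true"`.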
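Review bot: Both secrets are declared `external: true` in the top-level `secrets:` block of patch 3/4, so the stack depends on `basic-auth-user` and `basic-auth-password` already existing in the swarm, and nothing in the file says where they come from. The same applies to the `secrets:` list that the first hunk of that patch enables under the gateway service. A comment such as `# created by deploy_stack.sh before deploy; required even when basic_auth is "false"` would save an operator who deploys the compose file directly from having to guess.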