openfaas
diff --git a/‎USER_GUIDE.md
+7-47 b/‎USER_GUIDE.md
+7-47
diff --git a/‎cmd/apply.go
+39-22 b/‎cmd/apply.go
+39-22
diff --git a/‎example.init.yaml
+4-4 b/‎example.init.yaml
+4-4
diff --git a/‎scripts/clone-cloud-components.sh
+1-1 b/‎scripts/clone-cloud-components.sh
+1-1
diff --git a/‎templates/edge-auth-dep.yml
+100 b/‎templates/edge-auth-dep.yml
+100
@@ -4,7 +4,7 @@ You will need admin access to a Kubernetes cluster, some CLI tooling and a GitHu
 
 ## Pre-reqs
 
-This tool automates the installation of OpenFaaS Cloud on Kubernetes. Before starting you will need to install some tools and then create either a local or remote cluster.
+This tool automates the installation of OpenFaaS Cloud on Kubernetes. Before starting, you will need to install some tools and then create either a local or remote cluster.
 
 For your cluster the following specifications are recommended:
 
@@ -513,28 +513,8 @@ At this point you can also view your UI dashboard at: http://127.0.0.1:31112
 
 ## Re-deploy the OpenFaaS Cloud functions (advanced)
 
-If you run the step above `Access your OpenFaaS UI or API`, then you can edit settings for OpenFaaS Cloud and redeploy your functions. This is an advanced step.
-
-```
-cd tmp/openfaas-cloud/
-
-# Edit stack.yml
-# Edit github.yml or gitlab.yml
-# Edit gateway_config.yml
-# Edit buildshiprun_limits.yml
-
-# Edit aws.yml if you want to change AWS ECR settings such as the region
-
-# Update all functions
-faas-cli deploy -f stack.yml
-
-
-# Update AWS ECR functions if needed
-faas-cli deploy -f aws.yml
-
-# Update a single function, such as "buildshiprun"
-faas-cli deploy -f stack.yml --filter=buildshiprun
-```
+Run `ofc-bootstrap` passing `--update-cloud` as a flag.
+This will re-deploy the ofc helm chart using the new settings in init.yaml
 
 ## Invite your team
 
@@ -549,29 +529,9 @@ alexellis
 
 When you want to switch to the Production issuer from staging do the following:
 
-Flush out the staging certificates and orders
+Update the staging setting in init.yaml to "prod" and re-run `ofc-bootstrap` passing `--update-cloud` as a flag.
+This will re-deploy the ofc helm chart using the new settings.
 
-```sh
-kubectl delete certificates --all  -n openfaas
-kubectl delete secret -n openfaas -l="cert-manager.io/certificate-name"
-kubectl delete order -n openfaas --all
+```sh 
+ofc-bootstrap apply -f init.yaml --update-cloud
 ```
-
-Now update the staging references to "prod":
-
-```sh
-sed -i '' s/letsencrypt-staging/letsencrypt-prod/g ./tmp/generated-ingress-ingress-wildcard.yaml
-sed -i '' s/letsencrypt-staging/letsencrypt-prod/g ./tmp/generated-ingress-ingress-auth.yaml
-sed -i '' s/letsencrypt-staging/letsencrypt-prod/g ./tmp/generated-tls-auth-domain-cert.yml
-sed -i '' s/letsencrypt-staging/letsencrypt-prod/g ./tmp/generated-tls-wildcard-domain-cert.yml
-```
-
-Now create the new ingress and certificates:
-
-```sh
-kubectl apply -f ./tmp/generated-ingress-ingress-wildcard.yaml
-kubectl apply -f ./tmp/generated-ingress-ingress-auth.yaml
-kubectl apply -f ./tmp/generated-tls-auth-domain-cert.yml
-kubectl apply -f ./tmp/generated-tls-wildcard-domain-cert.yml
-```
-
@@ -34,6 +34,7 @@ func init() {
 	applyCmd.Flags().Bool("skip-minio", false, "Skip Minio installation")
 	applyCmd.Flags().Bool("skip-create-secrets", false, "Skip creating secrets")
 	applyCmd.Flags().Bool("print-plan", false, "Print merged plan and exit")
+	applyCmd.Flags().Bool("update-cloud", false, "set to true to only upgrade OFC components")
 }
 
 var applyCmd = &cobra.Command{
@@ -158,15 +159,28 @@ func runApplyCommandE(command *cobra.Command, _ []string) error {
 	os.MkdirAll("tmp", 0700)
 	ioutil.WriteFile("tmp/go.mod", []byte("\n"), 0700)
 
-	fmt.Fprint(os.Stdout, "Validating registry credentials file")
+	fmt.Fprint(os.Stdout, "Validating registry credentials file\n")
 
 	registryAuthErr := validateRegistryAuth(plan.Registry, plan.Secrets, plan.EnableECR)
 	if registryAuthErr != nil {
 		fmt.Fprint(os.Stderr, "error with registry credentials file. Please ensure it has been created correctly")
 	}
 
+	cloudOnly, err := command.Flags().GetBool("update-cloud")
+	if err != nil {
+		return err
+	}
+
+	if cloudOnly {
+		err := cloudComponentsInstall(plan)
+		if err != nil {
+			return err
+		}
+		return nil
+	}
+
 	start := time.Now()
-	err = process(plan, prefs, additionalPaths)
+	err = process(plan, prefs)
 	done := time.Since(start)
 
 	if err != nil {
@@ -264,7 +278,7 @@ func filesExists(files []types.FileSecret) error {
 	return nil
 }
 
-func process(plan types.Plan, prefs InstallPreferences, additionalPaths []string) error {
+func process(plan types.Plan, prefs InstallPreferences) error {
 
 	if plan.OpenFaaSCloudVersion == "" {
 		plan.OpenFaaSCloudVersion = "master"
@@ -297,7 +311,7 @@ func process(plan types.Plan, prefs InstallPreferences, additionalPaths []string
 		return err
 	}
 
-	installIngressErr := installIngressController(plan.Ingress, additionalPaths)
+	installIngressErr := installIngressController(plan.Ingress)
 	if installIngressErr != nil {
 		log.Println(installIngressErr.Error())
 		return installIngressErr
@@ -332,7 +346,7 @@ func process(plan types.Plan, prefs InstallPreferences, additionalPaths []string
 		log.Println(functionAuthErr.Error())
 	}
 
-	ofErr := installOpenfaas(plan.ScaleToZero, plan.IngressOperator, additionalPaths)
+	ofErr := installOpenfaas(plan.ScaleToZero, plan.IngressOperator)
 	if ofErr != nil {
 		log.Println(ofErr)
 	}
@@ -372,7 +386,16 @@ func process(plan types.Plan, prefs InstallPreferences, additionalPaths []string
 		}
 	}
 
-	cloneErr := cloneCloudComponents(plan.OpenFaaSCloudVersion, additionalPaths)
+	err := cloudComponentsInstall(plan)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func cloudComponentsInstall(plan types.Plan) error {
+	cloneErr := cloneCloudComponents(plan.OpenFaaSCloudVersion)
 	if cloneErr != nil {
 		return cloneErr
 	}
@@ -382,11 +405,10 @@ func process(plan types.Plan, prefs InstallPreferences, additionalPaths []string
 		return ofcValuesErr
 	}
 
-	deployErr := deployCloudComponents(plan, additionalPaths)
+	deployErr := deployCloudComponents(plan)
 	if deployErr != nil {
 		return deployErr
 	}
-
 	return nil
 }
 
@@ -431,13 +453,10 @@ func writeOFCValuesYaml(plan types.Plan) error {
 		ofcOptions.TLS.Enabled = false
 	}
 
-	if plan.CustomersSecret {
-		ofcOptions.Customers.CustomersSecret = true
-	} else {
-		if len(plan.CustomersURL) == 0 {
-			return errors.New("unable to continue without a customers secret or url")
-		}
-		ofcOptions.Customers.URL = plan.CustomersURL
+	ofcOptions.Customers.CustomersSecret = plan.CustomersSecret
+	ofcOptions.Customers.URL = plan.CustomersURL
+	if len(plan.CustomersURL) == 0 && !plan.CustomersSecret {
+		return errors.New("unable to continue without a customers secret or url")
 	}
 
 	ofcOptions.Global.EnableECR = plan.EnableECR
@@ -524,7 +543,7 @@ func createFunctionsAuth() error {
 	return nil
 }
 
-func installIngressController(ingress string, additionalPaths []string) error {
+func installIngressController(ingress string) error {
 	log.Println("Creating Ingress Controller")
 
 	var env []string
@@ -572,7 +591,7 @@ func installSealedSecrets() error {
 	return nil
 }
 
-func installOpenfaas(scaleToZero, ingressOperator bool, additionalPaths []string) error {
+func installOpenfaas(scaleToZero, ingressOperator bool) error {
 	log.Println("Creating OpenFaaS")
 
 	task := execute.ExecTask{
@@ -725,7 +744,7 @@ func certManagerReady() bool {
 	return res.Stdout == "True"
 }
 
-func cloneCloudComponents(tag string, additionalPaths []string) error {
+func cloneCloudComponents(tag string) error {
 	task := execute.ExecTask{
 		Command: "./scripts/clone-cloud-components.sh",
 		Shell:   true,
@@ -735,17 +754,15 @@ func cloneCloudComponents(tag string, additionalPaths []string) error {
 		StreamStdio: true,
 	}
 
-	res, err := task.Execute()
+	_, err := task.Execute()
 	if err != nil {
 		return err
 	}
 
-	fmt.Println(res)
-
 	return nil
 }
 
-func deployCloudComponents(plan types.Plan, additionalPaths []string) error {
+func deployCloudComponents(plan types.Plan) error {
 
 	authEnv := ""
 	if plan.EnableOAuth {
 
@@ -104,7 +104,7 @@ secrets:
         value_from: "~/Downloads/do-access-token"
     filters:
       - "do_dns01"
-    namespace: "cert-manager"
+    namespace: "openfaas"
 
   ## Use Google Cloud DNS
   ### Create a service account for DNS management and export it
@@ -114,7 +114,7 @@ secrets:
         value_from: "~/Downloads/service-account.json"
     filters:
       - "gcp_dns01"
-    namespace: "cert-manager"
+    namespace: "openfaas"
 
   ## Use Route 53
   ### Create role and download its secret access key
@@ -124,7 +124,7 @@ secrets:
         value_from: "~/Downloads/route53-secret-access-key"
     filters:
       - "route53_dns01"
-    namespace: "cert-manager"
+    namespace: "openfaas"
 
   ## Use Cloudflare
   ### Create role and download its secret access key
@@ -134,7 +134,7 @@ secrets:
         value_from: "~/Downloads/cloudflare-secret-access-key"
     filters:
       - "cloudflare_dns01"
-    namespace: "cert-manager"
+    namespace: "openfaas"
 
   # Used by Buildkit to push images to your registry
   - name: "registry-secret"
 
@@ -2,7 +2,7 @@
 
 rm -rf ./tmp/openfaas-cloud
 
-git clone https://github.com/openfaas/openfaas-cloud ./tmp/openfaas-cloud
+git clone https://github.com/openfaas/openfaas-cloud --depth 1 ./tmp/openfaas-cloud
 
 cd ./tmp/openfaas-cloud
 echo "Checking out openfaas/openfaas-cloud@$TAG"
 
@@ -0,0 +1,100 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: edge-auth
+  namespace: openfaas
+  labels:
+    app: edge-auth
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: edge-auth
+  template:
+    metadata:
+      annotations:
+        prometheus.io.scrape: "false"
+      labels:
+        app: edge-auth
+    spec:
+      volumes:
+        - name: jwt-private-key
+          secret:
+            secretName: jwt-private-key
+        - name: jwt-public-key
+          secret:
+            secretName: jwt-public-key
+        - name: of-client-secret
+          secret:
+            secretName: of-client-secret
+        - name: of-customers
+          secret:
+            secretName: of-customers
+      containers:
+      - name: edge-auth
+        image: openfaas/edge-auth:0.7.1
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 2
+          periodSeconds: 10
+          timeoutSeconds: 2
+        env:
+          - name: port
+            value: "8080"
+          - name: oauth_client_secret_path
+            value: "/var/secrets/of-client-secret/of-client-secret"
+          - name: public_key_path
+            value: "/var/secrets/public/key.pub"
+          - name: private_key_path
+            value: "/var/secrets/private/key"
+          - name: customers_path
+            value: "{{.OFCustomersSecretPath}}"
+# Update for your configuration:
+          - name: client_secret # this can also be provided via a secret named of-client-secret
+            value: ""
+          - name: client_id
+            value: "{{.ClientId}}"
+          - name: oauth_provider_base_url
+            value: "{{.OAuthProviderBaseURL}}"
+          - name: oauth_provider
+            value: "{{.OAuthProvider}}"
+# Local test config
+          # - name: external_redirect_domain
+          #   value: "http://auth.system.gw.io:8081"
+          # - name: cookie_root_domain
+          #   value: ".system.gw.io"
+
+# Community cluster config:
+          - name: external_redirect_domain
+            value: "{{.Scheme}}://auth.system.{{.RootDomain}}"
+          - name: cookie_root_domain
+            value: ".system.{{.RootDomain}}"
+# This is a default and can be overridden
+          - name: customers_url
+            value: "{{.CustomersURL}}"
+          - name: write_debug
+            value: "false"
+          # Config for setting the cookie to "secure", set this to true for HTTPS only OAuth
+          - name: secure_cookie
+            value: "{{.TLSEnabled}}"
+
+
+        ports:
+        - containerPort: 8080
+          protocol: TCP
+        volumeMounts:
+        - name: jwt-private-key
+          readOnly: true
+          mountPath: "/var/secrets/private/"
+        - name: jwt-public-key
+          readOnly: true
+          mountPath: "/var/secrets/public"
+        - name: of-client-secret
+          readOnly: true
+          mountPath: "/var/secrets/of-client-secret"
+        - name: of-customers
+          readOnly: true
+          mountPath: "/var/secrets/of-customers"