ghp/helm-charts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

GHP publish

Browse Source
This commit is contained in:
ace
2021-01-17 04:09:41 +03:00
commit 9fe2c2adf2
457 changed files with 40068 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
openfaas/Chart.yaml Normal file
View File

@ -0,0 +1,21 @@
apiVersion: v1
description: OpenFaaS - Serverless Functions Made Simple
home: https://www.openfaas.com
icon: https://raw.githubusercontent.com/openfaas/media/master/OpenFaaS_logo_stacked_opaque.png
keywords:
- serverless
- functions
- platform
- faas
maintainers:
- email: alex@openfaas.com
name: alexellis
- email: roesler.lucas@gmail.com
name: lucasroesler
- email: alistair.hey@gmail.com
name: Waterdrips
name: openfaas
sources:
- https://github.com/openfaas/faas
- https://github.com/openfaas/faas-netes
version: 6.2.3

8
openfaas/OWNERS Normal file
View File

@ -0,0 +1,8 @@
approvers:
- alexellis
- rimusz
- LucasRoesler
reviewers:
- alexellis
- rimusz
- LucasRoesler

459
openfaas/README.md Normal file
View File

@ -0,0 +1,459 @@
# OpenFaaS - Serverless Functions Made Simple
<img src="https://blog.alexellis.io/content/images/2017/08/faas_side.png" alt="OpenFaaS logo" width="60%">
[OpenFaaS](https://github.com/openfaas/faas) (Functions as a Service) is a framework for building serverless functions with Docker and Kubernetes which has first class support for metrics. Any process can be packaged as a function enabling you to consume a range of web events without repetitive boiler-plate coding.
## Highlights
* Ease of use through UI portal and *one-click* install
* Write functions in any language for Linux or Windows and package in Docker/OCI image format
* Portable - runs on existing hardware or public/private cloud. Native [Kubernetes](https://github.com/openfaas/faas-netes) support, Docker Swarm also available
* [Operator / CRD option available](https://github.com/openfaas/faas-netes/)
* [faas-cli](http://github.com/openfaas/faas-cli) available with stack.yml for creating and managing functions
* Auto-scales according to metrics from Prometheus
* Scales to zero and back again and can be tuned at a per-function level
* Works with service-meshes
* Tested with [Istio](https://istio.io) including mTLS
* Tested with [Linkerd2](https://github.com/openfaas-incubator/openfaas-linkerd2) including mTLS and traffic splitting with SMI
## Deploy OpenFaaS
### 1) Install with arkade
It is recommended that you use arkade to install OpenFaaS. arkade is a CLI tool which automates the helm CLI and chart download and installation. The `openfaas` app also has a number of options available via `arkade install openfaas --help`
The installation with arkade is as simple as the following which installs OpenFaaS, sets up an Ingress record, and a TLS certificate with cert-manager.
```bash
arkade install openfaas
arkade install openfaas-ingress \
--domain openfaas.example.com \
--email wm@example.com
```
See a complete example here: [Get TLS for OpenFaaS the easy way with arkade](https://blog.alexellis.io/tls-the-easy-way-with-openfaas-and-k3sup/)
If you wish to continue without using arkade, read on for instructions.
### 2) Install with helm
These instructions are for Intel (normal computers), jump to the end of the document for ARM and Raspberry Pi.
To use the chart, you will need Helm, we recommend helm 3:
Get it from arkade:
```bash
arkade get helm
```
Or use the helm3 installer:
```bash
curl -sSLf https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
```
We recommend creating two namespaces, one for the OpenFaaS *core services* and one for the *functions*:
```sh
kubectl apply -f https://raw.githubusercontent.com/openfaas/faas-netes/master/namespaces.yml
```
You will now have `openfaas` and `openfaas-fn`. If you want to change the names or to install into multiple installations then edit `namespaces.yml` from the `faas-netes` repo.
Add the OpenFaaS `helm` chart:
```sh
helm repo add openfaas https://openfaas.github.io/faas-netes/
```
Now decide how you want to expose the services and edit the `helm upgrade` command as required.
* To use NodePorts (default) pass no additional flags
* To use a LoadBalancer add `--set serviceType=LoadBalancer`
* To use an IngressController add `--set ingress.enabled=true`
> Note: even without a LoadBalancer or IngressController you can access your gateway at any time via `kubectl port-forward`.
### Deploy
Note that the commands will differ slightly between versions, if not specified, the instructions are for helm 2.
Now deploy OpenFaaS from the helm chart repo:
```sh
helm repo update \
&& helm upgrade openfaas --install openfaas/openfaas \
--namespace openfaas \
--set functionNamespace=openfaas-fn \
--set generateBasicAuth=true
```
> The above command will also update your helm repo to pull in any new releases.
Retrieve the OpenFaaS credentials with:
```sh
PASSWORD=$(kubectl -n openfaas get secret basic-auth -o jsonpath="{.data.basic-auth-password}" | base64 --decode) && \
echo "OpenFaaS admin password: $PASSWORD"
```
#### Generate basic-auth credentials
The chart has a pre-install hook which can generate basic-auth credentials, enable it with `--set generateBasicAuth=true`.
Alternatively, you can set `generateBasicAuth` to `false` and generate or supply the basic-auth credentials yourself. This is the option you may want if you are using `helm template`.
```sh
# generate a random password
PASSWORD=$(head -c 12 /dev/urandom | shasum| cut -d' ' -f1)
kubectl -n openfaas create secret generic basic-auth \
--from-literal=basic-auth-user=admin \
--from-literal=basic-auth-password="$PASSWORD"
echo "OpenFaaS admin password: $PASSWORD"
```
#### Tuning cold-start
The concept of a cold-start in OpenFaaS only applies if you A) use faas-idler and B) set a specific function to scale to zero. Otherwise there is not a cold-start, because at least one replica of your function remains available.
There are two ways to reduce the Kubernetes cold-start for a pre-pulled image, which is around 1-2 seconds.
1) Don't set the function to scale down to zero, just set it a minimum availability i.e. 1/1 replicas
2) Use async invocations via the `/async-function/<name>` route on the gateway, so that the latency is hidden from the caller
3) Tune the readinessProbes to be aggressively low values. This will reduce the cold-start at the cost of more `kubelet` CPU usage
To achieve around 1s coldstart, set `values.yaml`:
```yaml
faasnetes:
# redacted
readinessProbe:
initialDelaySeconds: 0
timeoutSeconds: 1
periodSeconds: 1
livenessProbe:
initialDelaySeconds: 0
timeoutSeconds: 1
periodSeconds: 1
# redacted
imagePullPolicy: "IfNotPresent" # Image pull policy for deployed functions
```
In addition:
* Pre-pull images on each node
* Use an in-cluster registry to reduce the pull latency for images
* Set the `imagePullPolicy` to `IfNotPresent` so that the `kubelet` only pulls images which are not already available
* Explore alternatives such as not scaling to absolute zero, and using async calls which do not show the cold start
#### httpProbe vs. execProbe
A note on health-checking probes for functions:
* httpProbe - (`default`) most efficient. (compatible with Istio >= 1.1.5)
* execProbe - least efficient option, but compatible with Istio < 1.1.5
Use `--set faasnetes.httpProbe=true/false` to toggle between http / exec probes.
### Verify the installation
Once all the services are up and running, log into your gateway using the OpenFaaS CLI. This will cache your credentials into your `~/.openfaas/config.yml` file.
Fetch your public IP or NodePort via `kubectl get svc -n openfaas gateway-external -o wide` and set it as an environmental variable as below:
```sh
export OPENFAAS_URL=http://127.0.0.1:31112
```
If using a remote cluster, you can port-forward the gateway to your local machine:
```sh
export OPENFAAS_URL=http://127.0.0.1:8080
kubectl port-forward -n openfaas svc/gateway 8080:8080 &
```
Now log in with the CLI and check connectivity:
```sh
echo -n $PASSWORD | faas-cli login -g $OPENFAAS_URL -u admin --password-stdin
faas-cli version
```
## OpenFaaS Operator and Function CRD
If you would like to work with Function CRDs there is an alternative controller to faas-netes named [OpenFaaS Operator](https://github.com/openfaas-incubator/openfaas-operator) which can be swapped in at deployment time.
The OpenFaaS Operator is suitable for development and testing and may replace the faas-netes controller in the future.
The Operator is compatible with Kubernetes 1.9 or later.
To use it, add the flag: `--set operator.create=true` when installing with Helm.
### faas-netes vs OpenFaaS Operator
The faas-netes controller is the most tested, stable and supported version of the OpenFaaS integration with Kubernetes. In contrast the OpenFaaS Operator is based upon the codebase and features from `faas-netes`, but offers a tighter integration with Kubernetes through [CustomResourceDefinitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). This means you can type in `kubectl get functions` for instance.
See also: [Introducing the OpenFaaS Operator](https://www.openfaas.com/blog/kubernetes-operator-crd/)
## Deployment with `helm template`
This option is good for those that have issues with or concerns about installing Tiller, the server/cluster component of helm. Using the `helm` CLI, we can pre-render and then apply the templates using `kubectl`.
1. Clone the faas-netes repository
```sh
git clone https://github.com/openfaas/faas-netes.git
cd faas-netes
```
2. Render the chart to a Kubernetes manifest called `openfaas.yaml`
Helm 3:
```sh
helm template \
openfaas chart/openfaas/ \
--namespace openfaas \
--set basic_auth=true \
--set functionNamespace=openfaas-fn > openfaas.yaml
```
Helm 2:
```sh
helm template chart/openfaas \
--name openfaas \
--namespace openfaas \
--set basic_auth=true \
--set functionNamespace=openfaas-fn > openfaas.yaml
```
You can set the values and overrides just as you would in the install/upgrade commands above.
3. Install the components using `kubectl`
```sh
kubectl apply -f namespaces.yml,openfaas.yaml
```
Now [verify your installation](#verify-the-installation).
## Test a local helm chart
You can run the following command from within the `faas-netes/chart` folder in the `faas-netes` repo.
```sh
helm upgrade openfaas --install chart/openfaas \
--namespace openfaas \
--set basic_auth=true \
--set functionNamespace=openfaas-fn
```
## Exposing services
### NodePorts
By default a NodePort will be created for the API Gateway.
### Metrics
You temporarily access the Prometheus metrics by using `port-forward`
```sh
kubectl --namespace openfaas port-forward deployment/prometheus 31119:9090
```
Then open `http://localhost:31119` to directly query the OpenFaaS metrics scraped by Prometheus.
### LB
If you're running on a cloud such as AKS or GKE you will need to pass an additional flag of `--set serviceType=LoadBalancer` to tell `helm` to create LoadBalancer objects instead. An alternative to using multiple LoadBalancers is to install an Ingress controller.
### Deploy with an IngressController
In order to make use of automatic ingress settings you will need an IngressController in your cluster such as Traefik or Nginx.
Add `--set ingress.enabled` to enable ingress pass `--set ingress.enabled=true` when running the installation via `helm`.
By default services will be exposed with following hostnames (can be changed, see values.yaml for details):
* `gateway.openfaas.local`
### Endpoint load-balancing
Some configurations in combination with client-side KeepAlive settings may because load to be spread unevenly between replicas of a function. If you experience this, there are three ways to work around it:
* [Install Linkerd2](https://github.com/openfaas-incubator/openfaas-linkerd2) which takes over load-balancing from the Kubernetes L4 Service (recommended)
* Disable KeepAlive in the client-side code (not recommended)
* Configure the gateway to pass invocations through to the faas-netes provider (alternative to using Linkerd2)
```sh
--set gateway.directFunctions=false
```
In this mode, all invocations will pass through the gateway to faas-netes, which will look up endpoint IPs directly from Kubernetes, the additional hop may add some latency, but will do fair load-balancing, even with KeepAlive.
### SSL / TLS
If you require TLS/SSL then please make use of an IngressController. A full guide is provided to [enable TLS for the OpenFaaS Gateway using cert-manager and Let's Encrypt](https://docs.openfaas.com/reference/ssl/kubernetes-with-cert-manager/).
### Service meshes
If you use a service mesh like Linkerd or Istio in your cluster, then you should enable the `directFunctions` mode using:
```sh
--set gateway.directFunctions=true
```
### Istio mTLS
To install OpenFaaS with Istio mTLS pass `--set istio.mtls=true` and disable the HTTP probes:
```sh
helm upgrade openfaas --install chart/openfaas \
--namespace openfaas \
--set basic_auth=true \
--set functionNamespace=openfaas-fn \
--set exposeServices=false \
--set faasnetes.httpProbe=false \
--set httpProbe=false \
--set gateway.directFunctions=true \
--set istio.mtls=true
```
The above command will enable mTLS for the openfaas control plane services and functions excluding NATS.
> Note that the above instructions were tested on GKE 1.13 and Istio 1.2
## Zero scale
### Scale-up from zero (on by default)
Scaling up from zero replicas is enabled by default, to turn it off set `scaleFromZero` to `false` in the helm chart options for the `gateway` component.
```sh
--set gateway.scaleFromZero=true/false
```
### Scale-down to zero (off by default)
Scaling down to zero replicas can be achieved either through the REST API and your own controller, or by using the [faas-idler](https://github.com/openfaas-incubator/faas-idler) component.
By default the faas-idler is set to only do a dryRun and to not scale any functions down.
```sh
--set faasIdler.dryRun=true/false
```
The faas-idler will only scale down functions which have marked themselves as eligible for this behaviour through the use of a label: `com.openfaas.scale.zero=true`.
See also: [faas-idler README](https://docs.openfaas.com/architecture/autoscaling/#zero-scale).
## Removing the OpenFaaS
All control plane components can be cleaned up with helm:
Helm 3:
```sh
helm delete openfaas --namespace openfaas
```
Helm 2:
```sh
helm delete --purge openfaas
```
Follow this by the following to remove all other associated objects:
```sh
kubectl delete namespace openfaas openfaas-fn
```
In some cases your additional functions may need to be either deleted before deleting the chart with `faas-cli` or manually deleted using `kubectl delete`.
## ARM
If you would like to deploy OpenFaaS to ARM i.e. Raspberry Pi, ARM64 machines provided by Packet.net, Scaleway or to AWS Graviton, then you should use the appropriate values.yaml file.
* `values-armhf.yml` - for Raspberry Pi and other ARMv7 boards (run `uname -a` to find out which you have)
* `values-arm64.yml` - for everything else (`arm64` or `aarch64`)
It is recommended that you install OpenFaaS to ARM machines [using k3sup](https://k3sup.dev/) instead of helm directly since it will determine the correct values to be used.
See also: [Kubernetes and Raspberry Pi in the docs](https://docs.openfaas.com/deployment/kubernetes)
## Kubernetes versioning
This Helm chart currently supports version 1.16+
Note that OpenFaaS itself may support a wider range of versions, [see here](../../README.md#kubernetes-versions)
## Getting help
Feel free to seek out help using the [OpenFaaS Slack workspace](https://slack.openfaas.io/), please do not raise issues for technical support, unless you suspect and can provide instructions for reproducing an error in the chart.
## Configuration
Additional OpenFaaS options in `values.yaml`.
| Parameter | Description | Default |
| ----------------------- | ---------------------------------- | ---------------------------------------------------------- |
| `functionNamespace` | Functions namespace, preferred `openfaas-fn` | `default` |
| `clusterRole` | Use a `ClusterRole` for the Operator or faas-netes. Set to `true` for multiple namespace support | `false` |
| `createCRDs` | Create the CRDs for OpenFaaS Functions and Profiles | `true` |
| `basic_auth` | Enable basic authentication on the gateway and Prometheus. Warning: do not disable. | `true` |
| `async` | Enables asynchronous function invocations. If `.nats.external.enabled` is `false`, also deploys NATS Streaming | `true` |
| `exposeServices` | Expose `NodePorts/LoadBalancer` | `true` |
| `serviceType` | Type of external service to use `NodePort/LoadBalancer` | `NodePort` |
| `generateBasicAuth` | Generate admin password for basic authentication | `false` |
| `rbac` | Enable RBAC | `true` |
| `httpProbe` | Setting to true will use HTTP for readiness and liveness probe on the OpenFaaS system Pods (compatible with Istio >= 1.1.5) | `true` |
| `psp` | Enable [Pod Security Policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) for OpenFaaS accounts | `false` |
| `securityContext` | Deploy with a `securityContext` set, this can be disabled for use with Istio sidecar injection | `true` |
| `openfaasImagePullPolicy` | Image pull policy for openfaas components, can change to `IfNotPresent` in offline env | `Always` |
| `kubernetesDNSDomain` | Domain name of the Kubernetes cluster | `cluster.local` |
| `operator.create` | Use the OpenFaaS operator CRD controller, default uses faas-netes as the Kubernetes controller | `false` |
| `ingress.enabled` | Create ingress resources | `false` |
| `faasnetes.httpProbe` | Use a httpProbe instead of exec | `false` |
| `ingressOperator.create` | Create the ingress-operator component | `false` |
| `ingressOperator.replicas` | Replicas of the ingress-operator| `1` |
| `ingressOperator.image` | Container image used in ingress-operator| `openfaas/ingress-operator:0.6.2` |
| `ingressOperator.resources` | Limits and requests for memory and CPU usage | Memory Requests: 25Mi |
| `faasnetes.readTimeout` | Queue worker read timeout | `60s` |
| `faasnetes.writeTimeout` | Queue worker write timeout | `60s` |
| `faasnetes.imagePullPolicy` | Image pull policy for deployed functions | `Always` |
| `faasnetes.setNonRootUser` | Force all function containers to run with user id `12000` | `false` |
| `gateway.directFunctions` | Invoke functions directly without using the provider | `true` |
| `gateway.replicas` | Replicas of the gateway, pick more than `1` for HA | `1` |
| `gateway.readTimeout` | Queue worker read timeout | `65s` |
| `gateway.writeTimeout` | Queue worker write timeout | `65s` |
| `gateway.upstreamTimeout` | Maximum duration of upstream function call, should be lower than `readTimeout`/`writeTimeout` | `60s` |
| `gateway.scaleFromZero` | Enables an intercepting proxy which will scale any function from 0 replicas to the desired amount | `true` |
| `gateway.maxIdleConns` | Set max idle connections from gateway to functions | `1024` |
| `gateway.maxIdleConnsPerHost` | Set max idle connections from gateway to functions per host | `1024` |
| `gateway.logsProviderURL` | Set a custom logs provider url | `""` |
| `queueWorker.durableQueueSubscriptions` | Whether to use a durable queue subscription | `false` |
| `queueWorker.queueGroup` | The name of the queue group used to process asynchronous function invocations | `faas` |
| `queueWorker.replicas` | Replicas of the queue-worker, pick more than `1` for HA | `1` |
| `queueWorker.ackWait` | Max duration of any async task/request | `60s` |
| `nats.channel` | The name of the NATS Streaming channel to use for asynchronous function invocations | `faas-request` |
| `nats.external.clusterName` | The name of the externally-managed NATS Streaming server | `` |
| `nats.external.enabled` | Whether to use an externally-managed NATS Streaming server | `false` |
| `nats.external.host` | The host at which the externally-managed NATS Streaming server can be reached | `""` |
| `nats.external.port` | The port at which the externally-managed NATS Streaming server can be reached | `""` |
| `nats.enableMonitoring` | Enable the NATS monitoring endpoints on port `8222` for NATS Streaming deployments managed by this chart | `false` |
| `nats.metrics.enabled` | Export Prometheus metrics for NATS, no multi-arch support | `false` |
| `nats.metrics.image` | Container image used for the NATS Prometheus exporter, not multi-arch | `synadia/prometheus-nats-exporter:0.6.2` |
| `faasIdler.create` | Create the faasIdler component | `true` |
| `faasIdler.inactivityDuration` | Duration after which faas-idler will scale function down to 0 | `15m` |
| `faasIdler.reconcileInterval` | The time between each of reconciliation | `1m` |
| `faasIdler.dryRun` | When set to false the OpenFaaS API will be called to scale down idle functions, by default this is set to only print in the logs. | `true` |
| `prometheus.create` | Create the Prometheus component | `true` |
| `alertmanager.create` | Create the AlertManager component | `true` |
| `istio.mtls` | Create Istio policies and destination rules to enforce mTLS for OpenFaaS components and functions | `false` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
See values.yaml for detailed configuration.

9
openfaas/templates/NOTES.txt Normal file
View File

@ -0,0 +1,9 @@
To verify that openfaas has started, run:
kubectl -n {{ .Release.Namespace }} get deployments -l "release={{ .Release.Name }}, app={{ template "openfaas.name" . }}"
{{- if .Values.generateBasicAuth }}
To retrieve the admin password, run:
echo $(kubectl -n {{ .Release.Namespace }} get secret basic-auth -o jsonpath="{.data.basic-auth-password}" | base64 --decode)
{{- end }}

20
openfaas/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,20 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "openfaas.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "openfaas.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}

47
openfaas/templates/alertmanager-cfg.yaml Normal file
View File

@ -0,0 +1,47 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.alertmanager.create }}
---
kind: ConfigMap
apiVersion: v1
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: alertmanager-config
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: alertmanager-config
namespace: {{ .Release.Namespace | quote }}
data:
alertmanager.yml: |
route:
group_by: ['alertname', 'cluster', 'service']
group_wait: 5s
group_interval: 10s
repeat_interval: 30s
receiver: scale-up
routes:
- match:
service: gateway
receiver: scale-up
severity: major
inhibit_rules:
- source_match:
severity: 'critical'
target_match:
severity: 'warning'
equal: ['alertname', 'cluster', 'service']
receivers:
- name: 'scale-up'
webhook_configs:
- url: http://gateway.{{ .Release.Namespace }}:8080/system/alert
send_resolved: true
{{- if .Values.basic_auth }}
http_config:
basic_auth:
username: admin
password_file: /var/secrets/basic-auth-password
{{- end -}}
{{- end }}

108
openfaas/templates/alertmanager-dep.yaml Normal file
View File

@ -0,0 +1,108 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.alertmanager.create }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: alertmanager
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: alertmanager
namespace: {{ .Release.Namespace | quote }}
spec:
replicas: 1
selector:
matchLabels:
app: alertmanager
template:
metadata:
labels:
app: alertmanager
annotations:
sidecar.istio.io/inject: "true"
checksum/alertmanager-config: {{ include (print $.Template.BasePath "/alertmanager-cfg.yaml") . | sha256sum | quote }}
spec:
containers:
- name: alertmanager
image: {{ .Values.alertmanager.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
command:
- "alertmanager"
- "--config.file=/alertmanager.yml"
- "--storage.path=/alertmanager"
- "--cluster.listen-address="
livenessProbe:
{{- if .Values.httpProbe }}
httpGet:
path: /-/ready
port: 9093
{{- else }}
exec:
command:
- wget
- --quiet
- --tries=1
- --timeout=30
- --spider
- http://localhost:9093/-/ready
{{- end }}
timeoutSeconds: 30
readinessProbe:
{{- if .Values.httpProbe }}
httpGet:
path: /-/ready
port: 9093
{{- else }}
exec:
command:
- wget
- --quiet
- --tries=1
- --timeout=30
- --spider
- http://localhost:9093/-/ready
{{- end }}
timeoutSeconds: 30
ports:
- containerPort: 9093
protocol: TCP
resources:
{{- .Values.alertmanager.resources | toYaml | nindent 12 }}
volumeMounts:
- mountPath: /alertmanager.yml
name: alertmanager-config
subPath: alertmanager.yml
{{- if .Values.basic_auth }}
- name: auth
readOnly: true
mountPath: "/var/secrets"
{{- end }}
volumes:
- name: alertmanager-config
configMap:
name: alertmanager-config
items:
- key: alertmanager.yml
path: alertmanager.yml
mode: 0644
{{- if .Values.basic_auth }}
- name: auth
secret:
secretName: basic-auth
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end }}

22
openfaas/templates/alertmanager-svc.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.alertmanager.create }}
---
apiVersion: v1
kind: Service
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: alertmanager
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: alertmanager
namespace: {{ .Release.Namespace | quote }}
spec:
type: ClusterIP
ports:
- port: 9093
protocol: TCP
selector:
app: alertmanager
{{- end }}

106
openfaas/templates/basic-auth-plugin-dep.yaml Normal file
View File

@ -0,0 +1,106 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.basic_auth }}
{{- if not .Values.oauth2Plugin.enabled }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: basic-auth-plugin
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: basic-auth-plugin
namespace: {{ .Release.Namespace | quote }}
spec:
replicas: {{ .Values.basicAuthPlugin.replicas }}
selector:
matchLabels:
app: basic-auth-plugin
template:
metadata:
annotations:
prometheus.io.scrape: "false"
labels:
app: basic-auth-plugin
spec:
{{- if .Values.basic_auth }}
volumes:
- name: auth
secret:
secretName: basic-auth
{{- end }}
containers:
- name: basic-auth-plugin
resources:
{{- .Values.basicAuthPlugin.resources | toYaml | nindent 12 }}
image: {{ .Values.basicAuthPlugin.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
{{- if .Values.securityContext }}
securityContext:
readOnlyRootFilesystem: true
runAsUser: 10001
{{- end }}
livenessProbe:
{{- if .Values.httpProbe }}
httpGet:
path: /health
port: 8080
{{- else }}
exec:
command:
- wget
- --quiet
- --tries=1
- --timeout=5
- --spider
- http://localhost:8080/health
{{- end }}
timeoutSeconds: 5
readinessProbe:
{{- if .Values.httpProbe }}
httpGet:
path: /health
port: 8080
{{- else }}
exec:
command:
- wget
- --quiet
- --tries=1
- --timeout=5
- --spider
- http://localhost:8080/health
{{- end }}
timeoutSeconds: 5
env:
{{- if .Values.basic_auth }}
- name: secret_mount_path
value: "/var/secrets"
- name: basic_auth
value: "{{ .Values.basic_auth }}"
volumeMounts:
- name: auth
readOnly: true
mountPath: "/var/secrets"
ports:
- name: http
containerPort: 8080
protocol: TCP
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end }}
{{- end }}

25
openfaas/templates/basic-auth-plugin-svc.yaml Normal file
View File

@ -0,0 +1,25 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.basic_auth }}
---
apiVersion: v1
kind: Service
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: basic-auth-plugin
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: basic-auth-plugin
namespace: {{ .Release.Namespace | quote }}
spec:
type: ClusterIP
ports:
- port: 8080
targetPort: http
protocol: TCP
name: http
selector:
app: basic-auth-plugin
{{- end }}

227
openfaas/templates/controller-rbac.yaml Normal file
View File

@ -0,0 +1,227 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if eq .Values.operator.create false }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: faas-controller
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ .Release.Name }}-controller
namespace: {{ .Release.Namespace | quote }}
{{- if .Values.rbac }}
{{- if .Values.clusterRole }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: faas-controller
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ .Release.Name }}-controller
namespace: {{ $functionNs | quote }}
rules:
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- create
- delete
- update
- apiGroups:
- extensions
- apps
resources:
- deployments
verbs:
- get
- list
- watch
- create
- delete
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- pods
- pods/log
- namespaces
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- "openfaas.com"
resources:
- "profiles"
verbs:
- "get"
- "list"
- "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: faas-controller
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ .Release.Name }}-controller
namespace: {{ $functionNs | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}-controller
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-controller
namespace: {{ .Release.Namespace | quote }}
{{- else }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: faas-controller
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ .Release.Name }}-controller
namespace: {{ $functionNs | quote }}
rules:
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- create
- delete
- update
- apiGroups:
- extensions
- apps
resources:
- deployments
verbs:
- get
- list
- watch
- create
- delete
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- pods
- pods/log
- namespaces
- endpoints
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: faas-controller
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ .Release.Name }}-controller
namespace: {{ $functionNs | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .Release.Name }}-controller
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-controller
namespace: {{ .Release.Namespace | quote }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: faas-controller
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ .Release.Name }}-profiles
namespace: {{ .Release.Namespace | quote }}
rules:
- apiGroups:
- "openfaas.com"
resources:
- "profiles"
verbs:
- "get"
- "list"
- "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: faas-controller
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ .Release.Name }}-profiles
namespace: {{ .Release.Namespace | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .Release.Name }}-profiles
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-controller
namespace: {{ .Release.Namespace | quote }}
{{- end }}
{{- end }}
{{- end }}

75
openfaas/templates/faas-idler-dep.yaml Normal file
View File

@ -0,0 +1,75 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.faasIdler.create }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: faas-idler
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: faas-idler
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
replicas: {{ .Values.faasIdler.replicas }}
selector:
matchLabels:
app: faas-idler
template:
metadata:
annotations:
prometheus.io.scrape: "false"
labels:
app: faas-idler
spec:
containers:
- name: faas-idler
resources:
{{- .Values.faasIdler.resources | toYaml | nindent 12 }}
image: {{ .Values.faasIdler.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
env:
- name: gateway_url
value: "http://gateway.{{ .Release.Namespace }}:8080/"
- name: prometheus_host
value: "prometheus.{{ .Release.Namespace }}"
- name: prometheus_port
value: "9090"
- name: inactivity_duration
value: {{ .Values.faasIdler.inactivityDuration }}
- name: reconcile_interval
value: {{ .Values.faasIdler.reconcileInterval }}
{{- if .Values.faasIdler.writeDebug }}
- name: write_debug
value: {{ .Values.faasIdler.writeDebug }}
{{- end }}
command:
- /home/app/faas-idler
- -dry-run={{ .Values.faasIdler.dryRun }}
{{- if .Values.basic_auth }}
volumeMounts:
- name: auth
readOnly: true
mountPath: "/var/secrets/"
volumes:
- name: auth
secret:
secretName: basic-auth
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end }}

106
openfaas/templates/function-crd.yaml Normal file
View File

@ -0,0 +1,106 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.operator.create }}
{{- if .Values.createCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: functions.openfaas.com
spec:
group: openfaas.com
names:
kind: Function
listKind: FunctionList
plural: functions
singular: function
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: Function describes an OpenFaaS function
type: object
required:
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: FunctionSpec is the spec for a Function resource
type: object
required:
- image
- name
properties:
annotations:
type: object
additionalProperties:
type: string
constraints:
type: array
items:
type: string
environment:
type: object
additionalProperties:
type: string
handler:
type: string
image:
type: string
labels:
type: object
additionalProperties:
type: string
limits:
description: FunctionResources is used to set CPU and memory limits
and requests
type: object
properties:
cpu:
type: string
memory:
type: string
name:
type: string
readOnlyRootFilesystem:
type: boolean
requests:
description: FunctionResources is used to set CPU and memory limits
and requests
type: object
properties:
cpu:
type: string
memory:
type: string
secrets:
type: array
items:
type: string
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
{{- end }}
{{- end }}

260
openfaas/templates/gateway-dep.yaml Normal file
View File

@ -0,0 +1,260 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: gateway
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: gateway
namespace: {{ .Release.Namespace | quote }}
spec:
replicas: {{ .Values.gateway.replicas }}
selector:
matchLabels:
app: gateway
template:
metadata:
annotations:
prometheus.io.scrape: "true"
prometheus.io.port: "8082"
labels:
app: gateway
spec:
{{- if .Values.operator.create }}
serviceAccountName: {{ .Release.Name }}-operator
{{- else }}
serviceAccountName: {{ .Release.Name }}-controller
{{- end }}
volumes:
- name: faas-netes-temp-volume
emptyDir: {}
{{- if .Values.basic_auth }}
- name: auth
secret:
secretName: basic-auth
{{- end }}
containers:
- name: gateway
resources:
{{- .Values.gateway.resources | toYaml | nindent 12 }}
image: {{ .Values.gateway.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
{{- if .Values.securityContext }}
securityContext:
readOnlyRootFilesystem: true
runAsUser: 10001
{{- end }}
livenessProbe:
{{- if .Values.httpProbe }}
httpGet:
path: /healthz
port: 8080
{{- else }}
exec:
command:
- wget
- --quiet
- --tries=1
- --timeout=5
- --spider
- http://localhost:8080/healthz
{{- end }}
timeoutSeconds: 5
readinessProbe:
{{- if .Values.httpProbe }}
httpGet:
path: /healthz
port: 8080
{{- else }}
exec:
command:
- wget
- --quiet
- --tries=1
- --timeout=5
- --spider
- http://localhost:8080/healthz
{{- end }}
timeoutSeconds: 5
env:
{{- if .Values.gateway.logsProviderURL }}
- name: logs_provider_url
value: "{{ .Values.gateway.logsProviderURL }}"
{{- end }}
- name: read_timeout
value: "{{ .Values.gateway.readTimeout }}"
- name: write_timeout
value: "{{ .Values.gateway.writeTimeout }}"
- name: upstream_timeout
value: "{{ .Values.gateway.upstreamTimeout }}"
- name: functions_provider_url
value: "http://127.0.0.1:8081/"
- name: direct_functions
{{- if .Values.gateway.directFunctions }}
value: "{{.Values.gateway.directFunctions}}"
{{- else}}
value: "false"
{{- end }}
- name: direct_functions_suffix
value: "{{ $functionNs }}.svc.{{ .Values.kubernetesDNSDomain }}"
- name: function_namespace
value: {{ $functionNs | quote }}
{{- if .Values.nats.external.enabled }}
- name: faas_nats_address
value: "{{ .Values.nats.external.host }}"
- name: faas_nats_port
value: "{{ .Values.nats.external.port }}"
- name: faas_nats_cluster_name
value: "{{ .Values.nats.external.clusterName }}"
- name: faas_nats_channel
value: "{{ .Values.nats.channel }}"
{{- else }}
{{- if .Values.async }}
- name: faas_nats_address
value: "nats.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesDNSDomain }}"
- name: faas_nats_port
value: "4222"
- name: faas_nats_channel
value: "{{ .Values.nats.channel }}"
{{- end }}
{{- end }}
{{- if .Values.basic_auth }}
- name: basic_auth
value: "true"
- name: secret_mount_path
value: "/var/secrets"
{{- if .Values.oauth2Plugin.enabled }}
- name: auth_proxy_url
value: "http://oauth2-plugin.{{ .Release.Namespace }}:8080/validate"
- name: auth_pass_body
value: "false"
{{- else }}
- name: auth_proxy_url
value: "http://basic-auth-plugin.{{ .Release.Namespace }}:8080/validate"
- name: auth_pass_body
value: "false"
{{- end }}
{{- end }}
- name: scale_from_zero
value: "{{ .Values.gateway.scaleFromZero }}"
- name: max_idle_conns
value: "{{ .Values.gateway.maxIdleConns }}"
- name: max_idle_conns_per_host
value: "{{ .Values.gateway.maxIdleConnsPerHost }}"
{{- if .Values.basic_auth }}
volumeMounts:
- name: auth
readOnly: true
mountPath: "/var/secrets"
{{- end }}
ports:
- name: http
containerPort: 8080
protocol: TCP
{{- if .Values.operator.create }}
- name: operator
resources:
{{- .Values.operator.resources | toYaml | nindent 12 }}
image: {{ .Values.operator.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
command:
- ./faas-netes
- -operator=true
env:
- name: port
value: "8081"
- name: function_namespace
value: {{ $functionNs | quote }}
- name: profiles_namespace
value: {{ .Release.Namespace | quote }}
- name: read_timeout
value: "{{ .Values.faasnetes.readTimeout }}"
- name: write_timeout
value: "{{ .Values.faasnetes.writeTimeout }}"
- name: image_pull_policy
value: {{ .Values.faasnetes.imagePullPolicy | quote }}
- name: http_probe
value: "{{ .Values.faasnetes.httpProbe }}"
- name: set_nonroot_user
value: "{{ .Values.faasnetes.setNonRootUser }}"
- name: readiness_probe_initial_delay_seconds
value: "{{ .Values.faasnetes.readinessProbe.initialDelaySeconds }}"
- name: readiness_probe_timeout_seconds
value: "{{ .Values.faasnetes.readinessProbe.timeoutSeconds }}"
- name: readiness_probe_period_seconds
value: "{{ .Values.faasnetes.readinessProbe.periodSeconds }}"
- name: liveness_probe_initial_delay_seconds
value: "{{ .Values.faasnetes.livenessProbe.initialDelaySeconds }}"
- name: liveness_probe_timeout_seconds
value: "{{ .Values.faasnetes.livenessProbe.timeoutSeconds }}"
- name: liveness_probe_period_seconds
value: "{{ .Values.faasnetes.livenessProbe.periodSeconds }}"
- name: cluster_role
value: "{{ .Values.clusterRole }}"
ports:
- containerPort: 8081
protocol: TCP
{{- else }}
- name: faas-netes
resources:
{{- .Values.faasnetes.resources | toYaml | nindent 12 }}
image: {{ .Values.faasnetes.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
{{- if .Values.securityContext }}
securityContext:
readOnlyRootFilesystem: true
runAsUser: 10001
{{- end }}
env:
- name: port
value: "8081"
- name: function_namespace
value: {{ $functionNs | quote }}
- name: read_timeout
value: "{{ .Values.faasnetes.readTimeout }}"
- name: profiles_namespace
value: {{ .Release.Namespace | quote }}
- name: write_timeout
value: "{{ .Values.faasnetes.writeTimeout }}"
- name: image_pull_policy
value: {{ .Values.faasnetes.imagePullPolicy | quote }}
- name: http_probe
value: "{{ .Values.faasnetes.httpProbe }}"
- name: set_nonroot_user
value: "{{ .Values.faasnetes.setNonRootUser }}"
- name: readiness_probe_initial_delay_seconds
value: "{{ .Values.faasnetes.readinessProbe.initialDelaySeconds }}"
- name: readiness_probe_timeout_seconds
value: "{{ .Values.faasnetes.readinessProbe.timeoutSeconds }}"
- name: readiness_probe_period_seconds
value: "{{ .Values.faasnetes.readinessProbe.periodSeconds }}"
- name: liveness_probe_initial_delay_seconds
value: "{{ .Values.faasnetes.livenessProbe.initialDelaySeconds }}"
- name: liveness_probe_timeout_seconds
value: "{{ .Values.faasnetes.livenessProbe.timeoutSeconds }}"
- name: liveness_probe_period_seconds
value: "{{ .Values.faasnetes.livenessProbe.periodSeconds }}"
- name: cluster_role
value: "{{ .Values.clusterRole }}"
volumeMounts:
- mountPath: /tmp
name: faas-netes-temp-volume
ports:
- containerPort: 8081
protocol: TCP
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}

29
openfaas/templates/gateway-external-svc.yaml Normal file
View File

@ -0,0 +1,29 @@
{{- if .Values.exposeServices }}
---
apiVersion: v1
kind: Service
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: gateway
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.gatewayExternal.annotations }}
annotations: {{ toYaml .Values.gatewayExternal.annotations | nindent 4 }}
{{- end }}
name: gateway-external
namespace: {{ .Release.Namespace | quote }}
spec:
type: {{ .Values.serviceType }}
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 8080
{{- if contains "NodePort" .Values.serviceType }}
nodePort: {{ .Values.gateway.nodePort }}
{{- end }}
selector:
app: gateway
{{- end }}

20
openfaas/templates/gateway-svc.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: gateway
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: gateway
namespace: {{ .Release.Namespace | quote }}
spec:
type: ClusterIP
ports:
- name: http
port: 8080
targetPort: http
protocol: TCP
selector:
app: gateway

94
openfaas/templates/ingress-operator-crd.yaml Normal file
View File

@ -0,0 +1,94 @@
{{- if .Values.ingressOperator.create }}
{{- if .Values.createCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: functioningresses.openfaas.com
spec:
group: openfaas.com
names:
kind: FunctionIngress
listKind: FunctionIngressList
plural: functioningresses
singular: functioningress
scope: Namespaced
versions:
- name: v1alpha2
schema:
openAPIV3Schema:
description: FunctionIngress describes an OpenFaaS function
type: object
required:
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: FunctionIngressSpec is the spec for a FunctionIngress resource.
It must be created in the same namespace as the gateway, i.e. openfaas.
type: object
required:
- domain
- function
properties:
bypassGateway:
description: BypassGateway, when true creates an Ingress record directly
for the Function name without using the gateway in the hot path
type: boolean
domain:
description: Domain such as "api.example.com"
type: string
function:
description: Function such as "nodeinfo"
type: string
ingressType:
description: IngressType such as "nginx"
type: string
path:
description: Path such as "/v1/profiles/view/(.*)", or leave empty
for default
type: string
tls:
description: Enable TLS via cert-manager
type: object
properties:
enabled:
type: boolean
issuerRef:
description: ObjectReference is a reference to an object with
a given name and kind.
type: object
required:
- name
properties:
kind:
type: string
name:
type: string
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
{{- end }}
{{- end }}

41
openfaas/templates/ingress-operator-dep.yaml Normal file
View File

@ -0,0 +1,41 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.ingressOperator.create }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: ingress-operator
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: ingress-operator
namespace: {{ .Release.Namespace | quote }}
spec:
replicas: {{ .Values.ingressOperator.replicas }}
selector:
matchLabels:
app: ingress-operator
template:
metadata:
annotations:
prometheus.io.scrape: "true"
labels:
app: ingress-operator
spec:
serviceAccountName: ingress-operator
containers:
- name: operator
resources:
{{- .Values.ingressOperator.resources | toYaml | nindent 10 }}
image: {{ .Values.ingressOperator.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
command:
- ./ingress-operator
- -logtostderr
env:
- name: function_namespace
value: {{ $functionNs | quote }}
- name: ingress_namespace
value: {{ .Release.Namespace | quote }}
{{- end }}

65
openfaas/templates/ingress-operator-rbac.yaml Normal file
View File

@ -0,0 +1,65 @@
{{- if .Values.ingressOperator.create }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ingress-operator
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: ingress-operator
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.rbac }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: ingress-operator-rw
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: ingress-operator
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["openfaas.com"]
resources: ["functioningresses"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["certmanager.k8s.io"]
resources: ["certificates"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["pods", "pods/log", "namespaces", "endpoints"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ingress-operator-rw
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: ingress-operator
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-operator-rw
subjects:
- kind: ServiceAccount
name: ingress-operator
namespace: {{ .Release.Namespace | quote }}
{{- end }}
{{- end }}

31
openfaas/templates/ingress.yaml Normal file
View File

@ -0,0 +1,31 @@
{{- if .Values.ingress.enabled -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ template "openfaas.name" . }}-ingress
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
rules:
{{- range $host := .Values.ingress.hosts }}
- host: {{ $host.host }}
http:
paths:
- path: {{ $host.path }}
backend:
serviceName: {{ $host.serviceName }}
servicePort: {{ $host.servicePort }}
{{- end -}}
{{- if .Values.ingress.tls }}
tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}

58
openfaas/templates/istio-mtls.yaml Normal file
View File

@ -0,0 +1,58 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.istio.mtls -}}
# enforce mTLS to openfaas control plane
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: default
namespace: {{ .Release.Namespace }}
spec:
peers:
- mtls: {}
---
# enforce mTLS to openfaas control plane
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: default
namespace: {{ .Release.Namespace }}
spec:
host: "*.{{ .Release.Namespace }}.svc.cluster.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
---
# enforce mTLS to functions
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: default
namespace: {{ $functionNs }}
spec:
peers:
- mtls: {}
---
# enforce mTLS to functions
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: default
namespace: {{ $functionNs | quote }}
spec:
host: "*.{{ $functionNs }}.svc.cluster.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
---
# disable mTLS to nats, the nats protocol is not supported by Istio
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: "nats-no-mtls"
namespace: {{ .Release.Namespace }}
spec:
host: "nats.{{ .Release.Namespace }}.svc.cluster.local"
trafficPolicy:
tls:
mode: DISABLE
{{- end -}}

82
openfaas/templates/nats-dep.yaml Normal file
View File

@ -0,0 +1,82 @@
{{- if and .Values.async (not .Values.nats.external.enabled) }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: nats
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: nats
namespace: {{ .Release.Namespace | quote }}
spec:
replicas: 1
selector:
matchLabels:
app: nats
template:
metadata:
annotations:
sidecar.istio.io/inject: "false"
prometheus.io.scrape: {{ .Values.nats.metrics.enabled | quote }}
{{- if .Values.nats.metrics.enabled }}
prometheus.io.port: "7777"
{{- end }}
labels:
app: nats
spec:
containers:
- name: nats
resources:
{{- .Values.nats.resources | toYaml | nindent 12 }}
image: {{ .Values.nats.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
ports:
- containerPort: 4222
protocol: TCP
{{- if .Values.nats.enableMonitoring }}
- containerPort: 8222
protocol: TCP
{{- end }}
command: ["/nats-streaming-server"]
args:
- --store
- memory
- --cluster_id
- faas-cluster
{{- if or .Values.nats.enableMonitoring .Values.nats.metrics.enabled }}
- -m
- "8222"
{{- end }}
{{- if .Values.nats.metrics.enabled }}
- name: metrics
image: {{ .Values.nats.metrics.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
ports:
- containerPort: 7777
protocol: TCP
args:
- -port
- "7777"
- -connz
- -routez
- -subz
- -varz
- -channelz
- -serverz
- http://localhost:8222
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end }}

32
openfaas/templates/nats-svc.yaml Normal file
View File

@ -0,0 +1,32 @@
{{- if and .Values.async (not .Values.nats.external.enabled) }}
---
apiVersion: v1
kind: Service
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: nats
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: nats
namespace: {{ .Release.Namespace | quote }}
spec:
type: ClusterIP
ports:
- port: 4222
protocol: TCP
name: clients
{{- if .Values.nats.enableMonitoring }}
- port: 8222
protocol: TCP
name: monitoring
{{- end }}
{{- if .Values.nats.metrics.enabled }}
- port: 7777
protocol: TCP
name: metrics
{{- end }}
selector:
app: nats
{{- end }}

139
openfaas/templates/oauth2-plugin-dep.yaml Normal file
View File

@ -0,0 +1,139 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.oauth2Plugin.enabled }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: oauth2-plugin
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: oauth2-plugin
namespace: {{ .Release.Namespace | quote }}
spec:
replicas: {{ .Values.oauth2Plugin.replicas }}
selector:
matchLabels:
app: oauth2-plugin
template:
metadata:
annotations:
prometheus.io.scrape: "false"
labels:
app: oauth2-plugin
spec:
volumes:
- name: oauth2-plugin-temp-volume
emptyDir: {}
{{- if .Values.basic_auth }}
- name: auth
secret:
secretName: basic-auth
{{- end }}
containers:
- name: oauth2-plugin
resources:
{{- .Values.oauth2Plugin.resources | toYaml | nindent 12 }}
image: {{ .Values.oauth2Plugin.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
{{- if .Values.securityContext }}
securityContext:
readOnlyRootFilesystem: true
runAsUser: 10001
{{- end }}
livenessProbe:
{{- if .Values.httpProbe }}
httpGet:
path: /health
port: 8080
{{- else }}
exec:
command:
- wget
- --quiet
- --tries=1
- --timeout=5
- --spider
- http://localhost:8080/health
{{- end }}
timeoutSeconds: 5
readinessProbe:
{{- if .Values.httpProbe }}
httpGet:
path: /health
port: 8080
{{- else }}
exec:
command:
- wget
- --quiet
- --tries=1
- --timeout=5
- --spider
- http://localhost:8080/health
{{- end }}
timeoutSeconds: 5
args:
- "-license={{- .Values.oauth2Plugin.license}}"
- "-provider={{- .Values.oauth2Plugin.provider}}"
env:
- name: client_id
value: "{{- .Values.oauth2Plugin.clientID}}"
- name: client_secret
value: "{{- .Values.oauth2Plugin.clientSecret}}"
- name: cookie_domain
value: "{{- .Values.oauth2Plugin.cookieDomain}}"
- name: base_host
value: "{{- .Values.oauth2Plugin.baseHost}}"
- name: port
value: "8080"
- name: authorize_url
value: "{{- .Values.oauth2Plugin.authorizeURL}}"
- name: welcome_page_url
value: "{{- .Values.oauth2Plugin.welcomePageURL}}"
- name: public_key_path
value: "" # leave blank if using jwks
- name: audience
value: "{{- .Values.oauth2Plugin.audience}}"
- name: token_url
value: "{{- .Values.oauth2Plugin.tokenURL}}"
- name: scopes
value: "{{- .Values.oauth2Plugin.scopes}}"
- name: jwks_url
value: "{{- .Values.oauth2Plugin.jwksURL}}"
- name: insecure_tls
value: "{{- .Values.oauth2Plugin.insecureTLS}}"
{{- if .Values.basic_auth }}
- name: secret_mount_path
value: "/var/secrets"
{{- end }}
volumeMounts:
- name: oauth2-plugin-temp-volume
mountPath: /tmp
{{- if .Values.basic_auth }}
- name: auth
readOnly: true
mountPath: "/var/secrets"
{{- end }}
ports:
- name: http
containerPort: 8080
protocol: TCP
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end }}

26
openfaas/templates/oauth2-plugin-svc.yaml Normal file
View File

@ -0,0 +1,26 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.oauth2Plugin.enabled }}
---
apiVersion: v1
kind: Service
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: oauth2-plugin
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: oauth2-plugin
namespace: {{ .Release.Namespace | quote }}
spec:
type: ClusterIP
ports:
- port: 8080
targetPort: http
protocol: TCP
name: http
selector:
app: oauth2-plugin
{{- end }}

124
openfaas/templates/operator-rbac.yaml Normal file
View File

@ -0,0 +1,124 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.operator.create }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Release.Name }}-operator
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: openfaas-operator
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.rbac }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ .Release.Name }}-operator-rw
namespace: {{ $functionNs | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: openfaas-operator
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["openfaas.com"]
resources: ["functions"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apps", "extensions"]
resources: ["deployments"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["pods", "pods/log", "namespaces", "endpoints"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .Release.Name }}-operator-rw
namespace: {{ $functionNs | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: openfaas-operator
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .Release.Name }}-operator-rw
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-operator
namespace: {{ .Release.Namespace | quote }}
{{- if .Values.clusterRole}}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: {{ .Release.Name }}-operator-controller
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: openaas-operator
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["openfaas.com"]
resources: ["functions"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["openfaas.com"]
resources: ["profiles"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["extensions", "apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["pods", "pods/log", "namespaces", "endpoints"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Release.Name }}-operator-controller
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: openfaas-operator
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}-operator-controller
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-operator
namespace: {{ .Release.Namespace | quote }}
{{- end }}
{{- end }}
{{- end }}

830
openfaas/templates/profile-crd.yaml Normal file
View File

@ -0,0 +1,830 @@
{{- if .Values.createCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: profiles.openfaas.com
spec:
group: openfaas.com
names:
kind: Profile
listKind: ProfileList
plural: profiles
singular: profile
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: Profile and ProfileSpec are used to customise the Pod template
for functions
type: object
required:
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: 'ProfileSpec is an openfaas api extensions that can be predefined
and applied to functions by annotating them with `com.openfaas/profile:
name1,name2`'
type: object
properties:
affinity:
description: "If specified, the pod's scheduling constraints \n copied
to the Pod Affinity, this will replace any existing value or previously
applied Profile. We use a replacement strategy because it is not
clear that merging affinities will actually produce a meaning Affinity
definition, it would likely result in an impossible to satisfy constraint"
type: object
properties:
nodeAffinity:
description: Describes node affinity scheduling rules for the
pod.
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to schedule pods to
nodes that satisfy the affinity expressions specified by
this field, but it may choose a node that violates one or
more of the expressions. The node that is most preferred
is the one with the greatest sum of weights, i.e. for each
node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling affinity expressions,
etc.), compute a sum by iterating through the elements of
this field and adding "weight" to the sum if the node matches
the corresponding matchExpressions; the node(s) with the
highest sum are the most preferred.
type: array
items:
description: An empty preferred scheduling term matches
all objects with implicit weight 0 (i.e. it's a no-op).
A null preferred scheduling term matches no objects (i.e.
is also a no-op).
type: object
required:
- preference
- weight
properties:
preference:
description: A node selector term, associated with the
corresponding weight.
type: object
properties:
matchExpressions:
description: A list of node selector requirements
by node's labels.
type: array
items:
description: A node selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: Represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists, DoesNotExist. Gt, and
Lt.
type: string
values:
description: An array of string values. If
the operator is In or NotIn, the values
array must be non-empty. If the operator
is Exists or DoesNotExist, the values array
must be empty. If the operator is Gt or
Lt, the values array must have a single
element, which will be interpreted as an
integer. This array is replaced during a
strategic merge patch.
type: array
items:
type: string
matchFields:
description: A list of node selector requirements
by node's fields.
type: array
items:
description: A node selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: Represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists, DoesNotExist. Gt, and
Lt.
type: string
values:
description: An array of string values. If
the operator is In or NotIn, the values
array must be non-empty. If the operator
is Exists or DoesNotExist, the values array
must be empty. If the operator is Gt or
Lt, the values array must have a single
element, which will be interpreted as an
integer. This array is replaced during a
strategic merge patch.
type: array
items:
type: string
weight:
description: Weight associated with matching the corresponding
nodeSelectorTerm, in the range 1-100.
type: integer
format: int32
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements specified by this
field are not met at scheduling time, the pod will not be
scheduled onto the node. If the affinity requirements specified
by this field cease to be met at some point during pod execution
(e.g. due to an update), the system may or may not try to
eventually evict the pod from its node.
type: object
required:
- nodeSelectorTerms
properties:
nodeSelectorTerms:
description: Required. A list of node selector terms.
The terms are ORed.
type: array
items:
description: A null or empty node selector term matches
no objects. The requirements of them are ANDed. The
TopologySelectorTerm type implements a subset of the
NodeSelectorTerm.
type: object
properties:
matchExpressions:
description: A list of node selector requirements
by node's labels.
type: array
items:
description: A node selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: Represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists, DoesNotExist. Gt, and
Lt.
type: string
values:
description: An array of string values. If
the operator is In or NotIn, the values
array must be non-empty. If the operator
is Exists or DoesNotExist, the values array
must be empty. If the operator is Gt or
Lt, the values array must have a single
element, which will be interpreted as an
integer. This array is replaced during a
strategic merge patch.
type: array
items:
type: string
matchFields:
description: A list of node selector requirements
by node's fields.
type: array
items:
description: A node selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: Represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists, DoesNotExist. Gt, and
Lt.
type: string
values:
description: An array of string values. If
the operator is In or NotIn, the values
array must be non-empty. If the operator
is Exists or DoesNotExist, the values array
must be empty. If the operator is Gt or
Lt, the values array must have a single
element, which will be interpreted as an
integer. This array is replaced during a
strategic merge patch.
type: array
items:
type: string
podAffinity:
description: Describes pod affinity scheduling rules (e.g. co-locate
this pod in the same node, zone, etc. as some other pod(s)).
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to schedule pods to
nodes that satisfy the affinity expressions specified by
this field, but it may choose a node that violates one or
more of the expressions. The node that is most preferred
is the one with the greatest sum of weights, i.e. for each
node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling affinity expressions,
etc.), compute a sum by iterating through the elements of
this field and adding "weight" to the sum if the node has
pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
type: array
items:
description: The weights of all of the matched WeightedPodAffinityTerm
fields are added per-node to find the most preferred node(s)
type: object
required:
- podAffinityTerm
- weight
properties:
podAffinityTerm:
description: Required. A pod affinity term, associated
with the corresponding weight.
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over a set of resources,
in this case pods.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
type: array
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies which namespaces
the labelSelector applies to (matches against);
null or empty list means "this pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should be co-located (affinity)
or not co-located (anti-affinity) with the pods
matching the labelSelector in the specified namespaces,
where co-located is defined as running on a node
whose value of the label with key topologyKey
matches that of any node on which any of the selected
pods is running. Empty topologyKey is not allowed.
type: string
weight:
description: weight associated with matching the corresponding
podAffinityTerm, in the range 1-100.
type: integer
format: int32
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements specified by this
field are not met at scheduling time, the pod will not be
scheduled onto the node. If the affinity requirements specified
by this field cease to be met at some point during pod execution
(e.g. due to a pod label update), the system may or may
not try to eventually evict the pod from its node. When
there are multiple elements, the lists of nodes corresponding
to each podAffinityTerm are intersected, i.e. all terms
must be satisfied.
type: array
items:
description: Defines a set of pods (namely those matching
the labelSelector relative to the given namespace(s))
that this pod should be co-located (affinity) or not co-located
(anti-affinity) with, where co-located is defined as running
on a node whose value of the label with key <topologyKey>
matches that of any node on which a pod of the set of
pods is running
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over a set of resources,
in this case pods.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
type: array
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies which namespaces the
labelSelector applies to (matches against); null or
empty list means "this pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should be co-located (affinity)
or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where
co-located is defined as running on a node whose value
of the label with key topologyKey matches that of
any node on which any of the selected pods is running.
Empty topologyKey is not allowed.
type: string
podAntiAffinity:
description: Describes pod anti-affinity scheduling rules (e.g.
avoid putting this pod in the same node, zone, etc. as some
other pod(s)).
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to schedule pods to
nodes that satisfy the anti-affinity expressions specified
by this field, but it may choose a node that violates one
or more of the expressions. The node that is most preferred
is the one with the greatest sum of weights, i.e. for each
node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions,
etc.), compute a sum by iterating through the elements of
this field and adding "weight" to the sum if the node has
pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
type: array
items:
description: The weights of all of the matched WeightedPodAffinityTerm
fields are added per-node to find the most preferred node(s)
type: object
required:
- podAffinityTerm
- weight
properties:
podAffinityTerm:
description: Required. A pod affinity term, associated
with the corresponding weight.
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over a set of resources,
in this case pods.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
type: array
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies which namespaces
the labelSelector applies to (matches against);
null or empty list means "this pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should be co-located (affinity)
or not co-located (anti-affinity) with the pods
matching the labelSelector in the specified namespaces,
where co-located is defined as running on a node
whose value of the label with key topologyKey
matches that of any node on which any of the selected
pods is running. Empty topologyKey is not allowed.
type: string
weight:
description: weight associated with matching the corresponding
podAffinityTerm, in the range 1-100.
type: integer
format: int32
requiredDuringSchedulingIgnoredDuringExecution:
description: If the anti-affinity requirements specified by
this field are not met at scheduling time, the pod will
not be scheduled onto the node. If the anti-affinity requirements
specified by this field cease to be met at some point during
pod execution (e.g. due to a pod label update), the system
may or may not try to eventually evict the pod from its
node. When there are multiple elements, the lists of nodes
corresponding to each podAffinityTerm are intersected, i.e.
all terms must be satisfied.
type: array
items:
description: Defines a set of pods (namely those matching
the labelSelector relative to the given namespace(s))
that this pod should be co-located (affinity) or not co-located
(anti-affinity) with, where co-located is defined as running
on a node whose value of the label with key <topologyKey>
matches that of any node on which a pod of the set of
pods is running
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over a set of resources,
in this case pods.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
type: array
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies which namespaces the
labelSelector applies to (matches against); null or
empty list means "this pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should be co-located (affinity)
or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where
co-located is defined as running on a node whose value
of the label with key topologyKey matches that of
any node on which any of the selected pods is running.
Empty topologyKey is not allowed.
type: string
podSecurityContext:
description: "SecurityContext holds pod-level security attributes
and common container settings. Optional: Defaults to empty. See
type description for default values of each field. \n each non-nil
value will be merged into the function's PodSecurityContext, the
value will replace any existing value or previously applied Profile"
type: object
properties:
fsGroup:
description: "A special supplemental group that applies to all
containers in a pod. Some volume types allow the Kubelet to
change the ownership of that volume to be owned by the pod:
\n 1. The owning GID will be the FSGroup 2. The setgid bit is
set (new files created in the volume will be owned by FSGroup)
3. The permission bits are OR'd with rw-rw---- \n If unset,
the Kubelet will not modify the ownership and permissions of
any volume."
type: integer
format: int64
fsGroupChangePolicy:
description: 'fsGroupChangePolicy defines behavior of changing
ownership and permission of the volume before being exposed
inside Pod. This field will only apply to volume types which
support fsGroup based ownership(and permissions). It will have
no effect on ephemeral volume types such as: secret, configmaps
and emptydir. Valid values are "OnRootMismatch" and "Always".
If not specified defaults to "Always".'
type: string
runAsGroup:
description: The GID to run the entrypoint of the container process.
Uses runtime default if unset. May also be set in SecurityContext. If
set in both SecurityContext and PodSecurityContext, the value
specified in SecurityContext takes precedence for that container.
type: integer
format: int64
runAsNonRoot:
description: Indicates that the container must run as a non-root
user. If true, the Kubelet will validate the image at runtime
to ensure that it does not run as UID 0 (root) and fail to start
the container if it does. If unset or false, no such validation
will be performed. May also be set in SecurityContext. If set
in both SecurityContext and PodSecurityContext, the value specified
in SecurityContext takes precedence.
type: boolean
runAsUser:
description: The UID to run the entrypoint of the container process.
Defaults to user specified in image metadata if unspecified.
May also be set in SecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext
takes precedence for that container.
type: integer
format: int64
seLinuxOptions:
description: The SELinux context to be applied to all containers.
If unspecified, the container runtime will allocate a random
SELinux context for each container. May also be set in SecurityContext. If
set in both SecurityContext and PodSecurityContext, the value
specified in SecurityContext takes precedence for that container.
type: object
properties:
level:
description: Level is SELinux level label that applies to
the container.
type: string
role:
description: Role is a SELinux role label that applies to
the container.
type: string
type:
description: Type is a SELinux type label that applies to
the container.
type: string
user:
description: User is a SELinux user label that applies to
the container.
type: string
supplementalGroups:
description: A list of groups applied to the first process run
in each container, in addition to the container's primary GID. If
unspecified, no groups will be added to any container.
type: array
items:
type: integer
format: int64
sysctls:
description: Sysctls hold a list of namespaced sysctls used for
the pod. Pods with unsupported sysctls (by the container runtime)
might fail to launch.
type: array
items:
description: Sysctl defines a kernel parameter to be set
type: object
required:
- name
- value
properties:
name:
description: Name of a property to set
type: string
value:
description: Value of a property to set
type: string
windowsOptions:
description: The Windows specific settings applied to all containers.
If unspecified, the options within a container's SecurityContext
will be used. If set in both SecurityContext and PodSecurityContext,
the value specified in SecurityContext takes precedence.
type: object
properties:
gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA admission
webhook (https://github.com/kubernetes-sigs/windows-gmsa)
inlines the contents of the GMSA credential spec named by
the GMSACredentialSpecName field.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the name of the GMSA
credential spec to use.
type: string
runAsUserName:
description: The UserName in Windows to run the entrypoint
of the container process. Defaults to the user specified
in image metadata if unspecified. May also be set in PodSecurityContext.
If set in both SecurityContext and PodSecurityContext, the
value specified in SecurityContext takes precedence.
type: string
runtimeClassName:
description: "RuntimeClassName refers to a RuntimeClass object in
the node.k8s.io group, which should be used to run this pod. If
no RuntimeClass resource matches the named class, the pod will not
be run. If unset or empty, the \"legacy\" RuntimeClass will be used,
which is an implicit class with an empty definition that uses the
default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md
This is a beta feature as of Kubernetes v1.14. \n copied to the
Pod RunTimeClass, this will replace any existing value or previously
applied Profile."
type: string
tolerations:
description: "If specified, the function's pod tolerations. \n merged
into the Pod Tolerations"
type: array
items:
description: The pod this Toleration is attached to tolerates any
taint that matches the triple <key,value,effect> using the matching
operator <operator>.
type: object
properties:
effect:
description: Effect indicates the taint effect to match. Empty
means match all taint effects. When specified, allowed values
are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: Key is the taint key that the toleration applies
to. Empty means match all taint keys. If the key is empty,
operator must be Exists; this combination means to match all
values and all keys.
type: string
operator:
description: Operator represents a key's relationship to the
value. Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod
can tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: TolerationSeconds represents the period of time
the toleration (which must be of effect NoExecute, otherwise
this field is ignored) tolerates the taint. By default, it
is not set, which means tolerate the taint forever (do not
evict). Zero and negative values will be treated as 0 (evict
immediately) by the system.
type: integer
format: int64
value:
description: Value is the taint value the toleration matches
to. If the operator is Exists, the value should be empty,
otherwise just a regular string.
type: string
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
{{- end }}

82
openfaas/templates/prometheus-cfg.yaml Normal file
View File

@ -0,0 +1,82 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.prometheus.create }}
---
kind: ConfigMap
apiVersion: v1
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus-config
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: prometheus-config
namespace: {{ .Release.Namespace | quote }}
data:
prometheus.yml: |
global:
scrape_interval: 15s
evaluation_interval: 15s
external_labels:
monitor: 'faas-monitor'
rule_files:
- 'alert.rules.yml'
scrape_configs:
- job_name: 'prometheus'
scrape_interval: 5s
static_configs:
- targets: ['localhost:9090']
- job_name: 'kubernetes-pods'
scrape_interval: 5s
honor_labels: false
kubernetes_sd_configs:
- role: pod
namespaces:
names:
- {{ .Release.Namespace }}
{{- if ne $functionNs (.Release.Namespace | toString) }}
- {{ $functionNs }}
{{- end }}
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: kubernetes_namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: kubernetes_pod_name
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
action: replace
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
target_label: __address__
alerting:
alertmanagers:
- static_configs:
- targets:
- alertmanager:9093
alert.rules.yml: |
groups:
- name: openfaas
rules:
- alert: service_down
expr: up == 0
- alert: APIHighInvocationRate
expr: sum(rate(gateway_function_invocation_total{code="200"}[10s])) BY (function_name) > 5
for: 5s
labels:
service: gateway
severity: major
annotations:
description: High invocation total on "{{ "{{" }}$labels.function_name{{ "}}" }}"
summary: High invocation total on "{{ "{{" }}$labels.function_name{{ "}}" }}"
{{- end }}

108
openfaas/templates/prometheus-dep.yaml Normal file
View File

@ -0,0 +1,108 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.prometheus.create }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: prometheus
namespace: {{ .Release.Namespace | quote }}
spec:
replicas: 1
selector:
matchLabels:
app: prometheus
template:
metadata:
labels:
app: prometheus
annotations:
sidecar.istio.io/inject: "true"
checksum/prometheus-config: {{ include (print $.Template.BasePath "/prometheus-cfg.yaml") . | sha256sum | quote }}
spec:
serviceAccountName: {{ .Release.Name }}-prometheus
containers:
- name: prometheus
resources:
{{- .Values.prometheus.resources | toYaml | nindent 12 }}
image: {{ .Values.prometheus.image }}
command:
- "prometheus"
- "--config.file=/etc/prometheus/prometheus.yml"
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
livenessProbe:
{{- if .Values.httpProbe }}
httpGet:
path: /-/healthy
port: 9090
{{- else }}
exec:
command:
- wget
- --quiet
- --tries=1
- --timeout=30
- --spider
- http://localhost:9090/-/healthy
{{- end }}
timeoutSeconds: 30
readinessProbe:
{{- if .Values.httpProbe }}
httpGet:
path: /-/healthy
port: 9090
{{- else }}
exec:
command:
- wget
- --quiet
- --tries=1
- --timeout=30
- --spider
- http://localhost:9090/-/healthy
{{- end }}
timeoutSeconds: 30
ports:
- containerPort: 9090
protocol: TCP
volumeMounts:
- mountPath: /etc/prometheus/prometheus.yml
name: prometheus-config
subPath: prometheus.yml
- mountPath: /etc/prometheus/alert.rules.yml
name: prometheus-config
subPath: alert.rules.yml
- mountPath: /prometheus/data
name: prom-data
volumes:
- name: prometheus-config
configMap:
name: prometheus-config
items:
- key: prometheus.yml
path: prometheus.yml
mode: 0644
- key: alert.rules.yml
path: alert.rules.yml
mode: 0644
- name: prom-data
emptyDir: {}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end }}

162
openfaas/templates/prometheus-rbac.yaml Normal file
View File

@ -0,0 +1,162 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.prometheus.create }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Release.Name }}-prometheus
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
---
{{- if .Values.clusterRole }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ .Release.Name }}-prometheus
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: [""]
resources:
- services
- endpoints
- pods
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .Release.Name }}-prometheus
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}-prometheus
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-prometheus
namespace: {{ .Release.Namespace | quote }}
{{- if ne $functionNs (.Release.Namespace | toString) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .Release.Name }}-prometheus
namespace: {{ $functionNs | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}-prometheus
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-prometheus
namespace: {{ .Release.Namespace | quote }}
{{- end }}
{{- else -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ .Release.Name }}-prometheus
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: [""]
resources:
- services
- endpoints
- pods
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .Release.Name }}-prometheus
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .Release.Name }}-prometheus
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-prometheus
namespace: {{ .Release.Namespace | quote }}
{{- if ne $functionNs (.Release.Namespace | toString) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ .Release.Name }}-prometheus-fn
namespace: {{ $functionNs | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: [""]
resources:
- services
- endpoints
- pods
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .Release.Name }}-prometheus-fn
namespace: {{ $functionNs | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .Release.Name }}-prometheus-fn
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-prometheus
namespace: {{ .Release.Namespace | quote }}
{{- end }}
{{- end }}
{{- end }}

22
openfaas/templates/prometheus-svc.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.prometheus.create }}
---
apiVersion: v1
kind: Service
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: prometheus
namespace: {{ .Release.Namespace | quote }}
spec:
type: ClusterIP
ports:
- port: 9090
protocol: TCP
selector:
app: prometheus
{{- end }}

69
openfaas/templates/psp.yaml Normal file
View File

@ -0,0 +1,69 @@
{{- if .Values.psp }}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ .Release.Name }}-psp
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
privileged: false
hostIPC: false
hostNetwork: false
hostPID: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
allowedCapabilities:
- NET_ADMIN
- NET_RAW
fsGroup:
rule: RunAsAny
hostPorts:
- max: 65535
min: 1
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- '*'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ .Release.Name }}-psp
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ .Release.Name }}-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .Release.Name }}-psp
namespace: {{ .Release.Namespace | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}-psp
subjects:
# bind the PSP cluster role to all service accounts in the OF namespace
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:serviceaccounts:{{ .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}

87
openfaas/templates/queueworker-dep.yaml Normal file
View File

@ -0,0 +1,87 @@
{{- if .Values.async }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: queue-worker
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: queue-worker
namespace: {{ .Release.Namespace | quote }}
spec:
replicas: {{ .Values.queueWorker.replicas }}
selector:
matchLabels:
app: queue-worker
template:
metadata:
annotations:
prometheus.io.scrape: "false"
labels:
app: queue-worker
spec:
{{- if .Values.basic_auth }}
volumes:
- name: auth
secret:
secretName: basic-auth
{{- end }}
containers:
- name: queue-worker
resources:
{{- .Values.queueWorker.resources | toYaml | nindent 12 }}
image: {{ .Values.queueWorker.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
env:
{{- if .Values.nats.external.enabled }}
- name: faas_nats_address
value: "{{ .Values.nats.external.host }}"
- name: faas_nats_port
value: "{{ .Values.nats.external.port }}"
- name: faas_nats_cluster_name
value: "{{ .Values.nats.external.clusterName }}"
{{- else }}
- name: faas_nats_address
value: "nats.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesDNSDomain }}"
{{- end}}
- name: faas_nats_channel
value: "{{ .Values.nats.channel }}"
- name: faas_nats_queue_group
value: "{{ .Values.queueWorker.queueGroup }}"
- name: faas_gateway_address
value: "gateway.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesDNSDomain }}"
- name: "gateway_invoke"
value: "{{ .Values.queueWorker.gatewayInvoke }}"
{{- if .Values.functionNamespace }}
- name: faas_function_suffix
value: ".{{ .Values.functionNamespace }}.svc.{{ .Values.kubernetesDNSDomain }}"
{{- end }}
- name: max_inflight
value: "{{ .Values.queueWorker.maxInflight }}"
- name: ack_wait # Max duration of any async task / request
value: {{ .Values.queueWorker.ackWait }}
{{- if .Values.basic_auth }}
- name: secret_mount_path
value: "/var/secrets"
- name: basic_auth
value: "{{ .Values.basic_auth }}"
volumeMounts:
- name: auth
readOnly: true
mountPath: "/var/secrets"
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end }}

19
openfaas/templates/secret.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if .Values.generateBasicAuth }}
apiVersion: v1
kind: Secret
metadata:
name: basic-auth
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: gateway
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
"helm.sh/hook": "pre-install"
data:
basic-auth-user: {{ "admin" | b64enc | quote }}
# kubectl -n openfaas get secret basic-auth -o jsonpath="{.data.basic-auth-password}" | base64 --decode
basic-auth-password: {{ randAlphaNum 12 | b64enc | quote }}
{{- end }}

48
openfaas/values-arm64.yaml Normal file
View File

@ -0,0 +1,48 @@
basic_auth: true
clusterRole: false
createCRDs: true
nodeSelector:
beta.kubernetes.io/arch: arm64
gateway:
image: openfaas/gateway:0.20.1-arm64
directFunctions: true
oauth2Plugin:
enabled: false
faasnetes:
image: ghcr.io/openfaas/faas-netes:0.12.12
operator:
image: ghcr.io/openfaas/faas-netes:0.12.12
create: false
queueWorker:
image: openfaas/queue-worker:0.11.2
prometheus:
image: prom/prometheus:v2.11.0
resources:
requests:
memory: "100Mi"
alertmanager:
image: prom/alertmanager:v0.18.0
faasIdler:
image: openfaas/faas-idler:0.4.0-arm64
basicAuthPlugin:
image: openfaas/basic-auth-plugin:0.20.1-arm64
replicas: 1
ingressOperator:
create: false
# Unfortunately the exporter is not multi-arch (yet)
nats:
metrics:
enabled: false

48
openfaas/values-armhf.yaml Normal file
View File

@ -0,0 +1,48 @@
basic_auth: true
clusterRole: false
createCRDs: true
nodeSelector:
beta.kubernetes.io/arch: arm
gateway:
image: openfaas/gateway:0.20.2-armhf
directFunctions: true
oauth2Plugin:
enabled: false
faasnetes:
image: ghcr.io/openfaas/faas-netes:0.12.12
operator:
image: ghcr.io/openfaas/faas-netes:0.12.12
create: false
queueWorker:
image: openfaas/queue-worker:0.11.2
prometheus:
image: prom/prometheus:v2.11.0
resources:
requests:
memory: "100Mi"
alertmanager:
image: prom/alertmanager:v0.18.0
faasIdler:
image: openfaas/faas-idler:0.4.0-armhf
basicAuthPlugin:
image: openfaas/basic-auth-plugin:0.20.1-armhf
replicas: 1
ingressOperator:
create: false
# Unfortunately the exporter is not multi-arch (yet)
nats:
metrics:
enabled: false

203
openfaas/values.yaml Normal file
View File

@ -0,0 +1,203 @@
functionNamespace: openfaas-fn # Default namespace for functions
async: true
exposeServices: true
serviceType: NodePort
httpProbe: true # Setting to true will use HTTP for readiness and liveness probe on the OpenFaaS system Pods (incompatible with Istio < 1.1.5)
rbac: true
clusterRole: false # Set to true to have OpenFaaS administrate multiple namespaces
createCRDs: true
# create pod security policies for OpenFaaS control plane
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
psp: false
securityContext: true
basic_auth: true
generateBasicAuth: false
# image pull policy for openfaas components, can change to `IfNotPresent` in offline env
openfaasImagePullPolicy: "Always"
gatewayExternal:
annotations: {}
gateway:
image: openfaas/gateway:0.20.2
readTimeout : "65s"
writeTimeout : "65s"
upstreamTimeout : "60s" # Must be smaller than read/write_timeout
replicas: 1
scaleFromZero: true
# change the port when creating multiple releases in the same baremetal cluster
nodePort: 31112
maxIdleConns: 1024
maxIdleConnsPerHost: 1024
directFunctions: false
# Custom logs provider url. For example openfaas-loki would be
# "http://ofloki-openfaas-loki.openfaas:9191/"
logsProviderURL: ""
resources:
requests:
memory: "120Mi"
cpu: "50m"
basicAuthPlugin:
image: openfaas/basic-auth-plugin:0.20.1
replicas: 1
resources:
requests:
memory: "50Mi"
cpu: "20m"
oauth2Plugin:
enabled: false
provider: "" # Leave blank, or put "azure"
license: "example"
insecureTLS: false
scopes: "openid profile email"
jwksURL: https://example.eu.auth0.com/.well-known/jwks.json
tokenURL: https://example.eu.auth0.com/oauth/token
audience: https://example.eu.auth0.com/api/v2/
authorizeURL: https://example.eu.auth0.com/authorize
welcomePageURL: https://gw.oauth.example.com
cookieDomain: ".oauth.example.com"
baseHost: "http://auth.oauth.example.com"
clientSecret: SECRET
clientID: ID
resources:
requests:
memory: "120Mi"
cpu: "50m"
replicas: 1
image: openfaas/openfaas-oidc-plugin:0.3.7
securityContext: true
faasnetes:
image: ghcr.io/openfaas/faas-netes:0.12.12
readTimeout : "60s"
writeTimeout : "60s"
imagePullPolicy : "Always" # Image pull policy for deployed functions
httpProbe: true # Setting to true will use HTTP for readiness and liveness probe on Pods (incompatible with Istio < 1.1.5)
setNonRootUser: false
readinessProbe:
initialDelaySeconds: 2
timeoutSeconds: 1 # Tuned-in to run checks early and quickly to support fast cold-start from zero replicas
periodSeconds: 2 # Reduce to 1 for a faster cold-start, increase higher for lower-CPU usage
livenessProbe:
initialDelaySeconds: 2
timeoutSeconds: 1
periodSeconds: 2 # Reduce to 1 for a faster cold-start, increase higher for lower-CPU usage
resources:
requests:
memory: "120Mi"
cpu: "50m"
# replaces faas-netes with openfaas-operator
operator:
image: ghcr.io/openfaas/faas-netes:0.12.12
create: false
# set this to false when creating multiple releases in the same cluster
# must be true for the first one only
createCRD: true
resources:
requests:
memory: "120Mi"
cpu: "50m"
queueWorker:
image: openfaas/queue-worker:0.11.2
# Control HA of queue-worker
replicas: 1
# Control the concurrent invocations
maxInflight: 1
gatewayInvoke: true
queueGroup: "faas"
ackWait : "60s"
resources:
requests:
memory: "120Mi"
cpu: "50m"
# monitoring and auto-scaling components
# both components
prometheus:
image: prom/prometheus:v2.11.0
create: true
resources:
requests:
memory: "512Mi"
alertmanager:
image: prom/alertmanager:v0.18.0
create: true
resources:
requests:
memory: "25Mi"
limits:
memory: "50Mi"
# async provider
nats:
channel: "faas-request"
external:
clusterName: ""
enabled: false
host: ""
port: ""
image: nats-streaming:0.17.0
enableMonitoring: false
metrics:
enabled: false
image: synadia/prometheus-nats-exporter:0.6.2
resources:
requests:
memory: "120Mi"
# ingress configuration
ingress:
enabled: false
# Used to create Ingress record (should be used with exposeServices: false).
hosts:
- host: gateway.openfaas.local # Replace with gateway.example.com if public-facing
serviceName: gateway
servicePort: 8080
path: /
annotations:
kubernetes.io/ingress.class: nginx
tls:
# Secrets must be manually created in the namespace.
# ingressOperator (optional) component to have specific FQDN and TLS for Functions
# https://github.com/openfaas-incubator/ingress-operator
ingressOperator:
image: openfaas/ingress-operator:0.6.6
replicas: 1
create: false
resources:
requests:
memory: "25Mi"
# faas-idler configuration
faasIdler:
image: openfaas/faas-idler:0.4.0
replicas: 1
create: true
inactivityDuration: 30m # If a function is inactive for 15 minutes, it may be scaled to zero
reconcileInterval: 2m # The interval between each attempt to scale functions to zero
dryRun: true # Set to false to enable the idler to apply changes and scale to zero
resources:
requests:
memory: "64Mi"
nodeSelector:
beta.kubernetes.io/arch: amd64
tolerations: []
affinity: {}
kubernetesDNSDomain: cluster.local
istio:
mtls: false