ghp/helm-charts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

GHP publish

Browse Source
This commit is contained in:
ace
2021-01-17 04:09:41 +03:00
commit 9fe2c2adf2
457 changed files with 40068 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
openfaas/templates/NOTES.txt Normal file
View File

@ -0,0 +1,9 @@
To verify that openfaas has started, run:
kubectl -n {{ .Release.Namespace }} get deployments -l "release={{ .Release.Name }}, app={{ template "openfaas.name" . }}"
{{- if .Values.generateBasicAuth }}
To retrieve the admin password, run:
echo $(kubectl -n {{ .Release.Namespace }} get secret basic-auth -o jsonpath="{.data.basic-auth-password}" | base64 --decode)
{{- end }}

20
openfaas/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,20 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "openfaas.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "openfaas.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}

47
openfaas/templates/alertmanager-cfg.yaml Normal file
View File

@ -0,0 +1,47 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.alertmanager.create }}
---
kind: ConfigMap
apiVersion: v1
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: alertmanager-config
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: alertmanager-config
namespace: {{ .Release.Namespace | quote }}
data:
alertmanager.yml: |
route:
group_by: ['alertname', 'cluster', 'service']
group_wait: 5s
group_interval: 10s
repeat_interval: 30s
receiver: scale-up
routes:
- match:
service: gateway
receiver: scale-up
severity: major
inhibit_rules:
- source_match:
severity: 'critical'
target_match:
severity: 'warning'
equal: ['alertname', 'cluster', 'service']
receivers:
- name: 'scale-up'
webhook_configs:
- url: http://gateway.{{ .Release.Namespace }}:8080/system/alert
send_resolved: true
{{- if .Values.basic_auth }}
http_config:
basic_auth:
username: admin
password_file: /var/secrets/basic-auth-password
{{- end -}}
{{- end }}

108
openfaas/templates/alertmanager-dep.yaml Normal file
View File

@ -0,0 +1,108 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.alertmanager.create }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: alertmanager
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: alertmanager
namespace: {{ .Release.Namespace | quote }}
spec:
replicas: 1
selector:
matchLabels:
app: alertmanager
template:
metadata:
labels:
app: alertmanager
annotations:
sidecar.istio.io/inject: "true"
checksum/alertmanager-config: {{ include (print $.Template.BasePath "/alertmanager-cfg.yaml") . | sha256sum | quote }}
spec:
containers:
- name: alertmanager
image: {{ .Values.alertmanager.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
command:
- "alertmanager"
- "--config.file=/alertmanager.yml"
- "--storage.path=/alertmanager"
- "--cluster.listen-address="
livenessProbe:
{{- if .Values.httpProbe }}
httpGet:
path: /-/ready
port: 9093
{{- else }}
exec:
command:
- wget
- --quiet
- --tries=1
- --timeout=30
- --spider
- http://localhost:9093/-/ready
{{- end }}
timeoutSeconds: 30
readinessProbe:
{{- if .Values.httpProbe }}
httpGet:
path: /-/ready
port: 9093
{{- else }}
exec:
command:
- wget
- --quiet
- --tries=1
- --timeout=30
- --spider
- http://localhost:9093/-/ready
{{- end }}
timeoutSeconds: 30
ports:
- containerPort: 9093
protocol: TCP
resources:
{{- .Values.alertmanager.resources | toYaml | nindent 12 }}
volumeMounts:
- mountPath: /alertmanager.yml
name: alertmanager-config
subPath: alertmanager.yml
{{- if .Values.basic_auth }}
- name: auth
readOnly: true
mountPath: "/var/secrets"
{{- end }}
volumes:
- name: alertmanager-config
configMap:
name: alertmanager-config
items:
- key: alertmanager.yml
path: alertmanager.yml
mode: 0644
{{- if .Values.basic_auth }}
- name: auth
secret:
secretName: basic-auth
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end }}

22
openfaas/templates/alertmanager-svc.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.alertmanager.create }}
---
apiVersion: v1
kind: Service
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: alertmanager
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: alertmanager
namespace: {{ .Release.Namespace | quote }}
spec:
type: ClusterIP
ports:
- port: 9093
protocol: TCP
selector:
app: alertmanager
{{- end }}

106
openfaas/templates/basic-auth-plugin-dep.yaml Normal file
View File

@ -0,0 +1,106 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.basic_auth }}
{{- if not .Values.oauth2Plugin.enabled }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: basic-auth-plugin
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: basic-auth-plugin
namespace: {{ .Release.Namespace | quote }}
spec:
replicas: {{ .Values.basicAuthPlugin.replicas }}
selector:
matchLabels:
app: basic-auth-plugin
template:
metadata:
annotations:
prometheus.io.scrape: "false"
labels:
app: basic-auth-plugin
spec:
{{- if .Values.basic_auth }}
volumes:
- name: auth
secret:
secretName: basic-auth
{{- end }}
containers:
- name: basic-auth-plugin
resources:
{{- .Values.basicAuthPlugin.resources | toYaml | nindent 12 }}
image: {{ .Values.basicAuthPlugin.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
{{- if .Values.securityContext }}
securityContext:
readOnlyRootFilesystem: true
runAsUser: 10001
{{- end }}
livenessProbe:
{{- if .Values.httpProbe }}
httpGet:
path: /health
port: 8080
{{- else }}
exec:
command:
- wget
- --quiet
- --tries=1
- --timeout=5
- --spider
- http://localhost:8080/health
{{- end }}
timeoutSeconds: 5
readinessProbe:
{{- if .Values.httpProbe }}
httpGet:
path: /health
port: 8080
{{- else }}
exec:
command:
- wget
- --quiet
- --tries=1
- --timeout=5
- --spider
- http://localhost:8080/health
{{- end }}
timeoutSeconds: 5
env:
{{- if .Values.basic_auth }}
- name: secret_mount_path
value: "/var/secrets"
- name: basic_auth
value: "{{ .Values.basic_auth }}"
volumeMounts:
- name: auth
readOnly: true
mountPath: "/var/secrets"
ports:
- name: http
containerPort: 8080
protocol: TCP
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end }}
{{- end }}

25
openfaas/templates/basic-auth-plugin-svc.yaml Normal file
View File

@ -0,0 +1,25 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.basic_auth }}
---
apiVersion: v1
kind: Service
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: basic-auth-plugin
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: basic-auth-plugin
namespace: {{ .Release.Namespace | quote }}
spec:
type: ClusterIP
ports:
- port: 8080
targetPort: http
protocol: TCP
name: http
selector:
app: basic-auth-plugin
{{- end }}

227
openfaas/templates/controller-rbac.yaml Normal file
View File

@ -0,0 +1,227 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if eq .Values.operator.create false }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: faas-controller
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ .Release.Name }}-controller
namespace: {{ .Release.Namespace | quote }}
{{- if .Values.rbac }}
{{- if .Values.clusterRole }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: faas-controller
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ .Release.Name }}-controller
namespace: {{ $functionNs | quote }}
rules:
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- create
- delete
- update
- apiGroups:
- extensions
- apps
resources:
- deployments
verbs:
- get
- list
- watch
- create
- delete
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- pods
- pods/log
- namespaces
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- "openfaas.com"
resources:
- "profiles"
verbs:
- "get"
- "list"
- "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: faas-controller
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ .Release.Name }}-controller
namespace: {{ $functionNs | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}-controller
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-controller
namespace: {{ .Release.Namespace | quote }}
{{- else }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: faas-controller
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ .Release.Name }}-controller
namespace: {{ $functionNs | quote }}
rules:
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- create
- delete
- update
- apiGroups:
- extensions
- apps
resources:
- deployments
verbs:
- get
- list
- watch
- create
- delete
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- pods
- pods/log
- namespaces
- endpoints
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: faas-controller
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ .Release.Name }}-controller
namespace: {{ $functionNs | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .Release.Name }}-controller
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-controller
namespace: {{ .Release.Namespace | quote }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: faas-controller
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ .Release.Name }}-profiles
namespace: {{ .Release.Namespace | quote }}
rules:
- apiGroups:
- "openfaas.com"
resources:
- "profiles"
verbs:
- "get"
- "list"
- "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: faas-controller
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ .Release.Name }}-profiles
namespace: {{ .Release.Namespace | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .Release.Name }}-profiles
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-controller
namespace: {{ .Release.Namespace | quote }}
{{- end }}
{{- end }}
{{- end }}

75
openfaas/templates/faas-idler-dep.yaml Normal file
View File

@ -0,0 +1,75 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.faasIdler.create }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: faas-idler
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: faas-idler
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
replicas: {{ .Values.faasIdler.replicas }}
selector:
matchLabels:
app: faas-idler
template:
metadata:
annotations:
prometheus.io.scrape: "false"
labels:
app: faas-idler
spec:
containers:
- name: faas-idler
resources:
{{- .Values.faasIdler.resources | toYaml | nindent 12 }}
image: {{ .Values.faasIdler.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
env:
- name: gateway_url
value: "http://gateway.{{ .Release.Namespace }}:8080/"
- name: prometheus_host
value: "prometheus.{{ .Release.Namespace }}"
- name: prometheus_port
value: "9090"
- name: inactivity_duration
value: {{ .Values.faasIdler.inactivityDuration }}
- name: reconcile_interval
value: {{ .Values.faasIdler.reconcileInterval }}
{{- if .Values.faasIdler.writeDebug }}
- name: write_debug
value: {{ .Values.faasIdler.writeDebug }}
{{- end }}
command:
- /home/app/faas-idler
- -dry-run={{ .Values.faasIdler.dryRun }}
{{- if .Values.basic_auth }}
volumeMounts:
- name: auth
readOnly: true
mountPath: "/var/secrets/"
volumes:
- name: auth
secret:
secretName: basic-auth
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end }}

106
openfaas/templates/function-crd.yaml Normal file
View File

@ -0,0 +1,106 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.operator.create }}
{{- if .Values.createCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: functions.openfaas.com
spec:
group: openfaas.com
names:
kind: Function
listKind: FunctionList
plural: functions
singular: function
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: Function describes an OpenFaaS function
type: object
required:
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: FunctionSpec is the spec for a Function resource
type: object
required:
- image
- name
properties:
annotations:
type: object
additionalProperties:
type: string
constraints:
type: array
items:
type: string
environment:
type: object
additionalProperties:
type: string
handler:
type: string
image:
type: string
labels:
type: object
additionalProperties:
type: string
limits:
description: FunctionResources is used to set CPU and memory limits
and requests
type: object
properties:
cpu:
type: string
memory:
type: string
name:
type: string
readOnlyRootFilesystem:
type: boolean
requests:
description: FunctionResources is used to set CPU and memory limits
and requests
type: object
properties:
cpu:
type: string
memory:
type: string
secrets:
type: array
items:
type: string
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
{{- end }}
{{- end }}

260
openfaas/templates/gateway-dep.yaml Normal file
View File

@ -0,0 +1,260 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: gateway
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: gateway
namespace: {{ .Release.Namespace | quote }}
spec:
replicas: {{ .Values.gateway.replicas }}
selector:
matchLabels:
app: gateway
template:
metadata:
annotations:
prometheus.io.scrape: "true"
prometheus.io.port: "8082"
labels:
app: gateway
spec:
{{- if .Values.operator.create }}
serviceAccountName: {{ .Release.Name }}-operator
{{- else }}
serviceAccountName: {{ .Release.Name }}-controller
{{- end }}
volumes:
- name: faas-netes-temp-volume
emptyDir: {}
{{- if .Values.basic_auth }}
- name: auth
secret:
secretName: basic-auth
{{- end }}
containers:
- name: gateway
resources:
{{- .Values.gateway.resources | toYaml | nindent 12 }}
image: {{ .Values.gateway.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
{{- if .Values.securityContext }}
securityContext:
readOnlyRootFilesystem: true
runAsUser: 10001
{{- end }}
livenessProbe:
{{- if .Values.httpProbe }}
httpGet:
path: /healthz
port: 8080
{{- else }}
exec:
command:
- wget
- --quiet
- --tries=1
- --timeout=5
- --spider
- http://localhost:8080/healthz
{{- end }}
timeoutSeconds: 5
readinessProbe:
{{- if .Values.httpProbe }}
httpGet:
path: /healthz
port: 8080
{{- else }}
exec:
command:
- wget
- --quiet
- --tries=1
- --timeout=5
- --spider
- http://localhost:8080/healthz
{{- end }}
timeoutSeconds: 5
env:
{{- if .Values.gateway.logsProviderURL }}
- name: logs_provider_url
value: "{{ .Values.gateway.logsProviderURL }}"
{{- end }}
- name: read_timeout
value: "{{ .Values.gateway.readTimeout }}"
- name: write_timeout
value: "{{ .Values.gateway.writeTimeout }}"
- name: upstream_timeout
value: "{{ .Values.gateway.upstreamTimeout }}"
- name: functions_provider_url
value: "http://127.0.0.1:8081/"
- name: direct_functions
{{- if .Values.gateway.directFunctions }}
value: "{{.Values.gateway.directFunctions}}"
{{- else}}
value: "false"
{{- end }}
- name: direct_functions_suffix
value: "{{ $functionNs }}.svc.{{ .Values.kubernetesDNSDomain }}"
- name: function_namespace
value: {{ $functionNs | quote }}
{{- if .Values.nats.external.enabled }}
- name: faas_nats_address
value: "{{ .Values.nats.external.host }}"
- name: faas_nats_port
value: "{{ .Values.nats.external.port }}"
- name: faas_nats_cluster_name
value: "{{ .Values.nats.external.clusterName }}"
- name: faas_nats_channel
value: "{{ .Values.nats.channel }}"
{{- else }}
{{- if .Values.async }}
- name: faas_nats_address
value: "nats.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesDNSDomain }}"
- name: faas_nats_port
value: "4222"
- name: faas_nats_channel
value: "{{ .Values.nats.channel }}"
{{- end }}
{{- end }}
{{- if .Values.basic_auth }}
- name: basic_auth
value: "true"
- name: secret_mount_path
value: "/var/secrets"
{{- if .Values.oauth2Plugin.enabled }}
- name: auth_proxy_url
value: "http://oauth2-plugin.{{ .Release.Namespace }}:8080/validate"
- name: auth_pass_body
value: "false"
{{- else }}
- name: auth_proxy_url
value: "http://basic-auth-plugin.{{ .Release.Namespace }}:8080/validate"
- name: auth_pass_body
value: "false"
{{- end }}
{{- end }}
- name: scale_from_zero
value: "{{ .Values.gateway.scaleFromZero }}"
- name: max_idle_conns
value: "{{ .Values.gateway.maxIdleConns }}"
- name: max_idle_conns_per_host
value: "{{ .Values.gateway.maxIdleConnsPerHost }}"
{{- if .Values.basic_auth }}
volumeMounts:
- name: auth
readOnly: true
mountPath: "/var/secrets"
{{- end }}
ports:
- name: http
containerPort: 8080
protocol: TCP
{{- if .Values.operator.create }}
- name: operator
resources:
{{- .Values.operator.resources | toYaml | nindent 12 }}
image: {{ .Values.operator.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
command:
- ./faas-netes
- -operator=true
env:
- name: port
value: "8081"
- name: function_namespace
value: {{ $functionNs | quote }}
- name: profiles_namespace
value: {{ .Release.Namespace | quote }}
- name: read_timeout
value: "{{ .Values.faasnetes.readTimeout }}"
- name: write_timeout
value: "{{ .Values.faasnetes.writeTimeout }}"
- name: image_pull_policy
value: {{ .Values.faasnetes.imagePullPolicy | quote }}
- name: http_probe
value: "{{ .Values.faasnetes.httpProbe }}"
- name: set_nonroot_user
value: "{{ .Values.faasnetes.setNonRootUser }}"
- name: readiness_probe_initial_delay_seconds
value: "{{ .Values.faasnetes.readinessProbe.initialDelaySeconds }}"
- name: readiness_probe_timeout_seconds
value: "{{ .Values.faasnetes.readinessProbe.timeoutSeconds }}"
- name: readiness_probe_period_seconds
value: "{{ .Values.faasnetes.readinessProbe.periodSeconds }}"
- name: liveness_probe_initial_delay_seconds
value: "{{ .Values.faasnetes.livenessProbe.initialDelaySeconds }}"
- name: liveness_probe_timeout_seconds
value: "{{ .Values.faasnetes.livenessProbe.timeoutSeconds }}"
- name: liveness_probe_period_seconds
value: "{{ .Values.faasnetes.livenessProbe.periodSeconds }}"
- name: cluster_role
value: "{{ .Values.clusterRole }}"
ports:
- containerPort: 8081
protocol: TCP
{{- else }}
- name: faas-netes
resources:
{{- .Values.faasnetes.resources | toYaml | nindent 12 }}
image: {{ .Values.faasnetes.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
{{- if .Values.securityContext }}
securityContext:
readOnlyRootFilesystem: true
runAsUser: 10001
{{- end }}
env:
- name: port
value: "8081"
- name: function_namespace
value: {{ $functionNs | quote }}
- name: read_timeout
value: "{{ .Values.faasnetes.readTimeout }}"
- name: profiles_namespace
value: {{ .Release.Namespace | quote }}
- name: write_timeout
value: "{{ .Values.faasnetes.writeTimeout }}"
- name: image_pull_policy
value: {{ .Values.faasnetes.imagePullPolicy | quote }}
- name: http_probe
value: "{{ .Values.faasnetes.httpProbe }}"
- name: set_nonroot_user
value: "{{ .Values.faasnetes.setNonRootUser }}"
- name: readiness_probe_initial_delay_seconds
value: "{{ .Values.faasnetes.readinessProbe.initialDelaySeconds }}"
- name: readiness_probe_timeout_seconds
value: "{{ .Values.faasnetes.readinessProbe.timeoutSeconds }}"
- name: readiness_probe_period_seconds
value: "{{ .Values.faasnetes.readinessProbe.periodSeconds }}"
- name: liveness_probe_initial_delay_seconds
value: "{{ .Values.faasnetes.livenessProbe.initialDelaySeconds }}"
- name: liveness_probe_timeout_seconds
value: "{{ .Values.faasnetes.livenessProbe.timeoutSeconds }}"
- name: liveness_probe_period_seconds
value: "{{ .Values.faasnetes.livenessProbe.periodSeconds }}"
- name: cluster_role
value: "{{ .Values.clusterRole }}"
volumeMounts:
- mountPath: /tmp
name: faas-netes-temp-volume
ports:
- containerPort: 8081
protocol: TCP
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}

29
openfaas/templates/gateway-external-svc.yaml Normal file
View File

@ -0,0 +1,29 @@
{{- if .Values.exposeServices }}
---
apiVersion: v1
kind: Service
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: gateway
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.gatewayExternal.annotations }}
annotations: {{ toYaml .Values.gatewayExternal.annotations | nindent 4 }}
{{- end }}
name: gateway-external
namespace: {{ .Release.Namespace | quote }}
spec:
type: {{ .Values.serviceType }}
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 8080
{{- if contains "NodePort" .Values.serviceType }}
nodePort: {{ .Values.gateway.nodePort }}
{{- end }}
selector:
app: gateway
{{- end }}

20
openfaas/templates/gateway-svc.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: gateway
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: gateway
namespace: {{ .Release.Namespace | quote }}
spec:
type: ClusterIP
ports:
- name: http
port: 8080
targetPort: http
protocol: TCP
selector:
app: gateway

94
openfaas/templates/ingress-operator-crd.yaml Normal file
View File

@ -0,0 +1,94 @@
{{- if .Values.ingressOperator.create }}
{{- if .Values.createCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: functioningresses.openfaas.com
spec:
group: openfaas.com
names:
kind: FunctionIngress
listKind: FunctionIngressList
plural: functioningresses
singular: functioningress
scope: Namespaced
versions:
- name: v1alpha2
schema:
openAPIV3Schema:
description: FunctionIngress describes an OpenFaaS function
type: object
required:
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: FunctionIngressSpec is the spec for a FunctionIngress resource.
It must be created in the same namespace as the gateway, i.e. openfaas.
type: object
required:
- domain
- function
properties:
bypassGateway:
description: BypassGateway, when true creates an Ingress record directly
for the Function name without using the gateway in the hot path
type: boolean
domain:
description: Domain such as "api.example.com"
type: string
function:
description: Function such as "nodeinfo"
type: string
ingressType:
description: IngressType such as "nginx"
type: string
path:
description: Path such as "/v1/profiles/view/(.*)", or leave empty
for default
type: string
tls:
description: Enable TLS via cert-manager
type: object
properties:
enabled:
type: boolean
issuerRef:
description: ObjectReference is a reference to an object with
a given name and kind.
type: object
required:
- name
properties:
kind:
type: string
name:
type: string
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
{{- end }}
{{- end }}

41
openfaas/templates/ingress-operator-dep.yaml Normal file
View File

@ -0,0 +1,41 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.ingressOperator.create }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: ingress-operator
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: ingress-operator
namespace: {{ .Release.Namespace | quote }}
spec:
replicas: {{ .Values.ingressOperator.replicas }}
selector:
matchLabels:
app: ingress-operator
template:
metadata:
annotations:
prometheus.io.scrape: "true"
labels:
app: ingress-operator
spec:
serviceAccountName: ingress-operator
containers:
- name: operator
resources:
{{- .Values.ingressOperator.resources | toYaml | nindent 10 }}
image: {{ .Values.ingressOperator.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
command:
- ./ingress-operator
- -logtostderr
env:
- name: function_namespace
value: {{ $functionNs | quote }}
- name: ingress_namespace
value: {{ .Release.Namespace | quote }}
{{- end }}

65
openfaas/templates/ingress-operator-rbac.yaml Normal file
View File

@ -0,0 +1,65 @@
{{- if .Values.ingressOperator.create }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ingress-operator
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: ingress-operator
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.rbac }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: ingress-operator-rw
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: ingress-operator
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["openfaas.com"]
resources: ["functioningresses"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["certmanager.k8s.io"]
resources: ["certificates"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["pods", "pods/log", "namespaces", "endpoints"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ingress-operator-rw
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: ingress-operator
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-operator-rw
subjects:
- kind: ServiceAccount
name: ingress-operator
namespace: {{ .Release.Namespace | quote }}
{{- end }}
{{- end }}

31
openfaas/templates/ingress.yaml Normal file
View File

@ -0,0 +1,31 @@
{{- if .Values.ingress.enabled -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ template "openfaas.name" . }}-ingress
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
rules:
{{- range $host := .Values.ingress.hosts }}
- host: {{ $host.host }}
http:
paths:
- path: {{ $host.path }}
backend:
serviceName: {{ $host.serviceName }}
servicePort: {{ $host.servicePort }}
{{- end -}}
{{- if .Values.ingress.tls }}
tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}

58
openfaas/templates/istio-mtls.yaml Normal file
View File

@ -0,0 +1,58 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.istio.mtls -}}
# enforce mTLS to openfaas control plane
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: default
namespace: {{ .Release.Namespace }}
spec:
peers:
- mtls: {}
---
# enforce mTLS to openfaas control plane
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: default
namespace: {{ .Release.Namespace }}
spec:
host: "*.{{ .Release.Namespace }}.svc.cluster.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
---
# enforce mTLS to functions
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: default
namespace: {{ $functionNs }}
spec:
peers:
- mtls: {}
---
# enforce mTLS to functions
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: default
namespace: {{ $functionNs | quote }}
spec:
host: "*.{{ $functionNs }}.svc.cluster.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
---
# disable mTLS to nats, the nats protocol is not supported by Istio
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: "nats-no-mtls"
namespace: {{ .Release.Namespace }}
spec:
host: "nats.{{ .Release.Namespace }}.svc.cluster.local"
trafficPolicy:
tls:
mode: DISABLE
{{- end -}}

82
openfaas/templates/nats-dep.yaml Normal file
View File

@ -0,0 +1,82 @@
{{- if and .Values.async (not .Values.nats.external.enabled) }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: nats
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: nats
namespace: {{ .Release.Namespace | quote }}
spec:
replicas: 1
selector:
matchLabels:
app: nats
template:
metadata:
annotations:
sidecar.istio.io/inject: "false"
prometheus.io.scrape: {{ .Values.nats.metrics.enabled | quote }}
{{- if .Values.nats.metrics.enabled }}
prometheus.io.port: "7777"
{{- end }}
labels:
app: nats
spec:
containers:
- name: nats
resources:
{{- .Values.nats.resources | toYaml | nindent 12 }}
image: {{ .Values.nats.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
ports:
- containerPort: 4222
protocol: TCP
{{- if .Values.nats.enableMonitoring }}
- containerPort: 8222
protocol: TCP
{{- end }}
command: ["/nats-streaming-server"]
args:
- --store
- memory
- --cluster_id
- faas-cluster
{{- if or .Values.nats.enableMonitoring .Values.nats.metrics.enabled }}
- -m
- "8222"
{{- end }}
{{- if .Values.nats.metrics.enabled }}
- name: metrics
image: {{ .Values.nats.metrics.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
ports:
- containerPort: 7777
protocol: TCP
args:
- -port
- "7777"
- -connz
- -routez
- -subz
- -varz
- -channelz
- -serverz
- http://localhost:8222
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end }}

32
openfaas/templates/nats-svc.yaml Normal file
View File

@ -0,0 +1,32 @@
{{- if and .Values.async (not .Values.nats.external.enabled) }}
---
apiVersion: v1
kind: Service
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: nats
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: nats
namespace: {{ .Release.Namespace | quote }}
spec:
type: ClusterIP
ports:
- port: 4222
protocol: TCP
name: clients
{{- if .Values.nats.enableMonitoring }}
- port: 8222
protocol: TCP
name: monitoring
{{- end }}
{{- if .Values.nats.metrics.enabled }}
- port: 7777
protocol: TCP
name: metrics
{{- end }}
selector:
app: nats
{{- end }}

139
openfaas/templates/oauth2-plugin-dep.yaml Normal file
View File

@ -0,0 +1,139 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.oauth2Plugin.enabled }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: oauth2-plugin
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: oauth2-plugin
namespace: {{ .Release.Namespace | quote }}
spec:
replicas: {{ .Values.oauth2Plugin.replicas }}
selector:
matchLabels:
app: oauth2-plugin
template:
metadata:
annotations:
prometheus.io.scrape: "false"
labels:
app: oauth2-plugin
spec:
volumes:
- name: oauth2-plugin-temp-volume
emptyDir: {}
{{- if .Values.basic_auth }}
- name: auth
secret:
secretName: basic-auth
{{- end }}
containers:
- name: oauth2-plugin
resources:
{{- .Values.oauth2Plugin.resources | toYaml | nindent 12 }}
image: {{ .Values.oauth2Plugin.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
{{- if .Values.securityContext }}
securityContext:
readOnlyRootFilesystem: true
runAsUser: 10001
{{- end }}
livenessProbe:
{{- if .Values.httpProbe }}
httpGet:
path: /health
port: 8080
{{- else }}
exec:
command:
- wget
- --quiet
- --tries=1
- --timeout=5
- --spider
- http://localhost:8080/health
{{- end }}
timeoutSeconds: 5
readinessProbe:
{{- if .Values.httpProbe }}
httpGet:
path: /health
port: 8080
{{- else }}
exec:
command:
- wget
- --quiet
- --tries=1
- --timeout=5
- --spider
- http://localhost:8080/health
{{- end }}
timeoutSeconds: 5
args:
- "-license={{- .Values.oauth2Plugin.license}}"
- "-provider={{- .Values.oauth2Plugin.provider}}"
env:
- name: client_id
value: "{{- .Values.oauth2Plugin.clientID}}"
- name: client_secret
value: "{{- .Values.oauth2Plugin.clientSecret}}"
- name: cookie_domain
value: "{{- .Values.oauth2Plugin.cookieDomain}}"
- name: base_host
value: "{{- .Values.oauth2Plugin.baseHost}}"
- name: port
value: "8080"
- name: authorize_url
value: "{{- .Values.oauth2Plugin.authorizeURL}}"
- name: welcome_page_url
value: "{{- .Values.oauth2Plugin.welcomePageURL}}"
- name: public_key_path
value: "" # leave blank if using jwks
- name: audience
value: "{{- .Values.oauth2Plugin.audience}}"
- name: token_url
value: "{{- .Values.oauth2Plugin.tokenURL}}"
- name: scopes
value: "{{- .Values.oauth2Plugin.scopes}}"
- name: jwks_url
value: "{{- .Values.oauth2Plugin.jwksURL}}"
- name: insecure_tls
value: "{{- .Values.oauth2Plugin.insecureTLS}}"
{{- if .Values.basic_auth }}
- name: secret_mount_path
value: "/var/secrets"
{{- end }}
volumeMounts:
- name: oauth2-plugin-temp-volume
mountPath: /tmp
{{- if .Values.basic_auth }}
- name: auth
readOnly: true
mountPath: "/var/secrets"
{{- end }}
ports:
- name: http
containerPort: 8080
protocol: TCP
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end }}

26
openfaas/templates/oauth2-plugin-svc.yaml Normal file
View File

@ -0,0 +1,26 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.oauth2Plugin.enabled }}
---
apiVersion: v1
kind: Service
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: oauth2-plugin
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: oauth2-plugin
namespace: {{ .Release.Namespace | quote }}
spec:
type: ClusterIP
ports:
- port: 8080
targetPort: http
protocol: TCP
name: http
selector:
app: oauth2-plugin
{{- end }}

124
openfaas/templates/operator-rbac.yaml Normal file
View File

@ -0,0 +1,124 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.operator.create }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Release.Name }}-operator
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: openfaas-operator
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.rbac }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ .Release.Name }}-operator-rw
namespace: {{ $functionNs | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: openfaas-operator
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["openfaas.com"]
resources: ["functions"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apps", "extensions"]
resources: ["deployments"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["pods", "pods/log", "namespaces", "endpoints"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .Release.Name }}-operator-rw
namespace: {{ $functionNs | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: openfaas-operator
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .Release.Name }}-operator-rw
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-operator
namespace: {{ .Release.Namespace | quote }}
{{- if .Values.clusterRole}}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: {{ .Release.Name }}-operator-controller
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: openaas-operator
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["openfaas.com"]
resources: ["functions"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["openfaas.com"]
resources: ["profiles"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["extensions", "apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["pods", "pods/log", "namespaces", "endpoints"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Release.Name }}-operator-controller
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: openfaas-operator
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}-operator-controller
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-operator
namespace: {{ .Release.Namespace | quote }}
{{- end }}
{{- end }}
{{- end }}

830
openfaas/templates/profile-crd.yaml Normal file
View File

@ -0,0 +1,830 @@
{{- if .Values.createCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: profiles.openfaas.com
spec:
group: openfaas.com
names:
kind: Profile
listKind: ProfileList
plural: profiles
singular: profile
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: Profile and ProfileSpec are used to customise the Pod template
for functions
type: object
required:
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: 'ProfileSpec is an openfaas api extensions that can be predefined
and applied to functions by annotating them with `com.openfaas/profile:
name1,name2`'
type: object
properties:
affinity:
description: "If specified, the pod's scheduling constraints \n copied
to the Pod Affinity, this will replace any existing value or previously
applied Profile. We use a replacement strategy because it is not
clear that merging affinities will actually produce a meaning Affinity
definition, it would likely result in an impossible to satisfy constraint"
type: object
properties:
nodeAffinity:
description: Describes node affinity scheduling rules for the
pod.
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to schedule pods to
nodes that satisfy the affinity expressions specified by
this field, but it may choose a node that violates one or
more of the expressions. The node that is most preferred
is the one with the greatest sum of weights, i.e. for each
node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling affinity expressions,
etc.), compute a sum by iterating through the elements of
this field and adding "weight" to the sum if the node matches
the corresponding matchExpressions; the node(s) with the
highest sum are the most preferred.
type: array
items:
description: An empty preferred scheduling term matches
all objects with implicit weight 0 (i.e. it's a no-op).
A null preferred scheduling term matches no objects (i.e.
is also a no-op).
type: object
required:
- preference
- weight
properties:
preference:
description: A node selector term, associated with the
corresponding weight.
type: object
properties:
matchExpressions:
description: A list of node selector requirements
by node's labels.
type: array
items:
description: A node selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: Represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists, DoesNotExist. Gt, and
Lt.
type: string
values:
description: An array of string values. If
the operator is In or NotIn, the values
array must be non-empty. If the operator
is Exists or DoesNotExist, the values array
must be empty. If the operator is Gt or
Lt, the values array must have a single
element, which will be interpreted as an
integer. This array is replaced during a
strategic merge patch.
type: array
items:
type: string
matchFields:
description: A list of node selector requirements
by node's fields.
type: array
items:
description: A node selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: Represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists, DoesNotExist. Gt, and
Lt.
type: string
values:
description: An array of string values. If
the operator is In or NotIn, the values
array must be non-empty. If the operator
is Exists or DoesNotExist, the values array
must be empty. If the operator is Gt or
Lt, the values array must have a single
element, which will be interpreted as an
integer. This array is replaced during a
strategic merge patch.
type: array
items:
type: string
weight:
description: Weight associated with matching the corresponding
nodeSelectorTerm, in the range 1-100.
type: integer
format: int32
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements specified by this
field are not met at scheduling time, the pod will not be
scheduled onto the node. If the affinity requirements specified
by this field cease to be met at some point during pod execution
(e.g. due to an update), the system may or may not try to
eventually evict the pod from its node.
type: object
required:
- nodeSelectorTerms
properties:
nodeSelectorTerms:
description: Required. A list of node selector terms.
The terms are ORed.
type: array
items:
description: A null or empty node selector term matches
no objects. The requirements of them are ANDed. The
TopologySelectorTerm type implements a subset of the
NodeSelectorTerm.
type: object
properties:
matchExpressions:
description: A list of node selector requirements
by node's labels.
type: array
items:
description: A node selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: Represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists, DoesNotExist. Gt, and
Lt.
type: string
values:
description: An array of string values. If
the operator is In or NotIn, the values
array must be non-empty. If the operator
is Exists or DoesNotExist, the values array
must be empty. If the operator is Gt or
Lt, the values array must have a single
element, which will be interpreted as an
integer. This array is replaced during a
strategic merge patch.
type: array
items:
type: string
matchFields:
description: A list of node selector requirements
by node's fields.
type: array
items:
description: A node selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: Represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists, DoesNotExist. Gt, and
Lt.
type: string
values:
description: An array of string values. If
the operator is In or NotIn, the values
array must be non-empty. If the operator
is Exists or DoesNotExist, the values array
must be empty. If the operator is Gt or
Lt, the values array must have a single
element, which will be interpreted as an
integer. This array is replaced during a
strategic merge patch.
type: array
items:
type: string
podAffinity:
description: Describes pod affinity scheduling rules (e.g. co-locate
this pod in the same node, zone, etc. as some other pod(s)).
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to schedule pods to
nodes that satisfy the affinity expressions specified by
this field, but it may choose a node that violates one or
more of the expressions. The node that is most preferred
is the one with the greatest sum of weights, i.e. for each
node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling affinity expressions,
etc.), compute a sum by iterating through the elements of
this field and adding "weight" to the sum if the node has
pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
type: array
items:
description: The weights of all of the matched WeightedPodAffinityTerm
fields are added per-node to find the most preferred node(s)
type: object
required:
- podAffinityTerm
- weight
properties:
podAffinityTerm:
description: Required. A pod affinity term, associated
with the corresponding weight.
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over a set of resources,
in this case pods.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
type: array
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies which namespaces
the labelSelector applies to (matches against);
null or empty list means "this pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should be co-located (affinity)
or not co-located (anti-affinity) with the pods
matching the labelSelector in the specified namespaces,
where co-located is defined as running on a node
whose value of the label with key topologyKey
matches that of any node on which any of the selected
pods is running. Empty topologyKey is not allowed.
type: string
weight:
description: weight associated with matching the corresponding
podAffinityTerm, in the range 1-100.
type: integer
format: int32
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements specified by this
field are not met at scheduling time, the pod will not be
scheduled onto the node. If the affinity requirements specified
by this field cease to be met at some point during pod execution
(e.g. due to a pod label update), the system may or may
not try to eventually evict the pod from its node. When
there are multiple elements, the lists of nodes corresponding
to each podAffinityTerm are intersected, i.e. all terms
must be satisfied.
type: array
items:
description: Defines a set of pods (namely those matching
the labelSelector relative to the given namespace(s))
that this pod should be co-located (affinity) or not co-located
(anti-affinity) with, where co-located is defined as running
on a node whose value of the label with key <topologyKey>
matches that of any node on which a pod of the set of
pods is running
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over a set of resources,
in this case pods.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
type: array
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies which namespaces the
labelSelector applies to (matches against); null or
empty list means "this pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should be co-located (affinity)
or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where
co-located is defined as running on a node whose value
of the label with key topologyKey matches that of
any node on which any of the selected pods is running.
Empty topologyKey is not allowed.
type: string
podAntiAffinity:
description: Describes pod anti-affinity scheduling rules (e.g.
avoid putting this pod in the same node, zone, etc. as some
other pod(s)).
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to schedule pods to
nodes that satisfy the anti-affinity expressions specified
by this field, but it may choose a node that violates one
or more of the expressions. The node that is most preferred
is the one with the greatest sum of weights, i.e. for each
node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions,
etc.), compute a sum by iterating through the elements of
this field and adding "weight" to the sum if the node has
pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
type: array
items:
description: The weights of all of the matched WeightedPodAffinityTerm
fields are added per-node to find the most preferred node(s)
type: object
required:
- podAffinityTerm
- weight
properties:
podAffinityTerm:
description: Required. A pod affinity term, associated
with the corresponding weight.
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over a set of resources,
in this case pods.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
type: array
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies which namespaces
the labelSelector applies to (matches against);
null or empty list means "this pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should be co-located (affinity)
or not co-located (anti-affinity) with the pods
matching the labelSelector in the specified namespaces,
where co-located is defined as running on a node
whose value of the label with key topologyKey
matches that of any node on which any of the selected
pods is running. Empty topologyKey is not allowed.
type: string
weight:
description: weight associated with matching the corresponding
podAffinityTerm, in the range 1-100.
type: integer
format: int32
requiredDuringSchedulingIgnoredDuringExecution:
description: If the anti-affinity requirements specified by
this field are not met at scheduling time, the pod will
not be scheduled onto the node. If the anti-affinity requirements
specified by this field cease to be met at some point during
pod execution (e.g. due to a pod label update), the system
may or may not try to eventually evict the pod from its
node. When there are multiple elements, the lists of nodes
corresponding to each podAffinityTerm are intersected, i.e.
all terms must be satisfied.
type: array
items:
description: Defines a set of pods (namely those matching
the labelSelector relative to the given namespace(s))
that this pod should be co-located (affinity) or not co-located
(anti-affinity) with, where co-located is defined as running
on a node whose value of the label with key <topologyKey>
matches that of any node on which a pod of the set of
pods is running
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over a set of resources,
in this case pods.
type: object
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
type: array
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies which namespaces the
labelSelector applies to (matches against); null or
empty list means "this pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should be co-located (affinity)
or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where
co-located is defined as running on a node whose value
of the label with key topologyKey matches that of
any node on which any of the selected pods is running.
Empty topologyKey is not allowed.
type: string
podSecurityContext:
description: "SecurityContext holds pod-level security attributes
and common container settings. Optional: Defaults to empty. See
type description for default values of each field. \n each non-nil
value will be merged into the function's PodSecurityContext, the
value will replace any existing value or previously applied Profile"
type: object
properties:
fsGroup:
description: "A special supplemental group that applies to all
containers in a pod. Some volume types allow the Kubelet to
change the ownership of that volume to be owned by the pod:
\n 1. The owning GID will be the FSGroup 2. The setgid bit is
set (new files created in the volume will be owned by FSGroup)
3. The permission bits are OR'd with rw-rw---- \n If unset,
the Kubelet will not modify the ownership and permissions of
any volume."
type: integer
format: int64
fsGroupChangePolicy:
description: 'fsGroupChangePolicy defines behavior of changing
ownership and permission of the volume before being exposed
inside Pod. This field will only apply to volume types which
support fsGroup based ownership(and permissions). It will have
no effect on ephemeral volume types such as: secret, configmaps
and emptydir. Valid values are "OnRootMismatch" and "Always".
If not specified defaults to "Always".'
type: string
runAsGroup:
description: The GID to run the entrypoint of the container process.
Uses runtime default if unset. May also be set in SecurityContext. If
set in both SecurityContext and PodSecurityContext, the value
specified in SecurityContext takes precedence for that container.
type: integer
format: int64
runAsNonRoot:
description: Indicates that the container must run as a non-root
user. If true, the Kubelet will validate the image at runtime
to ensure that it does not run as UID 0 (root) and fail to start
the container if it does. If unset or false, no such validation
will be performed. May also be set in SecurityContext. If set
in both SecurityContext and PodSecurityContext, the value specified
in SecurityContext takes precedence.
type: boolean
runAsUser:
description: The UID to run the entrypoint of the container process.
Defaults to user specified in image metadata if unspecified.
May also be set in SecurityContext. If set in both SecurityContext
and PodSecurityContext, the value specified in SecurityContext
takes precedence for that container.
type: integer
format: int64
seLinuxOptions:
description: The SELinux context to be applied to all containers.
If unspecified, the container runtime will allocate a random
SELinux context for each container. May also be set in SecurityContext. If
set in both SecurityContext and PodSecurityContext, the value
specified in SecurityContext takes precedence for that container.
type: object
properties:
level:
description: Level is SELinux level label that applies to
the container.
type: string
role:
description: Role is a SELinux role label that applies to
the container.
type: string
type:
description: Type is a SELinux type label that applies to
the container.
type: string
user:
description: User is a SELinux user label that applies to
the container.
type: string
supplementalGroups:
description: A list of groups applied to the first process run
in each container, in addition to the container's primary GID. If
unspecified, no groups will be added to any container.
type: array
items:
type: integer
format: int64
sysctls:
description: Sysctls hold a list of namespaced sysctls used for
the pod. Pods with unsupported sysctls (by the container runtime)
might fail to launch.
type: array
items:
description: Sysctl defines a kernel parameter to be set
type: object
required:
- name
- value
properties:
name:
description: Name of a property to set
type: string
value:
description: Value of a property to set
type: string
windowsOptions:
description: The Windows specific settings applied to all containers.
If unspecified, the options within a container's SecurityContext
will be used. If set in both SecurityContext and PodSecurityContext,
the value specified in SecurityContext takes precedence.
type: object
properties:
gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA admission
webhook (https://github.com/kubernetes-sigs/windows-gmsa)
inlines the contents of the GMSA credential spec named by
the GMSACredentialSpecName field.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the name of the GMSA
credential spec to use.
type: string
runAsUserName:
description: The UserName in Windows to run the entrypoint
of the container process. Defaults to the user specified
in image metadata if unspecified. May also be set in PodSecurityContext.
If set in both SecurityContext and PodSecurityContext, the
value specified in SecurityContext takes precedence.
type: string
runtimeClassName:
description: "RuntimeClassName refers to a RuntimeClass object in
the node.k8s.io group, which should be used to run this pod. If
no RuntimeClass resource matches the named class, the pod will not
be run. If unset or empty, the \"legacy\" RuntimeClass will be used,
which is an implicit class with an empty definition that uses the
default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md
This is a beta feature as of Kubernetes v1.14. \n copied to the
Pod RunTimeClass, this will replace any existing value or previously
applied Profile."
type: string
tolerations:
description: "If specified, the function's pod tolerations. \n merged
into the Pod Tolerations"
type: array
items:
description: The pod this Toleration is attached to tolerates any
taint that matches the triple <key,value,effect> using the matching
operator <operator>.
type: object
properties:
effect:
description: Effect indicates the taint effect to match. Empty
means match all taint effects. When specified, allowed values
are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: Key is the taint key that the toleration applies
to. Empty means match all taint keys. If the key is empty,
operator must be Exists; this combination means to match all
values and all keys.
type: string
operator:
description: Operator represents a key's relationship to the
value. Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod
can tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: TolerationSeconds represents the period of time
the toleration (which must be of effect NoExecute, otherwise
this field is ignored) tolerates the taint. By default, it
is not set, which means tolerate the taint forever (do not
evict). Zero and negative values will be treated as 0 (evict
immediately) by the system.
type: integer
format: int64
value:
description: Value is the taint value the toleration matches
to. If the operator is Exists, the value should be empty,
otherwise just a regular string.
type: string
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
{{- end }}

82
openfaas/templates/prometheus-cfg.yaml Normal file
View File

@ -0,0 +1,82 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.prometheus.create }}
---
kind: ConfigMap
apiVersion: v1
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus-config
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: prometheus-config
namespace: {{ .Release.Namespace | quote }}
data:
prometheus.yml: |
global:
scrape_interval: 15s
evaluation_interval: 15s
external_labels:
monitor: 'faas-monitor'
rule_files:
- 'alert.rules.yml'
scrape_configs:
- job_name: 'prometheus'
scrape_interval: 5s
static_configs:
- targets: ['localhost:9090']
- job_name: 'kubernetes-pods'
scrape_interval: 5s
honor_labels: false
kubernetes_sd_configs:
- role: pod
namespaces:
names:
- {{ .Release.Namespace }}
{{- if ne $functionNs (.Release.Namespace | toString) }}
- {{ $functionNs }}
{{- end }}
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: kubernetes_namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: kubernetes_pod_name
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
action: replace
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
target_label: __address__
alerting:
alertmanagers:
- static_configs:
- targets:
- alertmanager:9093
alert.rules.yml: |
groups:
- name: openfaas
rules:
- alert: service_down
expr: up == 0
- alert: APIHighInvocationRate
expr: sum(rate(gateway_function_invocation_total{code="200"}[10s])) BY (function_name) > 5
for: 5s
labels:
service: gateway
severity: major
annotations:
description: High invocation total on "{{ "{{" }}$labels.function_name{{ "}}" }}"
summary: High invocation total on "{{ "{{" }}$labels.function_name{{ "}}" }}"
{{- end }}

108
openfaas/templates/prometheus-dep.yaml Normal file
View File

@ -0,0 +1,108 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.prometheus.create }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: prometheus
namespace: {{ .Release.Namespace | quote }}
spec:
replicas: 1
selector:
matchLabels:
app: prometheus
template:
metadata:
labels:
app: prometheus
annotations:
sidecar.istio.io/inject: "true"
checksum/prometheus-config: {{ include (print $.Template.BasePath "/prometheus-cfg.yaml") . | sha256sum | quote }}
spec:
serviceAccountName: {{ .Release.Name }}-prometheus
containers:
- name: prometheus
resources:
{{- .Values.prometheus.resources | toYaml | nindent 12 }}
image: {{ .Values.prometheus.image }}
command:
- "prometheus"
- "--config.file=/etc/prometheus/prometheus.yml"
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
livenessProbe:
{{- if .Values.httpProbe }}
httpGet:
path: /-/healthy
port: 9090
{{- else }}
exec:
command:
- wget
- --quiet
- --tries=1
- --timeout=30
- --spider
- http://localhost:9090/-/healthy
{{- end }}
timeoutSeconds: 30
readinessProbe:
{{- if .Values.httpProbe }}
httpGet:
path: /-/healthy
port: 9090
{{- else }}
exec:
command:
- wget
- --quiet
- --tries=1
- --timeout=30
- --spider
- http://localhost:9090/-/healthy
{{- end }}
timeoutSeconds: 30
ports:
- containerPort: 9090
protocol: TCP
volumeMounts:
- mountPath: /etc/prometheus/prometheus.yml
name: prometheus-config
subPath: prometheus.yml
- mountPath: /etc/prometheus/alert.rules.yml
name: prometheus-config
subPath: alert.rules.yml
- mountPath: /prometheus/data
name: prom-data
volumes:
- name: prometheus-config
configMap:
name: prometheus-config
items:
- key: prometheus.yml
path: prometheus.yml
mode: 0644
- key: alert.rules.yml
path: alert.rules.yml
mode: 0644
- name: prom-data
emptyDir: {}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end }}

162
openfaas/templates/prometheus-rbac.yaml Normal file
View File

@ -0,0 +1,162 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.prometheus.create }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Release.Name }}-prometheus
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
---
{{- if .Values.clusterRole }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ .Release.Name }}-prometheus
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: [""]
resources:
- services
- endpoints
- pods
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .Release.Name }}-prometheus
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}-prometheus
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-prometheus
namespace: {{ .Release.Namespace | quote }}
{{- if ne $functionNs (.Release.Namespace | toString) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .Release.Name }}-prometheus
namespace: {{ $functionNs | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}-prometheus
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-prometheus
namespace: {{ .Release.Namespace | quote }}
{{- end }}
{{- else -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ .Release.Name }}-prometheus
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: [""]
resources:
- services
- endpoints
- pods
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .Release.Name }}-prometheus
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .Release.Name }}-prometheus
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-prometheus
namespace: {{ .Release.Namespace | quote }}
{{- if ne $functionNs (.Release.Namespace | toString) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ .Release.Name }}-prometheus-fn
namespace: {{ $functionNs | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: [""]
resources:
- services
- endpoints
- pods
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .Release.Name }}-prometheus-fn
namespace: {{ $functionNs | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .Release.Name }}-prometheus-fn
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-prometheus
namespace: {{ .Release.Namespace | quote }}
{{- end }}
{{- end }}
{{- end }}

22
openfaas/templates/prometheus-svc.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.prometheus.create }}
---
apiVersion: v1
kind: Service
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: prometheus
namespace: {{ .Release.Namespace | quote }}
spec:
type: ClusterIP
ports:
- port: 9090
protocol: TCP
selector:
app: prometheus
{{- end }}

69
openfaas/templates/psp.yaml Normal file
View File

@ -0,0 +1,69 @@
{{- if .Values.psp }}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ .Release.Name }}-psp
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
privileged: false
hostIPC: false
hostNetwork: false
hostPID: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
allowedCapabilities:
- NET_ADMIN
- NET_RAW
fsGroup:
rule: RunAsAny
hostPorts:
- max: 65535
min: 1
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- '*'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ .Release.Name }}-psp
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ .Release.Name }}-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .Release.Name }}-psp
namespace: {{ .Release.Namespace | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}-psp
subjects:
# bind the PSP cluster role to all service accounts in the OF namespace
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:serviceaccounts:{{ .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}

87
openfaas/templates/queueworker-dep.yaml Normal file
View File

@ -0,0 +1,87 @@
{{- if .Values.async }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: queue-worker
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: queue-worker
namespace: {{ .Release.Namespace | quote }}
spec:
replicas: {{ .Values.queueWorker.replicas }}
selector:
matchLabels:
app: queue-worker
template:
metadata:
annotations:
prometheus.io.scrape: "false"
labels:
app: queue-worker
spec:
{{- if .Values.basic_auth }}
volumes:
- name: auth
secret:
secretName: basic-auth
{{- end }}
containers:
- name: queue-worker
resources:
{{- .Values.queueWorker.resources | toYaml | nindent 12 }}
image: {{ .Values.queueWorker.image }}
imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
env:
{{- if .Values.nats.external.enabled }}
- name: faas_nats_address
value: "{{ .Values.nats.external.host }}"
- name: faas_nats_port
value: "{{ .Values.nats.external.port }}"
- name: faas_nats_cluster_name
value: "{{ .Values.nats.external.clusterName }}"
{{- else }}
- name: faas_nats_address
value: "nats.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesDNSDomain }}"
{{- end}}
- name: faas_nats_channel
value: "{{ .Values.nats.channel }}"
- name: faas_nats_queue_group
value: "{{ .Values.queueWorker.queueGroup }}"
- name: faas_gateway_address
value: "gateway.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesDNSDomain }}"
- name: "gateway_invoke"
value: "{{ .Values.queueWorker.gatewayInvoke }}"
{{- if .Values.functionNamespace }}
- name: faas_function_suffix
value: ".{{ .Values.functionNamespace }}.svc.{{ .Values.kubernetesDNSDomain }}"
{{- end }}
- name: max_inflight
value: "{{ .Values.queueWorker.maxInflight }}"
- name: ack_wait # Max duration of any async task / request
value: {{ .Values.queueWorker.ackWait }}
{{- if .Values.basic_auth }}
- name: secret_mount_path
value: "/var/secrets"
- name: basic_auth
value: "{{ .Values.basic_auth }}"
volumeMounts:
- name: auth
readOnly: true
mountPath: "/var/secrets"
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end }}

19
openfaas/templates/secret.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if .Values.generateBasicAuth }}
apiVersion: v1
kind: Secret
metadata:
name: basic-auth
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: gateway
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
"helm.sh/hook": "pre-install"
data:
basic-auth-user: {{ "admin" | b64enc | quote }}
# kubectl -n openfaas get secret basic-auth -o jsonpath="{.data.basic-auth-password}" | base64 --decode
basic-auth-password: {{ randAlphaNum 12 | b64enc | quote }}
{{- end }}