OpenFaaS (Functions as a Service) is a framework for building serverless functions with Docker and Kubernetes which has first class support for metrics. Any process can be packaged as a function enabling you to consume a range of web events without repetitive boiler-plate coding.
Highlights
- Ease of use through UI portal and one-click install
- Write functions in any language for Linux or Windows and package in Docker/OCI image format
- Portable - runs on existing hardware or public/private cloud - Kubernetes and Docker Swarm native
- CLI available with YAML format for templating and defining functions
- Auto-scales as demand increases
- Scales to zero and back again
- Compatible with Istio Service Mesh. mTLS supported via exec health checks.
Note: You must also pass --set rbac=false if your cluster is not configured with role-based access control. For further information, see here.
Note: If you cannot use helm with Tiller, skip below for alternative install instructions.
See also: Install Helm
We recommend creating two namespaces, one for the OpenFaaS core services and one for the functions:
kubectl apply -f https://raw.githubusercontent.com/openfaas/faas-netes/master/namespaces.yml
You will now have openfaas and openfaas-fn. If you want to change the names or to install into multiple installations then edit namespaces.yml from the faas-netes repo.
Add the OpenFaaS helm chart:
helm repo add openfaas https://openfaas.github.io/faas-netes/
Generate secrets so that we can enable basic authentication for the gateway:
# generate a random password
PASSWORD=$(head -c 12 /dev/urandom | shasum| cut -d' ' -f1)
kubectl -n openfaas create secret generic basic-auth \
--from-literal=basic-auth-user=admin \
--from-literal=basic-auth-password="$PASSWORD"
Now decide how you want to expose the services and edit the helm upgrade command as required.
- To use NodePorts (default) pass no additional flags
- To use a LoadBalancer add --set serviceType=LoadBalancer
- To use an IngressController add --set ingress.enabled=true
Note: even without a LoadBalancer or IngressController you can access your gateway at any time via kubectl port-forward.
Now deploy OpenFaaS from the helm chart repo:
helm repo update \
&& helm upgrade openfaas --install openfaas/openfaas \
--namespace openfaas \
--set basic_auth=true \
--set functionNamespace=openfaas-fn
The above command will also update your helm repo to pull in any new releases.
Once all the services are up and running, log into your gateway using the OpenFaaS CLI. This will cache your credentials into your ~/.openfaas/config.yml file.
Fetch your public IP or NodePort via kubectl get svc -n openfaas gateway-external -o wide and set it as an environment variable as below:
export OPENFAAS_URL=http://127.0.0.1:31112
If using a remote cluster, you can port-forward the gateway to your local machine:
kubectl port-forward -n openfaas svc/gateway 31112:8080 &
Now log in with the CLI and check connectivity:
echo -n "$PASSWORD" | faas-cli login -g "$OPENFAAS_URL" -u admin --password-stdin
faas-cli version
If you would like to work with Function CRDs there is an alternative controller to faas-netes named OpenFaaS Operator which can be swapped in at deployment time. The OpenFaaS Operator is suitable for development and testing and may replace the faas-netes controller in the future. The Operator is compatible with Kubernetes 1.9 or later.
To use it, add the flag: --set operator.create=true when installing with Helm.
The faas-netes controller is the most tested, stable and supported version of the OpenFaaS integration with Kubernetes. In contrast the OpenFaaS Operator is based upon the codebase and features from faas-netes, but offers a tighter integration with Kubernetes through CustomResourceDefinitions. This means you can type in kubectl get functions for instance.
See also: Introducing the OpenFaaS Operator
This option is good for those that have issues with installing Tiller, the server/cluster component of helm. Using the helm CLI, we can pre-render and then apply the templates using kubectl.
- Clone the faas-netes repository
git clone https://github.com/openfaas/faas-netes.git
- Render the chart to a Kubernetes manifest called openfaas.yaml
helm template faas-netes/chart/openfaas \
--name openfaas \
--namespace openfaas \
--set basic_auth=true \
--set functionNamespace=openfaas-fn > $HOME/openfaas.yaml
You can set the values and overrides just as you would in the install/upgrade commands above.
- Install the components using kubectl
kubectl apply -f faas-netes/namespaces.yml
kubectl apply -f $HOME/openfaas.yaml
You can run the following command from within the faas-netes/chart folder in the faas-netes repo.
helm upgrade --install openfaas openfaas/ \
--namespace openfaas \
--set basic_auth=true \
--set functionNamespace=openfaas-fn
By default a NodePort will be created for the API Gateway.
If you're running on a cloud such as AKS or GKE you will need to pass an additional flag of --set serviceType=LoadBalancer to tell helm to create LoadBalancer objects instead. An alternative to using multiple LoadBalancers is to install an Ingress controller.
In order to make use of automatic ingress settings you will need an IngressController in your cluster such as Traefik or Nginx.
To enable ingress, pass --set ingress.enabled=true when running the installation via helm.
By default services will be exposed with following hostnames (can be changed, see values.yaml for details):
gateway.openfaas.local
If you require TLS/SSL then please make use of an IngressController. A full guide is provided to enable TLS for the OpenFaaS Gateway using cert-manager and Let's Encrypt.
Scaling up from zero replicas is enabled by default, to turn it off set zero_scale to false in the helm chart.
Scaling to zero is done by the faas-idler component and by default will only carry out a dry-run. Pass the following to helm to enable scaling to zero replicas of idle functions. You will also need to read the docs on how to configure functions to opt into scaling down.
--set faasIdler.dryRun=false
To enable message signing when using asynchronous functions, we need to generate a key pair. Using HTTP message signing allows function callbacks to verify the authenticity of the caller. Only the OpenFaaS gateway should invoke the callback URL. This feature enables you to verify that.
rm signing.key > /dev/null 2>&1 || true && rm signing.key.pub > /dev/null 2>&1 || true
ssh-keygen -t rsa -b 2048 -N "" -m PEM -f signing.key > /dev/null 2>&1
openssl rsa -in ./signing.key -pubout -outform PEM -out signing.key.pub > /dev/null 2>&1
kubectl create secret generic http-signing-private-key -n openfaas \
--from-file=http-signing-private-key=./signing.key
kubectl create secret generic http-signing-public-key -n openfaas \
--from-file=http-signing-public-key=./signing.key.pub
rm signing.key || true && rm signing.key.pub || true
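What a key pair of this kind lets a callback receiver do, as an added example that is not part of the OpenFaaS project: the private key signs a body, and a holder of only the public key accepts the original and rejects a modified copy. It uses plain RSA/SHA-256 over a file with openssl (and openssl genrsa in place of ssh-keygen), not the gateway's HTTP signature header format; the function names, the temporary directory and the payloads are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: sign/verify round trip with an RSA 2048 key pair of the
# same kind as the one created above. Names and payloads are constructed.

# make_keys DIR: write signing.key and signing.key.pub into DIR
make_keys() {
  openssl genrsa -out "$1/signing.key" 2048 2>/dev/null
  openssl rsa -in "$1/signing.key" -pubout -outform PEM \
    -out "$1/signing.key.pub" 2>/dev/null
}

# sign_body KEY BODYFILE SIGFILE: done by the holder of the private key
sign_body() {
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_body PUBKEY BODYFILE SIGFILE: done by the receiver, which only
# needs the public key; exit status 0 only if the signature fits the body
verify_body() {
  openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# demo: echoes the verdict for the signed body and for a modified body
demo() {
  d=$(mktemp -d) || return 1
  make_keys "$d"
  printf '%s' '{"result":"ok"}' > "$d/body"          # constructed payload
  printf '%s' '{"result":"changed"}' > "$d/forged"   # constructed payload
  sign_body "$d/signing.key" "$d/body" "$d/sig"
  if verify_body "$d/signing.key.pub" "$d/body" "$d/sig"
  then r1=accepted; else r1=rejected; fi
  if verify_body "$d/signing.key.pub" "$d/forged" "$d/sig"
  then r2=accepted; else r2=rejected; fi
  rm -rf "$d"   # remove the key material, as the commands above do
  echo "$r1 $r2"
}

demo
```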
Additional OpenFaaS options in values.yaml.
Parameter | Description | Default |
---|---|---|
functionNamespace | Functions namespace, preferred openfaas-fn | default |
async | Deploys NATS | true |
exposeServices | Expose NodePorts/LoadBalancer | true |
serviceType | Type of external service to use NodePort/LoadBalancer | NodePort |
basic_auth | Enable basic authentication on the Gateway | false |
rbac | Enable RBAC | true |
securityContext | Deploy with a securityContext set, this can be disabled for use with Istio sidecar injection | true |
http_signatures | Enable http message signing for non-repudiation of asynchronous function callbacks | false |
openfaasImagePullPolicy | Image pull policy for openfaas components, can change to IfNotPresent in offline env | Always |
kubernetesDNSDomain | Domain name of the Kubernetes cluster | cluster.local |
operator.create | Use the OpenFaaS operator CRD controller, default uses faas-netes as the Kubernetes controller | false |
operator.createCRD | Create the CRD for OpenFaaS Function definition | true |
ingress.enabled | Create ingress resources | false |
faasnetes.readTimeout | Queue worker read timeout | 60s |
faasnetes.writeTimeout | Queue worker write timeout | 60s |
faasnetes.imagePullPolicy | Image pull policy for deployed functions | Always |
gateway.replicas | Replicas of the gateway, pick more than 1 for HA | 1 |
gateway.readTimeout | Queue worker read timeout | 65s |
gateway.writeTimeout | Queue worker write timeout | 65s |
gateway.upstreamTimeout | Maximum duration of upstream function call, should be lower than readTimeout/writeTimeout | 60s |
gateway.scaleFromZero | Enables an intercepting proxy which will scale any function from 0 replicas to the desired amount | true |
gateway.maxIdleConns | Set max idle connections from gateway to functions | 1024 |
gateway.maxIdleConnsPerHost | Set max idle connections from gateway to functions per host | 1024 |
queueWorker.replicas | Replicas of the queue-worker, pick more than 1 for HA | 1 |
queueWorker.ackWait | Max duration of any async task/request | 60s |
nats.enableMonitoring | Enable the NATS monitoring endpoints on port 8222 | false |
faasIdler.create | Create the faasIdler component | true |
faasIdler.inactivityDuration | Duration after which faas-idler will scale function down to 0 | 5m |
faasIdler.reconcileInterval | The time between each reconciliation | 30s |
faasIdler.dryRun | When set to false the OpenFaaS API will be called to scale down idle functions, by default this is set to only print in the logs. | true |
prometheus.create | Create the Prometheus component | true |
alertmanager.create | Create the AlertManager component | true |
Specify each parameter using the --set key=value[,key=value] argument to helm install.
See values.yaml for detailed configuration.
All control plane components can be cleaned up with helm:
helm delete --purge openfaas
Follow this by the following to remove all other associated objects:
kubectl delete namespace openfaas openfaas-fn
In some cases your additional functions may need to be either deleted before deleting the chart with faas-cli or manually deleted using kubectl delete.