├── .gitignore
├── LICENSE
├── README.md
├── docs
│   └── screens
│       ├── aws-cloudwatch-config.png
│       ├── elb-monitoring.png
│       ├── flux-git-push.png
│       ├── flux-helm-chart-update.png
│       ├── flux-helm-gitops.png
│       ├── flux-helm-image-update.png
│       ├── flux-helm-semver.png
│       ├── flux-helm-v3.png
│       ├── flux-helm.png
│       ├── flux-image-update.png
│       ├── flux-image-updates.png
│       ├── flux-openfaas-operator.png
│       ├── flux-openfaas.png
│       ├── flux-secrets.png
│       ├── network-policy.png
│       ├── openfaas-operator.png
│       ├── scope-of.png
│       ├── weavecloud-eks.png
│       ├── weavecloud-explore.png
│       ├── weavecloud-golang.png
│       ├── weavecloud-monitor.png
│       └── weavecloud-openfaas.png
├── functions
│   ├── .helmignore
│   ├── Chart.yaml
│   ├── templates
│   │   ├── NOTES.txt
│   │   ├── _helpers.tpl
│   │   ├── certinfo.yaml
│   │   └── podinfo.yaml
│   └── values.yaml
├── install.sh
├── namespaces
│   ├── openfaas-fn.yaml
│   └── openfaas.yaml
└── releases
    ├── functions.yaml
    ├── openfaas.yaml
    └── sealed-secrets.yaml

/.gitignore:
--------------------------------------------------------------------------------
# OpenFaaS CLI
build/

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2018 Stefan Prodan

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# OpenFaaS GitOps workflow with Flux and Helm v3

This is a step-by-step guide on how to set up a [GitOps](https://www.weave.works/blog/kubernetes-anti-patterns-let-s-do-gitops-not-ciops)
workflow for OpenFaaS with Flux CD and its Helm Operator.
GitOps is a way to do Continuous Delivery; it works by using Git as a source of truth for
declarative infrastructure and workloads. In practice this means using `git push`
instead of `kubectl apply/delete` or `helm install/upgrade`.

[OpenFaaS](https://www.openfaas.com/) is an open source function-as-a-service platform for Kubernetes.
With OpenFaaS you can package your code or an existing binary in a Docker image to get a highly scalable endpoint with auto-scaling and metrics.

[Flux](https://fluxcd.io) is a GitOps operator for Kubernetes that keeps your cluster state in sync with a Git repository.
Because Flux is pull based and also runs inside Kubernetes, you don't have to expose the cluster
credentials outside your production environment.
Once you enable Flux on your cluster, any changes in your production environment are done via
pull request with rollback and audit logs provided by Git.

You can define the desired state of your cluster with Helm charts, Kubernetes deployments, network policies and
even custom resources like OpenFaaS functions or sealed secrets. Flux implements a control loop that continuously
applies the desired state to your cluster, offering protection against harmful actions like deleting deployments or
altering policies.

### Prerequisites

You'll need a Kubernetes cluster v1.11 or newer with load balancer support, a GitHub account, git and kubectl installed locally.

On GitHub, fork the [openfaas-flux](https://github.com/stefanprodan/openfaas-flux) repository and clone it locally
(replace `stefanprodan` with your GitHub username):

```sh
git clone https://github.com/stefanprodan/openfaas-flux
cd openfaas-flux
```

Install Helm v3 and fluxctl for macOS with Homebrew:

```sh
brew install helm fluxctl
```

On Windows you can use Chocolatey:

```sh
choco install kubernetes-helm fluxctl
```

### Install Flux and Helm Operator

Add the FluxCD repository to your Helm repos:

```bash
helm repo add fluxcd https://charts.fluxcd.io
```

Create the `fluxcd` namespace:

```sh
kubectl create ns fluxcd
```

Install Flux by specifying your fork URL (replace `stefanprodan` with your GitHub username):

```bash
helm upgrade -i flux fluxcd/flux --wait \
    --namespace fluxcd \
    --set git.url=git@github.com:stefanprodan/openfaas-flux
```

Install the `HelmRelease` Kubernetes custom resource definition:

```sh
kubectl apply -f https://raw.githubusercontent.com/fluxcd/helm-operator/master/deploy/flux-helm-release-crd.yaml
```

Install Flux Helm Operator with ***Helm v3*** support:

```bash
helm upgrade -i helm-operator fluxcd/helm-operator --wait \
    --namespace fluxcd \
    --set git.ssh.secretName=flux-git-deploy \
    --set helm.versions=v3
```

### Setup Git sync

At startup, Flux generates an SSH key and logs the public key. Find the public key with:

```bash
fluxctl identity --k8s-fwd-ns fluxcd
```

In order to sync your cluster state with git you need to copy the public key and
create a **deploy key** with **write access** on your GitHub repository.

Open GitHub, navigate to your repository, go to _Settings > Deploy keys_, click on _Add deploy key_, check
_Allow write access_, paste the Flux public key and click _Add key_.

After a couple of seconds Flux will create the `openfaas` and `openfaas-fn` namespaces and will install the OpenFaaS Helm release.

Check the OpenFaaS deployment status:

```
watch kubectl -n openfaas get helmrelease openfaas
```

### Manage Helm releases with Flux

The Helm operator provides an extension to Flux that automates Helm chart releases.
A chart release is described through a Kubernetes custom resource named `HelmRelease`.
The Flux daemon synchronizes these resources from git to the cluster,
and the Helm operator makes sure Helm charts are released as specified in the resources.

![flux helm v3](docs/screens/flux-helm-v3.png)

Let's take a look at the OpenFaaS definition by running `cat ./releases/openfaas.yaml` inside the git repo:

```yaml
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: openfaas
  namespace: openfaas
spec:
  releaseName: openfaas
  chart:
    repository: https://openfaas.github.io/faas-netes/
    name: openfaas
    version: 5.4.0
  values:
    generateBasicAuth: true
    exposeServices: false
    serviceType: LoadBalancer
    operator:
      create: true
```

The `spec.chart` section tells Flux Helm Operator where the chart repository is and what version to install.
The `spec.values` are user customizations of default parameter values from the chart itself.
Changing the version or a value in git will make the Helm Operator upgrade the release.

Edit the release and set two replicas for the queue worker with:

```sh
cat << EOF | tee releases/openfaas.yaml
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: openfaas
  namespace: openfaas
spec:
  releaseName: openfaas
  chart:
    repository: https://openfaas.github.io/faas-netes/
    name: openfaas
    version: 5.4.0
  values:
    generateBasicAuth: true
    serviceType: LoadBalancer
    operator:
      create: true
    queueWorker:
      replicas: 2
EOF
```

A list of all supported chart values can be found in the
[faas-netes](https://github.com/openfaas/faas-netes/tree/master/chart/openfaas) repo.

Apply changes via git:

```sh
git add -A && \
git commit -m "scale up queue worker" && \
git push origin master && \
fluxctl sync --k8s-fwd-ns fluxcd
```

Note that Flux does a git-cluster reconciliation every five minutes;
the `fluxctl sync` command can be used to speed up the synchronization.

Check that Helm Operator has upgraded the release and that the queue worker was scaled up:

```sh
watch kubectl -n openfaas get pods
```

Retrieve the OpenFaaS credentials with:

```sh
PASSWORD=$(kubectl -n openfaas get secret basic-auth -o jsonpath="{.data.basic-auth-password}" | base64 --decode) && \
echo "OpenFaaS admin password: $PASSWORD"
```

Find the OpenFaaS gateway load balancer address with:

```sh
kubectl -n openfaas get svc gateway-external -o wide
```

Navigate to the gateway address on port `8080` in your browser and log in with the `admin` user and the password retrieved earlier.

### Manage OpenFaaS functions with Flux

An OpenFaaS function is described through a Kubernetes custom resource named `function`.
The Flux daemon synchronizes these resources from git to the cluster,
and the OpenFaaS Operator creates for each function a Kubernetes deployment and a ClusterIP service as
specified in the resources.

![functions](docs/screens/flux-openfaas-operator.png)

You'll use a Helm chart stored in git to bundle multiple functions and manage the install and upgrade process.

The functions chart contains two function manifests, certinfo and podinfo:

```
./functions/
├── Chart.yaml
├── templates
│   ├── certinfo.yaml
│   └── podinfo.yaml
└── values.yaml
```

You can add, modify or remove functions in the `functions/templates` dir and Flux Helm Operator will create, update or
delete functions in your cluster according to the changes pushed to the master branch.

Install the chart by setting `fluxcd.io/ignore: "false"` (replace `stefanprodan` with your GitHub username):

```sh
cat << EOF | tee releases/functions.yaml
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: functions
  namespace: openfaas-fn
  annotations:
    fluxcd.io/ignore: "false"
spec:
  releaseName: functions
  chart:
    git: git@github.com:stefanprodan/openfaas-flux
    ref: master
    path: functions
EOF
```

The above manifest instructs Helm Operator to clone the git repository using the Flux SSH key
and install or upgrade the `functions` chart in the openfaas-fn namespace.

Apply changes via git:

```sh
git add -A && \
git commit -m "install functions" && \
git push origin master && \
fluxctl sync --k8s-fwd-ns fluxcd
```

List the installed functions with:

```sh
kubectl -n openfaas-fn get functions
```

Invoke the certinfo function with:

```sh
curl -d "openfaas.com" http://<gateway-address>:8080/function/certinfo
```

### Automate OpenFaaS functions updates

Flux can be used to automate container image updates in your cluster.
Flux periodically scans the pods running in your cluster and builds a list of all container images.
Using the image pull secrets, it connects to the container registries,
pulls the image metadata and stores the image tag list in memcached.

![Flux automation](docs/screens/flux-image-updates.png)

You can enable automated image tag updates by annotating your HelmRelease objects.
You can also control what tags should be considered for an update by using glob, regex or semantic version expressions.

Edit the functions release and add container image update policies for the OpenFaaS functions
(replace `stefanprodan` with your GitHub username):

```sh
cat << EOF | tee releases/functions.yaml
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: functions
  namespace: openfaas-fn
  annotations:
    fluxcd.io/automated: "true"
    filter.fluxcd.io/certinfo: semver:~1.0
    filter.fluxcd.io/podinfo: semver:~3.1
spec:
  releaseName: functions
  chart:
    git: git@github.com:stefanprodan/openfaas-flux
    ref: master
    path: functions
  values:
    certinfo:
      image: stefanprodan/certinfo:1.0.0
    podinfo:
      image: stefanprodan/podinfo:3.1.0
EOF
```

The above annotations tell Flux to update the Helm release `values.<name>.image`
every time a new image is pushed to Docker Hub with a tag that matches the semver filter.
Note that Flux only works with immutable image tags (`:latest` is not supported).
Every image tag must be unique; for this you can use the Git commit SHA or semver when tagging images.
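
A lint for the rules just stated, as an added example that is not part of the original repository: it reads a HelmRelease laid out like the ones on this page and reports images with no tag or with the mutable `latest` tag and, when `fluxcd.io/automated` is `"true"`, images that have no `filter.fluxcd.io/<name>` annotation. Requiring an explicit filter is an assumed local policy; the function names and the `demo` entry in the sample manifest are constructed.

```shell
#!/bin/sh
# Added example, not from the original repository.

# Print "name image" for every values.<name>.image entry of a HelmRelease
# laid out like the ones on this page.
list_images() {
    awk '
        /^[ \t]+values:[ \t]*$/ { in_values = 1; next }
        in_values && /^[ \t]+[A-Za-z0-9_-]+:[ \t]*$/ { name = $1; sub(/:$/, "", name); next }
        in_values && $1 == "image:" { print name, $2 }
    ' "$1"
}

# Print the value of an annotation key with quotes removed, empty if absent.
annotation() {
    awk -v key="$2:" '$1 == key { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Print the tag of an image reference, empty if it has none.
# A colon that is followed by "/" belongs to a registry port, not to a tag.
image_tag() {
    tag=${1##*:}
    case "$1" in *:*) ;; *) tag="" ;; esac
    case "$tag" in */*) tag="" ;; esac
    printf '%s\n' "$tag"
}

# Print one finding per line and return 1 if there is any finding.
lint_release() {
    automated=$(annotation "$1" fluxcd.io/automated)
    findings=$(list_images "$1" | while read -r name image; do
        tag=$(image_tag "$image")
        if [ -z "$tag" ]; then
            echo "$name: image $image has no tag"
        elif [ "$tag" = latest ]; then
            echo "$name: image $image uses the mutable tag latest"
        fi
        if [ "$automated" = true ] && [ -z "$(annotation "$1" "filter.fluxcd.io/$name")" ]; then
            echo "$name: automated but no filter.fluxcd.io/$name annotation"
        fi
    done)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample: a functions release in the shape used on this page,
# plus a made-up "demo" entry that breaks both rules.
write_sample() {
    cat > "$1" <<'EOF'
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: functions
  namespace: openfaas-fn
  annotations:
    fluxcd.io/automated: "true"
    filter.fluxcd.io/certinfo: semver:~1.0
    filter.fluxcd.io/podinfo: semver:~3.1
    filter.fluxcd.io/myfn: glob:latest-master-*
spec:
  releaseName: functions
  chart:
    git: git@github.com:stefanprodan/openfaas-flux
    ref: master
    path: functions
  values:
    certinfo:
      image: stefanprodan/certinfo:1.0.0
    podinfo:
      image: stefanprodan/podinfo:3.1.0
    myfn:
      image: stefanprodan/myfn:latest-master-eb656a6
    demo:
      image: registry.example/demo:latest
EOF
}

# When a manifest path is passed, lint it: sh lint.sh releases/functions.yaml
if [ -n "${1:-}" ]; then
    lint_release "$1"
fi
```

The tag `latest-master-eb656a6` passes because only the exact tag `latest` is treated as mutable.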

Apply the update policies via git:

```sh
git add -A && \
git commit -m "enable functions updates" && \
git push origin master && \
fluxctl sync --k8s-fwd-ns fluxcd
```

Once the automation is enabled, Flux will apply the semver filter and update the functions images in git and in the cluster:

![functions update](docs/screens/flux-image-update.png)

Verify that podinfo version has been updated:

```
$ curl -s http://<gateway-address>:8080/function/podinfo/api/info | grep version

"version": "3.1.5"
```

### Encrypt Kubernetes secrets in git

In order to store secrets safely in a public Git repo you can use the
[Sealed Secrets controller](https://github.com/bitnami-labs/sealed-secrets)
and encrypt your Kubernetes Secrets into SealedSecrets.
The SealedSecret can be decrypted only by the controller running in your cluster.

The Sealed Secrets controller has been installed by Flux in the `fluxcd` namespace;
the Helm release can be found in `releases/sealed-secrets.yaml`.

Install the kubeseal CLI:

```sh
brew install kubeseal
```

At startup, the sealed-secrets controller generates an RSA key and logs the public key.
Using kubeseal you can save your public key as `pub-cert.pem`.
The public key can be safely stored in Git and can be used to encrypt secrets without direct access to the Kubernetes cluster:

```sh
kubeseal --fetch-cert \
    --controller-namespace=fluxcd \
    --controller-name=sealed-secrets \
    > pub-cert.pem
```

Generate a Kubernetes secret locally with kubectl:

```bash
kubectl create secret generic db-credentials \
    --from-literal=user=my-db-user \
    --from-literal=password=my-db-pass \
    --dry-run \
    -o json > db-credentials.json
```

Encrypt the secret with kubeseal and add it to the functions chart:

```sh
kubeseal --format=yaml --cert=pub-cert.pem \
    < db-credentials.json > functions/templates/db-credentials.yaml
```

Edit certinfo and add the secret to the function definition:

```sh
cat << EOF | tee functions/templates/certinfo.yaml
apiVersion: openfaas.com/v1alpha2
kind: Function
metadata:
  name: certinfo
  labels:
{{ include "functions.labels" . | indent 4 }}
spec:
  name: certinfo
  image: {{ .Values.certinfo.image }}
  readOnlyRootFilesystem: true
  secrets:
    - db-credentials
EOF
```

The above configuration instructs the OpenFaaS operator to mount the db-credentials secret as a file inside the function
container at `/var/openfaas/secrets/`.

Delete the plain text secret and apply changes via git:

```sh
rm db-credentials.json && \
git add -A && \
git commit -m "add db credentials" && \
git push origin master && \
fluxctl sync --k8s-fwd-ns fluxcd
```

Flux will apply the sealed secret on your cluster and sealed-secrets controller will then decrypt it into a
Kubernetes secret.
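
A guard for the "delete the plain text secret" step, as an added example that is not part of the original repository: a pre-commit check that refuses to commit a plaintext Kubernetes `Secret` manifest such as `db-credentials.json`, which `git add -A` would otherwise stage, while letting `SealedSecret` manifests through. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original repository.

# True when the file declares kind "Secret" in YAML (kind: Secret) or in
# JSON ("kind": "Secret",). "SealedSecret" does not match because the value
# must be exactly Secret.
is_plaintext_secret() {
    grep -Eq '^[[:space:]]*"?kind"?[[:space:]]*:[[:space:]]*"?Secret"?[[:space:]]*,?[[:space:]]*$' "$1"
}

# Read paths from stdin, print those that are plaintext Secret manifests,
# and return 1 if any was found. Paths that are not regular files are skipped.
scan_paths() {
    found=0
    while IFS= read -r path; do
        [ -f "$path" ] || continue
        if is_plaintext_secret "$path"; then
            printf '%s\n' "$path"
            found=1
        fi
    done
    return "$found"
}

# Pre-commit entry point: inspect the working-tree copy of every file that
# is staged as added, copied or modified.
check_staged() {
    if ! offenders=$(git diff --cached --name-only --diff-filter=ACM | scan_paths); then
        echo "Refusing to commit plaintext Kubernetes Secret manifests:" >&2
        printf '%s\n' "$offenders" | sed 's/^/  /' >&2
        echo "Seal them with kubeseal and delete the plaintext file first." >&2
        return 1
    fi
}

# Constructed sample files mirroring the steps on this page: the plaintext
# JSON written by kubectl and the sealed YAML written by kubeseal.
make_samples() {
    mkdir -p "$1/functions/templates"
    cat > "$1/db-credentials.json" <<'EOF'
{
    "kind": "Secret",
    "apiVersion": "v1",
    "metadata": { "name": "db-credentials" },
    "data": { "password": "bXktZGItcGFzcw==", "user": "bXktZGItdXNlcg==" }
}
EOF
    cat > "$1/functions/templates/db-credentials.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-credentials
spec:
  encryptedData:
    password: CONSTRUCTED-CIPHERTEXT
    user: CONSTRUCTED-CIPHERTEXT
EOF
}

# Run the check only when this file is installed as .git/hooks/pre-commit.
case "$0" in
    */pre-commit|pre-commit) check_staged || exit 1 ;;
esac
```

Install it by copying the file to `.git/hooks/pre-commit` in your fork and making it executable.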

![SealedSecrets](https://github.com/fluxcd/helm-operator-get-started/blob/master/diagrams/flux-helm-operator-sealed-secrets.png)

You can read more about secrets management on the OpenFaaS docs [website](https://docs.openfaas.com/reference/secrets/).

### Developer workflow

You'll be using the OpenFaaS CLI to create functions, build and push them to a container registry.

Install faas-cli and log in to your instance:

```sh
curl -sL https://cli.openfaas.com | sudo sh

echo "$PASSWORD" | faas-cli login -u admin --password-stdin \
    --gateway http://<gateway-address>:8080
```

Create a function using the Go template (replace `stefanprodan` with your Docker Hub username):

```sh
faas-cli new myfn --lang go --prefix stefanprodan
```

Implement your function logic by editing the `myfn/handler.go` file.

Initialize a Git repository for your function and commit your changes:

```sh
git init
git add . && git commit -s -m "Init function"
```

Build the container image by tagging it with the Git branch and commit short SHA:

```sh
$ faas-cli build --tag branch -f myfn.yml

Image: stefanprodan/myfn:latest-master-eb656a6 built.
```

Push the image to Docker Hub with:

```sh
$ faas-cli push --tag branch -f myfn.yml

Pushing myfn [stefanprodan/myfn:latest-master-eb656a6] done.
```

Generate the function Kubernetes custom resource with:

```sh
faas-cli generate -n "" --tag branch --yaml myfn.yml > myfn-k8s.yaml
```

Edit the generated YAML so that Flux can use Helm to control the version and labels:

```sh
cat << EOF | tee functions/templates/myfn.yaml
apiVersion: openfaas.com/v1alpha2
kind: Function
metadata:
  name: myfn
  labels:
{{ include "functions.labels" . | indent 4 }}
spec:
  name: myfn
  image: {{ .Values.myfn.image }}
EOF
```

Add your function container image to the chart values.yaml:

```sh
cat << EOF | tee functions/values.yaml
certinfo:
  image: stefanprodan/certinfo:1.0.0
podinfo:
  image: stefanprodan/podinfo:3.1.0
myfn:
  image: stefanprodan/myfn:latest-master-eb656a6
EOF
```

Add your function to the Helm release and set a Flux filter using a glob expression:

```sh
cat << EOF | tee releases/functions.yaml
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: functions
  namespace: openfaas-fn
  annotations:
    fluxcd.io/automated: "true"
    filter.fluxcd.io/certinfo: semver:~1.0
    filter.fluxcd.io/podinfo: semver:~3.1
    filter.fluxcd.io/myfn: glob:latest-master-*
spec:
  releaseName: functions
  chart:
    git: git@github.com:stefanprodan/openfaas-flux
    ref: master
    path: functions
  values:
    certinfo:
      image: stefanprodan/certinfo:1.0.0
    podinfo:
      image: stefanprodan/podinfo:3.1.0
    myfn:
      image: stefanprodan/myfn:latest-master-eb656a6
EOF
```

To automate the whole process you can use the [OpenFaaS GitHub action](https://github.com/LucasRoesler/openfaas-action)
to run faas-cli build and push on every commit to the master branch.
Flux will detect master builds and will deploy the new images to your cluster.

--------------------------------------------------------------------------------
/docs/screens/aws-cloudwatch-config.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/aws-cloudwatch-config.png
--------------------------------------------------------------------------------
/docs/screens/elb-monitoring.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/elb-monitoring.png
--------------------------------------------------------------------------------
/docs/screens/flux-git-push.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/flux-git-push.png
--------------------------------------------------------------------------------
/docs/screens/flux-helm-chart-update.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/flux-helm-chart-update.png
--------------------------------------------------------------------------------
/docs/screens/flux-helm-gitops.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/flux-helm-gitops.png
--------------------------------------------------------------------------------
/docs/screens/flux-helm-image-update.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/flux-helm-image-update.png
--------------------------------------------------------------------------------
/docs/screens/flux-helm-semver.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/flux-helm-semver.png
--------------------------------------------------------------------------------
/docs/screens/flux-helm-v3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/flux-helm-v3.png
--------------------------------------------------------------------------------
/docs/screens/flux-helm.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/flux-helm.png
--------------------------------------------------------------------------------
/docs/screens/flux-image-update.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/flux-image-update.png
--------------------------------------------------------------------------------
/docs/screens/flux-image-updates.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/flux-image-updates.png
--------------------------------------------------------------------------------
/docs/screens/flux-openfaas-operator.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/flux-openfaas-operator.png
--------------------------------------------------------------------------------
/docs/screens/flux-openfaas.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/flux-openfaas.png
--------------------------------------------------------------------------------
/docs/screens/flux-secrets.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/flux-secrets.png
--------------------------------------------------------------------------------
/docs/screens/network-policy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/network-policy.png
--------------------------------------------------------------------------------
/docs/screens/openfaas-operator.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/openfaas-operator.png
--------------------------------------------------------------------------------
/docs/screens/scope-of.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/scope-of.png
--------------------------------------------------------------------------------
/docs/screens/weavecloud-eks.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/weavecloud-eks.png
--------------------------------------------------------------------------------
/docs/screens/weavecloud-explore.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/weavecloud-explore.png
--------------------------------------------------------------------------------
/docs/screens/weavecloud-golang.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/weavecloud-golang.png
--------------------------------------------------------------------------------
/docs/screens/weavecloud-monitor.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/weavecloud-monitor.png
--------------------------------------------------------------------------------
/docs/screens/weavecloud-openfaas.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stefanprodan/openfaas-flux/86f88569d95ffca36f864d961d9c7f507467745d/docs/screens/weavecloud-openfaas.png
--------------------------------------------------------------------------------
/functions/.helmignore:
--------------------------------------------------------------------------------
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

--------------------------------------------------------------------------------
/functions/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
name: functions
description: OpenFaaS functions Helm chart for Kubernetes

# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application

# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
version: 1.0.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application.
appVersion: 1.0.0

--------------------------------------------------------------------------------
/functions/templates/NOTES.txt:
--------------------------------------------------------------------------------
List the installed functions with:
kubectl -n {{ .Release.Namespace }} get functions

--------------------------------------------------------------------------------
/functions/templates/_helpers.tpl:
--------------------------------------------------------------------------------
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "functions.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "functions.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "functions.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Common labels
*/}}
{{- define "functions.labels" -}}
helm.sh/chart: {{ include "functions.chart" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}

--------------------------------------------------------------------------------
/functions/templates/certinfo.yaml:
--------------------------------------------------------------------------------
apiVersion: openfaas.com/v1
kind: Function
metadata:
  name: certinfo
  labels:
{{ include "functions.labels" . | indent 4 }}
spec:
  name: certinfo
  image: {{ .Values.certinfo.image }}
  readOnlyRootFilesystem: true

--------------------------------------------------------------------------------
/functions/templates/podinfo.yaml:
--------------------------------------------------------------------------------
apiVersion: openfaas.com/v1alpha2
kind: Function
metadata:
  name: podinfo
  labels:
{{ include "functions.labels" . | indent 4 }}
spec:
  name: podinfo
  image: {{ .Values.podinfo.image }}
  annotations:
    com.openfaas.health.http.initialDelay: 2s
    com.openfaas.health.http.path: /healthz
  labels:
    com.openfaas.scale.min: "1"
    com.openfaas.scale.max: "5"
  environment:
    PODINFO_PORT: "8080"
    PODINFO_UI_COLOR: "#34577c"

--------------------------------------------------------------------------------
/functions/values.yaml:
--------------------------------------------------------------------------------
# Default values for functions.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

certinfo:
  image: stefanprodan/certinfo:1.0.0

podinfo:
  image: stefanprodan/podinfo:3.1.0

--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
set -eu

if [[ ! -x "$(command -v kubectl)" ]]; then
    echo "kubectl not found"
    exit 1
fi

if [ ! -x "$(command -v helm)" ]; then
    echo "helm not found"
    exit 1
fi

GH_USER=${1:-stefanprodan}
GH_REPO=${2:-openfaas-flux}
GH_BRANCH=${3:-master}
GH_URL="git@github.com:${GH_USER}/${GH_REPO}"
REPO_ROOT=$(git rev-parse --show-toplevel)

helm repo add fluxcd https://charts.fluxcd.io

cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Namespace
metadata:
  name: fluxcd
EOF

helm upgrade -i flux fluxcd/flux --wait \
    --namespace fluxcd \
    --set git.url="${GH_URL}" \
    --set git.branch="${GH_BRANCH}"

kubectl apply -f https://raw.githubusercontent.com/fluxcd/helm-operator/master/chart/helm-operator/crds/helmrelease.yaml

helm upgrade -i helm-operator fluxcd/helm-operator --wait \
    --namespace fluxcd \
    --set git.ssh.secretName=flux-git-deploy \
    --set helm.versions=v3

echo ""
echo "Configure GitHub deploy key for $GH_URL with write access:"
kubectl -n fluxcd logs deployment/flux | grep identity.pub | cut -d '"' -f2


--------------------------------------------------------------------------------
/namespaces/openfaas-fn.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: openfaas-fn
  labels:
    role: openfaas-fn

--------------------------------------------------------------------------------
/namespaces/openfaas.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: openfaas
  labels:
    role: openfaas-system
    access: openfaas-system

--------------------------------------------------------------------------------
/releases/functions.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: functions
  namespace: openfaas-fn
  annotations:
    fluxcd.io/ignore: "true"
    fluxcd.io/automated: "false"
    filter.fluxcd.io/certinfo: semver:~1.0
    filter.fluxcd.io/podinfo: semver:~3.1
spec:
  releaseName: functions
  chart:
    git: git@github.com:stefanprodan/openfaas-flux
    ref: master
    path: functions
  values:
    certinfo:
      image: stefanprodan/certinfo:1.0.0
    podinfo:
      image: stefanprodan/podinfo:3.1.0

--------------------------------------------------------------------------------
/releases/openfaas.yaml:
--------------------------------------------------------------------------------
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: openfaas
  namespace: openfaas
spec:
  releaseName: openfaas
  chart:
    repository: https://openfaas.github.io/faas-netes/
    name: openfaas
    version: 5.4.0
  values:
    generateBasicAuth: true
    serviceType: LoadBalancer
    operator:
      create: true

--------------------------------------------------------------------------------
/releases/sealed-secrets.yaml:
--------------------------------------------------------------------------------
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: sealed-secrets
  namespace: fluxcd
  annotations:
    fluxcd.io/automated: "false"
    filter.fluxcd.io/chart-image: semver:~0.9
spec:
  releaseName: sealed-secrets
  chart:
    repository: https://kubernetes-charts.storage.googleapis.com/
    name: sealed-secrets
    version: 1.6.1
  values:
    image:
      repository: quay.io/bitnami/sealed-secrets-controller
      tag: v0.9.6

--------------------------------------------------------------------------------