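OpenFaaS can be deployed to the following environments:
Container orchestration environments such as Kubernetes, K3s and OpenShift
A single-node server running the faasd service
By comparison, integrating with a container orchestration environment such as Kubernetes gives better scalability.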
OpenFaaS CE
based on 0.26.3
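OpenFaaS Community Edition is intended for internal use, development and proofs of concept.
Ways to install OpenFaaS CE:
arkade: arkade is essentially a one-stop deployment tool that can deploy many services and has thorough support for OpenFaaS. It bundles the binary download and the Helm chart installation, and wraps Helm's value assignment and deployment: variables that helm sets with --set are handled by arkade through its own flags.
Helm chart, Flux or ArgoCD
Static YAML manifests
Installing faas-cli
Install with arkade
```bash
# Install arkade
$ curl -sSL https://get.arkade.dev | sudo -E sh

# Install faas-cli
$ arkade get faas-cli
$ sudo mv /root/.arkade/bin/faas-cli /usr/local/bin/
```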
Install with bash
```bash
$ curl -sSL https://cli.openfaas.com | sh
New version of faas-cli installed to /usr/local/bin
Creating alias 'faas' for 'faas-cli'.
```
Installing OpenFaaS
Install with arkade
arkade wraps Helm's value assignment and deployment: variables that helm sets with --set are handled by arkade through its own flags.
```bash
# Install arkade
$ curl -sSL https://get.arkade.dev | sudo -E sh

# Default installation
$ arkade install openfaas

# Optional installation parameters
$ arkade install openfaas --help
```
Install with helm
```bash
# Install helm
$ curl -sSLf https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash

# Creating two namespaces is recommended: openfaas and openfaas-fn. The former holds the OpenFaaS service components, the latter holds the functions
# An arkade deployment creates both namespaces by default
$ kubectl apply -f https://raw.githubusercontent.com/openfaas/faas-netes/master/namespaces.yml

$ helm repo add openfaas https://openfaas.github.io/faas-netes/
$ helm repo update && helm upgrade openfaas --install openfaas/openfaas --namespace openfaas
```
Installation result
```bash
$ kubectl get deploy -n openfaas
NAME           READY   UP-TO-DATE   AVAILABLE   AGE
alertmanager   1/1     1            1           71s
gateway        1/1     1            1           71s
nats           1/1     1            1           71s
prometheus     1/1     1            1           71s
queue-worker   1/1     1            1           71s

$ kubectl get svc -n openfaas
NAME               TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
alertmanager       ClusterIP   10.96.76.14     <none>        9093/TCP         74s
gateway            ClusterIP   10.96.4.162     <none>        8080/TCP         74s
gateway-external   NodePort    10.96.10.134    <none>        8080:31112/TCP   74s
nats               ClusterIP   10.96.196.157   <none>        4222/TCP         74s
prometheus         ClusterIP   10.96.166.131   <none>        9090/TCP         74s
```
Gateway authentication
Here OpenFaaS CE is deployed behind a NodePort service. gateway-external is the gateway service exposed outside the cluster and gateway is the one exposed inside it; both are backed by the gateway Pod. Either way, login uses HTTP authentication, and the username and password are stored in a Secret:
```bash
$ USER=$(kubectl get secret -n openfaas basic-auth -o jsonpath="{.data.basic-auth-user}" | base64 --decode; echo)
$ PASSWORD=$(kubectl get secret -n openfaas basic-auth -o jsonpath="{.data.basic-auth-password}" | base64 --decode; echo)
$ echo "OpenFaaS user: $USER"
$ echo "OpenFaaS password: $PASSWORD"
```
gateway
```bash
$ kubectl rollout status -n openfaas deploy/gateway
$ kubectl port-forward -n openfaas svc/gateway 8080:8080 &
$ echo -n "$PASSWORD" | faas-cli login --username admin --password-stdin
Calling the OpenFaaS server to validate the credentials...
Handling connection for 8080
credentials saved for admin http://127.0.0.1:8080
```
By default faas-cli operates on the OpenFaaS instance at http://127.0.0.1:8080; a different instance can be specified with --gateway.
gateway-external
Log in with HTTP authentication to the service exposed by gateway-external, that is, http://178.104.162.69:31112/ui/. After authenticating, you reach the OpenFaaS UI:
Template store
The community template store is https://github.com/openfaas/store/blob/master/templates.json; its templates come from the official OpenFaaS community and from surrounding communities.
```json
[
  {
    "template": "go",
    "platform": "x86_64",
    "language": "Go",
    "source": "openfaas",
    "description": "Legacy Golang template",
    "repo": "https://github.com/openfaas/templates",
    "official": "true"
  },
  {
    "template": "rust",
    "platform": "x86_64",
    "language": "Rust",
    "source": "openfaas-incubator",
    "description": "Community Rust template",
    "repo": "https://github.com/openfaas-incubator/openfaas-rust-template",
    "official": "false"
  }
]
```
List the templates in the default template store.
```bash
$ faas-cli template store list
NAME                     RECOMMENDED DESCRIPTION        SOURCE
bash-streaming           [x]         openfaas-incubator Bash Streaming template
dockerfile               [x]         openfaas           Classic Dockerfile template
golang-middleware        [x]         openfaas           HTTP middleware interface in Go
java11-vert-x            [x]         openfaas           Java 11 Vert.x template
node18                   [x]         openfaas           HTTP-based Node 18 template
php8                     [x]         openfaas           Classic PHP 8 template
python3-http             [x]         openfaas           Python 3 with Flask and HTTP
python3-http-debian      [x]         openfaas           Python 3 with Flask and HTTP based on Debian
ruby-http                [x]         openfaas           Ruby 2.4 HTTP template
cobol                    [ ]         devries            COBOL Template
crystal                  [ ]         tpei               Crystal template
crystal-http             [ ]         koffeinfrei        Crystal HTTP template
csharp-httprequest       [ ]         distantcam         C# HTTP template
csharp-kestrel           [ ]         burtonr            C# Kestrel HTTP template
lua53                    [ ]         affix              Lua 5.3 Template
perl-alpine              [ ]         tmiklas            Perl language template based on Alpine image
python3-dlrs             [ ]         intel              Deep Learning Reference Stack v0.4 for ML workloads
quarkus-native           [ ]         pmlopes            Quarkus.io native image template
rust                     [ ]         openfaas-incubator Community Rust template
rust-http                [ ]         openfaas-incubator Community Rust template with HTTP bindings
swift                    [ ]         affix              Swift 4.2 Template
vala                     [ ]         affix              Vala Template
vala-http                [ ]         affix              Non-Forking Vala Template
vertx-native             [ ]         pmlopes            Eclipse Vert.x native image template
csharp                   [ ]         openfaas           Classic C# template
go                       [ ]         openfaas           Legacy Golang template
golang-http              [ ]         openfaas           Request/response style HTTP template
java11                   [ ]         openfaas           Java 11 template
node                     [ ]         openfaas           Legacy Node 12 template
node12                   [ ]         openfaas           HTTP-based Node 12 template
node14                   [ ]         openfaas           HTTP-based Node 14 template
node16                   [ ]         openfaas           HTTP-based Node 16 template
node17                   [ ]         openfaas           HTTP-based Node 17 template
php7                     [ ]         openfaas           Classic PHP 7 template
powershell-http-template [ ]         openfaas-incubator Powershell Core HTTP Ubuntu:16.04 template
powershell-template      [ ]         openfaas-incubator Powershell Core Ubuntu:16.04 template
puppeteer-nodelts        [ ]         alexellis          A puppeteer template for headless Chrome
python                   [ ]         openfaas           Classic Python 2.7 template
python27-flask           [ ]         openfaas           Python 2.7 Flask template
python3                  [ ]         openfaas           Classic Python 3 template
python3-debian           [ ]         openfaas           Python 3 Debian template
python3-flask            [ ]         openfaas           Python 3 Flask template
python3-flask-debian     [ ]         openfaas           Python 3 Flask template based on Debian
ruby                     [ ]         openfaas           Classic Ruby 2.5 template
```
Fetch the official classic OpenFaaS templates hosted in the template store.
```bash
$ faas-cli template pull
Fetch templates from repository: https://github.com/openfaas/templates.git at
2023/06/05 17:15:07 Attempting to expand templates from https://github.com/openfaas/templates.git
2023/06/05 17:15:09 Fetched 18 template(s) : [csharp dockerfile go java11 java11-vert-x node node12 node12-debian node14 node16 node17 node18 php7 php8 python python3 python3-debian ruby] from https://github.com/openfaas/templates.git
```
Fetch a specific template hosted in the template store.
```bash
$ faas-cli template store pull rust
Fetch templates from repository: https://github.com/openfaas-incubator/openfaas-rust-template at
2023/06/05 17:41:58 Attempting to expand templates from https://github.com/openfaas-incubator/openfaas-rust-template
2023/06/05 17:42:02 Fetched 1 template(s) : [rust] from https://github.com/openfaas-incubator/openfaas-rust-template
```
Templates from a specified source can also be fetched with the --url parameter.
```bash
$ faas-cli template store pull --url=https://raw.githubusercontent.com/openfaas/store/master/templates.json
```
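A store file is plain JSON whose source and official fields are self-declared, while the repo field decides which Git repository (and therefore which Dockerfile) ends up in the build. The following added example, which is not part of the original page or of faas-cli, vets store entries before they are pulled; the allowlist policy, the function names and the "demo" entry are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample: the two store entries quoted on this page, plus one
# constructed entry ("demo") that claims to be official but lives elsewhere.
STORE_JSON = """
[
  {"template": "go", "platform": "x86_64", "language": "Go",
   "source": "openfaas", "description": "Legacy Golang template",
   "repo": "https://github.com/openfaas/templates", "official": "true"},
  {"template": "rust", "platform": "x86_64", "language": "Rust",
   "source": "openfaas-incubator", "description": "Community Rust template",
   "repo": "https://github.com/openfaas-incubator/openfaas-rust-template",
   "official": "false"},
  {"template": "demo", "platform": "x86_64", "language": "Go",
   "source": "openfaas", "description": "Constructed entry",
   "repo": "http://git.example.org/openfaas/templates", "official": "true"}
]
"""

# Assumption: policy trusts only repositories under these GitHub organisations.
TRUSTED_ORGS = {"openfaas"}


def vet_template(entry, trusted_orgs=TRUSTED_ORGS):
    """Return (ok, reasons) for one store entry."""
    reasons = []
    # "official" is the string "true"/"false" in the store file, not a boolean.
    if str(entry.get("official", "")).strip().lower() != "true":
        reasons.append("not marked official")

    # The labels above are self-declared; the repo URL is what gets cloned,
    # so the decision is anchored on its scheme, host and organisation.
    url = urlparse(entry.get("repo", ""))
    if url.scheme != "https":
        reasons.append("repo not fetched over https")
    org = next((p for p in url.path.split("/") if p), None)
    if url.hostname != "github.com":
        reasons.append(f"unexpected host {url.hostname!r}")
    elif org is None or org.lower() not in trusted_orgs:
        reasons.append(f"org {org!r} not in allowlist")
    return (not reasons, reasons)


def vet_store(store_json, wanted):
    """Vet each wanted template name against the store; unknown names fail."""
    store = {e["template"]: e for e in json.loads(store_json)}
    result = {}
    for name in wanted:
        if name in store:
            result[name] = vet_template(store[name])
        else:
            result[name] = (False, ["not in store"])
    return result


if __name__ == "__main__":
    for name, (ok, reasons) in vet_store(STORE_JSON, ["go", "rust", "demo"]).items():
        print(name, "OK" if ok else "REVIEW: " + "; ".join(reasons))
```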
The fetched template files are saved in the template directory under the current directory.
```bash
$ ls template/
csharp dockerfile go java11 java11-vert-x node node12 node12-debian node14 node16 node17 node18 php7 php8 python python3 python3-debian ruby

$ tree template/golang-middleware/
template/golang-middleware/
├── Dockerfile      # the function is ultimately built into an image
├── function        # business code, e.g. the HTTP endpoint that handles requests
│   ├── go.mod
│   └── handler.go
├── go.mod
├── go.work
├── main.go         # function entry point: starts the HTTP server and registers the endpoint
└── template.yml    # template description

1 directory, 7 files

$ faas-cli new --list
Languages available as templates:
- csharp
- dockerfile
- go
- java11
- java11-vert-x
- node
- node12
- node12-debian
- node14
- node16
- node17
- node18
- php7
- php8
- python
- python3
- python3-debian
- ruby
```
Hello World
based on Kubernetes 1.24.10
Creating a function
This section uses the Golang golang-middleware function template as an example; the function is a simple HTTP request/response handler.
Create a function named go-fn from the golang-middleware template.
```bash
$ faas-cli new go-fn --lang golang-middleware
Folder: go-fn created.
  ___                   _____           ____
 / _ \ _ __   ___ _ __ |  ___|_ _  __ _/ ___|
| | | | '_ \ / _ \ '_ \| |_ / _` |/ _` \___ \
| |_| | |_) |  __/ | | |  _| (_| | (_| |___) |
 \___/| .__/ \___|_| |_|_|  \__,_|\__,_|____/
      |_|


Function created in folder: go-fn
Stack file written: go-fn.yml

Notes:
You have created a new function which uses Go 1.19 and Alpine
Linux as its base image.

To disable the go module, for private vendor code, please use
"--build-arg GO111MODULE=off" with faas-cli build or configure this
via your stack.yml file.

See more: https://docs.openfaas.com/cli/templates/

For the template's repo and more examples:
https://github.com/openfaas/golang-http-template
```
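After the function is created from the template, a go-fn directory is generated in the current directory, with contents taken from template/golang-middleware/function, together with a go-fn.yml file that describes the function's build specification, for example:
```yaml
version: 1.0
provider:
  name: openfaas
  gateway: http://127.0.0.1:8080
functions:
  go-fn:
    lang: golang-middleware
    handler: ./go-fn
    image: harbor.archeros.cn/dev/ake/openfaas-fn:dev
```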
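Building the function image
When building a function, faas-cli build reads the stack.yml file in the current directory by default; a different file can be specified with -f.
```bash
$ faas-cli build -f go-fn.yml

$ docker images
harbor.archeros.cn/dev/ake/openfaas-fn   dev   891e42d0a44c   23 minutes ago   21MB
```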
The Dockerfile used for the build is build/go-fn/Dockerfile (taken from template/golang-middleware/Dockerfile).
```dockerfile
FROM --platform=${TARGETPLATFORM:-linux/amd64} ghcr.io/openfaas/of-watchdog:0.9.11 as watchdog
FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine as build

ARG TARGETPLATFORM
ARG BUILDPLATFORM
ARG TARGETOS
ARG TARGETARCH

RUN apk --no-cache add git

COPY --from=watchdog /fwatchdog /usr/bin/fwatchdog
RUN chmod +x /usr/bin/fwatchdog

RUN mkdir -p /go/src/handler
WORKDIR /go/src/handler
COPY . .

ARG GO111MODULE="on"
ARG GOPROXY=""
ARG GOFLAGS=""
ARG CGO_ENABLED=0
ENV CGO_ENABLED=${CGO_ENABLED}

RUN test -z "$(gofmt -l $(find . -type f -name '*.go' -not -path "./vendor/*" -not -path "./function/vendor/*"))" || { echo "Run \"gofmt -s -w\" on your Golang code"; exit 1; }

WORKDIR /go/src/handler/function
RUN mkdir -p /go/src/handler/function/static

RUN GOOS=${TARGETOS} GOARCH=${TARGETARCH} go test ./... -cover

WORKDIR /go/src/handler
RUN GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
    go build --ldflags "-s -w" -o handler .

FROM --platform=${TARGETPLATFORM:-linux/amd64} alpine:3.17.2 as ship

RUN apk --no-cache add ca-certificates \
    && addgroup -S app && adduser -S -g app app

RUN mkdir -p /home/app \
    && chown app /home/app

WORKDIR /home/app

COPY --from=build --chown=app /go/src/handler/handler .
COPY --from=build --chown=app /usr/bin/fwatchdog .
COPY --from=build --chown=app /go/src/handler/function/static static

USER app

ENV fprocess="./handler"
ENV mode="http"
ENV upstream_url="http://127.0.0.1:8082"
ENV prefix_logs="false"

CMD ["./fwatchdog"]
```
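In addition, build arguments can be specified with the build_args option in stack.yml, which is equivalent to faas-cli build --build-arg key1=value1,key2=value2. In the end, the arguments given in build_args are passed through docker build --build-arg to the ARG instructions in the Dockerfile.
For example, to build a Golang application from a local vendor directory:
```yaml
functions:
  with_go_modules:
    handler: ./with_go_modules
    lang: go
    build_args:
      GO111MODULE: off
      GOFLAGS: "-mod=vendor"
```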
The default image pull policy for function applications is Always, so the image has to be pushed to a remote registry.
```bash
$ faas-cli push -f go-fn.yml
```
Deploying the function
```bash
$ faas-cli deploy -f go-fn.yml
Deploying: go-fn.
Handling connection for 8080

Deployed. 202 Accepted.
URL: http://127.0.0.1:8080/function/go-fn
```
Once a function is deployed, a corresponding Deployment is created. In OpenFaaS CE, the minimum replica count is 1.
```bash
$ kubectl get pod -n openfaas-fn
NAME                     READY   STATUS    RESTARTS   AGE
go-fn-757f844cc5-v5tvn   1/1     Running   0          8s
```
The key parameters of the Pod are:
```yaml
spec:
  containers:
  - env:
    - name: fprocess
      value: ./handler
    image: harbor.archeros.cn/dev/ake/openfaas-fn:dev
    imagePullPolicy: Always
    livenessProbe:
      failureThreshold: 3
      httpGet:
        path: /_/health
        port: 8080
        scheme: HTTP
      initialDelaySeconds: 2
      periodSeconds: 2
      successThreshold: 1
      timeoutSeconds: 1
    name: go-fn
    ports:
    - containerPort: 8080
      name: http
      protocol: TCP
    readinessProbe:
      failureThreshold: 3
      httpGet:
        path: /_/health
        port: 8080
        scheme: HTTP
      initialDelaySeconds: 2
      periodSeconds: 2
      successThreshold: 1
      timeoutSeconds: 1
    resources: {}
    securityContext:
      readOnlyRootFilesystem: false
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-b7kx5
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: wnx
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: kube-api-access-b7kx5
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
```
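The Pod spec above leaves several hardening fields at their defaults: readOnlyRootFilesystem: false, enableServiceLinks: true, resources: {}, no allowPrivilegeEscalation setting, and a mounted token for the default service account. The following added example, which is not part of the original page or of OpenFaaS, audits a Pod for those gaps; the finding names, the harden() helper and the limit values are assumptions made for illustration.

```python
import json

# Constructed sample: the security-relevant fields of the go-fn Pod spec shown
# above, in the JSON form that `kubectl get pod -o json` produces.
CE_POD = json.loads("""
{"spec": {
  "serviceAccountName": "default",
  "enableServiceLinks": true,
  "securityContext": {},
  "containers": [{
    "name": "go-fn",
    "image": "harbor.archeros.cn/dev/ake/openfaas-fn:dev",
    "resources": {},
    "securityContext": {"readOnlyRootFilesystem": false},
    "volumeMounts": [{
      "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
      "name": "kube-api-access-b7kx5", "readOnly": true}]
  }]
}}
""")

SA_TOKEN_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"


def audit_pod(pod):
    """Return sorted 'scope:check' strings for hardening gaps in a Pod."""
    spec = pod["spec"]
    findings = set()

    # Kubernetes injects Service env vars unless this is explicitly false.
    if spec.get("enableServiceLinks", True):
        findings.add("pod:service-links-injected")

    for c in spec.get("containers", []):
        name = c["name"]
        sc = c.get("securityContext") or {}

        # An API token is only needed by functions that call the API server.
        if any(m.get("mountPath") == SA_TOKEN_DIR
               for m in c.get("volumeMounts", [])):
            findings.add(f"{name}:api-token-mounted")

        # Unset leaves no_new_privs off, so setuid binaries can gain privileges.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.add(f"{name}:privilege-escalation-allowed")

        if sc.get("readOnlyRootFilesystem") is not True:
            findings.add(f"{name}:writable-root-fs")

        if not (c.get("resources") or {}).get("limits"):
            findings.add(f"{name}:no-resource-limits")

    return sorted(findings)


def harden(pod):
    """Return a copy with the audited gaps closed, for comparison only.
    The limit values are illustrative assumptions."""
    fixed = json.loads(json.dumps(pod))  # deep copy, input stays untouched
    spec = fixed["spec"]
    spec["enableServiceLinks"] = False
    spec["automountServiceAccountToken"] = False
    for c in spec["containers"]:
        c["volumeMounts"] = [m for m in c.get("volumeMounts", [])
                             if m.get("mountPath") != SA_TOKEN_DIR]
        c["securityContext"] = {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True}
        c["resources"] = {"limits": {"cpu": "200m", "memory": "128Mi"}}
    return fixed


if __name__ == "__main__":
    for finding in audit_pod(CE_POD):
        print(finding)
    print("after hardening:", audit_pod(harden(CE_POD)))
```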
For a deployed function, Invocations is the number of calls and Replicas is the current number of replicas of the function application.
```bash
$ faas-cli list
Function    Invocations    Replicas
go-fn       0              1

$ faas describe go-fn
Name:                go-fn
Status:              Not Ready
Replicas:            1
Available Replicas:  0
Invocations:         17542
Image:               harbor.archeros.cn/dev/ake/openfaas-fn:dev
Function Process:    ./handler
URL:                 http://127.0.0.1:8080/function/go-fn
Async URL:           http://127.0.0.1:8080/async-function/go-fn
Labels:
  faas_function: go-fn
Annotations:
  prometheus.io.scrape: false
```
Scaling limits and similar settings can also be set at deploy time with --label.
```bash
$ faas-cli deploy -f go-fn.yml --label com.openfaas.scale.max=2

# From now on, no matter how high the request volume, the function scales to at most 2 replicas
$ faas-cli describe go-fn
Name:                go-fn
Status:              Ready
Replicas:            2
Available Replicas:  2
Invocations:         21517
Image:               harbor.archeros.cn/dev/ake/openfaas-fn:dev
Function Process:    ./handler
URL:                 http://127.0.0.1:8080/function/go-fn
Async URL:           http://127.0.0.1:8080/async-function/go-fn
Labels:
  com.openfaas.scale.max: 2
  faas_function: go-fn
Annotations:
  prometheus.io.scrape: false
```
Besides faas-cli, functions can also be created, built and deployed through the OpenFaaS UI:
Invoking the function
```bash
$ faas-cli invoke go-fn
Reading from STDIN - hit (Control + D) to stop.
Hello World
Body: Hello World

# Equivalent to
$ echo Hello World | faas-cli invoke go-fn
$ faas-cli invoke go-fn --from-literal="Hello World"
$ faas-cli invoke go-fn --from-file=~/Downloads/derek.pem
```
Invoking from the UI looks like this:
In addition, depending on the route used to call the function, an invocation is either synchronous or asynchronous:
```bash
# Synchronous invocation: the function route
$ curl -i -d "Hello World" http://127.0.0.1:8080/function/go-fn
Handling connection for 8080
HTTP/1.1 200 OK
Content-Length: 17
Content-Type: text/plain; charset=utf-8
Date: Fri, 09 Jun 2023 03:43:13 GMT
X-Call-Id: 98630f05-1b39-4fc5-bb89-7c2c66c1cf7f
X-Duration-Seconds: 0.002147
X-Start-Time: 1686282193791968394

Body: Hello World

# Asynchronous invocation: the async-function route
$ curl -i -d "Hello World" http://127.0.0.1:8080/async-function/go-fn
Handling connection for 8080
HTTP/1.1 202 Accepted
X-Call-Id: fea5f39d-e7ad-4454-8283-1a213710f3a7
X-Start-Time: 1686282228379248896
Date: Fri, 09 Jun 2023 03:43:48 GMT
Content-Length: 0
```
Autoscaling
Simulate a flood of requests and observe the automatic scale-up of the OpenFaaS function application.
```bash
$ while true; do echo Hello World | faas-cli invoke go-fn; done
```
As the number of invocations grows, the replica count gradually increases.
```bash
$ kubectl get deploy -n openfaas-fn go-fn -w
NAME    READY   UP-TO-DATE   AVAILABLE   AGE
go-fn   1/1     1            1           7m57s
go-fn   1/2     2            1           8m35s
go-fn   2/2     2            2           8m38s
go-fn   2/3     3            2           9m15s
go-fn   3/3     3            3           9m18s
go-fn   3/4     3            3           9m55s
go-fn   4/4     4            4           9m59s
go-fn   4/5     4            4           10m
go-fn   5/5     5            5           10m
```
When the simulated requests stop, the replica count gradually decreases.
```bash
$ kubectl get deploy -n openfaas-fn go-fn -w
NAME    READY   UP-TO-DATE   AVAILABLE   AGE
go-fn   5/5     5            5           11m
go-fn   5/1     5            5           11m
go-fn   1/1     1            1           11m
```
Scaling limits and similar settings can also be set at deploy time with --label.
```bash
$ faas-cli deploy -f go-fn.yml --label com.openfaas.scale.max=2

$ faas-cli describe go-fn
Name:                go-fn
Status:              Ready
Replicas:            2
Available Replicas:  2
Invocations:         21517
Image:               harbor.archeros.cn/dev/ake/openfaas-fn:dev
Function Process:    ./handler
URL:                 http://127.0.0.1:8080/function/go-fn
Async URL:           http://127.0.0.1:8080/async-function/go-fn
Labels:
  com.openfaas.scale.max: 2
  faas_function: go-fn
Annotations:
  prometheus.io.scrape: false
```
Function logs
For Kubernetes, the log provider is the faas-netes component, which fetches logs in a way equivalent to kubectl logs -n openfaas-fn deploy/function.
```bash
$ faas-cli logs go-fn
2023-06-07T16:15:23+08:00 2023/06/07 08:15:23 POST / - 200 OK - ContentLength: 18B (0.0008s)
2023-06-07T16:15:23+08:00 2023/06/07 08:15:23 POST / - 200 OK - ContentLength: 18B (0.0005s)
2023-06-07T16:15:24+08:00 2023/06/07 08:15:24 POST / - 200 OK - ContentLength: 18B (0.0015s)
2023-06-07T16:15:24+08:00 2023/06/07 08:15:24 POST / - 200 OK - ContentLength: 18B (0.0007s)
2023-06-07T16:15:24+08:00 2023/06/07 08:15:24 POST / - 200 OK - ContentLength: 18B (0.0017s)
```
Removing the function
```bash
$ faas-cli remove go-fn
Deleting: go-fn.
Handling connection for 8080
Removing old function.
```
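Secret management
The API is wrapped a second time to make it easier to manage the Secrets that functions use.
By default the Secrets operated on are in the openfaas-fn namespace, which can be changed with --namespace; the default OpenFaaS instance operated on is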
create
```bash
$ faas-cli secret create my-secret
Reading from STDIN - hit (Control + D) to stop.
my-password
Creating secret: my-secret.
Handling connection for 8080
Created: 202 Accepted

# Equivalent to
$ echo my-password | faas-cli secret create my-secret
$ faas-cli secret create my-secret --from-literal="my-password"
$ faas-cli secret create my-secret --from-file=~/Downloads/derek.pem
```
```yaml
apiVersion: v1
data:
  my-secret: bXktcGFzc3dvcmQ=
kind: Secret
metadata:
  creationTimestamp: "2023-06-07T06:19:14Z"
  labels:
    app.kubernetes.io/managed-by: openfaas
  name: my-secret
  namespace: openfaas-fn
  resourceVersion: "11584461"
  uid: dd0803f2-76d8-453a-a770-ec2633cd6b22
type: Opaque
```
update
```bash
$ faas-cli secret update my-secret
Reading from STDIN - hit (Control + D) to stop.
my-new-pasword
Updating secret: my-secret
Handling connection for 8080
Updated: 202 Accepted

# Equivalent to
$ echo my-new-secret | faas-cli secret update my-secret
$ faas-cli secret update my-secret --from-literal="my-password"
$ faas-cli secret update my-secret --from-file=~/Downloads/derek.pem
```
list
```bash
$ faas-cli secret list
Handling connection for 8080

NAME
my-secret
```
delete
```bash
$ faas-cli secret remove my-secret
faas-cli secret remove my-secret
Handling connection for 8080
Removed.. OK.
```
OpenFaaS Pro
based on 0.26.3
OpenFaaS Pro is the commercially licensed distribution of OpenFaaS, with additional features, configuration and commercial support.
Installing faas-cli pro
faas-cli supports OpenFaaS Pro through a plugin:
```bash
$ faas-cli plugin get pro
Fetching plugin: pro
Downloaded in (4s)

Usage:
  faas-cli pro
```
The OpenFaaS Pro purchase is verified against a GitHub account:
```bash
$ faas-cli pro enable
Please visit: https://github.com/login/device and enter the code:
168C-29B2
Waiting for authorization...
Waiting for authorization...
Waiting for authorization...
Waiting for authorization...
GET https://api.github.com/user/memberships/orgs: 401 Bad credentials []
```
Comparison
Support

| Description | OpenFaaS CE | OpenFaaS Pro | OpenFaaS for Enterprise |
| --- | --- | --- | --- |
| Suitability | Open Source developers and initial exploration | Production, business critical, or PoC | Regulated companies which may have additional legal and compliance requirements |
| SLA | N/a | N/a | Response within 1 business day for P1 |
| Buying process | N/a | Invoice paid by bank transfer | Supplier portals, custom paperwork, negotiation with procurement. |
| Legal review of contract | N/a | N/a | Yes |
| Signing of Mutual NDA | N/a | N/a | Subject to agreement |
| Additional compliance needs | N/a | N/a | Subject to agreement |
| Support via email | N/a | Pro features only | All certified Open Source and commercial components |
| Support via GitHub | N/a | Pro features only using the Customer Community | N/a |
| Support via Slack | N/a | N/a | Up to 5 developers |
| License | MIT | Commercial license EULA | As per Pro |
| Architecture review | N/a | N/a | With our team via Zoom |
| Onboarding call | N/a | N/a | With our team via Zoom |
| Customer Community | N/a | Private access to Customer Community - one user per licensed cluster | Custom amount of users |
Autoscaling

| Description | OpenFaaS CE | OpenFaaS Pro | OpenFaaS for Enterprise |
| --- | --- | --- | --- |
| Scale to Zero | Not supported | Global default, or custom time per function | As per Pro |
| Maximum replicas per function | 5 Pods | No limit applied | As per Pro |
| Scale to From | Not supported | Supported, with additional checks for Istio | As per Pro |
| Autoscaling strategy | RPS-only | CPU utilization, Capacity (inflight requests) or RPS | As per Pro |
| Autoscaling granularity | Single rule for all functions | Configurable per function | As per Pro |

Core Features

| Description | OpenFaaS CE | OpenFaaS Pro | OpenFaaS for Enterprise |
| --- | --- | --- | --- |
| UI Dashboard | Legacy UI (in code-freeze) | New UI dashboard with metrics, logs & CI integration | As per Pro, but with support for multiple namespaces |
| Consume secrets in faas-cli build for npm, Go and Pypy | Not available | Via build-time secrets | As Per Pro |
| Kubernetes service accounts for functions | N/a | Supported per function | As per Pro |
| Async / queueing | In-memory only, max 10 items in queue, 256KB message size | JetStream with shared queue | JetStream with dedicated queues |
| Metrics | Basic function metrics | Function, HTTP, CPU/RAM usage, and async/queue metrics | As per Pro |
| CPU & RAM utilization | Not available | Integrated with Prometheus metrics, OpenFaaS REST API & CLI | As per Pro |
| Grafana Dashboards | N/a | 4x dashboards supplied in Customer Community - overview, spotlight for debugging a function, queue-worker and Function Builder API | As per Pro |
| GitOps & CRD support | Not available | ArgoCD, FluxCD and Helm compatibility using the Function CRD | As per Pro |
| Deployment options | faas-cli or REST API | As per CE, plus: Function CRD with kubectl, Helm or GitOps | As per Pro |
| Custom Resource Definition | Not available | Function and Profile | |

Event Connectors

| Description | OpenFaaS CE | OpenFaaS Pro | OpenFaaS for Enterprise |
| --- | --- | --- | --- |
| Number of topics per function | One topic per function | Multiple topics per function | As per Pro |
| Kafka event trigger | Not supported | Supports SASL or TLS auth, Aiven, Confluent and self-hosted | Support with SLA |
| Postgres trigger | Not supported | Supports insert, update and delete, with table-level filters using WAL or LISTEN/NOTIFY. | Support with SLA |
| AWS SQS trigger | Not supported | Standard support | Support with SLA |
| Cron and scheduled invocations | Community support | Standard support | Support with SLA |

Durability and Reliability

| Description | OpenFaaS CE | OpenFaaS Pro | OpenFaaS for Enterprise |
| --- | --- | --- | --- |
| Readiness probes | Not supported | Readiness probes supported with custom HTTP path and intervals per function | As per Pro |
| Retries for failed function invocations | Not supported | Retry invocations for configured HTTP codes with an exponential back-off | As per Pro |
| Highly Available messaging | Not available, in-memory only | Available for NATS JetStream, with 3x servers. | As per Pro |
| Long executions of async functions | Limited to 5 minutes | Configurable duration | As per Pro |
| Callback to custom URL for async functions | Supported | As per CE | As per CE |

Security

| Description | OpenFaaS CE | OpenFaaS Pro | OpenFaaS for Enterprise |
| --- | --- | --- | --- |
| Authentication for OpenFaaS API, CLI and UI | Shared admin password between everyone who uses OpenFaaS | N/a | Single Sign-On with OIDC |
| Compatibility with Istio for mTLS | N/a | Supported | As per Pro |
| PCI/GDPR compliance | Sensitive information such as the request body/response body, headers may be printed into the logs for each asynchronous invocation | Sensitive information is not printed to the logs for asynchronous requests | As per Pro |
| Secure isolation with Kata containers or gVisor | N/a | N/a | Supported using an OpenFaaS Pro Profile and runtimeClass |
| Service links injected as environment variables | Yes, cannot be disabled | Disabled as a default | As per Pro |
| Pod privilege escalation | Default for Kubernetes | Explicitly disabled | As per Pro |
| Split installation without ClusterAdmin role | N/a | Provided in Customer Community | As per Pro |

| Description | OpenFaaS CE | OpenFaaS Pro | OpenFaaS for Enterprise |
| --- | --- | --- | --- |
| Deploy functions via REST API | Yes | As per CE | As per CE |
| Build containers and functions via REST API | N/a | N/a | Yes via Function Builder API |
| Multiple namespace support | No support | N/a | Supported with Kubernetes namespaces |

faasd
based on 0.16.9
faasd is a reimagining of OpenFaaS without the cost and complexity of Kubernetes. It is essentially a single Golang binary that runs on a single host with very modest requirements, which makes it fast and easy to manage. Under the hood it uses Containerd and CNI together with the same core OpenFaaS components from the main project, so at the usage level the OpenFaaS CE operations apply throughout.
Installation
```bash
$ wget https://github.com/openfaas/faasd/releases/download/0.16.9/faasd
$ chmod +x faasd && mv faasd /usr/local/bin
```
```bash
# basic-auth-user and secrets/basic-auth-password are the username and password for gateway authentication
$ faasd install
2023/06/08 17:53:15 Writing to: "/var/lib/faasd/secrets/basic-auth-password"
2023/06/08 17:53:15 Writing to: "/var/lib/faasd/secrets/basic-auth-user"
Check status with:
  sudo journalctl -u faasd --lines 100 -f

Login with:
  sudo cat /var/lib/faasd/secrets/basic-auth-password | faas-cli login -s
```
```bash
$ systemctl status faasd
● faasd.service - faasd
   Loaded: loaded (/usr/lib/systemd/system/faasd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2023-06-08 17:53:17 CST; 4min 26s ago
 Main PID: 43031 (faasd)
    Tasks: 11
   Memory: 30.9M (limit: 500.0M)
   CGroup: /system.slice/faasd.service
           └─43031 /usr/local/bin/faasd up

Jun 08 17:54:34 wnx faasd[43031]: 2023/06/08 17:54:34 Looking up IP for: "prometheus"
Jun 08 17:54:34 wnx faasd[43031]: 2023/06/08 17:54:34 Resolver: "localhost"="127.0.0.1"
Jun 08 17:54:34 wnx faasd[43031]: 2023/06/08 17:54:34 Resolver: "faasd-provider"="10.62.0.1"
Jun 08 17:54:34 wnx faasd[43031]: 2023/06/08 17:54:34 Resolver: "nats"="10.62.0.2"
Jun 08 17:54:34 wnx faasd[43031]: 2023/06/08 17:54:34 Resolver: "prometheus"="10.62.0.3"
Jun 08 17:54:34 wnx faasd[43031]: 2023/06/08 17:54:34 Resolver: "gateway"="10.62.0.4"
Jun 08 17:54:34 wnx faasd[43031]: 2023/06/08 17:54:34 Resolver: "queue-worker"="10.62.0.5"
Jun 08 17:54:34 wnx faasd[43031]: 2023/06/08 17:54:34 Proxy from: 127.0.0.1:9090, to: prometheus:9090 (10.62.0.3)
Jun 08 17:54:34 wnx faasd[43031]: 2023/06/08 17:54:34 faasd: waiting for SIGTERM or SIGINT
Jun 08 17:54:34 wnx faasd[43031]: 2023/06/08 17:54:34 Proxy from: 0.0.0.0:8080, to: gateway:8080 (10.62.0.4)
```
The service status shows that 10.62.0.1 to 10.62.0.5 are the addresses on which the core OpenFaaS services listen; these services live in Containerd's openfaas namespace:
```bash
$ ctr -n openfaas c ls
CONTAINER       IMAGE                                       RUNTIME
gateway         ghcr.io/openfaas/gateway:0.26.3             io.containerd.runc.v2
nats            docker.io/library/nats-streaming:0.25.3     io.containerd.runc.v2
prometheus      docker.io/prom/prometheus:v2.42.0           io.containerd.runc.v2
queue-worker    ghcr.io/openfaas/queue-worker:0.13.3        io.containerd.runc.v2
```
Gateway authentication
The external gateway is http://178.104.162.69:8080/ui, and the credentials are stored in /var/lib/faasd/secrets/basic-auth-user and /var/lib/faasd/secrets/basic-auth-password.
```bash
$ cat /var/lib/faasd/secrets/basic-auth-password | faas-cli login -s
Calling the OpenFaaS server to validate the credentials...
credentials saved for admin http://127.0.0.1:8080
```
The template store, usage and all other operations are identical to OpenFaaS CE. The OpenFaaS function containers are hosted in Containerd's openfaas-fn namespace:
```bash
$ ctr -n openfaas-fn c ls
CONTAINER    IMAGE                                         RUNTIME
go-fn        harbor.archeros.cn/dev/ake/openfaas-fn:dev    io.containerd.runc.v2
```