OpenFaaS Cloud for Development

OpenFaaS Cloud is a complete and portable platform which can be deployed to Kubernetes. It offers built-in CI/CD (GitOps), auto-scaling compute, and free TLS. OpenFaaS Cloud can be installed to any local or remote, managed Kubernetes cluster.

A production-ready installation on Amazon's managed Kubernetes service (EKS) may take a first-timer several hours to configure properly, especially if they get something wrong.

I wrote this guide to reduce the learning curve and "mean-time-to-dopamine", so you don't need to feel like you're in deep waters or re-creating expensive cloud infrastructure.

This guide is for development and shows how you can deploy OpenFaaS Cloud in a relatively short period of time by turning off OAuth and TLS. The OpenFaaS deployment still retains authentication by default and you don't have to worry about being rate-limited by LetsEncrypt if you get things wrong.


You'll need Docker if you don't have it already and a Docker Hub account. Once that's ready, you'll set up Kubernetes using k3d (it takes 1-2 mins), install the inlets-operator to provide a public IP, set up the GitHub app, create an init.yaml file and finally run the tool.

Conceptual diagram for ofc-bootstrap

Pictured: ofc-bootstrap bundles a number of tools to deploy OpenFaaS Cloud with a known-configuration.

Get Docker locally

You should use a Mac, a Linux machine or a Windows computer with Git bash. Although OpenFaaS supports Raspberry Pi, OpenFaaS Cloud does not at this time.

  • Install Docker for Mac/Windows or Linux.

  • Install k3d

    k3d runs Kubernetes with k3s within a tiny Docker container, which makes it portable and fast. If you've not tried it, then I think that you really should.

    curl -s | bash
  • Create a cluster

    k3d create --version v1.0.0 --server-arg "--no-deploy=traefik"

k3s ships with Traefik, but ofc-bootstrap installs Nginx, therefore we disable traefik with a flag. The --version arg pins the k3s version to Kubernetes 1.15.4.

  • Change the context

    export KUBECONFIG="$(k3d get-kubeconfig --name='k3s-default')"

Remember this command: if you forget it, you may run commands against a different cluster. You need to run it in every new terminal window.

Install the inlets-operator

The inlets-operator will give you a public IP so that GitHub can contact your cluster for CI/CD. GitHub will send an event when repositories are added/removed and when there is a push event for a repo.

The Operator obtains a public IP for you by creating a low-cost VM on DigitalOcean, is also supported. The VM costs 5 USD / mo.

  • Create an API key on your DigitalOcean account

    Save it as ~/Downloads/do-access-token

  • Install the operator

    # k3sup can install the operator
    curl -sSLf | sudo sh
    k3sup app install inlets-operator \

Register your domain name

You will need a domain name to set up OFC, even for development. You cannot edit your /etc/hosts file since GitHub needs to send you webhooks.

Get a domain from for 1-2USD or from Google Domains

If you registered, then we'll use a sub-domain for convenience.

Later when you have a public IP from this tutorial, you'll create these DNS entries:

  • *

If you cannot create a wildcard domain for the second entry, then create a domain for each user or GitHub org that you will deploy from. i.e. if your name is alexellis then create

You don't have to include the sub-domain of .k3d., but I've done so for convenience and to separate this from any production clusters I may run on the same domain.

Prepare to run the ofc-bootstrap tool

  • Clone the repo

    git clone
    cd ofc-bootstrap
    cp example.init.yaml init.yaml
  • Now install the binary:

    curl -sLfS | sudo sh
  • Set up your GitHub App

    You have two options here: you can follow the manual steps, or you can use my new GitHub App generator which automates everything.

    Whichever approach you take, replace https:// with http:// wherever you see it.

    Follow these instructions and ignore the steps for the OAuth app, which we are not using today.

    Enter a webhook secret on GitHub on the screen and update init.yaml with the value in the github-webhook-secret secret. If you used the generator, then it will tell you what value to save for github-webhook-secret in the final step.

Example of what you get when using the GitHub App generator:


Edit init.yaml

  • Set your domain in the root_domain field i.e.
  • Set the GitHub App ID in the app_id field
  • Set the path to your GitHub private key
  • Set the value for your registry, use your Docker Hub account
  • Check your ~/.docker/config.json file and make sure that your credentials are stored in it base64-encoded; it will not work if your password is stored in the keychain. If in doubt, see the extended instructions in the README
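
A pre-flight check for the last step above, as an added example that is not part of the original post or of ofc-bootstrap. It assumes the tool needs an inline `auth` value under the Docker Hub key that `docker login` writes; the function name and both sample documents are constructed for illustration.

```python
import base64
import binascii
import json

# Key that `docker login` uses for Docker Hub entries in config.json
DOCKER_HUB = "https://index.docker.io/v1/"

def check_docker_config(text, registry=DOCKER_HUB):
    """Return a list of problems; an empty list means inline credentials were found."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"config.json is not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["config.json is not a JSON object"]
    problems = []
    # A credential store or helper means the password lives outside the file.
    if cfg.get("credsStore"):
        problems.append(f"credsStore={cfg['credsStore']!r}: password is held in an external store")
    if registry in cfg.get("credHelpers", {}):
        problems.append(f"credHelpers delegates {registry} to an external helper")
    auth = cfg.get("auths", {}).get(registry, {}).get("auth", "")
    if not auth:
        problems.append(f"no inline 'auth' value for {registry}")
        return problems
    try:
        decoded = base64.b64decode(auth, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return problems + ["'auth' is not valid base64"]
    # The decoded value must look like user:password; the secret is never printed.
    user, sep, password = decoded.partition(":")
    if not (user and sep and password):
        problems.append("'auth' does not decode to user:password")
    return problems

# Constructed sample: what a keychain-backed login typically leaves behind
KEYCHAIN = '{"auths": {"https://index.docker.io/v1/": {}}, "credsStore": "osxkeychain"}'
# Constructed sample: inline credentials (placeholder user and password)
INLINE = json.dumps({"auths": {DOCKER_HUB: {
    "auth": base64.b64encode(b"exampleuser:not-a-real-password").decode()}}})

if __name__ == "__main__":
    for name, sample in (("keychain", KEYCHAIN), ("inline", INLINE)):
        print(name, check_docker_config(sample) or "ok")
```

To check your own file, pass the contents of ~/.docker/config.json to `check_docker_config`. Base64 is an encoding rather than encryption, so a file that passes this check holds a recoverable password and should stay readable only by your user.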

Deploy OpenFaaS cloud

Run the tool in the folder you cloned:

# Make helm available in the $PATH
export PATH=$PATH:$HOME/.k3sup/bin/

ofc-bootstrap -yaml init.yaml

When I ran this at home it took < 100 seconds and was up and running. If you're connected to hotel WiFi or low-speed broadband then it could take longer.

Find your public IP

kubectl get svc

Find the public IP for Nginx and create your DNS records:

You can use two static entries:


Or use a wildcard:

  • *

Deploy a function

Go to the settings for your GitHub App and click "Install App", install it onto a repo and trigger the build with a commit.

The function will appear on:

You can now follow the User guide for OpenFaaS Cloud where you will deploy a function using Node.js.

Did anything go wrong?

The first port of call should be to try the steps in the Troubleshooting guide


k3d is very light-weight and you don't have to tear it down at all, you can keep everything running or run k3d stop. The tunnel will retain its public IP address and everything will reconnect next time you re-start k3d or Docker.

Here's OpenFaaS Cloud which I installed using k3d earlier at home, reconnecting at a coffee shop through public WiFi.

If you really do want to tear things down, then just run the following:

kubectl delete svc --all
k3d delete

The first command ensures that the inlets-operator removes the VM created for your public IP. The second deletes the k3d cluster.

Wrapping up

Since we turned off TLS and OAuth, the time to get OpenFaaS Cloud running in this way should be just a few minutes. Adding TLS and OAuth can take additional time due to the learning curve about how certificates and DNS work. OAuth can also add time to the setup due to configuration in GitHub.

This configuration is suitable for testing and development. The inlets-operator gave us a tunnel so that we could expose the site to other users and to GitHub in order to receive webhooks.

You can get help with OpenFaaS Cloud from OpenFaaS Ltd or via OpenFaaS Community Slack

If you want to go to production with TLS and OAuth, check out one of these tutorials:

Alex Ellis
