OpenFaaS Cloud is a complete and portable platform which can be deployed to Kubernetes. It offers built-in CI/CD (GitOps), auto-scaling compute, and free TLS. OpenFaaS Cloud can be installed to any local or remote, managed Kubernetes cluster.
A production-ready installation on Amazon's managed Kubernetes service (EKS) may take a first-timer several hours to configure properly, especially if they get something wrong.
I wrote this guide to reduce the learning curve and "mean-time-to-dopamine", so you don't need to feel like you're in deep waters or re-creating expensive cloud infrastructure.
This guide is for development and shows how you can deploy OpenFaaS Cloud for in a relatively short period of time by turning off OAuth and TLS. The OpenFaaS deployment still retains authentication by default and you don't have to worry about being rate-limited by LetsEncrypt if you get things wrong.
You'll need Docker if you don't have it already and a Docker Hub account. Once that's ready, you'll setup Kubernetes using k3d (it takes 1-2 mins), install the inlets-operator to provide a public IP, setup the GitHub app, create an
init.yaml file and finally run the tool.
Pictured: ofc-bootstrap bundles a number of tools to deploy OpenFaaS Cloud with a known-configuration.
Get Docker locally
You should use a Mac, a Linux machine or a Windows computer with Git bash. Although OpenFaaS supports Raspberry Pi, OpenFaaS Cloud does not at this time.
Install Docker for Mac/Windows or Linux.
k3d runs Kubernetes with k3s within a tiny Docker container, which makes it portable and fast. If you've not tried it, then I think that you really should.
curl -s https://raw.githubusercontent.com/rancher/k3d/master/install.sh | bash
Create a cluster
k3d create --version v1.0.0 --server-arg "--no-deploy=traefik"
k3s ships with Traefik, but ofc-bootstrap installs Nginx, therefore we disable traefik with a flag. The
--version arg pins the k3s version to Kubernetes 1.15.4.
Change the context
export KUBECONFIG="$(k3d get-kubeconfig --name='k3s-default')"
Remember this command, if you forget it, you may run commands against a different cluster. You need to run it in every new terminal window.
Install the inlets-operator
The inlets-operator will give you a public IP so that GitHub can contact your cluster for CI/CD. GitHub will send an event when repositories are added/removed and when there is a push event for a repo.
Create an API key on your DigitalOcean account
Save it as
Install the operator
# k3sup can install the operator curl -sSLf https://get.k3sup.dev | sudo sh k3sup app install inlets-operator \ --token-file=$HOME/Downloads/do-access-token
Register your domain name
You will need a domain name to setup OFC, even for development. You cannot edit your
/etc/hosts file since GitHub needs to send you webhooks.
If you registered
example.com, then we'll use a sub-domain for convenience.
Later when you have a public IP from this tutorial, you'll create these DNS entries:
If you cannot create a wildcard domain for the second entry, then create a domain for each user or GitHub org that you will deploy from. i.e. if your name is
alexellis then create
You don't have to include the sub-domain of
.k3d., but I've done so for convenience and to separate this from any production clusters I may run on the same domain.
Prepare to run the ofc-bootstrap tool
Clone the repo
git clone https://github.com/openfaas-incubator/ofc-bootstrap cd ofc-bootstrap cp example.init.yaml init.yaml
Now install the binary:
curl -sLfS https://raw.githubusercontent.com/openfaas-incubator/ofc-bootstrap/master/get.sh | sudo sh
Setup your GitHub App
You have two options here, you can follow the manual steps, or you can use my new GitHub App generator which automates everything.
Whichever approach you take, replace
http://wherever you see it.
Follow these instructions and ignore the steps for the OAuth app which are not using today.
Enter a webhook secret on GitHub on the screen and update
init.yamlwith the value in the
github-webhook-secretsecret. If you used the generator, then it will tell you what value to save for
github-webhook-secretin the final step.
Example of what you get when using the GitHub App generator:
- Set your domain in the
- Set the GitHub App ID in the
- Set the path to your GitHub private key
- Set the value for your
registry, use your Docker Hub account
- Check your
~/.docker/config.jsonfile and make sure that it's base64-encoded, it will not work if your password is stored in the keychain. If in doubt, see the extended instructions in the README
Deploy OpenFaaS cloud
Run the tool in the folder you cloned:
# Make helm available in the $PATH export $PATH=$PATH:$HOME/.k3sup/bin/ ofc-bootstrap -yaml init.yaml
When I ran this at home it took < 100 seconds and was up and running. If you're connected to hotel WiFi or low-speed broadband then it could take longer.
Find your public IP
kubectl get svc
Find the public IP for Nginx and create your DNS records:
You can use two static entries:
Or use a wildcard:
Deploy a function
Go to the settings for your GitHub App and click "Install App", install it onto a repo and trigger the build with a commit.
The function will appear on:
You can now follow the User guide for OpenFaaS Cloud where you will deploy a function using Node.js.
Did anything go wrong?
The first port of call should be to try the steps in the Troubleshooting guide
k3d is very light-weight and you don't have to tear it down at all, you can keep everything running or run
k3d stop. The tunnel will retain its public IP address and everything will reconnect next time you re-start k3d or Docker.
Here's OpenFaaS Cloud which I installed using k3d earlier at home, reconnecting at a coffee shop through public WiFi.
inlets-operator brings a Service LoadBalancer with public IP to any Kubernetes cluster i.e. minikube/k3d/KinD/kubeadm— Alex Ellis (@alexellisuk) October 18, 2019
I set up @openfaascloud on my laptop at home, when I got to a coffee shop it reconnected with the same public IP from @digitalocean😱https://t.co/PanfWfMRlT pic.twitter.com/hHCeMRW7z2
If you really do want to tear things down, then just run the following:
kubectl delete svc --all k3d delete
The first command ensures that the inlets-operator removes the VM created for your public IP. The second deletes the k3d cluster.
Since we turned off TLS and OAuth, the time to get OpenFaaS Cloud running in this way should be just a few minutes. Adding TLS and OAuth can take additional time due to the learning curve about how certificates and DNS works. OAuth can add additional time to setting up due to configuration in GitHub.
This configuration is suitable for testing and development. The inlets-operatorinlets-operator gave us a tunnel so that we could expose the site to other users and to GitHub in order to receive webhooks.
If you want to go to production with TLS and OAuth checkout one of these tutorials: