Get TLS for OpenFaaS the easy way with arkade

TLS certificates are offered for free by Let's Encrypt, and cert-manager, a popular tool from Jetstack, makes their management and renewal automatic. The tooling changes often, and even experienced Kubernetes users find the process confusing.

Last Updated: September 2020 - to include ingress-nginx rename, and inlets-operator to run these instructions at home or on-premises.

For that reason there is documentation on the OpenFaaS website for how to configure a TLS certificate for your OpenFaaS Gateway. Once in place, traffic between your users and your Kubernetes cluster is encrypted.

Today I'll show you how to bootstrap everything from scratch on a managed Kubernetes service using the OSS arkade tool.

Provision your Kubernetes cluster

You can provision a cluster wherever you want, whether that be Google Kubernetes Engine, DigitalOcean Kubernetes, AWS EKS or somewhere else.

I suggest you create a cluster with DigitalOcean since it's fast, cheap, and a fully managed cluster. Once you have everything working, move on to your preferred choice for your company or team.


  • Set up a cluster in your preferred region with around 2-4GB RAM total and at least 2x vCPUs.
  • Download your KUBECONFIG file and run export KUBECONFIG=~/Downloads/kube.config (replace the path with the actual name)

Get arkade

arkade can be used to install apps to Kubernetes clusters. It installs an app by using its helm chart to generate YAML manifest files and then applying them. This process bypasses tiller completely, something which will be deprecated in helm 3.

Install arkade, which is a Kubernetes app installer.

curl -sLS https://dl.get-arkade.dev | sh
sudo install arkade /usr/local/bin/

arkade --help

Install nginx IngressController

We need an IngressController to use with cert-manager, so let's install ingress-nginx.

arkade install ingress-nginx

Install cert-manager

arkade install cert-manager

This command installs JetStack's cert-manager using the helm chart, but without tiller.

Install openfaas

arkade install openfaas

This command installs OpenFaaS using the helm chart, but without tiller. Follow the output given by arkade to check that the installation worked correctly.

Are you on public cloud?

If you're running in your homelab, on-premises or with a Raspberry Pi cluster, then it's likely that you don't have a Public IP.

Before creating an IP forwarding rule on your router, remember that you are exposing your location and ISP information to the world. There's a better way.

Get a public IP for ingress-nginx through inlets PRO and the inlets-operator:

arkade install inlets-operator \
 --helm3 \
 --provider digitalocean \
 --region lon1 \
 --token-file ~/Downloads/digitalocean-api-key \
 --license-file ~/Downloads/inlets-pro-license.txt

The inlets-operator will create a public IP for you, and you can continue as if you were running on Public Cloud.

Get a free trial or purchase inlets PRO here

Configure your Ingress

Let's say that you have a domain called example.com. If you don't have a domain yet, just buy one from Google Domains or from Namecheap.com. They start at under 2 USD, so there is no reason not to.

We'll use a sub-domain of openfaas so the full address would be: openfaas.example.com.

export TOP_DOMAIN=example.com
export DOMAIN=openfaas.$TOP_DOMAIN

export EMAIL=webmaster@$DOMAIN
arkade install openfaas-ingress \
 --domain $DOMAIN \
 --email $EMAIL

This creates an Issuer with your email address and an Ingress record, which cert-manager will use to create your TLS certificate automatically.

Update your DNS record

In order for the certificate to be issued, the domain name you used in the previous step (i.e. echo $DOMAIN) needs to point at the new LoadBalancer created for Nginx.

Now find the IP with kubectl get svc - you'll see Nginx has an EXTERNAL-IP.

  • For EKS, create a DNS CNAME record for the DNS entry given
  • For all other clusters, create a DNS A record with the IP given

If you have the DigitalOcean CLI (doctl) installed, then you can run:

export IP="" # populate from above
doctl compute domain create $DOMAIN --ip-address $IP

Wait a little

You now need to wait for your DNS entry to propagate and for cert-manager to obtain a certificate.

Check how things are going with:

kubectl logs deploy/cert-manager -n cert-manager -f
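
While you wait, you can also confirm from the outside which certificate is actually being served. The script below is an added example, not part of the original post: it checks that the domain resolves to the IP you put in $IP, and tells the self-signed placeholder that ingress-nginx serves before issuance apart from a Let's Encrypt certificate. The function names are illustrative, it assumes dig and openssl are installed, and the IP comparison applies to the A record case rather than the EKS CNAME.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are illustrative.

# classify_cert: read `openssl x509 -noout -issuer -subject` text on stdin and
# print which kind of certificate it describes.
classify_cert() {
  text=$(cat)
  case "$text" in
    # Self-signed default that ingress-nginx serves until a real cert exists
    *"Kubernetes Ingress Controller Fake Certificate"*) echo placeholder ;;
    # Let's Encrypt staging issuers (older and newer naming); not browser-trusted
    *"(STAGING)"*|*"Fake LE "*) echo staging ;;
    *"Let's Encrypt"*) echo letsencrypt ;;
    *) echo other ;;
  esac
}

# resolves_to IP: succeed only if IP is one of the addresses given on stdin,
# one per line (for example the output of `dig +short A "$DOMAIN"`).
resolves_to() {
  grep -qxF "$1"
}

# check_tls DOMAIN IP: live check against the cluster (A record case only).
check_tls() {
  if ! dig +short A "$1" | resolves_to "$2"; then
    echo "DNS: $1 does not resolve to $2 yet"
    return 1
  fi
  # -servername sends SNI so the ingress selects the certificate for this host
  info=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -issuer -subject -enddate) || return 1
  kind=$(printf '%s\n' "$info" | classify_cert)
  printf '%s\ncertificate kind: %s\n' "$info" "$kind"
  # Only a production Let's Encrypt certificate counts as success
  [ "$kind" = letsencrypt ]
}

# Run the live check only when called with both arguments: DOMAIN IP
if [ "$#" -eq 2 ]; then
  check_tls "$1" "$2"
fi
```

Run it as sh check-tls.sh "$DOMAIN" "$IP" (the file name is arbitrary); a non-zero exit means DNS or the certificate is not ready yet.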

Log-in to OpenFaaS with TLS

export OPENFAAS_URL=https://$DOMAIN

PASSWORD=$(kubectl get secret -n openfaas basic-auth -o jsonpath="{.data.basic-auth-password}" | base64 --decode; echo)

echo "$PASSWORD" | faas-cli login -s

faas-cli store deploy nodeinfo
faas-cli list -v

echo | faas-cli invoke nodeinfo

You can also open the OpenFaaS UI over an encrypted connection:

echo Open a browser at https://$DOMAIN


Wrapping up

When I proposed that arkade should configure TLS for OpenFaaS in a single command, it was because I wanted to make the whole process less painful and repetitive, and to guard users from the many breaking changes we've seen in cert-manager over the course of the last 12 months.

I think I achieved that aim, but make up your own mind. Compare the following with the single line we typed in above:

Interest in OpenFaaS and arkade is growing rapidly, so for me it's even more important that users have easy access to TLS certificates to encrypt their traffic.

If you'd like to see new "apps" (helm charts) supported in arkade, then let me know on the GitHub repository https://get-arkade.dev and add your ⭐️ to show support.

Keep on learning:

Connect with the community on Slack

Alex Ellis
