Deploying OpenFaaS on Kubernetes — Azure AKS (OpenFaaS on AKS 1/2)

Check out Part 2 of this post, which is about how to enable SSL ingress: https://medium.com/@ericstoekl/openfaas-on-azure-aks-with-ssl-ingress-openfaas-on-aks-part-2-2-e9f2db9db387

Today we’ll be deploying OpenFaaS on Azure AKS. Microsoft has created a managed Kubernetes service on the Azure cloud platform called AKS, which allows you to easily deploy publicly available Kubernetes clusters without worrying about (or even paying for) master nodes. This post will give step-by-step instructions for deploying OpenFaaS on AKS, giving you a resilient OpenFaaS deployment, and showing you the best practices along the way.

If you are interested in deploying OpenFaaS on AWS, check out my blog post here: https://medium.com/@ericstoekl/deploying-openfaas-on-kubernetes-aws-259ec9515e3c

The high level overview is:

  1. Create a Resource Group, Service Principal, and AKS Cluster
  2. Get command line access to your cluster
  3. Initialize Helm on your cluster
  4. Deploy OpenFaaS with Helm
  5. (Optional) Secure ingress to OpenFaaS with username/password

Let’s get started.

1. Provision resources on Azure

First we’ll need to go to the Azure Web Portal to create the first resource we need — a Resource Group. Click the Plus Sign on the top left of the web portal once you are logged in, and create a new Resource Group.

Note — I will be using East US for this demonstration. According to Microsoft, West Europe and Central US are also available.

Next you can run the following command to create the AKS cluster directly from the Azure Cloud Shell. Open the shell up in the Web Portal, and use the following command to create your cluster

az aks create -g <YOUR_RG> -n <NEW_AKS_CLUSTER_NAME> --generate-ssh-keys --node-vm-size Standard_A2_v2 --node-count 1 --kubernetes-version 1.8.1

Use the name of the Resource Group you just created for <YOUR_RG>, and use any unique name for <NEW_AKS_CLUSTER_NAME>. Use the flag --generate-ssh-keys , which will create the file for you (in your AZ Cloud Shell Environment) and link it to your AKS cluster.

I like to use Standard_A2_v2 as the VM size because it’s the cheapest non-burstable instance I could find, but you can use something larger or go cheaper with “B”-instances. I recommend using K8s version 1.8.1, but you can experiment. You can increase the count of nodes, but 1 is enough to run OpenFaaS.

2. Get Command-Line Access to Your Cluster

Next we will need to be able to run kubectl commands against your cluster, so we will use the Azure CLI tool to add our AKS cluster to our KubeConfig file. This sounds complicated, but it’s just running one command:

az aks get-credentials -g <YOUR_RG> -n <YOUR_AKS_CLUSTER_NAME>

If all goes well, you should see something like this:

Merged "eric-aks1" as current context in /home/eric/.kube/config

Run kubectl get all -n kube-system to make sure that you have access to your AKS cluster. If you see something like this screenshot, congrats, the hardest part is now done!

Note — it may take a few minutes before all your pods are at 100% replication status, and are all “Running”. Give it some time until you are at 100% before continuing.

3. Initialize Helm on your cluster

The first step is to make sure you have Helm installed on your local machine. Helm is a deployment manager for Kubernetes. OpenFaaS offers Helm charts to make deploying much easier.

Once Helm is installed, initialize the AKS cluster with the Helm server container which is called tiller . To achieve this, run this command in your Azure Cloud Shell:

$ helm init --upgrade

Now run kubectl get pods -n kube-system and make sure that the tiller pod is at 1/1 and Running status before moving on to the next step.

4. Deploy OpenFaaS with Helm

Wow, almost done! Now we get to the really fun part — actually setting up OpenFaaS on our AKS cluster.

Clone the official faas-netes repo from github, which is the Kubernetes backend for OpenFaaS. Don’t worry because the Azure Cloud Shell has git installed already.

$ git clone https://github.com/openfaas/faas-netes 
$ cd faas-netes

Finally, run these commands to deploy OpenFaaS on your AKS cluster:

$ kubectl create ns openfaas
$ kubectl create ns openfaas-fn

$ helm upgrade --install --namespace openfaas --set functionNamespace=openfaas-fn --set async=true --set rbac=false --set serviceType=LoadBalancer openfaas chart/openfaas

If all goes well, you should be able to run kubectl get all -n openfaas and see something like this after a minute or two:

Note that the gateway-external and prometheus-external services may have a <pending> External IP for a while. I have found that this IP can take 10 minutes or more to show up.

Once it does show up, take the External IP specified for the gateway-external service and navigate to it in your web browser with port 8080. You should see the OpenFaaS Web Portal, from which you can easily deploy functions from the built-in OpenFaaS Store.

Here I have deployed “figlet” from the OpenFaaS Store on my OpenFaaS-On-AKS Deployment.

5. (Optional) Secure ingress to OpenFaaS with username/password

If you plan to use OpenFaaS in production you will need to enable TLS and Basic Authentication on the API Gateway to protect it from bad actors. If you want to get deeper into OpenFaaS Authentication, check out Stefan’s blog post here about securing OpenFaaS on GKE. For now, follow these steps to enable Basic Authentication (without TLS) using the Caddy reverse proxy server.

First go to your Azure Cloud Shell and use the following kubectl command to create a username and password:

kubectl -n openfaas create secret generic basic-auth \
--from-literal=user=<YOUR_USERNAME> \
--from-literal=password=<YOUR_PASSWORD>

Next, use the following command to apply Caddy, which is used here as an Ingress Controller for our deployment:

kubectl apply -f https://github.com/stefanprodan/openfaas-gke/releases/download/v0.2/openfaas-auth.yaml

Wait a few minutes, then run the following command to get your Caddy IP.

kubectl -n openfaas describe service caddy-lb | grep Ingress | awk '{ print $NF }'

You can use this IP with port 80 to log in to your cluster like so:

Note that this does not enable TLS — there are a few extra steps for that which Stefan’s blog post can give more guidance on. https://stefanprodan.com/2017/openfaas-kubernetes-ingress-ssl-gke/

Note that you can now also access your deployment using the faas-cli command line tool, after you login using the following command. (This tool is not installed by default on the Azure Cloud Shell)

faas login -u <YOUR_USERNAME> -p <YOUR_PASSWORD> --gateway 52.179.97.66

Enabling SSL

Follow this link to Part 2 of this post, which is about enabling SSL.

https://medium.com/@ericstoekl/openfaas-on-azure-aks-with-ssl-ingress-openfaas-on-aks-part-2-2-e9f2db9db387

Cleaning up

If you messed up somewhere along the line with the Helm deployment, or if you just want to try something different, you can run the following command to delete the OpenFaaS deployment only (without destroying the AKS cluster):

helm delete --purge openfaas

When you are done with your cluster, delete it by deleting the whole Resource Group that contains your AKS cluster.

Conclusion

If you made it this far and now have a working deployment of OpenFaaS on AKS — congratulations! Try out a bunch of functions from the store, or use the OpenFaaS CLI Tool to build your own functions and deploy them. All you have to do to point the CLI tool at your AKS cluster is specify the flag--gateway=http://<gateway-external-ip>:8080 in all the commands you use. For example, to list all functions in you cluster, use faas-cli ls --gateway=http://<gateway-external-ip>:8080.

Like what you read? Give Eric Stoekl a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.