Deploying OpenFaaS on Kubernetes — Azure AKS (OpenFaaS on AKS 1/2)
Check out Part 2 of this post, which is about how to enable SSL ingress: https://medium.com/@ericstoekl/openfaas-on-azure-aks-with-ssl-ingress-openfaas-on-aks-part-2-2-e9f2db9db387
Today we’ll be deploying OpenFaaS on Azure AKS. Microsoft has created a managed Kubernetes service on the Azure cloud platform called AKS, which allows you to easily deploy publicly available Kubernetes clusters without worrying about (or even paying for) master nodes. This post will give step-by-step instructions for deploying OpenFaaS on AKS, giving you a resilient OpenFaaS deployment, and showing you the best practices along the way.
If you are interested in deploying OpenFaaS on AWS, check out my blog post here: https://medium.com/@ericstoekl/deploying-openfaas-on-kubernetes-aws-259ec9515e3c
The high level overview is:
- Create a Resource Group, Service Principal, and AKS Cluster
- Get command line access to your cluster
- Initialize Helm on your cluster
- Deploy OpenFaaS with Helm
- (Optional) Secure ingress to OpenFaaS with username/password
Let’s get started.
1. Provision resources on Azure
First we’ll need to go to the Azure Web Portal to create the first resource we need — a Resource Group. Click the Plus Sign on the top left of the web portal once you are logged in, and create a new Resource Group.
Next you can run the following command to create the AKS cluster directly from the Azure Cloud Shell. Open the shell up in the Web Portal, and use the following command to create your cluster
az aks create -g <YOUR_RG> -n <NEW_AKS_CLUSTER_NAME> --generate-ssh-keys --node-vm-size Standard_A2_v2 --node-count 1 --kubernetes-version 1.8.1
Use the name of the Resource Group you just created for <YOUR_RG>
, and use any unique name for <NEW_AKS_CLUSTER_NAME>
. Use the flag --generate-ssh-keys
, which will create the file for you (in your AZ Cloud Shell Environment) and link it to your AKS cluster.
I like to use Standard_A2_v2
as the VM size because it’s the cheapest non-burstable instance I could find, but you can use something larger or go cheaper with “B”-instances. I recommend using K8s version 1.8.1, but you can experiment. You can increase the count of nodes, but 1 is enough to run OpenFaaS.
2. Get Command-Line Access to Your Cluster
Next we will need to be able to run kubectl
commands against your cluster, so we will use the Azure CLI tool to add our AKS cluster to our KubeConfig file. This sounds complicated, but it’s just running one command:
az aks get-credentials -g <YOUR_RG> -n <YOUR_AKS_CLUSTER_NAME>
If all goes well, you should see something like this:
Merged "eric-aks1" as current context in /home/eric/.kube/config
Run kubectl get all -n kube-system
to make sure that you have access to your AKS cluster. If you see something like this screenshot, congrats, the hardest part is now done!
3. Initialize Helm on your cluster
The first step is to make sure you have Helm installed on your local machine. Helm is a deployment manager for Kubernetes. OpenFaaS offers Helm charts to make deploying much easier.
Once Helm is installed, initialize the AKS cluster with the Helm server container which is called tiller
. To achieve this, run this command in your Azure Cloud Shell:
$ helm init --upgrade
Now run kubectl get pods -n kube-system
and make sure that the tiller
pod is at 1/1
and Running status before moving on to the next step.
4. Deploy OpenFaaS with Helm
Wow, almost done! Now we get to the really fun part — actually setting up OpenFaaS on our AKS cluster.
Clone the official faas-netes
repo from github, which is the Kubernetes backend for OpenFaaS. Don’t worry because the Azure Cloud Shell has git
installed already.
$ git clone https://github.com/openfaas/faas-netes
$ cd faas-netes
Finally, run these commands to deploy OpenFaaS on your AKS cluster:
$ kubectl create ns openfaas
$ kubectl create ns openfaas-fn
$ helm upgrade --install --namespace openfaas --set functionNamespace=openfaas-fn --set async=true --set rbac=false --set serviceType=LoadBalancer openfaas chart/openfaas
If all goes well, you should be able to run kubectl get all -n openfaas
and see something like this after a minute or two:
Note that the gateway-external
and prometheus-external
services may have a <pending>
External IP for a while. I have found that this IP can take 10 minutes or more to show up.
Once it does show up, take the External IP specified for the gateway-external
service and navigate to it in your web browser with port 8080. You should see the OpenFaaS Web Portal, from which you can easily deploy functions from the built-in OpenFaaS Store.
5. (Optional) Secure ingress to OpenFaaS with username/password
If you plan to use OpenFaaS in production you will need to enable TLS and Basic Authentication on the API Gateway to protect it from bad actors. If you want to get deeper into OpenFaaS Authentication, check out Stefan’s blog post here about securing OpenFaaS on GKE. For now, follow these steps to enable Basic Authentication (without TLS) using the Caddy reverse proxy server.
First go to your Azure Cloud Shell and use the following kubectl
command to create a username and password:
kubectl -n openfaas create secret generic basic-auth \
--from-literal=user=<YOUR_USERNAME> \
--from-literal=password=<YOUR_PASSWORD>
Next, use the following command to apply Caddy, which is used here as an Ingress Controller for our deployment:
kubectl apply -f https://github.com/stefanprodan/openfaas-gke/releases/download/v0.2/openfaas-auth.yaml
Wait a few minutes, then run the following command to get your Caddy IP.
kubectl -n openfaas describe service caddy-lb | grep Ingress | awk '{ print $NF }'
You can use this IP with port 80 to log in to your cluster like so:
Note that you can now also access your deployment using the faas-cli command line tool, after you login using the following command. (This tool is not installed by default on the Azure Cloud Shell)
faas login -u <YOUR_USERNAME> -p <YOUR_PASSWORD> --gateway 52.179.97.66
Enabling SSL
Follow this link to Part 2 of this post, which is about enabling SSL.
Cleaning up
If you messed up somewhere along the line with the Helm deployment, or if you just want to try something different, you can run the following command to delete the OpenFaaS deployment only (without destroying the AKS cluster):
helm delete --purge openfaas
When you are done with your cluster, delete it by deleting the whole Resource Group that contains your AKS cluster.
Conclusion
If you made it this far and now have a working deployment of OpenFaaS on AKS — congratulations! Try out a bunch of functions from the store, or use the OpenFaaS CLI Tool to build your own functions and deploy them. All you have to do to point the CLI tool at your AKS cluster is specify the flag--gateway=http://<gateway-external-ip>:8080
in all the commands you use. For example, to list all functions in you cluster, use faas-cli ls --gateway=http://<gateway-external-ip>:8080
.