Add RBAC for endpoint slices for functions and leases for LeaderElection

chart/openfaas/README.md

@@ -495,6 +495,8 @@ yaml) |
 | `operator.image` | Container image used for the openfaas-operator | See [values.yaml](./values.yaml) |
 | `operator.kubeClientQPS` | QPS rate-limit for the Kubernetes client, (OpenFaaS for Enterprises) | `""` (defaults to 100) |
 | `operator.kubeClientBurst` | Burst rate-limit for the Kubernetes client (OpenFaaS for Enterprises) | `""` (defaults to 250) |
+| `operator.reconcileWorkers` | Number of reconciliation workers to run to convert Function CRs into Deployments | `1` |
+| `operator.leaderElection.enabled`| When set to true, only one replica of the operator within the gateway pod will perform reconciliation | `false` |
 
 ### Functions
 

chart/openfaas/templates/controller-rbac.yaml

@@ -90,14 +90,14 @@ rules:
       - "get"
       - "list"
       - "watch"
-  - apiGroups:
-      - ""
-    resources:
-      - namespaces
-    verbs:
-      - create
-      - update
-      - delete
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["create", "delete", "update"]
+{{- if .Values.openfaasPro }}
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -167,17 +167,14 @@ rules:
       - update
       - patch
       - delete
-  - apiGroups:
-      - ""
-    resources:
-      - pods
-      - pods/log
-      - namespaces
-      - endpoints
-    verbs:
-      - get
-      - list
-      - watch
+  - apiGroups: [""]
+    resources: ["pods", "pods/log", "namespaces", "endpoints"]
+    verbs: ["get", "list", "watch"]
+{{- if .Values.openfaasPro }}
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

chart/openfaas/templates/gateway-dep.yaml

@@ -220,6 +220,8 @@ spec:
           - -operator=true
           - "-license-file=/var/secrets/license/license"
         env:
+          - name: reconcile_workers
+            value: {{ .Values.operator.reconcileWorkers | quote }}
           - name: port
             value: "8081"
           - name: function_namespace
@@ -260,6 +262,18 @@ spec:
             value: "{{ .Values.operator.kubeClientQPS }}"
           - name: kube_client_burst
             value: "{{ .Values.operator.kubeClientBurst }}"
+          - name: reconcile_qps
+            value: "{{ .Values.operator.reconcileQPS }}"
+          - name: reconcile_burst
+            value: "{{ .Values.operator.reconcileBurst }}"
+          {{ if .Values.operator.leaderElection.enabled }}
+          - name: leader_election
+            value: "true"
+          {{- end }}
+          {{- if eq (or .Values.operator.pprof false) true }}
+          - name: pprof
+            value: {{ .Values.operator.pprof | quote }}
+          {{- end }}
           {{- if .Values.iam.enabled }}
           - name: issuer_key_path
             value: "/var/secrets/issuer-key/issuer.key"

chart/openfaas/templates/operator-rbac.yaml

@@ -41,12 +41,26 @@ rules:
 - apiGroups: [""]
   resources: ["configmaps"]
   verbs: ["get",  "create"]
+{{- if .Values.operator.leaderElection.enabled }}
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: [ "update", "patch", "delete", "watch"]
+{{- end }}
 - apiGroups: ["apps", "extensions"]
   resources: ["deployments"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# TODO: AE - remove endpoints from RBAC now that operator uses EndpointSlices
 - apiGroups: [""]
   resources: ["pods", "pods/log", "namespaces", "endpoints"]
   verbs: ["get", "list", "watch"]
+- apiGroups: ["discovery.k8s.io"]
+  resources: ["endpointslices"]
+  verbs: ["get", "list", "watch"]
+# AE: For leader election
+# PATCH may not be required?
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -132,6 +146,9 @@ rules:
   - apiGroups: [""]
     resources: ["services"]
     verbs: ["get", "list", "watch", "create", "delete", "update"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
   - apiGroups: ["extensions", "apps"]
     resources: ["deployments"]
     verbs: ["get", "list", "watch", "create", "delete", "update"]
@@ -141,6 +158,12 @@ rules:
   - apiGroups: [""]
     resources: ["configmaps"]
     verbs: ["get",  "create"]
+{{- if .Values.operator.leaderElection.enabled }}
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: [ "update", "patch", "delete", "watch"]
+{{- end }}
+# TODO: AE - remove endpoints from RBAC now that operator uses EndpointSlices
   - apiGroups: [""]
     resources: ["pods", "pods/log", "namespaces", "endpoints"]
     verbs: ["get", "list", "watch"]
@@ -151,6 +174,11 @@ rules:
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# AE: For leader election
+# PATCH may not be required?
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

chart/openfaas/values-pro.yaml

@@ -41,7 +41,7 @@ clusterRole: true
 # you can create a HPA rule to scale on CPU, but you must not scale beyond
 # what's been purchased.
 gateway:
-  replicas: 3
+  replicas: 1
 # Required gateway configuration for Istio
   # directFunctions: true
   # probeFunctions: true

chart/openfaas/values.yaml

@@ -28,7 +28,7 @@ queueMode: ""                # Set to `jetstream` to run the async system backed
 psp: false
 
 # image pull policy for openfaas components, can change to `IfNotPresent` for an air-gapped environment
-openfaasImagePullPolicy: "Always"
+openfaasImagePullPolicy: "IfNotPresent"
 
 functions:
   imagePullPolicy: "Always"    # Image pull policy for deployed functions, for OpenFaaS Pro you can also set: IfNotPresent and Never.
@@ -94,10 +94,20 @@ gateway:
 operator:
   image: ghcr.io/openfaasltd/faas-netes:0.4.23
   create: false
+  # Unnecessary when running a single replica of the gateway
+  leaderElection:
+    enabled: false
+  reconcileWorkers: 2
   resources:
     requests:
       memory: "120Mi"
       cpu: "50m"
+  # When set to true, pprof will be enabled, and the 
+  # service "faas-provider" will gain an extra port to
+  # expose the pprof endpoint, this cannot be used in production
+  # since it may bypass authentication, and should only be used
+  # for debugging purposes
+  pprof: false
 
   # For OpenFaaS for Enterprises, these numbers can be set higher,
   # if experiencing rate limiting due to a large number of functions