108 Commits

Author SHA1 Message Date
Alex Ellis (OpenFaaS Ltd)
137b63e61f Add namespaces endpoint
This is being added because multiple namespaces can now be used
on Kubernetes. By listing namespaces, a client such as the UI
or CLI can then enumerate the namespaces to find functions
which may span across more than one namespace.

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
2019-09-21 18:07:38 +01:00
Alex Ellis (OpenFaaS Ltd)
df4126d8f5 Scale functions with namespace option
Allows alerts to trigger functions to scale when they
also have an optional namespace set.

Tested e2e with Kubernetes 1.15 and a non-default namespace.

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
2019-09-20 18:38:55 +01:00
Alex Ellis (OpenFaaS Ltd)
238ce1be23 Add feature for invoking namespaced functions
When coupled with the latest version of faas-netes, the gateway
can now invoke, query and deploy functions into alternative
namespaces.

Tested e2e by creating a namespace "fn" and deploying, then
invoking a function deployed there and in the default namespace.

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
2019-09-20 18:38:55 +01:00
Alex Ellis (OpenFaaS Ltd)
0a90125aba Allow dot in function name
This patch enables the use-case for multiple namespaces by
allowing a dot to be used in the function name.

dep has been run to update OpenFaaS projects and also to
prune unused files.

Tested by doing a build.

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
2019-09-20 11:23:57 +01:00
Lucas Roesler
6df51a3516 Use context timeout to cancel the log request
**What**
- Pass the writetimeout to the logs handler to set the context timeout
of the log stream.

Signed-off-by: Lucas Roesler <roesler.lucas@gmail.com>
2019-07-06 10:42:46 +01:00
Lucas Roesler
e7e91ecd15 Implement log proxy handler
**What**
- Implement log handler method that will hijack the connection and clear
timeouts to allow long lived streams
- Proxies requests to the logs provider and returns the response
unmodified

Signed-off-by: Lucas Roesler <roesler.lucas@gmail.com>
2019-07-06 10:42:46 +01:00
Alex Ellis
e3b77514d0 Add error handling to basic auth injector
Fixes a problem where basic auth was disabled and a nil pointer
was hit, causing a panic.

Signed-off-by: Alex Ellis <alexellis2@gmail.com>
2019-06-09 20:08:39 +01:00
Alex Ellis
d2965df9f2 Remove un-used RoutelessProxy
Signed-off-by: Alex Ellis <alexellis2@gmail.com>
2019-06-09 20:08:39 +01:00
Alex Ellis
1cf030da48 Differentiate external service auth from user auth
Signed-off-by: Alex Ellis <alexellis2@gmail.com>
2019-06-09 20:08:39 +01:00
Alex Ellis
0758e484f7 Switch to external auth
This commit moves the OpenFaaS gateway from using in-process
basic-auth for everything to use an external auth URL instead.

When auth is not enabled, this functionality is not added to the
handlers and behaves as before. When enabled, the configured
plugin will authenticate requests.

Tested on Docker Swarm with positive and negative tests.

Signed-off-by: Alex Ellis <alexellis2@gmail.com>
2019-06-09 20:08:39 +01:00
Vivek Singh
b87ecde60f Move /healthz handler to handlers package
Signed-off-by: Vivek Singh <vivekkmr45@yahoo.in>
2019-03-09 17:28:46 +00:00
Vivek Singh
40dbede065 Reduce timeout value metrics server to 5 second
Signed-off-by: Vivek Singh <vivekkmr45@yahoo.in>
2019-03-09 17:28:46 +00:00
Vivek Singh
54eda5ec0d Run metrics server in a separate method
This commit adds changes to run metrics server in a separate method and
also removed port 8082 from exposed port a/c to review comments.

It also uses a smaller static timeout value for new server.

Signed-off-by: Vivek Singh <vivekkmr45@yahoo.in>
2019-03-09 17:28:46 +00:00
Vivek Singh
90ddd56985 Add new HTTPServer to serve /metrics on port 8082
This commit runs a new HTTPServer on port 8082 in a goroutine to serve
/metrics endpoint on a different port.

This also updates the configurations and compose files.

Fixes: #1081

Signed-off-by: Vivek Singh <vivekkmr45@yahoo.in>
2019-03-09 17:28:46 +00:00
Alex Ellis (VMware)
299e5a5933 Read config values from environment for max_conns tuning
- max_conns / idle / per host are now read from env-vars and have
defaults set to 1024 for both values
- logging / metrics are collected in the client transaction
rather than via defer (this may impact throughput)
- function cache moved to use RWMutex to try to improve latency
around locking when updating cache
- logging message added to show latency in running GetReplicas
because this was observed to increase in a linear fashion under
high concurrency
- changes tested against 3-node bare-metal 1.13 K8s cluster
with kubeadm

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2019-02-04 11:50:25 +00:00
Alex Ellis (VMware)
b4a550327d Re-vendor queue-worker publisher for reconnect
- re-vendor queue-worker for publisher via 0.6.0
- bump queue-worker version to 0.6.0 in docker-compose.yml for
AMD64
- use new naming for NATS of nats -> NATS in variables where
required
- add default reconnect of 60 times, 2 seconds apart.

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2019-01-29 15:15:48 +00:00
Lucas Roesler
f61735b155 Add basic auth to the system alert endpoint
**What**
- Protect the `/system/alert` endpoint when basic auth is enabled
- Update the alert manager config to send the basic auth credentials
- Bump the gateway version

Signed-off-by: Lucas Roesler <roesler.lucas@gmail.com>
2019-01-24 17:45:33 +00:00
Alex Ellis (VMware)
fca32a0e79 Instrument async handlers
- instruments async handler for report and for queueing async
requests
- make MustRegister only ever run once to prevent sync issues

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2019-01-24 09:12:46 +00:00
Alex Ellis (VMware)
5a1bdcdb91 Add instrumentation to the alert handler
Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2019-01-24 09:12:46 +00:00
Alex Ellis (VMware)
64a3f4e495 Instrument system calls
Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2019-01-24 09:12:46 +00:00
Andrew Cornies
a9238f5631 Secrets iteration:
- added delete http verb to system/secrets
- added secrets request type
- added vagrant env provisioned by existing deploy_stack.sh

Signed-off-by: Andrew Cornies <acornies@gmail.com>
2019-01-04 16:51:01 +00:00
Andrew Cornies
d2ef8b9207 Initial support for secrets in gw:
- added SecretHandler type
- added discussed system/secret endpoint with appropriate http verbs

Signed-off-by: Andrew Cornies <acornies@gmail.com>
2019-01-04 16:51:01 +00:00
Alex Ellis (VMware)
117707df14 Enable backoff/retries on scaling up
- this change is needed for Docker Swarm which may give an error
when several concurrent requests come in to scale a deployment.

Tested on Docker Swarm before/after with the hey tool and figlet
scaled down to zero replicas.

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2018-11-07 13:49:56 +00:00
Alex Ellis (VMware)
9cea08c728 Extract scaling from zero
- extracting this package means it can be used in other components
such as the asynchronous nats-queue-worker which may need to
invoke functions which are scaled down to zero replicas.

Ref: https://github.com/openfaas/nats-queue-worker/issues/32

Tested on Docker Swarm for scaling up, already scaled and not
found error.

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2018-11-01 15:10:08 +00:00
Alex Ellis (VMware)
101b06243b Add documentation for scaling handler
- documents ScalingConfig and MakeScalingHandler

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2018-10-28 12:24:25 +00:00
Alex Ellis (VMware)
3598da2e51 Enable basic auth for service query / scaling on provider
- this is a blocking issue for auth with Docker Swarm
fixes #879

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2018-09-19 20:52:14 +01:00
Alex Ellis (VMware)
c67c9f2b30 Fix issue with direct_functions and path behaviour
- The path clipping / transforming behaviour must be turned-off
when we are not using direct_functions as is used in
faas-nomad and faas-ecs. This will need a change in each provider
to strip paths, but fixes a 404 error these users will see if they
upgrade to 0.9.2 or newer. 0.9.3 will have this fix meaning
the whole un-edited path is passed to the provider when
direct_functions is set to false.

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2018-09-15 14:40:22 +01:00
Vivek Singh
d926b2d886 Add basic auth support for /system/async-report
This commit adds basic authentication for `/system/async-report`
endpoint.

It also adds basic-auth secrets to `queue-worker` service which will be
used for gateway calls to `/system/async-report`.

Signed-off-by: Vivek Singh <vivekkmr45@yahoo.in>
2018-09-08 09:58:19 +01:00
Alex Ellis (VMware)
6937bc4d7f Move to auth package in faas-provider
The basic-auth middleware and credentials-loading code has been
moved into the faas-provider project. This has now been brought
back into the faas project via vendoring.

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2018-09-06 16:14:53 +01:00
Alex Ellis (VMware)
ffd81afd02 Refactor #843
Code-review/refactoring for #843. Closes #843.

FaaSHandlers has had info and query handlers added to its list
of types for consistency.

Secrets added to queue-worker component ready for next PR.

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2018-09-05 09:47:49 +01:00
Burton Rheutan
fa076fb2c4 Pass basic auth to all system calls
This changeset enables passing the basic auth credentials
to all /system/ calls to allow upstream providers to
perform authorization checks independent of the gateway.

This is essential for some providers, like Swarm, where
the system is accessible on the same network, and not
protected via the gateway

Signed-off-by: Burton Rheutan <rheutan7@gmail.com>
2018-09-05 09:47:49 +01:00
Alex Ellis (VMware)
2f98ca8802 Review changes for HTTP paths
This reviews the code and fixes up suggestions made by team for
the HTTP paths PR #789.

- Removed feature-flag (this is backwards-compatible, so I see
no value in adding the flag)
- There was a URL transform happening for calls proxied to the
back end, I changed this for the nil-transform - i.e. it does not
change anything in the URL
- Introduced variables to describe the regex indices used in
the URL trimming.

Tested with Docker Swarm with a ruby-microservice, with
system calls and with function calls using the UI.

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2018-08-29 12:41:04 +01:00
Thomas E Lackey
8749e0d891 Only truncate '/function/...' paths.
Signed-off-by: Thomas E Lackey <telackey@bozemanpass.com>
2018-08-29 12:41:04 +01:00
Thomas E Lackey
decf9addb3 Make 'URLPathTransformer' interface and implementation to do the function prefix trimming instead of baking it in. Also add a configuration option, 'pass_url_path_to_functions' to control whether the full path is passed to the functions or not.
Signed-off-by: Thomas E Lackey <telackey@bozemanpass.com>
2018-08-29 12:41:04 +01:00
Thomas E Lackey
7870b87c38 Implement proposal 716, passing full paths through the Gateway and fwatchdog.
Previously, only the query string of the URL was passed through the Gateway.
With this change, the entire path requested by the client is passed through as well as the query string.

While fwatchdog already supported passing the path through, in practice this would not happen
since the Gateway would have swallowed it before forwarding the request to the watchdog.

With this change, the path portion after the function name is added to the Http_Path environment
variable, provided that cgiHeaders are enabled.  This is similar to the of-watchdog equivalent.

Signed-off-by: Thomas E Lackey <telackey@bozemanpass.com>
2018-08-29 12:41:04 +01:00
Ken Fukuyama
4fabd50799 Changed Metrics to be exposed via Exporter
This change exposes the gateway metrics with an exporter which
implements the Collector interface of prometheus.
This change Fixes #697

Signed-off-by: Ken Fukuyama <kenfdev@gmail.com>
2018-08-24 09:01:41 +01:00
Alex Ellis (VMware)
c86de503c7 Attach X-Call-Id to asynchronous calls
Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2018-08-16 16:04:09 +01:00
Alex Ellis (VMware)
8f0d2d1fd6 Expose scale-function endpoint
- exposes scale-function endpoint for use with faas-idler, this
is protected by auth when enabled.

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2018-07-23 15:24:11 +01:00
Alex Ellis (VMware)
9512f09d2b Refactor scaling to use existing code
Existing code has been used for scaling up and querying replicas.
This meant the new code was deleted and there is less duplication
now.

The cache stores a whole query response rather than just the
available replica count and the tests were updated. This has been
tested with Docker swarm and the image:
 openfaas/gateway:scale-17-07-2018

This feature now needs the env-var of scale_from_zero to be enabled
in order to turn on the scaling behaviour.

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2018-07-20 11:39:36 +01:00
Alex Ellis (VMware)
c58af8da56 Disable scaling from zero by default
This disables the scaling proxy by default since it is not the
default user-experience and is still under refinement.

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2018-07-20 11:39:36 +01:00
Alex Ellis (VMware)
e67d45caa1 Add feature: scale from zero to 1 replicas
This change allows functions to be "idled" or scaled to zero
replicas and then be invoked later on. There is a penalty to
scaling up - the API gateway proxy will block until the function
is ready.

A cache is included to off-set the calls to upstream API to check
on readiness along with unit tests.

Testing via scaling to zero replicas and then invoking function.
On Swarm I observed 3 seconds on an Intel Nuc i5 for scaling back
from zero replicas.

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2018-07-20 11:39:36 +01:00
Edward Wilde
aca2c7fe2a Enhance info endpoint to include gateway version
Extend the health endpoint and add gateway version information

Resolves: #733
Signed-off-by: Edward Wilde <ewilde@gmail.com>
2018-07-06 17:50:48 +01:00
Alex Ellis (VMware)
223c561706 Vendor new queue-worker version
Introduces 0.4.6 of queue-worker - see upstream repo for changes.

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2018-06-18 20:10:46 +01:00
Alex Ellis (VMware)
8133414183 Read secrets from variable path
This change enables secrets to be read from any mount on disk
rather than hard-coding a certain location which suits Swarm or
K8s. The default value if not specified will look in the Swarm
location of /run/secrets/

README.md (docs) updated and set to off by default.

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2018-05-23 11:42:42 +01:00
Alex Ellis (VMware)
a38931ce69 Enable basic auth on gateway
Fixes https://github.com/openfaas/faas/issues/687 allowing the
gateway to handle the responsibility of basic auth for when it is
in use.

To enable set basic_auth env-var to true and then mount two
secrets or plaintext files under /var/secrets/

basic_auth_user, basic_auth_password

Tested with faas-cli list/deploy and with Safari browser.

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2018-05-23 11:42:42 +01:00
Alex Ellis (VMware)
4123270235 Add health and info endpoints
Fixes issue 689 by enabling /healthz and /system/info, see
swagger for more details.

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2018-05-20 19:11:21 +01:00
Alex Ellis (VMware)
daa79aef75 Deprecate routeless proxy test
Routeless proxy allowed no HTTP path to be given when a Header
X-Function: name was given. This has been deprecated - I am
unaware of any usage of the feature.

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2018-04-03 17:55:44 +01:00
Alex Ellis (VMware)
9a1b119c9f Remove Prometheus tracking for forwarded requests
Forwarded requests were being logged in the function metrics and
I saw this when doing some testing on auto-scaling with K8s.

This change removes the call to the Prometheus notifier for any
calls which are forwarded to the provider and retains them for the
functions.

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2018-03-26 13:12:29 +01:00
John McCabe
fac3345668 Use http package consts for http methods
This commit replaces occurrences of http method strings with the
corresponding consts from the http package.

*Note* UPDATE is not strictly speaking a valid method and as such isn't
part of the http package (should be a PUT or PATCH?)

Signed-off-by: John McCabe <john@johnmccabe.net>
2018-03-23 16:37:33 +00:00
Alex Ellis
0c7e59fe8a Add direct_functions mode to gateway for tuning
Adds a pair of configuration options for performance tuning. The
gateway can now invoke functions directly and can bypass the
provider. See updated table in README.md for configuration values.

BaseURLResolver is added with unit tests that decouples resolving
upstream URL from the reverse proxy client code.

- SingleHostBaseURLResolver resolves a single upstream host
- FunctionAsHostBaseURLResolver resolves host based upon conventions
within the URL of the request to a function for direct access

Tested with Kubernetes (faas-netes) and faas-swarm through UI, CLI
calling system endpoints and functions directly.

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
2018-03-23 16:35:37 +00:00