Avoid providing memory limit if not set explicitly

Signed-off-by: Nitishkumar Singh <nitishkumarsingh71@gmail.com>

.github/ISSUE_TEMPLATE.md

@@ -1,3 +1,7 @@
+## Due diligence
+
+Before you for help or support, make sure that you've [consulted the faasd manual "Serverless For Everyone Else"](https://openfaas.gumroad.com/l/serverless-for-everyone-else).
+
 <!--- Provide a general summary of the issue in the Title above -->
 
 ## Expected Behaviour

.github/workflows/build.yaml

@@ -12,7 +12,7 @@ jobs:
       GO111MODULE: off
     strategy:
       matrix:
-        go-version: [1.16.x]
+        go-version: [1.17.x]
         os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/publish.yaml

@@ -9,7 +9,7 @@ jobs:
   publish:
     strategy:
       matrix:
-        go-version: [ 1.16.x ]
+        go-version: [ 1.17.x ]
         os: [ ubuntu-latest ]
     runs-on: ${{ matrix.os }}
     steps:

README.md

@@ -1,5 +1,6 @@
 # faasd - a lightweight & portable faas engine
 
+[![Sponsor this](https://img.shields.io/static/v1?label=Sponsor&message=%E2%9D%A4&logo=GitHub&link=https://github.com/sponsors/openfaas)](https://github.com/sponsors/openfaas)
 [![Build Status](https://github.com/openfaas/faasd/workflows/build/badge.svg?branch=master)](https://github.com/openfaas/faasd/actions)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![OpenFaaS](https://img.shields.io/badge/openfaas-serverless-blue.svg)](https://www.openfaas.com)
@@ -44,7 +45,7 @@ Additional resources:
 
 Most importantly, it's easy to manage so you can set it up and leave it alone to run your functions.
 
-![demo](https://pbs.twimg.com/media/EPNQz00W4AEwDxM?format=jpg&name=small)
+[![demo](https://pbs.twimg.com/media/EPNQz00W4AEwDxM?format=jpg&name=medium)](https://www.youtube.com/watch?v=WX1tZoSXy8E)
 
 > Demo of faasd running asynchronous functions
 
@@ -166,4 +167,6 @@ For completed features, WIP and upcoming roadmap see:
 
 See [ROADMAP.md](docs/ROADMAP.md)
 
+Want to build a patch without setting up a complete development environment? See [docs/PATCHES.md](docs/PATCHES.md)
+
 Are you looking to hack on faasd? Follow the [developer instructions](docs/DEV.md) for a manual installation, or use the `hack/install.sh` script and pick up from there.

cloud-config.txt

@@ -10,17 +10,7 @@ packages:
  - git
 
 runcmd:
-- curl -sLSf https://github.com/containerd/containerd/releases/download/v1.5.4/containerd-1.5.4-linux-amd64.tar.gz > /tmp/containerd.tar.gz && tar -xvf /tmp/containerd.tar.gz -C /usr/local/bin/ --strip-components=1
-- curl -SLfs https://raw.githubusercontent.com/containerd/containerd/v1.5.4/containerd.service | tee /etc/systemd/system/containerd.service
-- systemctl daemon-reload && systemctl start containerd
-- systemctl enable containerd
-- /sbin/sysctl -w net.ipv4.conf.all.forwarding=1
-- mkdir -p /opt/cni/bin
-- curl -sSL https://github.com/containernetworking/plugins/releases/download/v0.8.5/cni-plugins-linux-amd64-v0.8.5.tgz | tar -xz -C /opt/cni/bin
-- mkdir -p /go/src/github.com/openfaas/
-- cd /go/src/github.com/openfaas/ && git clone --depth 1 --branch 0.12.5 https://github.com/openfaas/faasd
-- curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.12.5/faasd" --output "/usr/local/bin/faasd" && chmod a+x "/usr/local/bin/faasd"
-- cd /go/src/github.com/openfaas/faasd/ && /usr/local/bin/faasd install
+- curl -sfL https://raw.githubusercontent.com/openfaas/faasd/master/hack/install.sh | sh -s -
 - systemctl status -l containerd --no-pager
 - journalctl -u faasd-provider --no-pager
 - systemctl status -l faasd-provider --no-pager

cmd/install.go

@@ -109,7 +109,16 @@ func binExists(folder, name string) error {
 	}
 	return nil
 }
+func ensureSecretsDir(folder string) error {
+	if _, err := os.Stat(folder); err != nil {
+		err = os.MkdirAll(folder, secretDirPermission)
+		if err != nil {
+			return err
+		}
+	}
 
+	return nil
+}
 func ensureWorkingDir(folder string) error {
 	if _, err := os.Stat(folder); err != nil {
 		err = os.MkdirAll(folder, workingDirectoryPermission)

cmd/provider.go

@@ -1,8 +1,8 @@
 package cmd
 
 import (
-	"encoding/json"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"log"
 	"net/http"
@@ -14,6 +14,7 @@ import (
 	"github.com/openfaas/faas-provider/logs"
 	"github.com/openfaas/faas-provider/proxy"
 	"github.com/openfaas/faas-provider/types"
+	faasd "github.com/openfaas/faasd/pkg"
 	"github.com/openfaas/faasd/pkg/cninetwork"
 	faasdlogs "github.com/openfaas/faasd/pkg/logs"
 	"github.com/openfaas/faasd/pkg/provider/config"
@@ -21,6 +22,8 @@ import (
 	"github.com/spf13/cobra"
 )
 
+const secretDirPermission = 0755
+
 func makeProviderCmd() *cobra.Command {
 	var command = &cobra.Command{
 		Use:   "provider",
@@ -82,20 +85,25 @@ func makeProviderCmd() *cobra.Command {
 
 		invokeResolver := handlers.NewInvokeResolver(client)
 
-		userSecretPath := path.Join(wd, "secrets")
+		baseUserSecretsPath := path.Join(wd, "secrets")
+		if err := moveSecretsToDefaultNamespaceSecrets(
+			baseUserSecretsPath,
+			faasd.DefaultFunctionNamespace); err != nil {
+			return err
+		}
 
 		bootstrapHandlers := types.FaaSHandlers{
 			FunctionProxy:        proxy.NewHandlerFunc(*config, invokeResolver),
 			DeleteHandler:        handlers.MakeDeleteHandler(client, cni),
-			DeployHandler:        handlers.MakeDeployHandler(client, cni, userSecretPath, alwaysPull),
+			DeployHandler:        handlers.MakeDeployHandler(client, cni, baseUserSecretsPath, alwaysPull),
 			FunctionReader:       handlers.MakeReadHandler(client),
 			ReplicaReader:        handlers.MakeReplicaReaderHandler(client),
 			ReplicaUpdater:       handlers.MakeReplicaUpdateHandler(client, cni),
-			UpdateHandler:        handlers.MakeUpdateHandler(client, cni, userSecretPath, alwaysPull),
+			UpdateHandler:        handlers.MakeUpdateHandler(client, cni, baseUserSecretsPath, alwaysPull),
 			HealthHandler:        func(w http.ResponseWriter, r *http.Request) {},
 			InfoHandler:          handlers.MakeInfoHandler(Version, GitCommit),
-			ListNamespaceHandler: listNamespaces(),
-			SecretHandler:        handlers.MakeSecretHandler(client, userSecretPath),
+			ListNamespaceHandler: handlers.MakeNamespacesLister(client),
+			SecretHandler:        handlers.MakeSecretHandler(client.NamespaceService(), baseUserSecretsPath),
 			LogHandler:           logs.NewLogHandlerFunc(faasdlogs.New(), config.ReadTimeout),
 		}
 
@@ -107,10 +115,62 @@ func makeProviderCmd() *cobra.Command {
 	return command
 }
 
-func listNamespaces() func(w http.ResponseWriter, r *http.Request) {
-	return func(w http.ResponseWriter, r *http.Request) {
-		list := []string{""}
-		out, _ := json.Marshal(list)
-		w.Write(out)
+/*
+* Mutiple namespace support was added after release 0.13.0
+* Function will help users to migrate on multiple namespace support of faasd
+ */
+func moveSecretsToDefaultNamespaceSecrets(baseSecretPath string, defaultNamespace string) error {
+	newSecretPath := path.Join(baseSecretPath, defaultNamespace)
+
+	err := ensureSecretsDir(newSecretPath)
+	if err != nil {
+		return err
 	}
+
+	files, err := ioutil.ReadDir(baseSecretPath)
+	if err != nil {
+		return err
+	}
+
+	for _, f := range files {
+		if !f.IsDir() {
+
+			newPath := path.Join(newSecretPath, f.Name())
+
+			// A non-nil error means the file wasn't found in the
+			// destination path
+			if _, err := os.Stat(newPath); err != nil {
+				oldPath := path.Join(baseSecretPath, f.Name())
+
+				if err := copyFile(oldPath, newPath); err != nil {
+					return err
+				}
+
+				log.Printf("[Migration] Copied %s to %s", oldPath, newPath)
+			}
+		}
+	}
+
+	return nil
+}
+
+func copyFile(src, dst string) error {
+	inputFile, err := os.Open(src)
+	if err != nil {
+		return fmt.Errorf("opening %s failed %w", src, err)
+	}
+	defer inputFile.Close()
+
+	outputFile, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_APPEND, secretDirPermission)
+	if err != nil {
+		return fmt.Errorf("opening %s failed %w", dst, err)
+	}
+	defer outputFile.Close()
+
+	// Changed from os.Rename due to issue in #201
+	if _, err := io.Copy(outputFile, inputFile); err != nil {
+		return fmt.Errorf("writing into %s failed %w", outputFile.Name(), err)
+	}
+
+	return nil
 }

docker-compose.yaml

@@ -20,28 +20,43 @@ services:
 
   nats:
     image: docker.io/library/nats-streaming:0.22.0
+# nobody
+    user: "65534"
     command:
       - "/nats-streaming-server"
       - "-m"
       - "8222"
-      - "--store=memory"
+      - "--store=file"
+      - "--dir=/nats"
       - "--cluster_id=faas-cluster"
+    volumes:
+# Data directory
+      - type: bind
+        source: ./nats
+        target: /nats
     # ports:
     #    - "127.0.0.1:8222:8222"
 
   prometheus:
     image: docker.io/prom/prometheus:v2.14.0
+# nobody
+    user: "65534"
     volumes:
+# Config directory
       - type: bind
         source: ./prometheus.yml
         target: /etc/prometheus/prometheus.yml
+# Data directory
+      - type: bind
+        source: ./prometheus
+        target: /prometheus
     cap_add:
       - CAP_NET_RAW
     ports:
        - "127.0.0.1:9090:9090"
 
   gateway:
-    image: ghcr.io/openfaas/gateway:0.21.0
+    image: ghcr.io/openfaas/gateway:0.21.3
     environment:
       - basic_auth=true
       - functions_provider_url=http://faasd-provider:8081/

docs/DEV.md

@@ -1,7 +1,11 @@
-## Instructions for hacking on faasd itself
+## Instructions for building and testing faasd locally
 
 > Note: if you're just wanting to try out faasd, then it's likely that you're on the wrong page. This is a detailed set of instructions for those wanting to contribute or customise faasd. Feel free to go back to the homepage and pick a tutorial instead.
 
+Do you want to help the community test a pull request?
+
+See these instructions instead: [Testing patches](/docs/PATCHES.md)
+
 ### Pre-reqs
 
 > It's recommended that you do not install Docker on the same host as faasd, since 1) they may both use different versions of containerd and 2) docker's networking rules can disrupt faasd's networking. When using faasd - make your faasd server a faasd server, and build container image on your laptop or in a CI pipeline.
@@ -233,7 +237,7 @@ export SUFFIX="-armhf"
 export SUFFIX="-arm64"
 
 # Then download
-curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.12.5/faasd$SUFFIX" \
+curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.13.0/faasd$SUFFIX" \
     -o "/tmp/faasd" \
     && chmod +x "/tmp/faasd" 
 sudo mv /tmp/faasd /usr/local/bin/

docs/MULTIPASS.md

@@ -27,111 +27,112 @@ It took me about 2-3 minutes to run through everything after installing multipas
 
 * Get my cloud-config.txt file
 
-```sh
-curl -sSLO https://raw.githubusercontent.com/openfaas/faasd/master/cloud-config.txt
-```
-
-* Update the SSH key to match your own, edit `cloud-config.txt`:
-
-Replace the 2nd line with the contents of `~/.ssh/id_rsa.pub`:
-
-```
-ssh_authorized_keys:
-  - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8Q/aUYUr3P1XKVucnO9mlWxOjJm+K01lHJR90MkHC9zbfTqlp8P7C3J26zKAuzHXOeF+VFxETRr6YedQKW9zp5oP7sN+F2gr/pO7GV3VmOqHMV7uKfyUQfq7H1aVzLfCcI7FwN2Zekv3yB7kj35pbsMa1Za58aF6oHRctZU6UWgXXbRxP+B04DoVU7jTstQ4GMoOCaqYhgPHyjEAS3DW0kkPW6HzsvJHkxvVcVlZ/wNJa1Ie/yGpzOzWIN0Ol0t2QT/RSWOhfzO1A2P0XbPuZ04NmriBonO9zR7T1fMNmmtTuK7WazKjQT3inmYRAqU6pe8wfX8WIWNV7OowUjUsv alex@alexr.local
-```
+    ```sh
+    curl -sSLO https://raw.githubusercontent.com/openfaas/faasd/master/cloud-config.txt
+    ```
 
 * Boot the VM 
 
-```sh
-multipass launch --cloud-init cloud-config.txt  --name faasd
-```
+    The `cloud-config.txt` contains an ssh key to allow your local machine to access the VM. However, this must be updated with your local ssh key. 
+    This command will update the key with your local public key value and start the VM.
+
+    ```sh
+    sed "s/ssh-rsa.*/$(cat $HOME/.ssh/id_*.pub)/" cloud-config.txt | multipass launch --name faasd --cloud-init -
+    ```
+
+    This can also be done manually, just replace the 2nd line of the `cloud-config.txt` with the coPntents of your public ssh key, usually either `~/.ssh/id_rsa.pub` or `~/.ssh/id_ed25519.pub`
+
+    ```
+    ssh_authorized_keys:
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8Q/aUYUr3P1XKVucnO9mlWxOjJm+K01lHJR90MkHC9zbfTqlp8P7C3J26zKAuzHXOeF+VFxETRr6YedQKW9zp5oP7sN+F2gr/pO7GV3VmOqHMV7uKfyUQfq7H1aVzLfCcI7FwN2Zekv3yB7kj35pbsMa1Za58aF6oHRctZU6UWgXXbRxP+B04DoVU7jTstQ4GMoOCaqYhgPHyjEAS3DW0kkPW6HzsvJHkxvVcVlZ/wNJa1Ie/yGpzOzWIN0Ol0t2QT/RSWOhfzO1A2P0XbPuZ04NmriBonO9zR7T1fMNmmtTuK7WazKjQT3inmYRAqU6pe8wfX8WIWNV7OowUjUsv alex@alexr.local
+    ```
 
 * Get the VM's IP and connect with `ssh`
 
-```sh
-multipass info faasd
-Name:           faasd
-State:          Running
-IPv4:           192.168.64.14
-Release:        Ubuntu 18.04.3 LTS
-Image hash:     a720c34066dc (Ubuntu 18.04 LTS)
-Load:           0.79 0.19 0.06
-Disk usage:     1.1G out of 4.7G
-Memory usage:   145.6M out of 985.7M
-```
+    ```sh
+    multipass info faasd
+    Name:           faasd
+    State:          Running
+    IPv4:           192.168.64.14
+    Release:        Ubuntu 18.04.3 LTS
+    Image hash:     a720c34066dc (Ubuntu 18.04 LTS)
+    Load:           0.79 0.19 0.06
+    Disk usage:     1.1G out of 4.7G
+    Memory usage:   145.6M out of 985.7M
+    ```
 
-Set the variable `IP`:
+    Set the variable `IP`:
 
-```
-export IP="192.168.64.14"
-```
+    ```
+    export IP="192.168.64.14"
+    ```
 
-You can also try to use `jq` to get the IP into a variable:
+    You can also try to use `jq` to get the IP into a variable:
 
-```sh
-export IP=$(multipass info faasd --format json| jq -r '.info.faasd.ipv4[0]')
-```
+    ```sh
+    export IP=$(multipass info faasd --format json| jq -r '.info.faasd.ipv4[0]')
+    ```
 
-Connect to the IP listed:
+    Connect to the IP listed:
 
-```sh
-ssh ubuntu@$IP
-```
+    ```sh
+    ssh ubuntu@$IP
+    ```
 
-Log out once you know it works.
+    Log out once you know it works.
 
 * Let's capture the authentication password into a file for use with `faas-cli`
 
-```
-ssh ubuntu@$IP "sudo cat /var/lib/faasd/secrets/basic-auth-password" > basic-auth-password
-```
+    ```
+    ssh ubuntu@$IP "sudo cat /var/lib/faasd/secrets/basic-auth-password" > basic-auth-password
+    ```
 
 ## Try faasd (OpenFaaS)
 
 * Login from your laptop (the host)
 
-```
-export OPENFAAS_URL=http://$IP:8080
-cat basic-auth-password | faas-cli login -s
-```
+    ```
+    export OPENFAAS_URL=http://$IP:8080
+    cat basic-auth-password | faas-cli login -s
+    ```
 
 * Deploy a function and invoke it
 
-```
-faas-cli store deploy figlet --env write_timeout=1s
-echo "faasd" | faas-cli invoke figlet
+    ```
+    faas-cli store deploy figlet --env write_timeout=1s
+    echo "faasd" | faas-cli invoke figlet
 
-faas-cli describe figlet
+    faas-cli describe figlet
 
-# Run async
-curl -i -d "faasd-async" $OPENFAAS_URL/async-function/figlet
+    # Run async
+    curl -i -d "faasd-async" $OPENFAAS_URL/async-function/figlet
 
-# Run async with a callback
+    # Run async with a callback
 
-curl -i -d "faasd-async" -H "X-Callback-Url: http://some-request-bin.com/path" $OPENFAAS_URL/async-function/figlet
-```
+    curl -i -d "faasd-async" -H "X-Callback-Url: http://some-request-bin.com/path" $OPENFAAS_URL/async-function/figlet
+    ```
 
-You can also checkout the other store functions: `faas-cli store list`
+    You can also checkout the other store functions: `faas-cli store list`
 
 * Try the UI
 
-Head over to the UI from your laptop and remember that your password is in the `basic-auth-password` file. The username is `admin`:
+    Head over to the UI from your laptop and remember that your password is in the `basic-auth-password` file. The username is `admin`:
 
-```
-echo http://$IP:8080
-```
+    ```
+    echo http://$IP:8080
+    ```
 
 * Stop/start the instance
 
-```sh
-multipass stop faasd
-```
+    ```sh
+    multipass stop faasd
+    ```
 
 * Delete, if you want to:
 
-```
-multipass delete --purge faasd
-```
+    ```
+    multipass delete --purge faasd
+    ```
 
 You now have a faasd appliance on your Mac. You can also use this cloud-init file with public cloud like AWS or DigitalOcean.
 

docs/PATCHES.md

@@ -0,0 +1,88 @@
+## Instructions for testing a patch for faasd
+
+### Launch a virtual machine
+
+You can use any kind of Linux virtual machine, Ubuntu 20.04 is recommended.
+
+Launch a cloud VM or use [Multipass](https://multipass.run), which is free to use an can be run locally. A Raspberry Pi 3 or 4 could also be used, but will need you to run `make dist` to cross compile a valid binary.
+
+### Copy over your SSH key
+
+Your SSH key will be used, so that you can copy a new faasd binary over to the host.
+
+```bash
+multipass launch \
+  --mem 4G \
+  -c 2 \
+  -n faasd
+
+# Then access its shell
+multipass shell faasd
+
+# Edit .ssh/authorized_keys
+
+# Add .ssh/id_rsa.pub from your host and save the file
+```
+
+### Install faasd on the VM
+
+You start off with the upstream version of faasd on the host, then add the new version over the top later on.
+
+```bash
+cd /tmp/
+git clone https://github.com/openfaas/faasd --depth=1
+cd faasd/hack
+./install.sh
+
+# Run the login command given to you at the end of the script
+```
+
+Get the multipass IP address:
+
+```bash
+export IP=$(multipass info faasd --format json| jq -r '.info.faasd.ipv4[0]')
+```
+
+### Build a new faasd binary with the patch
+
+Check out faasd on your local computer
+
+```bash
+git clone https://github.com/openfaas/faasd
+cd faasd
+
+gh pr checkout #PR_NUMBER_HERE
+
+GOOS=linux go build
+
+# You can also run "make dist" which is slower, but includes
+# a version and binaries for other platforms such as the Raspberry Pi
+```
+
+### Copy it over to the VM
+
+Now build a new faasd binary and copy it to the VM:
+
+```bash
+scp faasd ubuntu@$IP:~/
+```
+
+Now deploy the new version on the VM:
+
+```bash
+killall -9 faasd-linux; killall -9 faasd-linux ; mv ./faasd-linux /usr/local/bin/faasd
+```
+
+### Check it worked and test that patch
+
+Now run a command with `faas-cli` such as:
+
+* `faas-cli list`
+* `faas-cli version`
+
+See the testing instructions on the PR and run through those steps.
+
+Post your results on GitHub to assist the creator of the pull request.
+
+You can see how to get the logs for various components using the [eBook Serverless For Everyone Else](https://gumroad.com/l/serverless-for-everyone-else), or by consulting the [DEV.md](/docs/DEV.md) guide.
+

docs/ROADMAP.md

@@ -75,10 +75,10 @@ sudo systemctl restart faasd
 
 Should have:
 
-* [ ] Resolve core services from functions by populating/sharing `/etc/hosts` between `faasd` and `faasd-provider`
-* [ ] Docs or examples on how to use the various connectors and connector-sdk
+* [ ] Offer a recommendation or implement a strategy for faasd replication/HA
 * [ ] Monitor and restart any of the core components at runtime if the container stops
-* [ ] Asynchronous deletion instead of synchronous
+* [ ] Asynchronous function deletion instead of synchronous
+* [ ] Asynchronous function start-up instead of synchronous
 
 Nice to Have:
 
@@ -89,6 +89,8 @@ Nice to Have:
 
 ### Completed
 
+* [x] Docs or examples on how to use the various event connectors (Yes in the eBook)
+* [x] Resolve core services from functions by populating/sharing `/etc/hosts` between `faasd` and `faasd-provider`
 * [x] Provide a cloud-init configuration for faasd bootstrap
 * [x] Configure core services from a docker-compose.yaml file
 * [x] Store and fetch logs from the journal

docs/bootstrap/.terraform.lock.hcl

@@ -0,0 +1,66 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/digitalocean/digitalocean" {
+  version     = "2.11.0"
+  constraints = "2.11.0"
+  hashes = [
+    "h1:/qAnTOSP5KeZkF7wqLai34SKAs7aefulcUA3I8R7rRg=",
+    "h1:PbXtjUfvxwmkycJ0Y9Dyn66Arrpk5L8/P381SXMx2O0=",
+    "h1:lXLX9tmuxV7azTHd0xB0FAVrxyfBtotIz5LEJp8YUk0=",
+    "zh:2191adc79bdfdb3b733e0619e4f391ae91c1631c5dafda42dab561d943651fa4",
+    "zh:21a4f67e42dcdc10fbd7f8579247594844d09a469a3a54862d565913e4d6121d",
+    "zh:557d98325fafcf2db91ea6d92f65373a48c4e995a1a7aeb57009661fee675250",
+    "zh:68c0238cafc37433627e288fcd2c7e14f4f0afdd50b4f265d8d1f1addab6f19f",
+    "zh:7e6d69720734455eb1c69880f049650276089b7fa09085e130d224abaeec887a",
+    "zh:95bd93a696ec050c1cb5e724498fd12b1d69760d01e97c869be3252025691434",
+    "zh:b1b075049e33aa08c032f41a497351c9894f16287a4449032d8b805bc6dcb596",
+    "zh:ba91aa853372c828f808c09dbab2a5bc9493a7cf93210d1487f9637b2cac8ca4",
+    "zh:bc43d27dfe014266697c2ac259f4311300391aa6aa7c5d23e382fe296df938d5",
+    "zh:d3a04d2c76bfc1f46a117b1af7870a97353319ee8f924a37fe77861519f59525",
+    "zh:d3da997c05a653df6cabb912c6c05ceb6bf77219b699f04daf44fd795c81c6ed",
+    "zh:edd0659021b6634acf0f581d1be1985a81fcd1182e3ccb43de6eac6c43be9ab4",
+    "zh:f588ace57b6c35d509ecaa7136e6a8049d227b0674104a1f958359b84862d8e3",
+    "zh:f894ed195a3b9ebbfa1ba7c5d71be06df3a96d783ff064d22dd693ace34d638e",
+    "zh:fb6b0d4b111fafdcb3bb9a7dbab88e2110a6ce6324de64ecf62933ee8b651ccf",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.1.0"
+  hashes = [
+    "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=",
+    "h1:EPIax4Ftp2SNdB9pUfoSjxoueDoLc/Ck3EUoeX0Dvsg=",
+    "h1:rKYu5ZUbXwrLG1w81k7H3nce/Ys6yAxXhWcbtk36HjY=",
+    "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc",
+    "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626",
+    "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff",
+    "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2",
+    "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992",
+    "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427",
+    "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc",
+    "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f",
+    "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b",
+    "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7",
+    "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/template" {
+  version = "2.2.0"
+  hashes = [
+    "h1:0wlehNaxBX7GJQnPfQwTNvvAf38Jm0Nv7ssKGMaG6Og=",
+    "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=",
+    "h1:LN84cu+BZpVRvYlCzrbPfCRDaIelSyEx/W9Iwwgbnn4=",
+    "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386",
+    "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53",
+    "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603",
+    "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16",
+    "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776",
+    "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451",
+    "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae",
+    "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde",
+    "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d",
+    "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2",
+  ]
+}

docs/bootstrap/README.md

@@ -5,11 +5,18 @@
 3) Clone this gist using the URL from the address bar
 4) Run `terraform init`
 5) Run `terraform apply -var="do_token=$(cat $HOME/digitalocean-access-token)"`
-6) View the output for the login command and gateway URL i.e.
+6) View the output for the gateway URL
 
 ```
 gateway_url = http://178.128.39.201:8080/
+```
+7) View the output for sensitive data via `terraform output` command
+
+```bash
+terraform output login_cmd
 login_cmd = faas-cli login -g http://178.128.39.201:8080/ -p rvIU49CEcFcHmqxj
+
+terraform output password
 password = rvIU49CEcFcHmqxj
 ```
 

docs/bootstrap/cloud-config.tpl

@@ -1,8 +1,4 @@
 #cloud-config
-ssh_authorized_keys:
-## Note: Replace with your own public key
-  - ${ssh_key}
-
 package_update: true
 
 packages:
@@ -20,8 +16,8 @@ runcmd:
 - mkdir -p /var/lib/faasd/secrets/
 - echo ${gw_password} > /var/lib/faasd/secrets/basic-auth-password
 - echo admin > /var/lib/faasd/secrets/basic-auth-user
-- cd /go/src/github.com/openfaas/ && git clone --depth 1 --branch 0.12.5 https://github.com/openfaas/faasd
-- curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.12.5/faasd" --output "/usr/local/bin/faasd" && chmod a+x "/usr/local/bin/faasd"
+- cd /go/src/github.com/openfaas/ && git clone --depth 1 --branch 0.13.0 https://github.com/openfaas/faasd
+- curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.13.0/faasd" --output "/usr/local/bin/faasd" && chmod a+x "/usr/local/bin/faasd"
 - cd /go/src/github.com/openfaas/faasd/ && /usr/local/bin/faasd install
 - systemctl status -l containerd --no-pager
 - journalctl -u faasd-provider --no-pager

docs/bootstrap/digitalocean-terraform/.terraform.lock.hcl

@@ -0,0 +1,66 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/digitalocean/digitalocean" {
+  version     = "2.11.0"
+  constraints = "2.11.0"
+  hashes = [
+    "h1:/qAnTOSP5KeZkF7wqLai34SKAs7aefulcUA3I8R7rRg=",
+    "h1:PbXtjUfvxwmkycJ0Y9Dyn66Arrpk5L8/P381SXMx2O0=",
+    "h1:lXLX9tmuxV7azTHd0xB0FAVrxyfBtotIz5LEJp8YUk0=",
+    "zh:2191adc79bdfdb3b733e0619e4f391ae91c1631c5dafda42dab561d943651fa4",
+    "zh:21a4f67e42dcdc10fbd7f8579247594844d09a469a3a54862d565913e4d6121d",
+    "zh:557d98325fafcf2db91ea6d92f65373a48c4e995a1a7aeb57009661fee675250",
+    "zh:68c0238cafc37433627e288fcd2c7e14f4f0afdd50b4f265d8d1f1addab6f19f",
+    "zh:7e6d69720734455eb1c69880f049650276089b7fa09085e130d224abaeec887a",
+    "zh:95bd93a696ec050c1cb5e724498fd12b1d69760d01e97c869be3252025691434",
+    "zh:b1b075049e33aa08c032f41a497351c9894f16287a4449032d8b805bc6dcb596",
+    "zh:ba91aa853372c828f808c09dbab2a5bc9493a7cf93210d1487f9637b2cac8ca4",
+    "zh:bc43d27dfe014266697c2ac259f4311300391aa6aa7c5d23e382fe296df938d5",
+    "zh:d3a04d2c76bfc1f46a117b1af7870a97353319ee8f924a37fe77861519f59525",
+    "zh:d3da997c05a653df6cabb912c6c05ceb6bf77219b699f04daf44fd795c81c6ed",
+    "zh:edd0659021b6634acf0f581d1be1985a81fcd1182e3ccb43de6eac6c43be9ab4",
+    "zh:f588ace57b6c35d509ecaa7136e6a8049d227b0674104a1f958359b84862d8e3",
+    "zh:f894ed195a3b9ebbfa1ba7c5d71be06df3a96d783ff064d22dd693ace34d638e",
+    "zh:fb6b0d4b111fafdcb3bb9a7dbab88e2110a6ce6324de64ecf62933ee8b651ccf",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.1.0"
+  hashes = [
+    "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=",
+    "h1:EPIax4Ftp2SNdB9pUfoSjxoueDoLc/Ck3EUoeX0Dvsg=",
+    "h1:rKYu5ZUbXwrLG1w81k7H3nce/Ys6yAxXhWcbtk36HjY=",
+    "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc",
+    "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626",
+    "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff",
+    "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2",
+    "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992",
+    "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427",
+    "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc",
+    "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f",
+    "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b",
+    "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7",
+    "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/template" {
+  version = "2.2.0"
+  hashes = [
+    "h1:0wlehNaxBX7GJQnPfQwTNvvAf38Jm0Nv7ssKGMaG6Og=",
+    "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=",
+    "h1:LN84cu+BZpVRvYlCzrbPfCRDaIelSyEx/W9Iwwgbnn4=",
+    "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386",
+    "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53",
+    "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603",
+    "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16",
+    "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776",
+    "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451",
+    "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae",
+    "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde",
+    "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d",
+    "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2",
+  ]
+}

docs/bootstrap/digitalocean-terraform/README.md

@@ -27,10 +27,20 @@
 ```
 droplet_ip = 178.128.39.201
 gateway_url = https://faasd.example.com/
-login_cmd = faas-cli login -g https://faasd.example.com/ -p rvIU49CEcFcHmqxj
+```
+
+8) View the output for sensitive data via `terraform output` command
+
+```bash
+terraform output login_cmd
+login_cmd = faas-cli login -g http://178.128.39.201:8080/ -p rvIU49CEcFcHmqxj
+
+terraform output password
 password = rvIU49CEcFcHmqxj
 ```
-8) Use your browser to access the OpenFaaS interface
+
+
+9) Use your browser to access the OpenFaaS interface
 
 Note that the user-data may take a couple of minutes to come up since it will be pulling in various components and preparing the machine. 
 Also take into consideration the DNS propagation time for the new DNS record.

docs/bootstrap/digitalocean-terraform/cloud-config.tpl

@@ -1,7 +1,4 @@
 #cloud-config
-ssh_authorized_keys:
-  - ${ssh_key}
-
 groups:
   - caddy
 
@@ -41,8 +38,8 @@ runcmd:
 - mkdir -p /var/lib/faasd/secrets/
 - echo ${gw_password} > /var/lib/faasd/secrets/basic-auth-password
 - echo admin > /var/lib/faasd/secrets/basic-auth-user
-- cd /go/src/github.com/openfaas/ && git clone --depth 1 --branch 0.12.5 https://github.com/openfaas/faasd
-- curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.12.5/faasd" --output "/usr/local/bin/faasd" && chmod a+x "/usr/local/bin/faasd"
+- cd /go/src/github.com/openfaas/ && git clone --depth 1 --branch 0.13.0 https://github.com/openfaas/faasd
+- curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.13.0/faasd" --output "/usr/local/bin/faasd" && chmod a+x "/usr/local/bin/faasd"
 - cd /go/src/github.com/openfaas/faasd/ && /usr/local/bin/faasd install
 - systemctl status -l containerd --no-pager
 - journalctl -u faasd-provider --no-pager

docs/bootstrap/digitalocean-terraform/main.tf

@@ -1,5 +1,11 @@
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 1.0.4"
+  required_providers {
+    digitalocean = {
+      source  = "digitalocean/digitalocean"
+      version = "2.11.0"
+    }
+  }
 }
 
 variable "do_token" {
@@ -10,7 +16,7 @@ variable "do_domain" {
 }
 variable "do_subdomain" {
   description = "Your public subdomain"
-  default = "faasd"
+  default     = "faasd"
 }
 variable "letsencrypt_email" {
   description = "Email used to order a certificate from Letsencrypt"
@@ -32,41 +38,44 @@ provider "digitalocean" {
   token = var.do_token
 }
 
-data "local_file" "ssh_key"{
-  filename = pathexpand(var.ssh_key_file)
-}
-
 resource "random_password" "password" {
-  length = 16
-  special = true
+  length           = 16
+  special          = true
   override_special = "_-#"
 }
 
 data "template_file" "cloud_init" {
-  template = "${file("cloud-config.tpl")}"
-    vars = {
-      gw_password=random_password.password.result,
-      ssh_key=data.local_file.ssh_key.content,
-      faasd_domain_name="${var.do_subdomain}.${var.do_domain}"
-      letsencrypt_email=var.letsencrypt_email
-    }
+  template = file("cloud-config.tpl")
+  vars = {
+    gw_password       = random_password.password.result,
+    faasd_domain_name = "${var.do_subdomain}.${var.do_domain}"
+    letsencrypt_email = var.letsencrypt_email
+  }
+}
+
+resource "digitalocean_ssh_key" "faasd_ssh_key" {
+  name       = "ssh-key"
+  public_key = file(var.ssh_key_file)
 }
 
 resource "digitalocean_droplet" "faasd" {
-  region = var.do_region
-  image  = "ubuntu-18-04-x64"
-  name   = "faasd"
-  size = "s-1vcpu-1gb"
+  region    = var.do_region
+  image     = "ubuntu-18-04-x64"
+  name      = "faasd"
+  size      = "s-1vcpu-1gb"
   user_data = data.template_file.cloud_init.rendered
+  ssh_keys = [
+    digitalocean_ssh_key.faasd_ssh_key.id
+  ]
 }
 
 resource "digitalocean_record" "faasd" {
   domain = var.do_domain
   type   = "A"
-  name   = "faasd"
+  name   = var.do_subdomain
   value  = digitalocean_droplet.faasd.ipv4_address
   # Only creates record if do_create_record is true
-  count  = var.do_create_record == true ? 1 : 0
+  count = var.do_create_record == true ? 1 : 0
 }
 
 output "droplet_ip" {
@@ -78,9 +87,11 @@ output "gateway_url" {
 }
 
 output "password" {
-    value = random_password.password.result
+  value     = random_password.password.result
+  sensitive = true
 }
 
 output "login_cmd" {
-  value = "faas-cli login -g https://${var.do_subdomain}.${var.do_domain}/ -p ${random_password.password.result}"
+  value     = "faas-cli login -g https://${var.do_subdomain}.${var.do_domain}/ -p ${random_password.password.result}"
+  sensitive = true
 }

docs/bootstrap/main.tf

@@ -1,5 +1,11 @@
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 1.0.4"
+  required_providers {
+    digitalocean = {
+      source  = "digitalocean/digitalocean"
+      version = "2.11.0"
+    }
+  }
 }
 
 variable "do_token" {}
@@ -14,21 +20,21 @@ provider "digitalocean" {
 }
 
 resource "random_password" "password" {
-  length = 16
-  special = true
+  length           = 16
+  special          = true
   override_special = "_-#"
 }
 
-data "local_file" "ssh_key"{
-  filename = pathexpand(var.ssh_key_file)
+data "template_file" "cloud_init" {
+  template = file("cloud-config.tpl")
+  vars = {
+    gw_password = random_password.password.result
+  }
 }
 
-data "template_file" "cloud_init" {
-  template = "${file("cloud-config.tpl")}"
-    vars = {
-      gw_password=random_password.password.result,
-      ssh_key=data.local_file.ssh_key.content,
-    }
+resource "digitalocean_ssh_key" "faasd_ssh_key" {
+  name       = "ssh-key"
+  public_key = file(var.ssh_key_file)
 }
 
 resource "digitalocean_droplet" "faasd" {
@@ -38,12 +44,16 @@ resource "digitalocean_droplet" "faasd" {
   name   = "faasd"
   # Plans: https://developers.digitalocean.com/documentation/changelog/api-v2/new-size-slugs-for-droplet-plan-changes/
   #size   = "512mb"
-  size = "s-1vcpu-1gb"
+  size      = "s-1vcpu-1gb"
   user_data = data.template_file.cloud_init.rendered
+  ssh_keys = [
+    digitalocean_ssh_key.faasd_ssh_key.id
+  ]
 }
 
 output "password" {
-    value = random_password.password.result
+  value     = random_password.password.result
+  sensitive = true
 }
 
 output "gateway_url" {
@@ -51,6 +61,7 @@ output "gateway_url" {
 }
 
 output "login_cmd" {
-  value = "faas-cli login -g http://${digitalocean_droplet.faasd.ipv4_address}:8080/ -p ${random_password.password.result}"
+  value     = "faas-cli login -g http://${digitalocean_droplet.faasd.ipv4_address}:8080/ -p ${random_password.password.result}"
+  sensitive = true
 }
 

hack/build-containerd-arm64.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# See pre-reqs:
+# https://github.com/alexellis/containerd-arm
+
+export ARCH="arm64"
+
+if [ ! -d "/usr/local/go/bin" ]; then
+    echo "Downloading Go.."
+    
+    curl -SLsf https://golang.org/dl/go1.16.6.linux-$ARCH.tar.gz --output /tmp/go.tgz
+    sudo rm -rf /usr/local/go/
+    sudo mkdir -p /usr/local/go/
+    sudo tar -xvf /tmp/go.tgz -C /usr/local/go/ --strip-components=1
+else
+    echo "Go already present, skipping."
+fi
+
+export GOPATH=$HOME/go/
+export PATH=$PATH:/usr/local/go/bin/
+
+go version
+
+echo "Building containerd"
+
+mkdir -p $GOPATH/src/github.com/containerd
+cd $GOPATH/src/github.com/containerd
+git clone https://github.com/containerd/containerd
+
+cd containerd
+git fetch origin --tags
+git checkout v1.5.4
+
+make
+sudo make install
+
+sudo containerd --version

hack/build-containerd-armhf.sh

@@ -1,12 +1,20 @@
 #!/bin/bash
 
-export ARCH="armv6l"
-echo "Downloading Go"
+# See pre-reqs:
+# https://github.com/alexellis/containerd-arm
 
-curl -SLsf https://golang.org/dl/go1.16.6.linux-$ARCH.tar.gz --output /tmp/go.tgz
-sudo rm -rf /usr/local/go/
-sudo mkdir -p /usr/local/go/
-sudo tar -xvf /tmp/go.tgz -C /usr/local/go/ --strip-components=1
+export ARCH="arm64"
+
+if [ ! -d "/usr/local/go/bin" ]; then
+    echo "Downloading Go.."
+    
+    curl -SLsf https://golang.org/dl/go1.16.6.linux-$ARCH.tar.gz --output /tmp/go.tgz
+    sudo rm -rf /usr/local/go/
+    sudo mkdir -p /usr/local/go/
+    sudo tar -xvf /tmp/go.tgz -C /usr/local/go/ --strip-components=1
+else
+    echo "Go already present, skipping."
+fi
 
 export GOPATH=$HOME/go/
 export PATH=$PATH:/usr/local/go/bin/

hack/build-containerd.sh

@@ -1,12 +1,21 @@
 #!/bin/bash
 
-export ARCH="amd64"
-echo "Downloading Go"
 
-curl -SLsf https://golang.org/dl/go1.16.6.linux-$ARCH.tar.gz --output /tmp/go.tgz
-sudo rm -rf /usr/local/go/
-sudo mkdir -p /usr/local/go/
-sudo tar -xvf /tmp/go.tgz -C /usr/local/go/ --strip-components=1
+# See pre-reqs:
+# https://github.com/alexellis/containerd-arm
+
+export ARCH="arm64"
+
+if [ ! -d "/usr/local/go/bin" ]; then
+    echo "Downloading Go.."
+    
+    curl -SLsf https://golang.org/dl/go1.16.6.linux-$ARCH.tar.gz --output /tmp/go.tgz
+    sudo rm -rf /usr/local/go/
+    sudo mkdir -p /usr/local/go/
+    sudo tar -xvf /tmp/go.tgz -C /usr/local/go/ --strip-components=1
+else
+    echo "Go already present, skipping."
+fi
 
 export GOPATH=$HOME/go/
 export PATH=$PATH:/usr/local/go/bin/

hack/faasd-provider.service

@@ -5,6 +5,7 @@ Description=faasd-provider
 MemoryLimit=500M
 Environment="secret_mount_path={{.SecretMountPath}}"
 Environment="basic_auth=true"
+Environment="hosts_dir=/var/lib/faasd"
 ExecStart=/usr/local/bin/faasd provider
 Restart=on-failure
 RestartSec=10s

hack/install.sh

@@ -39,6 +39,10 @@ has_apt_get() {
   [ -n "$(command -v apt-get)" ]
 }
 
+has_pacman() {
+  [ -n "$(command -v pacman)" ]
+}
+
 install_required_packages() {
   if $(has_apt_get); then
     $SUDO apt-get update -y
@@ -46,8 +50,11 @@ install_required_packages() {
   elif $(has_yum); then
     $SUDO yum check-update -y
     $SUDO yum install -y curl runc
+  elif $(has_pacman); then
+    $SUDO pacman -Syy
+    $SUDO pacman -Sy curl runc bridge-utils
   else
-    fatal "Could not find apt-get or yum. Cannot install dependencies on this OS."
+    fatal "Could not find apt-get, yum, or pacman. Cannot install dependencies on this OS."
     exit 1
   fi
 }

pkg/constants.go

@@ -1,11 +1,14 @@
 package pkg
 
 const (
-	// FunctionNamespace is the default containerd namespace functions are created
-	FunctionNamespace = "openfaas-fn"
+	// DefaultFunctionNamespace is the default containerd namespace functions are created
+	DefaultFunctionNamespace = "openfaas-fn"
 
-	// faasdNamespace is the containerd namespace services are created
-	faasdNamespace = "openfaas"
+	// NamespaceLabel indicates that a namespace is managed by faasd
+	NamespaceLabel = "openfaas"
+
+	// FaasdNamespace is the containerd namespace services are created
+	FaasdNamespace = "openfaas"
 
 	faasServicesPullAlways = false
 

pkg/logs/requestor.go

@@ -71,7 +71,7 @@ func buildCmd(ctx context.Context, req logs.Request) *exec.Cmd {
 
 	namespace := req.Namespace
 	if namespace == "" {
-		namespace = faasd.FunctionNamespace
+		namespace = faasd.DefaultFunctionNamespace
 	}
 
 	// find the description of the fields here

pkg/provider/handlers/delete.go

@@ -13,7 +13,6 @@ import (
 	gocni "github.com/containerd/go-cni"
 	"github.com/openfaas/faas/gateway/requests"
 
-	faasd "github.com/openfaas/faasd/pkg"
 	cninetwork "github.com/openfaas/faasd/pkg/cninetwork"
 	"github.com/openfaas/faasd/pkg/service"
 )
@@ -41,9 +40,23 @@ func MakeDeleteHandler(client *containerd.Client, cni gocni.CNI) func(w http.Res
 			return
 		}
 
+		lookupNamespace := getRequestNamespace(readNamespaceFromQuery(r))
+
+		// Check if namespace exists, and it has the openfaas label
+		valid, err := validNamespace(client.NamespaceService(), lookupNamespace)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		if !valid {
+			http.Error(w, "namespace not valid", http.StatusBadRequest)
+			return
+		}
+
 		name := req.FunctionName
 
-		function, err := GetFunction(client, name)
+		function, err := GetFunction(client, name, lookupNamespace)
 		if err != nil {
 			msg := fmt.Sprintf("service %s not found", name)
 			log.Printf("[Delete] %s\n", msg)
@@ -51,7 +64,7 @@ func MakeDeleteHandler(client *containerd.Client, cni gocni.CNI) func(w http.Res
 			return
 		}
 
-		ctx := namespaces.WithNamespace(context.Background(), faasd.FunctionNamespace)
+		ctx := namespaces.WithNamespace(context.Background(), lookupNamespace)
 
 		// TODO: this needs to still happen if the task is paused
 		if function.replicas != 0 {

pkg/provider/handlers/deploy.go

@@ -20,7 +20,6 @@ import (
 	"github.com/docker/distribution/reference"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/openfaas/faas-provider/types"
-	faasd "github.com/openfaas/faasd/pkg"
 	cninetwork "github.com/openfaas/faasd/pkg/cninetwork"
 	"github.com/openfaas/faasd/pkg/service"
 	"github.com/pkg/errors"
@@ -52,15 +51,32 @@ func MakeDeployHandler(client *containerd.Client, cni gocni.CNI, secretMountPath
 			return
 		}
 
-		err = validateSecrets(secretMountPath, req.Secrets)
+		namespace := getRequestNamespace(req.Namespace)
+
+		// Check if namespace exists, and it has the openfaas label
+		valid, err := validNamespace(client.NamespaceService(), namespace)
+
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		if !valid {
+			http.Error(w, "namespace not valid", http.StatusBadRequest)
+			return
+		}
+
+		namespaceSecretMountPath := getNamespaceSecretMountPath(secretMountPath, namespace)
+		err = validateSecrets(namespaceSecretMountPath, req.Secrets)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
 		}
 
 		name := req.Service
-		ctx := namespaces.WithNamespace(context.Background(), faasd.FunctionNamespace)
+		ctx := namespaces.WithNamespace(context.Background(), namespace)
 
-		deployErr := deploy(ctx, req, client, cni, secretMountPath, alwaysPull)
+		deployErr := deploy(ctx, req, client, cni, namespaceSecretMountPath, alwaysPull)
 		if deployErr != nil {
 			log.Printf("[Deploy] error deploying %s, error: %s\n", name, deployErr)
 			http.Error(w, deployErr.Error(), http.StatusBadRequest)
@@ -110,7 +126,7 @@ func deploy(ctx context.Context, req types.FunctionDeployment, client *container
 	}
 
 	envs := prepareEnv(req.EnvProcess, req.EnvVars)
-	mounts := getMounts()
+	mounts := getOSMounts()
 
 	for _, secret := range req.Secrets {
 		mounts = append(mounts, specs.Mount{
@@ -125,7 +141,7 @@ func deploy(ctx context.Context, req types.FunctionDeployment, client *container
 
 	labels, err := buildLabels(&req)
 	if err != nil {
-		return fmt.Errorf("Unable to apply labels to conatiner: %s, error: %s", name, err)
+		return fmt.Errorf("unable to apply labels to container: %s, error: %w", name, err)
 	}
 
 	var memory *specs.LinuxMemory
@@ -156,7 +172,7 @@ func deploy(ctx context.Context, req types.FunctionDeployment, client *container
 	)
 
 	if err != nil {
-		return fmt.Errorf("unable to create container: %s, error: %s", name, err)
+		return fmt.Errorf("unable to create container: %s, error: %w", name, err)
 	}
 
 	return createTask(ctx, client, container, cni)
@@ -194,7 +210,7 @@ func createTask(ctx context.Context, client *containerd.Client, container contai
 	task, taskErr := container.NewTask(ctx, cio.BinaryIO("/usr/local/bin/faasd", nil))
 
 	if taskErr != nil {
-		return fmt.Errorf("unable to start task: %s, error: %s", name, taskErr)
+		return fmt.Errorf("unable to start task: %s, error: %w", name, taskErr)
 	}
 
 	log.Printf("Container ID: %s\tTask ID %s:\tTask PID: %d\t\n", name, task.ID(), task.Pid())
@@ -246,20 +262,28 @@ func prepareEnv(envProcess string, reqEnvVars map[string]string) []string {
 	return envs
 }
 
-func getMounts() []specs.Mount {
-	wd, _ := os.Getwd()
+// getOSMounts provides a mount for os-specific files such
+// as the hosts file and resolv.conf
+func getOSMounts() []specs.Mount {
+	// Prior to hosts_dir env-var, this value was set to
+	// os.Getwd()
+	hostsDir := "/var/lib/faasd"
+	if v, ok := os.LookupEnv("hosts_dir"); ok && len(v) > 0 {
+		hostsDir = v
+	}
+
 	mounts := []specs.Mount{}
 	mounts = append(mounts, specs.Mount{
 		Destination: "/etc/resolv.conf",
 		Type:        "bind",
-		Source:      path.Join(wd, "resolv.conf"),
+		Source:      path.Join(hostsDir, "resolv.conf"),
 		Options:     []string{"rbind", "ro"},
 	})
 
 	mounts = append(mounts, specs.Mount{
 		Destination: "/etc/hosts",
 		Type:        "bind",
-		Source:      path.Join(wd, "hosts"),
+		Source:      path.Join(hostsDir, "hosts"),
 		Options:     []string{"rbind", "ro"},
 	})
 	return mounts

pkg/provider/handlers/deploy_test.go

@@ -53,7 +53,7 @@ func Test_BuildLabels_WithAnnotations(t *testing.T) {
 			}
 
 			if !reflect.DeepEqual(val, tc.result) {
-				t.Errorf("Got: %s, expected %s", val, tc.result)
+				t.Errorf("Want: %s, got: %s", val, tc.result)
 			}
 		})
 	}

pkg/provider/handlers/functions.go

@@ -2,6 +2,7 @@ package handlers
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"log"
 	"strings"
@@ -11,9 +12,9 @@ import (
 
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/namespaces"
-	"github.com/openfaas/faasd/pkg/cninetwork"
-
+	"github.com/openfaas/faasd/pkg"
 	faasd "github.com/openfaas/faasd/pkg"
+	"github.com/openfaas/faasd/pkg/cninetwork"
 )
 
 type Function struct {
@@ -28,12 +29,24 @@ type Function struct {
 	secrets     []string
 	envVars     map[string]string
 	envProcess  string
+	memoryLimit int64
 	createdAt   time.Time
 }
 
 // ListFunctions returns a map of all functions with running tasks on namespace
-func ListFunctions(client *containerd.Client) (map[string]*Function, error) {
-	ctx := namespaces.WithNamespace(context.Background(), faasd.FunctionNamespace)
+func ListFunctions(client *containerd.Client, namespace string) (map[string]*Function, error) {
+
+	// Check if namespace exists, and it has the openfaas label
+	valid, err := validNamespace(client.NamespaceService(), namespace)
+	if err != nil {
+		return nil, err
+	}
+
+	if !valid {
+		return nil, errors.New("namespace not valid")
+	}
+
+	ctx := namespaces.WithNamespace(context.Background(), namespace)
 	functions := make(map[string]*Function)
 
 	containers, err := client.Containers(ctx)
@@ -43,7 +56,7 @@ func ListFunctions(client *containerd.Client) (map[string]*Function, error) {
 
 	for _, c := range containers {
 		name := c.ID()
-		f, err := GetFunction(client, name)
+		f, err := GetFunction(client, name, namespace)
 		if err != nil {
 			log.Printf("error getting function %s: ", name)
 			return functions, err
@@ -55,13 +68,13 @@ func ListFunctions(client *containerd.Client) (map[string]*Function, error) {
 }
 
 // GetFunction returns a function that matches name
-func GetFunction(client *containerd.Client, name string) (Function, error) {
-	ctx := namespaces.WithNamespace(context.Background(), faasd.FunctionNamespace)
+func GetFunction(client *containerd.Client, name string, namespace string) (Function, error) {
+	ctx := namespaces.WithNamespace(context.Background(), namespace)
 	fn := Function{}
 
 	c, err := client.LoadContainer(ctx, name)
 	if err != nil {
-		return Function{}, fmt.Errorf("unable to find function: %s, error %s", name, err)
+		return Function{}, fmt.Errorf("unable to find function: %s, error %w", name, err)
 	}
 
 	image, err := c.Image(ctx)
@@ -73,26 +86,26 @@ func GetFunction(client *containerd.Client, name string) (Function, error) {
 	allLabels, labelErr := c.Labels(ctx)
 
 	if labelErr != nil {
-		log.Printf("cannot list container %s labels: %s", containerName, labelErr.Error())
+		log.Printf("cannot list container %s labels: %s", containerName, labelErr)
 	}
 
 	labels, annotations := buildLabelsAndAnnotations(allLabels)
 
 	spec, err := c.Spec(ctx)
 	if err != nil {
-		return Function{}, fmt.Errorf("unable to load function spec for reading secrets: %s, error %s", name, err)
+		return Function{}, fmt.Errorf("unable to load function %s error: %w", name, err)
 	}
 
 	info, err := c.Info(ctx)
 	if err != nil {
-		return Function{}, fmt.Errorf("can't load info for: %s, error %s", name, err)
+		return Function{}, fmt.Errorf("can't load info for: %s, error %w", name, err)
 	}
 
 	envVars, envProcess := readEnvFromProcessEnv(spec.Process.Env)
 	secrets := readSecretsFromMounts(spec.Mounts)
 
 	fn.name = containerName
-	fn.namespace = faasd.FunctionNamespace
+	fn.namespace = namespace
 	fn.image = image.Name()
 	fn.labels = labels
 	fn.annotations = annotations
@@ -100,6 +113,7 @@ func GetFunction(client *containerd.Client, name string) (Function, error) {
 	fn.envVars = envVars
 	fn.envProcess = envProcess
 	fn.createdAt = info.CreatedAt
+	fn.memoryLimit = readMemoryLimitFromSpec(spec)
 
 	replicas := 0
 	task, err := c.Task(ctx, nil)
@@ -107,7 +121,7 @@ func GetFunction(client *containerd.Client, name string) (Function, error) {
 		// Task for container exists
 		svc, err := task.Status(ctx)
 		if err != nil {
-			return Function{}, fmt.Errorf("unable to get task status for container: %s %s", name, err)
+			return Function{}, fmt.Errorf("unable to get task status for container: %s %w", name, err)
 		}
 
 		if svc.Status == "running" {
@@ -181,3 +195,48 @@ func buildLabelsAndAnnotations(ctrLabels map[string]string) (map[string]string,
 
 	return labels, annotations
 }
+
+func ListNamespaces(client *containerd.Client) []string {
+	set := []string{}
+	store := client.NamespaceService()
+	namespaces, err := store.List(context.Background())
+	if err != nil {
+		log.Printf("Error listing namespaces: %s", err.Error())
+		set = append(set, faasd.DefaultFunctionNamespace)
+		return set
+	}
+
+	for _, namespace := range namespaces {
+		labels, err := store.Labels(context.Background(), namespace)
+		if err != nil {
+			log.Printf("Error listing label for namespace %s: %s", namespace, err.Error())
+			continue
+		}
+
+		if _, found := labels[pkg.NamespaceLabel]; found {
+			set = append(set, namespace)
+		}
+
+		if !findNamespace(faasd.DefaultFunctionNamespace, set) {
+			set = append(set, faasd.DefaultFunctionNamespace)
+		}
+	}
+
+	return set
+}
+
+func findNamespace(target string, items []string) bool {
+	for _, n := range items {
+		if n == target {
+			return true
+		}
+	}
+	return false
+}
+
+func readMemoryLimitFromSpec(spec *specs.Spec) int64 {
+	if spec.Linux == nil || spec.Linux.Resources == nil || spec.Linux.Resources.Memory == nil || spec.Linux.Resources.Memory.Limit == nil {
+		return 0
+	}
+	return *spec.Linux.Resources.Memory.Limit
+}

pkg/provider/handlers/functions_test.go

@@ -2,9 +2,10 @@ package handlers
 
 import (
 	"fmt"
-	"github.com/opencontainers/runtime-spec/specs-go"
 	"reflect"
 	"testing"
+
+	"github.com/opencontainers/runtime-spec/specs-go"
 )
 
 func Test_BuildLabelsAndAnnotationsFromServiceSpec_Annotations(t *testing.T) {
@@ -31,56 +32,102 @@ func Test_BuildLabelsAndAnnotationsFromServiceSpec_Annotations(t *testing.T) {
 }
 
 func Test_SplitMountToSecrets(t *testing.T) {
-	type test struct {
-		Name     string
-		Input    []specs.Mount
-		Expected []string
+	type testCase struct {
+		Name  string
+		Input []specs.Mount
+		Want  []string
 	}
-	tests := []test{
-		{Name: "No matching openfaas secrets", Input: []specs.Mount{{Destination: "/foo/"}}, Expected: []string{}},
-		{Name: "Nil mounts", Input: nil, Expected: []string{}},
-		{Name: "No Mounts", Input: []specs.Mount{{Destination: "/foo/"}}, Expected: []string{}},
-		{Name: "One Mounts IS secret", Input: []specs.Mount{{Destination: "/var/openfaas/secrets/secret1"}}, Expected: []string{"secret1"}},
-		{Name: "Multiple Mounts 1 secret", Input: []specs.Mount{{Destination: "/var/openfaas/secrets/secret1"}, {Destination: "/some/other/path"}}, Expected: []string{"secret1"}},
-		{Name: "Multiple Mounts all secrets", Input: []specs.Mount{{Destination: "/var/openfaas/secrets/secret1"}, {Destination: "/var/openfaas/secrets/secret2"}}, Expected: []string{"secret1", "secret2"}},
+	tests := []testCase{
+		{Name: "No matching openfaas secrets", Input: []specs.Mount{{Destination: "/foo/"}}, Want: []string{}},
+		{Name: "Nil mounts", Input: nil, Want: []string{}},
+		{Name: "No Mounts", Input: []specs.Mount{{Destination: "/foo/"}}, Want: []string{}},
+		{Name: "One Mounts IS secret", Input: []specs.Mount{{Destination: "/var/openfaas/secrets/secret1"}}, Want: []string{"secret1"}},
+		{Name: "Multiple Mounts 1 secret", Input: []specs.Mount{{Destination: "/var/openfaas/secrets/secret1"}, {Destination: "/some/other/path"}}, Want: []string{"secret1"}},
+		{Name: "Multiple Mounts all secrets", Input: []specs.Mount{{Destination: "/var/openfaas/secrets/secret1"}, {Destination: "/var/openfaas/secrets/secret2"}}, Want: []string{"secret1", "secret2"}},
 	}
 
 	for _, tc := range tests {
 		t.Run(tc.Name, func(t *testing.T) {
 			got := readSecretsFromMounts(tc.Input)
-			if !reflect.DeepEqual(got, tc.Expected) {
-				t.Fatalf("expected %s, got %s", tc.Expected, got)
+			if !reflect.DeepEqual(got, tc.Want) {
+				t.Fatalf("Want %s, got %s", tc.Want, got)
 			}
 		})
 	}
 }
 
 func Test_ProcessEnvToEnvVars(t *testing.T) {
-	type test struct {
+	type testCase struct {
 		Name     string
 		Input    []string
-		Expected map[string]string
+		Want     map[string]string
 		fprocess string
 	}
-	tests := []test{
-		{Name: "No matching EnvVars", Input: []string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "fprocess=python index.py"}, Expected: make(map[string]string), fprocess: "python index.py"},
-		{Name: "No EnvVars", Input: []string{}, Expected: make(map[string]string), fprocess: ""},
-		{Name: "One EnvVar", Input: []string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "fprocess=python index.py", "env=this"}, Expected: map[string]string{"env": "this"}, fprocess: "python index.py"},
-		{Name: "Multiple EnvVars", Input: []string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "this=that", "env=var", "fprocess=python index.py"}, Expected: map[string]string{"this": "that", "env": "var"}, fprocess: "python index.py"},
-		{Name: "Nil EnvVars", Input: nil, Expected: make(map[string]string)},
+	tests := []testCase{
+		{Name: "No matching EnvVars", Input: []string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "fprocess=python index.py"}, Want: make(map[string]string), fprocess: "python index.py"},
+		{Name: "No EnvVars", Input: []string{}, Want: make(map[string]string), fprocess: ""},
+		{Name: "One EnvVar", Input: []string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "fprocess=python index.py", "env=this"}, Want: map[string]string{"env": "this"}, fprocess: "python index.py"},
+		{Name: "Multiple EnvVars", Input: []string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "this=that", "env=var", "fprocess=python index.py"}, Want: map[string]string{"this": "that", "env": "var"}, fprocess: "python index.py"},
+		{Name: "Nil EnvVars", Input: nil, Want: make(map[string]string)},
 	}
 
 	for _, tc := range tests {
 		t.Run(tc.Name, func(t *testing.T) {
 			got, fprocess := readEnvFromProcessEnv(tc.Input)
-			if !reflect.DeepEqual(got, tc.Expected) {
-				t.Fatalf("expected: %s, got: %s", tc.Expected, got)
+			if !reflect.DeepEqual(got, tc.Want) {
+				t.Fatalf("Want: %s, got: %s", tc.Want, got)
 			}
 
 			if fprocess != tc.fprocess {
-				t.Fatalf("expected fprocess: %s, got: %s", tc.fprocess, got)
+				t.Fatalf("Want fprocess: %s, got: %s", tc.fprocess, got)
 
 			}
 		})
 	}
 }
+
+func Test_findNamespace(t *testing.T) {
+	type testCase struct {
+		Name            string
+		foundNamespaces []string
+		namespace       string
+		Want            bool
+	}
+	tests := []testCase{
+		{Name: "Namespace Found", namespace: "fn", foundNamespaces: []string{"fn", "openfaas-fn"}, Want: true},
+		{Name: "namespace Not Found", namespace: "fn", foundNamespaces: []string{"openfaas-fn"}, Want: false},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.Name, func(t *testing.T) {
+			got := findNamespace(tc.namespace, tc.foundNamespaces)
+			if got != tc.Want {
+				t.Fatalf("Want %t, got %t", tc.Want, got)
+			}
+		})
+	}
+}
+
+func Test_readMemoryLimitFromSpec(t *testing.T) {
+	type testCase struct {
+		Name string
+		Spec *specs.Spec
+		Want int64
+	}
+	testLimit := int64(64)
+	tests := []testCase{
+		{Name: "specs.Linux not found", Spec: &specs.Spec{Linux: nil}, Want: int64(0)},
+		{Name: "specs.LinuxResource not found", Spec: &specs.Spec{Linux: &specs.Linux{Resources: nil}}, Want: int64(0)},
+		{Name: "specs.LinuxMemory not found", Spec: &specs.Spec{Linux: &specs.Linux{Resources: &specs.LinuxResources{Memory: nil}}}, Want: int64(0)},
+		{Name: "specs.LinuxMemory.Limit not found", Spec: &specs.Spec{Linux: &specs.Linux{Resources: &specs.LinuxResources{Memory: &specs.LinuxMemory{Limit: nil}}}}, Want: int64(0)},
+		{Name: "Memory limit set as Want", Spec: &specs.Spec{Linux: &specs.Linux{Resources: &specs.LinuxResources{Memory: &specs.LinuxMemory{Limit: &testLimit}}}}, Want: int64(64)},
+	}
+	for _, tc := range tests {
+		t.Run(tc.Name, func(t *testing.T) {
+			got := readMemoryLimitFromSpec(tc.Spec)
+			if got != tc.Want {
+				t.Fatalf("Want %d, got %d", tc.Want, got)
+			}
+		})
+	}
+}

pkg/provider/handlers/invoke_resolver.go

@@ -4,8 +4,10 @@ import (
 	"fmt"
 	"log"
 	"net/url"
+	"strings"
 
 	"github.com/containerd/containerd"
+	faasd "github.com/openfaas/faasd/pkg"
 )
 
 const watchdogPort = 8080
@@ -19,11 +21,18 @@ func NewInvokeResolver(client *containerd.Client) *InvokeResolver {
 }
 
 func (i *InvokeResolver) Resolve(functionName string) (url.URL, error) {
-	log.Printf("Resolve: %q\n", functionName)
+	actualFunctionName := functionName
+	log.Printf("Resolve: %q\n", actualFunctionName)
 
-	function, err := GetFunction(i.client, functionName)
+	namespace := getNamespace(functionName, faasd.DefaultFunctionNamespace)
+
+	if strings.Contains(functionName, ".") {
+		actualFunctionName = strings.TrimSuffix(functionName, "."+namespace)
+	}
+
+	function, err := GetFunction(i.client, actualFunctionName, namespace)
 	if err != nil {
-		return url.URL{}, fmt.Errorf("%s not found", functionName)
+		return url.URL{}, fmt.Errorf("%s not found", actualFunctionName)
 	}
 
 	serviceIP := function.IP
@@ -37,3 +46,11 @@ func (i *InvokeResolver) Resolve(functionName string) (url.URL, error) {
 
 	return *urlRes, nil
 }
+
+func getNamespace(name, defaultNamespace string) string {
+	namespace := defaultNamespace
+	if strings.Contains(name, ".") {
+		namespace = name[strings.LastIndexAny(name, ".")+1:]
+	}
+	return namespace
+}

pkg/provider/handlers/namespaces.go

@@ -0,0 +1,18 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/containerd/containerd"
+)
+
+func MakeNamespacesLister(client *containerd.Client) func(w http.ResponseWriter, r *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		list := ListNamespaces(client)
+		body, _ := json.Marshal(list)
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		w.Write(body)
+	}
+}

pkg/provider/handlers/read.go

@@ -5,6 +5,8 @@ import (
 	"log"
 	"net/http"
 
+	"k8s.io/apimachinery/pkg/api/resource"
+
 	"github.com/containerd/containerd"
 	"github.com/openfaas/faas-provider/types"
 )
@@ -13,8 +15,21 @@ func MakeReadHandler(client *containerd.Client) func(w http.ResponseWriter, r *h
 
 	return func(w http.ResponseWriter, r *http.Request) {
 
+		lookupNamespace := getRequestNamespace(readNamespaceFromQuery(r))
+		// Check if namespace exists, and it has the openfaas label
+		valid, err := validNamespace(client.NamespaceService(), lookupNamespace)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		if !valid {
+			http.Error(w, "namespace not valid", http.StatusBadRequest)
+			return
+		}
+
 		res := []types.FunctionStatus{}
-		fns, err := ListFunctions(client)
+		fns, err := ListFunctions(client, lookupNamespace)
 		if err != nil {
 			log.Printf("[Read] error listing functions. Error: %s\n", err)
 			http.Error(w, err.Error(), http.StatusBadRequest)
@@ -24,7 +39,8 @@ func MakeReadHandler(client *containerd.Client) func(w http.ResponseWriter, r *h
 		for _, fn := range fns {
 			annotations := &fn.annotations
 			labels := &fn.labels
-			res = append(res, types.FunctionStatus{
+			memory := resource.NewQuantity(fn.memoryLimit, resource.BinarySI)
+			status := types.FunctionStatus{
 				Name:        fn.name,
 				Image:       fn.image,
 				Replicas:    uint64(fn.replicas),
@@ -35,7 +51,16 @@ func MakeReadHandler(client *containerd.Client) func(w http.ResponseWriter, r *h
 				EnvVars:     fn.envVars,
 				EnvProcess:  fn.envProcess,
 				CreatedAt:   fn.createdAt,
-			})
+			}
+
+			// Do not remove below memory check for 0
+			// Memory limit should not be included in status until set explicitly
+			limit := &types.FunctionResources{Memory: memory.String()}
+			if limit.Memory != "0" {
+				status.Limits = limit
+			}
+
+			res = append(res, status)
 		}
 
 		body, _ := json.Marshal(res)

pkg/provider/handlers/replicas.go

@@ -14,8 +14,21 @@ func MakeReplicaReaderHandler(client *containerd.Client) func(w http.ResponseWri
 	return func(w http.ResponseWriter, r *http.Request) {
 		vars := mux.Vars(r)
 		functionName := vars["name"]
+		lookupNamespace := getRequestNamespace(readNamespaceFromQuery(r))
 
-		if f, err := GetFunction(client, functionName); err == nil {
+		// Check if namespace exists, and it has the openfaas label
+		valid, err := validNamespace(client.NamespaceService(), lookupNamespace)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		if !valid {
+			http.Error(w, "namespace not valid", http.StatusBadRequest)
+			return
+		}
+
+		if f, err := GetFunction(client, functionName, lookupNamespace); err == nil {
 			found := types.FunctionStatus{
 				Name:              functionName,
 				AvailableReplicas: uint64(f.replicas),

pkg/provider/handlers/scale.go

@@ -13,7 +13,6 @@ import (
 	gocni "github.com/containerd/go-cni"
 
 	"github.com/openfaas/faas-provider/types"
-	faasd "github.com/openfaas/faasd/pkg"
 )
 
 func MakeReplicaUpdateHandler(client *containerd.Client, cni gocni.CNI) func(w http.ResponseWriter, r *http.Request) {
@@ -40,16 +39,30 @@ func MakeReplicaUpdateHandler(client *containerd.Client, cni gocni.CNI) func(w h
 			return
 		}
 
+		namespace := getRequestNamespace(readNamespaceFromQuery(r))
+
+		// Check if namespace exists, and it has the openfaas label
+		valid, err := validNamespace(client.NamespaceService(), namespace)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		if !valid {
+			http.Error(w, "namespace not valid", http.StatusBadRequest)
+			return
+		}
+
 		name := req.ServiceName
 
-		if _, err := GetFunction(client, name); err != nil {
+		if _, err := GetFunction(client, name, namespace); err != nil {
 			msg := fmt.Sprintf("service %s not found", name)
 			log.Printf("[Scale] %s\n", msg)
 			http.Error(w, msg, http.StatusNotFound)
 			return
 		}
 
-		ctx := namespaces.WithNamespace(context.Background(), faasd.FunctionNamespace)
+		ctx := namespaces.WithNamespace(context.Background(), namespace)
 
 		ctr, ctrErr := client.LoadContainer(ctx, name)
 		if ctrErr != nil {

pkg/provider/handlers/secret.go

@@ -10,13 +10,14 @@ import (
 	"path"
 	"strings"
 
-	"github.com/containerd/containerd"
 	"github.com/openfaas/faas-provider/types"
+	provider "github.com/openfaas/faasd/pkg/provider"
 )
 
 const secretFilePermission = 0644
+const secretDirPermission = 0755
 
-func MakeSecretHandler(c *containerd.Client, mountPath string) func(w http.ResponseWriter, r *http.Request) {
+func MakeSecretHandler(store provider.Labeller, mountPath string) func(w http.ResponseWriter, r *http.Request) {
 
 	err := os.MkdirAll(mountPath, secretFilePermission)
 	if err != nil {
@@ -30,13 +31,13 @@ func MakeSecretHandler(c *containerd.Client, mountPath string) func(w http.Respo
 
 		switch r.Method {
 		case http.MethodGet:
-			listSecrets(c, w, r, mountPath)
+			listSecrets(store, w, r, mountPath)
 		case http.MethodPost:
-			createSecret(c, w, r, mountPath)
+			createSecret(w, r, mountPath)
 		case http.MethodPut:
-			createSecret(c, w, r, mountPath)
+			createSecret(w, r, mountPath)
 		case http.MethodDelete:
-			deleteSecret(c, w, r, mountPath)
+			deleteSecret(w, r, mountPath)
 		default:
 			w.WriteHeader(http.StatusBadRequest)
 			return
@@ -45,23 +46,46 @@ func MakeSecretHandler(c *containerd.Client, mountPath string) func(w http.Respo
 	}
 }
 
-func listSecrets(c *containerd.Client, w http.ResponseWriter, r *http.Request, mountPath string) {
-	files, err := ioutil.ReadDir(mountPath)
+func listSecrets(store provider.Labeller, w http.ResponseWriter, r *http.Request, mountPath string) {
+
+	lookupNamespace := getRequestNamespace(readNamespaceFromQuery(r))
+	// Check if namespace exists, and it has the openfaas label
+	valid, err := validNamespace(store, lookupNamespace)
 	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	if !valid {
+		http.Error(w, "namespace not valid", http.StatusBadRequest)
+		return
+	}
+
+	mountPath = getNamespaceSecretMountPath(mountPath, lookupNamespace)
+
+	files, err := os.ReadDir(mountPath)
+	if os.IsNotExist(err) {
+		bytesOut, _ := json.Marshal([]types.Secret{})
+		w.Write(bytesOut)
+		return
+	}
+
+	if err != nil {
+		fmt.Printf("Error Occured: %s \n", err)
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 
 	secrets := []types.Secret{}
 	for _, f := range files {
-		secrets = append(secrets, types.Secret{Name: f.Name()})
+		secrets = append(secrets, types.Secret{Name: f.Name(), Namespace: lookupNamespace})
 	}
 
 	bytesOut, _ := json.Marshal(secrets)
 	w.Write(bytesOut)
 }
 
-func createSecret(c *containerd.Client, w http.ResponseWriter, r *http.Request, mountPath string) {
+func createSecret(w http.ResponseWriter, r *http.Request, mountPath string) {
 	secret, err := parseSecret(r)
 	if err != nil {
 		log.Printf("[secret] error %s", err.Error())
@@ -69,7 +93,30 @@ func createSecret(c *containerd.Client, w http.ResponseWriter, r *http.Request,
 		return
 	}
 
-	err = ioutil.WriteFile(path.Join(mountPath, secret.Name), []byte(secret.Value), secretFilePermission)
+	err = validateSecret(secret)
+	if err != nil {
+		log.Printf("[secret] error %s", err.Error())
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	log.Printf("[secret] is valid: %q", secret.Name)
+	namespace := getRequestNamespace(secret.Namespace)
+	mountPath = getNamespaceSecretMountPath(mountPath, namespace)
+
+	err = os.MkdirAll(mountPath, secretDirPermission)
+	if err != nil {
+		log.Printf("[secret] error %s", err.Error())
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	data := secret.RawValue
+	if len(data) == 0 {
+		data = []byte(secret.Value)
+	}
+
+	err = ioutil.WriteFile(path.Join(mountPath, secret.Name), data, secretFilePermission)
 
 	if err != nil {
 		log.Printf("[secret] error %s", err.Error())
@@ -78,7 +125,7 @@ func createSecret(c *containerd.Client, w http.ResponseWriter, r *http.Request,
 	}
 }
 
-func deleteSecret(c *containerd.Client, w http.ResponseWriter, r *http.Request, mountPath string) {
+func deleteSecret(w http.ResponseWriter, r *http.Request, mountPath string) {
 	secret, err := parseSecret(r)
 	if err != nil {
 		log.Printf("[secret] error %s", err.Error())
@@ -86,6 +133,9 @@ func deleteSecret(c *containerd.Client, w http.ResponseWriter, r *http.Request,
 		return
 	}
 
+	namespace := getRequestNamespace(readNamespaceFromQuery(r))
+	mountPath = getNamespaceSecretMountPath(mountPath, namespace)
+
 	err = os.Remove(path.Join(mountPath, secret.Name))
 
 	if err != nil {
@@ -107,10 +157,6 @@ func parseSecret(r *http.Request) (types.Secret, error) {
 		return secret, err
 	}
 
-	if isTraversal(secret.Name) {
-		return secret, fmt.Errorf(traverseErrorSt)
-	}
-
 	return secret, err
 }
 
@@ -120,3 +166,13 @@ func isTraversal(name string) bool {
 	return strings.Contains(name, fmt.Sprintf("%s", string(os.PathSeparator))) ||
 		strings.Contains(name, "..")
 }
+
+func validateSecret(secret types.Secret) error {
+	if strings.TrimSpace(secret.Name) == "" {
+		return fmt.Errorf("non-empty name is required")
+	}
+	if isTraversal(secret.Name) {
+		return fmt.Errorf(traverseErrorSt)
+	}
+	return nil
+}

pkg/provider/handlers/secret_test.go

@@ -1,63 +1,252 @@
 package handlers
 
 import (
-	"bytes"
 	"encoding/json"
+	"fmt"
+	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strings"
 	"testing"
 
 	"github.com/openfaas/faas-provider/types"
+	"github.com/openfaas/faasd/pkg"
+	provider "github.com/openfaas/faasd/pkg/provider"
 )
 
-func Test_parseSecretValidName(t *testing.T) {
+func Test_parseSecret(t *testing.T) {
+	cases := []struct {
+		name      string
+		payload   string
+		expError  string
+		expSecret types.Secret
+	}{
+		{
+			name:      "no error when name is valid without extention and with no traversal",
+			payload:   `{"name": "authorized_keys", "value": "foo"}`,
+			expSecret: types.Secret{Name: "authorized_keys", Value: "foo"},
+		},
+		{
+			name:      "no error when name is valid and parses RawValue correctly",
+			payload:   `{"name": "authorized_keys", "rawValue": "YmFy"}`,
+			expSecret: types.Secret{Name: "authorized_keys", RawValue: []byte("bar")},
+		},
+		{
+			name:      "no error when name is valid with dot and with no traversal",
+			payload:   `{"name": "authorized.keys", "value": "foo"}`,
+			expSecret: types.Secret{Name: "authorized.keys", Value: "foo"},
+		},
+	}
 
-	s := types.Secret{Name: "authorized_keys"}
-	body, _ := json.Marshal(s)
-	reader := bytes.NewReader(body)
-	r := httptest.NewRequest(http.MethodPost, "/", reader)
-	_, err := parseSecret(r)
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			reader := strings.NewReader(tc.payload)
+			r := httptest.NewRequest(http.MethodPost, "/", reader)
+			secret, err := parseSecret(r)
+			if err != nil && tc.expError == "" {
+				t.Fatalf("unexpected error: %s", err)
+				return
+			}
 
+			if tc.expError != "" {
+				if err == nil {
+					t.Fatalf("expected error: %s, got nil", tc.expError)
+				}
+				if err.Error() != tc.expError {
+					t.Fatalf("expected error: %s, got: %s", tc.expError, err)
+				}
+
+				return
+			}
+
+			if !reflect.DeepEqual(secret, tc.expSecret) {
+				t.Fatalf("expected secret: %+v, got: %+v", tc.expSecret, secret)
+			}
+		})
+	}
+}
+
+func TestSecretCreation(t *testing.T) {
+	mountPath, err := os.MkdirTemp("", "test_secret_creation")
 	if err != nil {
-		t.Fatalf("secret name is valid with no traversal characters")
+		t.Fatalf("unexpected error while creating temp directory: %s", err)
+	}
+
+	defer os.RemoveAll(mountPath)
+
+	handler := MakeSecretHandler(nil, mountPath)
+
+	cases := []struct {
+		name       string
+		verb       string
+		payload    string
+		status     int
+		secretPath string
+		secret     string
+		err        string
+	}{
+		{
+			name:    "returns error when the name contains a traversal",
+			verb:    http.MethodPost,
+			payload: `{"name": "/root/.ssh/authorized_keys", "value": "foo"}`,
+			status:  http.StatusBadRequest,
+			err:     "directory traversal found in name\n",
+		},
+		{
+			name:    "returns error when the name contains a traversal",
+			verb:    http.MethodPost,
+			payload: `{"name": "..", "value": "foo"}`,
+			status:  http.StatusBadRequest,
+			err:     "directory traversal found in name\n",
+		},
+		{
+			name:    "empty request returns a validation error",
+			verb:    http.MethodPost,
+			payload: `{}`,
+			status:  http.StatusBadRequest,
+			err:     "non-empty name is required\n",
+		},
+		{
+			name:       "can create secret from string",
+			verb:       http.MethodPost,
+			payload:    `{"name": "foo", "value": "bar"}`,
+			status:     http.StatusOK,
+			secretPath: "/openfaas-fn/foo",
+			secret:     "bar",
+		},
+		{
+			name:       "can create secret from raw value",
+			verb:       http.MethodPost,
+			payload:    `{"name": "foo", "rawValue": "YmFy"}`,
+			status:     http.StatusOK,
+			secretPath: "/openfaas-fn/foo",
+			secret:     "bar",
+		},
+		{
+			name:       "can create secret in non-default namespace from raw value",
+			verb:       http.MethodPost,
+			payload:    `{"name": "pity", "rawValue": "dGhlIGZvbw==", "namespace": "a-team"}`,
+			status:     http.StatusOK,
+			secretPath: "/a-team/pity",
+			secret:     "the foo",
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			req := httptest.NewRequest(tc.verb, "http://example.com/foo", strings.NewReader(tc.payload))
+			w := httptest.NewRecorder()
+
+			handler(w, req)
+
+			resp := w.Result()
+			if resp.StatusCode != tc.status {
+				t.Logf("response body: %s", w.Body.String())
+				t.Fatalf("expected status: %d, got: %d", tc.status, resp.StatusCode)
+			}
+
+			if resp.StatusCode != http.StatusOK && w.Body.String() != tc.err {
+				t.Fatalf("expected error message: %q, got %q", tc.err, w.Body.String())
+
+			}
+
+			if tc.secretPath != "" {
+				data, err := os.ReadFile(filepath.Join(mountPath, tc.secretPath))
+				if err != nil {
+					t.Fatalf("can not read the secret from disk: %s", err)
+				}
+
+				if string(data) != tc.secret {
+					t.Fatalf("expected secret value: %s, got %s", tc.secret, string(data))
+				}
+			}
+		})
 	}
 }
 
-func Test_parseSecretValidNameWithDot(t *testing.T) {
-
-	s := types.Secret{Name: "authorized.keys"}
-	body, _ := json.Marshal(s)
-	reader := bytes.NewReader(body)
-	r := httptest.NewRequest(http.MethodPost, "/", reader)
-	_, err := parseSecret(r)
-
+func TestListSecrets(t *testing.T) {
+	mountPath, err := os.MkdirTemp("", "test_secret_creation")
 	if err != nil {
-		t.Fatalf("secret name is valid with no traversal characters")
-	}
-}
-
-func Test_parseSecretWithTraversalWithSlash(t *testing.T) {
-
-	s := types.Secret{Name: "/root/.ssh/authorized_keys"}
-	body, _ := json.Marshal(s)
-	reader := bytes.NewReader(body)
-	r := httptest.NewRequest(http.MethodPost, "/", reader)
-	_, err := parseSecret(r)
-
-	if err == nil {
-		t.Fatalf("secret name should fail due to path traversal")
-	}
-}
-
-func Test_parseSecretWithTraversalWithDoubleDot(t *testing.T) {
-
-	s := types.Secret{Name: ".."}
-	body, _ := json.Marshal(s)
-	reader := bytes.NewReader(body)
-	r := httptest.NewRequest(http.MethodPost, "/", reader)
-	_, err := parseSecret(r)
-
-	if err == nil {
-		t.Fatalf("secret name should fail due to path traversal")
+		t.Fatalf("unexpected error while creating temp directory: %s", err)
+	}
+
+	defer os.RemoveAll(mountPath)
+
+	cases := []struct {
+		name       string
+		verb       string
+		namespace  string
+		labels     map[string]string
+		status     int
+		secretPath string
+		secret     string
+		err        string
+		expected   []types.Secret
+	}{
+		{
+			name:       "Get empty secret list for default namespace having no secret",
+			verb:       http.MethodGet,
+			status:     http.StatusOK,
+			secretPath: "/test-fn/foo",
+			secret:     "bar",
+			expected:   make([]types.Secret, 0),
+		},
+		{
+			name:       "Get empty secret list for non-default namespace having no secret",
+			verb:       http.MethodGet,
+			status:     http.StatusOK,
+			secretPath: "/test-fn/foo",
+			secret:     "bar",
+			expected:   make([]types.Secret, 0),
+			namespace:  "other-ns",
+			labels: map[string]string{
+				pkg.NamespaceLabel: "true",
+			},
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			labelStore := provider.NewFakeLabeller(tc.labels)
+
+			handler := MakeSecretHandler(labelStore, mountPath)
+
+			path := "http://example.com/foo"
+			if len(tc.namespace) > 0 {
+				path = path + fmt.Sprintf("?namespace=%s", tc.namespace)
+			}
+			req := httptest.NewRequest(tc.verb, path, nil)
+			w := httptest.NewRecorder()
+
+			handler(w, req)
+
+			resp := w.Result()
+			if resp.StatusCode != tc.status {
+				t.Fatalf("want status: %d, but got: %d", tc.status, resp.StatusCode)
+			}
+
+			if resp.StatusCode != http.StatusOK && w.Body.String() != tc.err {
+				t.Fatalf("want error message: %q, but got %q", tc.err, w.Body.String())
+			}
+
+			body, err := ioutil.ReadAll(resp.Body)
+			if err != nil {
+				t.Fatalf("can't read response of list %v", err)
+			}
+
+			var res []types.Secret
+			err = json.Unmarshal(body, &res)
+
+			if err != nil {
+				t.Fatalf("unable to unmarshal %q, error: %v", string(body), err)
+			}
+
+			if !reflect.DeepEqual(res, tc.expected) {
+				t.Fatalf("want response: %v, but got: %v", tc.expected, res)
+			}
+		})
 	}
 }

pkg/provider/handlers/update.go

@@ -13,7 +13,6 @@ import (
 	gocni "github.com/containerd/go-cni"
 	"github.com/openfaas/faas-provider/types"
 
-	faasd "github.com/openfaas/faasd/pkg"
 	"github.com/openfaas/faasd/pkg/cninetwork"
 	"github.com/openfaas/faasd/pkg/service"
 )
@@ -41,8 +40,23 @@ func MakeUpdateHandler(client *containerd.Client, cni gocni.CNI, secretMountPath
 			return
 		}
 		name := req.Service
+		namespace := getRequestNamespace(req.Namespace)
 
-		function, err := GetFunction(client, name)
+		// Check if namespace exists, and it has the openfaas label
+		valid, err := validNamespace(client.NamespaceService(), namespace)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		if !valid {
+			http.Error(w, "namespace not valid", http.StatusBadRequest)
+			return
+		}
+
+		namespaceSecretMountPath := getNamespaceSecretMountPath(secretMountPath, namespace)
+
+		function, err := GetFunction(client, name, namespace)
 		if err != nil {
 			msg := fmt.Sprintf("service %s not found", name)
 			log.Printf("[Update] %s\n", msg)
@@ -50,12 +64,12 @@ func MakeUpdateHandler(client *containerd.Client, cni gocni.CNI, secretMountPath
 			return
 		}
 
-		err = validateSecrets(secretMountPath, req.Secrets)
+		err = validateSecrets(namespaceSecretMountPath, req.Secrets)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusBadRequest)
 		}
 
-		ctx := namespaces.WithNamespace(context.Background(), faasd.FunctionNamespace)
+		ctx := namespaces.WithNamespace(context.Background(), namespace)
 
 		if _, err := prepull(ctx, req, client, alwaysPull); err != nil {
 			log.Printf("[Update] error with pre-pull: %s, %s\n", name, err)
@@ -78,7 +92,7 @@ func MakeUpdateHandler(client *containerd.Client, cni gocni.CNI, secretMountPath
 		// The pull has already been done in prepull, so we can force this pull to "false"
 		pull := false
 
-		if err := deploy(ctx, req, client, cni, secretMountPath, pull); err != nil {
+		if err := deploy(ctx, req, client, cni, namespaceSecretMountPath, pull); err != nil {
 			log.Printf("[Update] error deploying %s, error: %s\n", name, err)
 			http.Error(w, err.Error(), http.StatusBadRequest)
 			return

pkg/provider/handlers/utils.go

@@ -0,0 +1,47 @@
+package handlers
+
+import (
+	"context"
+	"net/http"
+	"path"
+
+	"github.com/openfaas/faasd/pkg"
+	faasd "github.com/openfaas/faasd/pkg"
+	provider "github.com/openfaas/faasd/pkg/provider"
+)
+
+func getRequestNamespace(namespace string) string {
+
+	if len(namespace) > 0 {
+		return namespace
+	}
+	return faasd.DefaultFunctionNamespace
+}
+
+func readNamespaceFromQuery(r *http.Request) string {
+	q := r.URL.Query()
+	return q.Get("namespace")
+}
+
+func getNamespaceSecretMountPath(userSecretPath string, namespace string) string {
+	return path.Join(userSecretPath, namespace)
+}
+
+// validNamespace indicates whether the namespace is eligable to be
+// used for OpenFaaS functions.
+func validNamespace(store provider.Labeller, namespace string) (bool, error) {
+	if namespace == faasd.DefaultFunctionNamespace {
+		return true, nil
+	}
+
+	labels, err := store.Labels(context.Background(), namespace)
+	if err != nil {
+		return false, err
+	}
+
+	if value, found := labels[pkg.NamespaceLabel]; found && value == "true" {
+		return true, nil
+	}
+
+	return false, nil
+}

pkg/provider/handlers/utils_test.go

@@ -0,0 +1,75 @@
+package handlers
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	faasd "github.com/openfaas/faasd/pkg"
+)
+
+func Test_getRequestNamespace(t *testing.T) {
+	tables := []struct {
+		name              string
+		requestNamespace  string
+		expectedNamespace string
+	}{
+		{name: "RequestNamespace is not provided", requestNamespace: "", expectedNamespace: faasd.DefaultFunctionNamespace},
+		{name: "RequestNamespace is provided", requestNamespace: "user-namespace", expectedNamespace: "user-namespace"},
+	}
+
+	for _, tc := range tables {
+		t.Run(tc.name, func(t *testing.T) {
+			actualNamespace := getRequestNamespace(tc.requestNamespace)
+			if actualNamespace != tc.expectedNamespace {
+				t.Errorf("Want: %s, got: %s", actualNamespace, tc.expectedNamespace)
+			}
+		})
+	}
+}
+
+func Test_getNamespaceSecretMountPath(t *testing.T) {
+	userSecretPath := "/var/openfaas/secrets"
+	tables := []struct {
+		name               string
+		requestNamespace   string
+		expectedSecretPath string
+	}{
+		{name: "Default Namespace is provided", requestNamespace: faasd.DefaultFunctionNamespace, expectedSecretPath: "/var/openfaas/secrets/" + faasd.DefaultFunctionNamespace},
+		{name: "User Namespace is provided", requestNamespace: "user-namespace", expectedSecretPath: "/var/openfaas/secrets/user-namespace"},
+	}
+
+	for _, tc := range tables {
+		t.Run(tc.name, func(t *testing.T) {
+			actualNamespace := getNamespaceSecretMountPath(userSecretPath, tc.requestNamespace)
+			if actualNamespace != tc.expectedSecretPath {
+				t.Errorf("Want: %s, got: %s", actualNamespace, tc.expectedSecretPath)
+			}
+		})
+	}
+}
+
+func Test_readNamespaceFromQuery(t *testing.T) {
+	tables := []struct {
+		name              string
+		queryNamespace    string
+		expectedNamespace string
+	}{
+		{name: "No Namespace is provided", queryNamespace: "", expectedNamespace: ""},
+		{name: "User Namespace is provided", queryNamespace: "user-namespace", expectedNamespace: "user-namespace"},
+	}
+
+	for _, tc := range tables {
+		t.Run(tc.name, func(t *testing.T) {
+
+			url := fmt.Sprintf("/test?namespace=%s", tc.queryNamespace)
+			r := httptest.NewRequest(http.MethodGet, url, nil)
+
+			actualNamespace := readNamespaceFromQuery(r)
+			if actualNamespace != tc.expectedNamespace {
+				t.Errorf("Want: %s, got: %s", actualNamespace, tc.expectedNamespace)
+			}
+		})
+	}
+}

pkg/provider/labeller.go

@@ -0,0 +1,25 @@
+package provider
+
+import "context"
+
+// Labeller can return labels for a namespace from containerd.
+type Labeller interface {
+	Labels(ctx context.Context, namespace string) (map[string]string, error)
+}
+
+//
+// FakeLabeller can be used to fake labels applied on namespace to mark
+// them valid/invalid for openfaas functions
+type FakeLabeller struct {
+	labels map[string]string
+}
+
+func NewFakeLabeller(labels map[string]string) Labeller {
+	return &FakeLabeller{
+		labels: labels,
+	}
+}
+
+func (s *FakeLabeller) Labels(ctx context.Context, namespace string) (map[string]string, error) {
+	return s.labels, nil
+}

pkg/service/service.go

@@ -33,7 +33,7 @@ func Remove(ctx context.Context, client *containerd.Client, name string) error {
 			if errdefs.IsNotFound(err) {
 				taskFound = false
 			} else {
-				return fmt.Errorf("unable to get task %s: ", err)
+				return fmt.Errorf("unable to get task %w: ", err)
 			}
 		}
 
@@ -47,12 +47,12 @@ func Remove(ctx context.Context, client *containerd.Client, name string) error {
 
 			log.Printf("Need to kill task: %s\n", name)
 			if err = killTask(ctx, t); err != nil {
-				return fmt.Errorf("error killing task %s, %s, %s", container.ID(), name, err)
+				return fmt.Errorf("error killing task %s, %s, %w", container.ID(), name, err)
 			}
 		}
 
 		if err := container.Delete(ctx, containerd.WithSnapshotCleanup); err != nil {
-			return fmt.Errorf("error deleting container %s, %s, %s", container.ID(), name, err)
+			return fmt.Errorf("error deleting container %s, %s, %w", container.ID(), name, err)
 		}
 
 	} else {
@@ -79,9 +79,10 @@ func killTask(ctx context.Context, task containerd.Task) error {
 		if task != nil {
 			wait, err := task.Wait(ctx)
 			if err != nil {
-				err = fmt.Errorf("error waiting on task: %s", err)
+				log.Printf("error waiting on task: %s", err)
 				return
 			}
+
 			if err := task.Kill(ctx, unix.SIGTERM, containerd.WithKillAll); err != nil {
 				log.Printf("error killing container task: %s", err)
 			}

pkg/supervisor.go

@@ -8,6 +8,8 @@ import (
 	"os"
 	"path"
 	"sort"
+	"strconv"
+	"strings"
 
 	"github.com/alexellis/k3sup/pkg/env"
 	"github.com/compose-spec/compose-go/loader"
@@ -26,7 +28,8 @@ import (
 )
 
 const (
-	workingDirectoryPermission = 0644
+	// workingDirectoryPermission user read/write/execute, group and others: read-only
+	workingDirectoryPermission = 0744
 )
 
 type Service struct {
@@ -79,7 +82,7 @@ func NewSupervisor(sock string) (*Supervisor, error) {
 }
 
 func (s *Supervisor) Start(svcs []Service) error {
-	ctx := namespaces.WithNamespace(context.Background(), faasdNamespace)
+	ctx := namespaces.WithNamespace(context.Background(), FaasdNamespace)
 
 	wd, _ := os.Getwd()
 
@@ -145,6 +148,28 @@ func (s *Supervisor) Start(svcs []Service) error {
 					Type:        "bind",
 					Options:     []string{"rbind", "rw"},
 				})
+
+				// Only create directories, not files.
+				// Some files don't have a suffix, such as secrets.
+				if len(path.Ext(mnt.Src)) == 0 &&
+					!strings.HasPrefix(mnt.Src, "/var/lib/faasd/secrets/") {
+					// src is already prefixed with wd from an earlier step
+					src := mnt.Src
+					fmt.Printf("Creating local directory: %s\n", src)
+					if err := os.MkdirAll(src, workingDirectoryPermission); err != nil {
+						if !errors.Is(os.ErrExist, err) {
+							fmt.Printf("Unable to create: %s, %s\n", src, err)
+						}
+					}
+					if len(svc.User) > 0 {
+						uid, err := strconv.Atoi(svc.User)
+						if err == nil {
+							if err := os.Chown(src, uid, -1); err != nil {
+								fmt.Printf("Unable to chown: %s to %d, error: %s\n", src, uid, err)
+							}
+						}
+					}
+				}
 			}
 		}
 
@@ -243,7 +268,7 @@ func (s *Supervisor) Close() {
 }
 
 func (s *Supervisor) Remove(svcs []Service) error {
-	ctx := namespaces.WithNamespace(context.Background(), faasdNamespace)
+	ctx := namespaces.WithNamespace(context.Background(), FaasdNamespace)
 
 	for _, svc := range svcs {
 		err := cninetwork.DeleteCNINetwork(ctx, s.cni, s.client, svc.Name)