OpenFaaS CE updates

Config for: TerminationGracePeriod, custom ServiceAccounts
and HTTP probe configuration, runtimeClass moves into
OpenFaaS Pro.

As per the docs, OpenFaaS CE is for open source developers.
OpenFaaS Pro is for profit-seeking companies.

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <[email protected]>

Author: alexellis

pkg/controller/deployment.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"encoding/json"
 	"strings"
-	"time"
 
 	"github.com/google/go-cmp/cmp"
 	faasv1 "github.com/openfaas/faas-netes/pkg/apis/openfaas/v1"
@@ -48,34 +47,6 @@ func newDeployment(
 
 	annotations := makeAnnotations(function)
 
-	var serviceAccount string
-
-	if function.Spec.Annotations != nil {
-		annotations := *function.Spec.Annotations
-		if val, ok := annotations["com.openfaas.serviceaccount"]; ok && len(val) > 0 {
-			serviceAccount = val
-		}
-	}
-
-	// add 2s jitter to avoid a race condition between write_timeout and grace period
-	jitter := time.Second * 2
-	terminationGracePeriod := time.Second*30 + jitter
-
-	if function.Spec.Environment != nil {
-		e := *function.Spec.Environment
-		if v, ok := e["write_timeout"]; ok && len(v) > 0 {
-			period, err := time.ParseDuration(v)
-			if err != nil {
-				glog.Warningf("Function %s failed to parse write_timeout: %s",
-					function.Spec.Name, err.Error())
-			}
-
-			terminationGracePeriod = period + jitter
-		}
-	}
-
-	terminationGracePeriodSeconds := int64(terminationGracePeriod.Seconds())
-
 	allowPrivilegeEscalation := false
 
 	deploymentSpec := &appsv1.Deployment{
@@ -119,8 +90,7 @@ func newDeployment(
 					Annotations: annotations,
 				},
 				Spec: corev1.PodSpec{
-					NodeSelector:                  nodeSelector,
-					TerminationGracePeriodSeconds: &terminationGracePeriodSeconds,
+					NodeSelector: nodeSelector,
 					Containers: []corev1.Container{
 						{
 							Name:  function.Spec.Name,
@@ -143,10 +113,6 @@ func newDeployment(
 		},
 	}
 
-	if len(serviceAccount) > 0 {
-		deploymentSpec.Spec.Template.Spec.ServiceAccountName = serviceAccount
-	}
-
 	factory.ConfigureReadOnlyRootFilesystem(function, deploymentSpec)
 	factory.ConfigureContainerUserID(deploymentSpec)
 

pkg/controller/deployment_test.go

@@ -10,117 +10,46 @@ import (
 	"k8s.io/client-go/kubernetes/fake"
 )
 
-func Test_GracePeriodFromWriteTimeout(t *testing.T) {
-
-	scenarios := []struct {
-		name        string
-		wantSeconds int64
-		envs        map[string]string
-	}{
-		{"grace period is the default", 32, map[string]string{}},
-		{"grace period is set from write_timeout", 62, map[string]string{"write_timeout": "60s"}},
-	}
-
-	for _, s := range scenarios {
-		t.Run(s.name, func(t *testing.T) {
-
-			want := int64(s.wantSeconds)
-			function := &faasv1.Function{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "alpine",
-				},
-				Spec: faasv1.FunctionSpec{
-					Name:                   "alpine",
-					Image:                  "ghcr.io/openfaas/alpine:latest",
-					Annotations:            &map[string]string{},
-					ReadOnlyRootFilesystem: true,
-					Environment:            &s.envs},
-			}
-
-			factory := NewFunctionFactory(fake.NewSimpleClientset(),
-				k8s.DeploymentConfig{
-					HTTPProbe:      false,
-					SetNonRootUser: true,
-					LivenessProbe: &k8s.ProbeConfig{
-						PeriodSeconds:       1,
-						TimeoutSeconds:      3,
-						InitialDelaySeconds: 0,
-					},
-					ReadinessProbe: &k8s.ProbeConfig{
-						PeriodSeconds:       1,
-						TimeoutSeconds:      3,
-						InitialDelaySeconds: 0,
-					},
-				})
-
-			secrets := map[string]*corev1.Secret{}
-
-			deployment := newDeployment(function, nil, secrets, factory)
-			got := deployment.Spec.Template.Spec.TerminationGracePeriodSeconds
-			if got == nil {
-				t.Errorf("TerminationGracePeriodSeconds not set, but want %d", want)
-				t.Fail()
-				return
-			}
-
-			if want != *got {
-				t.Errorf("TerminationGracePeriodSeconds want %d, but got %d", want, got)
-				t.Fail()
-			}
-		})
-	}
-}
-
-func Test_newDeployment_withHTTPProbe(t *testing.T) {
+func Test_newDeployment(t *testing.T) {
 	function := &faasv1.Function{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "kubesec",
 		},
 		Spec: faasv1.FunctionSpec{
-			Name:  "kubesec",
-			Image: "docker.io/kubesec/kubesec",
-			Annotations: &map[string]string{
-				"com.openfaas.serviceaccount": "kubesec",
-			},
+			Name:                   "kubesec",
+			Image:                  "docker.io/kubesec/kubesec",
+			Annotations:            &map[string]string{},
 			ReadOnlyRootFilesystem: true,
 		},
 	}
-	k8sConfig := k8s.DeploymentConfig{
-		HTTPProbe:      true,
-		SetNonRootUser: true,
-		LivenessProbe: &k8s.ProbeConfig{
-			PeriodSeconds:       1,
-			TimeoutSeconds:      3,
-			InitialDelaySeconds: 0,
-		},
-		ReadinessProbe: &k8s.ProbeConfig{
-			PeriodSeconds:       1,
-			TimeoutSeconds:      3,
-			InitialDelaySeconds: 0,
-		},
-	}
-	factory := NewFunctionFactory(fake.NewSimpleClientset(), k8sConfig)
+
+	factory := NewFunctionFactory(fake.NewSimpleClientset(),
+		k8s.DeploymentConfig{
+			HTTPProbe:      true,
+			SetNonRootUser: true,
+			LivenessProbe: &k8s.ProbeConfig{
+				PeriodSeconds:       1,
+				TimeoutSeconds:      3,
+				InitialDelaySeconds: 0,
+			},
+			ReadinessProbe: &k8s.ProbeConfig{
+				PeriodSeconds:       1,
+				TimeoutSeconds:      3,
+				InitialDelaySeconds: 0,
+			},
+		})
 
 	secrets := map[string]*corev1.Secret{}
 
 	deployment := newDeployment(function, nil, secrets, factory)
 
-	if deployment.Spec.Template.Spec.ServiceAccountName != "kubesec" {
-		t.Errorf("ServiceAccountName should be %s", "kubesec")
-		t.Fail()
-	}
-
-	if deployment.Spec.Template.Spec.Containers[0].ReadinessProbe.HTTPGet == nil {
-		t.Fatalf("ReadinessProbe's HTTPGet should not be nil")
-	}
-
 	if deployment.Spec.Template.Spec.Containers[0].ReadinessProbe.HTTPGet.Path != "/_/health" {
 		t.Errorf("Readiness probe should have HTTPGet handler set to %s", "/_/health")
 		t.Fail()
 	}
 
-	if deployment.Spec.Template.Spec.Containers[0].LivenessProbe.InitialDelaySeconds != k8sConfig.ReadinessProbe.InitialDelaySeconds {
-		t.Errorf("Liveness probe should have initial delay seconds set to %s", "2m")
+	if deployment.Spec.Template.Spec.Containers[0].LivenessProbe.InitialDelaySeconds != 0 {
+		t.Errorf("Liveness probe should have initial delay seconds set to %s", "0")
 		t.Fail()
 	}
 
@@ -141,11 +70,9 @@ func Test_newDeployment_withExecProbe(t *testing.T) {
 			Name: "kubesec",
 		},
 		Spec: faasv1.FunctionSpec{
-			Name:  "kubesec",
-			Image: "docker.io/kubesec/kubesec",
-			Annotations: &map[string]string{
-				"com.openfaas.serviceaccount": "kubesec",
-			},
+			Name:                   "kubesec",
+			Image:                  "docker.io/kubesec/kubesec",
+			Annotations:            &map[string]string{},
 			ReadOnlyRootFilesystem: true,
 		},
 	}
@@ -170,11 +97,6 @@ func Test_newDeployment_withExecProbe(t *testing.T) {
 
 	deployment := newDeployment(function, nil, secrets, factory)
 
-	if deployment.Spec.Template.Spec.ServiceAccountName != "kubesec" {
-		t.Errorf("ServiceAccountName should be %s", "kubesec")
-		t.Fail()
-	}
-
 	if deployment.Spec.Template.Spec.Containers[0].ReadinessProbe.HTTPGet != nil {
 		t.Fatalf("ReadinessProbe's HTTPGet should be nil due to exec probe")
 	}

pkg/handlers/deploy.go

@@ -14,7 +14,6 @@ import (
 	"sort"
 	"strconv"
 	"strings"
-	"time"
 
 	"github.com/openfaas/faas-netes/pkg/k8s"
 
@@ -25,7 +24,6 @@ import (
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
-	glog "k8s.io/klog"
 )
 
 // initialReplicasCount how many replicas to start of creating for a function
@@ -160,23 +158,11 @@ func makeDeploymentSpec(request types.FunctionDeployment, existingSecrets map[st
 
 	annotations := buildAnnotations(request)
 
-	var serviceAccount string
-
-	if request.Annotations != nil {
-		annotations := *request.Annotations
-		if val, ok := annotations["com.openfaas.serviceaccount"]; ok && len(val) > 0 {
-			serviceAccount = val
-		}
-	}
-
 	probes, err := factory.MakeProbes(request)
 	if err != nil {
 		return nil, err
 	}
 
-	terminationGracePeriodSeconds :=
-		getTerminationGracePeriodSeconds(request.EnvVars, request.Service)
-
 	enableServiceLinks := false
 	allowPrivilegeEscalation := false
 
@@ -216,9 +202,7 @@ func makeDeploymentSpec(request types.FunctionDeployment, existingSecrets map[st
 					Annotations: annotations,
 				},
 				Spec: apiv1.PodSpec{
-					NodeSelector:                  nodeSelector,
-					TerminationGracePeriodSeconds: &terminationGracePeriodSeconds,
-
+					NodeSelector: nodeSelector,
 					Containers: []apiv1.Container{
 						{
 							Name:  request.Service,
@@ -241,9 +225,8 @@ func makeDeploymentSpec(request types.FunctionDeployment, existingSecrets map[st
 							},
 						},
 					},
-					ServiceAccountName: serviceAccount,
-					RestartPolicy:      corev1.RestartPolicyAlways,
-					DNSPolicy:          corev1.DNSClusterFirst,
+					RestartPolicy: corev1.RestartPolicyAlways,
+					DNSPolicy:     corev1.DNSClusterFirst,
 					// EnableServiceLinks injects ENV vars about every other service within
 					// the namespace.
 					EnableServiceLinks: &enableServiceLinks,
@@ -262,26 +245,6 @@ func makeDeploymentSpec(request types.FunctionDeployment, existingSecrets map[st
 	return deploymentSpec, nil
 }
 
-func getTerminationGracePeriodSeconds(envVars map[string]string, name string) int64 {
-	// add 2s jitter to avoid a race condition between write_timeout and grace period
-	jitter := time.Second * 2
-	terminationGracePeriod := time.Second*30 + jitter
-
-	if envVars != nil {
-		if v, ok := envVars["write_timeout"]; ok && len(v) > 0 {
-			period, err := time.ParseDuration(v)
-			if err != nil {
-				glog.Warningf("Function %s failed to parse write_timeout: %s",
-					name, err.Error())
-			}
-
-			terminationGracePeriod = period + jitter
-		}
-	}
-
-	return int64(terminationGracePeriod.Seconds())
-}
-
 func makeServiceSpec(request types.FunctionDeployment, factory k8s.FunctionFactory) *corev1.Service {
 
 	serviceSpec := &corev1.Service{

pkg/handlers/deploy_test.go

@@ -13,46 +13,6 @@ import (
 	apiv1 "k8s.io/api/core/v1"
 )
 
-func Test_GracePeriodFromWriteTimeout(t *testing.T) {
-
-	scenarios := []struct {
-		name        string
-		wantSeconds int64
-		envs        map[string]string
-	}{
-		{"grace period is the default", 32, map[string]string{}},
-		{"grace period is set from write_timeout", 62, map[string]string{"write_timeout": "60s"}},
-	}
-
-	for _, s := range scenarios {
-		t.Run(s.name, func(t *testing.T) {
-			request := types.FunctionDeployment{Service: "testfunc", Image: "ghcr.io/openfaas/alpine:latest"}
-			factory := k8s.NewFunctionFactory(fake.NewSimpleClientset(), k8s.DeploymentConfig{
-				LivenessProbe:  &k8s.ProbeConfig{},
-				ReadinessProbe: &k8s.ProbeConfig{},
-				SetNonRootUser: false,
-			}, nil)
-
-			request.EnvVars = s.envs
-			deployment, err := makeDeploymentSpec(request, map[string]*apiv1.Secret{}, factory)
-			if err != nil {
-				t.Errorf("unexpected makeDeploymentSpec error: %s", err.Error())
-			}
-			want := s.wantSeconds
-			got := deployment.Spec.Template.Spec.TerminationGracePeriodSeconds
-
-			if got == nil {
-				t.Fatalf("want: %d, got: nil", want)
-			}
-
-			if *got != want {
-				t.Errorf("TerminationGracePeriodSeconds want: %d, got: %d", want, *got)
-			}
-
-		})
-	}
-}
-
 func Test_buildAnnotations_Empty_In_CreateRequest(t *testing.T) {
 	request := types.FunctionDeployment{}
 

pkg/handlers/update.go

@@ -137,17 +137,6 @@ func updateDeploymentSpec(
 
 		deployment.Spec.Template.Spec.Containers[0].Resources = *resources
 
-		var serviceAccount string
-
-		if request.Annotations != nil {
-			annotations := *request.Annotations
-			if val, ok := annotations["com.openfaas.serviceaccount"]; ok && len(val) > 0 {
-				serviceAccount = val
-			}
-		}
-
-		deployment.Spec.Template.Spec.ServiceAccountName = serviceAccount
-
 		secrets := k8s.NewSecretsClient(factory.Client)
 		existingSecrets, err := secrets.GetSecrets(functionNamespace, request.Secrets)
 		if err != nil {
@@ -168,11 +157,6 @@ func updateDeploymentSpec(
 		deployment.Spec.Template.Spec.Containers[0].LivenessProbe = probes.Liveness
 		deployment.Spec.Template.Spec.Containers[0].ReadinessProbe = probes.Readiness
 
-		terminationGracePeriodSeconds :=
-			getTerminationGracePeriodSeconds(request.EnvVars, request.Service)
-
-		deployment.Spec.Template.Spec.TerminationGracePeriodSeconds = &terminationGracePeriodSeconds
-
 		// compare the annotations from args to the cache copy of the deployment annotations
 		// at this point we have already updated the annotations to the new value, if we
 		// compare to that it will produce an empty list