Getting started - trouble when following commands in README.md

[deinspanjer]

I'm trying to get faas-flow-tower up and running locally, using Mac OSX with the Docker for Mac kubernetes stack.

Docker 19.03.5 k8s 1.14.8 faas cli 0.11.0 faas gateway 0.18.7 faas provider faas-netes 0.9.15

When I try to run faas deploy, I get an error with the list-flow-functions stating that the secret "basic-auth-user" is not found. I also found that the pods for dot-generator and faas-flow-dashboard are not deployed due to an ImagePull error, and metrics seems to be flapping.

[s8sg]

When I try to run faas deploy, I get an error with the list-flow-functions stating that the secret "basic-auth-user" is not found.

"basic-auth-user" is usually setup when you created the OpenFaaS environment, does your OpenFaaS gateway has authentication. ?
If not please set the basic_auth: false in the conf.yml. and comment the below line in stack.yml

secrets:
      - basic-auth-user
      - basic-auth-password

I also found that the pods for dot-generator and faas-flow-dashboard are not deployed due to an ImagePull error, and metrics seems to be flapping

I'll push the latest images for dot-generator and faas-flow-dashboard. Not sure what you mean by flapping

[s8sg]

I have pushed the latest images, please give it another try

[deinspanjer]

By flapping, I mean k8s is spinning up a new pod, then a minute or so later, it errors out and terminates.

I believe I have a couple of problems.

1. I might not have set up enough of the faas-flow environment. I'm doing another clean install, and this time also installing the chart from faas-flow-infra
2. It seems that faas or faas-flow is having trouble finding function images when I do a build and deploy. I tried running even the basic greet example, and it had the same problem, but when I tagged it with my docker hub username and pushed a copy of it up, it was able to run.

Maybe there is something special about the kubernetes environment in Docker for Mac that doesn't allow it to see locally built docker images?

[deinspanjer]

I found this stackoverflow question https://stackoverflow.com/questions/50739405/docker-for-mac-kubernetes-reference-local-image which lead me to https://docs.openfaas.com/deployment/kubernetes/#set-a-custom-imagepullpolicy Setting the image pull policy to IfNotPresent fixed my problem.

[deinspanjer]

Argh. So the image pull policy fixed my problem with some pods not being started, but the error about basic-auth-user not being found is still happening for the list-flow-functions.

I see a secret named basic-auth in the namespace openfaas which has data with both keys, basic-auth-password and basic-auth-user. Maybe there is some additional namespace issue going on here?

I had to change the provider name in the stack.yml from "faas" to "openfaas" because that apparently has changed.

Could it be that list-flow-functions which is getting installed in the namespace openfaas-fn can't access the secret in the openfaas namespace?

[s8sg]

Secret are shared across only to the pod within the namespace. I guess you are right, in that case you need to create it in openfaas namespace

[s8sg]

Alternatively can you try with

labels:
      openfaas-cloud: "1"
      role: openfaas-system
      com.openfaas.scale.zero: false

This is how its done in Openfaas Cloud list function: https://github.com/openfaas/openfaas-cloud/blob/master/stack.yml#L171

I guess here

role: openfaas-system

does the trick

[deinspanjer]

Well, using the environment and stack as it was, I tried adding the secret to the openfaas-fn namespace, and a deploy still gave the same error. I tried adding the role to the labels as suggested and did a build and deploy, but still no change.

Next I'll try tearing down the whole environment and reinstalling again. This time, I'll use the same namespace for both the openfaas system and the functions, contrary to what the getting started guide says.

[s8sg]

I tried adding the secret to the openfaas-fn namespace, and a deploy still gave the same error

Is the error in pod log or at openFaaS deployment ? Can you share the error log

[s8sg]

Next I'll try tearing down the whole environment and reinstalling again. This time, I'll use the same namespace for both the openfaas system and the functions, contrary to what the getting started guide says.

It should not be this complex. The namespace is separated for a reason, so I'll try to avoid this approach

[deinspanjer]

Is the error in pod log or at openFaaS deployment ? Can you share the error log

Deploying: list-flow-functions.
WARNING! Communication is not secure, please consider using HTTPS. Letsencrypt.org offers free SSL/TLS certificates.

Unexpected status: 400, message: unable to fetch secrets: secrets "basic-auth-user" not found

Deploying: dot-generator. WARNING! Communication is not secure, please consider using HTTPS. Letsencrypt.org offers free SSL/TLS certificates.

Deployed. 202 Accepted. URL: http://127.0.0.1:8080/function/dot-generator

Function 'list-flow-functions' failed to deploy with status code: 400

[deinspanjer]

Well, with my clean build where functions are also deployed into the openfaas namespace, I was able to get that function to install by editing the stack.yml and changing the secrets from

- basic-auth-user
- basic-auth-password

to just

- basic-auth

This seems to be because the secret that is created by the helm chart for openfaas / faas-netes creates the secret with the name basic-auth that has two data entries rather than two separate secrets. I'm not sure if that same solution will work using the role change, but I'll try that out in a bit.

[s8sg]

@deinspanjer Thank you for investigating on this. I'm wondering why openfaas-cloud hasn't changed it, or is it something on the pipeline. @alexellis might be helpful. Let me know what you find out with the role change

[alexellis]

It looks like somewhere you've confused the secret name between Swarm and k8s. The original config appears to be hard coded to use the Swarm names and then your user has updated his file to use the correct name for Kubernetes.

I don't know if you use Kubernetes to test your project, but if you don't then this might explain it.

[s8sg]

Thanks Alex. You're right, there has been a shortage of testing in Kubernets. I'm relatively a latecomer to Kubernets and trying to overcome it. Luckily openfaas community is very resourceful 🙂

[s8sg]

The original config appears to be hard coded to use the Swarm names and then your user has updated his file to use the correct name for Kubernetes.

Can you please direct me to the document for this please

[alexellis]

Sure, here you are - the deployment artifacts.

https://github.com/openfaas/faas/blob/master/docker-compose.yml#L228

https://github.com/openfaas/faas-netes/blob/master/chart/openfaas/templates/gateway-dep.yaml#L34

Whilst you only use Swarm, we mostly only use Kubernetes.

You'll need to figure out how to provide two configurations for your users, perhaps one or the other would be the best default?

The easiest way to install OpenFaaS is with k3sup btw - https://docs.openfaas.com/deployment/kubernetes/#a-deploy-with-k3sup-fastest-option

Alex

[s8sg]

I recently setup a helm chart for deploying default resources for Faas-flow Infra components : https://github.com/s8sg/faas-flow-infra

I'm changing the defaults to K8s as well 😉 Wish me luck

I don't see the k8's configuration for the OpenFaaS Cloud though in these docs

[alexellis]

OpenFaaS Cloud is no different, it's just a normal installation, why are we talking about OpenFaaS Cloud though? I thought faas-flow was for OF?

[alexellis]

You can set it up all manually, but we've spent a lot of time in the community developing automation, take a look: https://github.com/openfaas-incubator/ofc-bootstrap, it'll probably save you a lot of time. And for without TLS/auth: https://blog.alexellis.io/openfaas-cloud-for-development/

[s8sg]

The reason is list-flow-function is same as OpenFaaS Cloud's list-function, this is how the stack.yml looks for the OpenFaaS cloud https://github.com/openfaas/openfaas-cloud/blob/master/stack.yml#L171

I was referencing that for Faas-Flow:list-flow-function as this how it looks for Faas-flow-tower https://github.com/s8sg/faas-flow-tower/blob/master/stack.yml#L17

For OpenFaaS cloud, Does someone needs to modify this default stack.yml when deploying in Kubernets ? If so my question is which documents mention that ?

The reason I'm asking because I don't wanna diverge form a convention/practice the community is already using and copy paste the same approach here

[s8sg]

It looks like somewhere you've confused the secret name between Swarm and k8s. The original config appears to be hard coded to use the Swarm names and then your user has updated his file to use the correct name for Kubernetes.

The stack file in ofc-bootstrap also uses the same secrets name https://github.com/openfaas-incubator/ofc-bootstrap/blob/master/templates/stack.yml#L181

 list-functions:
    lang: go
    handler: ./list-functions
    image: functions/list-functions:0.4.8
    labels:
      openfaas-cloud: "1"
      role: openfaas-system
      com.openfaas.scale.zero: false
    environment:
      write_debug: true
      read_debug: true
    environment_file:
      - gateway_config.yml
    secrets:
      - basic-auth-user
      - basic-auth-password

am I missing something ?

[alexellis]

Sorry, I don't have time to debug this for you, I'm sure you'll figure it out, but note that the secrets you are looking at here, are not the basic auth secrets for OpenFaaS, they are additional secrets for the functions.

[s8sg]

but note that the secrets you are looking at here, are not the basic auth secrets for OpenFaaS, they are additional secrets for the functions.

The list-function use this secret to authenticate at the gateway. So if I understand correctly, user supposed to create the secret by themselves, which would make total sense.

[s8sg]

@deinspanjer

The problem here is that we were expecting the secrets to be there by default. That works for swarm because it doesn't have namespaces, but not for Kubernets. So for k8's we need to create the secrets seperately on openfaas-fn.

The steps would be

export OPENFAAS_USER=<>
export OPENFAAS_PASS=<>
kubectl create secret generic -n openfaas-fn \
 basic-auth-user --from-literal basic-auth-user="$OPENFAAS_USER"
kubectl create secret generic -n openfaas-fn \
 basic-auth-password --from-literal basic-auth-password="$OPENFAAS_PASS"

I'll update the README.md

later stage I'll add a configuration file and a script which automates the process

Thanks for finding the issue and reporting it.

[s8sg]

@pasdam instead of changing the secret name to basic-auth in list-flow-functpion we can alternatively create two separate secrets. Anyhow we need to create the secret in the openfaas-fn namespace, this way the same secrets can be used for swarm