Question: GKE use-case

[id0Sch]

Current Behaviour

i used Helm to setup the openfaas stack configured my function with

gateway: http://localhost:8001/api/v1/proxy/namespaces/default/services/gateway:8080

deployed it, but when I navigate to https://EXTERNAL_CLUSTER_IP/system/functions/FUNCTION_NAME I'm getting the following error

User "system:anonymous" cannot get path "/system/functions/FUNCTION_NAME".: "No policy matched.\nUnknown user \"system:anonymous\""

Context

I'm trying to deploy a telegram bot that uses a webhook

I'm new to kubernetes and i've had a really hard time deploying to GKE, I think we can all benefit from some more resources regarding this combo (gke+faas-nets)

Thanks!

[alexellis]

You should not navigate to that endpoint, it's not valid or viewable in a web-browser.

Can you explain what you are trying to do?

[alexellis]

We've also had people deploy to GKE including @rawkode ... David please can you comment?

[id0Sch]

Wow that was fast! 🚀

I'm trying to invoke the function. Also, the gateway UI is not functional when using kubectl proxy on GKE

[id0Sch]

@rawkode , @alexellis Im also documenting the steps I used, maybe we can expand it to a GKE tutorial or something https://gist.github.com/id0Sch/6f4d068032f9bd11f267301d1744ffdd

[alexellis]

Maybe using the helm chart would work better?

• Why is a proxy needed? We've never tried using the K8s proxy to access the gateway.

Thanks for recording your steps - if we can iterate a bit on this we can move it into the main repo. I'd like to see the vanilla use-cases worked through though:

• I thought that GKE supported a LoadBalancer?
  • Try applying the config in cloud/*.yml which sets up a LoadBalancer for ingress.
• Can't you access the gateway through the NodePort?
• Why do you need to push to the Google registry? Doesn't the Hub work on GKE?

[id0Sch]

I'm deploying to the Google registry since its private (that part worked well). not sure about the proxy, but it's the only way I got access to the dashboards (im new to kube.)

[rawkode]

Hi @id0Sch, hopefully I can help!

You've deployed using Helm I believe, which is great. I've then used kubectl -n openfaas get pods and kubectl -n openfaas port-forward gateway-pod-name 8080:8080 and browsed to the UI on http://localhost:8080

Please replace your namespace with whatever you used and the pod name

You can also use this port-forward to work with the faas-cli

[rawkode]

If you wish to make your Gateway public, you'll need to add an ingress controller in front of the Gateway service.

[rawkode]

This is my Ingress resource:

kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: openfaas-gateway-ingress
  namespace: openfaas
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: removed
    http:
      paths:
        - backend:
            serviceName: gateway-external
            servicePort: 8080

[id0Sch]

@rawkode wow! so simple. About exposing the gateway, is it possible to instead expose individual functions? I saw the ingress options in the here, is that what i need? how will i then be able to invoke my functions?

Thank you so much for the rapid help!

[rawkode]

Sorry, I should note that my traefik annotation means I have the traefik chart running on my cluster. Omit that and you'll get a generic LB.

[rawkode]

I'm not sure if a single function can be exposed, but that would be awesome. @alexellis can help us both with that, hopefully :smile:

[id0Sch]

@alexellis @rawkode should this ingress resource be added to faas-netes, maybe cloud/ingress?

[rgee0]

Derek close: Original question has been answered. @id0Sch could you add detail to your final question and raise it as a new proposal issue please?

[alexellis]

Thanks for commenting @rgee0 - I think faas-netes has come on since the original issue was raised. I do wonder whether we have a potential issue when using kubectl proxy though.

@stefanprodan + @jrevillas - this is an edge case, but what are your thoughts? The gateway looks for /system/functions to list functions however the relative root for /system changes when using the kubectl proxy approach.