Move CRDs up to top level of chart

This change means that CRDs must be maintained manually
over time by openfaas operators.

It is designed to make installations without a ClusterRole
easier and to make the usage of IAM and non-IAM CRDs more
consistent.

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <[email protected]>

chart/openfaas/templates/ingress-operator-crd.yaml → artifacts/crds/openfaas.com_functioningresses.yaml

@@ -1,6 +1,3 @@
-{{- if .Values.ingressOperator.create }}
-{{- if .Values.createCRDs }}
-
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -127,8 +124,3 @@ spec:
       served: true
       storage: true
       subresources: {}
-
----
-
-{{- end }}
-{{- end }}

chart/openfaas/README.md

@@ -98,7 +98,15 @@ PASSWORD=$(kubectl -n openfaas get secret basic-auth -o jsonpath="{.data.basic-a
 echo "OpenFaaS admin password: $PASSWORD"
 ```
 
-#### Deploy OpenFaaS Pro
+#### Deploy OpenFaaS Pro - OpenFaaS Standard / OpenFaaS For Enterprises
+
+It's recommended to run with a ClusterRole so that:
+
+* Prometheus can scrape node metrics for CPU-based autoscaling, and report CPU/RAM consumption usage of functions via the API.
+* The Operator can manage functions across multiple namespaces
+* The Operator can obtain accurate namespace information for the installation
+
+First:
 
 * Create the required secret with your [OpenFaaS Pro license](https://www.openfaas.com/pricing/):
 
@@ -140,15 +148,51 @@ You can also review recommended Pro values in [values-pro.yaml](values-pro.yaml)
 
 #### Installing OpenFaaS Pro without Cluster Admin access
 
-In order to install OpenFaaS Pro, you need to create at least one namespace, a Cluster Admin role and Custom Resource Definitions (CRDs), however some DevOps teams prevent business teams from getting access to Cluster Admin.
+In order to install OpenFaaS Pro you will need:
+
+* Cluster Admin access to kubectl in order to create Custom Resource Definitions (CRDs)
+* The ability to create at least two namespaces `openfaas` and `openfaas-fn`
+* The ability to create ClusterRoles for the full functionality of OpenFaaS Pro
+
+There are two options for this scenario, both of which involve separate teams performing parts of the installation. The first team is the *admin team* which has Cluster Admin access, the second team is the *application team* which has limited access to certain namespaces.
+
+1. Have your admin team perform the initial installation, including the ClusterRoles, namespaces and CRDs. Then have your application team perform upgrades to the chart. Your admin team will have to upgrade the CRDs and ClusterRoles periodically on the cluster.
+2. Have your admin team perform the initial installation of the namespaces and CRDs only. Then your application team can install the chart and maintain it over time with a Role, instead of a ClusterRole.
+
+In either case, the admin team will have to upgrade the CRDs regularly on the cluster.
+
+The following steps are for 2.
+
+If you only have administrative access, you can split the installation. Your administrative team will create the CRDs and namespaces, and instead of using a ClusterRole, you can use a Role, and accept that the product will have some functionality limited.
+
+Ask your admin team to run the following to install the namespaces and CRDs:
+
+```bash
+git clone https://github.com/openfaas/faas-netes/ --depth=1
+
+kubectl apply -f ./faas-netes/namespaces.yml
+kubectl apply -f ./faas-netes/artifacts/crds/
+```
+
+Now, your application team can install OpenFaaS with a Role instead of a ClusterRole. They will also need to pass the `--skip-crds` flag to the helm command.
 
-This option is reserved for OpenFaaS Pro customers, see the installation steps here: [Split installation instructions](https://github.com/openfaas/openfaas-pro/blob/master/split-installation.md)
+*values-role.yaml*
+
+```yaml
+clusterRole: false
+```
 
-See also:
+Next, your application team can update and upgrade OpenFaaS using the chart by adding `--skip-crds` to the `helm` command, along with `-f values-role.yaml`, for example:
 
-* Scale-down to zero (in this document)
-* [OpenFaaS Pro SSO/OIDC](https://docs.openfaas.com/openfaas-pro/sso/)
-* [OpenFaaS Pro Kafka Event Connector](https://docs.openfaas.com/openfaas-pro/kafka-events/)
+```bash
+helm repo update \
+ && helm upgrade openfaas \
+  --install openfaas/openfaas \
+  --namespace openfaas  \
+  -f values-pro.yaml \
+  -f values-role.yaml \
+  --skip-crds
+```
 
 ## Test changes for the helm chart
 
@@ -444,7 +488,6 @@ yaml) |
 | `basicAuthPlugin.resources` | Resource limits and requests for basic-auth-plugin containers | See [values.yaml](./values.yaml) |
 | `caBundleSecretName` | Name of the Kubernetes secret that contains the CA bundle for making HTTP requests for IAM (optional) | `""` |
 | `clusterRole` | Use a `ClusterRole` for the Operator or faas-netes. Set to `true` for multiple namespace, pro scaler and CPU/RAM metrics in OpenFaaS REST API | `false` |
-| `createCRDs` | Create the CRDs for OpenFaaS Functions and Profiles | `true` |
 | `exposeServices` | Expose `NodePorts/LoadBalancer`  | `true` |
 | `functionNamespace` | Functions namespace, preferred `openfaas-fn` | `openfaas-fn` |
 | `gatewayExternal.annotations` | Annotation for getaway-external service | `{}` |

chart/openfaas/crds/openfaas.com_functioningresses.yaml

@@ -0,0 +1,126 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  name: functioningresses.openfaas.com
+spec:
+  group: openfaas.com
+  names:
+    kind: FunctionIngress
+    listKind: FunctionIngressList
+    plural: functioningresses
+    singular: functioningress
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns:
+        - jsonPath: .spec.domain
+          name: Domain
+          type: string
+      name: v1
+      schema:
+        openAPIV3Schema:
+          description: FunctionIngress describes an OpenFaaS function
+          type: object
+          required:
+            - spec
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: FunctionIngressSpec is the spec for a FunctionIngress resource. It must be created in the same namespace as the gateway, i.e. openfaas.
+              type: object
+              required:
+                - domain
+                - function
+              properties:
+                bypassGateway:
+                  description: BypassGateway, when true creates an Ingress record directly for the Function name without using the gateway in the hot path
+                  type: boolean
+                domain:
+                  description: Domain such as "api.example.com"
+                  type: string
+                function:
+                  description: Function such as "nodeinfo"
+                  type: string
+                functionNamespace:
+                  description: Namespace for function such as "openfaas-fn"
+                  type: string
+                ingressType:
+                  description: IngressType such as "nginx"
+                  type: string
+                path:
+                  description: Path such as "/v1/profiles/view/(.*)", or leave empty for default
+                  type: string
+                tls:
+                  description: Enable TLS via cert-manager
+                  type: object
+                  properties:
+                    enabled:
+                      type: boolean
+                    issuerRef:
+                      description: ObjectReference is a reference to an object with a given name and kind.
+                      type: object
+                      required:
+                        - name
+                      properties:
+                        kind:
+                          type: string
+                        name:
+                          type: string
+            status:
+              description: FunctionIngressStatus is the status for a FunctionIngress resource
+              type: object
+              properties:
+                conditions:
+                  type: array
+                  items:
+                    description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions.  For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                    type: object
+                    required:
+                      - lastTransitionTime
+                      - message
+                      - reason
+                      - status
+                      - type
+                    properties:
+                      lastTransitionTime:
+                        description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                        type: string
+                        format: date-time
+                      message:
+                        description: message is a human readable message indicating details about the transition. This may be an empty string.
+                        type: string
+                        maxLength: 32768
+                      observedGeneration:
+                        description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
+                        type: integer
+                        format: int64
+                        minimum: 0
+                      reason:
+                        description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
+                        type: string
+                        maxLength: 1024
+                        minLength: 1
+                        pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      status:
+                        description: status of the condition, one of True, False, Unknown.
+                        type: string
+                        enum:
+                          - "True"
+                          - "False"
+                          - Unknown
+                      type:
+                        description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                        type: string
+                        maxLength: 316
+                        pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+      served: true
+      storage: true
+      subresources: {}

chart/openfaas/templates/function-crd.yaml → chart/openfaas/crds/openfaas.com_functions.yaml

@@ -1,7 +1,3 @@
-{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
-{{- if .Values.operator.create }}
-{{- if .Values.createCRDs }}
-
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -200,7 +196,3 @@ spec:
       storage: true
       subresources:
         status: {}
-
-
-{{- end }}
-{{- end }}

chart/openfaas/templates/profile-crd.yaml → chart/openfaas/crds/openfaas.com_profiles.yaml

@@ -1,5 +1,3 @@
-{{- if .Values.createCRDs }}
-
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -45,7 +43,7 @@ spec:
             spec:
               description: |-
                 ProfileSpec is an openfaas api extension that can be predefined and applied
-                to functions by annotating them with `com.openfaas/profile: name1,name2`
+                to functions by annotating them with `com.openfaas.profile: name1,name2`
               type: object
               properties:
                 affinity:
@@ -1434,5 +1432,3 @@ spec:
                         type: string
       served: true
       storage: true
-
-{{- end }}

hack/update-crds.sh

@@ -14,3 +14,5 @@ fi
   schemapatch:manifests=./artifacts/crds \
   paths=./pkg/apis/... \
   output:dir=./artifacts/crds
+
+echo "Run \"cp ./artifacts/crds/* ./chart/openfaas/crds/\" to sync with the chart"