Add RBAC for endpoint slices for functions

EndpointSlices are more efficient than Endpoints at scale. Both editions of OpenFaaS Pro will gain support, and CE will continue to use Endpoints. Signed-off-by: Alex Ellis (OpenFaaS Ltd) <[email protected]>
openfaas · Oct 17, 2023 · 8c93467 · 8c93467
1 parent 9b66b7e
commit 8c93467
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 2 deletions.
diff --git a/chart/openfaas/templates/controller-rbac.yaml b/chart/openfaas/templates/controller-rbac.yaml
@@ -98,6 +98,9 @@ rules:
       - create
       - update
       - delete
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -178,6 +181,9 @@ rules:
       - get
       - list
       - watch
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

diff --git a/chart/openfaas/templates/gateway-dep.yaml b/chart/openfaas/templates/gateway-dep.yaml
@@ -220,6 +220,8 @@ spec:
           - -operator=true
           - "-license-file=/var/secrets/license/license"
         env:
+          - name: reconcile_workers
+            value: "2"
           - name: port
             value: "8081"
           - name: function_namespace

diff --git a/chart/openfaas/templates/operator-rbac.yaml b/chart/openfaas/templates/operator-rbac.yaml
@@ -47,6 +47,9 @@ rules:
 - apiGroups: [""]
   resources: ["pods", "pods/log", "namespaces", "endpoints"]
   verbs: ["get", "list", "watch"]
+- apiGroups: ["discovery.k8s.io"]
+  resources: ["endpointslices"]
+  verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -132,6 +135,10 @@ rules:
   - apiGroups: [""]
     resources: ["services"]
     verbs: ["get", "list", "watch", "create", "delete", "update"]
+#  Add discovery for endpointslices
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
   - apiGroups: ["extensions", "apps"]
     resources: ["deployments"]
     verbs: ["get", "list", "watch", "create", "delete", "update"]

diff --git a/chart/openfaas/values-pro.yaml b/chart/openfaas/values-pro.yaml
@@ -41,7 +41,7 @@ clusterRole: true
 # you can create a HPA rule to scale on CPU, but you must not scale beyond
 # what's been purchased.
 gateway:
-  replicas: 3
+  replicas: 1
 # Required gateway configuration for Istio
   # directFunctions: true
   # probeFunctions: true

diff --git a/chart/openfaas/values.yaml b/chart/openfaas/values.yaml
@@ -28,7 +28,7 @@ queueMode: ""                # Set to `jetstream` to run the async system backed
 psp: false
 
 # image pull policy for openfaas components, can change to `IfNotPresent` for an air-gapped environment
-openfaasImagePullPolicy: "Always"
+openfaasImagePullPolicy: "IfNotPresent"
 
 functions:
   imagePullPolicy: "Always"    # Image pull policy for deployed functions, for OpenFaaS Pro you can also set: IfNotPresent and Never.