Provision faasd 0.8.1 on DigitalOcean with Terraform 0.12.0 with TLS support

README.md

Bootstrap faasd with TLS support on Digitalocean

1. Sign up to DigitalOcean

2. Download Terraform

3. Clone this gist using the URL from the address bar

4. Run terraform init

5. Configure terraform variables as needed by updating the main.tfvars file:

   Variable	Description	Default
   do_token	Digitalocean API token	None
   do_domain	Public domain used for the faasd gateway	None
   letsencrypt_email	Email used by when ordering TLS certificate from Letsencrypt	""
   do_create_record	When set to true, a new DNS record will be created. This works only if your domain (do_domain) is managed by Digitalocean	false
   do_region	Digitalocean region for creating the droplet	fra1
   ssh_key_file	Path to public SSH key file	~/.ssh/id_rsa.pub

Environment variables can also be used to set terraform variables when running the terraform apply command using the format TF_VAR_name.

6. Run terraform apply

   1. Add -var-file=main.tfvars if you have set the variables in main.tfvars.
   2. OR use environment variables for setting the terraform variables when running the apply command

7. View the output for the login command and gateway URL i.e.

droplet_ip = 178.128.39.201
gateway_url = https://faasd.example.com/
login_cmd = faas-cli login -g https://faasd.example.com/ -p rvIU49CEcFcHmqxj
password = rvIU49CEcFcHmqxj

8. Use your browser to access the OpenFaaS interface

Note that the user-data may take a couple of minutes to come up since it will be pulling in various components and preparing the machine. Also take into consideration the DNS propagation time for the new DNS record.

A single host with 1GB of RAM will be deployed for you, to remove at a later date simply use terraform destroy.

cloud-config.tpl

#cloud-config
ssh_authorized_keys:
  - ${ssh_key}

groups:
  - caddy

users:
  - name: caddy
    gecos: Caddy web server
    primary_group: caddy
    groups: caddy
    shell: /usr/sbin/nologin
    homedir: /var/lib/caddy

write_files:
- content: |
    {
      email ${letsencrypt_email}
    }

    ${faasd_domain_name} {
      reverse_proxy 127.0.0.1:8080
    }

  path: /etc/caddy/Caddyfile

package_update: true

packages:
 - runc

runcmd:
- curl -sLSf https://github.com/containerd/containerd/releases/download/v1.3.2/containerd-1.3.2.linux-amd64.tar.gz > /tmp/containerd.tar.gz && tar -xvf /tmp/containerd.tar.gz -C /usr/local/bin/ --strip-components=1
- curl -SLfs https://raw.githubusercontent.com/containerd/containerd/v1.3.2/containerd.service | tee /etc/systemd/system/containerd.service
- systemctl daemon-reload && systemctl start containerd
- /sbin/sysctl -w net.ipv4.conf.all.forwarding=1
- mkdir -p /opt/cni/bin
- curl -sSL https://github.com/containernetworking/plugins/releases/download/v0.8.5/cni-plugins-linux-amd64-v0.8.5.tgz | tar -xz -C /opt/cni/bin
- mkdir -p /go/src/github.com/openfaas/
- mkdir -p /var/lib/faasd/secrets/
- echo ${gw_password} > /var/lib/faasd/secrets/basic-auth-password
- echo admin > /var/lib/faasd/secrets/basic-auth-user
- cd /go/src/github.com/openfaas/ && git clone https://github.com/openfaas/faasd
- curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.8.1/faasd" --output "/usr/local/bin/faasd" && chmod a+x "/usr/local/bin/faasd"
- cd /go/src/github.com/openfaas/faasd/ && /usr/local/bin/faasd install
- systemctl status -l containerd --no-pager
- journalctl -u faasd-provider --no-pager
- systemctl status -l faasd-provider --no-pager
- systemctl status -l faasd --no-pager
- curl -sSLf https://cli.openfaas.com | sh
- sleep 5 && journalctl -u faasd --no-pager
- wget https://github.com/caddyserver/caddy/releases/download/v2.0.0-rc.2/caddy_2.0.0-rc.2_linux_amd64.tar.gz -O /tmp/caddy.tar.gz && tar -zxvf /tmp/caddy.tar.gz -C /usr/bin/ caddy
- wget https://raw.githubusercontent.com/caddyserver/dist/master/init/caddy.service -O /etc/systemd/system/caddy.service
- systemctl daemon-reload
- systemctl enable caddy
- systemctl start caddy

main.tf

terraform {
  required_version = ">= 0.12"
}

variable "do_token" {
  description = "Digitalocean API token"
}
variable "do_domain" {
  description = "Domain used for "
}
variable "letsencrypt_email" {
  description = "Email used to order a certificate from Letsencrypt"
}
variable "do_create_record" {
  default     = false
  description = "Whether to create a DNS record on Digitalocean"
}
variable "do_region" {
  default     = "fra1"
  description = "The Digitalocean region where the faasd droplet will be created."
}
variable "ssh_key_file" {
  default     = "~/.ssh/id_rsa.pub"
  description = "Path to the SSH public key file"
}

provider "digitalocean" {
  token = var.do_token
}

data "local_file" "ssh_key"{
  filename = pathexpand(var.ssh_key_file)
}

resource "random_password" "password" {
  length = 16
  special = true
  override_special = "_-#"
}

data "template_file" "cloud_init" {
  template = "${file("cloud-config.tpl")}"
    vars = {
      gw_password=random_password.password.result,
      ssh_key=data.local_file.ssh_key.content,
      faasd_domain_name="faasd.${var.do_domain}"
      letsencrypt_email=var.letsencrypt_email
    }
}

resource "digitalocean_droplet" "faasd" {
  region = var.do_region
  image  = "ubuntu-18-04-x64"
  name   = "faasd"
  size = "s-1vcpu-1gb"
  user_data = data.template_file.cloud_init.rendered
}

resource "digitalocean_record" "faasd" {
  domain = var.do_domain
  type   = "A"
  name   = "faasd"
  value  = digitalocean_droplet.faasd.ipv4_address
  # Only creates record if do_create_record is true
  count  = var.do_create_record == true ? 1 : 0
}

output "droplet_ip" {
  value = digitalocean_droplet.faasd.ipv4_address
}

output "gateway_url" {
  value = "https://faasd.${var.do_domain}/"
}

output "password" {
    value = random_password.password.result
}

output "login_cmd" {
  value = "faas-cli login -g https://faasd.${var.do_domain}/ -p ${random_password.password.result}"
}

main.tfvars

do_token          = ""
do_domain         = ""
letsencrypt_email = ""