{"id":16927633,"url":"https://github.com/dirien/stackit-faasd","last_synced_at":"2025-03-21T02:15:35.319Z","repository":{"id":49889996,"uuid":"367302316","full_name":"dirien/stackit-faasd","owner":"dirien","description":"STACKIT opinionated faasd installation","archived":false,"fork":false,"pushed_at":"2021-06-08T20:50:40.000Z","size":265,"stargazers_count":5,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-18T06:44:06.355Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dirien.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-05-14T08:42:02.000Z","updated_at":"2022-04-26T04:51:25.000Z","dependencies_parsed_at":"2022-08-27T00:30:32.323Z","dependency_job_id":null,"html_url":"https://github.com/dirien/stackit-faasd","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dirien%2Fstackit-faasd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dirien%2Fstackit-faasd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dirien%2Fstackit-faasd/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dirien%2Fstackit-faasd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dirien","download_url":"https://codeload.github.com/dirien/stackit-faasd/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244722
747,"owners_count":20499154,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-13T20:34:44.382Z","updated_at":"2025-03-21T02:15:35.294Z","avatar_url":"https://github.com/dirien.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# STACKIT - Faasd\n\n![FaasD](img/img.png)\n\nThis is my take on installing faasd on [STACKIT](https://stackit.de/en/).\n\nSTACKIT is the digital brand of Schwarz IT and therefore part of the IT organisation of one of the world’s largest retail groups.\nSchwarz consists of the well-known brands Lidl and Kaufland, as well as Schwarz Produktion and waste and recycling management companies.\n\nThe installation consists of the following components:\n\n- STACKIT OpenStack (https://www.openstack.org/)\n- Terraform (https://www.terraform.io/)\n- Pulumi (https://pulumi.com)  \n- Azure Object Storage (https://www.terraform.io/docs/language/settings/backends/azurerm.html)\n- cloud-init (https://cloudinit.readthedocs.io)\n- containerd (https://containerd.io/)\n- envoy (https://www.envoyproxy.io/)\n- cni (https://github.com/containernetworking/cni)\n- faasd (https://github.com/openfaas/faasd)\n- certbot (https://certbot.eff.org/)\n- ansible (https://www.ansible.com/)\n\n# STACKIT OpenStack\n\n![FaasD](img/stackit.png)\n\nAt the moment, STACKIT Cloud is only available for internal use. If you are interested in using STACKIT as an early adopter, feel free to contact us (info@stackit.de).\nLong story short, I just created the UAT to access the OpenStack API. 
And we download the `xxx-openrc.sh` file from the OpenStack UI. \n\n# Azure Object Storage\n\nThis step is completely optional; I just did not want to save the Terraform/Pulumi states in Git or store them on my local file system.\n\nAfter creating the container storage on Azure, don't forget to export the `ARM_ACCESS_KEY`\n\n    export ARM_ACCESS_KEY=xxxx\n\nOr for Pulumi\n\n    export AZURE_STORAGE_ACCOUNT=xxx\n    export AZURE_STORAGE_KEY=yyy\n\n# Terraform\n\nRead the OpenStack credentials in via:\n\n    source xxx-openrc.sh\n\n## variables\n\nPlease adapt the `variables.tf` for the values you need. In `datasource.tf`, I reference the floating-ip network.\n\n## SSH key\n\nIn faasd, create a folder called ssh. Change into the folder and create the ssh key via:\n\n    ssh-keygen -t rsa -f ./faasd\n\n## Pulumi\n\nInstall the CLI\n\n    brew install pulumi\n\nLog into your backend, here we use Azure\n    \n    pulumi login azblob://\u003cname\u003e   \n\nAfterwards you can deploy the stack with\n\n    pulumi preview\n\n    pulumi up\n\n    pulumi destroy\n\n## Terraform\n\n### Terraform HCL\nAfter this you can execute the terraform commands as usual:\n\n    terraform init\n\n    terraform plan\n\n    terraform apply\n\nThis should create the whole infrastructure.\n\nYou should see the following output:\n\n    faasd-private = \"xx.xxx.xx.xx\"\n    faasd-public = \"yy.yy.yy.yy\"\n\nTake this IP and create an A record in your domain.\n\n### Terraform-CDK (Go)\n\nChange into the `cdk` folder.\n\nInstall with Homebrew:\n\nAttention: Only `version \u003e= 0.4.1` is working due to a bug 👉 [#763](https://github.com/hashicorp/terraform-cdk/issues/763)\n\n    $ brew install cdktf\n\nRun `cdktf get` to generate the bindings for the providers. 
By default the generated Go code will be output to the generated subdirectory.\n\nYou can now deploy your CDK for Terraform application using the `cdktf deploy` command.\n\n    cdktf deploy\n\nYou can destroy the application by running `cdktf destroy`.\n\n    cdktf destroy\n\n# cloud-init\n\nIn the `main.tf` we have the cloud-init file.\n\n```\n  #cloud-config\n  users:\n    - default\n\n  package_update: true\n\n  packages:\n    - apt-transport-https\n    - ca-certificates\n    - curl\n    - gnupg-agent\n    - software-properties-common\n    - runc\n\n  # Enable ipv4 forwarding, required on CIS hardened machines\n  write_files:\n    - path: /etc/sysctl.d/enabled_ipv4_forwarding.conf\n      content: |\n        net.ipv4.conf.all.forwarding=1\n    - path: /etc/systemd/system/envoy.service\n      content: |\n        [Unit]\n        Description=envoy\n        Documentation=https://www.envoyproxy.io/docs\n\n        [Service]\n        Type=simple\n        ExecStart=/usr/bin/envoy -c /app/envoy/front-envoy.yaml\n        Restart=on-failure\n        RestartSec=5\n\n        [Install]\n        WantedBy=multi-user.target\n\n  runcmd:\n    - curl -sL 'https://getenvoy.io/gpg' | apt-key add -\n    - apt-key fingerprint 6FF974DB | grep \"5270 CEAC\"\n    - add-apt-repository \"deb [arch=amd64] https://dl.bintray.com/tetrate/getenvoy-deb $(lsb_release -cs) stable\"\n    - apt update -y\n    - apt install -y getenvoy-envoy\n\n    - curl -sLSf https://github.com/containerd/containerd/releases/download/v1.5.1/containerd-1.5.1-linux-amd64.tar.gz \u003e /tmp/containerd.tar.gz \u0026\u0026 tar -xvf /tmp/containerd.tar.gz -C /usr/local/bin/ --strip-components=1\n    - curl -SLfs https://raw.githubusercontent.com/containerd/containerd/v1.5.1/containerd.service | tee /etc/systemd/system/containerd.service\n    - systemctl daemon-reload \u0026\u0026 systemctl start containerd\n    - systemctl enable containerd\n\n    - mkdir -p /opt/cni/bin\n    - curl -sSL 
https://github.com/containernetworking/plugins/releases/download/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz | tar -xz -C /opt/cni/bin\n\n    - mkdir -p /go/src/github.com/openfaas/\n    - cd /go/src/github.com/openfaas/ \u0026\u0026 git clone --depth 1 --branch 0.11.4 https://github.com/openfaas/faasd\n    - curl -fSLs \"https://github.com/openfaas/faasd/releases/download/0.11.4/faasd\" --output \"/usr/local/bin/faasd\" \u0026\u0026 chmod a+x \"/usr/local/bin/faasd\"\n    - cd /go/src/github.com/openfaas/faasd/ \u0026\u0026 /usr/local/bin/faasd install\n    - systemctl status -l containerd --no-pager\n    - journalctl -u faasd-provider --no-pager\n    - systemctl status -l faasd-provider --no-pager\n    - systemctl status -l faasd --no-pager\n    - curl -sSLf https://cli.openfaas.com | sh\n    - sleep 60 \u0026\u0026 journalctl -u faasd --no-pager\n    - cat /var/lib/faasd/secrets/basic-auth-password | /usr/local/bin/faas-cli login --password-stdin\n\n```\nThis is where the heavy lifting happens: `envoy`, `containerd`, `cni` and `faasd` are installed here.\n\n# certbot\n\nI used certbot to create the `Let's Encrypt` certificate for the envoy proxy, with the following command:\n\n    certbot certonly --manual --preferred-challenges=dns --work-dir $PWD --logs-dir $PWD --config-dir $PWD\n\n# ansible\n\nAt the end I use ansible to encrypt the certs via \n\n    ansible-vault encrypt fullchain.pem \n\n    ansible-vault encrypt privkey.pem \n\nKeep this password safe, as you will need it during execution of the playbook.\n\nAlso, I deliver the envoy config `front-envoy.yaml` and start the `envoy` service. \n\nDo not forget to add your public IP address to the `hosts.yaml` file. Execute the playbook with the following command:\n\n    ansible-playbook --ask-vault-pass --private-key ssh/faasd -i ansible/hosts.yaml ansible/playbook.yaml\n\nAs we use ansible-vault, we need to provide the password. 
\n\n# the end?\n\nIf everything goes well, you should see the following page under your DNS name:\n\n![faasd](img/faasd.png)\n\n# the missing parts\n\n+ monitoring\n+ logging\n+ better automation","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdirien%2Fstackit-faasd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdirien%2Fstackit-faasd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdirien%2Fstackit-faasd/lists"}