Add helm chart for Amazon SNS connector

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>

Makefile

@@ -87,7 +87,8 @@ verify-charts:
 	arkade chart verify --verbose=$(VERBOSE) -f ./chart/pro-builder/values.yaml && \
 	arkade chart verify --verbose=$(VERBOSE) -f ./chart/sqs-connector/values.yaml && \
 	arkade chart verify --verbose=$(VERBOSE) -f ./chart/postgres-connector/values.yaml && \
-	arkade chart verify --verbose=$(VERBOSE) -f ./chart/queue-worker/values.yaml
+	arkade chart verify --verbose=$(VERBOSE) -f ./chart/queue-worker/values.yaml && \
+	arkade chart verify --verbose=$(VERBOSE) -f ./chart/sns-connector/values.yaml
 
 charts-only:
 	@cd chart && \
@@ -99,7 +100,8 @@ charts-only:
 		helm package pro-builder/ && \
 		helm package sqs-connector/ && \
 		helm package postgres-connector/ && \
-		helm package queue-worker/
+		helm package queue-worker/ && \
+		helm package sns-connector/
 	mv chart/*.tgz docs/
 	helm repo index docs --url https://openfaas.github.io/faas-netes/ --merge ./docs/index.yaml
 	./contrib/create-static-manifest.sh

chart/sns-connector/.gitignore

+/values-ae.yaml

chart/sns-connector/.helmignore

+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

chart/sns-connector/Chart.yaml

+apiVersion: v1
+description: Invoke functions from an AWS SNS messages.
+name: sns-connector
+version: 0.0.1
+sources:
+- https://github.com/openfaas/faas-netes
+home: https://www.openfaas.com
+icon: https://raw.githubusercontent.com/openfaas/media/master/OpenFaaS_logo_stacked_opaque.png
+keywords:
+- openfaaspro
+- faas
+- serverless
+- sns
+- events
+maintainers:
+- name: alexellis
+  email: alex@openfaas.com

chart/sns-connector/README.md

+# OpenFaaS Pro SQS Connector
+
+The SNS connector can be used to invoke functions from an AWS SNS messages.
+
+See also: [Trigger functions from AWS SNS messages](https://docs.openfaas.com/openfaas-pro/sns-events/)
+
+## Prerequisites
+
+- Purchase a license
+
+  You will need an OpenFaaS License
+
+  Contact us to find out more [openfaas.com/pricing](https://www.openfaas.com/pricing)
+
+- Install OpenFaaS
+
+  You must have a working OpenFaaS installed.
+
+## Configure your secrets
+
+- Create the required secret with your OpenFaaS Pro license code:
+
+```bash
+$ kubectl create secret generic \
+    -n openfaas \
+    openfaas-license \
+    --from-file license=$HOME/.openfaas/LICENSE
+```
+
+- Create an AWS credentials secret:
+
+```bash
+$ kubectl create secret generic -n openfaas \
+  aws-sns-credentials --from-file aws-sns-credentials=$HOME/sns-credentials.txt
+```
+
+You can configure permissions using a dedicated IAM user. The user needs a policy that grants access to the `Subscribe` and `ConfirmSubscription` actions. Optionally you can also limit the topics it has access to. For more information see: [Using identity-based policies with Amazon SNS](https://docs.aws.amazon.com/sns/latest/dg/sns-using-identity-based-policies.html)
+
+## Configure ingress
+
+To receive http calls from AWS SNS the callback url has to be publicly accessible.
+
+The below instructions show how to set up Ingress with a TLS certificate using Ingress Nginx. You can also use any other ingress-controller, inlets-pro or an Istio Gateway. Reach out to us if you need a hand.
+
+Install [cert-manager](https://cert-manager.io/docs/), which is used to manage TLS certificates.
+
+You can use Helm, or [arkade](https://github.com/alexellis/arkade):
+
+```bash
+arkade install cert-manager
+```
+
+Install ingress-nginx using arkade or Helm:
+
+```bash
+arkade install ingress-nginx
+```
+
+Create an ACME certificate issuer:
+
+```bash
+export EMAIL="mail@example.com"
+
+cat > issuer-prod.yaml <<EOF
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt-prod
+  namespace: openfaas
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: $EMAIL
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+EOF
+```
+
+```bash
+kubectl apply -f issuer-prod.yaml
+```
+
+Create an ingress record for the sns-connector:
+
+```bash
+export DOMAIN="sns.example.com"
+
+cat > ingress.yaml <<EOF
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: sns-connector
+  namespace: openfaas
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    cert-manager.io/issuer: letsencrypt-prod
+  labels:
+    app: sns-connector
+spec:
+  tls:
+  - hosts:
+    - $DOMAIN
+    secretName: sns-connector-cert
+  rules:
+  - host: $DOMAIN
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: sns-connector
+            port:
+              number: 8080
+EOF
+```
+
+Apply the Ingress resource:
+
+```bash
+kubectl apply -f ingress.yaml
+```
+
+## Configure values.yaml
+
+```yaml
+
+# Public callback URL for subscriptions
+callbackURL: "http://sns.example.com/callback"
+
+# SNS topic ARN
+topicARN: "arn:aws:sns:us-east-1:123456789012:of-event"
+
+# AWS shared credentials file:
+awsCredentialsSecret: aws-sns-credentials
+
+awsRegion: us-east-1
+```
+
+## Install the chart
+
+- Add the OpenFaaS chart repo and deploy the `sns-connector` chart. We recommend installing it in the same namespace as the rest of OpenFaaS
+
+```sh
+$ helm repo add openfaas https://openfaas.github.io/faas-netes/
+$ helm upgrade sns-connector openfaas/sns-connector \
+    --install \
+    --namespace openfaas
+```
+
+> The above command will also update your helm repo to pull in any new releases.
+
+## Install a development version
+
+```sh
+$ helm upgrade sns-connector ./chart/sns-connector \
+    --install \
+    --namespace openfaas
+    -f ./values.yaml
+```
+
+## Configuration
+
+Additional sns-connector options in `values.yaml`.
+
+| Parameter                | Description                                                                            | Default                        |
+| ------------------------ | -------------------------------------------------------------------------------------- | ------------------------------ |
+| `callbackURL` | Public callback URL for subscriptions | `""` |
+| `topicARN` | Amazon SNS topic ARN | `""` |
+| `awsCredentialsSecret` | Kubernetes secret for the AWS shared credentials file | `aws-sns-credentials` |
+| `awsRegion` | The AWS region | `eu-west-1` | 
+| `asyncInvocation`        | For long running or slow functions, offload to asychronous function invocations and carry on processing the stream | `false`   |
+| `upstreamTimeout`        | Maximum timeout for upstream function call, must be a Go formatted duration string.    | `2m`                          |
+| `rebuildInterval`        | Interval for rebuilding function to topic map, must be a Go formatted duration string. | `30s`                           |
+| `gatewayURL`             | The URL for the API gateway.                                                           | `http://gateway.openfaas:8080` |
+| `printResponse`          | Output the response of calling a function in the logs.                                 | `true`                         |
+| `printResponseBody`      | Output to the logs the response body when calling a function.                          | `false`                        |
+| `printRequestBody`       | Output to the logs the request body when calling a function.                           | `false`                        |
+| `fullnameOverride`       | Override the name value used for the Connector Deployment object.                      | ``                             |
+| `contentType`            | Set a HTTP Content Type during function invocation.                                    | `""`                           |
+| `resources`              | Resources requests and limits configuration                               | `requests.memory: "64Mi"`                  |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. See `values.yaml` for the default configuration.
+
+## Removing the sns-connector
+
+All control plane components can be cleaned up with helm:
+
+```sh
+$ helm uninstall -n openfaas sns-connector
+```

chart/sns-connector/templates/NOTES.txt

+Thanks for installing the sns-connector. Please follow the instructions below to get you started.
+
+You can watch the Connector logs to see it invoke your functions:
+
+$ kubectl logs -n {{ .Release.Namespace }} deploy/sns-connector -f
+

chart/sns-connector/templates/_helpers.tpl

+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "connector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "connector.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "connector.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+

chart/sns-connector/templates/deployment.yml

+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: {{ template "connector.name" . }}
+    component: sns-connector
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: {{ template "connector.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.Version }}
+    app.kubernetes.io/component: sns-connector
+    app.kubernetes.io/part-of: openfaas
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  name: {{ template "connector.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      app: {{ template "connector.name" . }}
+      component: sns-connector
+
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: "false"
+      labels:
+        app: {{ template "connector.name" . }}
+        component: sns-connector
+    spec:
+      volumes:
+        - name: openfaas-license
+          secret:
+            secretName: openfaas-license
+      {{- if .Values.basic_auth }}
+        - name: auth
+          secret:
+            secretName: basic-auth
+      {{- end }}
+      {{- if .Values.awsCredentialsSecret }}
+        - name: aws-credentials
+          secret:
+            secretName: {{ .Values.awsCredentialsSecret }}
+      {{- end}}
+      containers:
+        - name: connector
+          image: {{ .Values.image }}
+          command:
+            - "/usr/bin/connector"
+            - "-license-file=/var/secrets/license/license"
+            - "-callback-url={{ .Values.callbackURL }}/"
+            - "-arn={{.Values.topicARN }}"
+            - "-port 8080"
+          env:
+            - name: gateway_url
+              value: {{ .Values.gatewayURL | quote }}
+            - name: print_response
+              value: {{ .Values.printResponse | quote }}
+            - name: print_response_body
+              value: {{ .Values.printResponseBody | quote }}
+            - name: print_request_body
+              value: {{ .Values.printRequestBody | quote }}
+            - name: asynchronous_invocation
+              value: {{ .Values.asyncInvocation | quote }}
+            {{- if .Values.basic_auth }}
+            - name: basic_auth
+              value: "true"
+            - name: secret_mount_path
+              value: "/var/secrets"
+            {{- end }}
+            {{- if .Values.upstreamTimeout }}
+            - name: upstream_timeout
+              value: {{ .Values.upstreamTimeout | quote }}
+            {{- end }}
+            {{- if .Values.rebuildInterval }}
+            - name: rebuild_interval
+              value: {{ .Values.rebuildInterval | quote }}
+            {{- end }}
+            - name: content_type
+              value: {{ .Values.contentType | quote }}
+            {{- if .Values.awsCredentialsSecret }}
+            - name: AWS_SHARED_CREDENTIALS_FILE
+              value: /var/secrets/aws-credentials/{{ .Values.awsCredentialsSecret }}
+            {{- end }}
+            {{- if .Values.awsRegion }}
+            - name: AWS_REGION
+              value: {{ .Values.awsRegion }}
+            {{- end }}
+          resources:
+            {{- .Values.resources | toYaml | nindent 12 }}
+          volumeMounts:
+            - name: openfaas-license
+              readOnly: true
+              mountPath: "/var/secrets/license"
+          {{- if .Values.basic_auth }}
+            - name: auth
+              readOnly: true
+              mountPath: "/var/secrets"
+          {{- end }}
+          {{- if .Values.awsCredentialsSecret }}
+            - name: aws-credentials
+              readOnly: true
+              mountPath: "/var/secrets/aws-credentials"
+          {{- end }}
+
+    {{- with .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+    {{- end }}

chart/sns-connector/templates/service.yaml

+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: {{ template "connector.name" . }}
+    component: sns-connector
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: {{ template "connector.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  type: ClusterIP
+  ports:
+  - name: http
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: sns-connector
\ No newline at end of file

chart/sns-connector/values.yaml

+# The Kafka connector is an OpenFaaS Pro feature
+#
+# Purchase a license at https://openfaas.com/support/
+
+# You will need to create a license named "openfaas-license" - see the
+# chart README for detailed instructions.
+
+image: ghcr.io/openfaasltd/sns-connector:0.0.1
+
+replicas: 1
+
+# Public callback URL for subscriptions
+callbackURL: "https://"
+
+# SNS topic ARN
+topicARN: "arn:aws:sns:"
+
+# AWS shared credentials file:
+# The format is the standard ini-type AWS file format.
+#
+# kubectl create secret generic -n openfaas \
+#   aws-sns-credentials --from-file aws-sns-credentials=$HOME/sns-credentials.txt
+awsCredentialsSecret: aws-sns-credentials
+
+awsRegion: eu-west-1
+
+# Max timeout for a function
+upstreamTimeout: 30s
+
+# interval for rebuilding the map of functions and topics
+rebuildInterval: 30s
+
+# Use with slow consumers or long running functions
+asyncInvocation: false
+
+# HTTP content-type for invoking functions
+contentType: text/plain
+
+# Print the data read from the SQS queue before invoking functions
+# Do not use in production
+printRequestBody: false
+
+# Print the HTTP status of invoked functions
+printResponse: true
+
+# Print the data received from invoked functions
+# Do not use in production
+printResponseBody: false
+
+# Gateway URL to access API and for invocations
+gatewayURL: http://gateway.openfaas:8080
+
+# Basic auth for the gateway
+basic_auth: true
+
+resources:
+  requests:
+    memory: "64Mi"
+    cpu: "100m"
+  # limits:
+  #   memory: "256Mi"
+  #   cpu: "100m"
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}