Skip to content

functions-dev/func-operator

BranchesTags

Repository files navigation

func-operator

GitHub release Go Report Card Go Version License CI

A Kubernetes operator for managing middleware updates for serverless functions deployed with the func CLI. This operator monitors deployed functions and automatically rebuilds them when outdated middleware is detected, ensuring functions stay up-to-date with the latest middleware versions.

Prerequisites

Installation

Install the Operator

Deploy the operator to your cluster:

kubectl apply -f https://github.com/functions-dev/func-operator/releases/latest/download/func-operator.yaml

Usage

Register a Function for Middleware Management

Create a Function custom resource to register an existing function for middleware monitoring and updates:

apiVersion: functions.dev/v1alpha1
kind: Function
metadata:
  name: my-function
  namespace: default
spec:
  repository:
    url: https://github.com/your-org/your-function.git
    authSecretRef:
      name: git-credentials
  registry:
    authSecretRef:
      name: registry-credentials

Apply the resource:

kubectl apply -f function.yaml

Note: This registers an existing function with the operator for middleware management. To initially deploy a function, use the func CLI directly:

func deploy --path <function-path> --registry <registry-path>

Registry Authentication

For private registries, create a secret with registry credentials:

apiVersion: v1
kind: Secret
metadata:
  name: registry-credentials
  namespace: default
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64-encoded-docker-config>

Or use kubectl:

kubectl create secret docker-registry registry-credentials \
  --docker-server=<registry-url> \
  --docker-username=<username> \
  --docker-password=<password> \
  --docker-email=<email>

Git Authentication

For private Git repositories, create a secret with the Git credentials:

apiVersion: v1
kind: Secret
metadata:
  name: git-credentials
  namespace: default
data:
  token: <base64-encoded-access-token>

or

apiVersion: v1
kind: Secret
metadata:
  name: git-credentials
  namespace: default
data:
  username: <base64-encoded-username>
  password: <base64-encoded-password>

Then reference it in the Function under .spec.repository.authSecretRef.name

apiVersion: functions.dev/v1alpha1
kind: Function
metadata:
  name: my-function
  namespace: default
spec:
  repository:
    url: https://github.com/your-org/your-function.git
    authSecretRef:
      name: git-credentials

SSH Key Authentication

For SSH-based repository access, create a secret with the SSH private key:

apiVersion: v1
kind: Secret
metadata:
  name: git-ssh-credentials
  namespace: default
data:
  sshPrivateKey: <base64-encoded-private-key>

Optional fields:

  • sshPrivateKeyPassword: Passphrase for encrypted private keys
  • known_hosts: SSH known_hosts file content for host key verification. If omitted, host key checking is skipped.
apiVersion: v1
kind: Secret
metadata:
  name: git-ssh-credentials
  namespace: default
data:
  sshPrivateKey: <base64-encoded-private-key>
  sshPrivateKeyPassword: <base64-encoded-passphrase>
  known_hosts: <base64-encoded-known-hosts>

Reference it in the Function with an SSH repository URL:

apiVersion: functions.dev/v1alpha1
kind: Function
metadata:
  name: my-function
  namespace: default
spec:
  repository:
    url: git@github.com:your-org/your-function.git
    authSecretRef:
      name: git-ssh-credentials

For public repositories accessible over SSH, no secret is needed:

apiVersion: functions.dev/v1alpha1
kind: Function
metadata:
  name: my-function
  namespace: default
spec:
  repository:
    url: git@github.com:your-org/your-function.git

Both SCP-style URLs (git@host:path) and standard SSH URLs (ssh://git@host/path) are supported.

Check Function Status

The Function CRD has the short name func, so you can use kubectl get func instead of kubectl get function.

Get an overview of all functions including their middleware version and pending rebuild status:

kubectl get func

View the full status of a specific function:

kubectl get func my-function -o yaml

The status will include:

  • Function name and conditions
  • Git information (branch, commit, last checked time)
  • Deployment details (image, runtime, build time, deployer)
  • Middleware status (current and available versions, auto-update settings, pending rebuild status)
  • Service status (URL and readiness)

Advanced Use Cases

Functions in Monorepos

For functions located in a subdirectory of a repository (e.g., in a monorepo), use the repository.path field to specify the path to your function:

apiVersion: functions.dev/v1alpha1
kind: Function
metadata:
  name: my-function
  namespace: default
spec:
  repository:
    url: https://github.com/your-org/your-monorepo.git
    path: functions/my-function
    authSecretRef:
      name: git-credentials
  registry:
    authSecretRef:
      name: registry-credentials

The operator will clone the repository and use the specified path as the function root directory.

Triggering a Reconciliation

The operator normally reconciles a Function when its spec changes. To trigger a reconciliation manually, add any annotation with the functions.knative.dev/ prefix:

kubectl annotate function my-function functions.knative.dev/reconcile=true

The operator will reconcile the Function and automatically remove the annotation afterwards.

Configuring Automatic Middleware Updates

The operators main responsibility it to rebuild functions when outdated middleware is detected. Anyhow this behavior can be enabled/disabled at two levels:

Operator-Level Default

Configure the operator-wide default by editing the func-operator-controller-config ConfigMap in the operators namespace (func-operator-system by default):

apiVersion: v1
kind: ConfigMap
metadata:
  name: func-operator-controller-config
  namespace: func-operator-system
data:
  autoUpdateMiddleware: "true"  # or "false" to disable by default

Per-Function Override

Individual functions can override the operator default using the autoUpdateMiddleware field:

apiVersion: functions.dev/v1alpha1
kind: Function
metadata:
  name: my-function
  namespace: default
spec:
  repository:
    url: https://github.com/your-org/your-function.git
  autoUpdateMiddleware: false  # Disable middleware updates for this function

Precedence: Function-level settings always take priority over the operator default.

Contributing

See CONTRIBUTING.md for development setup, testing, and contribution guidelines.

API Reference

Function Spec

Field Type Required Description
repository.url string Yes URL of the Git repository. Supports HTTPS, HTTP, SSH (ssh://), and SCP-style (git@host:path)
repository.branch string No Branch of the repository
repository.path string No Path to the function inside the repository. Defaults to "."
repository.authSecretRef object No Reference to the auth secret for private repository authentication
registry.authSecretRef object No Reference to the secret containing credentials for registry authentication
autoUpdateMiddleware boolean No Defines if the operator should rebuild when outdated middleware is detected. When not specified, defaults to the operator-wide setting in the func-operator-controller-config ConfigMap (default: true). Function-level setting takes precedence over operator default

Function Status

Field Type Description
name string Function name from metadata
conditions array Status conditions (see below)
git.resolvedBranch string Git branch that is being monitored
git.observedCommit string Latest Git commit SHA observed
git.lastChecked timestamp Last time the repository was checked
deployment.image string Container image of the deployed function
deployment.imageBuilt timestamp When the current image was built
deployment.deployer string Tool/method used to deploy the function (e.g., "func")
deployment.runtime string Detected function runtime
middleware.current string Current middleware version in use
middleware.available string Latest available middleware version
middleware.autoUpdate.enabled boolean Whether automatic middleware updates are enabled
middleware.autoUpdate.source string Source of the autoUpdate setting ("function" or "operator")
middleware.pendingRebuild boolean Whether a rebuild is pending due to outdated middleware
middleware.lastRebuild timestamp Last time the function was rebuilt for middleware updates
service.url string URL of the function's service
service.ready string Whether the function's service is ready (e.g., "true", "false", "UNKNOWN")

Status Conditions

Condition Description
Ready Summary condition that is True when all other conditions are True
SourceReady Git source was cloned and function metadata was read successfully
Deployed Function is deployed
MiddlewareUpToDate Middleware is on the latest version (or intentionally skipped)
ServiceReady Underlying service of the function is ready to serve traffic

Uninstallation

Remove the operator and CRDs:

# Undeploy operator
make undeploy

# Uninstall CRDs
make uninstall

About

A Kubernetes operator for managing middleware updates for Knative Functions

Resources

Readme

License

Apache-2.0 license

Contributing

Contributing
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases 5

v0.2.1 Latest
Apr 28, 2026
+ 4 releases

Packages

 
 
 

Contributors

Languages