v1.18.0

Features

The major theme of this release is support for multiple namespaces/multitenancy in Fission.

Fission CLI Changes

Fission CLI now communicates with Kubernetes API server directly. We have removed the dependency on Fission controller.

This gives Fission users a few benefits:

  • You can use Kubernetes RBAC to control access to Fission resources. Refer to RBAC Permissions for Fission CLI for detailed info.
  • Fission CLI can be used with any Kubernetes cluster that has Fission installed.
  • Enhanced security during Fission CLI communication

Fission CLI has been updated to support multiple namespaces. We have added/modified/deprecated a couple of CLI options. Please refer to the Fission CLI Reference for more details.

  • We have introduced two global flags --namespace and --all-namespace to specify the namespace for the Fission resources.
  • One spec file can be used to apply resources in different namespaces.

Fission Logs CLI now works with Kubernetes; you don’t need to set up InfluxDB to use this feature.

We have introduced a new flag, --imagepullsecret, to pull an image from a private registry for container functions.

Fission Core Changes

Multiple Namespaces Support in Helm Chart

We have made major changes in the Helm chart; please do not skip this section.

  • By default, a Fission installation supports a single namespace, defaultNamespace. If you want to enable multiple namespaces, please set them via additionalFissionNamespaces in Helm values. Please check PR #2539 for details.
  • You can also have multiple Fission installations on the same cluster within different namespaces.
  • We now create a separate service account for each Fission service and assign specific roles to it.

Fission now supports multiple namespaces. This means that you can create functions, packages, triggers, etc. in different namespaces. This is a major feature that enables Fission to be used in a multi-tenant environment.

Webhook Server Addition

We have added a new webhook server to Fission. This webhook server is responsible for validating Fission resources. We have moved most of the validations from the Fission controller and Fission CLI to the webhook server. This gives us more flexibility to add more validations in the future. By default, we create a self-signed certificate for the webhook server. You can provide your own certificate via the webhook section in Helm values or use cert-manager to create a certificate.

Legacy behaviour of default namespace

Earlier, when you created functions and environments in the defaultNamespace set via the Helm chart, Fission created the resources in the functionNamespace and builderNamespace, whereas for other namespaces Fission created resources in the same namespace. We have changed this behavior now: Fission creates resources in the same namespace for all namespaces. If you want the older behavior, you have to set functionNamespace and builderNamespace to fission-function and fission-builder respectively. By default, these values are empty in the 1.18.0 release.

Security Context Enabled by Default

We have enabled security context by default in the Helm chart. This runs Fission services as a non-root user. You can disable it via securityContext.enabled in Helm values.

Removal of ClusterRole and ClusterRoleBinding

We have removed ClusterRole and ClusterRoleBinding from the Fission installation. We now use Role and RoleBinding across the Fission installation, so all components get permissions to operate on Fission resources in the specific namespace. We have also refactored lots of RBAC permissions across the Helm chart to make Fission more secure.
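The following audit is an added example, not part of the release notes or of Fission's own code. It relates to the RBAC-controlled CLI access and the move from ClusterRole to Role described above: it scans RBAC objects for fission.io grants that are cluster-wide, sit outside the namespaces Fission is installed for, or use wildcards. The sample objects and the namespaces team-a and team-b (standing in for defaultNamespace and additionalFissionNamespaces) are constructed.

```python
import json

FISSION_GROUP = "fission.io"

# Constructed sample standing in for `kubectl get clusterroles,roles -A -o json`.
SAMPLE = json.loads("""
{"items": [
  {"kind": "ClusterRole", "metadata": {"name": "legacy-fission-admin"},
   "rules": [{"apiGroups": ["fission.io"], "resources": ["*"], "verbs": ["*"]}]},
  {"kind": "Role", "metadata": {"name": "fn-developer", "namespace": "team-a"},
   "rules": [{"apiGroups": ["fission.io"], "resources": ["functions", "packages"],
              "verbs": ["get", "list", "create", "update"]}]},
  {"kind": "Role", "metadata": {"name": "fn-all", "namespace": "team-b"},
   "rules": [{"apiGroups": ["fission.io"], "resources": ["*"], "verbs": ["get"]}]},
  {"kind": "Role", "metadata": {"name": "fn-reader", "namespace": "kube-system"},
   "rules": [{"apiGroups": ["fission.io"], "resources": ["functions"], "verbs": ["get"]}]},
  {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "team-a"},
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]}]}
]}
""")


def audit_fission_rbac(items, fission_namespaces):
    """Return (kind, namespace, name, reason) for over-broad fission.io grants."""
    findings = []
    for obj in items:
        kind = obj.get("kind")
        meta = obj.get("metadata", {})
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        # Only rules that name the fission.io API group are examined here;
        # aggregated roles can carry `rules: null`, hence the `or []`.
        rules = [r for r in obj.get("rules") or []
                 if FISSION_GROUP in r.get("apiGroups", [])]
        if not rules:
            continue
        if kind == "ClusterRole":
            findings.append((kind, ns, name, "cluster-wide grant"))
            continue
        if kind != "Role":
            continue
        if ns not in fission_namespaces:
            findings.append((kind, ns, name, "namespace not managed by Fission"))
        if any("*" in r.get("verbs", []) or "*" in r.get("resources", [])
               for r in rules):
            findings.append((kind, ns, name, "wildcard verbs or resources"))
    return findings


if __name__ == "__main__":
    for finding in audit_fission_rbac(SAMPLE["items"], {"team-a", "team-b"}):
        print(finding)
```

Roles that grant access through a wildcard API group (for example the built-in cluster-admin) are not matched by this check and need a separate review.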

Deprecation

Controller Deprecation

We have deprecated the Fission controller and disabled it by default. You can enable it via controller.enabled in Helm values.

We plan to remove the Fission controller in the next release.

HTTP Trigger Deprecation

  • HTTPTrigger/Route creation from Fission CLI is deprecated. Use fission route create instead. PR #2171
  • We have deprecated Spec.Method in HTTPTrigger since 1.13.0; please use Spec.Methods instead.

Removed

Azure Storage Queue and Nats traditional connector

With the addition of KEDA connectors, we have removed the following connectors of type fission.

Prometheus chart dependency

We have removed the Prometheus dependency because it’s not required by default by Fission. If you want to use canary functions or check out Fission metrics, we recommend using prometheus-community/prometheus or prometheus-community/kube-prometheus-stack.

Opentracing support removed

With the addition of OpenTelemetry, we have removed OpenTracing instrumentation. Since OpenTelemetry is a superset of OpenTracing, we recommend using OpenTelemetry for tracing.

Changelog

  • deb3523 update chart version to 1.18.0 #2687
  • 0635a6a remove .* suffix after Dockerfile #2685
  • a9d5542 update vulnerable dependencies #2684
  • 496e4e3 feat(cli): provide imagepullsecret option for container as function #2680
  • 6667d7e fix: nil panic for the latestDepl.Name if not return in the for cycle #2682
  • 922cb34 Change cron syntax to standard format #2678
  • fcf4fd2 fix: add missing imagePullSecrets sections to pods #2675
  • 69470a6 Fix issue with updating timetrigger without --cron flag #2677
  • 8df4fd0e Allow service account check to run only once at start of executor #2673
  • 275cfb55 Update chart version 1.18.0-rc2 #2671
  • 3e25f474 Remove singleDefaultNamespace field from helm chart #2670
  • d52c6021 Create role and rolebinding for event-fetcher in multiple namespaces #2669
  • 16cbb87e Create role/role binding/service account required for builder/function pods #2667
  • 5fae7653 Use client generator to generate all k8s clients and add respective client-go metrics #2668
  • 31f4f8c5 Remove otel handler per function handler in router #2664
  • 3ae17429 Executor user informer factory in executors in place of informers #2666
  • d16de59e Pass prometheus dump path and port to analyzer script #2665
  • 61d98152 Update go dependencies #2663
  • 300739c0 Remove service account/role binding/role permissions from Fission services #2655
  • 94eead86 change archive location for integration-test-old job #2662
  • 612206b0 test job with old namespace support to ensure backward compatibility of fission #2654
  • 985d94b5 Consume podspec patch directly on executor/builder mounts #2661
  • 4dde3c95 Fix namespace resolution with DEFAULT_NAMESPACE and other parameters set #2659
  • 9ccd2a41 Generate kubernetes roles in fission-function and fission-builder namespace #2656
  • e9fd13b6 Remove cluster roles for all Fission service accounts #2629
  • ee623d31 Check pods events via informer in user configured namespaces #2653
  • 9612baec Upgrade skaffold to v2 manifest #2633
  • 691feaa8 K8s informer to work with specific namespaces for executor #2651
  • 6bf0c412 K8s informer to work with specific namespaces for builder manager #2649
  • 9eb7acf0 wait in testcase until server starts #2648
  • e015d6d6 add version info in fission support #2645
  • 918214c0 K8s informer to work with specific namespaces for logger #2647
  • 526b5f0b Deployments to work with specific namespaces instead of all namespaces #2635
  • 0aec9e13 Enable security context by default #2644
  • 8a3d8a47 Optimize Kafka Client in Kafka Connector #2630
  • 38d38092 Update golangci-lint version to v1.50.1 #2642
  • 1e0641d5 Removed call to InfluxDB via controller proxy #2638
  • f11902e8 Backup prometheus data from CI run #2636
  • 8db3d006 Move build cache key operation from goroutine #2641
  • 92453908 Capture trace_id in builder logs #2640
  • 28daccb3 Capture trace_id in storage service logs #2639
  • 31639774 Handle logs from all pods in function and error condition in fission fn log command #2634
  • 82d066b7 Add sync triggers debounce #2631
  • 9c4fc4a3 remove controller check #2632
  • 68286fe4 Track all Go tools version in tools package #2628
  • d559628f add validation to avoid cross ns config and functions #2627
  • 4cbe6a70 Get logs from Pods using Kubernetes API for function log command #2623
  • 6d117ad4 Allow empty namespace for fission function and builder #2621
  • 70a0afd6 use namespace flag from global options for watch command #2622
  • d2f201b7 Add Controller enable/disable flag in Helm Charts #2620
  • 3b2a86a8 Run canary config server separate from controller #2617
  • 9a07d7d9 Add validation/mutating webhook server for Fission custom resources #2608
  • 31dfc3e4 Convert ClusterRoles to Roles for all components for multiple namespaces #2584
  • 66897cb9 Delete builder service associated with environment name #2616
  • 57d3a80f Allow different namespaces in CI for fission-function and fission-builder #2609
  • fa037166 Add Fission version API to router for CLI consumption #2612
  • 32bd874a List fission resources in specific namespace instead of all namespace #2604
  • b71a36dc Use Kubernetes Client instead of Controller APIs from CLI #2605
  • 261bf249 Use informer for environment handling in buildermanager with multiple namespaces #2603
  • 6af53807 Monitor specific namespaces for configmap/secret updates #2598
  • f37e9e6f Use informer for kube watcher handling with multiple namespace support #2594
  • b9fa6ca2 Use informer for time trigger handling with multiple namespace support #2593
  • c33842c9 Run package informer in go routine for multiple namespaces in buildermanager #2592
  • 9ff9a6e0 newdeploy executor to work with specific namespaces #2590
  • a64fcc3f use controller-runtime signals #2589
  • 47cbbef0 List Fission resource for specific namespace in executor reaper #2587
  • dbd21531 Fission failed to list resources if namespace flag is not provided #2585
  • 2bd005c3 Refactor code generator for deepcopy files #2580
  • 3a9e5ab6 Error if rolebinding exists with different role reference in namespace #2579
  • ee790b3e Update chart version to v1.18.0-rc1 #2576
  • 7eeb3ead Role and RoleBinding for fission-fetcher and fission-builder for user configured namespaces #2574
  • 827baea9 Allow namespace configuration for different CRD resources in Fission #2539
  • facd14de Improve warning/verbose messages around namespace in Fission CLI #2572
  • 8d65b062 Extract out permissions for fission.io components per-component #2570
  • d933f0ba Skip CI if label added to PR #2571
  • f2b79092 Remove unwanted permissions from Fission components #2568
  • 8fe62b75 Grant CustomResourceDefinition read permission to specific components #2567
  • b9513868 add namespace param for fn and env #2556
  • 0739aca9 Separate service accounts for each fission component #2560
  • 18225db2 Delete greetings.yml #2563
  • 8008a542 Update deps #2558
  • 3fa0f4bd Ensuring passing context across fission #2555
  • a8a81ef5 Remove --force option from upgrade strategy in skaffold.yaml #2557
  • 1102999b Add ability to configure object reaper interval for different executor types #2543
  • da50c375 feat: add the fn annotations to newdeploy function based deployment #2554
  • e87c84ee Capture context from cobra CLI and pass forward #2551
  • d0339594 changes to inject of otelhttp transport in executor #2552
  • b19d18c8 Enable promlinter and enhance exposed metrics. #2550

References