Function configuration file

When you initialize a Function (with the init command), CLI creates the config.yaml file in your workspace folder. This file contains the whole Function's configuration and specification not only for the Function custom resource but also any other related resources you create for it, such as Subscriptions and APIRules.

Specification for an inline Function

See the sample config.yaml for an inline Function for which code and dependencies are stored in the Function custom resource (CR) under the spec.source and spec.deps fields. This specification also contains the definition of a sample Subscription and APIRules for the Function:

Click to copy
name: function-practical-filip5
namespace: testme
runtime: nodejs18
runtimeImageOverride: eu.gcr.io/kyma-project/function-runtime-nodejs18:v20230228-b2981e80
labels:
app: serverless-test
source:
sourceType: inline
sourcePath: /tmp/cli
sourceHandlerName: /code/handler.js
depsHandlerName: /dependencies/package.json
resources:
limits:
cpu: 1
memory: 1Gi
requests:
cpu: 500m
memory: 500Mi
subscriptions:
- name: function-practical-filip5
typeMatching: exact
source: ""
types:
- sap.kyma.custom.demo-app.order.created.v1
apiRules:
- name: function-practical-filip5
gateway: kyma-system/kyma-gateway
service:
host: path.kyma.example.com
port: 80
rules:
- methods:
- GET
- POST
- PUT
- PATCH
- DELETE
- HEAD
accessStrategies: []
- path: /path1/something1
methods:
- PUT
- PATCH
- DELETE
accessStrategies:
- handler: noop
- path: /path1/something2
methods:
- GET
accessStrategies:
- config:
required_scope: ["read"]
handler: oauth2_introspection
- path: /path2
methods:
- DELETE
accessStrategies:
handler: jwt
- config:
jwksUrls:
- {jwks_uri of your OpenID Connect-compliant identity provider}
trustedIssuers:
- {issuer URL of your OpenID Connect-compliant Identity provider}
env:
- name: REDIS_PASS
value: YgJUg8z6eA
- name: REDIS_PORT
value: "6379"
- name: REDIS_HOST
value: hb-redis-enterp-6541066a-edbc-422f-8bef-fafca0befea8-redis.testme.svc.cluster.local
- valueFrom:
configMapKeyRef:
Name: configmap1
Key: token-field
- valueFrom:
secretKeyRef:
Name: secret1
Key: token-field
schemaVersion: v1

Specification for a Git Function

See the sample config.yaml for a Git Function for which code and dependencies are stored in a selected Git repository:

Click to copy
name: function-practical-marcin
namespace: iteration-review
runtime: nodejs18
source:
sourceType: git
url: https://github.com/username/public-gitops.git
repository: my-repo
reference: main
baseDir: /
credentialsType: basic
credentialsSecretName: secret2

Parameters

See all parameter descriptions.

NOTE: The Default value column specifies the values that Kyma CLI sets when applying resources on a cluster, if no other values are provided.

ParameterRequiredRelated custom resourceDefault valueDescription
nameYesFunctionSpecifies the name of your Function.
namespaceNoFunctiondefaultDefines the Namespace in which the Function is created.
runtimeYesFunctionSpecifies the execution environment for your Function. The available values are nodejs16 - deprecated, nodejs18, and python39.
runtimeImageOverrideNoFunctionSpecifies the runtimes image which must be used instead of default one.
labelsNoFunctionSpecifies the Function's Pod labels.
sourceYesFunctionProvides details on the type and location of your Function's source code and dependencies.
source.sourceTypeYesFunctionDefines whether you use either inline code or a Git repository as the source of the Function's code and dependencies. It must be set either to inline or git.
source.sourcePathNoFunctionLocation of the config.yaml fileSpecifies the absolute path to the directory with the Function's source code.
source.sourceHandlerNameNoFunctionhandler.js (Node.js) or handler.py (Python)Defines the path to the file with your Function's code. Specify it if you want to store source code separately from the config.yaml. This path is a relative path to the one provided in source.sourcePath.
source.depsHandlerNameNoFunctionpackage.json (Node.js) or requirements.txt (Python)Defines the path to the file with your Function's dependencies. Specify it if you want to store dependencies separately from the config.yaml. This path is a relative path to the one provided in source.sourcePath.
source.urlNoFunctionProvides the address to the Git repository with the Function's code and dependencies. Depending on whether the repository is public or private and what authentication method is used to access it, the URL must start with the http(s), git, or ssh prefix, and end with the .git suffix.
source.repositoryNoFunctionFunction nameSpecifies the name of the Git repository.
source.referenceNoFunctionSpecifies either the branch name or the commit revision from which the Function Controller automatically fetches the changes in the Function's code and dependencies.
source.baseDirNoFunctionSpecifies the location of your code dependencies in the repository. It is recommended to keep the source files at the root of your repository (/).
source.credentialsTypeNoFunctionbasicSpecifies the content type of the Secret with credentials to the Git repository. Defines if you must authenticate to the repository with a password or token (basic), or an SSH key (key).
source.credentialsSecretNameNoFunctionSpecifies the name of the Secret with credentials to the Git repository. It is used by the Function Controller to authenticate to the Git repository to fetch the Function's source code and dependencies. This Secret must be stored in the same Namespace as the Function CR.
resourcesNoFunctionDefines CPU and memory available for the Function's Pod to use.
resources.limitsNoFunctionDefines the maximum available CPU and memory values for the Function.
resources.limits.cpuNoFunction100mDefines the maximum available CPU value for the Function.
resources.limits.memoryNoFunction128MiDefines the maximum available memory value for the Function.
resources.requestsNoFunctionDefines the minimum requested CPU and memory values for a Function.
resources.requests.cpuNoFunction50mDefines the minimum requested CPU value for the Function.
resources.requests.memoryNoFunction64MiDefines the minimum requested memory value for the Function.
subscriptionsNoSubscriptionDefines a Subscription by which the Function gets triggered to perform a business logic defined in the Function's source code.
subscriptions.nameYesSubscriptionFunction nameSpecifies the name of the Subscription custom resource. It takes the name from the Function unless you specify otherwise.
subscriptions.typeMatchingNoSubscriptionDefines the matching type (standard or exact) for event types. When it is set to exact, Eventing does not do any kind of modifications to the provided spec.types internally. In case of standard, Eventing modifies the types internally to fulfil the backend requirements. It is set to standard unless you specify otherwise.
subscriptions.sourceYesSubscriptionDefines the source of the event originated from.
subscriptions.typesYesSubscriptionDefines the list of event types used to trigger workloads.
apiRulesNoAPIRuleProvides the rules defining how your Function's Service API can be accessed.
apiRules.nameYesAPIRuleFunction nameSpecifies the name of the exposed Service. It takes the name from the Function unless you specify otherwise.
apiRules.gatewayNoAPIRulekyma-system/kyma-gatewaySpecifies the Istio Gateway.
apiRules.serviceNoAPIRuleSpecifies the name of the exposed Service.
apiRules.service.hostNoAPIRuleSpecifies the Service's communication address for inbound external traffic.
apiRules.service.portNoAPIRule80.Defines the port on which the Function's Service is exposed. This value cannot be modified.
apiRules.rulesYesAPIRuleSpecifies the array of Oathkeeper access rules.
apiRules.rules.methodsNoAPIRuleSpecifies the list of HTTP request methods available for apiRules.rules.path .
apiRules.rules.accessStrategiesYesAPIRuleSpecifies the array of Oathkeeper authenticators. The supported authenticators are oauth2_introspection, jwt, noop, and allow.
apiRules.rules.pathNoAPIRule/.*Specifies the path to the exposed Service.
apiRules.rules.path.accessStrategies.handlerYesAPIRuleallowSpecifies one of the authenticators used: oauth2_introspection, jwt, noop, or allow.
apiRules.rules.path.accessStrategies.config.NoAPIRuleDefines the handler used. It can be specified globally or per access rule.
apiRules.rules.path.accessStrategies.config.required_scopeNoAPIRuleDefines the limits that the client specifies for an access request. In turn, the authorization server issues the access token in the defined scope.
apiRules.rules.path.accessStrategies.config.jwks_urlsNoAPIRuleThe URLs where ORY Oathkeeper can retrieve JSON Web Keys from to validate the JSON Web Token.
apiRules.rules.path.accessStrategies.config.trustedIssuersNoAPIRuleSets a list of trusted token issuers.
env.nameNoFunctionSpecifies the name of the environment variable to export for the Function.
env.valueNoFunctionSpecifies the value of the environment variable to export for the Function.
env.valueFromNoFunctionSpecifies that you want the Function to use values either from a Secret or a ConfigMap. These objects must be stored in the same Namespace as the Function.
env.valueFrom.configMapKeyRefNoFunctionRefers to the values from a ConfigMap that you want to use in the Function.
env.valueFrom.configMapKeyRef.NameNoFunctionSpecifies the name of the referred ConfigMap.
env.valueFrom.configMapKeyRef.KeyNoFunctionSpecifies the key containing the referred value from the ConfigMap.
env.valueFrom.secretKeyRefNoFunctionRefers to the values from a Secret that you want to use in the Function.
env.valueFrom.secretKeyRef.NameNoFunctionSpecifies the name of the referred Secret.
env.valueFrom.secretKeyRef.KeyNoFunctionSpecifies the key containing the referred value from the Secret.
schemaVersionYesFunctionSpecifies the Subscription API version.

See the detailed descriptions of all related custom resources referred to in the config.yaml: