Skip to content

Function Builder

OpenFaaS Pro offers an API called the Pro Builder which you can run in your cluster to build container images from functions.

Note: This feature is included for OpenFaaS Pro customers.

There are many tools that you can use to build OpenFaaS container images, so why would you need the Pro Builder?

  • You want to build images via API
  • You need to build many images and other tooling makes this hard to scale
  • You want to build images within your cluster, rather than using separate external infrastructure
  • You want a more secure method than mounting a Docker socket into your container

The Pro Builder uses Buildkit, developed by the Docker community to perform fast, cached, in-cluster builds via a HTTP API and uses mTLS for encryption.

Various self-hosted, open source and managed registries are supported.


The Pro Builder is available to OpenFaaS Pro customers.

Install the builder using its helm chart.


Create a build context using the faas-cli build --shrinkwrap command:

rm -rf /tmp/functions
mkdir -p /tmp/functions

faas-cli new --lang node14 hello-world
faas-cli build --shrinkwrap -f hello-world.yml

cd build
rm -rf context
mv hello-world context

export DOCKER_USER=alexellis2
echo -n '{"image": "'$DOCKER_USER'/test-image-hello:0.1.0"}' > com.openfaas.docker.config

If you wish, you can also construct this filesystem using your own application, but it is easier to execute the faas-cli command from your own code.

Then create a tar archive of the context of the /tmp/functions/build/ directory:

tar cvf req.tar  --exclude=req.tar  .

The format will be as follows:


Now port-forward the service and invoke it:

kubectl port-forward -n openfaas \
    deploy/pro-builder 8081:8080

Generate a SHA256 HMAC signature and invoke the function passing in the X-Build-Signature header.

Invoke a build:

PAYLOAD=$(kubectl get secret -n openfaas payload-secret -o jsonpath='{.data.payload-secret}' | base64 --decode)

HMAC=$(cat req.tar | openssl dgst -sha256 -hmac $PAYLOAD | sed -e 's/^.* //')

curl -H "X-Build-Signature: sha256=$HMAC" -s -X POST --data-binary @req.tar | jq

    "v: 2021-10-20T16:48:34Z exporting to image 8.01s"
  "imageName": "",
  "status": "success"

Passing in additional build-args:

  "image": "",
  "buildArgs": {
    "BASE_IMAGE": ""

You can access the Pro Builder via your code, or an OpenFaaS function by specifying its URL and its in-cluster service name:


The Pro Builder can be scaled out, which also deploys additional replicas of Buildkit:

kubectl scale -n openfaas deploy/pro-builder \