Skip to content

Initial OpenFaaS Python SDK #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
alexellis merged 17 commits into from
Apr 27, 2026

Improve README structure and clarity

ff130c0
Select commit
Loading
Failed to load commit list.
Merged

Initial OpenFaaS Python SDK #1

Improve README structure and clarity
ff130c0
Select commit
Loading
Failed to load commit list.
reviewfn / succeeded Apr 27, 2026 in 2m 4s

AI Code Review Results

AI Pull Request Overview

Summary

  • Implements initial Python SDK for OpenFaaS with synchronous Client backed by requests library
  • Covers full OpenFaaS REST API including system info, namespaces, functions, secrets, logs, and invocation
  • Uses Pydantic v2 models for all request/response types with optional debug logging
  • Supports all standard OpenFaaS auth strategies including BasicAuth, TokenAuth, and Kubernetes service account tokens
  • Includes comprehensive authentication with OAuth 2.0 client_credentials and in-memory token caching
  • Provides 100 tests covering models, endpoints, auth, and token exchange
  • Adds CI/CD workflows for testing and publishing
  • No critical security or correctness issues found, but minor improvements recommended for robustness

Approval rating (1-10)

9 - Solid implementation with good API coverage and security practices, minor refinements needed for consistency and edge cases.

Summary per file

Summary per file
File path Summary
.github/PULL_REQUEST_TEMPLATE.md Standard PR template for contributions
.github/workflows/ci.yml CI workflow for Python 3.10-3.13 testing
.github/workflows/publish-test.yml Test publishing workflow
.github/workflows/publish.yml Production publishing workflow
.gitignore Python and build artifacts exclusions
CONTRIBUTING.md Contribution guidelines
LICENSE MIT license
README.md SDK usage documentation with auth examples
openfaas_sdk/init.py Package initialization with version export
openfaas_sdk/_transport.py HTTP transport utilities with logging
openfaas_sdk/_version.py Version string definition
openfaas_sdk/auth.py Authentication classes and token sources
openfaas_sdk/builder/init.py Builder package init
openfaas_sdk/builder/client.py Function build client with tar streaming
openfaas_sdk/builder/models.py Build request/response models
openfaas_sdk/builder/tar.py Tar creation utilities with path checks
openfaas_sdk/client.py Main Client class for OpenFaaS API calls
openfaas_sdk/exceptions.py Custom exception hierarchy
openfaas_sdk/exchange.py Token exchange logic for IAM
openfaas_sdk/models.py Pydantic models for API data
openfaas_sdk/token.py Token source protocols and implementations
openfaas_sdk/token_cache.py Thread-safe in-memory token cache
pyproject.toml Python project configuration with dependencies
tests/init.py Test package init
tests/test_auth.py Authentication strategy tests
tests/test_builder.py Builder functionality tests
tests/test_client.py Client API endpoint tests
tests/test_iam.py IAM token exchange tests
tests/test_models.py Model serialization tests
uv.lock Dependency lock file

Overall Assessment

The PR introduces a comprehensive Python SDK for OpenFaaS that accurately implements the REST API with strong authentication support and good test coverage. The code is well-structured, follows Python best practices, and aligns with OpenFaaS patterns seen in the Golang SDK. No major correctness or security issues were identified, making it production-ready. Minor improvements in error handling consistency, memory efficiency for large builds, and documentation clarity would enhance robustness without blocking merge.

Detailed Review

Detailed Review

Core SDK Files (openfaas_sdk/*.py)

  • Major: Inconsistent error handling in token sources (ClientCredentialsTokenSource vs. TokenAuth)
    openfaas_sdk/auth.py (lines 272-277, 140-143): ClientCredentialsTokenSource raises a generic RuntimeError for non-2xx responses, while TokenAuth (via exchange) parses OAuth errors for 400s. This inconsistency could confuse users expecting uniform OAuth error handling. In OpenFaaS, client_credentials responses are often OAuth-compliant—consider parsing OAuthError here for consistency with Golang SDK patterns.

  • Minor: Potential timezone ambiguity in log filtering
    openfaas_sdk/client.py (lines 367-368): since.isoformat() assumes the datetime is UTC-aware; if naive, it omits timezone info, which may not match OpenFaaS expectations (logs are typically UTC). This could cause silent filtering failures. Align with K8s patterns by ensuring UTC or documenting the requirement.

  • Minor: Redundant dict copy in invocation headers
    openfaas_sdk/client.py (lines 498-499, 472-473): In _invoke, merged_headers = dict(headers) is redundant since headers is already a dict. In invoke_function_async, merged_headers is passed correctly, but the copy adds unnecessary overhead for large header sets.

  • Info: Thread safety in client instance
    openfaas_sdk/client.py: The Client class uses instance variables like _token_cache without locks, but since clients are typically single-threaded per session (like Go's http.Client), this is acceptable. No races observed.

Authentication & Token Files (openfaas_sdk/auth.py, openfaas_sdk/token*.py, openfaas_sdk/exchange.py)

  • Info: Secure token handling
    No issues—tokens are cached in memory only, redacted in logs, and re-read from disk for service account rotation. Aligns well with K8s projected volume patterns.

  • Minor: Session lifecycle in ClientCredentialsTokenSource
    openfaas_sdk/auth.py (lines 266-272): If _http_client is provided, it's reused without ownership checks, which is fine but could lead to leaks if callers forget to close. Consistent with requests.Session usage in Go clients.

Builder Files (openfaas_sdk/builder/*.py)

  • Info: HMAC signing is secure
    openfaas_sdk/builder/client.py (lines 125-130): SHA256 digest on full tar body prevents tampering, matching OpenFaaS Pro security patterns.

  • Major: Potential memory issue for large builds
    openfaas_sdk/builder/client.py (lines 116-117): Reads entire tar file into memory (body = fh.read()) before POSTing. For large builds (e.g., multi-GB images), this could OOM. Consider streaming or chunking for performance, though acceptable for typical OpenFaaS use.

  • Minor: Unhandled JSON parsing in streaming
    openfaas_sdk/builder/client.py (lines 105-106): json.loads(line) in build_stream raises if invalid JSON, unlike log parsing which skips failures. Could crash on malformed builder output—add try/except for robustness.

Models & Exceptions (openfaas_sdk/models.py, openfaas_sdk/exceptions.py)

  • Info: Good alignment with OpenFaaS APIs
    CamelCase aliases match OpenFaaS JSON schemas. to_api_dict correctly excludes None values.

  • Minor: Exception response storage
    openfaas_sdk/exceptions.py (lines 37-38): APIStatusError stores the full requests.Response, which is memory-efficient but could be large. Consistent with Go error patterns.

Configuration & Docs (pyproject.toml, README.md, .github/, etc.)

  • Info: Dependency versions
    pyproject.toml: Pins pydantic>=2.0.0, requests>=2.20.0—good for stability, but consider upper bounds to avoid breaking changes in future.

  • Minor: README example inconsistency
    README.md (line 110): Mentions token_mount_path env var, but code defaults to /var/secrets/tokens. Clarify in docs to avoid confusion.

  • Info: CI coverage
    .github/workflows/ci.yml: Tests across Python 3.10-3.13, good. No integration tests for real OpenFaaS endpoints—consider adding for regression prevention.

Tests (tests/*.py)

  • Info: Comprehensive coverage
    Tests cover auth, models, client, builder, and IAM flows. Mocks are thorough, but no concurrency tests for token caching—add to catch race regressions.

  • Minor: Test for log parsing edge cases
    tests/test_client.py (lines 250-257): Tests log streaming but not invalid JSON lines. Add cases to ensure skips work as expected.

Overall Patterns & Regressions

  • Consistency with OpenFaaS: Code mirrors Go SDK in API fidelity (e.g., function invocation URLs, namespace labels). Error hierarchy (OpenFaaSError) is Pythonic but analogous to Go's error wrapping.
  • Potential Regressions: No breaking changes, but the builder's memory usage could regress for large builds. IAM auth flows are solid, unlikely to break existing K8s integrations.
  • Performance: Efficient—streams logs, caches tokens, uses requests.Session pooling. No wasteful operations.
  • Security: Strong—auth headers redacted, HMAC for builder, path traversal checks in tar creation.

No issues require blocking the PR, but addressing the majors/minors would improve robustness. The SDK is production-ready and consistent with OpenFaaS principles.

AI agent details.

Agent processing time: 2m0.229s
Environment preparation time: 3.815s
Total time from webhook: 2m14.014s
View more details on reviewfn