feat(compute): add Functions serverless enhancement#625
feat(compute): add Functions serverless enhancement#625
Conversation
Add enhancement documentation for the Functions serverless compute capability. ## Summary Functions provides serverless compute with: - Sub-50ms cold starts via Unikraft unikernels - True scale-to-zero with automatic scaling - Multi-language support (Go, Node.js, Python, Rust) - Gateway API integration for HTTP routing ## Architecture - Functions builds on Workload (generates Workload resources) - Unikraft runtime integrated at Workload layer - Direct access to consumer projects (no federation) - Service Connect for private cross-control-plane connectivity ## C4 Diagrams - architecture-context: System context showing Functions, Workload, Gateway - architecture-control-plane: Cross-control-plane architecture - architecture-service-connect: Private connectivity via Service Connect Includes shared datum-theme.puml for consistent diagram styling. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add section describing future Service Connect capability for Functions to access consumer resources (databases, APIs, caches) via Consumer Service Publications. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
scotwells
requested review from
bmertens-datum,
drewr,
jacobsmith928 and
zachsmith1
Refines the Functions serverless enhancement to be more accessible and product-focused. Key improvements: - Clearer architecture diagrams showing how Functions connects to Registry, Build, Workload, and Gateway services - New Developer Experience section describing deployment workflows and management capabilities - Future Work section outlining planned features like cron triggers, region selection, and canary deploys - Simplified language throughout, removing technical jargon in favor of user-focused descriptions Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
|
Refined the Functions enhancement to make it clearer and more complete:
|
|
Great! From a use-case perspective I have seen functions used for service monitoring, synthetic probes as well. |
|
@mksinghtx thanks for the feedback! Answers quoted below.
Good point. I believe those use-cases would fall under the future work with cron / event based triggers. The current scope is HTTP-only.
By this, do you mean controlling number of replicas / CPU / Memory usage?
I'd expect network policies within a VPC to also apply to service connections so you can control what's allowed to access the function. Since the function is actually deployed on infrastructure with the service's control plane in a separate VPC, it won't have any connectivity to the consumer's control plane. I expect our service connect capability would have some method of exposing a consumer's service to the function.
Functions will not be routable publicly. Users can reference a function as a route on a Gateway to expose the function to the internet. You'd be able to use all of the existing security features of our gateway to gate access to this route (Basic Auth, OIDC, IP Allow / Deny lists, etc). |
|
I'm also thinking that we reduce the scope of this to only support Javascript / Python for the MVP. Golang / Rust will require the platform to compile code into executables before running. That's a more complex pipeline with more things that can go wrong, more error messages to surface clearly, and more edge cases to handle. |
yes, And network resources
By finer-granularity I meant security policy(AWS terminology) rather than network policies. On Service connect it can be modeled like private link with a endpoint service and endpoint(AWS terminology).
So ok assume that only references will be allowed. In that case I was thinking more like whether in addition to users who can reference functions - if applications then will user delegation for an app be allowed and then in that case will app registration be static - with a secret or more like Client metadata based registration or DCR. The more interesting case is where an autonomous agent references this route where static registration does not really work! More an auth question I guess as we build those enhancements |
- Add Security section explaining Gateway-based access control - Add Function Identity to Future Work roadmap - Reorganize document to lead with user-focused sections (Developer Experience, User Stories, Security) before architecture details - Address PR feedback from @mksinghtx Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Restructure the document to present user-focused content before technical implementation details. Developer Experience, User Stories, Security, and Artifact Discovery now appear in the Proposal section, giving readers context on what Functions does before diving into how it works. Technical architecture (Workload integration, Unikraft runtime, Control Plane, Service Connect) moves to a new Design Details section for readers who want implementation specifics. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add a Connectivity subsection explaining the two ways developers can reach their functions: public access via Gateway for external users, and private access via Service Connect for internal services. This helps developers understand when to use each approach. Also update gateway references to clarify that projects can have multiple gateways. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Internally we'd set resource caps on CPU / Memory / Network that can be consumed per function. I don't think we'd give users too much control over this with functions because the idea with functions is providing an abstracted infrastructure interface. Users who need more control over CPU / Memory / Network would just create workloads directly with their resource requirements.
Service connect will be similar to AWS Private Link, GCP's Private Service Connect, and Azure's Private Link concepts. Our network policies will have similar behavior to security groups where you can configure tag-based / identity rules rather than just IP-based.
This is a great forward-looking question. The current scope assumes Gateway handles auth for public access, but you're right that static secrets don't fit well for dynamic agents or app-to-function calls. This feels like it belongs in the Auth/IAM enhancement space—things like workload identity, dynamic client registration, or token exchange for service-to-service auth. I'll flag this as a dependency to consider as those capabilities develop. |
jacobsmith928
left a comment
jacobsmith928
left a comment
There was a problem hiding this comment.
LGTM, thanks for your deep dive on this @scotwells
jacobsmith928
left a comment
jacobsmith928
left a comment
There was a problem hiding this comment.
I meant to approve on my last review
drewr
left a comment
drewr
left a comment
There was a problem hiding this comment.
Thanks for this @scotwells. I didn't see anything that stood out to me as a concern at this stage. I like the control plane separation. Looking forward to diving more into how auth will work.
|
@drewr @jacobsmith928 did you see my comment on reducing initial scope to just JavaScript / python? Looking to get feedback there. |
|
@scotwells yes that seems like a good place to start vis a vis: |
I saw it. Hard to judge yet without seeing the effort required to add support per language. I am curious how Rust or Go complicates things. I know they're compiled but all languages will require some kind of build, whether that's Languages aside, I'm envisioning something like how a GitHub Action creates a GitHub Pages deployment (something we'd love to have for datum-cloud/cloudvalid.com#9, eg). Deploying a static site should be easy with this. We may want to specify it in the user stories? |
The biggest friction point is it requires you to compile an image and push it to a registry. Since Javascript / Python are interpreted languages you can just load the files into the runtime and execute the script. For an MVP, I'd target commonly used dependencies be automatically included in the JS / Python runtime to make it possible for people to easily manage functions via the UI. If they want custom dependencies for more advanced use-cases, I think that's a secondary phase where we have a build process. Mainly trying to avoid having to create a build a pipeline for the first phase.
This seems like something separate than functions to me. I'd dump the rendered HTML / CSS / JS assets into an S3 bucket and use it as the origin. |
4 participants
Summary
This enhancement introduces Functions, a serverless compute capability that makes it easy for developers to deploy code without managing infrastructure.
Note
I'd recommend reading the rendered view of the markdown document.
What developers get
Common use cases
Architecture highlights
Functions builds on the existing Workload primitive, so it inherits all the platform's battle-tested compute infrastructure. Private connectivity via Service Connect means traffic between your apps and functions never touches the public internet.
What's included