stackbuilders · dbalseiro · May 15, 2026 · May 15, 2026 · May 15, 2026 · May 15, 2026
diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md
@@ -23,10 +23,17 @@ pkg/
   buildpacks/           # Pack/Cloud Native Buildpacks builder (in container)
   s2i/                  # Source-to-Image builder (in container)
   oci/                  # Direct OCI image builder (on host)
+  builders/             # Builder coordination utilities
+  docker/               # Docker client, image pushing
 
   knative/              # Knative Serving deployer
+  deployer/             # Deployment coordination
   k8s/                  # Kubernetes utilities
+  operator/             # Knative func-operator integration
+  keda/                 # KEDA autoscaler support
 
+  config/               # User/global configuration
+  scaffolding/          # Project scaffolding logic
   pipelines/tekton/     # Remote builds via Tekton
   mcp/                  # AI agent integration (MCP server)
 

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -33,6 +33,8 @@ When a new Function is created, a few files are placed in the new Function's dir
 
 The source of these templates is `./templates`; a directory subdivided by language and template name.
 For example, the Go HTTP template is located in `./templates/go/http`.
+Some languages (Go, Python) also have scaffolding templates under `./templates/<lang>/scaffolding/`
+with `instanced-*` and `static-*` variants used for service-oriented project generation.
 The client library and CLI are self-contained
 by encoding this directory as a ZIP byte array in the `./generate/zz_filesystem_generated.go` file.
 Therefore, any updates to templates require re-generating this file.
@@ -41,6 +43,7 @@ When changes are made to files in the `./templates` directory,
 regenerate `./generate/zz_filesystem_generated.go` by running `make generate/zz_filesystem_generated.go`.
 It is also important to run the unit tests of the template modified.
 For example, to run the unit tests of the Go templates, use `make test-go`.
+To lint scaffolding templates, use `make check-go` (or the equivalent for other languages).
 For a list of available make targets, use `make help`.
 
 ## Integration Testing

diff --git a/Dockerfile.podman-next b/Dockerfile.podman-next
@@ -10,7 +10,7 @@ unqualified-search-registries = ["docker.io", "quay.io", "registry.fedoraproject
 short-name-mode="permissive"
 
 [[registry]]
-location="localhost:50000"
+location="registry.localtest.me"
 insecure=true
 EOF
 

diff --git a/cmd/build.go b/cmd/build.go
@@ -448,7 +448,7 @@ func (c buildConfig) clientOptions() ([]fn.Option, error) {
 	}
 
 	t := newTransport(c.RegistryInsecure)
-	creds := newCredentialsProvider(config.Dir(), t, c.RegistryAuthfile)
+	creds := newCredentialsProvider(config.Dir(), t, c.RegistryAuthfile, c.RegistryInsecure)
 
 	switch c.Builder {
 	case builders.Host:
@@ -470,7 +470,8 @@ func (c buildConfig) clientOptions() ([]fn.Option, error) {
 			fn.WithPusher(docker.NewPusher(
 				docker.WithCredentialsProvider(creds),
 				docker.WithTransport(t),
-				docker.WithVerbose(c.Verbose))))
+				docker.WithVerbose(c.Verbose),
+				docker.WithInsecure(c.RegistryInsecure))))
 	case builders.S2I:
 		o = append(o,
 			fn.WithScaffolder(s2i.NewScaffolder(c.Verbose)),
@@ -480,7 +481,8 @@ func (c buildConfig) clientOptions() ([]fn.Option, error) {
 			fn.WithPusher(docker.NewPusher(
 				docker.WithCredentialsProvider(creds),
 				docker.WithTransport(t),
-				docker.WithVerbose(c.Verbose))))
+				docker.WithVerbose(c.Verbose),
+				docker.WithInsecure(c.RegistryInsecure))))
 	default:
 		return o, builders.ErrUnknownBuilder{Name: c.Builder, Known: KnownBuilders()}
 	}

diff --git a/cmd/client.go b/cmd/client.go
@@ -18,6 +18,7 @@ import (
 	"knative.dev/func/pkg/k8s"
 	"knative.dev/func/pkg/knative"
 	"knative.dev/func/pkg/oci"
+	"knative.dev/func/pkg/operator"
 	"knative.dev/func/pkg/pipelines/tekton"
 )
 
@@ -59,9 +60,9 @@ func NewTestClient(options ...fn.Option) ClientFactory {
 // 'Verbose' indicates the system should write out a higher amount of logging.
 func NewClient(cfg ClientConfig, options ...fn.Option) (*fn.Client, func()) {
 	var (
-		t  = newTransport(cfg.InsecureSkipVerify)        // may provide a custom impl which proxies
-		c  = newCredentialsProvider(config.Dir(), t, "") // for accessing registries
-		d  = newKnativeDeployer(cfg.Verbose)             // default deployer (can be overridden via options)
+		t  = newTransport(cfg.InsecureSkipVerify)                                // may provide a custom impl which proxies
+		c  = newCredentialsProvider(config.Dir(), t, "", cfg.InsecureSkipVerify) // for accessing registries
+		d  = newKnativeDeployer(cfg.Verbose)                                     // default deployer (can be overridden via options)
 		pp = newTektonPipelinesProvider(c, cfg.Verbose, t)
 		o  = []fn.Option{ // standard (shared) options for all commands
 			fn.WithVerbose(cfg.Verbose),
@@ -81,7 +82,9 @@ func NewClient(cfg ClientConfig, options ...fn.Option) (*fn.Client, func()) {
 			fn.WithPusher(docker.NewPusher(
 				docker.WithCredentialsProvider(c),
 				docker.WithTransport(t),
-				docker.WithVerbose(cfg.Verbose))),
+				docker.WithVerbose(cfg.Verbose),
+				docker.WithInsecure(cfg.InsecureSkipVerify))),
+			fn.WithSyncer(operator.NewSyncer(operator.WithCredentialsProvider(c))),
 		}
 	)
 
@@ -110,10 +113,10 @@ func newTransport(insecureSkipVerify bool) fnhttp.RoundTripCloser {
 // has cluster-flavor specific additional credential loaders to take advantage
 // of features or configuration nuances of cluster variants.
 // If authFilePath is provided (non-empty), it will be used as the primary auth file.
-func newCredentialsProvider(configPath string, t http.RoundTripper, authFilePath string) oci.CredentialsProvider {
+// When insecure is true, credential verification uses plain HTTP instead of HTTPS.
+func newCredentialsProvider(configPath string, t http.RoundTripper, authFilePath string, insecure bool) oci.CredentialsProvider {
 	additionalLoaders := append(k8s.GetOpenShiftDockerCredentialLoaders(), k8s.GetGoogleCredentialLoader()...)
 	additionalLoaders = append(additionalLoaders, k8s.GetECRCredentialLoader()...)
-	additionalLoaders = append(additionalLoaders, k8s.GetACRCredentialLoader()...)
 
 	additionalLoaders = append(additionalLoaders,
 		func(registry string) (oci.Credentials, error) {
@@ -131,11 +134,15 @@ func newCredentialsProvider(configPath string, t http.RoundTripper, authFilePath
 		},
 	)
 
+	contextLoaders := k8s.GetACRCredentialLoader()
+
 	options := []creds.Opt{
 		creds.WithPromptForCredentials(prompt.NewPromptForCredentials(os.Stdin, os.Stdout, os.Stderr)),
 		creds.WithPromptForCredentialStore(prompt.NewPromptForCredentialStore()),
 		creds.WithTransport(t),
+		creds.WithInsecure(insecure),
 		creds.WithAdditionalCredentialLoaders(additionalLoaders...),
+		creds.WithContextCredentialLoaders(contextLoaders...),
 	}
 
 	// If a custom auth file path is provided, use it

diff --git a/cmd/deploy.go b/cmd/deploy.go
@@ -131,10 +131,10 @@ EXAMPLES
 		SuggestFor: []string{"delpoy", "deplyo"},
 		PreRunE: bindEnv("build", "build-timestamp", "builder", "builder-image",
 			"base-image", "confirm", "domain", "env", "git-branch", "git-dir",
-			"git-url", "image", "image-pull-secret", "namespace", "path", "platform",
-			"push", "pvc-size", "service-account", "deployer", "registry",
-			"registry-insecure", "registry-authfile", "remote", "username", "password",
-			"token", "verbose", "remote-storage-class"),
+			"git-url", "image", "image-pull-secret", "management-disabled", "namespace", "path", "platform", "push", "pvc-size",
+			"service-account", "deployer", "registry", "registry-insecure",
+			"registry-authfile", "remote", "username", "password", "token", "verbose",
+			"remote-storage-class"),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return runDeploy(cmd, newClient)
 		},
@@ -216,6 +216,8 @@ EXAMPLES
 	cmd.Flags().StringP("token", "", "",
 		"Token to use when pushing to the registry. ($FUNC_TOKEN)")
 	cmd.Flags().BoolP("build-timestamp", "", false, "Use the actual time as the created time for the docker image. This is only useful for buildpacks builder.")
+	cmd.Flags().Bool("management-disabled", f.Deploy.ManagementDisabled,
+		"Disable operator management of this function ($FUNC_MANAGEMENT_DISABLED)")
 	cmd.Flags().StringP("namespace", "n", defaultNamespace(f, false),
 		"Deploy into a specific namespace. Will use the function's current namespace by default if already deployed, and the currently active context if it can be determined. ($FUNC_NAMESPACE)")
 
@@ -555,6 +557,9 @@ type deployConfig struct {
 	// Timestamp the built container with the current date and time.
 	// This is currently only supported by the Pack builder.
 	Timestamp bool
+
+	// ManagementDisabled disables automatic Function CR sync after deploy.
+	ManagementDisabled bool
 }
 
 // newDeployConfig creates a buildConfig populated from command flags and
@@ -576,6 +581,7 @@ func newDeployConfig(cmd *cobra.Command) deployConfig {
 		ServiceAccountName: viper.GetString("service-account"),
 		ImagePullSecret:    viper.GetString("image-pull-secret"),
 		Deployer:           viper.GetString("deployer"),
+		ManagementDisabled: viper.GetBool("management-disabled"),
 	}
 	// NOTE: .Env should be viper.GetStringSlice, but this returns unparsed
 	// results and appears to be an open issue since 2017:
@@ -612,6 +618,7 @@ func (c deployConfig) Configure(f fn.Function) (fn.Function, error) {
 	f.Deploy.ServiceAccountName = c.ServiceAccountName
 	f.Deploy.ImagePullSecret = c.ImagePullSecret
 	f.Deploy.Deployer = c.Deployer
+	f.Deploy.ManagementDisabled = c.ManagementDisabled
 	f.Local.Remote = c.Remote
 
 	// PVCSize
@@ -791,7 +798,7 @@ func (c deployConfig) clientOptions() ([]fn.Option, error) {
 	}
 
 	t := newTransport(c.RegistryInsecure)
-	creds := newCredentialsProvider(config.Dir(), t, c.RegistryAuthfile)
+	creds := newCredentialsProvider(config.Dir(), t, c.RegistryAuthfile, c.RegistryInsecure)
 
 	// Override the pipelines provider to use custom credentials
 	// This is needed for remote builds (deploy --remote)

diff --git a/cmd/invoke.go b/cmd/invoke.go
@@ -106,7 +106,7 @@ EXAMPLES
 			"onvoke", "unvoke", "knvoke", "imvoke", "ihvoke", "ibvoke"},
 		PreRunE: bindEnv("path", "format", "target", "id", "source", "type",
 			"data", "content-type", "request-type", "file", "insecure",
-			"confirm", "verbose"),
+			"confirm", "verbose", "extension"),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return runInvoke(cmd, args, newClient)
 		},
@@ -129,6 +129,7 @@ EXAMPLES
 	cmd.Flags().StringP("data", "", fn.DefaultInvokeData, "Data to send in the request. ($FUNC_DATA)")
 	cmd.Flags().StringP("file", "", "", "Path to a file to use as data. Overrides --data flag and should be sent with a correct --content-type. ($FUNC_FILE)")
 	cmd.Flags().BoolP("insecure", "i", false, "Allow insecure server connections when using SSL. ($FUNC_INSECURE)")
+	cmd.Flags().StringSliceP("extension", "e", nil, "Extensions as key=value pairs. Can be repeated. cloudevents only ($FUNC_EXTENSION)")
 	addConfirmFlag(cmd, cfg.Confirm)
 	addPathFlag(cmd)
 	addVerboseFlag(cmd, cfg.Verbose)
@@ -165,6 +166,20 @@ func runInvoke(cmd *cobra.Command, _ []string, newClient ClientFactory) (err err
 		return fmt.Errorf("no function found in current directory.\nYou need to be inside a function directory to invoke it.\n\nTry this:\n  func create --language go myfunction    Create a new function\n  cd myfunction                          Go into the function directory\n  func invoke                            Now you can invoke it\n\nOr if you have an existing function:\n  cd path/to/your/function              Go to your function directory\n  func invoke                           Invoke the function")
 	}
 
+	// If extensions were provided, ensure the format is cloudevent, otherwise return an error.
+	if len(cfg.Extensions) > 0 {
+		effectiveFormat := cfg.Format
+		if effectiveFormat == "" {
+			effectiveFormat = f.Invoke
+		}
+		if effectiveFormat != "cloudevent" {
+			return fmt.Errorf("--extension (-e) is only valid with cloudevents")
+		}
+		if effectiveFormat != "" && effectiveFormat != "cloudevent" {
+			return fmt.Errorf("--extension flag is only valid with cloudevent format")
+		}
+	}
+
 	// Client instance from env vars, flags, args and user prompts (if --confirm)
 	client, done := newClient(ClientConfig{Verbose: cfg.Verbose, InsecureSkipVerify: cfg.Insecure})
 	defer done()
@@ -179,6 +194,7 @@ func runInvoke(cmd *cobra.Command, _ []string, newClient ClientFactory) (err err
 		RequestType: strings.ToUpper(cfg.RequestType),
 		Data:        cfg.Data,
 		Format:      cfg.Format,
+		Extensions:  cfg.extensionsMap(),
 	}
 
 	// If --file was specified, use its content for message data
@@ -239,6 +255,7 @@ type invokeConfig struct {
 	Confirm     bool
 	Verbose     bool
 	Insecure    bool
+	Extensions  []string
 }
 
 func newInvokeConfig() (cfg invokeConfig, err error) {
@@ -256,6 +273,7 @@ func newInvokeConfig() (cfg invokeConfig, err error) {
 		Confirm:     viper.GetBool("confirm"),
 		Verbose:     viper.GetBool("verbose"),
 		Insecure:    viper.GetBool("insecure"),
+		Extensions:  viper.GetStringSlice("extension"),
 	}
 
 	// If file was passed, read it in as data
@@ -293,9 +311,21 @@ func newInvokeConfig() (cfg invokeConfig, err error) {
 	fmt.Printf("Content Type: %v\n", cfg.ContentType)
 	fmt.Printf("File: %v\n", cfg.File)
 	fmt.Printf("Insecure: %v\n", cfg.Insecure)
+	fmt.Printf("Extensions: %v\n", cfg.Extensions)
 	return
 }
 
+func (c invokeConfig) extensionsMap() map[string]string {
+	extensionsMap := make(map[string]string)
+	for _, ext := range c.Extensions {
+		parts := strings.SplitN(ext, "=", 2)
+		if len(parts) == 2 {
+			extensionsMap[parts[0]] = parts[1]
+		}
+	}
+	return extensionsMap
+}
+
 func (c invokeConfig) prompt() (invokeConfig, error) {
 	var qs []*survey.Question