From 4b033f0b85e3b4e9176e91e4fe9b615897920bbe Mon Sep 17 00:00:00 2001 From: "Han Verstraete (OpenFaaS Ltd)" Date: Thu, 1 Aug 2024 17:47:29 +0200 Subject: [PATCH] Add docs for NATS authorization Signed-off-by: Han Verstraete (OpenFaaS Ltd) --- docs/deployment/pro.md | 2 ++ docs/openfaas-pro/jetstream.md | 28 +++++++++++++++++++++++++++- 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/docs/deployment/pro.md b/docs/deployment/pro.md index 9a0bfd1..c79cd0e 100644 --- a/docs/deployment/pro.md +++ b/docs/deployment/pro.md @@ -86,6 +86,8 @@ queueMode: jetstream nats: streamReplication: 1 + authorization: + enabled: true ``` You can find explanations for each configuration item in the [values-pro.yaml](https://github.com/openfaas/faas-netes/blob/master/chart/openfaas/values-pro.yaml) file on GitHub. diff --git a/docs/openfaas-pro/jetstream.md b/docs/openfaas-pro/jetstream.md index 8ce2961..b26c9a1 100644 --- a/docs/openfaas-pro/jetstream.md +++ b/docs/openfaas-pro/jetstream.md @@ -41,7 +41,7 @@ To enable JetSteam for OpenFaaS set `jetstream` as the queue mode in the values. ```yaml queueMode: jetstream nats: - streamReplication: 1 + streamReplication: 1 ``` If the NATS pod restarts, you will lose all messages that it contains. In your development or staging environment, this shouldn't happen very often. 
@@ -58,6 +58,32 @@ nats: port: "4222" ``` +## Authentication for NATS + +We recommend enabling authentication for NATS to limit the access to the NATS server. + +To enable authorization for NATS add the following to `nats` section in your values.yaml file. + +```yaml +nats: + authorization: + enabled: true +``` + +We use a Helm Chart hook to generate an access token on first installation. If you are upgrading an existing OpenFaaS installation or using an external NATS cluster you will need to create the token secret manually. + +```sh +# openssl is preferred to generate a random secret: +openssl rand -base64 32 > ./nats-token + +kubectl create secret generic \ + -n openfaas \ + nats-token \ + --from-file token=./nats-token +``` + +Make sure to configure the same access token through the NATS helm chart if you are running an external NATS cluster. Full instructions for external NATS are available in the [Customer Community](https://github.com/openfaas/customers/). + ## Features ### Metrics and monitoring
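Review bot: In docs/deployment/pro.md (hunk @@ -86,6 +86,8), the added `authorization:` / `enabled: true` lines turn on NATS authorization in the recommended values with no pointer to the token secret requirement. The jetstream.md change in this same patch states that upgrades of an existing installation and external NATS clusters need the `nats-token` secret created manually, so a reader copying this snippet for an upgrade gets no hint of that step. Suggest adding a sentence after the YAML block that links to the new "Authentication for NATS" section.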
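Review bot: In docs/openfaas-pro/jetstream.md (hunk @@ -41,7 +41,7), the removed and added `streamReplication: 1` lines differ only in whitespace, and the commit message does not mention the change. If this is an indentation fix, note it in the commit message, and check that the resulting indentation matches the `authorization:` block added in the next hunk, since both keys sit under `nats:`.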
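Review bot: In docs/openfaas-pro/jetstream.md (hunk @@ -58,6 +58,32), the `openssl rand -base64 32 > ./nats-token` line writes a trailing newline into the file, and `--from-file token=./nats-token` stores the file bytes verbatim, so the secret value ends in a newline. For the external NATS case the text asks readers to "configure the same access token" on the NATS side, where a copy-pasted token without the newline would not match. Suggest stripping it, for example `openssl rand -base64 32 | tr -d '\n' > ./nats-token`, and adding a step to delete `./nats-token` once the secret is created so the plaintext token is not left in the working directory. Separately, the heading says "Authentication for NATS" while the next sentence and the values key say "authorization"; pick one term, or state that the `authorization.enabled` key is what enables token authentication.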