Add docs for NATS authorization #379

Open
wants to merge 1 commit into
base: master
18 changes: 18 additions & 0 deletions docs/deployment/pro.md
Expand Up @@ -86,6 +86,8 @@ queueMode: jetstream

nats:
streamReplication: 1
authorization:
enabled: true
```

welteki marked this conversation as resolved.
You can find explanations for each configuration item in the [values-pro.yaml](https://github.com/openfaas/faas-netes/blob/master/chart/openfaas/values-pro.yaml) file on GitHub.
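
Review bot: the `authorization:` block added under `nats:` sets only `enabled: true`, while the jetstream.md snippet in this same PR also sets `generateToken: true`. Either show `generateToken` here as well or add a comment saying what the chart does when it is left out, so readers of the recommended values know whether a token will be generated for them.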
Expand All @@ -105,6 +107,22 @@ kubectl create secret generic \
--from-file license=$HOME/.openfaas/LICENSE
```

The recommended values.yaml file enables NATS authentication. If you are upgrading from OpenFaaS CE or enabling NATS authentication for the first time on an existing installation an authorization token secret should be created.

If this is your first time installing OpenFaaS Pro you can ignore this step. The Helm Chart will generate the secret automatically.

Create a secret for the NATS authorization token:

```sh
# openssl is preferred to generate a random secret:
openssl rand -base64 32 > ./nats-token

kubectl create secret generic \
-n openfaas \
nats-token \
--from-file token=./nats-token
```

Add the OpenFaaS helm chart repo:

```sh
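
Review bot: in the added `openssl rand -base64 32 > ./nats-token` step, the token is written to the current directory under the default umask and the instructions never remove it, so a copy of the credential stays on disk after the secret is created. Suggest setting `umask 077` first (or writing to a temporary file) and adding `rm ./nats-token` after the `kubectl create secret` command. Also worth checking: `openssl rand -base64` ends its output with a newline and `--from-file` stores the file bytes as they are, so the secret value carries that newline unless whatever reads it trims it. Minor: the new paragraph says "NATS authentication" and then "authorization token"; use one term, and consider putting the "first time installing ... you can ignore this step" sentence before the upgrade instructions.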
34 changes: 33 additions & 1 deletion docs/openfaas-pro/jetstream.md
Expand Up @@ -41,7 +41,7 @@ To enable JetSteam for OpenFaaS set `jetstream` as the queue mode in the values.
```yaml
queueMode: jetstream
nats:
streamReplication: 1
streamReplication: 1
```

If the NATS pod restarts, you will lose all messages that it contains. In your development or staging environment, this shouldn't happen very often.
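
Review bot: the section text shown in this hunk's header still reads "To enable JetSteam for OpenFaaS"; fix the spelling to JetStream while this block is being touched. The removed and added `streamReplication: 1` lines appear to differ only in indentation, so please confirm the result matches the nesting used in the docs/deployment/pro.md snippet.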
Expand All @@ -58,6 +58,38 @@ nats:
port: "4222"
```

## NATS Authentication

We recommend enabling authentication for NATS to limit the access to the NATS server.

To enable authorization for NATS add the following to `nats` section in your values.yaml file.

```yaml
nats:
authorization:
enabled: true
# Generate the NATS authorization token on first installation.
generateToken: true
```

welteki marked this conversation as resolved.
A Helm Chart `pre-install` hook is used to generate an access token on first installation. If you are upgrading an existing OpenFaaS installation or using an external NATS cluster you will need to create the token secret manually.

```sh
# openssl is preferred to generate a random secret:
openssl rand -base64 32 > ./nats-token

kubectl create secret generic \
-n openfaas \
nats-token \
--from-file token=./nats-token
```

Installations using an external NATS cluster should also set `nats.authorization.generateToken` to `false`. This prevents the Chart from overriding the secret on installation.

Use the `nats-token` value to configure the access token through the NATS helm chart if you are running an external NATS cluster.

Full instructions for external NATS are available in the [Customer Community](https://github.com/openfaas/customers/).

## Features

### Metrics and monitoring
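
Review bot: the paragraph after the values snippet names two cases that need a manually created secret (upgrading an existing installation, and an external NATS cluster), but only the external NATS case is told to set `nats.authorization.generateToken` to `false`. Please state what an upgrade should do with `generateToken`, given the snippet shows it as `true`. The heading says "NATS Authentication" while the values key and the following sentence say authorization; use one term throughout. The `openssl`/`kubectl` block duplicates the one added to docs/deployment/pro.md, so consider keeping a single copy and linking to it. The sentence "Use the `nats-token` value to configure the access token through the NATS helm chart" would be clearer if it named the setting it refers to.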