Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support authorization for NATS #1218

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Conversation

welteki
Copy link
Member

@welteki welteki commented Aug 1, 2024

Description

Allow users to enable authorization for NATS.

New chart options:

Parameter Description Default
nats.authorization.enabled Enable authorization for NATS false
nats.authorization.generateToken Generate the NATS authorization token on first installation. true
nats.authorization.tokenSecret Secret resource that will be used to read the NATS authorization secret nats-token

New OpenFaaS installations can enable NATS authorization simply by setting nats.authorization.enabled.

To enable authorization for an existing installation users will need to create the nats-token secret manually before they update the OpenFaaS deployment with nats.authorization.enabled=true.

# openssl is preferred to generate a random secret:
openssl rand -base64 32 > ./nats-token

kubectl create secret generic \
    -n openfaas \
    nats-token \
    --from-file token=./nats-token

Users that are using external NATS also need to create the secret manually and enable authorization on the external NATS deployment.

Why is this needed?

  • I have raised an issue to propose this change (required)

Support authentication for NATS to prevent unauthenticated access from functions or other components.

Who is this for?

What company is this for? Are you listed in the ADOPTERS.md file?

How Has This Been Tested?

Verified all components connecting to NATS (gateway, queue-worker, event-worker) could be deployed with and without authentication enabled.

Verified the NATS token secret is created on helm install when nats.authorization.generateToken is true.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • [ x I have updated the documentation accordingly.
  • I've read the CONTRIBUTION guide
  • I have signed-off my commits with git commit -s
  • I have added tests to cover my changes.
  • All new and existing tests passed.

Allow users to enable authorization for NATS to prevent unauthenticated
access from function or other components.

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant