Add docs for NATS authorization

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
openfaas · Aug 2, 2024 · e3977be · e3977be
1 parent e236ae7
commit e3977be
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 1 deletion.
diff --git a/docs/deployment/pro.md b/docs/deployment/pro.md
@@ -86,6 +86,8 @@ queueMode: jetstream
 
 nats:
   streamReplication: 1
+  authorization:
+    enabled: true
 ```
 
 You can find explanations for each configuration item in the [values-pro.yaml](https://github.com/openfaas/faas-netes/blob/master/chart/openfaas/values-pro.yaml) file on GitHub.
@@ -105,6 +107,22 @@ kubectl create secret generic \
   --from-file license=$HOME/.openfaas/LICENSE
 ```
 
+The recommended values.yaml file enables NATS authentication. If you are upgrading from OpenFaaS CE or enabling NATS authentication for the first time on an existing installation an authorization token secret should be created.
+
+If this is your first time installing OpenFaaS Pro you can ignore this step. The Helm Chart will generate the secret automatically.
+
+Create a secret for the NATS authorization token:
+
+```sh
+# openssl is preferred to generate a random secret:
+openssl rand -base64 32 > ./nats-token
+
+kubectl create secret generic \
+    -n openfaas \
+    nats-token \
+    --from-file token=./nats-token
+```
+
 Add the OpenFaaS helm chart repo:
 
 ```sh

diff --git a/docs/openfaas-pro/jetstream.md b/docs/openfaas-pro/jetstream.md
@@ -41,7 +41,7 @@ To enable JetSteam for OpenFaaS set `jetstream` as the queue mode in the values.
 ```yaml
 queueMode: jetstream
 nats:
-    streamReplication: 1
+  streamReplication: 1
 ```
 
 If the NATS pod restarts, you will lose all messages that it contains. In your development or staging environment, this shouldn't happen very often.
@@ -58,6 +58,38 @@ nats:
     port: "4222"
 ```
 
+## NATS Authentication
+
+We recommend enabling authentication for NATS to limit the access to the NATS server.
+
+To enable authorization for NATS add the following to `nats` section in your values.yaml file.
+
+```yaml
+nats:
+  authorization:
+    enabled: true
+    # Generate the NATS authorization token on first installation.
+    generateToken: true
+```
+
+A Helm Chart `pre-install` hook is used to generate an access token on first installation. If you are upgrading an existing OpenFaaS installation or using an external NATS cluster you will need to create the token secret manually.
+
+```sh
+# openssl is preferred to generate a random secret:
+openssl rand -base64 32 > ./nats-token
+
+kubectl create secret generic \
+    -n openfaas \
+    nats-token \
+    --from-file token=./nats-token
+```
+
+Installations using an external NATS cluster should also set `nats.authorization.generateToken` to `false`. This prevents the Chart from overriding the secret on installation.
+
+Use the `nats-token` value to configure the access token through the NATS helm chart if you are running an external NATS cluster.
+
+Full instructions for external NATS are available in the [Customer Community](https://github.com/openfaas/customers/).
+
 ## Features
 
 ### Metrics and monitoring