From e7f9560351edd9aac394da1648db662d83a60703 Mon Sep 17 00:00:00 2001 From: "Han Verstraete (OpenFaaS Ltd)" Date: Thu, 1 Aug 2024 12:43:27 +0200 Subject: [PATCH] Support authorization for NATS Allow users to enable authorization for NATS to prevent unauthenticated access from function or other components. Signed-off-by: Han Verstraete (OpenFaaS Ltd) --- chart/openfaas/README.md | 3 ++ .../openfaas/templates/event-worker-dep.yaml | 13 ++++++++ chart/openfaas/templates/gateway-dep.yaml | 32 +++++++++++++++++++ .../templates/jetstream-queueworker-dep.yaml | 13 ++++++++ chart/openfaas/templates/nats-dep.yaml | 11 +++++++ chart/openfaas/templates/nats-token.yaml | 18 +++++++++++ chart/openfaas/values-pro.yaml | 2 ++ chart/openfaas/values.yaml | 7 ++++ 8 files changed, 99 insertions(+) create mode 100644 chart/openfaas/templates/nats-token.yaml diff --git a/chart/openfaas/README.md b/chart/openfaas/README.md index a627eaa25..f7cb58fa1 100644 --- a/chart/openfaas/README.md +++ b/chart/openfaas/README.md 
@@ -562,6 +562,9 @@ yaml) | | `jetstreamQueueWorker.maxWaiting` | Configure the max waiting pulls for the queue-worker JetStream consumer. The value should be at least max_inflight * queue_worker.replicas. Note that this value can not be updated once the consumer is created. | `512` | | `jetstreamQueueWorker.logs.debug` | Log debug messages | `false` | | `jetstreamQueueWorker.logs.format` | Set the log format, supports `console` or `json` | `console` | +| `nats.authorization.enabled` | Enable authorization for NATS | `false` | +| `nats.authorization.generateToken` | Generate the NATS authorization token on first installation. | `true` | +| `nats.authorization.tokenSecret` | Secret resource that will be used to read the NATS authorization secret | `nats-token` | | `nats.channel` | The name of the NATS Streaming channel or NATS JetStream stream to use for asynchronous function invocations | `faas-request` | | `nats.external.clusterName` | The name of the externally-managed NATS Streaming server | `""` | | `nats.external.enabled` | Whether to use an externally-managed NATS Streaming server | `false` | diff --git a/chart/openfaas/templates/event-worker-dep.yaml b/chart/openfaas/templates/event-worker-dep.yaml index 8392a45fb..c00e8bfc5 100644 --- a/chart/openfaas/templates/event-worker-dep.yaml +++ b/chart/openfaas/templates/event-worker-dep.yaml @@ -33,6 +33,11 @@ spec: secret: secretName: {{.Values.eventSubscription.endpointSecret}} {{- end }} + {{- if .Values.nats.authorization.enabled }} + - name: nats-token + secret: + secretName: nats-token + {{- end }} containers: - name: event-worker resources: @@ -45,6 +50,9 @@ spec: {{- if .Values.eventSubscription.endpointSecret }} - "-webhook-secret-file=/var/secrets/webhook-secret/webhook-secret" {{- end}} + {{- if .Values.nats.authorization.enabled }} + - -nats-token-file=/var/secrets/nats_token/token + {{- end }} env: {{- if .Values.nats.external.enabled }} - name: nats_host 
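Review bot: `secretName: nats-token` hard-codes the Secret name even though this same patch introduces `nats.authorization.tokenSecret` (values.yaml, README) as "the Secret resource that will be used to read the NATS authorization secret", so overriding that value has no effect anywhere. The volume here should read `secretName: {{ .Values.nats.authorization.tokenSecret }}`, and the same literal needs the same treatment in the volume hunks of gateway-dep.yaml and jetstream-queueworker-dep.yaml, in `secretKeyRef.name` of nats-dep.yaml, and in `metadata.name` of the generated nats-token.yaml Secret. As written, a user who follows the values comment, sets `generateToken: false` and provides a Secret under a different name gets pods whose `nats-token` volume never mounts. The enclosing `volumes:` list starts before this hunk.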
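Review bot: `- -nats-token-file=/var/secrets/nats_token/token` is a plain scalar while the neighbouring `-webhook-secret-file` argument two lines above is double-quoted; a `-` immediately followed by a letter is valid plain YAML, but `- "-nats-token-file=/var/secrets/nats_token/token"` keeps the args list consistent and survives a later edit that inserts a space after the dash. The same unquoted form is used in the arg hunks of gateway-dep.yaml and jetstream-queueworker-dep.yaml. Reading the token from a mounted file rather than an env var or arg is the right shape for the clients, so it is worth keeping that pattern when the server side is revisited. The flag is added whenever `nats.authorization.enabled` is true while nats-dep.yaml only passes `--auth` under `queueMode: jetstream`; if the event-worker can run against the non-JetStream server it would present a token the server does not check, which is harmless but deserves a short comment on the `if`. The `args:` list this is inserted into begins before the hunk.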
@@ -80,6 +88,11 @@ spec: readOnly: true mountPath: "/var/secrets/webhook-secret" {{- end }} + {{- if .Values.nats.authorization.enabled }} + - name: nats-token + readOnly: true + mountPath: "/var/secrets/nats_token" + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{ toYaml . | indent 8 }} diff --git a/chart/openfaas/templates/gateway-dep.yaml b/chart/openfaas/templates/gateway-dep.yaml index 8aae98595..57a3be617 100644 --- a/chart/openfaas/templates/gateway-dep.yaml +++ b/chart/openfaas/templates/gateway-dep.yaml @@ -6,6 +6,9 @@ {{- fail "enabling 'operator.create' is only supported for OpenFaaS Pro" }} {{- end }} +{{- $jetstreamEnabled := and .Values.async (eq .Values.queueMode "jetstream") }} +{{- $natsRequired := or $jetstreamEnabled .Values.eventSubscription.metering.enabled .Values.eventSubscription.auditing.enabled }} + apiVersion: apps/v1 kind: Deployment metadata: @@ -41,6 +44,11 @@ spec: secret: secretName: issuer-key {{- end}} + {{- if and $natsRequired .Values.nats.authorization.enabled }} + - name: nats-token + secret: + secretName: nats-token + {{- end }} # - name: faas-auth # projected: # sources: @@ -76,6 +84,9 @@ spec: {{- if .Values.openfaasPro }} - "-license-file=/var/secrets/license/license" {{- end }} + {{- if and $natsRequired .Values.nats.authorization.enabled }} + - -nats-token-file=/var/secrets/nats_token/token + {{- end }} {{- if .Values.securityContext }} securityContext: {{- toYaml .Values.securityContext | nindent 10 }} @@ -218,6 +229,11 @@ spec: readOnly: true mountPath: "/var/secrets/license" {{- end }} + {{- if and $natsRequired .Values.nats.authorization.enabled }} + - name: nats-token + readOnly: true + mountPath: "/var/secrets/nats_token" + {{- end }} ports: - name: http containerPort: 8080 
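Review bot: The expression `and $natsRequired .Values.nats.authorization.enabled` is repeated in every later hunk of gateway-dep.yaml (the volume, three arg lists and three volumeMounts), so one copy can easily drift from the others; since both inputs are already computed here, add `{{- $natsAuth := and $natsRequired .Values.nats.authorization.enabled }}` after the `$natsRequired` line and test `{{- if $natsAuth }}` at each site. A comment above `$natsRequired` explaining why metering and auditing count as NATS consumers would also help a reader, e.g. `{{- /* NATS is needed for JetStream async invocations and for metering/auditing events */ -}}`. Note that metering or auditing make `$natsRequired` true independently of `queueMode`, whereas nats-dep.yaml only enables `--auth` when `queueMode` is `jetstream`; presumably that combination is not expected, but it is worth confirming rather than leaving implicit.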
@@ -235,6 +251,9 @@ spec: - ./faas-netes - -operator=true - "-license-file=/var/secrets/license/license" + {{- if and $natsRequired .Values.nats.authorization.enabled }} + - -nats-token-file=/var/secrets/nats_token/token + {{- end }} env: - name: reconcile_workers value: {{ .Values.operator.reconcileWorkers | quote }} @@ -345,6 +364,11 @@ spec: readOnly: true mountPath: "/var/secrets" {{- end }} + {{- if and $natsRequired .Values.nats.authorization.enabled }} + - name: nats-token + readOnly: true + mountPath: "/var/secrets/nats_token" + {{- end }} {{- else }} - name: faas-netes @@ -367,6 +391,9 @@ spec: {{- if or .Values.openfaasPro .Values.oem }} - "-license-file=/var/secrets/license/license" {{- end }} + {{- if and $natsRequired .Values.nats.authorization.enabled }} + - -nats-token-file=/var/secrets/nats_token/token + {{- end }} env: - name: port value: "8081" @@ -455,6 +482,11 @@ spec: readOnly: true mountPath: "/var/secrets" {{- end }} + {{- if and $natsRequired .Values.nats.authorization.enabled }} + - name: nats-token + readOnly: true + mountPath: "/var/secrets/nats_token" + {{- end }} - mountPath: /tmp name: faas-netes-temp-volume ports: diff --git a/chart/openfaas/templates/jetstream-queueworker-dep.yaml b/chart/openfaas/templates/jetstream-queueworker-dep.yaml index e147980a8..b2929aac2 100644 --- a/chart/openfaas/templates/jetstream-queueworker-dep.yaml +++ b/chart/openfaas/templates/jetstream-queueworker-dep.yaml @@ -29,6 +29,11 @@ spec: secret: secretName: openfaas-license {{- end }} + {{- if .Values.nats.authorization.enabled }} + - name: nats-token + secret: + secretName: nats-token + {{- end }} containers: - name: queue-worker resources: @@ -49,6 +54,9 @@ spec: {{- if .Values.jetstreamQueueWorker.pprof }} - "-pprof=true" {{- end }} + {{- if .Values.nats.authorization.enabled }} + - -nats-token-file=/var/secrets/nats_token/token + {{- end }} env: {{- if .Values.nats.external.enabled }} - name: nats_host 
@@ -111,6 +119,11 @@ spec: readOnly: true mountPath: "/var/secrets/license" {{- end }} + {{- if .Values.nats.authorization.enabled }} + - name: nats-token + readOnly: true + mountPath: "/var/secrets/nats_token" + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{ toYaml . | indent 8 }} diff --git a/chart/openfaas/templates/nats-dep.yaml b/chart/openfaas/templates/nats-dep.yaml index 5456499f5..acb2f60c8 100644 --- a/chart/openfaas/templates/nats-dep.yaml +++ b/chart/openfaas/templates/nats-dep.yaml @@ -41,6 +41,9 @@ spec: args: {{- if eq .Values.queueMode "jetstream" }} - --js + {{- if .Values.nats.authorization.enabled }} + - --auth=$(AUTH_TOKEN) + {{- end }} {{- else}} - --store - memory @@ -51,6 +54,14 @@ spec: securityContext: {{- toYaml .Values.securityContext | nindent 10 }} {{- end }} + env: + {{- if and (eq .Values.queueMode "jetstream") .Values.nats.authorization.enabled }} + - name: AUTH_TOKEN + valueFrom: + secretKeyRef: + name: nats-token + key: token + {{- end }} volumeMounts: - mountPath: /tmp/nats name: nats-data diff --git a/chart/openfaas/templates/nats-token.yaml b/chart/openfaas/templates/nats-token.yaml new file mode 100644 index 000000000..01848c83c --- /dev/null +++ b/chart/openfaas/templates/nats-token.yaml @@ -0,0 +1,18 @@ +{{- if and .Values.nats.authorization.enabled .Values.nats.authorization.generateToken }} +apiVersion: v1 +kind: Secret +metadata: + name: nats-token + namespace: {{ .Release.namespace | quote }} + labels: + app: {{ template "openfaas.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + component: queue-worker + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": "pre-install" +data: + # kubectl -n openfaas get secret nats-token -o jsonpath="{.data.token}" | base64 --decode + token: {{ randAlphaNum 12 | b64enc | quote }} +{{- end }} diff --git a/chart/openfaas/values-pro.yaml b/chart/openfaas/values-pro.yaml index aabeb46d1..a6593adc5 100644 
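Review bot: `- --auth=$(AUTH_TOKEN)` puts the token on the nats-server command line once the kubelet expands the variable, so it is readable from the container's process table by anything that can exec into the pod or inspect processes on the node — a wider exposure than the file-based `-nats-token-file` the clients in this patch use. A tighter option is to let nats-server take the value from a config file: nats-server resolves `$VAR` references in its config from the environment, so a small ConfigMap containing `authorization { token: $AUTH_TOKEN }` passed with `-c` keeps the secret off the command line while reusing the `AUTH_TOKEN` env entry added in the next hunk. Either way, a comment on the `if` stating that `--auth` is only applied in JetStream mode would make the asymmetry with the client deployments explicit. The `args:` list begins before this hunk.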
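Review bot: `env:` is emitted unconditionally while its only entry sits inside the `if`, so when authorization is off or `queueMode` is not `jetstream` the container renders a bare `env:` (YAML null); the API server tolerates that, but it trips linters and would collide with any other `env` the container declares elsewhere in this template (not visible in the hunk). Move the key inside the conditional, i.e. `{{- if and (eq .Values.queueMode "jetstream") .Values.nats.authorization.enabled }}` / `env:` / `- name: AUTH_TOKEN`, with the rest of the entry unchanged. The container block continues past the hunk.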
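Review bot: `namespace: {{ .Release.namespace | quote }}` uses a lowercase field name; Helm's built-in is `.Release.Namespace`, and the lowercase form appears to render as an empty string here, so the Secret would fall back to Helm's default namespace handling instead of the intended one — change it to `namespace: {{ .Release.Namespace | quote }}`. Because this object is a `pre-install` hook it is not tracked as part of the release: Helm will not delete it on `helm uninstall` (the token outlives the installation unless a `helm.sh/hook-delete-policy` is set) and will not create it on `helm upgrade` of a release that only now enables authorization, which deserves a comment above the `if`. `randAlphaNum 12` produces a fairly short credential and nothing in the templates constrains the length, so a longer value such as `randAlphaNum 32` costs nothing. The `component: queue-worker` label also looks copied from another template; `component: nats` would describe this Secret better.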
--- a/chart/openfaas/values-pro.yaml +++ b/chart/openfaas/values-pro.yaml @@ -79,6 +79,8 @@ queueMode: jetstream # See https://github.com/openfaas/openfaas-pro/blob/master/jetstream.md nats: streamReplication: 1 + authorization: + enabled: true # For timeouts longer than 60 seconds see: # https://docs.openfaas.com/tutorials/expanded-timeouts/ diff --git a/chart/openfaas/values.yaml b/chart/openfaas/values.yaml index d83f31361..265ee4a1b 100644 --- a/chart/openfaas/values.yaml +++ b/chart/openfaas/values.yaml @@ -381,6 +381,13 @@ nats: port: "" # The version of NATS Core used with OpenFaaS Pro and JetStream image: nats:2.10.18 + authorization: + enabled: false + # Generate the authorization token for NATS on first install. + # Set to false if you are creating the token manually. + generateToken: true + # Secret resource that will be used to read the NATS authorization secret. + tokenSecret: nats-token resources: requests: memory: "120Mi"
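Review bot: Defaulting `authorization.enabled: true` for Pro, combined with a token Secret that only a `pre-install` hook creates, means an existing Pro release upgraded with this file gets Deployments that mount `nats-token` and a NATS Deployment that reads it via `secretKeyRef` while no Secret is ever created, so those pods cannot start until the Secret is created by hand. Either the Secret needs an upgrade path (a `pre-upgrade` hook guarded by `lookup`, or a documented manual step) or this default should stay `false` until one exists. At minimum add `# Requires the nats-token Secret; on upgrades of existing installs create it manually before enabling.` above `authorization:`.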
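Review bot: The comment on `generateToken` invites users to create the token themselves but does not say what the Secret must look like; the templates consume it as a `secret` volume and as a `secretKeyRef` with `key: token`, so add `# When creating it manually the Secret must contain a key named "token" holding the plain token value.` below the existing `# Set to false ...` line. It would also help to state on `enabled` that it currently only takes effect with `queueMode: jetstream`, since nats-dep.yaml passes `--auth` only in that mode. The `nats:` mapping continues before and after this hunk.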