Support authorization for NATS

welteki · welteki · commit e7f9560351ed · 2024-08-01T16:36:07.000+02:00
Allow users to enable authorization for NATS to prevent unauthenticated
access from function or other components.

Signed-off-by: Han Verstraete (OpenFaaS Ltd) &lt;han@openfaas.com&gt;
diff --git a/chart/openfaas/README.md b/chart/openfaas/README.md
@@ -562,6 +562,9 @@ yaml) |
 | `jetstreamQueueWorker.maxWaiting` | Configure the max waiting pulls for the queue-worker JetStream consumer. The value should be at least max_inflight * queue_worker.replicas. Note that this value can not be updated once the consumer is created. | `512` |
 | `jetstreamQueueWorker.logs.debug` | Log debug messages | `false` |
 | `jetstreamQueueWorker.logs.format` | Set the log format, supports `console` or `json` | `console` |
+| `nats.authorization.enabled` | Enable authorization for NATS | `false` |
+| `nats.authorization.generateToken` | Generate the NATS authorization token on first installation. | `true` |
+| `nats.authorization.tokenSecret` | Secret resource that will be used to read the NATS authorization secret | `nats-token` |
 | `nats.channel` | The name of the NATS Streaming channel or NATS JetStream stream to use for asynchronous function invocations | `faas-request` |
 | `nats.external.clusterName` | The name of the externally-managed NATS Streaming server | `""` |
 | `nats.external.enabled` | Whether to use an externally-managed NATS Streaming server | `false` |
diff --git a/chart/openfaas/templates/event-worker-dep.yaml b/chart/openfaas/templates/event-worker-dep.yaml
@@ -33,6 +33,11 @@ spec:
         secret:
           secretName: {{.Values.eventSubscription.endpointSecret}}
       {{- end }}
+      {{- if .Values.nats.authorization.enabled }}
+      - name: nats-token
+        secret:
+          secretName: nats-token
+      {{- end }}
       containers:
       - name:  event-worker
         resources:
@@ -45,6 +50,9 @@ spec:
           {{- if .Values.eventSubscription.endpointSecret }}
           - "-webhook-secret-file=/var/secrets/webhook-secret/webhook-secret"
           {{- end}}
+          {{- if .Values.nats.authorization.enabled }}
+          - -nats-token-file=/var/secrets/nats_token/token
+          {{- end }}
         env:
         {{- if .Values.nats.external.enabled }}
         - name: nats_host
@@ -80,6 +88,11 @@ spec:
           readOnly: true
           mountPath: "/var/secrets/webhook-secret"
         {{- end }}
+        {{- if .Values.nats.authorization.enabled }}
+        - name: nats-token
+          readOnly: true
+          mountPath: "/var/secrets/nats_token"
+        {{- end }}   
     {{- with .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}
diff --git a/chart/openfaas/templates/gateway-dep.yaml b/chart/openfaas/templates/gateway-dep.yaml
@@ -6,6 +6,9 @@
   {{- fail "enabling 'operator.create' is only supported for OpenFaaS Pro" }}
 {{- end }}
 
+{{- $jetstreamEnabled := and .Values.async (eq .Values.queueMode "jetstream") }}
+{{- $natsRequired := or $jetstreamEnabled .Values.eventSubscription.metering.enabled .Values.eventSubscription.auditing.enabled }}
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -41,6 +44,11 @@ spec:
         secret:
           secretName: issuer-key
       {{- end}}
+      {{- if and $natsRequired .Values.nats.authorization.enabled }}
+      - name: nats-token
+        secret:
+          secretName: nats-token
+      {{- end }}
       # - name: faas-auth
       #   projected:
       #     sources:
@@ -76,6 +84,9 @@ spec:
         {{- if .Values.openfaasPro }}
           - "-license-file=/var/secrets/license/license"
         {{- end }}
+        {{- if and $natsRequired .Values.nats.authorization.enabled }}
+          - -nats-token-file=/var/secrets/nats_token/token
+        {{- end }}
         {{- if .Values.securityContext }}
         securityContext:
           {{- toYaml .Values.securityContext | nindent 10 }}
@@ -218,6 +229,11 @@ spec:
           readOnly: true
           mountPath: "/var/secrets/license"
         {{- end }}
+        {{- if and $natsRequired .Values.nats.authorization.enabled }}
+        - name: nats-token
+          readOnly: true
+          mountPath: "/var/secrets/nats_token"
+        {{- end }}
         ports:
         - name: http
           containerPort: 8080
@@ -235,6 +251,9 @@ spec:
           - ./faas-netes
           - -operator=true
           - "-license-file=/var/secrets/license/license"
+          {{- if and $natsRequired .Values.nats.authorization.enabled }}
+          - -nats-token-file=/var/secrets/nats_token/token
+          {{- end }}
         env:
           - name: reconcile_workers
             value: {{ .Values.operator.reconcileWorkers | quote }}
@@ -345,6 +364,11 @@ spec:
           readOnly: true
           mountPath: "/var/secrets"
         {{- end }}
+        {{- if and $natsRequired .Values.nats.authorization.enabled }}
+        - name: nats-token
+          readOnly: true
+          mountPath: "/var/secrets/nats_token"
+        {{- end }}
 
       {{- else }}
       - name: faas-netes
@@ -367,6 +391,9 @@ spec:
         {{- if or .Values.openfaasPro .Values.oem }}
           - "-license-file=/var/secrets/license/license"
         {{- end }}
+        {{- if and $natsRequired .Values.nats.authorization.enabled }}
+          - -nats-token-file=/var/secrets/nats_token/token
+        {{- end }}
         env:
         - name: port
           value: "8081"
@@ -455,6 +482,11 @@ spec:
           readOnly: true
           mountPath: "/var/secrets"
         {{- end }}
+        {{- if and $natsRequired .Values.nats.authorization.enabled }}
+        - name: nats-token
+          readOnly: true
+          mountPath: "/var/secrets/nats_token"
+        {{- end }}
         - mountPath: /tmp
           name: faas-netes-temp-volume
         ports:
diff --git a/chart/openfaas/templates/jetstream-queueworker-dep.yaml b/chart/openfaas/templates/jetstream-queueworker-dep.yaml
@@ -29,6 +29,11 @@ spec:
         secret:
           secretName: openfaas-license
       {{- end }}
+      {{- if .Values.nats.authorization.enabled }}
+      - name: nats-token
+        secret:
+          secretName: nats-token
+      {{- end }}
       containers:
       - name:  queue-worker
         resources:
@@ -49,6 +54,9 @@ spec:
           {{- if .Values.jetstreamQueueWorker.pprof }}
           - "-pprof=true"
           {{- end }}
+          {{- if .Values.nats.authorization.enabled }}
+          - -nats-token-file=/var/secrets/nats_token/token
+          {{- end }}
         env:
         {{- if .Values.nats.external.enabled }}
         - name: nats_host
@@ -111,6 +119,11 @@ spec:
           readOnly: true
           mountPath: "/var/secrets/license"
         {{- end }}
+        {{- if .Values.nats.authorization.enabled }}
+        - name: nats-token
+          readOnly: true
+          mountPath: "/var/secrets/nats_token"
+        {{- end }}        
     {{- with .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}
diff --git a/chart/openfaas/templates/nats-dep.yaml b/chart/openfaas/templates/nats-dep.yaml
@@ -41,6 +41,9 @@ spec:
         args:
           {{- if eq .Values.queueMode "jetstream" }}
           - --js
+          {{- if .Values.nats.authorization.enabled }}
+          - --auth=$(AUTH_TOKEN)
+          {{- end }}
           {{- else}}
           - --store
           - memory
@@ -51,6 +54,14 @@ spec:
         securityContext:
           {{- toYaml .Values.securityContext | nindent 10 }}
         {{- end }}
+        env:
+        {{- if and (eq .Values.queueMode "jetstream") .Values.nats.authorization.enabled }}
+        - name: AUTH_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: nats-token
+              key: token
+        {{- end }}
         volumeMounts:
         - mountPath: /tmp/nats
           name: nats-data
diff --git a/chart/openfaas/templates/nats-token.yaml b/chart/openfaas/templates/nats-token.yaml
@@ -0,0 +1,18 @@
+{{- if and .Values.nats.authorization.enabled .Values.nats.authorization.generateToken }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: nats-token
+  namespace: {{ .Release.namespace | quote }}
+  labels:
+    app: {{ template "openfaas.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    component: queue-worker
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": "pre-install"
+data:
+  # kubectl -n openfaas get secret nats-token -o jsonpath="{.data.token}" | base64 --decode
+  token: {{ randAlphaNum 12 | b64enc | quote }}
+{{- end }}
diff --git a/chart/openfaas/values-pro.yaml b/chart/openfaas/values-pro.yaml
@@ -79,6 +79,8 @@ queueMode: jetstream
 # See https://github.com/openfaas/openfaas-pro/blob/master/jetstream.md
 nats:
   streamReplication: 1
+  authorization:
+    enabled: true
 
  # For timeouts longer than 60 seconds see:
  # https://docs.openfaas.com/tutorials/expanded-timeouts/
diff --git a/chart/openfaas/values.yaml b/chart/openfaas/values.yaml
@@ -381,6 +381,13 @@ nats:
     port: ""
   # The version of NATS Core used with OpenFaaS Pro and JetStream
   image: nats:2.10.18
+  authorization:
+    enabled: false
+    # Generate the authorization token for NATS on first install.
+    # Set to false if you are creating the token manually.
+    generateToken: true
+    # Secret resource that will be used to read the NATS authorization secret.
+    tokenSecret: nats-token 
   resources:
     requests:
       memory: "120Mi"
