From 21a98cc44d3bfe3ff375127dfcd52c0222ef66ea Mon Sep 17 00:00:00 2001
From: "Alex Ellis (OpenFaaS Ltd)"
Date: Thu, 4 Jul 2024 09:16:11 +0100
Subject: [PATCH] Add stark warning about disabling basic auth to helm chart

Signed-off-by: Alex Ellis (OpenFaaS Ltd)
---
 chart/openfaas/templates/NOTES.txt | 14 ++++++++++++++
 chart/openfaas/values.yaml | 10 +++++++---
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/chart/openfaas/templates/NOTES.txt b/chart/openfaas/templates/NOTES.txt
index a1709139b..9b0448772 100644
--- a/chart/openfaas/templates/NOTES.txt
+++ b/chart/openfaas/templates/NOTES.txt
@@ -14,3 +14,17 @@ To retrieve the admin password, run:
 Warning: The dashboard is using auto generated signing keys. These should only be used for development.
 See: https://docs.openfaas.com/openfaas-pro/dashboard/
 {{- end}}
+
+{{- if not .Values.basic_auth }}
+
+====================================================================================
+
+WARNING: Basic Auth .basic_auth has been set to false!
+
+This should never be disabled because it makes the OpenFaaS API vulnerable to attack
+from functions, and any other workload within the cluster.
+
+This is a breach of all applicable warranties, and no technical support will be given.
+
+====================================================================================
+{{- end }}
diff --git a/chart/openfaas/values.yaml b/chart/openfaas/values.yaml
index 3f0a47180..9ab631a38 100644
--- a/chart/openfaas/values.yaml
+++ b/chart/openfaas/values.yaml
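Review bot: The new `{{- if not .Values.basic_auth }}` block in NOTES.txt only reaches users who read the post-install output of `helm install`/`helm upgrade`; `helm template` and GitOps controllers that apply rendered manifests never surface NOTES.txt, so in those paths a release with `basic_auth: false` still deploys with no signal at all. Since the values.yaml comment in this same commit states the option must never be disabled, consider also enforcing it in a template that is always rendered, e.g. `{{- if not .Values.basic_auth }}{{ fail "basic_auth must not be disabled" }}{{- end }}`, optionally gated behind an explicit opt-out value if the backwards compatibility the commit mentions has to be preserved. Minor style point: the new block closes with `{{- end }}` while the context line directly above it uses `{{- end}}`; the file should settle on one spacing.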
@@ -12,13 +12,17 @@ oem: false
 httpProbe: true # Setting to true will use HTTP for readiness and liveness probe on the OpenFaaS core components
 # set clusterRole: true for:
-## Multiple-namespaces
 ## CPU/RAM metrics in OpenFaaS API
+## Multiple-namespace support
 clusterRole: false
-createCRDs: true # Set to false if applying CRDs in another way
+createCRDs: true # Creates the Function/Profile CRDs, set to false if you are managing CRDs in another way
+
+# basic_auth must never be disabled, and is required for all OpenFaaS components.
+# There is no good reason to disable this, and it causes a severe security risk.
+# The configuration option remains for backwards-compatability.
+basic_auth: true # Authentication for core components, always set to true
-basic_auth: true # Authentication for core components, no good reason to disable this
 rbac: true # Kubernetes RBAC, no good reason to disable this
 generateBasicAuth: true # Set to false if applying credentials separately from the chart, otherwise set to true