Add stark warning about disabling basic auth to helm chart

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
openfaas · Jul 4, 2024 · 21a98cc · 21a98cc
1 parent fd43436
commit 21a98cc
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/chart/openfaas/templates/NOTES.txt b/chart/openfaas/templates/NOTES.txt
@@ -14,3 +14,17 @@ To retrieve the admin password, run:
 Warning: The dashboard is using auto generated signing keys.
 These should only be used for development. See: https://docs.openfaas.com/openfaas-pro/dashboard/
 {{- end}}
+
+{{- if not .Values.basic_auth }}
+
+====================================================================================
+
+WARNING: Basic Auth .basic_auth has been set to false!
+
+This should never be disabled because it makes the OpenFaaS API vulnerable to attack
+from functions, and any other workload within the cluster.
+
+This is a breach of all applicable warranties, and no technical support will be given.
+
+====================================================================================
+{{- end }}
diff --git a/chart/openfaas/values.yaml b/chart/openfaas/values.yaml
@@ -12,13 +12,17 @@ oem: false
 httpProbe: true               # Setting to true will use HTTP for readiness and liveness probe on the OpenFaaS core components
 
 # set clusterRole: true for:
-## Multiple-namespaces
 ## CPU/RAM metrics in OpenFaaS API
+## Multiple-namespace support
 clusterRole: false
 
-createCRDs: true              # Set to false if applying CRDs in another way
+createCRDs: true              # Creates the Function/Profile CRDs, set to false if you are managing CRDs in another way
+
+# basic_auth must never be disabled, and is required for all OpenFaaS components.
+# There is no good reason to disable this, and it causes a severe security risk.
+# The configuration option remains for backwards-compatability.
+basic_auth: true              # Authentication for core components, always set to true
 
-basic_auth: true              # Authentication for core components, no good reason to disable this
 rbac: true                    # Kubernetes RBAC, no good reason to disable this
 generateBasicAuth: true       # Set to false if applying credentials separately from the chart, otherwise set to true