[WIP] Add policy support to the chart

.github/workflows/build.yaml

@@ -33,7 +33,7 @@ jobs:
         run: echo "GIT_COMMIT=$(git rev-parse HEAD)" >> $GITHUB_ENV
 
       - name: Build x86_64 container into library
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v4
         with:
           context: .
           file: ./Dockerfile
@@ -46,7 +46,7 @@ jobs:
             ghcr.io/${{ env.REPO_OWNER }}/faas-netes:${{ github.sha }}
 
       - name: Build multi-arch containers for validation only
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v4
         with:
           context: .
           file: ./Dockerfile

.github/workflows/helm.yaml

@@ -19,8 +19,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
-      - uses: azure/setup-helm@v1
+        uses: actions/checkout@v3
+      - uses: azure/setup-helm@v3
       - name: Helm Lint
         run: ./contrib/lint_chart.sh
 
@@ -30,7 +30,7 @@ jobs:
       - lint-chart
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - uses: lra/setup-kubeval@v1
         with:
           version: v0.16.1

.github/workflows/publish.yaml

@@ -19,7 +19,7 @@ jobs:
     steps:
       - uses: actions/checkout@master
       - name: Install Go
-        uses: actions/setup-go@v3.1.0
+        uses: actions/setup-go@v4.0.0
         with:
           go-version: 1.19.x
       - name: Set up QEMU
@@ -49,7 +49,7 @@ jobs:
 
 
       - name: Push containers
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v4
         with:
           context: .
           file: ./Dockerfile

.gitignore

@@ -34,3 +34,4 @@ of_kind_portforward.pid
 jwt_key
 jwt_key.pub
 /*.pid
+*.txt

Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/openfaas/license-check:0.4.1 as license-check
+FROM ghcr.io/openfaas/license-check:0.4.2 as license-check
 
 FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19 as build
 
@@ -27,7 +27,7 @@ RUN GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
         --ldflags "-s -w \
         -X github.com/openfaas/faas-netes/version.GitCommit=${GIT_COMMIT}\
         -X github.com/openfaas/faas-netes/version.Version=${VERSION}" \
-        -a -installsuffix cgo -o faas-netes .
+        -o faas-netes .
 
 FROM --platform=${TARGETPLATFORM:-linux/amd64} alpine:3.17 as ship
 LABEL org.label-schema.license="MIT" \

Makefile

@@ -29,7 +29,7 @@ ${CODEGEN_PKG}: $(TOOLS_DIR)/code-generator.mod
 	@cd $(TOOLS_DIR) && go mod download -modfile=code-generator.mod
 
 local:
-	CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o faas-netes
+	CGO_ENABLED=0 GOOS=linux go build -o faas-netes
 
 build-docker:
 	docker build \

chart/openfaas/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 type: application
 description: OpenFaaS - Serverless Functions Made Simple
 name: openfaas
-version: 11.1.11
+version: 12.0.4
 sources:
 - https://github.com/openfaas/faas
 - https://github.com/openfaas/faas-netes

chart/openfaas/README.md

@@ -508,6 +508,7 @@ yaml) |
 | ----------------------- | ----------------------------------    | ---------------------------------------------------------- |
 | `jetstreamQueueWorker.durableName` | Durable name used by JetStream consumers | `faas-workers` |
 | `jetstreamQueueWorker.image` | Container image used for the queue-worker when the `queueMode` is `jetstream` | See [values.yaml](./values.yaml) |
+| `jetstreamQueueWorker.maxWaiting` | Configure the max waiting pulls for the queue-worker JetStream consumer. The value should be at least max_inflight * queue_worker.replicas. Note that this value can not be updated once the consumer is created. | `512` |
 | `jetstreamQueueWorker.logs.debug` | Log debug messages | `false` |
 | `jetstreamQueueWorker.logs.format` | Set the log format, supports `console` or `json` | `console` |
 | `nats.channel` | The name of the NATS Streaming channel or NATS JetStream stream to use for asynchronous function invocations | `faas-request` |
@@ -546,6 +547,7 @@ yaml) |
 | `dashboard.publicURL` | URL used to expose the dashboard. Needs to be a fully qualified domain name (FQDN) | `https://dashboard.example.com` |
 | `dashboard.replicas` | Replicas of the dashboard | `1` |
 | `dashboard.resources` | Resource limits and requests for the dashboard pods | See [values.yaml](./values.yaml) |
+| `dashboard.signingKeySecret` | Name of signing key secret for sessions. Can be left blank for development, see https://docs.openfaas.com/openfaas-pro/dashboard/ for production and staging. | `""` |
 
 ### OIDC / SSO (OpenFaaS Pro)
 

chart/openfaas/templates/NOTES.txt

@@ -8,3 +8,9 @@ To retrieve the admin password, run:
 
   echo $(kubectl -n {{ .Release.Namespace }} get secret basic-auth -o jsonpath="{.data.basic-auth-password}" | base64 --decode)
 {{- end }}
+
+{{- if and .Values.dashboard.enabled (not .Values.dashboard.signingKeySecret) }}
+
+Warning: The dashboard is using auto generated signing keys.
+These should only be used for development. See: https://docs.openfaas.com/openfaas-pro/dashboard/
+{{- end}}

chart/openfaas/templates/alertmanager-cfg.yaml

@@ -1,4 +1,5 @@
 {{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
+{{- if not .Values.openfaasPro }}
 {{- if .Values.alertmanager.create }}
 ---
 kind: ConfigMap
@@ -44,4 +45,5 @@ data:
               username: admin
               password_file: /var/secrets/basic-auth-password
           {{- end -}}
+{{- end }}
 {{- end }}

chart/openfaas/templates/alertmanager-dep.yaml

@@ -1,4 +1,5 @@
 {{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
+{{- if not .Values.openfaasPro }}
 {{- if .Values.alertmanager.create }}
 ---
 apiVersion: apps/v1
@@ -106,3 +107,4 @@ spec:
 {{ toYaml . | indent 8 }}
     {{- end }}
 {{- end }}
+{{- end }}

chart/openfaas/templates/alertmanager-svc.yaml

@@ -1,4 +1,5 @@
 {{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
+{{- if not .Values.openfaasPro }}
 {{- if .Values.alertmanager.create }}
 ---
 apiVersion: v1
@@ -19,4 +20,5 @@ spec:
       protocol: TCP
   selector:
     app: alertmanager
+{{- end }}
 {{- end }}

chart/openfaas/templates/autoscaler-dep.yaml

@@ -51,15 +51,17 @@ spec:
           value: "prometheus.{{ .Release.Namespace }}"
         - name: prometheus_port
           value: "9090"
-        {{- if .Values.basic_auth }}
         - name: secret_mount_path
           value: "/var/secrets/autoscaler"
+        {{- if .Values.basic_auth }}
         - name: basic_auth
-          value: "{{ .Values.basic_auth }}"
+          value: "true"
+        {{- end }}
         volumeMounts:
         - name: license
           readOnly: true
           mountPath: "/var/secrets/license"
+        {{- if .Values.basic_auth }}
         - name: auth
           readOnly: true
           mountPath: "/var/secrets/autoscaler"

chart/openfaas/templates/controller-rbac.yaml

@@ -77,6 +77,7 @@ rules:
       - "openfaas.com"
     resources:
       - "profiles"
+      - "policies"
     verbs:
       - "get"
       - "list"
@@ -198,6 +199,7 @@ rules:
       - "openfaas.com"
     resources:
       - "profiles"
+      - "policies"
     verbs:
       - "get"
       - "list"

chart/openfaas/templates/dashboard-dep.yaml

@@ -32,9 +32,11 @@ spec:
       - name: license
         secret:
           secretName: openfaas-license
+      {{- if .Values.dashboard.signingKeySecret }}
       - name: dashboard-jwt
         secret:
-          secretName: dashboard-jwt
+          secretName: {{ .Values.dashboard.signingKeySecret }}
+      {{- end }}
       containers:
       - name:  dashboard
         resources:
@@ -79,13 +81,14 @@ spec:
           readOnly: true
           mountPath: "/var/secrets/gateway"
         {{- end }}
-
         - name: license
           readOnly: true
           mountPath: "/var/secrets/license"
+        {{- if .Values.dashboard.signingKeySecret }}
         - name: dashboard-jwt
           readOnly: true
           mountPath: "/var/secrets/dashboard-jwt"
+        {{- end }}
 
     {{- with .Values.nodeSelector }}
       nodeSelector: