Add docs for NATS authorization

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>

Author: welteki

docs/deployment/pro.md

@@ -86,6 +86,8 @@ queueMode: jetstream
 
 nats:
   streamReplication: 1
+  authorization:
+    enabled: true
 ```
 
 You can find explanations for each configuration item in the [values-pro.yaml](https://github.com/openfaas/faas-netes/blob/master/chart/openfaas/values-pro.yaml) file on GitHub.

docs/openfaas-pro/jetstream.md

@@ -41,7 +41,7 @@ To enable JetSteam for OpenFaaS set `jetstream` as the queue mode in the values.
 ```yaml
 queueMode: jetstream
 nats:
-    streamReplication: 1
+  streamReplication: 1
 ```
 
 If the NATS pod restarts, you will lose all messages that it contains. In your development or staging environment, this shouldn't happen very often.
@@ -58,6 +58,32 @@ nats:
     port: "4222"
 ```
 
+## Authentication for NATS
+
+We recommend enabling authentication for NATS to limit the access to the NATS server.
+
+To enable authorization for NATS add the following to `nats` section in your values.yaml file.
+
+```yaml
+nats:
+  authorization:
+    enabled: true
+```
+
+We use a Helm Chart hook to generate an access token on first installation. If you are upgrading an existing OpenFaaS installation or using an external NATS cluster you will need to create the token secret manually.
+
+```sh
+# openssl is preferred to generate a random secret:
+openssl rand -base64 32 > ./nats-token
+
+kubectl create secret generic \
+    -n openfaas \
+    nats-token \
+    --from-file token=./nats-token
+```
+
+Make sure to configure the same access token through the NATS helm chart if you are running an external NATS cluster. Full instructions for external NATS are available in the [Customer Community](https://github.com/openfaas/customers/).
+
 ## Features
 
 ### Metrics and monitoring