Support function authentication with OpenFaaS IAM

[welteki]

Description

If JWT authentication is enabled by setting the env variable jwt_auth: true in the stack.yml file the watchdog requires an OpenFaaS function token for request authentication.

Authentication tokens can be optioned through OpenFaaS IAM.

The watchdog verifies the token is valid and checks of an actor is authorized to invoke the function by looking at the function claim in the token and validating the permissions.

Motivation and Context

• [ ] I have raised an issue to propose this change (required)

Support IAM authentication for functions.

How Has This Been Tested?

• Unit tests were added.

• Changes have been tested by running the watchdog locally and invoking it with and without a function token. During these test the OPENFAAS_NAME and OPENFAAS_NAMESPACE env variable were changed to simulate different functions in multiple namespaces.

  fprocess="env" \
  mode="serializing" \
  jwt_auth=true \
  jwt_auth_local=true \
  jwt_auth_debug=true \
  OPENFAAS_NAMESPACE=staging \
  OPENFAAS_NAME=env \
  port=8083 ./bin/fwatchdog-amd64

• Changes have been tested E2E in cluster with the updated oidc-provider.

Types of changes

• [ ] Bug fix (non-breaking change which fixes an issue)
• [x] New feature (non-breaking change which adds functionality)
• [ ] Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• [x] My code follows the code style of this project.
• [ ] My change requires a change to the documentation.
• [ ] I have updated the documentation accordingly.
• [x] I've read the CONTRIBUTION guide
• [x] I have signed-off my commits with git commit -s
• [x] I have added tests to cover my changes.
• [x] All new and existing tests passed.