Document queue-worker callback URL whitelist #433

Open
welteki wants to merge 1 commit into openfaas:master from welteki:callback-whitelist

Conversation

@welteki (Member) commented Jun 24, 2026

Description

Update the Async and Queue-Worker pages to add documentation for the new queue-worker feature that restricts async callback URLs to trusted endpoints.

Motivation and Context

Document new queue-worker feature that allows restricting async callback URLs to trusted endpoints only.

How Has This Been Tested?

Built the site locally with Docker to verify rendering and link correctness.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • I have raised an issue to propose this change (required)
  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I've read the CONTRIBUTION guide
  • I have signed-off my commits with git commit -s

New queue-worker feature that allows restricting async callback URLs to trusted endpoints only, helping prevent untrusted callback destinations in production.

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>
@welteki force-pushed the callback-whitelist branch from ee78ec4 to 58eced3 on June 24, 2026 15:08

reviewfn (Bot) commented Jun 24, 2026

AI Pull Request Overview

Disclaimer: This review was generated by automated AI and may contain errors. Do not trust its outputs without human verification.

Summary

  • Documents the new async callback URL restriction from the async reference page.
  • Adds a cross-link from the JetStream page to the new callback URL restriction section.
  • The changed content is documentation-only.
  • The new examples are concise and use the existing Helm values style.
  • One publish-quality issue remains around edition/scope clarity for readers using non-Pro queue-workers.

Approval rating (1-10)

7/10. Useful documentation addition, but the async reference should make the Pro/Enterprise scope explicit before merge.

Summary per file

File path | Summary
docs/reference/async.md | Adds callback URL allow-list guidance and examples; promotes async subheadings.
docs/openfaas-pro/jetstream.md | Adds a short callback URL restriction section linking to async docs.

Overall Assessment

The PR adds reader-facing documentation for restricting async callback destinations and places it in the right conceptual area. The main gap is that the general async reference now recommends a queueWorkerPro setting without clearly saying this feature/configuration is for the Pro/Enterprise queue-worker path. That can send CE readers toward a Helm value that may not apply to their installation.

Detailed Review

Findings

Severity | File | Issue
Medium | docs/reference/async.md:91 | The new guidance is in the general async reference and recommends queueWorkerPro.allowedCallbackURLs, but it does not state that this is a Pro/Enterprise queue-worker configuration. The page already distinguishes CE/Pro behavior elsewhere, and CE users reading the production recommendation at line 57 may assume this is available in their deployment. Add a short scope sentence before the values snippet, for example: "For OpenFaaS Pro and Enterprise installations using the Pro queue-worker, configure this with queueWorkerPro.allowedCallbackURLs in the OpenFaaS Helm chart." If CE also supports this, use the CE values key instead or document both keys explicitly.

Content review

No blocking findings beyond the scope clarity issue above.

The title and PR description match the documentation changes: both files focus on callback URL restrictions for async processing.

The opening pointer in docs/reference/async.md gives readers an early security cue before showing callback examples, which is the right placement.

The examples are short enough to be usable, but the section would be clearer if the first sentence established the product edition before introducing the Helm key.

The JetStream addition is appropriately brief and works as a navigation aid rather than duplicating the async reference content.

AI agent details.

Agent processing time: 2m36.843s
Environment preparation time: 12.135s
Total time from webhook: 2m57.637s
