diff --git a/deps/github.com/arangodb/go-driver/jwt/jwt.go b/deps/github.com/arangodb/go-driver/jwt/jwt.go
index 3e328dd90..f406aa7e4 100644
--- a/deps/github.com/arangodb/go-driver/jwt/jwt.go
+++ b/deps/github.com/arangodb/go-driver/jwt/jwt.go
@@ -54,3 +54,29 @@ func CreateArangodJwtAuthorizationHeader(jwtSecret, serverID string) (string, er
 return "bearer " + signedToken, nil
 }
+
+// CreateArangodJwtAuthorizationHeaderAllowedPaths calculates a JWT authorization header, for authorization
+// of a request to an arangod server, based on the given secret.
+// If the secret is empty, nothing is done.
+// Use the result of this function as input for driver.RawAuthentication.
+// Additionally allowed paths can be specified
+func CreateArangodJwtAuthorizationHeaderAllowedPaths(jwtSecret, serverID string, paths []string) (string, error) {
+ if jwtSecret == "" || serverID == "" {
+ return "", nil
+ }
+ // Create a new token object, specifying signing method and the claims
+ // you would like it to contain.
+ token := jg.NewWithClaims(jg.SigningMethodHS256, jg.MapClaims{
+ "iss": issArangod,
+ "server_id": serverID,
+ "allowed_paths": paths,
+ })
+
+ // Sign and get the complete encoded token as a string using the secret
+ signedToken, err := token.SignedString([]byte(jwtSecret))
+ if err != nil {
+ return "", driver.WithStack(err)
+ }
+
+ return "bearer " + signedToken, nil
+}
diff --git a/pkg/deployment/resources/pod_creator.go b/pkg/deployment/resources/pod_creator.go
index b4741d328..e48a8e802 100644
--- a/pkg/deployment/resources/pod_creator.go
+++ b/pkg/deployment/resources/pod_creator.go
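Review bot: The token built here carries no `exp` or `iat` claim, so once it is embedded in a probe header it stays valid for as long as the shared secret does, and `allowed_paths` narrows what such a token can reach only if the receiving arangod actually enforces that claim — a server that ignores unknown claims would presumably accept it as an ordinary `iss`/`server_id` token, so callers should not treat the list as a hard boundary without confirming server support. The doc comment is also narrower than the code: the guard returns `"", nil` for an empty serverID as well, so say so, e.g. `// If the secret or the server ID is empty, an empty header and a nil error are returned.` Passing a nil `paths` encodes the claim as `null` and an empty slice as `[]`; this file does not show how arangod interprets either, so the comment should state what callers may pass, or the function should reject an empty list. The body otherwise duplicates CreateArangodJwtAuthorizationHeader, which begins outside the hunk; folding the two is only safe once it is known that the server treats an absent and a `null` `allowed_paths` identically.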
@@ -348,7 +348,7 @@ func (r *Resources) createLivenessProbe(spec api.DeploymentSpec, group api.Serve
 if err != nil {
 return nil, maskAny(err)
 }
- authorization, err = jwt.CreateArangodJwtAuthorizationHeader(secretData, "kube-arangodb")
+ authorization, err = jwt.CreateArangodJwtAuthorizationHeaderAllowedPaths(secretData, "kube-arangodb", []string{"/_api/version"})
 if err != nil {
 return nil, maskAny(err)
 }
@@ -382,7 +382,7 @@ func (r *Resources) createLivenessProbe(spec api.DeploymentSpec, group api.Serve
 if err != nil {
 return nil, maskAny(err)
 }
- authorization, err = jwt.CreateArangodJwtAuthorizationHeader(secretData, "kube-arangodb")
+ authorization, err = jwt.CreateArangodJwtAuthorizationHeaderAllowedPaths(secretData, "kube-arangodb", []string{"/_api/version"})
 if err != nil {
 return nil, maskAny(err)
 }
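Review bot: In both hunks the path baked into the token claim, `[]string{"/_api/version"}`, is a second copy of whatever createLivenessProbe sets as the probe's LocalPath, which lies outside the hunk; if one is edited without the other the probe starts failing authorization and kubelet restarts healthy pods. Compute the path once and use it for both, e.g. `const livenessPath = "/_api/version"` near the top of the function and `[]string{livenessPath}` here, mirroring what the readiness-probe hunk in this commit does with its `localPath` variable. The same literal and the same call are repeated verbatim at 348 and 382, which suggests the two surrounding blocks could share a helper, though their bodies start and end outside the hunks.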
@@ -416,33 +416,35 @@ func (r *Resources) createReadinessProbe(spec api.DeploymentSpec, group api.Serv
 return nil, nil
 }
+ localPath := "/_api/version"
+ switch spec.GetMode() {
+ case api.DeploymentModeActiveFailover:
+ localPath = "/_admin/echo"
+ }
+
+ // /_admin/server/availability is the way to go, it is available since 3.3.9
+ if version.CompareTo("3.3.9") >= 0 {
+ localPath = "/_admin/server/availability"
+ }
+
 authorization := ""
 if spec.IsAuthenticated() {
 secretData, err := r.getJWTSecret(spec)
 if err != nil {
 return nil, maskAny(err)
 }
- authorization, err = jwt.CreateArangodJwtAuthorizationHeader(secretData, "kube-arangodb")
+ authorization, err = jwt.CreateArangodJwtAuthorizationHeaderAllowedPaths(secretData, "kube-arangodb", []string{localPath})
 if err != nil {
 return nil, maskAny(err)
 }
 }
 probeCfg := &k8sutil.HTTPProbeConfig{
- LocalPath: "/_api/version",
+ LocalPath: localPath,
 Secure: spec.IsSecure(),
 Authorization: authorization,
 InitialDelaySeconds: 2,
 PeriodSeconds: 2,
 }
- switch spec.GetMode() {
- case api.DeploymentModeActiveFailover:
- probeCfg.LocalPath = "/_admin/echo"
- }
-
- // /_admin/server/availability is the way to go, it is available since 3.3.9
- if version.CompareTo("3.3.9") >= 0 {
- probeCfg.LocalPath = "/_admin/server/availability"
- }
 return probeCfg, nil
 }
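Review bot: Scoping the readiness token to `localPath` only helps on arangod builds that enforce `allowed_paths`; the hunk version-gates the path on 3.3.9 but not the claim, so on a server that ignores it the header remains, exactly as before this change, a full-access token stored in the pod spec. The comment above the 3.3.9 check is the natural place to say so, e.g. `// allowed_paths restricts this token only where arangod enforces the claim; older servers treat it as a regular server token — TODO confirm the minimum version.` Stylistically, the one-case `switch spec.GetMode()` reads more directly as `if spec.GetMode() == api.DeploymentModeActiveFailover { localPath = "/_admin/echo" }`, and since the 3.3.9 branch then overrides it unconditionally, the mode-specific path only survives on older servers, which deserves a line of explanation. createReadinessProbe's opening and the definition of `version` lie outside the hunk.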