arangodb · neunhoef · Apr 4, 2019 · Apr 4, 2019
diff --git a/deps/github.com/arangodb/go-driver/jwt/jwt.go b/deps/github.com/arangodb/go-driver/jwt/jwt.go
@@ -54,3 +54,29 @@ func CreateArangodJwtAuthorizationHeader(jwtSecret, serverID string) (string, er
 
 	return "bearer " + signedToken, nil
 }
+
+// CreateArangodJwtAuthorizationHeaderAllowedPaths calculates a JWT authorization header, for authorization
+// of a request to an arangod server, based on the given secret.
+// If the secret is empty, nothing is done.
+// Use the result of this function as input for driver.RawAuthentication.
+// Additionally allowed paths can be specified
+func CreateArangodJwtAuthorizationHeaderAllowedPaths(jwtSecret, serverID string, paths []string) (string, error) {
+	if jwtSecret == "" || serverID == "" {
+		return "", nil
+	}
+	// Create a new token object, specifying signing method and the claims
+	// you would like it to contain.
+	token := jg.NewWithClaims(jg.SigningMethodHS256, jg.MapClaims{
+		"iss":           issArangod,
+		"server_id":     serverID,
+		"allowed_paths": paths,
+	})
+
+	// Sign and get the complete encoded token as a string using the secret
+	signedToken, err := token.SignedString([]byte(jwtSecret))
+	if err != nil {
+		return "", driver.WithStack(err)
+	}
+
+	return "bearer " + signedToken, nil
+}
diff --git a/pkg/deployment/resources/pod_creator.go b/pkg/deployment/resources/pod_creator.go
@@ -348,7 +348,7 @@ func (r *Resources) createLivenessProbe(spec api.DeploymentSpec, group api.Serve
 			if err != nil {
 				return nil, maskAny(err)
 			}
-			authorization, err = jwt.CreateArangodJwtAuthorizationHeader(secretData, "kube-arangodb")
+			authorization, err = jwt.CreateArangodJwtAuthorizationHeaderAllowedPaths(secretData, "kube-arangodb", []string{"/_api/version"})
 			if err != nil {
 				return nil, maskAny(err)
 			}
@@ -382,7 +382,7 @@ func (r *Resources) createLivenessProbe(spec api.DeploymentSpec, group api.Serve
 			if err != nil {
 				return nil, maskAny(err)
 			}
-			authorization, err = jwt.CreateArangodJwtAuthorizationHeader(secretData, "kube-arangodb")
+			authorization, err = jwt.CreateArangodJwtAuthorizationHeaderAllowedPaths(secretData, "kube-arangodb", []string{"/_api/version"})
 			if err != nil {
 				return nil, maskAny(err)
 			}
@@ -416,33 +416,35 @@ func (r *Resources) createReadinessProbe(spec api.DeploymentSpec, group api.Serv
 		return nil, nil
 	}
 
+	localPath := "/_api/version"
+	switch spec.GetMode() {
+	case api.DeploymentModeActiveFailover:
+		localPath = "/_admin/echo"
+	}
+
+	// /_admin/server/availability is the way to go, it is available since 3.3.9
+	if version.CompareTo("3.3.9") >= 0 {
+		localPath = "/_admin/server/availability"
+	}
+
 	authorization := ""
 	if spec.IsAuthenticated() {
 		secretData, err := r.getJWTSecret(spec)
 		if err != nil {
 			return nil, maskAny(err)
 		}
-		authorization, err = jwt.CreateArangodJwtAuthorizationHeader(secretData, "kube-arangodb")
+		authorization, err = jwt.CreateArangodJwtAuthorizationHeaderAllowedPaths(secretData, "kube-arangodb", []string{localPath})
 		if err != nil {
 			return nil, maskAny(err)
 		}
 	}
 	probeCfg := &k8sutil.HTTPProbeConfig{
-		LocalPath:           "/_api/version",
+		LocalPath:           localPath,
 		Secure:              spec.IsSecure(),
 		Authorization:       authorization,
 		InitialDelaySeconds: 2,
 		PeriodSeconds:       2,
 	}
-	switch spec.GetMode() {
-	case api.DeploymentModeActiveFailover:
-		probeCfg.LocalPath = "/_admin/echo"
-	}
-
-	// /_admin/server/availability is the way to go, it is available since 3.3.9
-	if version.CompareTo("3.3.9") >= 0 {
-		probeCfg.LocalPath = "/_admin/server/availability"
-	}
 
 	return probeCfg, nil
 }