[Feature] Ensure token in JWT exists (#593)

Author: ajanikow

pkg/deployment/reconcile/action_jwt_set_active.go

@@ -26,6 +26,8 @@ import (
 	"context"
 	"encoding/base64"
 
+	"github.com/arangodb/kube-arangodb/pkg/util/constants"
+
 	api "github.com/arangodb/kube-arangodb/pkg/apis/deployment/v1"
 	"github.com/arangodb/kube-arangodb/pkg/deployment/patch"
 	"github.com/arangodb/kube-arangodb/pkg/deployment/pod"
@@ -85,8 +87,9 @@ func (a *jwtSetActiveAction) Start(ctx context.Context) (bool, error) {
 	}
 
 	activeKeyData, active := f.Data[pod.ActiveJWTKey]
+	tokenKeyData, token := f.Data[constants.SecretKeyToken]
 
-	if util.SHA256(activeKeyData) == toActiveChecksum {
+	if util.SHA256(activeKeyData) == toActiveChecksum && util.SHA256(activeKeyData) == util.SHA256(tokenKeyData) {
 		a.log.Info().Msgf("Desired JWT is already active")
 		return true, nil
 	}
@@ -99,6 +102,13 @@ func (a *jwtSetActiveAction) Start(ctx context.Context) (bool, error) {
 		p.ItemReplace(path, base64.StdEncoding.EncodeToString(toActiveData))
 	}
 
+	path = patch.NewPath("data", constants.SecretKeyToken)
+	if !token {
+		p.ItemAdd(path, base64.StdEncoding.EncodeToString(toActiveData))
+	} else {
+		p.ItemReplace(path, base64.StdEncoding.EncodeToString(toActiveData))
+	}
+
 	patch, err := p.Marshal()
 	if err != nil {
 		a.log.Error().Err(err).Msgf("Unable to encrypt patch")

pkg/deployment/reconcile/action_jwt_status_update.go

@@ -152,7 +152,7 @@ func (a *jwtStatusUpdateAction) Start(ctx context.Context) (bool, error) {
 		var keys []string
 
 		for key := range f.Data {
-			if key == pod.ActiveJWTKey || key == activeKeyShort {
+			if key == pod.ActiveJWTKey || key == activeKeyShort || key == constants.SecretKeyToken {
 				continue
 			}
 

pkg/deployment/reconcile/plan_builder_jwt.go

@@ -78,6 +78,11 @@ func createJWTKeyUpdate(ctx context.Context,
 		return addJWTPropagatedPlanAction(status, api.NewAction(api.ActionTypeJWTSetActive, api.ServerGroupUnknown, "", "Set active key").AddParam(checksum, jwtSha))
 	}
 
+	tokenKey, ok := folder.Data[constants.SecretKeyToken]
+	if !ok || util.SHA256(activeKey) != util.SHA256(tokenKey) {
+		return addJWTPropagatedPlanAction(status, api.NewAction(api.ActionTypeJWTSetActive, api.ServerGroupUnknown, "", "Set active key and add token field").AddParam(checksum, jwtSha))
+	}
+
 	plan, failed := areJWTTokensUpToDate(ctx, log, apiObject, spec, status, cachedStatus, context, folder)
 	if len(plan) > 0 {
 		return plan
@@ -93,7 +98,7 @@ func createJWTKeyUpdate(ctx context.Context,
 	}
 
 	for key := range folder.Data {
-		if key == pod.ActiveJWTKey {
+		if key == pod.ActiveJWTKey || key == constants.SecretKeyToken {
 			continue
 		}
 
@@ -184,7 +189,7 @@ func createJWTStatusUpdateRequired(ctx context.Context,
 	var keys []string
 
 	for key := range f.Data {
-		if key == pod.ActiveJWTKey || key == activeKeyShort {
+		if key == pod.ActiveJWTKey || key == activeKeyShort || key == constants.SecretKeyToken {
 			continue
 		}
 
@@ -309,7 +314,7 @@ func isMemberJWTTokenInvalid(ctx context.Context, c client.Client, data map[stri
 
 func compareJWTKeys(e client.Entries, keys map[string][]byte) bool {
 	for k := range keys {
-		if k == pod.ActiveJWTKey {
+		if k == pod.ActiveJWTKey || k == constants.SecretKeyToken {
 			continue
 		}
 

pkg/deployment/resources/secrets.go

@@ -205,6 +205,7 @@ func (r *Resources) ensureTokenSecretFolder(cachedStatus inspector.Inspector, se
 	if err := r.createSecretWithMod(secrets, folderSecretName, func(s *core.Secret) {
 		s.Data[util.SHA256(token)] = token
 		s.Data[pod.ActiveJWTKey] = token
+		s.Data[constants.SecretKeyToken] = token
 	}); err != nil {
 		return err
 	}