[Feature] [ML] Support for deployments with JWT auth enabled (#1538)

nikita-vanyasin · web-flow · commit f53311670ee0 · 2023-12-20T08:56:03.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -36,6 +36,7 @@
 - (Improvement) (ML) BatchJob status update
 - (Feature) (ML) Multi DB Settings
 - (Feature) (ML) Port adjustments
+- (Feature) (ML) Support for deployments with JWT auth enabled
 
 ## [1.2.35](https://github.com/arangodb/kube-arangodb/tree/1.2.35) (2023-11-06)
 - (Maintenance) Update go-driver to v1.6.0, update IsNotFound() checks
diff --git a/docs/api/ArangoDeployment.V1.md b/docs/api/ArangoDeployment.V1.md
@@ -968,17 +968,15 @@ Default Value: `['amd64']`
 
 ### .spec.auth.jwtSecretName
 
-Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/authentication_spec.go#L40)</sup>
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/authentication_spec.go#L38)</sup>
 
-JWTSecretName setting specifies the name of a kubernetes `Secret` that contains
-the JWT token used for accessing all ArangoDB servers.
+JWTSecretName setting specifies the name of a kubernetes `Secret` that contains a secret key used for generating
+JWT tokens to access all ArangoDB servers.
 When no name is specified, it defaults to `<deployment-name>-jwt`.
 To disable authentication, set this value to `None`.
-If you specify a name of a `Secret`, that secret must have the token
-in a data field named `token`.
-If you specify a name of a `Secret` that does not exist, a random token is created
-and stored in a `Secret` with given name.
-Changing a JWT token results in restarting of a whole cluster.
+If you specify a name of a `Secret`, that secret must have the key value in a data field named `token`.
+If you specify a name of a `Secret` that does not exist, a random key is created and stored in a `Secret` with given name.
+Changing secret key results in restarting of a whole cluster.
 
 ***
 
diff --git a/docs/api/ArangoMLExtension.V1Alpha1.md b/docs/api/ArangoMLExtension.V1Alpha1.md
@@ -1101,6 +1101,30 @@ UID keeps the information about object UID
 
 ## Status
 
+### .status.arangoDB.jwtTokenSecret.name
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/object.go#L46)</sup>
+
+Name of the object
+
+***
+
+### .status.arangoDB.jwtTokenSecret.namespace
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/object.go#L49)</sup>
+
+Namespace of the object. Should default to the namespace of the parent object
+
+***
+
+### .status.arangoDB.jwtTokenSecret.uid
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/object.go#L52)</sup>
+
+UID keeps the information about object UID
+
+***
+
 ### .status.arangoDB.secret.name
 
 Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/object.go#L46)</sup>
@@ -1133,17 +1157,41 @@ Conditions specific to the entire extension
 
 ***
 
+### .status.metadataService.jwtTokenSecret.name
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/object.go#L46)</sup>
+
+Name of the object
+
+***
+
+### .status.metadataService.jwtTokenSecret.namespace
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/object.go#L49)</sup>
+
+Namespace of the object. Should default to the namespace of the parent object
+
+***
+
+### .status.metadataService.jwtTokenSecret.uid
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/object.go#L52)</sup>
+
+UID keeps the information about object UID
+
+***
+
 ### .status.metadataService.local.arangoMLFeatureStore
 
-Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/extension_status_metadata_service.go#L38)</sup>
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/extension_status_metadata_service.go#L41)</sup>
 
 ArangoMLFeatureStoreDatabase define Database name to be used as MetadataService Backend
 
 ***
 
 ### .status.metadataService.local.arangoPipe
 
-Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/extension_status_metadata_service.go#L35)</sup>
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/extension_status_metadata_service.go#L38)</sup>
 
 ArangoPipeDatabase define Database name to be used as MetadataService Backend
 
diff --git a/pkg/apis/deployment/v1/authentication_spec.go b/pkg/apis/deployment/v1/authentication_spec.go
@@ -28,15 +28,13 @@ import (
 
 // AuthenticationSpec holds authentication specific configuration settings
 type AuthenticationSpec struct {
-	// JWTSecretName setting specifies the name of a kubernetes `Secret` that contains
-	// the JWT token used for accessing all ArangoDB servers.
+	// JWTSecretName setting specifies the name of a kubernetes `Secret` that contains a secret key used for generating
+	// JWT tokens to access all ArangoDB servers.
 	// When no name is specified, it defaults to `<deployment-name>-jwt`.
 	// To disable authentication, set this value to `None`.
-	// If you specify a name of a `Secret`, that secret must have the token
-	// in a data field named `token`.
-	// If you specify a name of a `Secret` that does not exist, a random token is created
-	// and stored in a `Secret` with given name.
-	// Changing a JWT token results in restarting of a whole cluster.
+	// If you specify a name of a `Secret`, that secret must have the key value in a data field named `token`.
+	// If you specify a name of a `Secret` that does not exist, a random key is created and stored in a `Secret` with given name.
+	// Changing secret key results in restarting of a whole cluster.
 	JWTSecretName *string `json:"jwtSecretName,omitempty"`
 }
 
diff --git a/pkg/apis/deployment/v2alpha1/authentication_spec.go b/pkg/apis/deployment/v2alpha1/authentication_spec.go
@@ -28,15 +28,13 @@ import (
 
 // AuthenticationSpec holds authentication specific configuration settings
 type AuthenticationSpec struct {
-	// JWTSecretName setting specifies the name of a kubernetes `Secret` that contains
-	// the JWT token used for accessing all ArangoDB servers.
+	// JWTSecretName setting specifies the name of a kubernetes `Secret` that contains a secret key used for generating
+	// JWT tokens to access all ArangoDB servers.
 	// When no name is specified, it defaults to `<deployment-name>-jwt`.
 	// To disable authentication, set this value to `None`.
-	// If you specify a name of a `Secret`, that secret must have the token
-	// in a data field named `token`.
-	// If you specify a name of a `Secret` that does not exist, a random token is created
-	// and stored in a `Secret` with given name.
-	// Changing a JWT token results in restarting of a whole cluster.
+	// If you specify a name of a `Secret`, that secret must have the key value in a data field named `token`.
+	// If you specify a name of a `Secret` that does not exist, a random key is created and stored in a `Secret` with given name.
+	// Changing secret key results in restarting of a whole cluster.
 	JWTSecretName *string `json:"jwtSecretName,omitempty"`
 }
 
diff --git a/pkg/apis/ml/v1alpha1/extension_status_arangodb_ref.go b/pkg/apis/ml/v1alpha1/extension_status_arangodb_ref.go
@@ -23,6 +23,8 @@ package v1alpha1
 import sharedApi "github.com/arangodb/kube-arangodb/pkg/apis/shared/v1"
 
 type ArangoMLExtensionStatusArangoDBRef struct {
-	// Secret keeps the information about Secret for ArangoDB Authentication
+	// Secret keeps the information about ArangoDB deployment
 	Secret *sharedApi.Object `json:"secret,omitempty"`
+	// JWTTokenSecret keeps the JWT for ArangoDB authentication (only when ArangoDeployment has JWT enabled)
+	JWTTokenSecret *sharedApi.Object `json:"jwtTokenSecret,omitempty"`
 }
diff --git a/pkg/apis/ml/v1alpha1/extension_status_metadata_service.go b/pkg/apis/ml/v1alpha1/extension_status_metadata_service.go
@@ -28,6 +28,9 @@ type ArangoMLExtensionStatusMetadataService struct {
 
 	// Secret define the Secret specification to store all the details
 	Secret *sharedApi.Object `json:"secret,omitempty"`
+
+	// JWTTokenSecret keeps the JWT for ArangoDB authentication (only when ArangoDeployment has JWT enabled)
+	JWTTokenSecret *sharedApi.Object `json:"jwtTokenSecret,omitempty"`
 }
 
 type ArangoMLExtensionStatusMetadataServiceLocal struct {
diff --git a/pkg/apis/ml/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/ml/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/crd/crds/database-deployment.schema.generated.yaml b/pkg/crd/crds/database-deployment.schema.generated.yaml
@@ -2067,15 +2067,13 @@ v1:
             properties:
               jwtSecretName:
                 description: |-
-                  JWTSecretName setting specifies the name of a kubernetes `Secret` that contains
-                  the JWT token used for accessing all ArangoDB servers.
+                  JWTSecretName setting specifies the name of a kubernetes `Secret` that contains a secret key used for generating
+                  JWT tokens to access all ArangoDB servers.
                   When no name is specified, it defaults to `<deployment-name>-jwt`.
                   To disable authentication, set this value to `None`.
-                  If you specify a name of a `Secret`, that secret must have the token
-                  in a data field named `token`.
-                  If you specify a name of a `Secret` that does not exist, a random token is created
-                  and stored in a `Secret` with given name.
-                  Changing a JWT token results in restarting of a whole cluster.
+                  If you specify a name of a `Secret`, that secret must have the key value in a data field named `token`.
+                  If you specify a name of a `Secret` that does not exist, a random key is created and stored in a `Secret` with given name.
+                  Changing secret key results in restarting of a whole cluster.
                 type: string
             type: object
           bootstrap:
@@ -15228,15 +15226,13 @@ v1alpha:
             properties:
               jwtSecretName:
                 description: |-
-                  JWTSecretName setting specifies the name of a kubernetes `Secret` that contains
-                  the JWT token used for accessing all ArangoDB servers.
+                  JWTSecretName setting specifies the name of a kubernetes `Secret` that contains a secret key used for generating
+                  JWT tokens to access all ArangoDB servers.
                   When no name is specified, it defaults to `<deployment-name>-jwt`.
                   To disable authentication, set this value to `None`.
-                  If you specify a name of a `Secret`, that secret must have the token
-                  in a data field named `token`.
-                  If you specify a name of a `Secret` that does not exist, a random token is created
-                  and stored in a `Secret` with given name.
-                  Changing a JWT token results in restarting of a whole cluster.
+                  If you specify a name of a `Secret`, that secret must have the key value in a data field named `token`.
+                  If you specify a name of a `Secret` that does not exist, a random key is created and stored in a `Secret` with given name.
+                  Changing secret key results in restarting of a whole cluster.
                 type: string
             type: object
           bootstrap:
@@ -28389,15 +28385,13 @@ v2alpha1:
             properties:
               jwtSecretName:
                 description: |-
-                  JWTSecretName setting specifies the name of a kubernetes `Secret` that contains
-                  the JWT token used for accessing all ArangoDB servers.
+                  JWTSecretName setting specifies the name of a kubernetes `Secret` that contains a secret key used for generating
+                  JWT tokens to access all ArangoDB servers.
                   When no name is specified, it defaults to `<deployment-name>-jwt`.
                   To disable authentication, set this value to `None`.
-                  If you specify a name of a `Secret`, that secret must have the token
-                  in a data field named `token`.
-                  If you specify a name of a `Secret` that does not exist, a random token is created
-                  and stored in a `Secret` with given name.
-                  Changing a JWT token results in restarting of a whole cluster.
+                  If you specify a name of a `Secret`, that secret must have the key value in a data field named `token`.
+                  If you specify a name of a `Secret` that does not exist, a random key is created and stored in a `Secret` with given name.
+                  Changing secret key results in restarting of a whole cluster.
                 type: string
             type: object
           bootstrap:
diff --git a/pkg/util/k8sutil/secrets.go b/pkg/util/k8sutil/secrets.go
@@ -295,21 +295,6 @@ func CreateTokenSecret(ctx context.Context, secrets secretv1.ModInterface, secre
 	return nil
 }
 
-// CreateJWTTokenFromSecret creates a JWT token
-func CreateJWTTokenFromSecret(secret string, claims map[string]interface{}) (string, error) {
-	// Create a new token object, specifying signing method and the claims
-	// you would like it to contain.
-	token := jg.NewWithClaims(jg.SigningMethodHS256, jg.MapClaims(claims))
-
-	// Sign and get the complete encoded token as a string using the secret
-	signedToken, err := token.SignedString([]byte(secret))
-	if err != nil {
-		return "", errors.WithStack(err)
-	}
-
-	return signedToken, nil
-}
-
 // CreateJWTFromSecret creates a JWT using the secret stored in secretSecretName and stores the
 // result in a new secret called tokenSecretName
 func CreateJWTFromSecret(ctx context.Context, cachedSecrets secretv1.ReadInterface, secrets secretv1.ModInterface, tokenSecretName, secretSecretName string, claims map[string]interface{}, ownerRef *meta.OwnerReference) error {
diff --git a/pkg/util/tests/inspector.go b/pkg/util/tests/inspector.go
@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
+// Copyright 2016-2023 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -33,6 +33,7 @@ import (
 )
 
 const FakeNamespace = "fake"
+const FakeJWTSecretName = "fake-jwt-secret"
 
 func NewInspector(t *testing.T, c kclient.Client) inspectorInterface.Inspector {
 	i := inspector.NewInspector(throttle.NewAlwaysThrottleComponents(), c, FakeNamespace, FakeNamespace)

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,8 @@ package v1alpha1`
`23`	`23`	`import sharedApi "github.com/arangodb/kube-arangodb/pkg/apis/shared/v1"`
`24`	`24`
`25`	`25`	`type ArangoMLExtensionStatusArangoDBRef struct {`
`26`		`- // Secret keeps the information about Secret for ArangoDB Authentication`
	`26`	`+ // Secret keeps the information about ArangoDB deployment`
`27`	`27`	Secret *sharedApi.Object `json:"secret,omitempty"`
	`28`	`+ // JWTTokenSecret keeps the JWT for ArangoDB authentication (only when ArangoDeployment has JWT enabled)`
	`29`	+ JWTTokenSecret *sharedApi.Object `json:"jwtTokenSecret,omitempty"`
`28`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,9 @@ type ArangoMLExtensionStatusMetadataService struct {`
`28`	`28`
`29`	`29`	`// Secret define the Secret specification to store all the details`
`30`	`30`	Secret *sharedApi.Object `json:"secret,omitempty"`
	`31`	`+`
	`32`	`+ // JWTTokenSecret keeps the JWT for ArangoDB authentication (only when ArangoDeployment has JWT enabled)`
	`33`	+ JWTTokenSecret *sharedApi.Object `json:"jwtTokenSecret,omitempty"`
`31`	`34`	`}`
`32`	`35`
`33`	`36`	`type ArangoMLExtensionStatusMetadataServiceLocal struct {`