[Bugfix] Fix JWT Secret Tail characters

Author: ajanikow

CHANGELOG.md

@@ -16,6 +16,7 @@
 - (Feature) (Platform) Login & Logout Endpoints
 - (Feature) (Platform) OpenID Integration
 - (Maintenance) Operator Labeling Skip
+- (Bugfix) Align JWT Discovery
 
 ## [1.2.48](https://github.com/arangodb/kube-arangodb/tree/1.2.48) (2025-05-08)
 - (Maintenance) Extend Documentation

cmd/admin.go

@@ -38,7 +38,6 @@ import (
 	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/arangodb-helper/go-certificates"
-	"github.com/arangodb/go-driver/jwt"
 	"github.com/arangodb/go-driver/v2/connection"
 
 	api "github.com/arangodb/kube-arangodb/pkg/apis/deployment/v1"
@@ -51,6 +50,7 @@ import (
 	"github.com/arangodb/kube-arangodb/pkg/util/k8sutil"
 	"github.com/arangodb/kube-arangodb/pkg/util/k8sutil/inspector/generic"
 	"github.com/arangodb/kube-arangodb/pkg/util/kclient"
+	"github.com/arangodb/kube-arangodb/pkg/util/token"
 )
 
 const (
@@ -405,16 +405,22 @@ func getJWTTokenFromSecrets(ctx context.Context, secrets generic.ReadClient[*cor
 	ctxChild, cancel := globals.GetGlobalTimeouts().Kubernetes().WithTimeout(ctx)
 	defer cancel()
 
-	token, err := k8sutil.GetTokenSecret(ctxChild, secrets, name)
+	secret, err := k8sutil.GetTokenSecret(ctxChild, secrets, name)
 	if err != nil {
 		return nil, errors.WithMessage(err, fmt.Sprintf("failed to get secret \"%s\"", name))
 	}
 
-	bearerToken, err := jwt.CreateArangodJwtAuthorizationHeader(token, "kube-arangodb")
+	authz, err := token.NewClaims().With(
+		token.WithDefaultClaims(),
+		token.WithServerID("kube-arangodb"),
+		token.WithAllowedPaths("/_api/version"),
+	).Sign(secret)
 	if err != nil {
 		return nil, errors.WithMessage(err, fmt.Sprintf("failed to create bearer token from secret \"%s\"", name))
 	}
 
+	bearerToken := fmt.Sprintf("bearer %s", authz)
+
 	return JWTAuthentication{key: "Authorization", value: bearerToken}, nil
 }
 

integrations/authentication/v1/cache.go

@@ -29,18 +29,13 @@ import (
 	"time"
 
 	"github.com/arangodb/kube-arangodb/pkg/util"
+	"github.com/arangodb/kube-arangodb/pkg/util/token"
 )
 
 const MaxSize = 128
 
-type tokens struct {
-	signingToken []byte
-
-	validationTokens [][]byte
-}
-
-func newCache(cfg Configuration) func(ctx context.Context) (*tokens, time.Duration, error) {
-	return func(ctx context.Context) (*tokens, time.Duration, error) {
+func newCache(cfg Configuration) func(ctx context.Context) (token.Secret, time.Duration, error) {
+	return func(ctx context.Context) (token.Secret, time.Duration, error) {
 		files, err := os.ReadDir(cfg.Path)
 		if err != nil {
 			return nil, 0, err
@@ -87,9 +82,8 @@ func newCache(cfg Configuration) func(ctx context.Context) (*tokens, time.Durati
 			data[id] = ts[keys[id]]
 		}
 
-		return &tokens{
-			signingToken:     ts[keys[0]],
-			validationTokens: data,
-		}, cfg.TTL, nil
+		return token.NewSecretSet(token.NewSecret(ts[keys[0]]), util.FormatList(data, func(a []byte) token.Secret {
+			return token.NewSecret(a)
+		})...), cfg.TTL, nil
 	}
 }

integrations/authentication/v1/implementation.go

@@ -91,7 +91,7 @@ type implementation struct {
 	cfg Configuration
 
 	userClient cache.Object[arangodb.Requests]
-	cache      cache.Object[*tokens]
+	cache      cache.Object[token.Secret]
 }
 
 func (i *implementation) Name() string {
@@ -189,16 +189,12 @@ func (i *implementation) CreateToken(ctx context.Context, request *pbAuthenticat
 		duration = v
 	}
 
-	// Token is validated, we can continue with creation
-	secret := cache.signingToken
-
-	signedToken, err := token.New(secret,
-		token.NewClaims().With(token.WithDefaultClaims(),
-			token.WithCurrentIAT(),
-			token.WithDuration(duration),
-			token.WithUsername(user),
-			token.WithRoles(request.GetRoles()...)),
-	)
+	signedToken, err := token.NewClaims().With(
+		token.WithDefaultClaims(),
+		token.WithCurrentIAT(),
+		token.WithDuration(duration),
+		token.WithUsername(user),
+		token.WithRoles(request.GetRoles()...)).Sign(cache)
 	if err != nil {
 		return nil, err
 	}
@@ -346,24 +342,25 @@ func (i *implementation) Logout(ctx context.Context, req *pbAuthenticationV1.Log
 	return &pbSharedV1.Empty{}, nil
 }
 
-func (i *implementation) extractTokenDetails(cache *tokens, t string) (string, []string, time.Duration, error) {
+func (i *implementation) extractTokenDetails(cache token.Secret, t string) (string, []string, time.Duration, error) {
 	// Let's check if token is signed properly
-
-	p, err := token.ParseWithAny(t, cache.validationTokens...)
+	p, err := cache.Validate(t)
 	if err != nil {
 		return "", nil, 0, err
 	}
 
 	user := DefaultAdminUser
-	if v, ok := p[token.ClaimPreferredUsername]; ok {
+	if v, ok := p.Claims()[token.ClaimPreferredUsername]; ok {
 		if s, ok := v.(string); ok {
 			user = s
 		}
 	}
 
 	duration := DefaultTokenMaxTTL
 
-	if v, ok := p[token.ClaimEXP]; ok {
+	claims := p.Claims()
+
+	if v, ok := claims[token.ClaimEXP]; ok {
 		switch o := v.(type) {
 		case int64:
 			duration = time.Until(time.Unix(o, 0))
@@ -374,7 +371,7 @@ func (i *implementation) extractTokenDetails(cache *tokens, t string) (string, [
 
 	var roles []string
 
-	if v, ok := p[token.ClaimRoles]; ok {
+	if v, ok := claims[token.ClaimRoles]; ok {
 		switch o := v.(type) {
 		case []string:
 			roles = o

pkg/api/api.go

@@ -295,7 +295,7 @@ func (d *Deployment) getJWTToken() (string, bool) {
 func (d *Deployment) GetSyncServerClient(ctx context.Context, group api.ServerGroup, id string) (client.API, error) {
 	// Fetch monitoring token
 	secretName := d.GetSpec().Sync.Monitoring.GetTokenSecretName()
-	monitoringToken, err := k8sutil.GetTokenSecret(ctx, d.GetCachedStatus().Secret().V1().Read(), secretName)
+	monitoringToken, err := k8sutil.GetTokenSecretString(ctx, d.GetCachedStatus().Secret().V1().Read(), secretName)
 	if err != nil {
 		d.log.Err(err).Str("secret-name", secretName).Debug("Failed to get sync monitoring secret")
 		return nil, errors.WithStack(err)

pkg/api/auth.go

@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2016-2024 ArangoDB GmbH, Cologne, Germany
+// Copyright 2016-2025 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -227,7 +227,7 @@ func TestEnsurePod_Sync_Master(t *testing.T) {
 				testCase.createTestPodData(deployment, api.ServerGroupSyncMasters, firstSyncMaster)
 
 				name := testCase.ArangoDeployment.Spec.Sync.Monitoring.GetTokenSecretName()
-				auth, err := k8sutil.GetTokenSecret(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
+				auth, err := k8sutil.GetTokenSecretString(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
 				require.NoError(t, err)
 
 				testCase.ExpectedPod.Spec.Containers[0].LivenessProbe = createTestLivenessProbe("", true, "bearer "+auth, shared.ServerPortName)
@@ -316,7 +316,7 @@ func TestEnsurePod_Sync_Master(t *testing.T) {
 
 				testCase.createTestPodData(deployment, api.ServerGroupSyncMasters, firstSyncMaster)
 				name := testCase.ArangoDeployment.Spec.Sync.Monitoring.GetTokenSecretName()
-				auth, err := k8sutil.GetTokenSecret(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
+				auth, err := k8sutil.GetTokenSecretString(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
 				require.NoError(t, err)
 
 				testCase.ExpectedPod.Spec.Containers[0].LivenessProbe = createTestLivenessProbe("", true, "bearer "+auth, shared.ServerPortName)
@@ -420,7 +420,7 @@ func TestEnsurePod_Sync_Master(t *testing.T) {
 
 				testCase.createTestPodData(deployment, api.ServerGroupSyncMasters, firstSyncMaster)
 				name := testCase.ArangoDeployment.Spec.Sync.Monitoring.GetTokenSecretName()
-				auth, err := k8sutil.GetTokenSecret(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
+				auth, err := k8sutil.GetTokenSecretString(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
 				require.NoError(t, err)
 
 				testCase.ExpectedPod.Spec.Containers[0].LivenessProbe = createTestLivenessProbe("", true, "bearer "+auth, shared.ServerPortName)
@@ -521,7 +521,7 @@ func TestEnsurePod_Sync_Master(t *testing.T) {
 
 				testCase.createTestPodData(deployment, api.ServerGroupSyncMasters, firstSyncMaster)
 				name := testCase.ArangoDeployment.Spec.Sync.Monitoring.GetTokenSecretName()
-				auth, err := k8sutil.GetTokenSecret(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
+				auth, err := k8sutil.GetTokenSecretString(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
 				require.NoError(t, err)
 
 				testCase.ExpectedPod.Spec.Containers[0].LivenessProbe = createTestLivenessProbe("", true, "bearer "+auth, shared.ServerPortName)
@@ -622,7 +622,7 @@ func TestEnsurePod_Sync_Master(t *testing.T) {
 
 				testCase.createTestPodData(deployment, api.ServerGroupSyncMasters, firstSyncMaster)
 				name := testCase.ArangoDeployment.Spec.Sync.Monitoring.GetTokenSecretName()
-				auth, err := k8sutil.GetTokenSecret(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
+				auth, err := k8sutil.GetTokenSecretString(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
 				require.NoError(t, err)
 
 				testCase.ExpectedPod.Spec.Containers[0].LivenessProbe = createTestLivenessProbe("", true, "bearer "+auth, shared.ServerPortName)
@@ -726,7 +726,7 @@ func TestEnsurePod_Sync_Master(t *testing.T) {
 
 				testCase.createTestPodData(deployment, api.ServerGroupSyncMasters, firstSyncMaster)
 				name := testCase.ArangoDeployment.Spec.Sync.Monitoring.GetTokenSecretName()
-				auth, err := k8sutil.GetTokenSecret(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
+				auth, err := k8sutil.GetTokenSecretString(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
 				require.NoError(t, err)
 
 				testCase.ExpectedPod.Spec.Containers[0].LivenessProbe = createTestLivenessProbe("", true, "bearer "+auth, shared.ServerPortName)
@@ -825,7 +825,7 @@ func TestEnsurePod_Sync_Master(t *testing.T) {
 
 				testCase.createTestPodData(deployment, api.ServerGroupSyncMasters, firstSyncMaster)
 				name := testCase.ArangoDeployment.Spec.Sync.Monitoring.GetTokenSecretName()
-				auth, err := k8sutil.GetTokenSecret(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
+				auth, err := k8sutil.GetTokenSecretString(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
 				require.NoError(t, err)
 
 				testCase.ExpectedPod.Spec.Containers[0].LivenessProbe = createTestLivenessProbe("", true, "bearer "+auth, shared.ServerPortName)
@@ -931,7 +931,7 @@ func TestEnsurePod_Sync_Master(t *testing.T) {
 
 				testCase.createTestPodData(deployment, api.ServerGroupSyncMasters, firstSyncMaster)
 				name := testCase.ArangoDeployment.Spec.Sync.Monitoring.GetTokenSecretName()
-				auth, err := k8sutil.GetTokenSecret(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
+				auth, err := k8sutil.GetTokenSecretString(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
 				require.NoError(t, err)
 
 				testCase.ExpectedPod.Spec.Containers[0].LivenessProbe = createTestLivenessProbe("", true, "bearer "+auth, shared.ServerPortName)
@@ -1047,7 +1047,7 @@ func TestEnsurePod_Sync_Master(t *testing.T) {
 
 				testCase.createTestPodData(deployment, api.ServerGroupSyncMasters, firstSyncMaster)
 				name := testCase.ArangoDeployment.Spec.Sync.Monitoring.GetTokenSecretName()
-				auth, err := k8sutil.GetTokenSecret(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
+				auth, err := k8sutil.GetTokenSecretString(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
 				require.NoError(t, err)
 
 				testCase.ExpectedPod.Spec.Containers[0].LivenessProbe = createTestLivenessProbe("", true, "bearer "+auth, shared.ServerPortName)
@@ -1161,7 +1161,7 @@ func TestEnsurePod_Sync_Master(t *testing.T) {
 
 				testCase.createTestPodData(deployment, api.ServerGroupSyncMasters, firstSyncMaster)
 				name := testCase.ArangoDeployment.Spec.Sync.Monitoring.GetTokenSecretName()
-				auth, err := k8sutil.GetTokenSecret(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
+				auth, err := k8sutil.GetTokenSecretString(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
 				require.NoError(t, err)
 
 				testCase.ExpectedPod.Spec.Containers[0].LivenessProbe = createTestLivenessProbe("", true, "bearer "+auth, shared.ServerPortName)
@@ -1272,7 +1272,7 @@ func TestEnsurePod_Sync_Worker(t *testing.T) {
 				testCase.createTestPodData(deployment, api.ServerGroupSyncWorkers, firstSyncWorker)
 
 				name := testCase.ArangoDeployment.Spec.Sync.Monitoring.GetTokenSecretName()
-				auth, err := k8sutil.GetTokenSecret(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
+				auth, err := k8sutil.GetTokenSecretString(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
 				require.NoError(t, err)
 
 				testCase.ExpectedPod.Spec.Containers[0].LivenessProbe = createTestLivenessProbe("", true, "bearer "+auth, shared.ServerPortName)
@@ -1367,7 +1367,7 @@ func TestEnsurePod_Sync_Worker(t *testing.T) {
 				testCase.createTestPodData(deployment, api.ServerGroupSyncWorkers, firstSyncWorker)
 
 				name := testCase.ArangoDeployment.Spec.Sync.Monitoring.GetTokenSecretName()
-				auth, err := k8sutil.GetTokenSecret(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
+				auth, err := k8sutil.GetTokenSecretString(context.Background(), deployment.GetCachedStatus().Secret().V1().Read(), name)
 				require.NoError(t, err)
 
 				testCase.ExpectedPod.Spec.Containers[0].LivenessProbe = createTestLivenessProbe("", true, "bearer "+auth, shared.ServerPortName)