
[Feature] [ML] Support for deployments with JWT auth enabled (#1538)

This commit is contained in:
Nikita Vaniasin 2023-12-20 08:56:03 +01:00 committed by GitHub
parent edf27fc4b8
commit f53311670e
11 changed files with 100 additions and 62 deletions


@ -36,6 +36,7 @@
- (Improvement) (ML) BatchJob status update
- (Feature) (ML) Multi DB Settings
- (Feature) (ML) Port adjustments
- (Feature) (ML) Support for deployments with JWT auth enabled
## [1.2.35](https://github.com/arangodb/kube-arangodb/tree/1.2.35) (2023-11-06)
- (Maintenance) Update go-driver to v1.6.0, update IsNotFound() checks


@ -968,17 +968,15 @@ Default Value: `['amd64']`
### .spec.auth.jwtSecretName
Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/authentication_spec.go#L40)</sup>
Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/deployment/v1/authentication_spec.go#L38)</sup>
JWTSecretName setting specifies the name of a kubernetes `Secret` that contains
the JWT token used for accessing all ArangoDB servers.
JWTSecretName setting specifies the name of a kubernetes `Secret` that contains a secret key used for generating
JWT tokens to access all ArangoDB servers.
When no name is specified, it defaults to `<deployment-name>-jwt`.
To disable authentication, set this value to `None`.
If you specify a name of a `Secret`, that secret must have the token
in a data field named `token`.
If you specify a name of a `Secret` that does not exist, a random token is created
and stored in a `Secret` with given name.
Changing a JWT token results in restarting of a whole cluster.
If you specify a name of a `Secret`, that secret must have the key value in a data field named `token`.
If you specify a name of a `Secret` that does not exist, a random key is created and stored in a `Secret` with given name.
Changing secret key results in restarting of a whole cluster.
***


@ -1101,6 +1101,30 @@ UID keeps the information about object UID
## Status
### .status.arangoDB.jwtTokenSecret.name
Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/object.go#L46)</sup>
Name of the object
***
### .status.arangoDB.jwtTokenSecret.namespace
Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/object.go#L49)</sup>
Namespace of the object. Should default to the namespace of the parent object
***
### .status.arangoDB.jwtTokenSecret.uid
Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/object.go#L52)</sup>
UID keeps the information about object UID
***
### .status.arangoDB.secret.name
Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/object.go#L46)</sup>
@ -1133,9 +1157,33 @@ Conditions specific to the entire extension
***
### .status.metadataService.jwtTokenSecret.name
Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/object.go#L46)</sup>
Name of the object
***
### .status.metadataService.jwtTokenSecret.namespace
Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/object.go#L49)</sup>
Namespace of the object. Should default to the namespace of the parent object
***
### .status.metadataService.jwtTokenSecret.uid
Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/object.go#L52)</sup>
UID keeps the information about object UID
***
### .status.metadataService.local.arangoMLFeatureStore
Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/extension_status_metadata_service.go#L38)</sup>
Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/extension_status_metadata_service.go#L41)</sup>
ArangoMLFeatureStoreDatabase define Database name to be used as MetadataService Backend
@ -1143,7 +1191,7 @@ ArangoMLFeatureStoreDatabase define Database name to be used as MetadataService
### .status.metadataService.local.arangoPipe
Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/extension_status_metadata_service.go#L35)</sup>
Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/extension_status_metadata_service.go#L38)</sup>
ArangoPipeDatabase define Database name to be used as MetadataService Backend


@ -28,15 +28,13 @@ import (
// AuthenticationSpec holds authentication specific configuration settings
type AuthenticationSpec struct {
// JWTSecretName setting specifies the name of a kubernetes `Secret` that contains
// the JWT token used for accessing all ArangoDB servers.
// JWTSecretName setting specifies the name of a kubernetes `Secret` that contains a secret key used for generating
// JWT tokens to access all ArangoDB servers.
// When no name is specified, it defaults to `<deployment-name>-jwt`.
// To disable authentication, set this value to `None`.
// If you specify a name of a `Secret`, that secret must have the token
// in a data field named `token`.
// If you specify a name of a `Secret` that does not exist, a random token is created
// and stored in a `Secret` with given name.
// Changing a JWT token results in restarting of a whole cluster.
// If you specify a name of a `Secret`, that secret must have the key value in a data field named `token`.
// If you specify a name of a `Secret` that does not exist, a random key is created and stored in a `Secret` with given name.
// Changing secret key results in restarting of a whole cluster.
JWTSecretName *string `json:"jwtSecretName,omitempty"`
}


@ -28,15 +28,13 @@ import (
// AuthenticationSpec holds authentication specific configuration settings
type AuthenticationSpec struct {
// JWTSecretName setting specifies the name of a kubernetes `Secret` that contains
// the JWT token used for accessing all ArangoDB servers.
// JWTSecretName setting specifies the name of a kubernetes `Secret` that contains a secret key used for generating
// JWT tokens to access all ArangoDB servers.
// When no name is specified, it defaults to `<deployment-name>-jwt`.
// To disable authentication, set this value to `None`.
// If you specify a name of a `Secret`, that secret must have the token
// in a data field named `token`.
// If you specify a name of a `Secret` that does not exist, a random token is created
// and stored in a `Secret` with given name.
// Changing a JWT token results in restarting of a whole cluster.
// If you specify a name of a `Secret`, that secret must have the key value in a data field named `token`.
// If you specify a name of a `Secret` that does not exist, a random key is created and stored in a `Secret` with given name.
// Changing secret key results in restarting of a whole cluster.
JWTSecretName *string `json:"jwtSecretName,omitempty"`
}


@ -23,6 +23,8 @@ package v1alpha1
import sharedApi "github.com/arangodb/kube-arangodb/pkg/apis/shared/v1"
type ArangoMLExtensionStatusArangoDBRef struct {
// Secret keeps the information about Secret for ArangoDB Authentication
// Secret keeps the information about ArangoDB deployment
Secret *sharedApi.Object `json:"secret,omitempty"`
// JWTTokenSecret keeps the JWT for ArangoDB authentication (only when ArangoDeployment has JWT enabled)
JWTTokenSecret *sharedApi.Object `json:"jwtTokenSecret,omitempty"`
}
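Review bot: The doc comment on the new `JWTTokenSecret` field reads as if the field holds the token itself, while its type `*sharedApi.Object` is a name/namespace/uid reference (the generated `.status.arangoDB.jwtTokenSecret.*` docs in this same commit list exactly those three sub-fields), so the status object never carries the JWT value and the comment should say so. Suggest `// JWTTokenSecret references the Secret holding the JWT used for ArangoDB authentication (set only when the ArangoDeployment has JWT enabled)`. The identical field added to extension_status_metadata_service.go in this commit would take the same wording. The reworded comment on `Secret` ("keeps the information about ArangoDB deployment") no longer states what kind of object is referenced; if it is still a Secret reference, keeping "Secret" in the description avoids the ambiguity.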


@ -28,6 +28,9 @@ type ArangoMLExtensionStatusMetadataService struct {
// Secret define the Secret specification to store all the details
Secret *sharedApi.Object `json:"secret,omitempty"`
// JWTTokenSecret keeps the JWT for ArangoDB authentication (only when ArangoDeployment has JWT enabled)
JWTTokenSecret *sharedApi.Object `json:"jwtTokenSecret,omitempty"`
}
type ArangoMLExtensionStatusMetadataServiceLocal struct {


@ -556,6 +556,11 @@ func (in *ArangoMLExtensionStatusArangoDBRef) DeepCopyInto(out *ArangoMLExtensio
*out = new(sharedv1.Object)
(*in).DeepCopyInto(*out)
}
if in.JWTTokenSecret != nil {
in, out := &in.JWTTokenSecret, &out.JWTTokenSecret
*out = new(sharedv1.Object)
(*in).DeepCopyInto(*out)
}
return
}
@ -582,6 +587,11 @@ func (in *ArangoMLExtensionStatusMetadataService) DeepCopyInto(out *ArangoMLExte
*out = new(sharedv1.Object)
(*in).DeepCopyInto(*out)
}
if in.JWTTokenSecret != nil {
in, out := &in.JWTTokenSecret, &out.JWTTokenSecret
*out = new(sharedv1.Object)
(*in).DeepCopyInto(*out)
}
return
}


@ -2067,15 +2067,13 @@ v1:
properties:
jwtSecretName:
description: |-
JWTSecretName setting specifies the name of a kubernetes `Secret` that contains
the JWT token used for accessing all ArangoDB servers.
JWTSecretName setting specifies the name of a kubernetes `Secret` that contains a secret key used for generating
JWT tokens to access all ArangoDB servers.
When no name is specified, it defaults to `<deployment-name>-jwt`.
To disable authentication, set this value to `None`.
If you specify a name of a `Secret`, that secret must have the token
in a data field named `token`.
If you specify a name of a `Secret` that does not exist, a random token is created
and stored in a `Secret` with given name.
Changing a JWT token results in restarting of a whole cluster.
If you specify a name of a `Secret`, that secret must have the key value in a data field named `token`.
If you specify a name of a `Secret` that does not exist, a random key is created and stored in a `Secret` with given name.
Changing secret key results in restarting of a whole cluster.
type: string
type: object
bootstrap:
@ -15228,15 +15226,13 @@ v1alpha:
properties:
jwtSecretName:
description: |-
JWTSecretName setting specifies the name of a kubernetes `Secret` that contains
the JWT token used for accessing all ArangoDB servers.
JWTSecretName setting specifies the name of a kubernetes `Secret` that contains a secret key used for generating
JWT tokens to access all ArangoDB servers.
When no name is specified, it defaults to `<deployment-name>-jwt`.
To disable authentication, set this value to `None`.
If you specify a name of a `Secret`, that secret must have the token
in a data field named `token`.
If you specify a name of a `Secret` that does not exist, a random token is created
and stored in a `Secret` with given name.
Changing a JWT token results in restarting of a whole cluster.
If you specify a name of a `Secret`, that secret must have the key value in a data field named `token`.
If you specify a name of a `Secret` that does not exist, a random key is created and stored in a `Secret` with given name.
Changing secret key results in restarting of a whole cluster.
type: string
type: object
bootstrap:
@ -28389,15 +28385,13 @@ v2alpha1:
properties:
jwtSecretName:
description: |-
JWTSecretName setting specifies the name of a kubernetes `Secret` that contains
the JWT token used for accessing all ArangoDB servers.
JWTSecretName setting specifies the name of a kubernetes `Secret` that contains a secret key used for generating
JWT tokens to access all ArangoDB servers.
When no name is specified, it defaults to `<deployment-name>-jwt`.
To disable authentication, set this value to `None`.
If you specify a name of a `Secret`, that secret must have the token
in a data field named `token`.
If you specify a name of a `Secret` that does not exist, a random token is created
and stored in a `Secret` with given name.
Changing a JWT token results in restarting of a whole cluster.
If you specify a name of a `Secret`, that secret must have the key value in a data field named `token`.
If you specify a name of a `Secret` that does not exist, a random key is created and stored in a `Secret` with given name.
Changing secret key results in restarting of a whole cluster.
type: string
type: object
bootstrap:


@ -295,21 +295,6 @@ func CreateTokenSecret(ctx context.Context, secrets secretv1.ModInterface, secre
return nil
}
// CreateJWTTokenFromSecret creates a JWT token
func CreateJWTTokenFromSecret(secret string, claims map[string]interface{}) (string, error) {
// Create a new token object, specifying signing method and the claims
// you would like it to contain.
token := jg.NewWithClaims(jg.SigningMethodHS256, jg.MapClaims(claims))
// Sign and get the complete encoded token as a string using the secret
signedToken, err := token.SignedString([]byte(secret))
if err != nil {
return "", errors.WithStack(err)
}
return signedToken, nil
}
// CreateJWTFromSecret creates a JWT using the secret stored in secretSecretName and stores the
// result in a new secret called tokenSecretName
func CreateJWTFromSecret(ctx context.Context, cachedSecrets secretv1.ReadInterface, secrets secretv1.ModInterface, tokenSecretName, secretSecretName string, claims map[string]interface{}, ownerRef *meta.OwnerReference) error {


@ -1,7 +1,7 @@
//
// DISCLAIMER
//
// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
// Copyright 2016-2023 ArangoDB GmbH, Cologne, Germany
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@ -33,6 +33,7 @@ import (
)
const FakeNamespace = "fake"
const FakeJWTSecretName = "fake-jwt-secret"
func NewInspector(t *testing.T, c kclient.Client) inspectorInterface.Inspector {
i := inspector.NewInspector(throttle.NewAlwaysThrottleComponents(), c, FakeNamespace, FakeNamespace)