[Bugfix] Fix JWT Secret Tail characters

Author: ajanikow

.golangci.yaml

@@ -181,6 +181,8 @@ linters-settings:
         pkg: strings
       - alias: goHttp
         pkg: net/http
+      - alias: jwt
+        pkg: github.com/golang-jwt/jwt
   gci:
     sections:
       - standard

CHANGELOG.md

@@ -17,6 +17,7 @@
 - (Maintenance) Update Envoy to v1.32.5
 - (Maintenance) Generate CRD with Schemas
 - (Feature) DebugPackage Improvements
+- (Bugfix) Align JWT Discovery
 
 ## [1.2.47](https://github.com/arangodb/kube-arangodb/tree/1.2.47) (2025-03-28)
 - (Bugfix) Use Profile Annotations

cmd/admin.go

@@ -38,7 +38,6 @@ import (
 	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/arangodb-helper/go-certificates"
-	"github.com/arangodb/go-driver/jwt"
 	"github.com/arangodb/go-driver/v2/connection"
 
 	api "github.com/arangodb/kube-arangodb/pkg/apis/deployment/v1"
@@ -51,6 +50,7 @@ import (
 	"github.com/arangodb/kube-arangodb/pkg/util/k8sutil"
 	"github.com/arangodb/kube-arangodb/pkg/util/k8sutil/inspector/generic"
 	"github.com/arangodb/kube-arangodb/pkg/util/kclient"
+	"github.com/arangodb/kube-arangodb/pkg/util/token"
 )
 
 const (
@@ -405,16 +405,22 @@ func getJWTTokenFromSecrets(ctx context.Context, secrets generic.ReadClient[*cor
 	ctxChild, cancel := globals.GetGlobalTimeouts().Kubernetes().WithTimeout(ctx)
 	defer cancel()
 
-	token, err := k8sutil.GetTokenSecret(ctxChild, secrets, name)
+	secret, err := k8sutil.GetTokenSecret(ctxChild, secrets, name)
 	if err != nil {
 		return nil, errors.WithMessage(err, fmt.Sprintf("failed to get secret \"%s\"", name))
 	}
 
-	bearerToken, err := jwt.CreateArangodJwtAuthorizationHeader(token, "kube-arangodb")
+	authz, err := token.NewClaims().With(
+		token.WithDefaultClaims(),
+		token.WithServerID("kube-arangodb"),
+		token.WithAllowedPaths("/_api/version"),
+	).Sign(secret)
 	if err != nil {
 		return nil, errors.WithMessage(err, fmt.Sprintf("failed to create bearer token from secret \"%s\"", name))
 	}
 
+	bearerToken := fmt.Sprintf("bearer %s", authz)
+
 	return JWTAuthentication{key: "Authorization", value: bearerToken}, nil
 }
 

integrations/authentication/v1/cache.go

@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2024 ArangoDB GmbH, Cologne, Germany
+// Copyright 2024-2025 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@ import (
 
 	"github.com/arangodb/kube-arangodb/pkg/util"
 	"github.com/arangodb/kube-arangodb/pkg/util/errors"
+	"github.com/arangodb/kube-arangodb/pkg/util/token"
 )
 
 const MaxSize = 128
@@ -38,9 +39,7 @@ type cache struct {
 
 	eol time.Time
 
-	signingToken []byte
-
-	validationTokens [][]byte
+	token token.Secret
 }
 
 func (i *implementation) newCache(cfg Configuration) (*cache, error) {
@@ -91,10 +90,11 @@ func (i *implementation) newCache(cfg Configuration) (*cache, error) {
 	}
 
 	cache := cache{
-		parent:           i,
-		eol:              time.Now().Add(i.cfg.TTL),
-		signingToken:     tokens[keys[0]],
-		validationTokens: data,
+		parent: i,
+		eol:    time.Now().Add(i.cfg.TTL),
+		token: token.NewSecretSet(token.NewSecret(tokens[keys[0]]), util.FormatList(data, func(a []byte) token.Secret {
+			return token.NewSecret(a)
+		})...),
 	}
 
 	return &cache, nil

integrations/authentication/v1/implementation.go

@@ -168,9 +168,13 @@ func (i *implementation) CreateToken(ctx context.Context, request *pbAuthenticat
 	}
 
 	// Token is validated, we can continue with creation
-	secret := cache.signingToken
+	secret := cache.token
 
-	signedToken, err := token.New(secret, token.NewClaims().With(token.WithDefaultClaims(), token.WithCurrentIAT(), token.WithDuration(duration), token.WithUsername(user)))
+	signedToken, err := token.NewClaims().With(
+		token.WithDefaultClaims(),
+		token.WithCurrentIAT(),
+		token.WithDuration(duration),
+		token.WithUsername(user)).Sign(secret)
 	if err != nil {
 		return nil, err
 	}
@@ -233,23 +237,25 @@ func (i *implementation) Identity(ctx context.Context, _ *pbSharedV1.Empty) (*pb
 }
 
 func (i *implementation) extractTokenDetails(cache *cache, t string) (string, time.Duration, error) {
-	// Let's check if token is signed properly
+	// Token is validated, we can continue with creation
+	secret := cache.token
 
-	p, err := token.ParseWithAny(t, cache.validationTokens...)
+	// Let's check if token is signed properly
+	p, err := secret.Validate(t)
 	if err != nil {
 		return "", 0, err
 	}
 
 	user := DefaultAdminUser
-	if v, ok := p[token.ClaimPreferredUsername]; ok {
+	if v, ok := p.Claims()[token.ClaimPreferredUsername]; ok {
 		if s, ok := v.(string); ok {
 			user = s
 		}
 	}
 
 	duration := DefaultTokenMaxTTL
 
-	if v, ok := p[token.ClaimEXP]; ok {
+	if v, ok := p.Claims()[token.ClaimEXP]; ok {
 		switch o := v.(type) {
 		case int64:
 			duration = time.Until(time.Unix(o, 0))

pkg/api/api.go

@@ -295,7 +295,7 @@ func (d *Deployment) getJWTToken() (string, bool) {
 func (d *Deployment) GetSyncServerClient(ctx context.Context, group api.ServerGroup, id string) (client.API, error) {
 	// Fetch monitoring token
 	secretName := d.GetSpec().Sync.Monitoring.GetTokenSecretName()
-	monitoringToken, err := k8sutil.GetTokenSecret(ctx, d.GetCachedStatus().Secret().V1().Read(), secretName)
+	monitoringToken, err := k8sutil.GetTokenSecretString(ctx, d.GetCachedStatus().Secret().V1().Read(), secretName)
 	if err != nil {
 		d.log.Err(err).Str("secret-name", secretName).Debug("Failed to get sync monitoring secret")
 		return nil, errors.WithStack(err)