[Feature] Use Authorized communication (#625)

ajanikow · web-flow · commit e7dc3dc38aac · 2020-09-04T21:29:52.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,7 @@
 # Change Log
 
 ## [master](https://github.com/arangodb/kube-arangodb/tree/master) (N/A)
+- Always use JWT Authorized requests in internal communication
 - Add Operator Maintenance Management feature
 
 ## [1.0.6](https://github.com/arangodb/kube-arangodb/tree/1.0.6) (2020-08-19)
diff --git a/pkg/deployment/client_cache.go b/pkg/deployment/client_cache.go
@@ -107,6 +107,10 @@ func (cc *clientCache) Get(ctx context.Context, group api.ServerGroup, id string
 	return cc.get(ctx, group, id)
 }
 
+func (cc clientCache) GetAuth() conn.Auth {
+	return cc.factory.GetAuth()
+}
+
 func (cc *clientCache) getDatabaseClient() (driver.Client, error) {
 	if c := cc.databaseClient; c != nil {
 		return c, nil
diff --git a/pkg/deployment/context_impl.go b/pkg/deployment/context_impl.go
@@ -31,6 +31,8 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/arangodb/kube-arangodb/pkg/util/arangod/conn"
+
 	"github.com/arangodb/kube-arangodb/pkg/operator/scope"
 
 	monitoringClient "github.com/coreos/prometheus-operator/pkg/client/versioned/typed/monitoring/v1"
@@ -199,6 +201,11 @@ func (d *Deployment) GetServerClient(ctx context.Context, group api.ServerGroup,
 	return c, nil
 }
 
+// GetAuthentication return authentication for members
+func (d *Deployment) GetAuthentication() conn.Auth {
+	return d.clientCache.factory.GetAuth()
+}
+
 // GetAgencyClients returns a client connection for every agency member.
 // If the given predicate is not nil, only agents are included where the given predicate returns true.
 func (d *Deployment) GetAgencyClients(ctx context.Context, predicate func(id string) bool) ([]driver.Connection, error) {
diff --git a/pkg/deployment/reconcile/context.go b/pkg/deployment/reconcile/context.go
@@ -25,6 +25,8 @@ package reconcile
 import (
 	"context"
 
+	"github.com/arangodb/kube-arangodb/pkg/util/arangod/conn"
+
 	"github.com/arangodb/kube-arangodb/pkg/deployment/resources/inspector"
 
 	backupApi "github.com/arangodb/kube-arangodb/pkg/apis/backup/v1"
@@ -116,4 +118,6 @@ type Context interface {
 	GetBackup(backup string) (*backupApi.ArangoBackup, error)
 	// GetName receives deployment name
 	GetName() string
+	// GetAuthentication return authentication for members
+	GetAuthentication() conn.Auth
 }
diff --git a/pkg/deployment/reconcile/plan_builder_context.go b/pkg/deployment/reconcile/plan_builder_context.go
@@ -25,6 +25,8 @@ package reconcile
 import (
 	"context"
 
+	"github.com/arangodb/kube-arangodb/pkg/util/arangod/conn"
+
 	"github.com/arangodb/go-driver/agency"
 
 	"github.com/arangodb/kube-arangodb/pkg/deployment/resources/inspector"
@@ -65,6 +67,8 @@ type PlanBuilderContext interface {
 	GetDatabaseClient(ctx context.Context) (driver.Client, error)
 	// GetServerClient returns a cached client for a specific server.
 	GetServerClient(ctx context.Context, group api.ServerGroup, id string) (driver.Client, error)
+	// GetAuthentication return authentication for members
+	GetAuthentication() conn.Auth
 	// SecretsInterface return secret interface
 	SecretsInterface() k8sutil.SecretInterface
 	// GetBackup receives information about a backup resource
diff --git a/pkg/deployment/reconcile/plan_builder_test.go b/pkg/deployment/reconcile/plan_builder_test.go
@@ -28,6 +28,8 @@ import (
 	"io/ioutil"
 	"testing"
 
+	"github.com/arangodb/kube-arangodb/pkg/util/arangod/conn"
+
 	monitoring "github.com/coreos/prometheus-operator/pkg/apis/monitoring/v1"
 
 	"github.com/pkg/errors"
@@ -64,6 +66,12 @@ type testContext struct {
 	RecordedEvent    *k8sutil.Event
 }
 
+func (c *testContext) GetAuthentication() conn.Auth {
+	return func() (authentication driver.Authentication, err error) {
+		return nil, nil
+	}
+}
+
 func (c *testContext) RenderPodForMember(cachedStatus inspector.Inspector, spec api.DeploymentSpec, status api.DeploymentStatus, memberID string, imageInfo api.ImageInfo) (*core.Pod, error) {
 	panic("implement me")
 }
diff --git a/pkg/deployment/reconcile/plan_builder_tls.go b/pkg/deployment/reconcile/plan_builder_tls.go
@@ -32,6 +32,8 @@ import (
 	"reflect"
 	"time"
 
+	"github.com/arangodb/go-driver"
+
 	"github.com/arangodb/kube-arangodb/pkg/deployment/features"
 
 	"github.com/arangodb/kube-arangodb/pkg/deployment/client"
@@ -399,7 +401,7 @@ func createKeyfileRenewalPlanMode(
 	return mode
 }
 
-func checkServerValidCertRequest(ctx context.Context, apiObject k8sutil.APIObject, group api.ServerGroup, member api.MemberStatus, ca resources.Certificates) (*tls.ConnectionState, error) {
+func checkServerValidCertRequest(ctx context.Context, context PlanBuilderContext, apiObject k8sutil.APIObject, group api.ServerGroup, member api.MemberStatus, ca resources.Certificates) (*tls.ConnectionState, error) {
 	endpoint := fmt.Sprintf("https://%s:%d", k8sutil.CreatePodDNSName(apiObject, group.AsRole(), member.ID), k8sutil.ArangoPort)
 
 	tlsConfig := &tls.Config{
@@ -408,7 +410,23 @@ func checkServerValidCertRequest(ctx context.Context, apiObject k8sutil.APIObjec
 	transport := &http.Transport{TLSClientConfig: tlsConfig}
 	client := &http.Client{Transport: transport, Timeout: time.Second}
 
-	resp, err := client.Get(endpoint)
+	auth, err := context.GetAuthentication()()
+	if err != nil {
+		return nil, err
+	}
+
+	req, err := http.NewRequest(http.MethodGet, endpoint, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	if auth != nil && auth.Type() == driver.AuthenticationTypeRaw {
+		if h := auth.Get("value"); h != "" {
+			req.Header.Add("Authorization", h)
+		}
+	}
+
+	resp, err := client.Do(req)
 	if err != nil {
 		return nil, err
 	}
@@ -437,7 +455,7 @@ func keyfileRenewalRequired(ctx context.Context,
 		return false, false
 	}
 
-	res, err := checkServerValidCertRequest(ctx, apiObject, group, member, ca)
+	res, err := checkServerValidCertRequest(ctx, context, apiObject, group, member, ca)
 	if err != nil {
 		switch v := err.(type) {
 		case *url.Error:
diff --git a/pkg/deployment/resources/pod_termination.go b/pkg/deployment/resources/pod_termination.go
@@ -218,6 +218,7 @@ func (r *Resources) prepareDBServerPodTermination(ctx context.Context, log zerol
 				}
 			}
 		}
+		return maskAny(err)
 	}
 	cleanedOut, err := cluster.IsCleanedOut(ctx, memberStatus.ID)
 	if err != nil {
diff --git a/pkg/util/arangod/conn/factory.go b/pkg/util/arangod/conn/factory.go
@@ -37,6 +37,8 @@ type Factory interface {
 
 	Client(hosts ...string) (driver.Client, error)
 	Agency(hosts ...string) (agency.Agency, error)
+
+	GetAuth() Auth
 }
 
 func NewFactory(auth Auth, config Config) Factory {
@@ -51,6 +53,10 @@ type factory struct {
 	config Config
 }
 
+func (f factory) GetAuth() Auth {
+	return f.auth
+}
+
 func (f factory) AgencyConnection(hosts ...string) (driver.Connection, error) {
 	cfg, err := f.config()
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -218,6 +218,7 @@ func (r *Resources) prepareDBServerPodTermination(ctx context.Context, log zerol`
`218`	`218`	`}`
`219`	`219`	`}`
`220`	`220`	`}`
	`221`	`+ return maskAny(err)`
`221`	`222`	`}`
`222`	`223`	`cleanedOut, err := cluster.IsCleanedOut(ctx, memberStatus.ID)`
`223`	`224`	`if err != nil {`