arangodb · ajanikow · Apr 8, 2025 · Apr 3, 2025 · Apr 3, 2025 · Apr 3, 2025
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -143,6 +143,18 @@ linters-settings:
         pkg: github.com/arangodb/kube-arangodb/pkg/util/k8sutil/tls
       - alias: pbEnvoyAuthV3
         pkg: github.com/envoyproxy/go-control-plane/envoy/service/auth/v3
+      - alias: pbEnvoyBootstrapV3
+        pkg: github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3
+      - alias: pbEnvoyClusterV3
+        pkg: github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3
+      - alias: pbEnvoyCoreV3
+        pkg: github.com/envoyproxy/go-control-plane/envoy/config/core/v3
+      - alias: pbEnvoyEndpointV3
+        pkg: github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3
+      - alias: pbEnvoyListenerV3
+        pkg: github.com/envoyproxy/go-control-plane/envoy/config/listener/v3
+      - alias: pbEnvoyRouteV3
+        pkg: github.com/envoyproxy/go-control-plane/envoy/config/route/v3
       - alias: apps
         pkg: k8s.io/api/apps/v1
       - alias: batch

diff --git a/docs/api/ArangoDeployment.V1.md b/docs/api/ArangoDeployment.V1.md
@@ -3092,14 +3092,34 @@ Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.
 
 ***
 
+### .spec.gateway.cookiesSupport
+
+Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.47/pkg/apis/deployment/v1/deployment_spec_gateway.go#L49)</sup>
+
+CookiesSupport defines if Cookie based authentication via `X-ArangoDB-Token-JWT`
+
+Default Value: `true`
+
+***
+
+### .spec.gateway.defaultTargetAuthentication
+
+Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.47/pkg/apis/deployment/v1/deployment_spec_gateway.go#L53)</sup>
+
+DefaultTargetAuthentication defines if default endpoints check authentication via envoy (Cookie and Header based auth)
+
+Default Value: `true`
+
+***
+
 ### .spec.gateway.dynamic
 
 Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.47/pkg/apis/deployment/v1/deployment_spec_gateway.go#L41)</sup>
 
 Dynamic setting enables/disables support dynamic configuration of the gateway in the cluster.
 When enabled, gateway config will be reloaded by ConfigMap live updates.
 
-Default Value: `false`
+Default Value: `true`
 
 ***
 
@@ -3125,7 +3145,7 @@ By default, the image is determined by the operator.
 
 ### .spec.gateway.timeout
 
-Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.47/pkg/apis/deployment/v1/deployment_spec_gateway.go#L50)</sup>
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.47/pkg/apis/deployment/v1/deployment_spec_gateway.go#L58)</sup>
 
 Timeout defines default timeout for the upstream actions (if not overridden)
 

diff --git a/docs/cli/arangodb_operator_integration.md b/docs/cli/arangodb_operator_integration.md
@@ -44,6 +44,8 @@ Flags:
       --integration.config.v1.internal                              Defones if Internal access to service config.v1 is enabled (Env: INTEGRATION_CONFIG_V1_INTERNAL) (default true)
       --integration.config.v1.module strings                        Module in the reference <name>=<abs path> (Env: INTEGRATION_CONFIG_V1_MODULE)
       --integration.envoy.auth.v3                                   Enable EnvoyAuthV3 Integration Service (Env: INTEGRATION_ENVOY_AUTH_V3)
+      --integration.envoy.auth.v3.extensions.cookie.jwt             Defines if Cookie JWT extension is enabled (Env: INTEGRATION_ENVOY_AUTH_V3_EXTENSIONS_COOKIE_JWT) (default true)
+      --integration.envoy.auth.v3.extensions.jwt                    Defines if JWT extension is enabled (Env: INTEGRATION_ENVOY_AUTH_V3_EXTENSIONS_JWT) (default true)
       --integration.envoy.auth.v3.external                          Defones if External access to service envoy.auth.v3 is enabled (Env: INTEGRATION_ENVOY_AUTH_V3_EXTERNAL)
       --integration.envoy.auth.v3.internal                          Defones if Internal access to service envoy.auth.v3 is enabled (Env: INTEGRATION_ENVOY_AUTH_V3_INTERNAL) (default true)
       --integration.scheduler.v1                                    SchedulerV1 Integration (Env: INTEGRATION_SCHEDULER_V1)

diff --git a/integrations/envoy/auth/v3/adb_helper.go b/integrations/envoy/auth/v3/adb_helper.go
@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2024 ArangoDB GmbH, Cologne, Germany
+// Copyright 2024-2025 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@ import (
 
 	pbAuthenticationV1 "github.com/arangodb/kube-arangodb/integrations/authentication/v1/definition"
 	"github.com/arangodb/kube-arangodb/pkg/util"
+	"github.com/arangodb/kube-arangodb/pkg/util/cache"
 )
 
 const (
@@ -39,7 +40,12 @@ const (
 func NewADBHelper(client pbAuthenticationV1.AuthenticationV1Client) ADBHelper {
 	return &adbHelper{
 		client: client,
-		cache:  map[string]adbHelperToken{},
+		cache: cache.NewCache(func(ctx context.Context, in string) (*pbAuthenticationV1.CreateTokenResponse, error) {
+			return client.CreateToken(ctx, &pbAuthenticationV1.CreateTokenRequest{
+				Lifetime: durationpb.New(DefaultLifetime),
+				User:     util.NewType(in),
+			})
+		}, DefaultTTL),
 	}
 }
 
@@ -48,14 +54,9 @@ type ADBHelper interface {
 	Token(ctx context.Context, resp *AuthResponse) (string, bool, error)
 }
 
-type adbHelperToken struct {
-	TTL   time.Time
-	Token string
-}
-
 type adbHelper struct {
 	lock  sync.Mutex
-	cache map[string]adbHelperToken
+	cache cache.Cache[string, *pbAuthenticationV1.CreateTokenResponse]
 
 	client pbAuthenticationV1.AuthenticationV1Client
 }
@@ -69,31 +70,12 @@ func (a *adbHelper) Token(ctx context.Context, resp *AuthResponse) (string, bool
 		return "", false, nil
 	}
 
-	v, ok := a.cache[resp.Username]
-	if ok {
-		// We received token
-		if time.Now().Before(v.TTL) {
-			return v.Token, true, nil
-		}
-		// Token has been expired
-		delete(a.cache, resp.Username)
-	}
-
-	// We did not receive token, create one
-	auth, err := a.client.CreateToken(ctx, &pbAuthenticationV1.CreateTokenRequest{
-		Lifetime: durationpb.New(DefaultLifetime),
-		User:     util.NewType(resp.Username),
-	})
+	token, err := a.cache.Get(ctx, resp.Username)
 	if err != nil {
 		return "", false, err
 	}
 
-	a.cache[resp.Username] = adbHelperToken{
-		TTL:   time.Now().Add(DefaultTTL),
-		Token: auth.GetToken(),
-	}
-
-	return auth.GetToken(), true, nil
+	return token.GetToken(), true, nil
 }
 
 func (a *adbHelper) Validate(ctx context.Context, token string) (*AuthResponse, error) {
@@ -112,6 +94,7 @@ func (a *adbHelper) Validate(ctx context.Context, token string) (*AuthResponse,
 		if det := resp.GetDetails(); det != nil {
 			return &AuthResponse{
 				Username: det.GetUser(),
+				Token:    util.NewType(token),
 			}, nil
 		}
 	}

diff --git a/integrations/envoy/auth/v3/check.go b/integrations/envoy/auth/v3/check.go
@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2024 ArangoDB GmbH, Cologne, Germany
+// Copyright 2024-2025 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -23,11 +23,18 @@ package v3
 import (
 	"context"
 
+	pbEnvoyCoreV3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	pbEnvoyAuthV3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
 )
 
 type AuthResponse struct {
 	Username string
+
+	Token *string
+
+	CustomResponse *pbEnvoyAuthV3.CheckResponse
+
+	Headers []*pbEnvoyCoreV3.HeaderValueOption
 }
 
 type AuthRequestFunc func(ctx context.Context, request *pbEnvoyAuthV3.CheckRequest, current *AuthResponse) (*AuthResponse, error)

diff --git a/integrations/envoy/auth/v3/check_adb_jwt_cookie.go b/integrations/envoy/auth/v3/check_adb_jwt_cookie.go
@@ -0,0 +1,73 @@
+//
+// DISCLAIMER
+//
+// Copyright 2025 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v3
+
+import (
+	"context"
+	goHttp "net/http"
+
+	pbEnvoyAuthV3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+)
+
+const JWTAuthorizationCookieName = "X-ArangoDB-Token-JWT"
+
+func (i *impl) checkADBJWTCookie(ctx context.Context, request *pbEnvoyAuthV3.CheckRequest, current *AuthResponse) (*AuthResponse, error) {
+	if current != nil {
+		// Already authenticated
+		return current, nil
+	}
+
+	rawCookies := request.GetAttributes().GetRequest().GetHttp().GetHeaders()["cookie"]
+	// Convert raw cookie string into map of http cookies
+	header := goHttp.Header{}
+	header.Add("Cookie", rawCookies)
+	req := goHttp.Request{Header: header}
+	cookies := req.Cookies()
+
+	for _, cookie := range cookies {
+		if cookie != nil {
+			if cookie.Valid() != nil {
+				continue
+			}
+			if cookie.Name == JWTAuthorizationCookieName {
+				resp, err := i.helper.Validate(ctx, cookie.Value)
+				if err != nil {
+					logger.Err(err).Warn("Auth failure")
+					return nil, nil
+				}
+
+				if resp == nil {
+					return nil, nil
+
+				resp.Headers = filterCookiesHeader(cookies, func(cookie *goHttp.Cookie) bool {
+					return cookie.Valid() != nil
+				}, func(cookie *goHttp.Cookie) bool {
+					return cookie.Name == JWTAuthorizationCookieName
+				})
+
+				return resp, nil
+			}
+		}
+	}
+
+	return nil, nil
+}
diff --git a/integrations/envoy/auth/v3/configuration.go b/integrations/envoy/auth/v3/configuration.go
@@ -0,0 +1,34 @@
+//
+// DISCLAIMER
+//
+// Copyright 2025 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v3
+
+import pbAuthenticationV1 "github.com/arangodb/kube-arangodb/integrations/authentication/v1/definition"
+
+type Configuration struct {
+	AuthClient pbAuthenticationV1.AuthenticationV1Client
+
+	Extensions ConfigurationExtensions
+}
+
+type ConfigurationExtensions struct {
+	JWT       bool
+	CookieJWT bool
+}
diff --git a/integrations/envoy/auth/v3/consts.go b/integrations/envoy/auth/v3/consts.go
@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2024 ArangoDB GmbH, Cologne, Germany
+// Copyright 2024-2025 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -37,4 +37,7 @@ const (
 
 	AuthUsernameHeader      = "arangodb-platform-user"
 	AuthAuthenticatedHeader = "arangodb-platform-authenticated"
+
+	AuthorizationHeader = "Authorization"
+	CookieHeader        = "Cookie"
 )
diff --git a/integrations/envoy/auth/v3/cookies.go b/integrations/envoy/auth/v3/cookies.go
@@ -0,0 +1,67 @@
+//
+// DISCLAIMER
+//
+// Copyright 2025 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v3
+
+import (
+	goHttp "net/http"
+
+	pbEnvoyCoreV3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+
+	"github.com/arangodb/kube-arangodb/pkg/util"
+)
+
+func filterCookiesHeader(cookies []*goHttp.Cookie, filter ...func(cookie *goHttp.Cookie) bool) []*pbEnvoyCoreV3.HeaderValueOption {
+	if len(cookies) == 0 {
+		return nil
+	}
+
+	filteredCookies := util.FilterList(cookies, util.MultiFilterList(filter...))
+
+	if len(filteredCookies) == 0 {
+		return nil
+	}
+
+	cookieStrings := util.FormatList(filteredCookies, func(a *goHttp.Cookie) string {
+		return a.String()
+	})
+
+	var r []*pbEnvoyCoreV3.HeaderValueOption
+
+	r = append(r, &pbEnvoyCoreV3.HeaderValueOption{
+		Header: &pbEnvoyCoreV3.HeaderValue{
+			Key: CookieHeader,
+		},
+		AppendAction:   pbEnvoyCoreV3.HeaderValueOption_OVERWRITE_IF_EXISTS,
+		KeepEmptyValue: false,
+	})
+
+	for _, v := range cookieStrings {
+		r = append(r, &pbEnvoyCoreV3.HeaderValueOption{
+			Header: &pbEnvoyCoreV3.HeaderValue{
+				Key:   CookieHeader,
+				Value: v,
+			},
+			AppendAction: pbEnvoyCoreV3.HeaderValueOption_APPEND_IF_EXISTS_OR_ADD,
+		})
+	}
+
+	return r
+}