Page MenuHomePhabricator

Decouple Toolforge API gateway authentication from Kubernetes certificates
Open, Needs TriagePublic



The Toolforge API gateway is responsible for authenticating and routing API requests to control Toolforge tools. Right now the authentication part is implemented via client certificates signed by the Kubernetes cluster client CA. This works okay for now, but blocks implementing some new features or improvements. For that reason we need to implement a new authentication system for various API clients to use.


Here are some use cases which we should account for when designing the new system:

  • Credentials for single tools, like the current ones provisioned for each tool's NFS home directory
  • Credentials which can access all tools maintained by a single user, for example for Terraform or some other locally installed CLI tool
  • Striker should have credentials which can access all tools
  • The credentials should have some security features built in, like limiting which APIs a credential can be used with and tracking when it is used.


The API gateway is currently implemented with Nginx, which supports using an external API server to authenticate API requests. It's also possible to switch to using something like Envoy which has built-in support for other authentication methods like OAuth.

To me it also seems we need some service that is responsible for issuing and revoking those credentials and tracking their usage. I'm not sure if that service should be Striker or if we should build a new service for that.