Page MenuHomePhabricator
Create Task
Maniphest T332478

Decouple Toolforge API gateway authentication from Kubernetes certificates
Open, HighPublic
Actions

Description

The Toolforge API gateway is responsible for authenticating and routing API requests to control Toolforge tools. Right now the authentication part is implemented via client certificates signed by the Kubernetes cluster client CA. This works okay for now, but blocks implementing some new features or improvements. For that reason we need to implement a new authentication system for various API clients to use.

Proposal

There is a draft here: https://wikitech.wikimedia.org/wiki/User:Taavi/EnhancementProposals/Toolforge_API_authentication_decoupling_MVP

Related Objects
Search...

Event Timeline

taavi created this task.Mar 18 2023, 3:05 PM
taavi updated the task description. (Show Details)Jun 24 2023, 1:27 PM
taavi updated the task description. (Show Details)Jul 18 2023, 9:29 AM
Don-vip awarded a token.Mar 30 2024, 6:50 PM
Don-vip subscribed.
Addshore subscribed.Apr 11 2025, 4:03 PM
Restricted Application added a project: cloud-services-team. · View Herald TranscriptApr 11 2025, 4:03 PM
dcaro subscribed.Apr 16 2025, 2:20 PM

Somehow I missed this, we re-took this discussion here T363983: [toolforge] Investigate authentication, leaning on using idp/CAS instead of oauth, at least for starters (same auth as horizon)

dcaro added a comment.Apr 16 2025, 2:22 PM

@taavi should I close this as duplicate? Or do you want to refresh/extend the oauth+dedicated auth server specific proposal?

dcaro triaged this task as High priority.Apr 16 2025, 2:22 PM
taavi mentioned this in T394035: Decision request - Tool account management and Striker.May 19 2025, 10:57 AM
taavi added a comment.May 19 2025, 11:04 AM
In T332478#10747989, @dcaro wrote:

@taavi should I close this as duplicate? Or do you want to refresh/extend the oauth+dedicated auth server specific proposal?

I'm planning to come up with a refreshed proposal here.

taavi updated the task description. (Show Details)May 19 2025, 1:17 PM
dcaro added a comment.May 20 2025, 8:14 AM

The related task with some pre-work done is T363983: [toolforge] Investigate authentication

DamianZaremba mentioned this in T408321: [builds] What are the current best practices for CI?.Oct 26 2025, 1:28 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits