Toolforge is slowly moving towards an API-oriented model where client tools (such as those installed on bastions) contact custom Toolforge APIs to make changes instead of making them directly.
To help decrease setup complexity for new APIs in this model, we've set up an API gateway to run in the Kubernetes cluster. The current implementation is based on Nginx with some Helm-generated configuration running in the Kubernetes cluster, which is then exposed via the HAProxy server pair.
The base endpoint is https://api.svc.[project].eqiad1.wikimedia.cloud:30003. Services are routed with subpaths, for example /jobs for the Jobs API.
For authentication we currently use client certificates issued by the Kubernetes cluster internal CA via maintain-kubeusers. This might change in the future as we evolve how the APIs are accessed and used.
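The following is an added example of how a client on a bastion could talk to the gateway as described above; it is not Toolforge's own client code. It builds the per-project gateway hostname and a service subpath, sets up a TLS context that verifies the gateway against the internal CA and presents the maintain-kubeusers client certificate, and issues a GET over http.client from the standard library. The certificate file paths, the "tools" project name and the helper names are assumptions for illustration.

```python
"""Minimal mTLS client for the Toolforge API gateway (added example, not
Toolforge's own code). Assumes the layout the page describes: base URL
https://api.svc.<project>.eqiad1.wikimedia.cloud:30003, services under
subpaths such as /jobs, and a client certificate issued by the
cluster-internal CA. Certificate paths are placeholders."""
import http.client
import json
import ssl
from typing import Optional
from urllib.parse import quote

GATEWAY_PORT = 30003  # port stated on the page


def gateway_host(project: str) -> str:
    """Hostname of the API gateway for a given Cloud VPS project."""
    # Refuse anything that is not a single DNS label so a caller cannot
    # smuggle extra labels or a path into the host we connect to.
    if not project or "." in project or "/" in project:
        raise ValueError("project must be a single DNS label")
    return f"api.svc.{project}.eqiad1.wikimedia.cloud"


def service_path(service: str, *parts: str) -> str:
    """Subpath for a service (e.g. "jobs") plus URL-encoded path segments."""
    segments = [service.strip("/")] + [quote(p, safe="") for p in parts]
    return "/" + "/".join(segments)


def make_tls_context(ca_bundle: Optional[str],
                     client_cert: Optional[str],
                     client_key: Optional[str]) -> ssl.SSLContext:
    """TLS context that verifies the gateway and presents our client cert.

    ca_bundle: PEM file with the internal CA that signed the gateway cert
               (None falls back to the system trust store).
    client_cert / client_key: PEM files from maintain-kubeusers (assumed
               paths; None disables client authentication).
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True               # the gateway cert must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED     # never talk to an unverified gateway
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def api_get(project: str, path: str, ctx: ssl.SSLContext, timeout: float = 10.0):
    """GET a JSON resource from the gateway; raises on HTTP errors."""
    conn = http.client.HTTPSConnection(
        gateway_host(project), GATEWAY_PORT, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Accept": "application/json"})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status >= 400:
        raise RuntimeError(f"gateway returned HTTP {resp.status} for {path}")
    return json.loads(body)


if __name__ == "__main__":
    # Placeholder paths; real ones come from maintain-kubeusers.
    tls = make_tls_context("/path/to/internal-ca.pem",
                           "/path/to/client.crt", "/path/to/client.key")
    print(api_get("tools", service_path("jobs"), tls))
```

Because hostname checking and certificate verification stay enabled, a misconfigured or impersonated gateway fails the TLS handshake rather than silently receiving the client's requests; the client certificate is only attached when a path is supplied, so the same helper works for unauthenticated probes.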
The backends are configured via Helm values. The communication between the gateway and the API gateway must be encrypted via internal CA certificates issued by the
Backend services can access the authentication certificate data via the