From Wikitech

Toolforge is slowly moving towards an API-oriented model where client tools (such as those installed on bastions) contact custom Toolforge APIs to make changes instead of making them directly.

API gateway

To help decrease setup complexity for new APIs in this model, we've set up an API gateway in the Kubernetes cluster. The current implementation is Nginx with Helm-generated configuration, exposed to clients via the HAProxy server pair.
The base endpoint is https://api.svc.[project].eqiad1.wikimedia.cloud:30003. Services are routed with subpaths, for example /jobs for the Jobs API.

For authentication we currently use client certificates issued by the Kubernetes cluster internal CA via maintain-kubeusers. This might change in the future as we evolve how the APIs are accessed and used.
The backends are configured via Helm values. Communication between the gateway and each backend must be encrypted with internal CA certificates issued by the api-gateway-backend-ca ClusterIssuer.

Backend services can read the subject DN of the client certificate that was presented to the gateway from the ssl-client-subject-dn header.
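As an added example (not Toolforge's own code), here is how a backend behind the gateway might turn the forwarded ssl-client-subject-dn header into a tool identity and use it for an authorisation decision. It assumes, for illustration, that the subject DN arrives either in the comma-separated RFC 2253 form that current Nginx emits for $ssl_client_s_dn ("CN=x,O=y") or in the older slash-separated form ("/O=y/CN=x"), and that the tool's name is carried in the CN attribute; the exact DN layout of certificates issued via maintain-kubeusers is not stated on this page. The example goes slightly beyond the page by handling both DN forms and escaped commas. The header is only trustworthy because the gateway-to-backend hop is mTLS with the internal CA described above: a backend that is reachable by anything other than the gateway must not treat this header as authentication.

```python
"""Added example: reading the caller identity a backend receives from the
Toolforge API gateway in the ssl-client-subject-dn header.

Assumptions (illustrative, not from the Toolforge documentation):
- the DN is in RFC 2253 comma form ("CN=x,O=y") or legacy slash form ("/O=y/CN=x");
- the tool identity is the CN attribute;
- the backend is reachable only from the gateway over mTLS, so the header
  cannot be spoofed by an arbitrary client.
"""
from typing import Mapping, Optional

HEADER = "ssl-client-subject-dn"


def parse_subject_dn(dn: str) -> dict:
    """Parse a certificate subject DN into {ATTRIBUTE: value}.

    Handles the comma-separated RFC 2253 form with backslash escapes
    ("CN=tool\\,x,O=toolforge") and the legacy slash-separated form
    ("/O=toolforge/CN=tool-x"). Malformed input raises ValueError.
    """
    dn = dn.strip()
    if not dn:
        raise ValueError("empty subject DN")
    if dn.startswith("/"):
        # Legacy OpenSSL one-line form: attributes separated by "/"
        # (assumption: values themselves contain no "/").
        parts = [p for p in dn.split("/") if p]
    else:
        # RFC 2253 form: split on commas that are not escaped with "\".
        parts, current, escaped = [], [], False
        for ch in dn:
            if escaped:
                current.append(ch)
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == ",":
                parts.append("".join(current))
                current = []
            else:
                current.append(ch)
        if escaped:
            raise ValueError("dangling escape in subject DN")
        parts.append("".join(current))
    result = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        key, value = part.split("=", 1)
        result[key.strip().upper()] = value.strip()
    return result


def identity_from_headers(headers: Mapping[str, str]) -> Optional[str]:
    """Return the tool identity (CN) from the forwarded subject DN header,
    or None when the header is absent, empty or unparsable."""
    value = None
    for name, raw in headers.items():
        if name.lower() == HEADER:  # HTTP header names are case-insensitive
            value = raw
            break
    if not value:
        return None
    try:
        return parse_subject_dn(value).get("CN") or None
    except ValueError:
        return None


def require_tool(headers: Mapping[str, str], allowed: set) -> str:
    """Authorisation helper: return the caller's tool name, or raise
    PermissionError when no valid identity was forwarded or the tool is
    not in the allow-list for this endpoint."""
    tool = identity_from_headers(headers)
    if tool is None:
        raise PermissionError("no client certificate identity forwarded by the gateway")
    if tool not in allowed:
        raise PermissionError(f"tool {tool!r} is not authorised for this endpoint")
    return tool


if __name__ == "__main__":
    # Constructed sample header, shaped like what the gateway forwards.
    sample = {"Ssl-Client-Subject-Dn": "CN=tool-example,O=toolforge"}
    print(require_tool(sample, {"tool-example"}))
```

The parser normalises attribute names to upper case so that "cn" and "CN" compare equal, and failure to parse is treated exactly like a missing header: the request is rejected rather than falling through to an anonymous path.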