Skip to main content

Authentication

The API service is protected by Istio's WasmPlugin with basic authentication scheme at the infrastructure level (meaning it's not part of the DCS code base).

Security risk

Basic authentication is simple but not insecure as long as it's used with https so it's encrypted. The DCS uses basic authentication temporarily, due to lack of other authentication methods in the company. The plan is to migrate to OAuth as soon as Okta becomes available.

The WasmPlugin is Kubernetes Custom Resource Definition included in dcs Helm chart (part of this repo). api and roadnet-manager services have separate WasmPlugin configuration which allows having different set of credentials (since roadnet-manager is operator-only tool and should not be accessible by end users).

The Helm chart accept a list of base64 encoded strings for basic auth, in the format of user:password.

Since Helm values are part of environment deployment configuration, actual credentials for each environment and service would be defined by the operator. In this case, it's in GlobalDccDeploymentK8 repository.

Adding new users

Insecure credentials store

Credentials are stored in Git repository and anyone who can access the repo, can also read credentials, including Production. The creds are base64 encoded but anyone can decode them.

Istio's WasmPlugin does not support sourcing credentials from Kubernetes secrets, and the effort of implementing authentication layer in the application or in a separate proxy like nginx may be too high.

If credentials needs to be managed securely, consider implementing different solution using other methods with a proper user store/IdP.

To add new basic auth users, add a new base64-encoded string in user:password format to api.basicAuth.credentials or roadnetManager.basicAuth.credentials Helm values and deploy.

For example, to add admin user with mySecret password, the final string would be YWRtaW46bXlTZWNyZXQ=

Removing users

To remove an existing basic auth user, simply remove the corresponding string from the Helm chart values and deploy.

Rotating user passwords

To rotate a password of an existing user, update credentials string in the Helm chart values and deploy.