Authentication
The API service is protected by Istio's WasmPlugin with a basic authentication scheme enforced at the infrastructure level, meaning it is handled by the service mesh and is not part of the DCS code base.
Basic authentication is simple, and it is acceptable only because it is used over HTTPS: the credentials travel base64-encoded, not encrypted, in the Authorization header of every request, so TLS is the only thing protecting them on the wire. The DCS uses basic authentication temporarily, because no other authentication method is available in the company yet. The plan is to migrate to OAuth as soon as Okta becomes available.
The WasmPlugin is a Kubernetes custom resource (CRD) included in the dcs Helm chart (part of this repo). The api and roadnet-manager services have separate WasmPlugin configurations, which allows each to have its own set of credentials; this matters because roadnet-manager is an operator-only tool and should not be accessible to end users holding api credentials.
The Helm chart accepts a list of base64-encoded strings for basic auth, each in the format user:password (the username must not contain a colon, since the first colon separates the two fields; the password may).
Since Helm values are part of the environment deployment configuration, the actual credentials for each environment and service are defined by the operator. In this case, they live in the GlobalDccDeploymentK8 repository.
Adding new users
Credentials are stored in a Git repository, so anyone who can access the repo can also read the credentials, including those for Production. The strings are base64-encoded, which is an encoding rather than encryption: anyone can decode them, and it provides no confidentiality. A value removed from the Helm values also remains readable in Git history, so a credential that may have been exposed should be rotated, not merely deleted.
Istio's WasmPlugin does not support sourcing credentials from Kubernetes Secrets, and the effort of implementing an authentication layer in the application or in a separate proxy such as nginx may be too high.
If credentials need to be managed securely, consider implementing a different solution using other methods with a proper user store/IdP.
To add a new basic auth user, add a new base64-encoded string in user:password format to the api.basicAuth.credentials or roadnetManager.basicAuth.credentials Helm values and deploy.
For example, to add an admin user with the password mySecret, the string to add is YWRtaW46bXlTZWNyZXQ=, which is the base64 encoding of admin:mySecret. Encode exactly the bytes of user:password with no trailing newline; a shell echo without -n appends one and produces a different string that will never match.
Removing users
To remove an existing basic auth user, remove the corresponding string from the Helm chart values and deploy. Basic auth sends the credentials on every request and has no session to invalidate, so the user is locked out as soon as the updated WasmPlugin configuration has been applied by Istio.
Rotating user passwords
To rotate the password of an existing user, replace that user's credentials string in the Helm chart values with a newly encoded user:newpassword string and deploy. The old value stays readable in Git history, so rotation rather than removal is the right response when a password is suspected to have been exposed.
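The following POSIX shell helpers are an added example, not code from the DCS repository or its Helm chart. They cover the whole procedure described in the sections above: encoding a user:password entry correctly (no trailing newline, no colon in the username), listing which users an existing credentials list contains without printing passwords, rotating one user's password within a list while preserving order, and rendering the resulting Helm values fragment. The function names are illustrative assumptions, and the rendered fragment assumes the values nest as api / basicAuth / credentials following the dotted paths on this page; the sample users other than admin:mySecret are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the DCS repo: helpers for the base64 user:password
# entries expected by the api.basicAuth.credentials and
# roadnetManager.basicAuth.credentials Helm values. Function names are
# illustrative assumptions.
set -eu

# Encode one entry. printf '%s' writes no trailing newline (echo would add one
# and yield a different, non-matching string); tr strips the line wrapping
# that GNU base64 inserts for long input. The username may not contain ':'
# because the first colon separates user from password (RFC 7617); the
# password may.
basic_auth_entry() {
  user="$1"; pass="$2"
  case "$user" in
    *:*) echo "basic_auth_entry: username must not contain ':'" >&2; return 1 ;;
  esac
  printf '%s' "${user}:${pass}" | base64 | tr -d '\n'
}

# Print only the username stored in an entry, so a credentials list can be
# audited without echoing passwords into a terminal or a log.
entry_user() {
  printf '%s' "$1" | base64 -d | cut -d: -f1
}

# Rotate one user's password: arguments are the user, the new password, then
# the existing entries. Prints the updated list, one entry per line, in the
# original order. Fails if the user is not present in the list.
rotate_entry() {
  user="$1"; newpass="$2"; shift 2
  found=0
  for e in "$@"; do
    if [ "$(entry_user "$e")" = "$user" ]; then
      basic_auth_entry "$user" "$newpass"; echo
      found=1
    else
      printf '%s\n' "$e"
    fi
  done
  [ "$found" -eq 1 ] || { echo "rotate_entry: no entry for user '$user'" >&2; return 1; }
}

# Render the Helm values fragment for a service key (api or roadnetManager).
render_values() {
  key="$1"; shift
  printf '%s:\n  basicAuth:\n    credentials:\n' "$key"
  for e in "$@"; do
    printf '      - "%s"\n' "$e"
  done
}

# Usage: build a constructed two-user list, rotate admin, audit, and render.
admin="$(basic_auth_entry admin mySecret)"   # YWRtaW46bXlTZWNyZXQ=
ops="$(basic_auth_entry ops 'p:w:d')"        # colon in password is fine
rotate_entry admin newSecret "$admin" "$ops" | while read -r entry; do
  echo "user: $(entry_user "$entry")"
done
render_values api "$admin" "$ops"
```

The rendered fragment is what gets pasted into the environment's values in the GlobalDccDeploymentK8 repository before deploying; entry_user is the safe way to check which accounts a given environment currently has without copying passwords into shell history or a ticket.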