Skip to main content
Skip table of contents

Bootstrapping API keys for Kubernetes

API keys are the default method to authenticate with DCT. This is done by including the key in the HTTP Authorization request header with type apk.

API keys are long-live tokens and as a result, do not automatically expire in the future. They remain valid until they are deleted or destroyed from DCT.

A cURL example using an example key of 1.0p9PMkZO4Hgy0ezwjhX0Fi4lEKrD4pflejgqjd0pfKtywlSWR9G0fIaWajuKcBT3 would appear as:

NONE 
curl --header 'Authorization: apk 1.0p9PMkZO4Hgy0ezwjhX0Fi4lEKrD4pflejgqjd0pfKtywlSWR9G0fIaWajuKcBT3'

cURL (like web browsers and other HTTP clients) will not connect to DCT over HTTPS unless a valid TLS certificate has been configured for the Nginx server. If this configuration step has not been performed yet and the risk is comprehended, you may disable the check in the HTTP client. For instance, this can done with cURL using the --insecure flag.

The cURL version must be 7.43 or higher.

Bootstrap first API key

There is a special process to bootstrap the creation of the first API key. This first API key should only be used to create another key and then promptly deleted, since the bootstrap API will appear in the logs. This process can be repeated as many times as needed, for example, in a case where existing API keys are lost or have been deleted. 

Once the application is started, edit the values.yaml file and modify the following lines, to set the apiKeyCreate to the string value true. Toggle this value to create/seed bootstrap API key:

ACTIONSCRIPT3 
apiKeyCreate: true

Upgrade DCT with:

ACTIONSCRIPT3 
helm upgrade dct-services <directory path of the extracted chart>

If the values.yaml file needs to be overridden from outside, then use: 

ACTIONSCRIPT3 
helm upgrade dct-services -f <path_to_values.yaml> <directory path of the extracted chart>

You will see the following output in the logs for the gateway pod (the key will be different from this example):

ACTIONSCRIPT3 
NEWLY GENERATED API KEY: 1.0p9PMkZO4Hgy0ezwjhX0Fi4lEKrD4pflejgqjd0pfKtywlSWR9G0fIaWajuKcBT3

Logs for a gateway pod can be accessed using:

ACTIONSCRIPT3 
kubectl logs <gateway-pod-name> -n dct-services

gateway-pod-name will be of the format gateway-xxx and can be found using the following command: 

ACTIONSCRIPT3 
kubectl get pods -n dct-services

Copy the API Key, it can now be used to authenticate with DCT. Remember that the API Key value must be prefixed with APK. An example cURL command with the above API Key appears as follows:

ACTIONSCRIPT3 
curl --header 'Authorization: apk 1.0p9PMkZO4Hgy0ezwjhX0Fi4lEKrD4pflejgqjd0pfKtywlSWR9G0fIaWajuKcBT3'

Edit the values.yaml file to set the apiKeyCreate environment variable value back to false and upgrade DCT again with:  

ACTIONSCRIPT3 
helm upgrade dct-services <directory path of the extracted chart>

If the values.yaml file needs to be overridden from outside, then use: 

ACTIONSCRIPT3 
helm upgrade dct-services -f <path_to_values.yaml> <directory path of the extracted chart>

Create and manage API Keys

The initial API key created should be used to create a new admin secure key. This is done by creating a new Account entity and setting the generate_api_key. The "username" attribute should be the desired name to uniquely identify the account.

If the cURL version is below 7.43, replace --data-raw option with --data.

ACTIONSCRIPT3 
curl --location --request POST 'https://<hostname>/v2/management/accounts' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: apk 1.0p9PMkZO4Hgy0ezwjhX0Fi4lEKrD4pflejgqjd0pfKtywlSWR9G0fIaWajuKcBT3' \
--data-raw '{
   "username": "secure-key",
   "generate_api_key": true,
   "is_admin": true
}'

A response should be received similar to the lines below:

ACTIONSCRIPT3 
{
   "id": 2,
   "token": "2.vCfC0MnpySYZLshuxap2aZ7xqBKAnQvV7hFnobe7xuNlHS9AF2NQnV9XXw4UyET6"
   "username":"secure-key"
}

Now that the new and secure API key is created, the old one must be deleted for security reasons since the key appeared in the logs. To do this make the following request:

ACTIONSCRIPT3 
curl --location --request DELETE 'https://<hostname>/v2/management/api-clients/<id>' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: apk 2.vCfC0MnpySYZLshuxap2aZ7xqBKAnQvV7hFnobe7xuNlHS9AF2NQnV9XXw4UyET6'

The id referenced above is the numeric id of the Account. It is the integer before the period in the token. For example, the id of 1.0p9PMkZO4Hgy0ezwjhX0Fi4lEKrD4pflejgqjd0pfKtywlSWR9G0fIaWajuKcBT3 is 1.

Finally, to list all of the current Accounts, make the following request:

ACTIONSCRIPT3 
curl --location --request GET 'https://<hostname>/v2/management/accounts/' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: apk <your API key>'
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close