I have the a use case where I need to integrate two different service using a fanout ingress (different path). I decide to do so because both services is actually related so I don't want to separate the domain. Another reason is I don't want to use another ingress. However, this problem arises, I understand that once I activate Google IAP, a new clientId and secretId will be created. And the redirect javascript url should be a domain (doesn't include any path or in it's wildcard form).
I'm tring to access https://{my-domain}/{some-path}. It turns out I got the following error.
Error: redirect_uri_mismatch
The redirect URI in the request, https://{my-domain}/_gcp_gatekeeper/authenticate, does not match the ones authorized for the OAuth client. To update the authorized redirect URIs, visit: https://console.developers.google.com/apis/credentials/oauthclient/
This is my ingress config:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: <some-static-ip>
name: <name>
namespace: <namespace>
spec:
backend:
serviceName: <service-1>
servicePort: <port-of-service-1>
rules:
- http:
paths:
- backend:
serviceName: <service-2>
servicePort: <port-of-service-2>
path: /<some-path>/*
tls:
- secretName: <secret-name>
However when I tried to access my 1st service it just fine and works as expected.
Just wondering if it's possible to create IAP for two different backend services using the same ingress. I don't manage to find more about this tho. Thanks!
Best,
After I read this:
I realize that I just need to enable IAP for my second service and then override the value of clientId and secretId of my 2nd service by the value provided by IAP config for my 1st service. Go to your IAP console:
kubectl create secret generic backend-config-secret --namespace {namespace} \
--from-literal=client_id=client_id_key \
--from-literal=client_secret=client_secret_key
Create your BackendConfig:
apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
name: {name}
namespace: {namespace}
spec:
iap:
enabled: true
oauthclientCredentials:
secretName: backend-config-secret
Add this to your service:
beta.cloud.google.com/backend-config: '{"default": "{name}"}'