Google Identity Aware Proxy for Two Different Backend Service using same domain

12/17/2018

I have a use case where I need to integrate two different services using a fanout ingress (different paths). I decided to do so because both services are actually related, so I don't want to separate the domains. Another reason is I don't want to use another ingress. However, this problem arises: I understand that once I activate Google IAP, a new clientId and secretId will be created, and the redirect JavaScript URL should be a domain (it doesn't include any path or its wildcard form).

I'm trying to access https://{my-domain}/{some-path}. It turns out I got the following error.

That’s an error.

Error: redirect_uri_mismatch

The redirect URI in the request, https://{my-domain}/_gcp_gatekeeper/authenticate, does not match the ones authorized for the OAuth client. To update the authorized redirect URIs, visit: https://console.developers.google.com/apis/credentials/oauthclient/

This is my ingress config:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.global-static-ip-name: <some-static-ip>
  name: <name>
  namespace: <namespace>
spec:
  backend:
    serviceName: <service-1>
    servicePort: <port-of-service-1>
  rules:
  - http:
      paths:
      - backend:
          serviceName: <service-2>
          servicePort: <port-of-service-2>
        path: /<some-path>/*
  tls:
  - secretName: <secret-name>

However, when I try to access my 1st service it works just fine, as expected.

Just wondering if it's possible to create IAP for two different backend services using the same ingress. I didn't manage to find more about this, though. Thanks!

Best,

-- irvifa
google-cloud-platform
google-iap
kubernetes

1 Answer

12/17/2018

After I read this:

  1. https://cloud.google.com/iap/docs/reference/compute-engine-apis#set_iap_properties_by_updating
  2. https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig
  3. https://cloud.google.com/iap/docs/enabling-kubernetes-howto

I realized that I just need to enable IAP for my second service and then override the clientId and secretId values of my 2nd service with the values provided by the IAP config for my 1st service. Go to your IAP console:

kubectl create secret generic backend-config-secret --namespace {namespace} \
  --from-literal=client_id=client_id_key \
  --from-literal=client_secret=client_secret_key

Create your BackendConfig:

apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
  name: {name}
  namespace: {namespace}
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: backend-config-secret

Add this to your service:

beta.cloud.google.com/backend-config: '{"default": "{name}"}'
-- irvifa
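The three steps in the answer (create the Secret, create the BackendConfig, annotate the Service) only work when each object names the previous one correctly. The script below is an added example, not code from the answer or from Google: it renders all three manifests from one set of variables, checks that the BackendConfig points at the Secret that holds the credentials and that the Service annotation points at the BackendConfig, and only then prints the manifests so they can be piped to kubectl. The namespace "apps", the BackendConfig name "shared-iap", the service name "service-2" and port 8080 are hypothetical; the OAuth client ID and secret are read from the IAP_CLIENT_ID and IAP_CLIENT_SECRET environment variables (placeholders are used when they are unset) so the real values never live in the script. The annotation key is the one used in the answer.

```shell
#!/bin/sh
# Added example (not from the original post): render the Secret, BackendConfig
# and Service annotation described in the answer and check that they reference
# each other consistently before anything is applied.
# Hypothetical values: namespace "apps", BackendConfig "shared-iap",
# service "service-2" on port 8080. Override them via the environment.

NAMESPACE="${NAMESPACE:-apps}"
CONFIG_NAME="${CONFIG_NAME:-shared-iap}"
SECRET_NAME="${SECRET_NAME:-backend-config-secret}"
SERVICE_NAME="${SERVICE_NAME:-service-2}"

# Secret manifest. "kubectl create secret ... --from-literal" base64-encodes
# the values; stringData lets the rendered YAML stay readable. The credential
# values are placeholders unless IAP_CLIENT_ID / IAP_CLIENT_SECRET are set.
render_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${SECRET_NAME}
  namespace: ${NAMESPACE}
type: Opaque
stringData:
  client_id: ${IAP_CLIENT_ID:-REPLACE_WITH_CLIENT_ID}
  client_secret: ${IAP_CLIENT_SECRET:-REPLACE_WITH_CLIENT_SECRET}
EOF
}

# BackendConfig that turns IAP on and points at the Secret above.
render_backend_config() {
  cat <<EOF
apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
  name: ${CONFIG_NAME}
  namespace: ${NAMESPACE}
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: ${SECRET_NAME}
EOF
}

# Second service, annotated with the BackendConfig name (same key as the answer).
render_service() {
  cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: ${SERVICE_NAME}
  namespace: ${NAMESPACE}
  annotations:
    beta.cloud.google.com/backend-config: '{"default": "${CONFIG_NAME}"}'
spec:
  type: NodePort
  selector:
    app: ${SERVICE_NAME}
  ports:
  - port: 8080
    targetPort: 8080
EOF
}

# Wiring check: BackendConfig -> Secret, Service annotation -> BackendConfig,
# and the Secret carries both keys the BackendConfig expects. Any mismatch is
# a common reason IAP stays off on one path. Returns 0 when consistent.
check_wiring() {
  secret_ref=$(render_backend_config | sed -n 's/^ *secretName: *//p')
  config_ref=$(render_service | sed -n 's/.*"default": *"\([^"]*\)".*/\1/p')
  secret_keys=$(render_secret | grep -c -E '^  (client_id|client_secret):')
  [ "$secret_ref" = "$SECRET_NAME" ] || return 1
  [ "$config_ref" = "$CONFIG_NAME" ] || return 1
  [ "$secret_keys" -eq 2 ] || return 1
  return 0
}

# Print all three manifests only when the wiring is consistent.
render_all() {
  check_wiring || { echo "manifest wiring is inconsistent" >&2; return 1; }
  render_secret; echo ---; render_backend_config; echo ---; render_service
}

render_all
```

Run it as `IAP_CLIENT_ID=... IAP_CLIENT_SECRET=... sh render-iap.sh | kubectl apply -f -` to create the objects; the script exits non-zero without printing anything applicable if a name in one manifest does not match the object it is supposed to reference.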
Source: StackOverflow