The company I work for has a Composer environment on Google Cloud and I recently had to create our own self-managed webserver application on the same GKE cluster because the standard webserver that was provided was experiencing a lot of timeout issues.
Anyway, when exposing this webserver through a basic ingress and without any access restrictions, I was able to connect to it just fine using the generated external ip address. However, our team needs to restrict access to this webserver to only certain users, and we thought the best way to do this is to use IAP to restrict access to specific google accounts as described in this document: https://cloud.google.com/iap/docs/enabling-kubernetes-howto .
I've followed the guidelines in the above document to create an IAP-enabled load balancer, and when I connect to the webserver through the external ip address the load balancer logs in stackdriver state the request has been "handled_by_identity_aware_proxy" so I think it's being redirected. But the problem is the browser is showing as "This site can't be reached", and I'm not being connected to the webserver.
I have a few suspicions as to the reason why and I was wondering if anyone could clarify these points:
The document above states that two requirements for setting up IAP are "a domain name registered to the address of the load balancer" and "app code to verify that all requests have an identity". My first question is: is a registered domain name necessary for IAP? I don't have a registered domain name, but is the external IP address generated by the ingress not enough? And what does the document mean by "app code to verify that all requests have an identity"? Does it mean I need to create a script in the webserver application to authenticate users? Is this why I'm getting the "This site can't be reached" error in my browser?
In the Identity-Aware Proxy page on my Google Console, the status on my backend service is showing as "Warning". I suspect this is because my project has a few firewall rules that allow for all ip ranges to have unrestricted access to the GKE cluster that this webserver is in. My second question is, do ALL requests coming into the cluster have to go through this load balancer, or if there are certain ip ranges that can bypass the load balancer does that still allow for the IAP to run, despite the obvious security risks? Or is this the reason why the ingress isn't working?
Thanks a lot for your help guys.
1a. IAP works over HTTPS, so an SSL certificate is required to certify ownership of the registered domain name. Without a certificate the site can be reached through the public external IP, but it wouldn't work at all.
1b. Getting the user's identity enables your application to verify that a request came through IAP, and it is necessary to configure this in your app. You must always use one of these mechanisms: get the user's identity with signed headers, or with App Engine and the Users API.