Aim: to enable Identity Aware Proxy (IAP) in conjunction with Kubernetes (k8s).
Methods:
- Two apps were deployed
- An SSL load balancer was put in front
- When one navigates to domain/app1, app1 is shown
- This tutorial was followed to enable IAP for k8s https://cloud.google.com/iap/docs/enabling-kubernetes-howto
Results:
- The Google login screen appears when one navigates to domain/app1
- When the login succeeds a ‘default gateway - 404’ is shown instead of the app when IAP is disabled
Discussion:
- Should a redirect not be configured somewhere? When the authentication and authorization succeed, a URI _gcp_gatekeeper/authenticate was added and a 404 was returned, while a redirect to the app should be done, right?
- When an App Engine is deployed and IAP is enabled, the IAP works out of the box. What makes this deploy different? Perhaps App Engine contains some elements that are omitted in k8s.
Current problem:
When the authentication succeeds the following error is shown:
There was a problem with your request. Error code 11
To begin with, here’s some general information:
To get started with IAP in GCP, add an App Engine app or configure Cloud Load Balancer for IAP. In case you are running a Kubernetes cluster, you may have the Load Balancer configured already.
Then you should enable IAP for it here:
Menu -> Security -> Identity-Aware Proxy
And finally, that is the place where the redirect URI can be configured. You can get there from the previous step by selecting the triple dot on the right side of your App/LB and choosing Edit OAuth Client. Create an OAuth client ID and set Authorized redirect URIs for it.
For App Engine apps this value is predefined, but you can adjust it according to your needs.