Identity-Aware Proxy Configuration
Overview
Identity-Aware Proxy (IAP) is a Google Cloud Platform service that provides access controls for https resources. IAP secures authentication for https requests and only grants access to users you authorize. This allows users to connect from untrusted networks without using a VPN.
Visulate for Oracle supports IAP via the Ingress component
Enable IAP
Make sure you have a valid TLS Certificate then follow the instructions in Enabling IAP for GKE and summarized below
Configure the OAuth consent screen
Open the GCP console and navigate to the OAuth consent screen under APIs & Services
Select internal as User Type and hit the Create
button.
Enter an App name and support email address then click Save
.
Create OAuth credentials
Navigate to to the Credentials page under APIs & Services
Select Web application in the Application type drop down, supply an name and click Create
. This will open a dialog showing a newly created OAuth client ID and secret.
Copy the client ID to the clipboard and use the Download JSON link to save the credentials for later use.
Add a universal redirect URL to the authorized redirect URIs field in the following format
https://iap.googleapis.com/v1/oauth/clientIds/CLIENT_ID
:handleRedirect
where CLIENT_ID is the OAuth client ID you copied to the clipboard.
Setup IAP access
Navigate to the Identity-Aware Proxy page under Security. You should see 3 Visulate for Oracle services listed under Backend Services. These will be labeled with -api-svc, -sql-svc and -ui-svc suffixes as shown in the screenshot below. Select the checkboxes for each one and hit the Add Principal
button on the right of the screen.
In the Add principals dialog that appears, enter the email addresses of groups or individuals who should have access the the Visulate UI and APIs. Select IAP-secured Web App User in the Role field and hit Save
BackendConfig
Create a Kubernetes secret
Use the client_id and client_secret values from the client_secret JSON file downloaded earlier
kubectl create secret generic visulate-iap-secret --namespace=catalog-ns \
--from-literal=client_id=client_id_key \
--from-literal=client_secret=client_secret_key
Create a BackendConfig
Use a text editor to create a manifest file
vi iap-backend-config.yaml
Example:
---
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
name: config-default
namespace: catalog-ns
spec:
iap:
enabled: true
oauthclientCredentials:
secretName: visulate-iap-secret
Apply the file to your cluster
kubectl apply -f iap-backend-config.yaml
Annotate Services
Navigate to the Services & Ingress page under Kubernetes Engine in the GCP console. For each service, hit the Edit
button at the top of the page to access the YAML Editor. Add a beta.cloud.google.com/backend-config annotation as shown below (note the “config-default” value matches the BackendConfig name in the previous step)
Example:
metadata:
annotations:
beta.cloud.google.com/backend-config: '{"default": "config-default"}'
Complete this step for each Service (-api-svc, -sql-svc and -ui-svc)
Test
Wait for the changes to take effect then open the Visulate UI in a new Incognito window. You should be required to authenticate with your Google credentials.