[hardwaresofton]

Inspired by Fly.io's post a while ago[0] I also did something similar to this on my small k8s cluster with the help of stunnel, sslh, and traefik[1].

Weirdly enough I thought this was the ability to provision a wireguard-esque proxy to any machine you want, operated at the edge of the cloud, but it seems like it's really TCP-over-HTTPS.

It's easy to imagine doing the former (dynamic wireguard proxy surfacing) too though -- wireguard sidecar container with shared network namespace with the workload in question + open-to-the-world port somewhere and you'd theoretically have access to any port you wanted on said machine as well. Feels like an easy set up to trust as wireguard is pretty reliable/sound.

[0]: https://fly.io/blog/ssh-and-user-mode-ip-wireguard/

[1]: https://vadosware.io/post/stuffing-both-ssh-and-https-on-por...

[chucky_z]

I run IAP. It's TCP-over-HTTPS but it works remarkably well, connects to all kinds of things, and for users it really is just "login with google, proceed as normal."

I use a JWT proxy + ghostunnel within GKE with a VIP so it's not quite their reference setup but it's extremely "just works" outside GKE being weird and eating its own routes.

BTW, side-note but try out ghostunnel over stunnel! I've really enjoyed using it and it's been fantastic to debug and work with.

[hardwaresofton]

> I run IAP. It's TCP-over-HTTPS but it works remarkably well, connects to all kinds of things, and for users it really is just "login with google, proceed as normal."

Yeah that's really amazing, with client-side software like they've already made and I've seen from other vendors (whether GUI or TUI) the interfaces IaaS/PaaS companies can build are really slick. Looks like they'll be able to cut down on dashboard fatigue/complexity people are wrangling quite a bit.

> I use a JWT proxy + ghostunnel within GKE with a VIP so it's not quite their reference setup but it's extremely "just works" outside GKE being weird and eating its own routes.

Interesting, so JWT proxy (or any other auth mechanism that is viable over HTTPS) -> ghostunnel machine w/ public VIP -> Target machine ? Or ghostunnel directly running on the Target machine which holds the public VIP? Or does the JWT proxy take the public IP and the ghostunnel machine keep the private VIP?

Apologies just want to be able to picture your solution clearly.

> BTW, side-note but try out ghostunnel over stunnel! I've really enjoyed using it and it's been fantastic to debug and work with.

Thanks for the recommendation of ghostunnel, will use it in the future over stunnel next time I hack together something like this.

BTW: super-side note, breath of fire III avatar was a blast from the past, instantly recognized it.

[chucky_z]

haha i've used garr as an avatar for a super long time now!

> Interesting, so JWT proxy (or any other auth mechanism that is viable over HTTPS) -> ghostunnel machine w/ public VIP -> Target machine ? Or ghostunnel directly running on the Target machine which holds the public VIP? Or does the JWT proxy take the public IP and the ghostunnel machine keep the private VIP?

jwt proxy takes in the iap jwt, they give you the audience and it's just parsed, this lives in the same pod as ghostunnel. ghostunnel goes through a NAT to a public dest, where ghostunnel is _also_ running. it has extremely strict TLS requirements (Forced valid CN to be sent/accepted, strict DNS, along with a single purpose CA, cert, and key).

It's like

IAP =inside-gcp=> (JWT proxy -> ghostunnel) =public=> (ghostunnel -> thing)

There's a more modern way to do this, but this works really well and gives absolutely fantastic introspection, is super easy to use it as a public proxy, and allows you to only use minimal APIs in GCP (IAP + GKE, you don't need GKE but you also don't wanna manage all the things it does for you with annotations. :D)

[hardwaresofton]

Ahhh thank you for the detail, I understand the setup now -- I hadn't taken into account the IAP (intra GCP) bit!