by chucky_z
1752 days ago
I run IAP. It's TCP-over-HTTPS but it works remarkably well, connects to all kinds of things, and for users it really is just "login with google, proceed as normal." I use a JWT proxy + ghostunnel within GKE with a VIP so it's not quite their reference setup but it's extremely "just works" outside GKE being weird and eating its own routes. BTW, side-note but try out ghostunnel over stunnel! I've really enjoyed using it and it's been fantastic to debug and work with.

Yeah that's really amazing, with client-side software like they've already made and I've seen from other vendors (whether GUI or TUI) the interfaces IaaS/PaaS companies can build are really slick. Looks like they'll be able to cut down on dashboard fatigue/complexity people are wrangling quite a bit.
> I use a JWT proxy + ghostunnel within GKE with a VIP so it's not quite their reference setup but it's extremely "just works" outside GKE being weird and eating its own routes.
Interesting, so JWT proxy (or any other auth mechanism that is viable over HTTPS) -> ghostunnel machine w/ public VIP -> Target machine? Or ghostunnel directly running on the Target machine which holds the public VIP? Or does the JWT proxy take the public IP and the ghostunnel machine keep the private VIP?
Apologies, just want to be able to picture your solution clearly.
> BTW, side-note but try out ghostunnel over stunnel! I've really enjoyed using it and it's been fantastic to debug and work with.
Thanks for the recommendation of ghostunnel, will use it in the future over stunnel next time I hack together something like this.
BTW: super-side note, Breath of Fire III avatar was a blast from the past, instantly recognized it.