by hardwaresofton 1752 days ago
> I run IAP. It's TCP-over-HTTPS but it works remarkably well, connects to all kinds of things, and for users it really is just "login with google, proceed as normal."

Yeah, that's really amazing. With client-side software like they've already made, and like I've seen from other vendors (whether GUI or TUI), the interfaces IaaS/PaaS companies can build are really slick. Looks like they'll be able to cut down quite a bit on the dashboard fatigue/complexity people are wrangling.

> I use a JWT proxy + ghostunnel within GKE with a VIP so it's not quite their reference setup but it's extremely "just works" outside GKE being weird and eating its own routes.

Interesting, so JWT proxy (or any other auth mechanism that is viable over HTTPS) -> ghostunnel machine w/ public VIP -> target machine? Or ghostunnel directly running on the target machine which holds the public VIP? Or does the JWT proxy take the public IP and the ghostunnel machine keep the private VIP?

Apologies, I just want to be able to picture your solution clearly.

> BTW, side-note but try out ghostunnel over stunnel! I've really enjoyed using it and it's been fantastic to debug and work with.

Thanks for the recommendation of ghostunnel, will use it in the future over stunnel next time I hack together something like this.

BTW: super side note, the Breath of Fire III avatar was a blast from the past; I instantly recognized it.

1 comment

Haha, I've used Garr as an avatar for a super long time now!

> Interesting, so JWT proxy (or any other auth mechanism that is viable over HTTPS) -> ghostunnel machine w/ public VIP -> target machine? Or ghostunnel directly running on the target machine which holds the public VIP? Or does the JWT proxy take the public IP and the ghostunnel machine keep the private VIP?

The JWT proxy takes in the IAP JWT; they give you the audience and it's just parsed. This lives in the same pod as ghostunnel. ghostunnel goes through a NAT to a public dest, where ghostunnel is _also_ running. It has extremely strict TLS requirements (forced valid CN to be sent/accepted, strict DNS, along with a single-purpose CA, cert, and key).

It's like

IAP =inside-gcp=> (JWT proxy -> ghostunnel) =public=> (ghostunnel -> thing)

There's a more modern way to do this, but this works really well, gives absolutely fantastic introspection, is super easy to use as a public proxy, and allows you to only use minimal APIs in GCP (IAP + GKE; you don't need GKE, but you also don't wanna manage all the things it does for you with annotations. :D)
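As an added example (not the commenters' code or Google's), this is the set of claim checks a JWT proxy in that pod applies to the IAP token before handing the connection to ghostunnel: pin the algorithm, verify the signature, and require the expected issuer, audience and a live expiry. IAP signs with ES256 and publishes its public keys; here an HS256 shared secret stands in so the script runs on the standard library alone, and the audience string and secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

IAP_ISSUER = "https://cloud.google.com/iap"
# Constructed placeholders: the real aud comes from the IAP console; HS256 stands in for IAP's ES256.
EXPECTED_AUD = "/projects/000000000000/global/backendServices/0000000000000000000"
SECRET = b"constructed-demo-secret-not-a-real-iap-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Stand-in for IAP: emit a signed token carrying `claims`."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_iap_token(token: str, expected_aud: str = EXPECTED_AUD,
                     secret: bytes = SECRET, now: float = None) -> dict:
    """Return the claims only if alg, signature, iss, aud and exp all check out."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not 3 segments
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":  # pin alg; reject "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != IAP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_aud:  # a token minted for another backend must not pass
        raise ValueError("wrong audience")
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    tok = mint_token({"iss": IAP_ISSUER, "aud": EXPECTED_AUD, "exp": int(time.time()) + 600})
    print("accepted:", verify_iap_token(tok))
```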

Ahhh, thank you for the detail, I understand the setup now -- I hadn't taken into account the IAP (intra-GCP) bit!