
I have an application that has React in the front-end and a Node service in the back-end. The app is deployed in the GKE cluster. Both the apps are exposed as NodePort Services, and the fan-out ingress path is done as follows:

```yaml
- host: example.com
  http:
    paths:
    - backend:
        serviceName: frontend-service
        servicePort: 3000
      path: /*
    - backend:
        serviceName: backend-service
        servicePort: 5000
      path: /api/*
```

I have enabled authentication using IAP for both services. When enabling IAP for both the Kubernetes services, a new Client ID and Client Secret are created individually. But I need to provide authentication for the back-end API from the front-end; since they have 2 different accounts, it's not possible, i.e., when I call the back-end API service from the front-end, the authentication fails because the cookies provided from the FE do not match in the back-end service.

What is the best way to handle this scenario? Is there a way to use the same client credentials for both these services, and if so, is that the right way to do it, or is there a way to authenticate the REST API using IAP directly?

Ameena
  • Would having both Services use the same [BackendConfig](https://cloud.google.com/iap/docs/enabling-kubernetes-howto#add-iap-to-backendconfig) (and thus the same IAP client `secret`) be an option with your setup? – Arnau C. Mar 11 '21 at 16:16

1 Answer


If IAP is set up using BackendConfig, then you can have two separate BackendConfig objects for the frontend and backend applications, but both of them use the same secret (`secretName`) for `oauthclientCredentials`.

For frontend app

```yaml
apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
  name: frontend-iap-config
  namespace: namespace-1
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: common-iap-oauth-credentials
```

For backend app

```yaml
apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
  name: backend-iap-config
  namespace: namespace-1
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: common-iap-oauth-credentials
```

Then refer to these BackendConfigs from the respective Kubernetes Service objects.
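
The last step of the answer, written out as an added example that is not part of the original answer: the shared Secret and the two Services annotated with their BackendConfigs. Object names come from the question and answer; the pod labels are assumptions and the credential values are placeholders.

```yaml
# Added example. Names reuse the question's and answer's manifests; labels are assumed.
# One OAuth client shared by both backends. Placeholders only: supply the real
# values out of band instead of committing them to a repository.
apiVersion: v1
kind: Secret
metadata:
  name: common-iap-oauth-credentials
  namespace: namespace-1        # same namespace as the BackendConfigs
type: Opaque
stringData:
  client_id: "<OAUTH_CLIENT_ID>"
  client_secret: "<OAUTH_CLIENT_SECRET>"
---
apiVersion: v1
kind: Service
metadata:
  name: frontend-service
  namespace: namespace-1
  annotations:
    # Older GKE releases use the key beta.cloud.google.com/backend-config.
    cloud.google.com/backend-config: '{"default": "frontend-iap-config"}'
spec:
  type: NodePort
  selector:
    app: frontend               # assumed pod label
  ports:
  - port: 3000
    targetPort: 3000
---
apiVersion: v1
kind: Service
metadata:
  name: backend-service
  namespace: namespace-1
  annotations:
    cloud.google.com/backend-config: '{"default": "backend-iap-config"}'
spec:
  type: NodePort
  selector:
    app: backend                # assumed pod label
  ports:
  - port: 5000
    targetPort: 5000
```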