Skip to content
This repository has been archived by the owner on Jun 24, 2024. It is now read-only.
/ heimdall-oss Public archive

Open source example of how to authenticate IAP requests in Kubernetes

2 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

AsimovBio/heimdall-oss

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
k8s
k8s
 
 
src
src
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
log4j2.xml
log4j2.xml
 
 
pom.xml
pom.xml
 
 

Repository files navigation

Heimdall

Heimdall is a simple gateway for authenticating requests that should come from our IAP-enabled load balancer.

It rejects any request which does not have the expected IAP headers, and performs the work of verifying that those headers are signed by Google.

For some background on using this tool with Ambassador and IAP, check out our blog post.

Dependencies

  • Java 10
  • Maven

Building

`mvn package`
`docker build -t heimdall:1.0 .`
`docker push`

Runtime Pre-requisites

  • Google Cloud Account
  • Kubernetes Cluster
  • Ambassador installed on cluster
  • IAP-secured Ingress
  • Load balancer health check set to '/load-balancer-health' (and some default backend supplying 200 OK at this route)

Deployment

  • Update k8s/deployment.yaml with your audience and the location of your built image.
    • For more information about your audience, see this page.
  • kubectl apply -f k8s

Ambassador should start routing requests here before forwarding them to your backend services. You can test this by port-forwarding ambassador, and then making a request without a token. For example:

kubectl port-forward <ambassador-pod> 8080:80&

curl -i localhost:8080/load-balancer-health
=> 200 OK
curl -i localhost:8080/heimdall-health
=> 200 OK
curl -i localhost:8080/service-route
=> HTTP 403 forbidden, as there's no token

Health Checks

Health checks for this service appear somewhat complicated. I'll try to clarify here:

  1. The health check for the service itself is at "/hemidall-health". It's unlikely any inbound requests are expected to be routed to a service with that resource.
  2. The "/load-balancer-health" HTTP resource on port 8080 exists for the purposes of Google Cloud's health checks on the load balancer that fronts our ingress. Some notes:
    1. We add this handler first because we don't expect to auth the request with a token
    2. This route is explicitly handled by a backend so that it returns 200 OK.
    3. That route has to be configured in the cloud health checks console. It defaults to "/", which we cannot use for health checks because Heimdall would not be able to differentiate that from a request to "/" for any other host. Nobody should try to utilize that route in their services.

TODO

  • This will probably eventually want an autoscaling deployment.
  • We could publicly host an image.

About

Open source example of how to authenticate IAP requests in Kubernetes

Resources

Readme
Activity
Custom properties

Stars

2 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages