This document describes how you deploy Apache Guacamole on GKE and Cloud SQL.
These instructions are intended for server administrators and engineers who want to host Guacamole on GKE and Cloud SQL. The document assumes you are familiar with deploying workloads to Kubernetes and Cloud SQL for MySQL. We recommend that you be familiar with Identity and Access Management and Google Compute Engine as well.
Architecture
The following diagram shows how a Google Cloud load balancer is configured with IAP, to protect an instance of the Guacamole client running in GKE:
The Guacamole client connects to the guacd backend service, which brokers remote desktop connections to one or more Compute Engine VMs. The scripts also deploy a Cloud SQL instance to manage configuration data for Guacamole.
For details, see Apache Guacamole on GKE and Cloud SQL.
Objectives
- Deploy the infrastructure by using Terraform.
- Create a Guacamole database in Cloud SQL.
- Deploy Guacamole to a GKE Cluster by using Skaffold.
- Test a connection to a VM through Guacamole.
Costs
In this document, you use the following billable components of Google Cloud:
To generate a cost estimate based on your projected usage,
use the pricing calculator.
When you finish the tasks that are described in this document, you can avoid continued billing by deleting the resources that you created. For more information, see Clean up.
Before you begin
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Resource Manager, Service Usage, Artifact Registry, and Compute Engine APIs.
-
In the Google Cloud console, activate Cloud Shell.
Deploy the infrastructure
In this section, you use Terraform to deploy the following resources:
- Virtual Private Cloud
- A firewall rule
- A GKE cluster
- An Artifact Registry repository
- Cloud SQL for MySQL
- A VM for managing the MySQL database
- Service accounts
The Terraform configuration also enables the use of IAP in your project.
In Cloud Shell, clone the GitHub repository:
git clone https://github.com/GoogleCloudPlatform/guacamole-on-gcp.git
Deploy the required infrastructure by using Terraform:
cd guacamole-on-gcp/tf-infra unset GOOGLE_CLOUD_QUOTA_PROJECT terraform init -upgrade terraform apply
Follow the instructions to enter your Google Cloud project ID.
To approve Terraform's request to deploy resources to your project, enter
yes
.Deploying all resources takes several minutes to complete.
Deploy the Guacamole database
In this section, you create the Guacamole database and tables in Cloud SQL for MySQL, and populate the database with the administrator user information.
In Cloud Shell, set environment variables and find the database root password:
cd .. source bin/read-tf-output.sh
Make a note of the database root password; you need it in the following steps.
The script reads output variables from the Terraform run and sets the following environment variables, which are used throughout this procedure:
CLOUD_SQL_INSTANCE ZONE REGION DB_MGMT_VM PROJECT_ID GKE_CLUSTER GUACAMOLE_URL SUBNET
Copy the
create-schema.sql
andinsert-admin-user.sql
script files to the database management VM, and then connect to the VM:gcloud compute scp \ --tunnel-through-iap \ --zone=$ZONE \ create-schema.sql \ insert-admin-user.sql \ $DB_MGMT_VM: gcloud compute ssh $DB_MGMT_VM \ --zone=$ZONE \ --tunnel-through-iap
A console session to the Database Management VM through Cloud Shell is now established.
Install MySQL client tools:
sudo apt-get update sudo apt-get install -y mariadb-client
Connect to Cloud SQL and create the database. When prompted for a password, use the root password you noted earlier in this section.
export CLOUD_SQL_PRIVATE_IP=$(curl http://metadata.google.internal/computeMetadata/v1/instance/attributes/cloud_sql_ip -H "Metadata-Flavor: Google") mysql -h $CLOUD_SQL_PRIVATE_IP -u root -p
Grant the database user permissions over the newly created database:
CREATE DATABASE guacamole; USE guacamole; GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole.* TO 'guac-db-user'; FLUSH PRIVILEGES; SOURCE create-schema.sql; SOURCE insert-admin-user.sql; quit
After the MySQL commands finish running, exit the VM SSH session:
exit
Deploy Guacamole to GKE by using Skaffold
In this section, you deploy the Guacamole application to the GKE cluster, by using Skaffold. Skaffold handles the workflow for building, pushing, and deploying the Guacamole images to the GKE clusters.
In Cloud Shell, deploy the GKE configuration by using terraform:
cd tf-k8s terraform init -upgrade terraform apply -parallelism=1
Get credentials for the GKE cluster:
gcloud container clusters get-credentials \ --region $REGION $GKE_CLUSTER
Run Skaffold from the root of the cloned git repository:
cd .. skaffold --default-repo $REGION-docker.pkg.dev/$PROJECT_ID/guac-repo run
The Skaffold tool builds container images for Guacamole through Google Cloud Build (the command line includes a flag that specifies which repository to push the images to). The tool also runs a kustomize step to generate Kubernetes ConfigMaps and Secrets based on the output of the Terraform run.
Verify that the certificate was provisioned:
kubectl get -w managedcertificates/guacamole-client-cert \ -n guacamole \ -o jsonpath="{.spec.domains[0]} is {.status.domainStatus[0].status}"
Provisioning the certificate can take up to 60 minutes to complete.
Once the certificate is provisioned, you can visit your URL in a browser.
View the URL from the terraform output:
echo $GUACAMOLE_URL
In a browser window, enter the URL that you got in the previous step.
When IAP prompts you, sign in with your Google credentials.
After you sign in, you are logged into Guacamole with administrative privileges, based on the
insert-admin-user.sql
script you ran previously in this procedure.
You can now add additional users based on their email address through the
Guacamole user interface. For details, see
Administration in the Guacamole documentation.
These additional users also require permissions through Google
IAM, with the IAP-secured Web App User
role.
Test a connection to a VM
After you deploy, configure, and successfully sign in to Guacamole, you can create a Windows VM and connect to the newly created VM through Guacamole.
Create a VM
In Cloud Shell, create a Windows VM to test connections to:
export TEST_VM=windows-vm gcloud compute instances create $TEST_VM \ --project=$PROJECT_ID \ --zone=$ZONE \ --machine-type=n1-standard-1 \ --subnet=$SUBNET \ --no-address \ --image-family=windows-2019 \ --image-project=windows-cloud \ --boot-disk-size=50GB \ --boot-disk-type=pd-standard \ —-shielded-secure-boot
After running the command, you may need to wait a few minutes for Windows to finish initializing, before you proceed to the next step.
Reset the Windows password for the VM you just created:
gcloud compute reset-windows-password $TEST_VM \ --user=admin \ --zone=$ZONE
Add a new connection to the VM
- In a browser window, enter the Guacamole instance URL from Deploy Guacamole to GKE using Skaffold, and then sign in through IAP.
- In the Guacamole UI, click your username, and then click Settings.
- Under the Connections tab, click New Connection.
- In the Name field, enter a name for the connection.
- In the Location field, enter the location for the connection.
- From the Protocol drop-down list, select RDP.
Under Network, in the Hostname field, enter the name of the VM you created,
windows-vm
.Your project DNS resolves this hostname to the instance's internal IP address.
In the Authentication section, set the following fields:
- Username:
admin
- Password: the password you got when you reset the password for the VM
- Security mode:
NLA
(Network Level Authentication) Ignore server certificate: select the checkbox
Compute Engine Windows VMs are provisioned with a self-signed certificate for Remote Desktop Services, so you need to instruct Guacamole to ignore certificate validation issues.
- Username:
Click Save.
Click your username, and select Home.
Click the connection you just created to test connectivity. After a few seconds, you should see the desktop of the VM instance.
For more details on configuring Guacamole, see the Apache Guacamole Manual.
Clean up
To avoid incurring charges to your Google Cloud account for the resources used in this procedure, either delete the project that contains the resources, or keep the project and delete the individual resources.
Delete the project
- In the Google Cloud console, go to the Manage resources page.
- In the project list, select the project that you want to delete, and then click Delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.
Delete the new resources
As an alternative to deleting the entire project, you can delete the individual resources created during this procedure. Note that the OAuth Consent Screen configuration cannot be removed from a project, only modified.
In Cloud Shell, use terraform to delete the resources:
cd ~/guacamole-on-gcp/tf-k8s terraform destroy cd ~/guacamole-on-gcp/tf-infra terraform destroy gcloud compute instances delete $TEST_VM –-zone=$ZONE
What's next
- Review the GKE guidance on Hardening your cluster's security.
- Review Encrypt secrets at the application layer to learn how to boost security for secrets, such as database credentials and OAuth credentials.
- Review IAM Conditions to learn how to provide more granular control over user access to Guacamole.
- Understand more about how IAP integration works by reviewing the custom authentication provider in the GitHub repository.
- For more reference architectures, diagrams, and best practices, explore the Cloud Architecture Center.