Deploying another IAP connector to an existing GKE cluster

This page describes how to deploy an additional on-premises IAP connector to an existing Google Kubernetes Engine (GKE) cluster in a production environment. You should already be familiar with the Google Cloud SDK, kubectl, and Helm.

For a quick overview of deploying an on-premises IAP connector for the first time, see Enabling IAP for on-premises apps.

Before you begin

Make sure you're prepared for the deployment with:

  • Existing GKE cluster
    • The cluster should be set up to use VPC-Native (IP Aliases). The VPC it's in should have internet access via a route in the VPC (NAT gateway or otherwise).
    • To serve multiple IAP connector instances from a single cluster, configure the cluster to autoscale, and configure autoscaling for the pods that serve each application as well.
  • Firewall rule permitting traffic from the GKE cluster (nodes and pods) to the backend (on-premises) instances
  • Google-managed SSL certificate and static external IP
  • Helm 2 (version 2.0.0 or later) package manager installed on your local client machine; the helm init and helm install --name commands below are Helm 2 syntax
  • Cloud NAT configured on the cluster's subnet so that nodes can pull the Ambassador images
  • Global load balancer quota increased to accommodate the TLS certificate limits described for target pools and target proxies

Configuring and deploying with Helm

  1. Begin by cloning this GitHub repository.

  2. Configure the Helm chart values_example.yaml found in the iap-connector/terraform-and-helm/iap-connector/helm/values directory where you cloned the repo.

    This example deploys two applications via two Ambassador proxies to the cluster, sharing a single global load balancer proxy. The proxy has two certificates bound to it, one for each app. You can extend the example file with more applications, up to the certificate limit of a single target proxy.

    Once the YAML file is configured, save it as values.yaml.

  3. Initialize Helm.

    helm init
  4. Grant Helm permission to install into the GKE cluster. This binds cluster-admin to the default service account in kube-system, which Tiller (Helm 2's in-cluster component) runs under; that is a broad grant, so review it against your cluster's access policy.

    kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin \
      --user system:serviceaccount:kube-system:default
  5. Install the Helm chart to create the global load balancer, the ingress service in GKE and the backend services as defined in the YAML file.

    helm install --name my-release ./iap-connector -f values.yaml
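The Helm steps above, combined into one repeatable script. This is an added example, not code from this page or from the iap-connector project, and it departs from the steps in two places: Tiller runs under a dedicated tiller service account rather than kube-system's default account (so cluster-admin is not handed to every kube-system pod that lacks an explicit account), and the cluster is checked to be VPC-native and Helm to be version 2 before anything is installed. The cluster name, location, and release name are placeholders; the chart path ./iap-connector and values.yaml are the ones used in the steps.

```shell
#!/bin/sh
# Added example (not code from the page or the iap-connector project):
# the Helm 2 procedure as one script, with a dedicated Tiller service
# account and two preflight checks. Cluster, location and release names
# are placeholders (assumptions).
set -eu

# Extract the major version from "helm version --client --short" output,
# e.g. "Client: v2.16.1+gbbdfe5e" -> 2
helm_major() {
  printf '%s\n' "$1" | sed -n 's/.*v\([0-9][0-9]*\)\.[0-9].*/\1/p' | head -n 1
}

# ServiceAccount for Tiller plus its binding. Tiller still needs
# cluster-admin to install a chart that creates cluster-scoped objects;
# the change is only which identity holds that role.
tiller_rbac_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: kube-system
EOF
}

# True when the cluster uses IP aliases (VPC-native), as required above.
# $1 = cluster name, $2 = --zone=ZONE or --region=REGION
cluster_is_vpc_native() {
  [ "$(gcloud container clusters describe "$1" "$2" \
        --format='value(ipAllocationPolicy.useIpAliases)')" = "True" ]
}

# deploy CLUSTER LOCATION RELEASE VALUES_FILE
deploy() {
  cluster="$1"; location="$2"; release="$3"; values="$4"
  major="$(helm_major "$(helm version --client --short)")"
  [ "$major" = "2" ] || { echo "this procedure targets Helm 2 (found major $major)" >&2; return 1; }
  cluster_is_vpc_native "$cluster" "$location" || { echo "cluster $cluster is not VPC-native" >&2; return 1; }
  tiller_rbac_manifest | kubectl apply -f -
  # Helm 2: install Tiller under the dedicated account and wait for it
  helm init --service-account tiller --wait
  helm install --name "$release" ./iap-connector -f "$values"
}

# Usage: sh deploy.sh deploy my-cluster --region=us-central1 my-release values.yaml
if [ "${1:-}" = "deploy" ]; then
  shift
  deploy "$@"
fi
```

The script only talks to the cluster when invoked with the deploy subcommand; the manifest and version-parsing functions can be exercised on their own, which is how the binding can be reviewed before it is applied.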

Configuring an HTTP backend application

By default, the chart configures Ambassador to connect to the targeted backend over HTTPS, but you might prefer an HTTP backend. Note that with HTTP, traffic between the connector and the backend crosses the firewall rule described above in cleartext, so only do this on a network path you trust. To change your deployment to HTTP, do the following:

  1. Find the service that you want to edit.

    kubectl get services
  2. Edit the service by copying the service name from the previous command.

    kubectl edit service <serviceName>
  3. In the Ambassador Mapping configuration in the service's annotations, find the line that begins with service and change the protocol from https to http and the port number to 80.

  4. Remove the tls line that enables TLS to the backend, then save and exit the editor.
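The same change made non-interactively, so it can be reviewed and repeated instead of typed into kubectl edit. This is an added example, not code from the page or the iap-connector project. It assumes the Mapping is stored in the service's getambassador.io/config annotation (Ambassador's annotation-based configuration) and uses the service: and tls: keys named in the steps above; the sample annotation value is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): switch an Ambassador Mapping
# from an HTTPS upstream to an HTTP upstream without opening an editor.
# Assumes the Mapping lives in the service's getambassador.io/config
# annotation and uses the "service:" and "tls:" keys from the steps above.
set -eu

# Rewrite a Mapping document read on stdin:
#   service: https://HOST[:443]  ->  service: http://HOST:80
#   tls: ...                     ->  (line removed)
# An upstream on a non-default port (e.g. https://HOST:8443) is left
# untouched rather than silently remapped.
ambassador_mapping_to_http() {
  sed \
    -e 's#^\([[:space:]]*service:[[:space:]]*\)https://\([^:[:space:]]*\)\(:443\)\{0,1\}[[:space:]]*$#\1http://\2:80#' \
    -e '/^[[:space:]]*tls:/d'
}

# Fetch the annotation, rewrite it and write it back. Needs kubectl
# access to the cluster; only runs when invoked with --apply.
set_http_backend() {
  svc="$1"
  current="$(kubectl get service "$svc" \
    -o jsonpath='{.metadata.annotations.getambassador\.io/config}')"
  updated="$(printf '%s\n' "$current" | ambassador_mapping_to_http)"
  if [ "$current" = "$updated" ]; then
    echo "no HTTPS upstream on port 443 found in service $svc; nothing changed" >&2
    return 1
  fi
  # --overwrite replaces the existing annotation value
  kubectl annotate service "$svc" --overwrite "getambassador.io/config=$updated"
}

# Constructed sample annotation value (not taken from the page), used to
# exercise the rewrite offline.
SAMPLE_MAPPING='---
apiVersion: ambassador/v1
kind: Mapping
name: app1_mapping
prefix: /
service: https://app1.internal.example.com:443
tls: upstream'

sample_to_http() {
  printf '%s\n' "$SAMPLE_MAPPING" | ambassador_mapping_to_http
}

# Usage: sh http-backend.sh --apply SERVICE_NAME   (or no args to print the sample rewrite)
if [ "${1:-}" = "--apply" ]; then
  set_http_backend "$2"
else
  sample_to_http
fi
```

Because the rewrite refuses to touch an upstream on a port other than 443, a service that was deliberately pointed at a non-default HTTPS port fails closed with "nothing changed" rather than being downgraded to cleartext by accident.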