This page describes the process for deploying an additional on-premises
IAP connector to an existing Google Kubernetes Engine (GKE)
cluster in a production environment. You should already be familiar with tools
Google Cloud SDK
kubectl, and Helm.
For a quick overview of deploying an on-premises IAP connector for the first time, see Enabling IAP for on-premises apps.
Before you begin
Make sure you're prepared for the deployment with:
- Existing GKE cluster
- The cluster should be set up to use VPC-Native (IP Aliases). The VPC it's in should have internet access via a route in the VPC (NAT gateway or otherwise).
- For GKE clusters to serve multiple IAP connector instances from a single cluster, they should be configured to autoscale, along with the pods servicing individual applications.
- Firewall rule permitting traffic from GKE cluster (node/pod) to backend/on-premise instance
- Google-managed SSL certificate and static external IP
- Helm (version 2.0.0 or later) package manager installed on your local client machine
- Cloud NAT configured on subnet to retrieve Ambassador images
- Number of global load balancers increased to accommodate the TLS certificate limits described for target pools and target proxies
Configuring and deploying with Helm
Begin by cloning this GitHub repository.
Configure the Helm chart
values_example.yamlfound in the
iap-connector/terraform-and-helm/iap-connector/helm/valuesdirectory where you cloned the repo.
This chart shows how to deploy two applications via two Ambassador proxies to the cluster sharing a single global load balancer proxy. The proxy has two certificates bound to it, one for each app. This example file can be customized to support up to the limit of the single ingress proxy.
Once the YAML file is configured, save it as
Grant Helm permission to install into the GKE cluster.
kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user system:serviceaccount:kube-system:default
Install the Helm chart to create the global load balancer, the ingress service in GKE and the backend services as defined in the YAML file.
helm install --name my-release ./iap-connector -f values.yaml
Configuring an HTTP backend application
By default, Ambassador deploys with HTTPS to the targeted resource, but you might prefer an HTTP backend. To change your deployment to HTTP, do the following:
Find the service that you want to edit.
kubectl get services
Edit the service by copying the service name from the previous command.
kubectl edit service <serviceName>
Find the line that begins with
serviceand change the protocol from
httpand the port number to
Remove the line that specifies TLS.