Identity Aware Proxy (IAP)

To run Estafette CI at your company you probably want to keep the web interface private and accessible only to your employees. If you're on Google Cloud, one way to do that is to run it behind Identity Aware Proxy (IAP). Access is then granted based on the user's identity, instead of relying on a less secure or less convenient option such as a VPN.

Creating OAuth credentials

You might have already followed the instructions on how to set up Google login; if not, do that first. Once done, go back to the credentials page in the Google Cloud Console.

There you have to add an additional Authorized redirect URI of the form:

https://iap.googleapis.com/v1/oauth/clientIds/<client id>:handleRedirect

Where you'll use the Client ID visible on the same page for the value of <client id>.

Configure Helm values

Enable IAP for both the API and the web frontend. They share the OAuth client created above, but each component has its own iap block in the values file (the original snippet listed api twice, which in YAML silently overwrites the first key):

api:
  iap:
    enabled: true
    clientId: '***.apps.googleusercontent.com'
    clientSecret: '***'
web:
  iap:
    enabled: true
    clientId: '***.apps.googleusercontent.com'
    clientSecret: '***'

Keep the clientSecret out of values files that are committed to source control; pass it from a separate, secret-managed values file or via --set at deploy time.

Permissions for IAP

After applying the new values you'll have to set up the access rule for the Identity Aware Proxy. You can do so in the Google Cloud Console at https://console.cloud.google.com/security/iap.

First select the estafette-ci/estafette-ci-api backend service and click Add principal in the right info pane. You want to add either your organization or groups, rather than individuals to automatically have new joiners be able to access the system. Add them in the new principals field and then select role Cloud IAP > IAP-Secured Web App User. Repeat this for the estafette-ci/estafette-ci-web backend service. Now it's a matter of minutes before the base host address of the Estafette CI installation is accessible through IAP.

Cockroachdb Admin UI

To access the CockroachDB admin interface you might want to set up IAP as well. It is best to create a dedicated set of OAuth credentials for this, because the admin interface is served on a different host and a more restricted audience should be able to connect to it through IAP.

Create the credentials at https://console.cloud.google.com/apis/credentials?project=<gcp project id> and click Create credentials and select OAuth client ID. Fill in the form with the following values:

  • Application Type - Web application
  • Name - hostname for cockroachdb admin interface, for example cockroachdb-estafette.mydomain.com
  • Authorized Javascript origins, for example https://cockroachdb-estafette.mydomain.com

Once created it has a Client ID; edit the credential and add

  • Authorized redirect URI - https://iap.googleapis.com/v1/oauth/clientIds/<client id>:handleRedirect

With this in place you can update the values for the Helm chart:

db:
  ingress:
    enabled: true
    annotations: {}
      # cert-manager.io/cluster-issuer: nameOfClusterIssuer
    paths: ['/*']
    hosts:
    - cockroachdb-estafette.mydomain.com
    tls:
    - hosts: [cockroachdb-estafette.mydomain.com]
      secretName: estafette-ci-db.tls
  iap:
    enabled: true
    clientId: '***.apps.googleusercontent.com'
    clientSecret: '***'

You'll have to specify the correct annotation depending on which certificate provisioning method you are using.

After applying the changes you'll have to go into the IAP console page and set permissions for backend service estafette-ci/estafette-ci-db-public.
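The console steps above for the two Estafette CI backend services and for estafette-ci/estafette-ci-db-public can be scripted. The following is an added example, not part of the Estafette CI documentation or chart: it grants the IAP-Secured Web App User role (roles/iap.httpsResourceAccessor) with gcloud and refuses individual principals so that access stays tied to group membership. It assumes the project id my-gcp-project, the groups engineering@mydomain.com and dba@mydomain.com, and that the GKE Ingress controller writes the Kubernetes namespace/service name into the description of the backend service it creates (that is how the k8s1-... backend name is looked up here). By default it only prints the commands; set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example (not from the Estafette CI docs): grant IAP access per backend
# service with gcloud. Project id, group names and the description-based lookup
# of the backend service name are assumptions for this example.
set -eu

PROJECT="${PROJECT:-my-gcp-project}"   # assumed GCP project id
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the commands, 0 = run them

# Map the label shown in the IAP console (namespace/service) to the GCE backend
# service name. Assumes the GKE-created description contains that label.
resolve_backend() {
  k8s_service="$1"
  gcloud compute backend-services list --project "$PROJECT" --global \
    --filter="description~'${k8s_service}'" --format='value(name)'
}

# Build the binding command. "IAP-Secured Web App User" in the console is
# roles/iap.httpsResourceAccessor on the command line.
binding_cmd() {
  backend="$1"
  member="$2"
  printf 'gcloud iap web add-iam-policy-binding --project=%s --resource-type=backend-services --service=%s --member=%s --role=roles/iap.httpsResourceAccessor' \
    "$PROJECT" "$backend" "$member"
}

# Accept only a Google group or a whole domain: new joiners should get access
# through membership, not by editing the IAP policy per person.
principal_ok() {
  case "$1" in
    group:*@*|domain:*) return 0 ;;
    *) return 1 ;;
  esac
}

# grant_iap_access MEMBER namespace/service [namespace/service ...]
grant_iap_access() {
  member="$1"
  shift
  principal_ok "$member" || { echo "refusing non-group principal: $member" >&2; return 1; }
  for svc in "$@"; do
    if [ "$DRY_RUN" = 1 ]; then
      backend="<backend-service-for-${svc}>"
    else
      backend="$(resolve_backend "$svc")"
      [ -n "$backend" ] || { echo "no backend service found for $svc" >&2; return 1; }
    fi
    cmd="$(binding_cmd "$backend" "$member")"
    echo "$cmd"
    [ "$DRY_RUN" = 1 ] || eval "$cmd"
  done
}

# The CI services get the broad engineering group; the CockroachDB admin UI is a
# separate, narrower audience, matching its dedicated OAuth client.
main() {
  grant_iap_access "group:engineering@mydomain.com" \
    estafette-ci/estafette-ci-api estafette-ci/estafette-ci-web
  grant_iap_access "group:dba@mydomain.com" estafette-ci/estafette-ci-db-public
}

main
```

Run it once with the default DRY_RUN=1 to review the three bindings, then with DRY_RUN=0 once the ingress has been reconciled, since the backend services only exist after the load balancer has been created.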

Note

One outstanding issue with the CockroachDB Helm chart used here is that it sets the wrong pathType in the ingress object: it uses Prefix, while the Google Cloud Ingress controller only understands pathType: ImplementationSpecific. This will be resolved by issue https://github.com/cockroachdb/helm-charts/issues/170, once the associated pull request is merged and published.