This directory contains the sample code used in the tutorial "Authenticating end users of Cloud Run for Anthos services using Istio and Identity Platform". The tutorial demonstrates how to authenticate end users to applications deployed to Cloud Run for Anthos using Istio authentication policies and Identity Platform.
Follow the steps below to create the GCP resources used in the tutorial.
- Open Cloud Shell.
- Define environment variables for the GKE cluster name and Compute Engine zone:

  ```shell
  CLUSTER=cloud-run-gke-auth-tutorial
  ZONE=us-central1-c
  ```
- Create a GKE cluster with the Cloud Run add-on:

  ```shell
  gcloud beta container clusters create $CLUSTER \
      --addons HorizontalPodAutoscaling,HttpLoadBalancing,CloudRun \
      --enable-ip-alias \
      --enable-stackdriver-kubernetes \
      --machine-type n1-standard-2 \
      --zone $ZONE
  ```
- Go to the Identity Platform Marketplace page.
- Turn on Identity Platform by clicking Enable Identity Platform.
- Click the Application setup details link on the Identity Platform > Providers page.
- In Cloud Shell, define environment variables for the Identity Platform credentials shown in the Configure your application popup:

  ```shell
  export AUTH_APIKEY=[your Identity Platform apiKey]
  export AUTH_DOMAIN=[your Identity Platform authDomain]
  ```
- Substitute the Identity Platform credentials in the frontend JavaScript file:

  ```shell
  envsubst < frontend/index.template.js > frontend/index.js
  ```

  (If you are not using Cloud Shell, install `envsubst`.)
- Use Cloud Build to create container images for the sample application frontend and backend and store them in Container Registry:

  ```shell
  gcloud builds submit frontend \
      -t gcr.io/$GOOGLE_CLOUD_PROJECT/cloud-run-gke-auth-frontend

  gcloud builds submit backend \
      -t gcr.io/$GOOGLE_CLOUD_PROJECT/cloud-run-gke-auth-backend
  ```
- Create two namespaces called `public` and `api`:

  ```shell
  kubectl create namespace public
  kubectl create namespace api
  ```
- Deploy the frontend container image to Cloud Run on GKE as a service in the `public` namespace:

  ```shell
  gcloud run deploy frontend \
      --namespace public \
      --image gcr.io/$GOOGLE_CLOUD_PROJECT/cloud-run-gke-auth-frontend \
      --platform gke \
      --cluster $CLUSTER \
      --cluster-location $ZONE
  ```
- Deploy the backend container image to Cloud Run on GKE as a service in the `api` namespace:

  ```shell
  gcloud run deploy backend \
      --namespace api \
      --image gcr.io/$GOOGLE_CLOUD_PROJECT/cloud-run-gke-auth-backend \
      --platform gke \
      --cluster $CLUSTER \
      --cluster-location $ZONE
  ```
- Create an Istio virtual service that routes requests by URI path:

  ```shell
  kubectl apply -f istio/virtualservice.yaml
  ```
- Create an Istio authentication policy:

  ```shell
  envsubst < istio/authenticationpolicy.template.yaml | \
      kubectl apply -f -
  ```
- Follow the steps in the tutorial to create a test user and verify the solution.
- Delete the container images from Container Registry:

  ```shell
  # Delete every digest of the backend image.
  gcloud container images list-tags \
      gcr.io/$GOOGLE_CLOUD_PROJECT/cloud-run-gke-auth-backend \
      --format 'value(digest)' | \
      xargs -I {} gcloud container images delete \
      --force-delete-tags --quiet \
      gcr.io/$GOOGLE_CLOUD_PROJECT/cloud-run-gke-auth-backend@sha256:{}

  # Delete every digest of the frontend image.
  gcloud container images list-tags \
      gcr.io/$GOOGLE_CLOUD_PROJECT/cloud-run-gke-auth-frontend \
      --format 'value(digest)' | \
      xargs -I {} gcloud container images delete \
      --force-delete-tags --quiet \
      gcr.io/$GOOGLE_CLOUD_PROJECT/cloud-run-gke-auth-frontend@sha256:{}
  ```
- Delete the GKE cluster:

  ```shell
  gcloud container clusters delete $CLUSTER --zone $ZONE --async --quiet
  ```

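
The two `envsubst` steps above render the frontend file and the Istio authentication policy from environment variables, and `envsubst` replaces any variable that is unset or not exported with an empty string without reporting an error. The following guard is an added example, not part of this repository: it refuses to render a template until every variable the template references is exported and non-empty. The function names and the sample template are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: guard for the envsubst steps. Function names are hypothetical.

# Print the variables a template references ($NAME or ${NAME}) that are not
# exported or are empty. envsubst only sees exported variables, so a plain
# shell assignment without export still counts as missing.
missing_template_vars() {
  _missing=""
  for _name in $(grep -oE '\$\{?[A-Za-z_][A-Za-z0-9_]*\}?' "$1" | tr -d '${}' | sort -u); do
    if ! env | grep -q "^${_name}=."; then
      _missing="${_missing:+$_missing }$_name"
    fi
  done
  echo "$_missing"
}

# Render a template to stdout, or fail with no output if anything is missing,
# so an incomplete policy is never piped into kubectl apply.
render_template() {
  _unset=$(missing_template_vars "$1")
  if [ -n "$_unset" ]; then
    echo "refusing to render $1: not exported or empty: $_unset" >&2
    return 1
  fi
  envsubst < "$1"
}

# Constructed sample template (not the repository's file) for trying the guard.
write_sample_template() {
  cat > "$1" <<'EOF'
issuer: "https://securetoken.google.com/${GOOGLE_CLOUD_PROJECT}"
apiKey: "$AUTH_APIKEY"
authDomain: "${AUTH_DOMAIN}"
EOF
}
```

When piping `render_template` into `kubectl apply -f -`, enable `set -o pipefail` in bash so that a refused render fails the whole pipeline.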
This is not an officially supported Google product.