Setup Guide for Airbyte + GKE + Identity Aware Proxy

Summary

Request for a setup guide for Airbyte with GKE and Identity Aware Proxy; the asker is struggling to set up a basic ingress and access Airbyte via a public IP.


Question

Hey guys!

Could anyone please share a nice setup guide of
Airbyte + GKE + Identity Aware Proxy.

I’m at the point where I’m struggling to setup a basic ingress and access airbyte via public ip.

Thanks in advance!



This topic has been created from a Slack thread to give it more visibility. It will be in read-only mode here.


Hi!

Thank you so much for your assistance. It helped me to set up Airbyte. However, I seem to be having this issue in the console when using IAP. It resolves when I refresh the page and everything works fine.

Looks like a CORS issue. I’m a bit confused where to whitelist google.com in the CORS header. Is it possible at all? Maybe you’ve already solved this.

Thanks in advance.

So the short answer is . . . it’s complicated :joy:

We have this working (and it’s wonderful), but getting there is a little complex.

Here’s what we’re doing (just so you have a lay of the land, as there’s a lot of variation to different people’s setups and some are easier than others):

- Networking: Shared VPC from VPC host project
- GKE: Autopilot mode, private
- DB: Cloud SQL, also private
- Logs/state: Cloud Storage (GCS)
- LB: Native “Application (Classic)” HTTP/S LB, including HTTP->HTTPS redirect, modified backend timeout
- SSL: Google-issued (automated on LB)
- IP: Static reserved IP for inbound LB, static reserved IP for outbound (using Cloud NAT) to allow for IP-whitelisting with APIs
- Auth: IAP

I’ve toyed a LOT with trying to get Airbyte’s helm charts to deploy/re-deploy the load balancer correctly with only changes to values.yaml, but haven’t quite gotten there without some intervention still needed.

So my recommendation is to not try to fight it—and instead just do the minimum you need to make it break a manually configured LB. That’s most likely just disabling the ingress section of the chart and making your load balancer yourself.

Note that depending on your setup, you may not be able to directly point the LB to the pods you want (called “container-native load balancing”). For example, it’s disabled by default for us because we use a Shared VPC. In these cases, you need to make sure that this annotation is present in values.yaml:

```yaml
webapp:
  service:
    annotations:
      cloud.google.com/neg: '{"ingress": true}'
```

. . . which should allow you to point traffic at the service you want. From there you can either set the ingress up for the cluster (from the Services list in GKE, check the box for `*-airbyte-webapp-svc` and then click Create Ingress). Or if you want the LB to live outside of the cluster (which makes it less prone to being nuked when you're fiddling with your deployment), you can create it independently under Network Services > Load Balancers in GCP. There are trade-offs from a visibility/management standpoint, so choose your poison :slightly_smiling_face:

*So, that's probably the easy way.*

But, if you don't want to listen to me (I wouldn't, because I'm a glutton for punishment), you would need to figure out some combination of annotations on the service and ingress to make everything play nice together. Here's part of the config I've been playing with, in case it helps.

`values.yaml`:

```yaml
webapp:
  service:
    annotations:
      # Note: you'd need to create this BackendConfig via kubectl before deploying. example below
      cloud.google.com/backend-config: '{"default": "your-custom-backend-config"}'
      cloud.google.com/neg: '{"ingress": true}'
  ingress:
    enabled: true
    annotations:
      # Note: different values here trigger different LB types
      kubernetes.io/ingress.class: gce
      kubernetes.io/ingress.global-static-ip-name: your-static-reserved-ingress-ip
      networking.gke.io/managed-certificates: your-generated-cert-if-you-already-created-it
      # Note: provisioning the cert takes a long time, so I wanted to pre-provision it and pass the CertMap but haven't been able to get it to work right
      # networking.gke.io/certmap: your-cert-map
      # Note: I only do this to configure the HTTP->HTTPS redirect
      networking.gke.io/v1beta1.FrontendConfig: your-custom-frontend-config
    hosts:
      - host: your-hostname.example.com
        paths:
          - path: /*
            pathType: ImplementationSpecific
```

`your-custom-backend-config.yaml`:

```yaml
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: your-custom-backend-config
spec:
  timeoutSec: 600
  iap:
    enabled: true
    oauthclientCredentials:
      # you'd create this like any other secret, and it's based on your OAuth config
      secretName: your-iap-secret
```

`your-custom-frontend-config.yaml`:

```yaml
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: your-custom-frontend-config
spec:
  redirectToHttps:
    enabled: true
    responseCodeName: MOVED_PERMANENTLY_DEFAULT
```

That gets it painfully close to working right, but cert provisioning is slow (and while that's happening you can't connect), and IAP likes to toggle off sometimes during upgrades/re-deploys. It also seems to try to auto-link a second set of backend endpoint groups, which conflict with the specified NEGs and you have to manually remove them and reset the defaults.

Google has added a lot more annotations (some of which might help here), but I haven't been able to spend a lot of time fiddling with it again.

If you come up with anything to make it smoother, let me know!

This thread may also be useful, but doesn’t contain as many details:
https://airbytehq.slack.com/archives/C021R3F2HUJ/p1723574695101559?thread_ts=1723571767.440949&cid=C021R3F2HUJ
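The reply above warns that IAP "likes to toggle off" during upgrades and re-deploys, and that the Service, its NEG annotation and the BackendConfig all have to line up for the load balancer to reach the pods with IAP in front. The following is an added example (not the thread's or Airbyte's own code): a small Python check that walks that chain over the JSON that `kubectl get ingress/svc/backendconfig -o json` emits, so it can be run after every deploy to confirm that every ingress path still lands on an existing, NEG-enabled Service whose BackendConfig has IAP enabled with OAuth client credentials attached. The resource names (`airbyte-airbyte-webapp-svc`, `your-custom-backend-config`, `your-iap-secret`) are hypothetical, and the embedded sample objects are constructed to mirror the config in the reply.

```python
"""Post-deploy check: is the Airbyte webapp Ingress still wired to an IAP-enabled BackendConfig?

Added example, not Airbyte's code. Input shape is what `kubectl get <kind> -o json` returns
(either a single object or a list with "items"). All names below are hypothetical/constructed.
"""
import json
import sys

NEG_ANNOTATION = "cloud.google.com/neg"
BACKEND_CONFIG_ANNOTATION = "cloud.google.com/backend-config"


def _referenced_backend_configs(annotation_value):
    """Names from a backend-config annotation: {"default": "x"} and/or {"ports": {"80": "y"}}."""
    try:
        parsed = json.loads(annotation_value or "")
    except ValueError:
        return set()
    if not isinstance(parsed, dict):
        return set()
    names = set()
    if isinstance(parsed.get("default"), str):
        names.add(parsed["default"])
    ports = parsed.get("ports")
    if isinstance(ports, dict):
        names.update(v for v in ports.values() if isinstance(v, str))
    return names


def _neg_enabled_for_ingress(annotation_value):
    """True only for the exact container-native LB setting the thread asks for."""
    try:
        parsed = json.loads(annotation_value or "")
    except ValueError:
        return False
    return isinstance(parsed, dict) and parsed.get("ingress") is True


def check_iap_chain(ingress, services, backend_configs):
    """Return human-readable findings; an empty list means the IAP chain is intact."""
    findings = []
    svc_by_name = {s["metadata"]["name"]: s for s in services}
    bc_by_name = {b["metadata"]["name"]: b for b in backend_configs}

    for rule in ingress["spec"].get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            svc_name = path["backend"]["service"]["name"]
            where = f"path {path.get('path', '/')!r} -> service {svc_name!r}"
            svc = svc_by_name.get(svc_name)
            if svc is None:  # the classic cause of "backend NotFound"-style 404s
                findings.append(f"{where}: service does not exist")
                continue
            ann = svc["metadata"].get("annotations") or {}
            if not _neg_enabled_for_ingress(ann.get(NEG_ANNOTATION)):
                findings.append(f"{where}: missing {NEG_ANNOTATION}='{{\"ingress\": true}}'")
            bc_names = _referenced_backend_configs(ann.get(BACKEND_CONFIG_ANNOTATION))
            if not bc_names:
                findings.append(f"{where}: no {BACKEND_CONFIG_ANNOTATION} annotation, IAP not attached")
            for bc_name in sorted(bc_names):
                bc = bc_by_name.get(bc_name)
                if bc is None:
                    findings.append(f"{where}: BackendConfig {bc_name!r} not found")
                    continue
                iap = (bc.get("spec") or {}).get("iap") or {}
                if iap.get("enabled") is not True:
                    findings.append(f"{where}: BackendConfig {bc_name!r} has IAP disabled")
                if not (iap.get("oauthclientCredentials") or {}).get("secretName"):
                    findings.append(f"{where}: BackendConfig {bc_name!r} has no OAuth client secret")
    return findings


def sample_healthy():
    """Constructed objects mirroring the thread's values.yaml / BackendConfig (hypothetical names)."""
    ingress = {"metadata": {"name": "airbyte-ingress"}, "spec": {"rules": [
        {"host": "your-hostname.example.com", "http": {"paths": [
            {"path": "/*", "pathType": "ImplementationSpecific",
             "backend": {"service": {"name": "airbyte-airbyte-webapp-svc", "port": {"number": 80}}}}]}}]}}
    services = [{"metadata": {"name": "airbyte-airbyte-webapp-svc", "annotations": {
        NEG_ANNOTATION: '{"ingress": true}',
        BACKEND_CONFIG_ANNOTATION: '{"default": "your-custom-backend-config"}'}}}]
    backend_configs = [{"metadata": {"name": "your-custom-backend-config"}, "spec": {
        "timeoutSec": 600,
        "iap": {"enabled": True, "oauthclientCredentials": {"secretName": "your-iap-secret"}}}}]
    return ingress, services, backend_configs


def sample_iap_toggled_off():
    """Same objects after the failure mode the thread describes: IAP flipped off on redeploy."""
    ingress, services, backend_configs = sample_healthy()
    backend_configs[0]["spec"]["iap"]["enabled"] = False
    return ingress, services, backend_configs


def _load_items(path):
    with open(path) as fh:
        obj = json.load(fh)
    return obj["items"] if "items" in obj else [obj]


if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: script.py ingress.json services.json backendconfigs.json
        args = (_load_items(sys.argv[1])[0], _load_items(sys.argv[2]), _load_items(sys.argv[3]))
    else:
        args = sample_iap_toggled_off()
    for finding in check_iap_chain(*args) or ["IAP chain intact"]:
        print(finding)
```

Run it with the three files produced by `kubectl get ingress <name> -o json`, `kubectl get svc -o json` and `kubectl get backendconfig -o json`; with no arguments it runs the constructed "IAP toggled off" sample and reports the disabled BackendConfig. Because it only reads cluster objects, it is safe to wire into a CI step or a post-upgrade hook so a silently dropped IAP setting is caught before anyone relies on the load balancer being protected.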


Hi! I’m so sorry to bother you on the weekend. Please, do not feel obligated to respond.

I used your config and I ran into this error once I navigated to the LB frontend URL: `response 404 (backend NotFound), service rules for the path non-existent`

Maybe you faced it during your first setup and could assist here.
Thank you in advance!