```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: web
  namespace: default
spec:
  selector:
    matchLabels:
      run: web
  template:
```
```yaml
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: default
spec:
  ports:
  - port: 8080
    protocol: TCP
    targetPort: 8080
```
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: basic-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "web-static-ip"
spec:
  backend:
    serviceName: web
    servicePort: 8080
```
```yaml
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: iap-demo
spec:
  domains:
    - example.com
```
```go
type IntContainer []int

func (i IntContainer) Iterator(cancel <-chan struct{}) <-chan int {
	ch := make(chan int)
	go func() {
		for _, val := range i {
			select {
			case ch <- val:
			case <-cancel:
				close(ch)
```
```xml
<?xml version="1.0" encoding="utf-8"?>
<web-app version="3.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
  <servlet>
    <servlet-name>appengine-spring-boot</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
      <param-name>contextClass</param-name>
```
```python
import os

import google.auth
import google.oauth2.service_account
from google.auth.transport.requests import Request
import requests

IAM_SCOPE = 'https://www.googleapis.com/auth/iam'
OAUTH_TOKEN_URI = 'https://www.googleapis.com/oauth2/v4/token'
```
```python
import google.auth
from google.auth.transport.requests import Request as GRequest

_adc_credentials, _ = google.auth.default(scopes=[IAM_SCOPE])
# For service accounts using the Compute Engine metadata service, which is the
# case for Cloud Function service accounts, service_account_email isn't
# available until refresh is called.
_adc_credentials.refresh(GRequest())
# Since the Compute Engine metadata service doesn't expose the service
# account key, we use the IAM signBlob API to sign instead. In order for this
# to work, the Cloud Function's service account needs the "Service Account
```
```python
# Check path against whitelist.
path = proxied_request.path
if not path:
    path = '/'
# TODO: Implement proper wildcarding for paths.
if '*' not in _whitelist and path not in _whitelist:
    # logging.warn is a deprecated alias; use logging.warning.
    logging.warning('Rejected {} {}, not in whitelist'.format(
        proxied_request.method, url))
    return 'Requested path {} not in whitelist'.format(path), 403
```
```python
def handle_request(proxied_request):
    """Proxy the given request to the URL in the Forward-Host header with an
    Authorization header set using an OIDC bearer token for the Cloud
    Function's service account. If the header is not present, return a 400
    error.
    """
    host = proxied_request.headers.get(HOST_HEADER)
    if not host:
        return 'Required header {} not present'.format(HOST_HEADER), 400
```