Single Page App on GCP
Architectural Overview
This is a tutorial for how to get up and running with your own Single Page application and API on GCP quickly. Single Page Apps are web apps that load a single HTML page and dynamically update that page as the user interacts with the application. The browser based applicaiton makes API calls in JavaScript back to the API. This tuotrial assumes that the API is using a different domain and as a result uses Cross Origin Resource Sharing.
From a high level, the static web pages rely on Cloud Storage and Cloud CDN (provided by Firebase Hosting), while the API is hosted in Kubernetes.
Deploying the API
API Architecture
The underlying API is deployed to Kubernetes Engine and load balanced using a Cloud Load Balancing which is added using a Kubernetes ingress object. In this case implemented using Elasticsearch with CORS enabled (installable via a helm chart). However, because the API will be exposed directly to the single page web application (SPA) via the public internet it requires additional security. Cloud Endpoints is used to validate authentication to the API inside the Kubernetes cluster and could be used to throttle requests if necessary (though this is out of scope for this tutorial). Identity Aware Proxy is used for authentication and authorization of the user. Identity Aware Proxy is configured using Cloud Identity and Acccess Management.
Kubernetes Environment
The Kubernetes environment is enhanced for this tutuorial in a couple of ways outside the normal course of deploying the required components. First, you'll install helm which will make it easier to deploy many of the Kubernetes components for this tutorial. Using helm you'll add a custom resource definiton and controller for deploying the Cloud Endpoints and associating it with ingress objects. Finally, you'll install a suite of kubectl plugis to help with some of the commands.
Task 0 - Setup environment
- Set the project, replace
YOUR_PROJECTwith your project ID:
gcloud config set project YOUR_PROJECT
- Install kubectl plugins:
mkdir -p ~/.kube/plugins
git clone https://github.com/danisla/kubefunc.git ~/.kube/plugins/kubefunc
- Create GKE cluster:
VERSION=$(gcloud container get-server-config --zone us-central1-f --format='value(validMasterVersions[0])')
gcloud container clusters create dev --zone=us-central1-c --cluster-version=${VERSION} --scopes=cloud-platform
- Install helm
kubectl plugin install-helm
- Install Cloud Endpoints Controller
kubectl plugin install-cloud-endpoints-controller
Task 1 - Deploy Elastic Search
helm install --name my-release incubator/elasticsearch -f api/es-values.yml
Task 2 - Generate self-signed certificate with cert-manager
- Install the cert-manager chart and clusterissuer using the kubectl plugin:
kubectl plugin install-cert-manager
- Generate CA key and cert:
PROJECT=$(gcloud config get-value project)
COMMON_NAME="spa-api.endpoints.${PROJECT}.cloud.goog"
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=${COMMON_NAME}" -days 3650 -reqexts v3_req -extensions v3_ca -out ca.crt
kubectl create secret tls ca-key-pair --cert=ca.crt --key=ca.key
- Create the certificate:
PROJECT=$(gcloud config get-value project)
COMMON_NAME="spa-api.endpoints.${PROJECT}.cloud.goog"
cat <<EOF | kubectl apply -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: spa-api-ingress
spec:
secretName: spa-api-ingress-tls
issuerRef:
name: ca-issuer
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer
commonName: ${COMMON_NAME}
dnsNames:
- ${COMMON_NAME}
EOF
- Wait for the certificate:
(until kubectl get secret iap-tutorial-ingress-tls 2>/dev/null; do echo "Waiting for certificate..." ; sleep 2; done)
Task 3 - Configure OAuth consent screen
- Go to the OAuth consent screen.
- Under Email address, select the email address you want to display as a public contact. This must be your email address, or a Google Group you own.
- Enter the Product name you would like to display.
- Add any optional details you’d like.
- Click Save.
Task 4 - Set up IAP access
-
Go to the Identity-Aware Proxy page.
-
On the right side panel, next to Access, click Add.
-
In the Add members dialog that appears, add the email addresses of groups or individuals to whom you want to grant the IAP-Secured Web App User role for the project
The following kinds of accounts can be members:
- Google Accounts: user@gmail.com
- Google Groups: admins@googlegroups.com
- Service accounts: server@example.gserviceaccount.com
- G Suite domains: example.com
Make sure to add a Google account that you have access to.
Task 5 - Deploy iap-ingress chart
- Create values file for chart:
cat > iap-values.yaml <<EOF
projectID: $(gcloud config get-value project)
endpointServiceName: spa-api
targetServiceName: search-api
targetServicePort: 8080
oauthSecretName: iap-oauth
tlsSecretName: iap-tutorial-ingress-tls
esp:
enabled: true
EOF
- Deploy chart to create IAP aware ingress resource:
helm github install \
--name api-iap \
--repo https://github.com/danisla/cloud-endpoints-controller.git \
--ref master \
--path examples/iap-esp/charts/iap-ingress
-f iap-values.yaml
- Wait for the load balancer to be provisioned:
PROJECT=$(gcloud config get-value project)
COMMON_NAME="spa-api.endpoints.${PROJECT}.cloud.goog"
(until [[ $(curl -sfk -w "%{http_code}" https://${COMMON_NAME}) == "302" ]]; do echo "Waiting for LB with IAP..."; sleep 2; done)
Task 5 Deploy
- Open your browser to
https://spa-api.endpoints.PROJECT_ID.cloud.googreplacingPROJECT_IDwith your project id. - Login with your Google account and verify the the sample app is show.
NOTE: It may take 10-15 minutes for the load balancer to be provisioned.
Task 6 - Cleanup
- Delete the chart:
helm delete --purge iap-tutorial-ingress
This will trigger the load balancer cleanup. Wait a few moments before continuing.
- Delete the GKE cluster:
gcloud container clusters delete dev --zone us-central1-c