Overview
%%{
init: {
"flowchart": {
"wrappingWidth": "300"
}
}
}%%
flowchart TB
cloudflare["Cloudflare"]
loadBalancer["HTTP(s) Load Balancer"]
vault["Hashicorp Vault"]
lbsink["Load Balancer Sink Service"]
machineMgmt["Machine Management Service"]
objectStore["Object Storage"]
cloudflare -->|machine.example.com| loadBalancer
loadBalancer -->|Unknown Route| lbsink
loadBalancer --> machineMgmt
loadBalancer --> vault
machineMgmt --> objectStoreThe above diagram documents the high level architecture deployed on Google Cloud. All services are a part of the network boot process for the home lab physical infrastracture.
mTLS
flowchart LR
clientCA["Client CA"]
serverCA["Server CA"]
clientCert["Client Certificate"]
serverCert["Server Certificate"]
client["Client"]
server["Server"]
subgraph Client Side
direction TB
clientCA --> clientCert --> client
end
subgraph Server Side
direction TB
serverCA --> serverCert --> server
end
client <-->|exchange certs| server
server -->|verify client certificate| clientCA
client -->|verify server certificate| serverCAThe above diagram gives a high level overview of the mTLS certificate verification flow. It begins by the client and server exchange certificates during the TLS handshake process. Next, both the client and server verify the certificate chain against the respective trust anchor(s) i.e. client verifies against server CA trush anchor and vice versa.
Due to the added cost of running a private CA in GCP, the decision was made to leverage offerings from Cloudflare for generating the server side certificate and trust anchor(s), specifically:
The below diagram shows the high level mTLS certificate verification flow again but with the Cloudflare solutions substituted in.
flowchart
originPullsCA["Cloudflare Authenticated Origin Pulls CA"]
clientCert["Client Certificate"]
originCA["Cloudflare Origin CA"]
originCert["Cloudflare Origin Certificate"]
cloudflareProxy["Cloudflare Proxy"]
loadBalancer["HTTP(s) Load Balancer"]
subgraph Cloudflare
originPullsCA --> clientCert --> cloudflareProxy
originCA --> originCert
end
originCert -->|use as server side cert| loadBalancer
subgraph GCP
loadBalancer
end
cloudflareProxy <-->|exchange certs| loadBalancer
cloudflareProxy -->|verify server certificate| originCA
loadBalancer -->|verify client certificate| originPullsCAGoogle Cloud Products
Below is a possibly exhaustive list of Google Cloud products used:
- Artifact Registry
- Cloud Run
- Cloud Storage
- Cloud Logging
- Cloud Monitoring
- Cloud Trace
- IAM
- Certificate Manager
- Cloud Load Balancing
- Secret Manager
HTTP(s) Load Balancer
%%{
init: {
"flowchart": {
"wrappingWidth": "350"
}
}
}%%
flowchart TB
ipv6["Global External IPv6 Address"]
forwarding["Global Forwarding Rule"]
httpsProxy["HTTP(s) Proxy Target"]
urlMap["URL map"]
sslCerts["SSL Certificates"]
secret["Secret"]
tlsPolicy["Server TLS Policy"]
trustConfig["Certificate Manager Trust Config"]
trustAnchor["Trust Anchor aka Root Client CA"]
hostRule["Host Rule"]
pathMatcher["Path Matcher"]
backendService["Backend Service"]
neg["Serverless Network Endpoint Group (NEG)"]
cloudRun["Cloud Run"]
forwarding --> ipv6
forwarding --> httpsProxy
httpsProxy --> urlMap
httpsProxy --> sslCerts
httpsProxy --> tlsPolicy
sslCerts --> secret
tlsPolicy --> trustConfig
trustConfig --> trustAnchor
trustAnchor --> secret
urlMap --> hostRule
hostRule --> pathMatcher
pathMatcher --> backendService
backendService --> neg
neg --> cloudRunSSL Certificates
The SSL certificates will be generated by Cloudflare, uploaded to Secret Manager. Then, while deploying the HTTP(s) Load Balancer the certificate will be extracted from the secret and a ssl certificate resource will be created.
flowchart TB
originCA["Cloudflare Origin CA"]
originCert["Cloudflare Origin Certificate"]
secret["Secret"]
sslCertificate["SSL Certificate"]
originCA --> originCert --> secret
sslCertificate --> secretForwarding Rule
The forwarding rule is what connects the external IP address to an actual HTTP(s) reverse proxy. Thus, making the load balancer callable from the internet.
HTTP(s) Proxy Target
The reverse proxy target is made up of 3 key components:
- Server TLS Policy: Defines client certificate validation for mTLS support.
- SSL certificates: The certificates that the load balancer hands out to clients for TLS connections.
- URL map: Relates HTTP hosts and paths to backend services.
URL map
The URL map allows for multi-host, multi-path configurations where each path can map to a distinct backend service.
For each path matcher, a default service is also required to handle unmatched paths. That’s where the Load Balancer Sink Service comes in to play.
Load Balancer Sink Service
flowchart TB
sa["Service Account"]
artifactRegistry["Artifact Registry"]
cloudRun["Cloud Run"]
cloudTrace["Cloud Trace"]
cloudLogging["Cloud Logging"]
sa --> cloudRun
artifactRegistry --> cloudRun
cloudRun --> cloudTrace
cloudRun --> cloudLoggingThis service is needed as part of deployment process for an HTTP/HTTP(s) Load Balancer on Google Cloud. Its role is to receive any requests which do not match any of the patterns defined in the URL map for the Load Balancer. Upon receiving the request, the service simply responds with a 503 Service Unavailable HTTP status code.
Machine Management Service
flowchart TB
sa["Service Account"]
artifactRegistry["Artifact Registry"]
cloudRun["Cloud Run"]
cloudTrace["Cloud Trace"]
cloudLogging["Cloud Logging"]
cloudStorage["Cloud Storage"]
sa --> cloudRun
artifactRegistry --> cloudRun
cloudRun --> cloudTrace
cloudRun --> cloudLogging
cloudRun --> cloudStorageThis is core of the network boot procedure for the homelab physical infrastructure. It is responsible for serving the appropriate boot scripts and images from Cloud Storage based on unique machine requests.