Add GCP okta-conditional-access addon

[robbiet480]

Summary

• Adds addons/gcp/okta-conditional-access/ — a GCP-native equivalent of the existing AWS okta-conditional-access addon
• Updates gcp/byo-project with three new optional inputs: server_tls_policy, backend_custom_request_headers, and okta_subdomain

Architecture

GCP's ServerTLSPolicy applies at the HTTPS proxy level — attaching it to the main proxy enforces mTLS on the Fleet UI too. To avoid that, this addon provisions a dedicated second proxy and global IP for okta.<fleet_domain>, leaving the main Fleet UI proxy untouched and mTLS-free.

fleet.example.com      →  1.2.3.4  →  fleet-lb-https-proxy       (no mTLS)       →  Cloud Run
okta.fleet.example.com →  5.6.7.8  →  fleet-okta-https-proxy  (mTLS enforced)  →  Cloud Run
                                                 ↑
                                      ServerTLSPolicy (REJECT_INVALID)
                                      TrustConfig (Fleet SCEP CA)

Both proxies share the same URL map and backend service. The mTLS proxy forwards the client cert serial to Fleet via X-Client-Cert-Serial.

When okta_subdomain is set, gcp/byo-project automatically:

1. Provisions a dedicated global IP (fleet-okta-ip)
2. Creates a managed SSL cert for okta.<fleet_domain> only
3. Creates a second HTTPS proxy with the ServerTLSPolicy attached
4. Creates a forwarding rule on the new IP → okta proxy
5. Adds a URL map host rule redirecting /api/fleet/conditional_access/idp/sso to the okta subdomain
6. Creates a DNS A record for okta.<fleet_domain> pointing to the new IP

Differences from AWS Addon

Concern	AWS	GCP
CA cert storage	S3 bucket	Inline in TrustConfig (no object storage needed)
mTLS termination	Separate ALB	Dedicated proxy on existing LB
Cert revocation	Supported	Not supported by GCP LB (Fleet still enforces it)
Serial header	ALB-native	Custom request header {client_cert_serial_number}
Extra infrastructure cost	Second ALB + global IP	Second global IP only

Disclosure

This module was written with Claude (Anthropic) as a coding assistant. I reviewed the implementation, tested it end-to-end, and have been running it in production at CampusGroup with Okta conditional access enabled on our Fleet deployment since April 2026.

Test plan

• terraform validate passes
• Deploy addon against an existing gcp/byo-project Fleet stack
• Confirm main Fleet UI is accessible without a client cert prompt
• Confirm fleet-okta-https-proxy has ServerTLSPolicy attached
• Confirm X-Client-Cert-Serial header is forwarded to Fleet on mTLS connections on the okta subdomain
• Confirm non-mTLS connections are rejected at the LB for the okta.* subdomain
• Confirm Okta SSO redirect path (/api/fleet/conditional_access/idp/sso) routes correctly

🤖 Generated with Claude Code, reviewed and deployed by @robbiet480