annotate make_global.py @ 32:1d3d12b7cf6d

move pom cert into make_global.py to share some vars
author drewp@bigasterisk.com
date Wed, 21 Jun 2023 22:57:20 -0700
parents 7d0e02a13b43
children b1f75b0584f3
#!/usr/bin/python3
"""Emit the Pomerium ``global`` custom resource as JSON on stdout.

``config`` below is the ``ingress.pomerium.io/v1`` Pomerium object; it is
printed with ``json.dumps`` at the bottom of the file (presumably for the
caller to feed to kubectl). ``pomCert`` builds the matching cert-manager
Certificate. Progress output, when the optional secret-wait loop is used,
goes to stderr so stdout stays pure JSON.
"""

import json
import subprocess
import sys
import time


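def getSuffixedName() -> str:
    """Return ``pomerium/<name>`` for the first Secret named ``pomerium-proxy-tls*``.

    Lists the Secrets in the ``pomerium`` namespace through ``kubectl`` and
    picks the first one whose name starts with ``pomerium-proxy-tls`` (the
    TLS secret may carry a generated suffix, hence the prefix match).

    Returns:
        ``"<namespace>/<secret name>"``.

    Raises:
        ValueError: no matching Secret exists (yet); ``retryGetSuffixedName``
            polls on this. ``json.JSONDecodeError`` is a ``ValueError``
            subclass, so unparseable kubectl output surfaces the same way.
        subprocess.CalledProcessError: ``kubectl`` exited non-zero.
    """
    ns = 'pomerium'
    # NOTE(review): ``-o json`` returns every Secret's payload although only
    # the names are inspected here; a name-only listing (``-o name``) would
    # keep secret material out of this process.
    raw = subprocess.check_output(["kubectl", "get", "-n", ns, "secret", "-o", "json"])
    listing = json.loads(raw.decode('utf8'))
    for item in listing['items']:
        name = item['metadata']['name']
        if name.startswith('pomerium-proxy-tls'):
            return ns + '/' + name
    # Empty message in the original made the failure hard to read in logs.
    raise ValueError("no secret named pomerium-proxy-tls* in namespace " + ns)

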
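def retryGetSuffixedName() -> str:
    """Poll ``getSuffixedName`` until the TLS Secret appears, then return it.

    Makes up to 100 attempts with a 10 s sleep between them (about 17 min
    worst case), writing a dot to stderr per failed attempt so an
    interactive ``inv run`` shows it is waiting rather than hung.

    Returns:
        The ``"<namespace>/<secret name>"`` string from ``getSuffixedName``.

    Raises:
        ValueError: the Secret never appeared within the retry budget.
        subprocess.CalledProcessError: propagates immediately from
            ``getSuffixedName`` (only ``ValueError`` is retried).
    """
    sys.stderr.write("\nwait for secret: ")
    for _ in range(100):
        try:
            return getSuffixedName()
        except ValueError:
            # Not issued yet; show progress and give cert-manager time.
            sys.stderr.write('.')
            sys.stderr.flush()
            time.sleep(10)
    # The loop has no ``break``, so reaching here always means exhaustion.
    raise ValueError("secret pomerium-proxy-tls* did not appear after 100 tries")

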
# Pomerium global settings. ``json.dumps`` preserves insertion order, so the
# key order below is the order that appears in the emitted JSON.
_authenticate = {'url': "https://authenticate.bigasterisk.com"}
_cookie = {'expire': "20h"}
_identity_provider = {
    'provider': "oidc",
    'url': "https://accounts.google.com",
    'scopes': ["openid", "email", "profile"],  # profile adds name+locale to user details
    # namespace/name reference to a k8s Secret, so no IdP credential is inline here
    'secret': "pomerium/idp",
}

config = {
    'apiVersion': "ingress.pomerium.io/v1",
    'kind': "Pomerium",
    'metadata': {'name': "global"},
    'spec': {
        'secrets': "pomerium/bootstrap",
        'authenticate': _authenticate,
        'cookie': _cookie,
        'identityProvider': _identity_provider,
        # postgres storage intentionally left disabled (turned off for testing):
        # 'storage': {'postgres': {'secret': "pomerium/postgres-connection-key"}},
    },
}
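def pomCert(*, name=None, dnsName=None):
    """Build the cert-manager ``Certificate`` for the Pomerium proxy.

    Args:
        name: Certificate resource name; defaults to the module-level
            ``POM_CERT_NAME`` when omitted.
        dnsName: single hostname placed in ``dnsNames``; defaults to the
            module-level ``AUTH_HOST`` when omitted.

    Returns:
        A ``cert-manager.io/v1`` Certificate as a plain dict, issued by the
        ``letsencrypt-dns-prod`` ClusterIssuer into Secret
        ``pomerium/pomerium-proxy-tls`` -- the same name that
        ``getSuffixedName`` matches and ``config['spec']['certificates']``
        references, so the three must stay in sync.

    NOTE(review): ``POM_CERT_NAME`` and ``AUTH_HOST`` are not defined
    anywhere in this file as shown, so calling with the defaults raises
    ``NameError`` until they are -- confirm where they are meant to live.
    """
    # Resolve defaults at call time so the module still imports even if the
    # two globals are absent; only a default-argument call needs them.
    if name is None:
        name = POM_CERT_NAME
    if dnsName is None:
        dnsName = AUTH_HOST
    return {
        "apiVersion": "cert-manager.io/v1",
        "kind": "Certificate",
        "metadata": {
            "name": name,
            "namespace": "pomerium",
        },
        "spec": {
            "dnsNames": [dnsName],
            "issuerRef": {
                "kind": "ClusterIssuer",
                "name": "letsencrypt-dns-prod",
            },
            "secretName": "pomerium-proxy-tls",
        },
    }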

# Old note: pom won't start up if this cert doesn't exist, so you have to run once
# with it commented out, then after cert success, run again with it enabled.

# Reference the proxy TLS Secret by its fixed namespace/name. The suffixed-name
# lookup (retryGetSuffixedName) stays disabled: that secret appears to be a
# temporary one, so point at the fixed name and wait a few minutes instead.
proxy_tls_secret = 'pomerium/pomerium-proxy-tls'
config['spec']['certificates'] = [proxy_tls_secret]

# Ends the stderr progress line that retryGetSuffixedName() would have
# started; harmless when the wait loop is not used.
sys.stderr.write('\n')

# The CR itself goes to stdout, presumably for the caller to pipe to kubectl.
print(json.dumps(config))