Mercurial > code > home > repos > pomerium
annotate make_global.py @ 30:7d0e02a13b43
turn off postgres for testing
| author | drewp@bigasterisk.com |
|---|---|
| date | Mon, 19 Jun 2023 22:21:18 -0700 |
| parents | 0f6176ce0b46 |
| children | 1d3d12b7cf6d |
| rev | line source |
|---|---|
|
24
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
1 #!/usr/bin/python3 |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
2 |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
3 import json |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
4 import subprocess |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
5 import sys |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
6 import time |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
7 |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
8 |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
9 def getSuffixedName() -> str: |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
10 ns = 'pomerium' |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
11 j = json.loads(subprocess.check_output(["kubectl", "get", "-n", ns, "secret", "-o", "json"]).decode('utf8')) |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
12 for item in j['items']: |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
13 name = item['metadata']['name'] |
|
27
0f6176ce0b46
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
drewp@bigasterisk.com
parents:
24
diff
changeset
|
14 if name.startswith('pomerium-proxy-tls'): |
|
24
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
15 return ns + '/' + name |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
16 raise ValueError() |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
17 |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
18 |
|
27
0f6176ce0b46
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
drewp@bigasterisk.com
parents:
24
diff
changeset
|
19 def retryGetSuffixedName() -> str: |
|
0f6176ce0b46
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
drewp@bigasterisk.com
parents:
24
diff
changeset
|
20 sys.stderr.write("\nwait for secret: ") |
|
0f6176ce0b46
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
drewp@bigasterisk.com
parents:
24
diff
changeset
|
21 for tries in range(100): |
|
0f6176ce0b46
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
drewp@bigasterisk.com
parents:
24
diff
changeset
|
22 try: |
|
0f6176ce0b46
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
drewp@bigasterisk.com
parents:
24
diff
changeset
|
23 return getSuffixedName() |
|
0f6176ce0b46
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
drewp@bigasterisk.com
parents:
24
diff
changeset
|
24 except ValueError: |
|
0f6176ce0b46
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
drewp@bigasterisk.com
parents:
24
diff
changeset
|
25 sys.stderr.write('.') |
|
0f6176ce0b46
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
drewp@bigasterisk.com
parents:
24
diff
changeset
|
26 sys.stderr.flush() |
|
0f6176ce0b46
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
drewp@bigasterisk.com
parents:
24
diff
changeset
|
27 time.sleep(10) |
|
0f6176ce0b46
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
drewp@bigasterisk.com
parents:
24
diff
changeset
|
28 else: |
|
0f6176ce0b46
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
drewp@bigasterisk.com
parents:
24
diff
changeset
|
29 raise ValueError |
|
0f6176ce0b46
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
drewp@bigasterisk.com
parents:
24
diff
changeset
|
30 |
|
0f6176ce0b46
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
drewp@bigasterisk.com
parents:
24
diff
changeset
|
31 |
|
24
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
32 config = { |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
33 'apiVersion': "ingress.pomerium.io/v1", |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
34 'kind': "Pomerium", |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
35 'metadata': { |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
36 'name': "global" |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
37 }, |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
38 'spec': { |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
39 'secrets': "pomerium/bootstrap", |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
40 'authenticate': { |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
41 'url': "https://authenticate.bigasterisk.com" |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
42 }, |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
43 'cookie': { |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
44 'expire': "20h" |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
45 }, |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
46 'identityProvider': { |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
47 'provider': "oidc", |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
48 'url': "https://accounts.google.com", |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
49 'scopes': [ |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
50 "openid", |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
51 "email", |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
52 "profile" # adds name+locale to user details |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
53 ], |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
54 'secret': "pomerium/idp" |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
55 }, |
| 30 | 56 # 'storage': { |
| 57 # 'postgres': { | |
| 58 # 'secret': "pomerium/postgres-connection-key" | |
| 59 # } | |
| 60 # }, | |
|
24
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
61 } |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
62 } |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
63 |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
64 # Old note: pom won't start up if this cert doesn't exist, so you have to run once |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
65 # with it commented out, then after cert success, run again with it enabled. |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
66 |
|
27
0f6176ce0b46
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
drewp@bigasterisk.com
parents:
24
diff
changeset
|
67 config['spec']['certificates'] = [ |
|
0f6176ce0b46
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
drewp@bigasterisk.com
parents:
24
diff
changeset
|
68 # retryGetSuffixedName() # it appear this is a temporary cert and we should set the line below then wait a few minutes |
|
0f6176ce0b46
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
drewp@bigasterisk.com
parents:
24
diff
changeset
|
69 'pomerium/pomerium-proxy-tls' |
|
0f6176ce0b46
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
drewp@bigasterisk.com
parents:
24
diff
changeset
|
70 ] |
|
24
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
71 |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
72 sys.stderr.write('\n') |
|
b53ab97e8979
reorganize, and add two retry loops to try to get everything to startup in one 'inv run'
drewp@bigasterisk.com
parents:
diff
changeset
|
73 |
|
27
0f6176ce0b46
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
drewp@bigasterisk.com
parents:
24
diff
changeset
|
74 print(json.dumps(config)) |