annotate make_global.py @ 34:b1f75b0584f3

redo 'run' task and 'delete' (less tested)
author drewp@bigasterisk.com
date Wed, 21 Jun 2023 23:01:32 -0700
parents 1d3d12b7cf6d
children
1 #!/usr/bin/python3
3 import json
4 import subprocess
5 import sys
6 import time
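# Name shared by pomCert() (the Certificate's metadata.name) and by
# pomeriumGlobalConfig() (the "pomerium/<name>" Secret it waits for and lists
# under spec.certificates). Keep the two in sync through this constant only.
POM_CERT_NAME = 'pomerium-proxy-tls'
# Public hostname of the Pomerium authenticate service; used both for the
# authenticate URL in the global config and as the certificate's DNS name.
AUTH_HOST = 'authenticate2.bigasterisk.com'

# The single positional argument selects what the script prints on stdout:
#   'output_pom_cert' -> the cert-manager Certificate (pomCert())
#   'wait_for_cert'   -> the Pomerium global config, after blocking until the
#                        TLS Secret exists, with spec.certificates filled in
#   anything else     -> the Pomerium global config without a certificate ref
if len(sys.argv) != 2:
    # an explicit usage line instead of the bare "not enough values to unpack"
    # traceback the tuple-unpacking form produced
    sys.exit(f"usage: {sys.argv[0]} PHASE")
phase = sys.argv[1]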
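def secretExists(qname: str) -> None:
    """Check that the Secret named by ``qname`` ("namespace/name") exists.

    Returns None when the Secret is present. Raises ValueError when it is
    absent (waitForSecret() treats that as "poll again"), and also when
    ``qname`` is not exactly "namespace/name".

    subprocess.CalledProcessError propagates if kubectl itself fails (for
    example a missing namespace or an RBAC denial); that is deliberately
    not folded into the "not found" ValueError, so a permissions problem
    surfaces immediately instead of being retried for minutes.
    """
    parts = qname.split('/')
    if len(parts) != 2:
        raise ValueError(f"expected 'namespace/name', got {qname!r}")
    ns, localName = parts
    # NOTE(review): this lists every Secret in the namespace, data included,
    # only to look at the names; a narrower read (a single named object) would
    # need a different kubectl invocation and its own error handling.
    listing = subprocess.check_output(
        ["kubectl", "get", "-n", ns, "secret", "-o", "json"])
    items = json.loads(listing.decode('utf8'))['items']
    names = {item['metadata']['name'] for item in items}
    if localName not in names:
        raise ValueError(f"secret {localName!r} not found in namespace {ns!r}")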
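def waitForSecret(qname: str, *, tries: int = 100, delay: float = 10) -> None:
    """Block until the Secret ``qname`` ("namespace/name") exists.

    Polls secretExists() up to ``tries`` times, sleeping ``delay`` seconds
    between misses and writing one progress dot per miss to stderr. Returns
    None once the Secret is found; raises ValueError with a message if it
    never appears. The defaults keep the original budget (100 polls, 10 s
    apart).

    Caveat: secretExists() also raises ValueError for a malformed ``qname``,
    so a typo in the name is retried like a missing Secret rather than
    failing fast.
    """
    sys.stderr.write(f"\nwait for secret {qname}: ")
    for attempt in range(tries):
        try:
            secretExists(qname)
        except ValueError:
            sys.stderr.write('.')
            sys.stderr.flush()
            # no point sleeping after the final miss; the caller gets the error
            if attempt + 1 < tries:
                time.sleep(delay)
        else:
            return
    raise ValueError(f"secret {qname} did not appear after {tries} tries")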
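def pomeriumGlobalConfig() -> dict:
    """Build the cluster-wide Pomerium object (kind Pomerium, name "global").

    Reads the module-level ``phase``: when it is 'wait_for_cert', blocks via
    waitForSecret() until the proxy TLS Secret exists and then lists it
    under spec.certificates; otherwise the config is returned without a
    certificate reference. Progress goes to stderr, never stdout, so the
    caller can print the returned dict as JSON.
    """
    config = {
        'apiVersion': "ingress.pomerium.io/v1",
        'kind': "Pomerium",
        'metadata': {
            'name': "global"
        },
        'spec': {
            'secrets': "pomerium/bootstrap",
            'authenticate': {
                'url': f"https://{AUTH_HOST}"
            },
            'cookie': {
                'expire': "20h"  # session cookie lifetime; users re-authenticate after this
            },
            'identityProvider': {
                'provider': "oidc",
                'url': "https://accounts.google.com",
                'scopes': [
                    "openid",
                    "email",
                    "profile"  # adds name+locale to user details
                ],
                'secret': "pomerium/idp"
            },
            # 'storage': {
            #     'postgres': {
            #         'secret': "pomerium/postgres-connection-key"
            #     }
            # },
        }
    }

    if phase == 'wait_for_cert':
        # Wait on the same Secret name that is referenced below: the
        # previous literal 'pomerium/pomerium-proxy-tls' would silently
        # diverge from spec.certificates if POM_CERT_NAME ever changed.
        certSecret = f'pomerium/{POM_CERT_NAME}'
        waitForSecret(certSecret)
        config['spec']['certificates'] = [certSecret]

    sys.stderr.write('\n')
    return config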
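def pomCert() -> dict:
    """Build the cert-manager Certificate for the Pomerium proxy.

    The Certificate is named POM_CERT_NAME in the "pomerium" namespace,
    covers AUTH_HOST, and is issued by the ClusterIssuer
    "letsencrypt-dns-prod". Its secretName is POM_CERT_NAME as well, so the
    Secret that pomeriumGlobalConfig() waits for and references is the one
    cert-manager populates.
    """
    return {
        "apiVersion": "cert-manager.io/v1",
        "kind": "Certificate",
        "metadata": {
            "name": POM_CERT_NAME,
            "namespace": "pomerium"
        },
        "spec": {
            "dnsNames": [
                AUTH_HOST
            ],
            "issuerRef": {
                "kind": "ClusterIssuer",
                "name": "letsencrypt-dns-prod"
            },
            # previously the literal "pomerium-proxy-tls"; using the shared
            # constant keeps this in step with the "pomerium/<POM_CERT_NAME>"
            # reference in pomeriumGlobalConfig()
            "secretName": POM_CERT_NAME
        }
    }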
# Emit the object selected by ``phase`` as JSON on stdout; any progress
# output from the global-config path has already gone to stderr.
output = pomCert() if phase == 'output_pom_cert' else pomeriumGlobalConfig()
print(json.dumps(output))