pomerium: make_global.py comparison

comparison make_global.py @ 34:b1f75b0584f3

redo 'run' task and 'delete' (less tested)

author	drewp@bigasterisk.com
date	Wed, 21 Jun 2023 23:01:32 -0700
parents	1d3d12b7cf6d
children

comparison

equal deleted inserted replaced

-:48b4ebc37636
+:b1f75b0584f3
 import json
 import subprocess
 import sys
 import time
+POM_CERT_NAME = 'pomerium-proxy-tls'
+AUTH_HOST = 'authenticate2.bigasterisk.com'
-def getSuffixedName() -> str:
+(phase,) = sys.argv[1:]
-ns = 'pomerium'
+def secretExists(qname):
+ns, localName = qname.split('/')
 j = json.loads(subprocess.check_output(["kubectl", "get", "-n", ns, "secret", "-o", "json"]).decode('utf8'))
 for item in j['items']:
 name = item['metadata']['name']
-if name.startswith('pomerium-proxy-tls'):
+if name == localName:
-return ns + '/' + name
+return
 raise ValueError()
-def retryGetSuffixedName() -> str:
+def waitForSecret(qname):
-sys.stderr.write("\nwait for secret: ")
+sys.stderr.write(f"\nwait for secret {qname}: ")
 for tries in range(100):
 try:
-return getSuffixedName()
+return secretExists(qname)
 except ValueError:
 sys.stderr.write('.')
 sys.stderr.flush()
 time.sleep(10)
 else:
 raise ValueError
+def pomeriumGlobalConfig():
 config = {
 'apiVersion': "ingress.pomerium.io/v1",
 'kind': "Pomerium",
 'metadata': {
 'name': "global"
-},
-'spec': {
-'secrets': "pomerium/bootstrap",
-'authenticate': {
-'url': "https://authenticate.bigasterisk.com"
 },
-'cookie': {
+'spec': {
-'expire': "20h"
+'secrets': "pomerium/bootstrap",
-},
+'authenticate': {
-'identityProvider': {
+'url': f"https://{AUTH_HOST}"
-'provider': "oidc",
+},
-'url': "https://accounts.google.com",
+'cookie': {
-'scopes': [
+'expire': "20h"
-"openid",
+},
-"email",
+'identityProvider': {
-"profile"  # adds name+locale to user details
+'provider': "oidc",
-],
+'url': "https://accounts.google.com",
-'secret': "pomerium/idp"
+'scopes': [
-},
+"openid",
-#        'storage': {
+"email",
-#            'postgres': {
+"profile"  # adds name+locale to user details
-#                'secret': "pomerium/postgres-connection-key"
+],
-#            }
+'secret': "pomerium/idp"
-#        },
+},
+#        'storage': {
+#            'postgres': {
+#                'secret': "pomerium/postgres-connection-key"
+#            }
+#        },
+}
 }
+if phase == 'wait_for_cert':
+waitForSecret('pomerium/pomerium-proxy-tls')
+config['spec']['certificates'] = [f'pomerium/{POM_CERT_NAME}']
+sys.stderr.write('\n')
+return config
 def pomCert():
 return {
 "apiVersion": "cert-manager.io/v1",
 "kind": "Certificate",
 "metadata": {
 },
 "secretName": "pomerium-proxy-tls"
 }
 }
-# Old note: pom won't start up if this cert doesn't exist, so you have to run once
+if phase == 'output_pom_cert':
-# with it commented out, then after cert success, run again with it enabled.
+output = pomCert()
+else:
+output = pomeriumGlobalConfig()
-config['spec']['certificates'] = [
+print(json.dumps(output))
-# retryGetSuffixedName() # it appear this is a temporary cert and we should set the line below then wait a few minutes
-'pomerium/pomerium-proxy-tls'
-]
-sys.stderr.write('\n')
-print(json.dumps(config))

Mercurial > code > home > repos > pomerium

comparison make_global.py @ 34:b1f75b0584f3