pomerium: tasks.py comparison

comparison tasks.py @ 34:b1f75b0584f3

redo 'run' task and 'delete' (less tested)

author	drewp@bigasterisk.com
date	Wed, 21 Jun 2023 23:01:32 -0700
parents	bd2cbc36bc65
children

comparison

equal deleted inserted replaced

-:48b4ebc37636
+:b1f75b0584f3
-import sys
 import time
 from invoke import task
-from invoke.exceptions import UnexpectedExit
-def authCert(ctx):
-for tries in range(100):
-try:
-ctx.run("kubectl apply -f config/60-auth-cert.yaml", echo=True, )
-sys.stderr.write("worked")
-return
-except UnexpectedExit:
-time.sleep(2)
-sys.stderr.write('.')
-sys.stderr.flush()
-raise ValueError
 @task
 def run(ctx):
 ctx.run("kubectl delete -n pomerium job/pomerium-gen-secrets --ignore-not-found", echo=True)
-ctx.run("skaffold run -f use-invoke-not-skaffold.yaml", echo=True)
+ctx.run("kubectl kustomize upstream | kubectl apply -f -", echo=True)
-authCert(ctx)
+print("let CM start up")
-ctx.run("./make_global.py | kubectl apply -f -", echo=True)
+time.sleep(15)
+ctx.run("kubectl apply -f config/05-idp-secret.yaml", echo=True)
+ctx.run("kubectl apply -f config/dns-secret.yaml", echo=True)
+# ctx.run("kubectl apply -f config/06-postgres.yaml", echo=True)
 ctx.run("kubectl apply -f config/51-pomerium-production-issuer.yaml", echo=True)
 ctx.run("kubectl apply -f config/51-pomerium-staging-issuer.yaml", echo=True)
+ctx.run("kubectl apply -f config/dns-issuers.yaml", echo=True)
+ctx.run("./make_global.py no_cert | kubectl apply -f -", echo=True)
+ctx.run("./make_global.py output_pom_cert | kubectl apply -f -", echo=True)
+# that will make infinite certs :( Clean up the redundant requests before LE ratelimits!
+#   k delete -n pomerium certificaterequests.cert-manager.io <tab>
+ctx.run("kubectl apply -f ingress/default.yaml", echo=True)
+ctx.run("kubectl apply -f ingress/static.yaml", echo=True)
+# this may wait for
+# 1) nothing; cert+secret exist
+# 2) a letsencrypt session
+# 3) a cert-manager delay before a LE session (e.g. 45 minutes)
+ctx.run("./make_global.py wait_for_cert | kubectl apply -f -", echo=True)
 @task
 def delete(ctx):
-# todo don't delete certs that have big timeouts to remake
+ctx.run("kubectl delete pomerium/global --ignore-not-found", echo=True)
+ctx.run("kubectl delete -f config/dns-issuers.yaml --ignore-not-found", echo=True)
 ctx.run("kubectl delete -f config/51-pomerium-staging-issuer.yaml --ignore-not-found", echo=True)
 ctx.run("kubectl delete -f config/51-pomerium-production-issuer.yaml --ignore-not-found", echo=True)
-ctx.run("kubectl delete -f config/60-auth-cert.yaml --ignore-not-found", echo=True)
+ctx.run("kubectl delete -f config/06-postgres.yaml --ignore-not-found", echo=True)
-ctx.run("kubectl delete pomerium/global --ignore-not-found", echo=True)
+ctx.run("kubectl delete -f config/05-idp-secret.yaml --ignore-not-found", echo=True)
-ctx.run("skaffold delete -f use-invoke-not-skaffold.yaml ", echo=True)
+# the kustomize workloads and svcs
+for type, ns, name in [
+('job', 'pomerium', 'pomerium-gen-secrets'),
+('deploy', 'cert-manager', 'cert-manager'),
+('deploy', 'cert-manager', 'cert-manager-cainjector'),
+('deploy', 'cert-manager', 'cert-manager-webhook'),
+('deploy', 'pomerium', 'pomerium'),
+('service', 'cert-manager', 'cert-manager'),
+('service', 'cert-manager', 'cert-manager-webhook'),
+('service', 'pomerium', 'pomerium-metrics'),
+('service', 'pomerium', 'pomerium-proxy'),
+]:
+ctx.run(f"kubectl delete -n {ns} {type} {name} --ignore-not-found", echo=True)
 ctx.run("kubectl delete -n pomerium job/pomerium-gen-secrets --ignore-not-found", echo=True)
 '''
 troubleshooting, based on

Mercurial > code > home > repos > pomerium

comparison tasks.py @ 34:b1f75b0584f3