changeset 34:b1f75b0584f3

redo 'run' task and 'delete' (less tested)
author drewp@bigasterisk.com
date Wed, 21 Jun 2023 23:01:32 -0700
parents 48b4ebc37636
children 296f4a4698c6
files config/kustomization.yaml make_global.py tasks.py use-invoke-not-skaffold.yaml
diffstat 4 files changed, 95 insertions(+), 84 deletions(-) [+]
--- a/config/kustomization.yaml	Wed Jun 21 22:59:12 2023 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,4 +0,0 @@
-bases:
-  - 05-idp-secret.yaml
-  - 06-postgres.yaml
- 
\ No newline at end of file
--- a/make_global.py	Wed Jun 21 22:59:12 2023 -0700
+++ b/make_global.py	Wed Jun 21 23:01:32 2023 -0700
@@ -5,22 +5,27 @@
 import sys
 import time
 
+POM_CERT_NAME = 'pomerium-proxy-tls'
+AUTH_HOST = 'authenticate2.bigasterisk.com'
 
-def getSuffixedName() -> str:
-    ns = 'pomerium'
+(phase,) = sys.argv[1:]
+
+
+def secretExists(qname):
+    ns, localName = qname.split('/')
     j = json.loads(subprocess.check_output(["kubectl", "get", "-n", ns, "secret", "-o", "json"]).decode('utf8'))
     for item in j['items']:
         name = item['metadata']['name']
-        if name.startswith('pomerium-proxy-tls'):
-            return ns + '/' + name
+        if name == localName:
+            return
     raise ValueError()
 
 
-def retryGetSuffixedName() -> str:
-    sys.stderr.write("\nwait for secret: ")
+def waitForSecret(qname):
+    sys.stderr.write(f"\nwait for secret {qname}: ")
     for tries in range(100):
         try:
-            return getSuffixedName()
+            return secretExists(qname)
         except ValueError:
             sys.stderr.write('.')
             sys.stderr.flush()
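Review bot: `secretExists` fetches the full JSON of every secret in the namespace, data included, only to compare names, and the `qname.split('/')` unpack on its first line raises the very ValueError that `waitForSecret` retries on, so a qname without exactly one `/` is retried 100 times instead of failing at once. Listing names only keeps secret material out of the process, e.g. `names = subprocess.check_output(["kubectl", "get", "-n", ns, "secret", "-o", "name"]).decode('utf8').split()` followed by `if f"secret/{localName}" in names: return`, and the split belongs outside the retried call (validate the qname once in `waitForSecret` before the loop). Since the function returns None on success and raises otherwise, a docstring such as `"""Return None if ns/name is present; raise ValueError if it is not (yet)."""` would make the predicate-like name less misleading. `waitForSecret`'s loop continues past the end of this hunk.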
@@ -28,37 +33,47 @@
     else:
         raise ValueError
 
+def pomeriumGlobalConfig():
 
-config = {
-    'apiVersion': "ingress.pomerium.io/v1",
-    'kind': "Pomerium",
-    'metadata': {
-        'name': "global"
-    },
-    'spec': {
-        'secrets': "pomerium/bootstrap",
-        'authenticate': {
-            'url': "https://authenticate.bigasterisk.com"
-        },
-        'cookie': {
-            'expire': "20h"
+    config = {
+        'apiVersion': "ingress.pomerium.io/v1",
+        'kind': "Pomerium",
+        'metadata': {
+            'name': "global"
         },
-        'identityProvider': {
-            'provider': "oidc",
-            'url': "https://accounts.google.com",
-            'scopes': [
-                "openid",
-                "email",
-                "profile"  # adds name+locale to user details
-            ],
-            'secret': "pomerium/idp"
-        },
-#        'storage': {
-#            'postgres': {
-#                'secret': "pomerium/postgres-connection-key"
-#            }
-#        },
+        'spec': {
+            'secrets': "pomerium/bootstrap",
+            'authenticate': {
+                'url': f"https://{AUTH_HOST}"
+            },
+            'cookie': {
+                'expire': "20h"
+            },
+            'identityProvider': {
+                'provider': "oidc",
+                'url': "https://accounts.google.com",
+                'scopes': [
+                    "openid",
+                    "email",
+                    "profile"  # adds name+locale to user details
+                ],
+                'secret': "pomerium/idp"
+            },
+            #        'storage': {
+            #            'postgres': {
+            #                'secret': "pomerium/postgres-connection-key"
+            #            }
+            #        },
+        }
     }
+
+    if phase == 'wait_for_cert':
+        waitForSecret('pomerium/pomerium-proxy-tls')
+        config['spec']['certificates'] = [f'pomerium/{POM_CERT_NAME}']
+
+    sys.stderr.write('\n')
+    return config
+
 def pomCert():
     return {
   "apiVersion": "cert-manager.io/v1",
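Review bot: The `wait_for_cert` branch waits on the literal `'pomerium/pomerium-proxy-tls'` while the `certificates` entry two lines below is built from `POM_CERT_NAME`, so changing the constant would silently make the wait and the emitted config diverge; use `waitForSecret(f'pomerium/{POM_CERT_NAME}')`. `pomeriumGlobalConfig` also reads the module-level `phase` instead of receiving it, which means the function cannot be exercised without re-running the script with a different argv; passing it in as a parameter would be cleaner. The commented-out `storage` block was moved with its old flush-left `#        ` padding and now sits oddly inside the nested dict; either re-indent it or drop it. `pomCert` begins at the bottom of this hunk and its body continues outside it.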
@@ -79,14 +94,9 @@
   }
 }
 
-# Old note: pom won't start up if this cert doesn't exist, so you have to run once
-# with it commented out, then after cert success, run again with it enabled.
+if phase == 'output_pom_cert':
+    output = pomCert()
+else:
+    output = pomeriumGlobalConfig()
 
-config['spec']['certificates'] = [
-    # retryGetSuffixedName() # it appear this is a temporary cert and we should set the line below then wait a few minutes
-    'pomerium/pomerium-proxy-tls'
-]
-
-sys.stderr.write('\n')
-
-print(json.dumps(config))
+print(json.dumps(output))
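Review bot: The trailing `else` routes every phase other than `output_pom_cert` to `pomeriumGlobalConfig()`, so a mistyped phase (for example `no-cert`) silently emits the no-certificate config, which the callers pipe straight into `kubectl apply -f -`; the `(phase,) = sys.argv[1:]` unpack earlier in the file likewise dies with a bare ValueError on the wrong argument count. An explicit whitelist makes both failures readable: `PHASES = ('no_cert', 'output_pom_cert', 'wait_for_cert')`, `if phase not in PHASES:`, `    sys.exit(f"usage: make_global.py {'|'.join(PHASES)}")`, placed right after the argv unpack.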
--- a/tasks.py	Wed Jun 21 22:59:12 2023 -0700
+++ b/tasks.py	Wed Jun 21 23:01:32 2023 -0700
@@ -1,41 +1,58 @@
-import sys
 import time
 from invoke import task
-from invoke.exceptions import UnexpectedExit
-
-
-def authCert(ctx):
-    for tries in range(100):
-        try:
-            ctx.run("kubectl apply -f config/60-auth-cert.yaml", echo=True, )
-            sys.stderr.write("worked")
-            return
-        except UnexpectedExit:
-            time.sleep(2)
-            sys.stderr.write('.')
-            sys.stderr.flush()
-    raise ValueError
-            
 
 
 @task
 def run(ctx):
     ctx.run("kubectl delete -n pomerium job/pomerium-gen-secrets --ignore-not-found", echo=True)
-    ctx.run("skaffold run -f use-invoke-not-skaffold.yaml", echo=True)
-    authCert(ctx)
-    ctx.run("./make_global.py | kubectl apply -f -", echo=True)
+    ctx.run("kubectl kustomize upstream | kubectl apply -f -", echo=True)
+    print("let CM start up")
+    time.sleep(15)
+    ctx.run("kubectl apply -f config/05-idp-secret.yaml", echo=True)
+    ctx.run("kubectl apply -f config/dns-secret.yaml", echo=True)
+    # ctx.run("kubectl apply -f config/06-postgres.yaml", echo=True)
     ctx.run("kubectl apply -f config/51-pomerium-production-issuer.yaml", echo=True)
     ctx.run("kubectl apply -f config/51-pomerium-staging-issuer.yaml", echo=True)
+    ctx.run("kubectl apply -f config/dns-issuers.yaml", echo=True)
+    ctx.run("./make_global.py no_cert | kubectl apply -f -", echo=True)
+
+    ctx.run("./make_global.py output_pom_cert | kubectl apply -f -", echo=True)
+    # that will make infinite certs :( Clean up the redundant requests before LE ratelimits!
+    #   k delete -n pomerium certificaterequests.cert-manager.io <tab>
+
+    ctx.run("kubectl apply -f ingress/default.yaml", echo=True)
+    ctx.run("kubectl apply -f ingress/static.yaml", echo=True)
+
+    # this may wait for
+    # 1) nothing; cert+secret exist
+    # 2) a letsencrypt session
+    # 3) a cert-manager delay before a LE session (e.g. 45 minutes)
+    ctx.run("./make_global.py wait_for_cert | kubectl apply -f -", echo=True)
 
 
 @task
 def delete(ctx):
-    # todo don't delete certs that have big timeouts to remake
+    ctx.run("kubectl delete pomerium/global --ignore-not-found", echo=True)
+    ctx.run("kubectl delete -f config/dns-issuers.yaml --ignore-not-found", echo=True)
     ctx.run("kubectl delete -f config/51-pomerium-staging-issuer.yaml --ignore-not-found", echo=True)
     ctx.run("kubectl delete -f config/51-pomerium-production-issuer.yaml --ignore-not-found", echo=True)
-    ctx.run("kubectl delete -f config/60-auth-cert.yaml --ignore-not-found", echo=True)
-    ctx.run("kubectl delete pomerium/global --ignore-not-found", echo=True)
-    ctx.run("skaffold delete -f use-invoke-not-skaffold.yaml ", echo=True)
+    ctx.run("kubectl delete -f config/06-postgres.yaml --ignore-not-found", echo=True)
+    ctx.run("kubectl delete -f config/05-idp-secret.yaml --ignore-not-found", echo=True)
+
+    # the kustomize workloads and svcs
+    for type, ns, name in [
+        ('job', 'pomerium', 'pomerium-gen-secrets'),
+        ('deploy', 'cert-manager', 'cert-manager'),
+        ('deploy', 'cert-manager', 'cert-manager-cainjector'),
+        ('deploy', 'cert-manager', 'cert-manager-webhook'),
+        ('deploy', 'pomerium', 'pomerium'),
+        ('service', 'cert-manager', 'cert-manager'),
+        ('service', 'cert-manager', 'cert-manager-webhook'),
+        ('service', 'pomerium', 'pomerium-metrics'),
+        ('service', 'pomerium', 'pomerium-proxy'),
+    ]:
+        ctx.run(f"kubectl delete -n {ns} {type} {name} --ignore-not-found", echo=True)
+
     ctx.run("kubectl delete -n pomerium job/pomerium-gen-secrets --ignore-not-found", echo=True)
 
 
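Review bot: `run` covers the cert-manager start-up with a fixed `time.sleep(15)`, so on a slow node the Issuer and Certificate applies that follow fail at the admission webhook; waiting on the rollout is deterministic, e.g. `ctx.run("kubectl rollout status -n cert-manager deploy/cert-manager-webhook --timeout=120s", echo=True)` (the deployment names match those `delete` already lists). The `output_pom_cert` step re-applies the Certificate on every run, which the inline comment already flags as a source of redundant CertificateRequests against the Let's Encrypt rate limit; guarding that apply on the Certificate resource already existing would remove the manual clean-up step. In `delete`, the loop variable `type` shadows the builtin — `kind` reads better — and the final `job/pomerium-gen-secrets` delete duplicates the first tuple of the list.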
--- a/use-invoke-not-skaffold.yaml	Wed Jun 21 22:59:12 2023 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,12 +0,0 @@
-apiVersion: skaffold/v3
-kind: Config
-metadata:
-  name: pomerium
-manifests:
-  kustomize:
-    paths:
-      - "upstream"
-      - "config"
-  rawYaml:
-    - ingress/default.yaml
-    - ingress/static.yaml