move pom cert into make_global.py to share some vars
b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 0f6176ce0b46 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 0f6176ce0b46 0f6176ce0b46 0f6176ce0b46 0f6176ce0b46 0f6176ce0b46 0f6176ce0b46 0f6176ce0b46 0f6176ce0b46 0f6176ce0b46 0f6176ce0b46 0f6176ce0b46 0f6176ce0b46 0f6176ce0b46 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 7d0e02a13b43 7d0e02a13b43 7d0e02a13b43 7d0e02a13b43 7d0e02a13b43 b53ab97e8979 1d3d12b7cf6d 1d3d12b7cf6d 1d3d12b7cf6d 1d3d12b7cf6d 1d3d12b7cf6d 1d3d12b7cf6d 1d3d12b7cf6d 1d3d12b7cf6d 1d3d12b7cf6d 1d3d12b7cf6d 1d3d12b7cf6d 1d3d12b7cf6d 1d3d12b7cf6d 1d3d12b7cf6d 1d3d12b7cf6d 1d3d12b7cf6d 1d3d12b7cf6d 1d3d12b7cf6d b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 b53ab97e8979 0f6176ce0b46 0f6176ce0b46 0f6176ce0b46 0f6176ce0b46 b53ab97e8979 b53ab97e8979 b53ab97e8979 0f6176ce0b46 | #!/usr/bin/python3
import json
import subprocess
import sys
import time
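def getSuffixedName(ns: str = 'pomerium', prefix: str = 'pomerium-proxy-tls') -> str:
    """Return ``'<ns>/<name>'`` for the first Secret in *ns* whose name starts with *prefix*.

    Shells out to ``kubectl get secret -o json`` and scans the returned
    ``items`` list in API order; the first matching name wins. Matching by
    prefix (rather than exact name) is what lets a name with a generated
    suffix be found, hence "suffixed".

    Args:
        ns: Namespace whose Secrets are listed.
        prefix: Required prefix of the Secret name.

    Returns:
        The namespaced reference ``ns + '/' + name``.

    Raises:
        ValueError: if no Secret in *ns* matches *prefix*.
        subprocess.CalledProcessError: if kubectl exits non-zero.
        KeyError: if the kubectl output is not a List with ``items``.
    """
    # NOTE(review): `-o json` returns every Secret in the namespace *including*
    # its data, although only `.items[*].metadata.name` is read here. A
    # name-only output format would avoid pulling secret material into this
    # process; kept as-is to preserve the existing JSON parsing.
    raw = subprocess.check_output(
        ["kubectl", "get", "-n", ns, "secret", "-o", "json"]
    )
    listing = json.loads(raw.decode('utf8'))
    for item in listing['items']:
        name = item['metadata']['name']
        if name.startswith(prefix):
            return ns + '/' + name
    raise ValueError(
        'no secret with name prefix {!r} in namespace {!r}'.format(prefix, ns)
    )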
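def retryGetSuffixedName(tries: int = 100, delay: float = 10) -> str:
    """Poll getSuffixedName() until the proxy TLS Secret exists.

    Writes a progress line to stderr (one ``.`` per failed attempt) so the
    wait is visible when the script is run interactively. A ``delay`` sleep
    follows every failed attempt, including the last one.

    Args:
        tries: Maximum number of attempts before giving up.
        delay: Seconds to sleep after each failed attempt.

    Returns:
        The ``ns/name`` reference returned by getSuffixedName().

    Raises:
        ValueError: if the Secret has not appeared after *tries* attempts.
    """
    sys.stderr.write("\nwait for secret: ")
    for _attempt in range(tries):
        try:
            return getSuffixedName()
        except ValueError:
            # Not there yet: show progress and wait before the next lookup.
            sys.stderr.write('.')
            sys.stderr.flush()
            time.sleep(delay)
    raise ValueError('secret did not appear after {} tries'.format(tries))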
# The Pomerium "global" custom resource (ingress.pomerium.io/v1), assembled
# from named sections so each one can be read on its own. Only *references*
# to Kubernetes Secrets appear here; no credential material is inlined.

# Where browsers are sent to sign in.
_authenticate = {'url': "https://authenticate.bigasterisk.com"}

# Session cookie settings; `expire` presumably bounds how long a signed-in
# browser session stays valid.
_cookie = {'expire': "20h"}

_identity_provider = {
    'provider': "oidc",
    'url': "https://accounts.google.com",
    # "profile" adds name+locale to user details
    'scopes': ["openid", "email", "profile"],
    # OIDC client credentials are read from this Secret, not from this file.
    'secret': "pomerium/idp",
}

_spec = {
    'secrets': "pomerium/bootstrap",
    'authenticate': _authenticate,
    'cookie': _cookie,
    'identityProvider': _identity_provider,
    # A disabled 'storage' section previously pointed postgres at the Secret
    # "pomerium/postgres-connection-key"; it is intentionally absent here.
}

config = {
    'apiVersion': "ingress.pomerium.io/v1",
    'kind': "Pomerium",
    'metadata': {'name': "global"},
    'spec': _spec,
}
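def pomCert(cert_name=None, auth_host=None) -> dict:
    """Build the cert-manager Certificate manifest for the Pomerium proxy.

    Args:
        cert_name: ``metadata.name`` of the Certificate. When omitted, the
            module-level ``POM_CERT_NAME`` is used.
        auth_host: Hostname placed in ``spec.dnsNames``. When omitted, the
            module-level ``AUTH_HOST`` is used.

    Returns:
        The manifest as a plain dict, suitable for ``json.dumps``.

    Raises:
        NameError: when a default is relied on but the corresponding
            module-level name does not exist. Neither ``POM_CERT_NAME`` nor
            ``AUTH_HOST`` is defined anywhere in this file, so a bare
            ``pomCert()`` call currently fails; pass both arguments, or
            define those names before calling.
    """
    if cert_name is None:
        # NOTE(review): POM_CERT_NAME is expected to be shared from elsewhere
        # but is not defined in this module.
        cert_name = POM_CERT_NAME
    if auth_host is None:
        # NOTE(review): same for AUTH_HOST.
        auth_host = AUTH_HOST
    return {
        "apiVersion": "cert-manager.io/v1",
        "kind": "Certificate",
        "metadata": {
            "name": cert_name,
            "namespace": "pomerium",
        },
        "spec": {
            "dnsNames": [auth_host],
            "issuerRef": {
                "kind": "ClusterIssuer",
                "name": "letsencrypt-dns-prod",
            },
            # Must agree with the 'pomerium/pomerium-proxy-tls' entry that
            # the Pomerium CR's spec.certificates references in this file.
            "secretName": "pomerium-proxy-tls",
        },
    }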
# Old note: pom won't start up if this cert doesn't exist, so you have to run once
# with it commented out, then after cert success, run again with it enabled.
# Reference the cert-manager-issued Secret by its stable name. An earlier
# revision called retryGetSuffixedName() here to pick up a suffixed Secret,
# but that appears to be a temporary cert; with the stable name in place,
# wait a few minutes for issuance instead.
config['spec'].update(certificates=['pomerium/pomerium-proxy-tls'])
# Terminate the stderr progress line, then emit the manifest as a single
# JSON document on stdout (diagnostics and output stay on separate streams).
sys.stderr.write('\n')
sys.stdout.write(json.dumps(config) + '\n')