#!/usr/bin/python3

import json
import subprocess
import sys
import time

POM_CERT_NAME = 'pomerium-proxy-tls'
AUTH_HOST = 'authenticate2.bigasterisk.com'

(phase,) = sys.argv[1:]


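def secretExists(qname):
    """Check that the Secret ``qname`` ("<namespace>/<name>") exists.

    Returns None when the Secret is present and raises ValueError when it is
    not -- the shape waitForSecret() polls on.  A ``kubectl`` failure (no
    context, no permission, ...) propagates as subprocess.CalledProcessError
    rather than being mistaken for "not there yet".

    Raises:
        ValueError: ``qname`` is not of the form "<namespace>/<name>", or no
            Secret with that name is in the namespace.
    """
    ns, sep, localName = qname.partition('/')
    if not sep or not ns or not localName or '/' in localName:
        raise ValueError(f"expected '<namespace>/<name>', got {qname!r}")
    # List names only: `-o json` would pull every Secret's payload into this
    # process just to find out whether one of them exists.
    listing = subprocess.check_output(
        ["kubectl", "get", "-n", ns, "secret", "-o", "name"]).decode('utf8')
    # `-o name` prints one "secret/<name>" line per Secret.
    names = {line.partition('/')[2] for line in listing.splitlines() if line}
    if localName not in names:
        raise ValueError(f"secret {qname} not found in namespace {ns}")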


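def waitForSecret(qname, *, tries=100, delay=10):
    """Block until the Secret ``qname`` ("<namespace>/<name>") exists.

    Polls secretExists() up to ``tries`` times, sleeping ``delay`` seconds
    after each miss (defaults: 100 tries x 10 s, roughly 17 minutes), and
    writes one '.' per miss to stderr as a progress indicator.  Note that a
    malformed ``qname`` also surfaces as ValueError from secretExists() and
    is therefore retried like a missing Secret; a kubectl failure
    (subprocess.CalledProcessError) propagates immediately.

    Raises:
        ValueError: the Secret never appeared within ``tries`` attempts.
    """
    sys.stderr.write(f"\nwait for secret {qname}: ")
    for _attempt in range(tries):
        try:
            secretExists(qname)
        except ValueError:
            sys.stderr.write('.')
            sys.stderr.flush()
            time.sleep(delay)
        else:
            return
    raise ValueError(f"secret {qname} did not appear after {tries} attempts")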

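def pomeriumGlobalConfig():
    """Build the cluster-wide ``Pomerium`` resource (ingress.pomerium.io/v1).

    Reads the module globals ``phase``, ``AUTH_HOST`` and ``POM_CERT_NAME``.
    In the 'wait_for_cert' phase it first blocks until the TLS Secret
    ``pomerium/<POM_CERT_NAME>`` exists and then references that Secret from
    ``spec.certificates``; in every other phase the certificates entry is
    omitted.  Always writes a trailing newline to stderr (closing the
    progress line waitForSecret() may have started).
    """
    config = {
        'apiVersion': "ingress.pomerium.io/v1",
        'kind': "Pomerium",
        'metadata': {
            'name': "global"
        },
        'spec': {
            'secrets': "pomerium/bootstrap",
            'authenticate': {
                'url': f"https://{AUTH_HOST}"
            },
            'cookie': {
                'expire': "20h"
            },
            'identityProvider': {
                'provider': "oidc",
                'url': "https://accounts.google.com",
                'scopes': [
                    "openid",
                    "email",
                    "profile"  # adds name+locale to user details
                ],
                # presumably holds the OIDC client credentials -- they are
                # referenced by Secret name, never embedded in this file
                'secret': "pomerium/idp"
            },
            # Postgres-backed storage, currently disabled:
            # 'storage': {'postgres': {'secret': "pomerium/postgres-connection-key"}},
        }
    }

    if phase == 'wait_for_cert':
        # Same Secret the Certificate from pomCert() writes; derive it from
        # POM_CERT_NAME (it used to be a literal copy) so the two can't drift.
        certSecret = f'pomerium/{POM_CERT_NAME}'
        waitForSecret(certSecret)
        config['spec']['certificates'] = [certSecret]

    sys.stderr.write('\n')
    return config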

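def pomCert():
    """Build the cert-manager ``Certificate`` for the authenticate hostname.

    Reads the module globals ``POM_CERT_NAME`` and ``AUTH_HOST``.  The issued
    TLS Secret is named after POM_CERT_NAME, which is the name
    pomeriumGlobalConfig() waits for and references, so the two stay in sync.
    """
    return {
        "apiVersion": "cert-manager.io/v1",
        "kind": "Certificate",
        "metadata": {
            "name": POM_CERT_NAME,
            "namespace": "pomerium",
        },
        "spec": {
            "dnsNames": [AUTH_HOST],
            "issuerRef": {
                "kind": "ClusterIssuer",
                "name": "letsencrypt-dns-prod",
            },
            # Was a literal copy of POM_CERT_NAME; keep it derived so the
            # Secret pomeriumGlobalConfig() polls for is the one written here.
            "secretName": POM_CERT_NAME,
        },
    }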

# Phase dispatch: only 'output_pom_cert' emits the Certificate; every other
# phase value (including 'wait_for_cert') emits the Pomerium resource.
if phase != 'output_pom_cert':
    output = pomeriumGlobalConfig()
else:
    output = pomCert()

# The manifest goes to stdout; progress messages above went to stderr.
print(json.dumps(output))