# HG changeset patch # User drewp@bigasterisk.com # Date 2023-06-22 06:01:32 # Node ID b1f75b0584f33aff0833dfc6e2e961193df51618 # Parent 48b4ebc376364e234055cf9d3c708bb7330d33af redo 'run' task and 'delete' (less tested) diff --git a/config/kustomization.yaml b/config/kustomization.yaml deleted file mode 100644 --- a/config/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -bases: - - 05-idp-secret.yaml - - 06-postgres.yaml - \ No newline at end of file diff --git a/make_global.py b/make_global.py --- a/make_global.py +++ b/make_global.py @@ -5,22 +5,27 @@ import subprocess import sys import time +POM_CERT_NAME = 'pomerium-proxy-tls' +AUTH_HOST = 'authenticate2.bigasterisk.com' -def getSuffixedName() -> str: - ns = 'pomerium' +(phase,) = sys.argv[1:] + + +def secretExists(qname): + ns, localName = qname.split('/') j = json.loads(subprocess.check_output(["kubectl", "get", "-n", ns, "secret", "-o", "json"]).decode('utf8')) for item in j['items']: name = item['metadata']['name'] - if name.startswith('pomerium-proxy-tls'): - return ns + '/' + name + if name == localName: + return raise ValueError() -def retryGetSuffixedName() -> str: - sys.stderr.write("\nwait for secret: ") +def waitForSecret(qname): + sys.stderr.write(f"\nwait for secret {qname}: ") for tries in range(100): try: - return getSuffixedName() + return secretExists(qname) except ValueError: sys.stderr.write('.') sys.stderr.flush() @@ -28,37 +33,47 @@ def retryGetSuffixedName() -> str: else: raise ValueError +def pomeriumGlobalConfig(): -config = { - 'apiVersion': "ingress.pomerium.io/v1", - 'kind': "Pomerium", - 'metadata': { - 'name': "global" - }, - 'spec': { - 'secrets': "pomerium/bootstrap", - 'authenticate': { - 'url': "https://authenticate.bigasterisk.com" - }, - 'cookie': { - 'expire': "20h" + config = { + 'apiVersion': "ingress.pomerium.io/v1", + 'kind': "Pomerium", + 'metadata': { + 'name': "global" }, - 'identityProvider': { - 'provider': "oidc", - 'url': "https://accounts.google.com", - 'scopes': [ - "openid", - "email", - "profile" # adds name+locale to user details - ], - 'secret': "pomerium/idp" - }, -# 'storage': { -# 'postgres': { -# 'secret': "pomerium/postgres-connection-key" -# } -# }, + 'spec': { + 'secrets': "pomerium/bootstrap", + 'authenticate': { + 'url': f"https://{AUTH_HOST}" + }, + 'cookie': { + 'expire': "20h" + }, + 'identityProvider': { + 'provider': "oidc", + 'url': "https://accounts.google.com", + 'scopes': [ + "openid", + "email", + "profile" # adds name+locale to user details + ], + 'secret': "pomerium/idp" + }, + # 'storage': { + # 'postgres': { + # 'secret': "pomerium/postgres-connection-key" + # } + # }, + } } + + if phase == 'wait_for_cert': + waitForSecret('pomerium/pomerium-proxy-tls') + config['spec']['certificates'] = [f'pomerium/{POM_CERT_NAME}'] + + sys.stderr.write('\n') + return config + def pomCert(): return { "apiVersion": "cert-manager.io/v1", @@ -79,14 +94,9 @@ def pomCert(): } } -# Old note: pom won't start up if this cert doesn't exist, so you have to run once -# with it commented out, then after cert success, run again with it enabled. +if phase == 'output_pom_cert': + output = pomCert() +else: + output = pomeriumGlobalConfig() -config['spec']['certificates'] = [ - # retryGetSuffixedName() # it appear this is a temporary cert and we should set the line below then wait a few minutes - 'pomerium/pomerium-proxy-tls' -] - -sys.stderr.write('\n') - -print(json.dumps(config)) +print(json.dumps(output)) diff --git a/tasks.py b/tasks.py --- a/tasks.py +++ b/tasks.py @@ -1,41 +1,58 @@ -import sys import time from invoke import task -from invoke.exceptions import UnexpectedExit - - -def authCert(ctx): - for tries in range(100): - try: - ctx.run("kubectl apply -f config/60-auth-cert.yaml", echo=True, ) - sys.stderr.write("worked") - return - except UnexpectedExit: - time.sleep(2) - sys.stderr.write('.') - sys.stderr.flush() - raise ValueError - @task def run(ctx): ctx.run("kubectl delete -n pomerium job/pomerium-gen-secrets --ignore-not-found", echo=True) - ctx.run("skaffold run -f use-invoke-not-skaffold.yaml", echo=True) - authCert(ctx) - ctx.run("./make_global.py | kubectl apply -f -", echo=True) + ctx.run("kubectl kustomize upstream | kubectl apply -f -", echo=True) + print("let CM start up") + time.sleep(15) + ctx.run("kubectl apply -f config/05-idp-secret.yaml", echo=True) + ctx.run("kubectl apply -f config/dns-secret.yaml", echo=True) + # ctx.run("kubectl apply -f config/06-postgres.yaml", echo=True) ctx.run("kubectl apply -f config/51-pomerium-production-issuer.yaml", echo=True) ctx.run("kubectl apply -f config/51-pomerium-staging-issuer.yaml", echo=True) + ctx.run("kubectl apply -f config/dns-issuers.yaml", echo=True) + ctx.run("./make_global.py no_cert | kubectl apply -f -", echo=True) + + ctx.run("./make_global.py output_pom_cert | kubectl apply -f -", echo=True) + # that will make infinite certs :( Clean up the redundant requests before LE ratelimits! + # k delete -n pomerium certificaterequests.cert-manager.io + + ctx.run("kubectl apply -f ingress/default.yaml", echo=True) + ctx.run("kubectl apply -f ingress/static.yaml", echo=True) + + # this may wait for + # 1) nothing; cert+secret exist + # 2) a letsencrypt session + # 3) a cert-manager delay before a LE session (e.g. 45 minutes) + ctx.run("./make_global.py wait_for_cert | kubectl apply -f -", echo=True) @task def delete(ctx): - # todo don't delete certs that have big timeouts to remake + ctx.run("kubectl delete pomerium/global --ignore-not-found", echo=True) + ctx.run("kubectl delete -f config/dns-issuers.yaml --ignore-not-found", echo=True) ctx.run("kubectl delete -f config/51-pomerium-staging-issuer.yaml --ignore-not-found", echo=True) ctx.run("kubectl delete -f config/51-pomerium-production-issuer.yaml --ignore-not-found", echo=True) - ctx.run("kubectl delete -f config/60-auth-cert.yaml --ignore-not-found", echo=True) - ctx.run("kubectl delete pomerium/global --ignore-not-found", echo=True) - ctx.run("skaffold delete -f use-invoke-not-skaffold.yaml ", echo=True) + ctx.run("kubectl delete -f config/06-postgres.yaml --ignore-not-found", echo=True) + ctx.run("kubectl delete -f config/05-idp-secret.yaml --ignore-not-found", echo=True) + + # the kustomize workloads and svcs + for type, ns, name in [ + ('job', 'pomerium', 'pomerium-gen-secrets'), + ('deploy', 'cert-manager', 'cert-manager'), + ('deploy', 'cert-manager', 'cert-manager-cainjector'), + ('deploy', 'cert-manager', 'cert-manager-webhook'), + ('deploy', 'pomerium', 'pomerium'), + ('service', 'cert-manager', 'cert-manager'), + ('service', 'cert-manager', 'cert-manager-webhook'), + ('service', 'pomerium', 'pomerium-metrics'), + ('service', 'pomerium', 'pomerium-proxy'), + ]: + ctx.run(f"kubectl delete -n {ns} {type} {name} --ignore-not-found", echo=True) + ctx.run("kubectl delete -n pomerium job/pomerium-gen-secrets --ignore-not-found", echo=True) diff --git a/use-invoke-not-skaffold.yaml b/use-invoke-not-skaffold.yaml deleted file mode 100644 --- a/use-invoke-not-skaffold.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: skaffold/v3 -kind: Config -metadata: - name: pomerium -manifests: - kustomize: - paths: - - "upstream" - - "config" - rawYaml: - - ingress/default.yaml - - ingress/static.yaml