Changeset - 0f6176ce0b46
default
drewp@bigasterisk.com - 18 months ago 2023-06-20 05:18:30
drewp@bigasterisk.com
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
1 file changed with 19 insertions and 17 deletions:
make_global.py
 
#!/usr/bin/python3
 

	
 
import json
 
import subprocess
 
import sys
 
import time
 

	
 

	
 
def getSuffixedName() -> str:
 
    ns = 'pomerium'
 
    j = json.loads(subprocess.check_output(["kubectl", "get", "-n", ns, "secret", "-o", "json"]).decode('utf8'))
 
    for item in j['items']:
 
        name = item['metadata']['name']
 
        if name.startswith('pomerium-proxy-tls-'):
 
        if name.startswith('pomerium-proxy-tls'):
 
            return ns + '/' + name
 
    raise ValueError()
 

	
 

	
 
def retryGetSuffixedName() -> str:
 
    sys.stderr.write("\nwait for secret: ")
 
    for tries in range(100):
 
        try:
 
            return getSuffixedName()
 
        except ValueError:
 
            sys.stderr.write('.')
 
            sys.stderr.flush()
 
            time.sleep(10)
 
    else:
 
        raise ValueError
 

	
 

	
 
config = {
 
    'apiVersion': "ingress.pomerium.io/v1",
 
    'kind': "Pomerium",
 
    'metadata': {
 
        'name': "global"
 
    },
 
    'spec': {
 
        'secrets': "pomerium/bootstrap",
 
        'authenticate': {
 
            'url': "https://authenticate.bigasterisk.com"
 
        },
 
        'cookie': {
 
            'expire': "20h"
 
        },
 
        'identityProvider': {
 
            'provider': "oidc",
 
            'url': "https://accounts.google.com",
 
            'scopes': [
 
                "openid",
 
                "email",
 
                "profile"  # adds name+locale to user details
 
            ],
 
            'secret': "pomerium/idp"
 
        },
 
        'storage': {
 
            'postgres': {
 
                'secret': "pomerium/postgres-connection-key"
 
            }
 
        },
 
    }
 
}
 

	
 
# Old note: pom won't start up if this cert doesn't exist, so you have to run once
 
# with it commented out, then after cert success, run again with it enabled.
 

	
 
sys.stderr.write("wait for secret: ")
 
for tries in range(100):
 
    try:
 
        config['spec']['certificates'] = [
 
            #getSuffixedName()
 
            'pomerium/pomerium-proxy-tls'
 
            ]
 
    except ValueError:
 
        sys.stderr.write('.')
 
        sys.stderr.flush()
 
        time.sleep(10)
 
    else:
 
        break
 
else:
 
    raise ValueError
 
config['spec']['certificates'] = [
 
    # retryGetSuffixedName() # it appear this is a temporary cert and we should set the line below then wait a few minutes
 
    'pomerium/pomerium-proxy-tls'
 
]
 

	
 
sys.stderr.write('\n')
 

	
 
print(json.dumps(config))
 
\ No newline at end of file
 
print(json.dumps(config))
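Review bot: getSuffixedName still fetches every Secret in the namespace with its full data (`-o json`) only to read the names, and the new retryGetSuffixedName keeps that call alive as a retained helper even though the commit stops calling it; listing with `-o name` keeps secret material out of this process and any captured output, e.g. `names = subprocess.check_output(["kubectl", "get", "-n", ns, "secret", "-o", "name"]).decode('utf8').split()` followed by `for name in (line.split('/', 1)[1] for line in names):` in place of the json parse and the `j['items']` loop. The loosened prefix on the new `if name.startswith('pomerium-proxy-tls'):` line also matches the unsuffixed `pomerium-proxy-tls` secret, so when both a temporary and a final secret exist the return value depends on kubectl's listing order; since the commit message says the suffixed name is not wanted, a comment stating that the helper is intentionally unused, `# unused: the unsuffixed pomerium/pomerium-proxy-tls secret is set directly below`, would stop the next reader from re-enabling it. In retryGetSuffixedName the `else: raise ValueError` after 100 tries carries no message; `raise ValueError("no pomerium-proxy-tls secret appeared after 100 tries")` makes the failure mode visible in the log.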