diff --git a/make_global.py b/make_global.py
new file mode 100755
--- /dev/null
+++ b/make_global.py
@@ -0,0 +1,72 @@
+#!/usr/bin/python3
+
+import json
+import subprocess
+import sys
+import time
+
+
+def getSuffixedName() -> str:
+    ns = 'pomerium'
+    j = json.loads(subprocess.check_output(["kubectl", "get", "-n", ns, "secret", "-o", "json"]).decode('utf8'))
+    for item in j['items']:
+        name = item['metadata']['name']
+        if name.startswith('pomerium-proxy-tls-'):
+            return ns + '/' + name
+    raise ValueError()
+
+
+config = {
+    'apiVersion': "ingress.pomerium.io/v1",
+    'kind': "Pomerium",
+    'metadata': {
+        'name': "global"
+    },
+    'spec': {
+        'secrets': "pomerium/bootstrap",
+        'authenticate': {
+            'url': "https://authenticate.bigasterisk.com"
+        },
+        'cookie': {
+            'expire': "20h"
+        },
+        'identityProvider': {
+            'provider': "oidc",
+            'url': "https://accounts.google.com",
+            'scopes': [
+                "openid",
+                "email",
+                "profile"  # adds name+locale to user details
+            ],
+            'secret': "pomerium/idp"
+        },
+        'storage': {
+            'postgres': {
+                'secret': "pomerium/postgres-connection-key"
+            }
+        },
+    }
+}
+
+# Old note: pom won't start up if this cert doesn't exist, so you have to run once
+# with it commented out, then after cert success, run again with it enabled.
+
+sys.stderr.write("wait for secret: ")
+for tries in range(100):
+    try:
+        config['spec']['certificates'] = [
+            #getSuffixedName()
+            'pomerium/pomerium-proxy-tls'
+        ]
+    except ValueError:
+        sys.stderr.write('.')
+        sys.stderr.flush()
+        time.sleep(10)
+    else:
+        break
+else:
+    raise ValueError
+
+sys.stderr.write('\n')
+
+print(json.dumps(config))
\ No newline at end of file
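Review bot: The retry loop around `config['spec']['certificates']` can never retry, because the only call that raises `ValueError` (`getSuffixedName()`) is commented out, so the first iteration always reaches `break` and the "wait for secret" message, the `except ValueError` branch and the up-to-100×10 s wait are dead code; either restore the call or drop the loop, and if it stays, `for _ in range(100):` since `tries` is never read. In `getSuffixedName`, `kubectl get -n pomerium secret -o json` hands every Secret in the namespace, `data` included, to the script only so it can read names; `["kubectl", "get", "-n", ns, "secret", "-o", "jsonpath={.items[*].metadata.name}"]` followed by `.split()` keeps secret payloads out of the subprocess output and out of anything that captures this script's execution, and a `--field-selector type=kubernetes.io/tls` would narrow it further if the proxy certificate is a TLS-type Secret (not visible here). Both bare raises would be easier to diagnose with a message, e.g. `raise ValueError(f"no secret named pomerium-proxy-tls-* in namespace {ns}")` in the function and `raise ValueError("timed out waiting for secret")` in the for-else.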