diff --git a/tasks.py b/tasks.py
--- a/tasks.py
+++ b/tasks.py
@@ -1,41 +1,58 @@
-import sys
 import time
 from invoke import task
-from invoke.exceptions import UnexpectedExit
-
-
-def authCert(ctx):
- for tries in range(100):
- try:
- ctx.run("kubectl apply -f config/60-auth-cert.yaml", echo=True, )
- sys.stderr.write("worked")
- return
- except UnexpectedExit:
- time.sleep(2)
- sys.stderr.write('.')
- sys.stderr.flush()
- raise ValueError
-
 @task
 def run(ctx):
 ctx.run("kubectl delete -n pomerium job/pomerium-gen-secrets --ignore-not-found", echo=True)
- ctx.run("skaffold run -f use-invoke-not-skaffold.yaml", echo=True)
- authCert(ctx)
- ctx.run("./make_global.py | kubectl apply -f -", echo=True)
+ ctx.run("kubectl kustomize upstream | kubectl apply -f -", echo=True)
+ print("let CM start up")
+ time.sleep(15)
+ ctx.run("kubectl apply -f config/05-idp-secret.yaml", echo=True)
+ ctx.run("kubectl apply -f config/dns-secret.yaml", echo=True)
+ # ctx.run("kubectl apply -f config/06-postgres.yaml", echo=True)
 ctx.run("kubectl apply -f config/51-pomerium-production-issuer.yaml", echo=True)
 ctx.run("kubectl apply -f config/51-pomerium-staging-issuer.yaml", echo=True)
+ ctx.run("kubectl apply -f config/dns-issuers.yaml", echo=True)
+ ctx.run("./make_global.py no_cert | kubectl apply -f -", echo=True)
+
+ ctx.run("./make_global.py output_pom_cert | kubectl apply -f -", echo=True)
+ # that will make infinite certs :( Clean up the redundant requests before LE ratelimits!
+ # k delete -n pomerium certificaterequests.cert-manager.io
+
+ ctx.run("kubectl apply -f ingress/default.yaml", echo=True)
+ ctx.run("kubectl apply -f ingress/static.yaml", echo=True)
+
+ # this may wait for
+ # 1) nothing; cert+secret exist
+ # 2) a letsencrypt session
+ # 3) a cert-manager delay before a LE session (e.g. 
45 minutes)
+ ctx.run("./make_global.py wait_for_cert | kubectl apply -f -", echo=True)
 @task
 def delete(ctx):
- # todo don't delete certs that have big timeouts to remake
+ ctx.run("kubectl delete pomerium/global --ignore-not-found", echo=True)
+ ctx.run("kubectl delete -f config/dns-issuers.yaml --ignore-not-found", echo=True)
 ctx.run("kubectl delete -f config/51-pomerium-staging-issuer.yaml --ignore-not-found", echo=True)
 ctx.run("kubectl delete -f config/51-pomerium-production-issuer.yaml --ignore-not-found", echo=True)
- ctx.run("kubectl delete -f config/60-auth-cert.yaml --ignore-not-found", echo=True)
- ctx.run("kubectl delete pomerium/global --ignore-not-found", echo=True)
- ctx.run("skaffold delete -f use-invoke-not-skaffold.yaml ", echo=True)
+ ctx.run("kubectl delete -f config/06-postgres.yaml --ignore-not-found", echo=True)
+ ctx.run("kubectl delete -f config/05-idp-secret.yaml --ignore-not-found", echo=True)
+
+ # the kustomize workloads and svcs
+ for type, ns, name in [
+ ('job', 'pomerium', 'pomerium-gen-secrets'),
+ ('deploy', 'cert-manager', 'cert-manager'),
+ ('deploy', 'cert-manager', 'cert-manager-cainjector'),
+ ('deploy', 'cert-manager', 'cert-manager-webhook'),
+ ('deploy', 'pomerium', 'pomerium'),
+ ('service', 'cert-manager', 'cert-manager'),
+ ('service', 'cert-manager', 'cert-manager-webhook'),
+ ('service', 'pomerium', 'pomerium-metrics'),
+ ('service', 'pomerium', 'pomerium-proxy'),
+ ]:
+ ctx.run(f"kubectl delete -n {ns} {type} {name} --ignore-not-found", echo=True)
+ ctx.run("kubectl delete -n pomerium job/pomerium-gen-secrets --ignore-not-found", echo=True)
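Review bot: The fixed `time.sleep(15)` after the kustomize apply in `run` is now the only readiness gate before the Issuer and Certificate applies, and it replaces the removed `authCert` retry loop, so on a slow cluster the cert-manager webhook may not yet be admitting resources and the following `kubectl apply` calls fail with no retry. A condition wait is more dependable than a timer, e.g. `ctx.run("kubectl wait -n cert-manager deploy/cert-manager-webhook --for=condition=Available --timeout=120s", echo=True)` in place of the print/sleep pair. The `output_pom_cert` step ships with a comment admitting it creates redundant CertificateRequests that can exhaust the Let's Encrypt rate limit; rather than a manual `k delete` reminder, the cleanup should be a step of the task or the step skipped when the cert secret already exists. In `delete`, the loop variable `type` shadows the builtin (`for kind, ns, name in [...]` reads better), and the trailing `kubectl delete -n pomerium job/pomerium-gen-secrets` repeats the `('job', 'pomerium', 'pomerium-gen-secrets')` entry already handled by the loop.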