Files @ 0f6176ce0b46

Location: pomerium/make_global.py

drewp@bigasterisk.com
refactor retry code, but then don't use it since it seems we don't want the suffixed name after all
#!/usr/bin/python3

import json
import subprocess
import sys
import time


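def getSuffixedName() -> str:
    """Return ``namespace/name`` of the first secret in the ``pomerium``
    namespace whose name starts with ``pomerium-proxy-tls``.

    The lookup shells out to ``kubectl get secret -o json`` (argument list,
    no shell) and uses only each item's ``metadata.name``; secret contents
    are parsed but never returned or printed. Because this is a prefix
    match, a temporary certificate secret with the same prefix may be
    matched before the intended one exists, which is why the caller in this
    file pins a fixed name instead.

    Raises:
        ValueError: no secret with that prefix exists (yet).
        subprocess.CalledProcessError: ``kubectl`` exited non-zero.
    """
    ns = 'pomerium'
    prefix = 'pomerium-proxy-tls'
    out = subprocess.check_output(
        ["kubectl", "get", "-n", ns, "secret", "-o", "json"],
        encoding='utf8',  # same decoding as before, without a separate .decode()
    )
    for item in json.loads(out)['items']:
        name = item['metadata']['name']
        if name.startswith(prefix):
            return f'{ns}/{name}'
    # Message names what was searched so a retry loop's final error is actionable.
    raise ValueError(f'no secret starting with {prefix!r} in namespace {ns!r}')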


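def retryGetSuffixedName(attempts: int = 100, delay: float = 10.0) -> str:
    """Poll :func:`getSuffixedName` until the secret exists.

    Writes one ``.`` to stderr per failed lookup so an operator watching the
    run can see it is still waiting. Defaults match the original hard-coded
    100 tries, 10 seconds apart.

    Args:
        attempts: maximum number of lookups before giving up.
        delay: seconds to sleep between failed lookups.

    Raises:
        ValueError: the secret never appeared within ``attempts`` tries.
    """
    sys.stderr.write("\nwait for secret: ")
    for attempt in range(attempts):
        try:
            return getSuffixedName()
        except ValueError:
            sys.stderr.write('.')
            sys.stderr.flush()
            # No point sleeping after the final failure; nothing follows it.
            if attempt + 1 < attempts:
                time.sleep(delay)
    raise ValueError(f'secret did not appear after {attempts} attempts')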


# The global Pomerium resource, assembled from its sub-sections and printed as
# JSON on stdout at the end of the script. All 'secret'/'secrets' values are
# secret *names* (namespace/name), not secret contents.
identity_provider = {
    'provider': "oidc",
    'url': "https://accounts.google.com",
    'scopes': [
        "openid",
        "email",
        "profile",  # adds name+locale to user details
    ],
    'secret': "pomerium/idp",
}

# Old note: pom won't start up if this cert doesn't exist, so you have to run once
# with it commented out, then after cert success, run again with it enabled.
#
# retryGetSuffixedName() is deliberately not used here: it appears to return a
# temporary cert, so the fixed name below is set instead and one then waits a
# few minutes for it.
certificates = [
    'pomerium/pomerium-proxy-tls',
]

# Key order matters only for the emitted JSON; it is kept identical to the
# previous layout (certificates last).
spec = {
    'secrets': "pomerium/bootstrap",
    'authenticate': {'url': "https://authenticate.bigasterisk.com"},
    'cookie': {'expire': "20h"},
    'identityProvider': identity_provider,
    'storage': {'postgres': {'secret': "pomerium/postgres-connection-key"}},
    'certificates': certificates,
}

config = {
    'apiVersion': "ingress.pomerium.io/v1",
    'kind': "Pomerium",
    'metadata': {'name': "global"},
    'spec': spec,
}

sys.stderr.write('\n')

print(json.dumps(config))