#!/usr/bin/python3
import json
import subprocess
import sys
import time
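def getSuffixedName(ns: str = 'pomerium', prefix: str = 'pomerium-proxy-tls') -> str:
    """Return "NAMESPACE/NAME" of the first Secret in *ns* whose name starts with *prefix*.

    Only secret *names* are requested from kubectl (``-o name``), so the
    secret payloads (TLS private keys etc.) are never pulled into this
    process just to read a name.

    Args:
        ns: namespace to search (default "pomerium").
        prefix: name prefix to match (default "pomerium-proxy-tls"); the
            generated secret carries a suffix after it, hence "suffixed".

    Returns:
        ``ns + '/' + name`` for the first match, in the order kubectl lists
        them. First match wins, so any other secret that happens to share
        the prefix would be returned instead.

    Raises:
        ValueError: no secret in *ns* starts with *prefix*.
        subprocess.CalledProcessError: kubectl exited non-zero.
    """
    listing = subprocess.check_output(
        ["kubectl", "get", "-n", ns, "secret", "-o", "name"], text=True)
    # "-o name" prints one "secret/<name>" per line
    for line in listing.splitlines():
        _kind, _, name = line.strip().partition('/')
        if name.startswith(prefix):
            return ns + '/' + name
    raise ValueError(f"no secret named {prefix}* in namespace {ns}")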
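def retryGetSuffixedName(*, tries: int = 100, delay: float = 10.0, fetch=None) -> str:
    """Poll getSuffixedName() until it finds the secret or *tries* attempts are used up.

    Progress goes to stderr: a "wait for secret: " header and one dot per
    failed attempt, so the operator can see the script is still alive while
    the certificate is being issued.

    Args:
        tries: maximum number of attempts (default 100).
        delay: seconds to sleep after each failed attempt, including the
            last one (default 10).
        fetch: zero-argument callable that returns the name or raises
            ValueError; defaults to getSuffixedName. Exposed so the retry
            loop can be exercised without a cluster.

    Returns:
        Whatever the first successful *fetch* call returned.

    Raises:
        ValueError: every attempt raised ValueError (the secret never appeared).
    """
    if fetch is None:
        fetch = getSuffixedName
    sys.stderr.write("\nwait for secret: ")
    for _attempt in range(tries):
        try:
            return fetch()
        except ValueError:
            sys.stderr.write('.')
            sys.stderr.flush()
            time.sleep(delay)
    raise ValueError(f"secret did not appear after {tries} tries")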
# Pomerium global configuration, emitted as JSON at the end of the script.
# Every "secret" entry is a "namespace/name" reference resolved in-cluster;
# no secret material is embedded in this file.
_authenticate = {'url': "https://authenticate.bigasterisk.com"}
_cookie = {'expire': "20h"}
_identity_provider = {
    'provider': "oidc",
    'url': "https://accounts.google.com",
    # "profile" adds name+locale to user details
    'scopes': ["openid", "email", "profile"],
    'secret': "pomerium/idp",
}
config = {
    'apiVersion': "ingress.pomerium.io/v1",
    'kind': "Pomerium",
    'metadata': {'name': "global"},
    'spec': {
        'secrets': "pomerium/bootstrap",
        'authenticate': _authenticate,
        'cookie': _cookie,
        'identityProvider': _identity_provider,
        # postgres storage, currently disabled:
        # 'storage': {'postgres': {'secret': "pomerium/postgres-connection-key"}},
    },
}
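def pomCert(cert_name=None, auth_host=None) -> dict:
    """Build the cert-manager Certificate manifest for the Pomerium proxy TLS cert.

    Args:
        cert_name: metadata.name of the Certificate; defaults to the module
            global POM_CERT_NAME.
        auth_host: DNS name the certificate covers; defaults to the module
            global AUTH_HOST.

    Returns:
        A cert-manager.io/v1 Certificate dict. The issued cert lands in Secret
        "pomerium-proxy-tls" in namespace "pomerium", i.e. the
        'pomerium/pomerium-proxy-tls' entry placed in
        config['spec']['certificates'] further down.

    Raises:
        NameError: POM_CERT_NAME and AUTH_HOST are not defined anywhere in
            this file, so calling with either argument omitted fails unless
            they are defined elsewhere. Nothing in this file calls pomCert().
    """
    if cert_name is None:
        cert_name = POM_CERT_NAME
    if auth_host is None:
        auth_host = AUTH_HOST
    return {
        "apiVersion": "cert-manager.io/v1",
        "kind": "Certificate",
        "metadata": {
            "name": cert_name,
            "namespace": "pomerium",
        },
        "spec": {
            "dnsNames": [auth_host],
            "issuerRef": {
                "kind": "ClusterIssuer",
                "name": "letsencrypt-dns-prod",
            },
            "secretName": "pomerium-proxy-tls",
        },
    }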
# Old note: pom won't start up if this cert doesn't exist, so you have to run once
# with it commented out, then after cert success, run again with it enabled.
#
# retryGetSuffixedName() is no longer used here: the suffixed secret it finds
# appears to be a temporary cert. Reference the final cert-manager secret below
# instead, then wait a few minutes for it to be issued.
proxy_tls_secret = 'pomerium/pomerium-proxy-tls'
config['spec']['certificates'] = [proxy_tls_secret]
# terminate the progress line retryGetSuffixedName() would have started
sys.stderr.write('\n')
print(json.dumps(config))