#!/usr/bin/python3
import json
import subprocess
import sys
import time
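# Name of the cert-manager Certificate and of the Secret it is stored in
# (both live in the "pomerium" namespace; see pomCert()).
POM_CERT_NAME = 'pomerium-proxy-tls'
# Public hostname of the Pomerium authenticate service; used both as the
# authenticate URL and as the certificate's DNS name.
AUTH_HOST = 'authenticate2.bigasterisk.com'

# The single positional argument selects what the script emits
# ('output_pom_cert' or 'wait_for_cert'; anything else yields the plain
# Pomerium config). A wrong argument count used to surface as an opaque
# tuple-unpacking ValueError, so validate it and print a usage line instead.
if len(sys.argv) != 2:
    sys.exit(f"usage: {sys.argv[0]} <phase>")
phase = sys.argv[1]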
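def secretExists(qname):
    """Check that the Secret ``qname`` ("namespace/name") exists in the cluster.

    Returns None when the secret is present. The "missing" case is signalled by
    raising ValueError, which is what waitForSecret() polls on.

    Args:
        qname: Secret reference of the form ``namespace/name``.

    Raises:
        ValueError: ``qname`` is not ``namespace/name``, or no secret with that
            name exists in that namespace.
        subprocess.CalledProcessError: the kubectl invocation itself failed.
    """
    parts = qname.split('/')
    if len(parts) != 2 or not all(parts):
        # Fail with a message naming the bad value instead of a bare
        # "not enough values to unpack" from the tuple assignment.
        raise ValueError(f"secret reference must be namespace/name, got {qname!r}")
    ns, localName = parts
    # Ask the API server for just this one secret by name. An existence check
    # needs no secret data, so don't pull every secret in the namespace
    # (including their contents) through this process's memory and stdout.
    raw = subprocess.check_output([
        "kubectl", "get", "-n", ns, "secret",
        "--field-selector", f"metadata.name={localName}",
        "-o", "json",
    ]).decode('utf8')
    items = json.loads(raw).get('items', [])
    if not any(item['metadata']['name'] == localName for item in items):
        raise ValueError(f"secret {qname} not found")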
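def waitForSecret(qname, *, tries=100, delay=10):
    """Block until the Secret ``qname`` exists, polling secretExists().

    Progress is written to stderr as one dot per failed check.

    Args:
        qname: Secret reference of the form ``namespace/name``.
        tries: number of existence checks before giving up (default 100).
        delay: seconds to sleep between consecutive checks (default 10).

    Returns:
        None once the secret has been seen.

    Raises:
        ValueError: the secret did not appear within ``tries`` checks.
    """
    err = sys.stderr
    err.write(f"\nwait for secret {qname}: ")
    for attempt in range(tries):
        try:
            return secretExists(qname)
        except ValueError:
            err.write('.')
            err.flush()
            # Skip the sleep after the final failed check so the caller gets
            # the error right away rather than after one more delay.
            if attempt < tries - 1:
                time.sleep(delay)
    raise ValueError(f"secret {qname} did not appear after {tries} checks")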
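def pomeriumGlobalConfig():
    """Build the cluster-wide ``Pomerium`` resource (ingress.pomerium.io/v1).

    Secret references in the spec are ``namespace/name`` strings. In the
    'wait_for_cert' phase this additionally blocks until the proxy TLS secret
    (``pomerium/<POM_CERT_NAME>``, the one pomCert() has cert-manager write)
    exists and then lists it under ``spec.certificates``; in any other phase
    the certificates key is left out.

    Reads the module-level ``phase``.

    Returns:
        The resource as a JSON-serialisable dict.

    Raises:
        ValueError: propagated from waitForSecret() if the secret never appears.
    """
    config = {
        'apiVersion': "ingress.pomerium.io/v1",
        'kind': "Pomerium",
        'metadata': {
            'name': "global"
        },
        'spec': {
            'secrets': "pomerium/bootstrap",
            'authenticate': {
                'url': f"https://{AUTH_HOST}"
            },
            'cookie': {
                # Session cookie lifetime.
                'expire': "20h"
            },
            'identityProvider': {
                'provider': "oidc",
                'url': "https://accounts.google.com",
                'scopes': [
                    "openid",
                    "email",
                    "profile"  # adds name+locale to user details
                ],
                'secret': "pomerium/idp"
            },
            # 'storage': {
            #     'postgres': {
            #         'secret': "pomerium/postgres-connection-key"
            #     }
            # },
        }
    }
    if phase == 'wait_for_cert':
        # Build the reference once from the constant so the secret waited
        # for and the one referenced in the spec cannot drift apart.
        certRef = f'pomerium/{POM_CERT_NAME}'
        waitForSecret(certRef)
        config['spec']['certificates'] = [certRef]
        sys.stderr.write('\n')
    return config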
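def pomCert():
    """Build the cert-manager ``Certificate`` (cert-manager.io/v1) for the proxy.

    The certificate is named POM_CERT_NAME in the "pomerium" namespace, covers
    AUTH_HOST, is issued by the ``letsencrypt-dns-prod`` ClusterIssuer, and is
    stored in the Secret of the same name — the secret pomeriumGlobalConfig()
    waits for and references in the 'wait_for_cert' phase.

    Returns:
        The resource as a JSON-serialisable dict.
    """
    return {
        "apiVersion": "cert-manager.io/v1",
        "kind": "Certificate",
        "metadata": {
            "name": POM_CERT_NAME,
            "namespace": "pomerium"
        },
        "spec": {
            "dnsNames": [
                AUTH_HOST
            ],
            "issuerRef": {
                "kind": "ClusterIssuer",
                "name": "letsencrypt-dns-prod"
            },
            # Tie the target secret to the constant rather than repeating the
            # literal, so the Pomerium config's certificate reference and this
            # secret name cannot diverge.
            "secretName": POM_CERT_NAME
        }
    }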
# Choose the document to emit for this phase: 'output_pom_cert' yields the
# Certificate, every other phase the Pomerium config (which itself waits for
# the TLS secret when the phase is 'wait_for_cert').
builders = {'output_pom_cert': pomCert}
build = builders.get(phase, pomeriumGlobalConfig)
output = build()
print(json.dumps(output))