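#!/usr/bin/python3
"""Emit Pomerium Kubernetes manifests as JSON, selected by a phase argument.

Usage: <script> PHASE

    output_pom_cert  print the cert-manager Certificate for the proxy TLS secret
    wait_for_cert    block until that TLS secret exists in the cluster, then
                     print the global Pomerium config with it attached
    <anything else>  print the global Pomerium config without certificates

Secrets (bootstrap, IdP client secret, TLS) are referenced by name only;
nothing sensitive is embedded in the emitted manifests.
"""
import json
import subprocess
import sys
import time

POM_NAMESPACE = 'pomerium'
POM_CERT_NAME = 'pomerium-proxy-tls'
AUTH_HOST = 'authenticate2.bigasterisk.com'

# waitForSecret gives up after SECRET_WAIT_TRIES polls spaced
# SECRET_WAIT_INTERVAL_S seconds apart (100 * 10 s, as before).
SECRET_WAIT_TRIES = 100
SECRET_WAIT_INTERVAL_S = 10


def secretExists(qname):
    """Return True if the Secret *qname* ("namespace/name") exists.

    Args:
        qname: qualified secret name, exactly one '/' between namespace and name.

    Raises:
        ValueError: if *qname* is not of the form "namespace/name".
        subprocess.CalledProcessError: if kubectl itself fails (auth, RBAC,
            network). That is deliberately not folded into "not found" so a
            broken cluster connection does not look like a slow cert issuance.
    """
    ns, sep, localName = qname.partition('/')
    if not sep or not ns or not localName or '/' in localName:
        raise ValueError(f"expected 'namespace/name', got {qname!r}")
    # kubectl runs as an argument list (no shell). The field selector makes
    # the list contain only the one secret we care about, so this process does
    # not receive every secret in the namespace together with its data.
    raw = subprocess.check_output([
        "kubectl", "get", "-n", ns, "secret",
        "--field-selector", f"metadata.name={localName}",
        "-o", "json",
    ])
    items = json.loads(raw.decode('utf8')).get('items', [])
    # Compare names explicitly rather than trusting a non-empty list.
    return any(item['metadata']['name'] == localName for item in items)


def waitForSecret(qname):
    """Poll until Secret *qname* exists, writing one '.' per miss to stderr.

    Args:
        qname: qualified secret name ("namespace/name").

    Raises:
        ValueError: if the secret is still absent after SECRET_WAIT_TRIES polls.
        subprocess.CalledProcessError: propagated from secretExists.
    """
    sys.stderr.write(f"\nwait for secret {qname}: ")
    for attempt in range(1, SECRET_WAIT_TRIES + 1):
        if secretExists(qname):
            return
        sys.stderr.write('.')
        sys.stderr.flush()
        # No point sleeping after the final failed poll.
        if attempt < SECRET_WAIT_TRIES:
            time.sleep(SECRET_WAIT_INTERVAL_S)
    raise ValueError(
        f"secret {qname} did not appear within "
        f"{SECRET_WAIT_TRIES * SECRET_WAIT_INTERVAL_S} seconds")


def pomeriumGlobalConfig(phase):
    """Build the cluster-wide Pomerium resource.

    Args:
        phase: the CLI phase. For 'wait_for_cert' this blocks until the proxy
            TLS secret exists and then lists it in spec.certificates; any
            other value yields the same config without certificates (the
            initial bring-up, before cert-manager has issued anything).

    Returns:
        The Pomerium resource as a plain dict, ready for json.dumps.
    """
    config = {
        'apiVersion': "ingress.pomerium.io/v1",
        'kind': "Pomerium",
        'metadata': {
            'name': "global"
        },
        'spec': {
            'secrets': f"{POM_NAMESPACE}/bootstrap",
            'authenticate': {
                'url': f"https://{AUTH_HOST}"
            },
            'cookie': {
                'expire': "20h"
            },
            'identityProvider': {
                'provider': "oidc",
                'url': "https://accounts.google.com",
                'scopes': [
                    "openid",
                    "email",
                    "profile"  # adds name+locale to user details
                ],
                # OIDC client id/secret live in this Secret, not in this file.
                'secret': f"{POM_NAMESPACE}/idp"
            },
            # Persistent storage is intentionally left unset; enabling it
            # would look like:
            # 'storage': {
            #     'postgres': {
            #         'secret': "pomerium/postgres-connection-key"
            #     }
            # },
        }
    }
    if phase == 'wait_for_cert':
        # Same constant as pomCert's secretName, so the two cannot drift apart.
        waitForSecret(f'{POM_NAMESPACE}/{POM_CERT_NAME}')
        config['spec']['certificates'] = [f'{POM_NAMESPACE}/{POM_CERT_NAME}']
        sys.stderr.write('\n')
    return config


def pomCert():
    """Build the cert-manager Certificate whose issued TLS material lands in
    the Secret named POM_CERT_NAME in POM_NAMESPACE.

    Returns:
        The Certificate resource as a plain dict.
    """
    return {
        "apiVersion": "cert-manager.io/v1",
        "kind": "Certificate",
        "metadata": {
            "name": POM_CERT_NAME,
            "namespace": POM_NAMESPACE
        },
        "spec": {
            "dnsNames": [
                AUTH_HOST
            ],
            "issuerRef": {
                "kind": "ClusterIssuer",
                "name": "letsencrypt-dns-prod"
            },
            # Must match the secret pomeriumGlobalConfig waits for.
            "secretName": POM_CERT_NAME
        }
    }


def main(argv):
    """CLI entry point: pick the manifest for argv[1] and print it as JSON.

    Returns:
        Process exit status (2 on a usage error).
    """
    if len(argv) != 2:
        sys.stderr.write(f"usage: {argv[0]} PHASE\n")
        return 2
    phase = argv[1]
    if phase == 'output_pom_cert':
        output = pomCert()
    else:
        output = pomeriumGlobalConfig(phase)
    print(json.dumps(output))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))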