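#!/usr/bin/env bash
#
# print-your-cert-controller
#
# A shell "controller" for cert-manager Certificate objects: it watches the
# certificates in the current kubectl namespace and, for every certificate
# that carries the annotation `print: "true"` and has a Ready condition,
# renders the certificate into two PNGs with cert-card and prints them on a
# Brother QL-820NWB label printer. Progress is tracked in a `Printed`
# condition in the certificate's status:
#
#   print=true, no Printed condition   -> set Printed=False (reason Pending)
#   print=true, Ready=True, Printed=False -> print both labels, set Printed=True
#   Printed=True                          -> nothing left to do
#
# Environment:
#   mock   set to a non-empty value to skip the printer (brother_ql) calls
#          and pretend every print succeeded.
#
# Required tools on PATH: kubectl, jq, base64, cert-card and (unless mocked)
# brother_ql.

# No `set -e`: this is a long-lived process and a single failed command (a
# flaky API call, a printer hiccup) must not take the whole controller down;
# failures are logged and the certificate is handled again on its next watch
# event. No `set -x` either, for the same reason (it would be very noisy).
set -uo pipefail

# For testing purposes: allows running ./print-your-cert-controller without
# having to put cert-card in PATH.
export PATH="$PATH:$PWD"

# Set to a non-empty value to skip the printer and pretend printing succeeded.
# (Lowercase name kept for compatibility with existing invocations.)
mock=${mock:-}

# Printer selection, shared by the front and back label prints.
printer_args=(--model QL-820NWB --printer usb://0x04f9:0x209d)
readonly printer_args

#######################################
# Log one line about a certificate on stdout.
# Arguments: $1 - certificate name
#            $2 - message
# The message is always passed to printf as an *argument*, never as the
# format string: annotation values and printer output end up in these
# messages, are controlled by whoever can edit the Certificate or by the
# printer, and may legitimately contain '%'.
#######################################
log() {
  printf '%s: %s\n' "$1" "$2"
}

#######################################
# Send one PNG to the label printer, or pretend to when $mock is set.
# Globals:   mock (read), printer_args (read)
# Arguments: $1 - path of the PNG to print
# Outputs:   brother_ql's combined stdout/stderr (or a mock line) on stdout
# Returns:   brother_ql's exit status (always 0 when mocked)
#######################################
print_label() {
  local png=$1
  if [[ -n $mock ]]; then
    printf 'mocked output for printing %s\n' "$png"
    return 0
  fi
  brother_ql "${printer_args[@]}" print --label 62 "$png" 2>&1
}

#######################################
# Set the "Printed" condition of a certificate through the status
# subresource, keeping every other condition (in particular Ready) as it was
# in the watched object. Replacing the whole array with only the Printed
# condition would drop Ready until cert-manager re-adds it.
# Arguments: $1 - the certificate's JSON, as received from the watch
#            $2 - condition status ("True" or "False")
#            $3 - condition reason (optional, omitted when empty)
#            $4 - condition message (optional, omitted when empty)
# Outputs:   kubectl's combined stdout/stderr on stdout
# Returns:   non-zero if the patch could not be built or applied
# NOTE(review): the other conditions come from the watched object, not from a
# fresh read, so a status update made by cert-manager between the event and
# this patch can be overwritten; cert-manager reconciles again afterwards.
#######################################
set_printed_condition() {
  local cert=$1 status=$2 reason=${3:-} message=${4:-} name patch
  name=$(jq -r '.metadata.name' <<<"$cert") || return
  # Build the patch with jq so that arbitrary text in the message (printer
  # output containing quotes or backslashes) cannot break or alter the JSON.
  patch=$(jq -c --arg status "$status" --arg reason "$reason" --arg message "$message" '
    ((.status.conditions // []) | map(select(.type != "Printed")))
    + [ {type: "Printed", status: $status}
        + (if $reason  == "" then {} else {reason:  $reason}  end)
        + (if $message == "" then {} else {message: $message} end) ]
    | [{op: "add", path: "/status/conditions", value: .}]' <<<"$cert") || return
  kubectl patch cert "$name" --subresource status --type=json -p "$patch" 2>&1
}

printf 'print-your-cert-controller is now watching certificates.\n'

# One compact JSON object per line, one line per watch event; --unbuffered
# keeps jq from holding events back.
kubectl get cert -ojson --watch | jq -c --unbuffered | while IFS= read -r cert; do
  certname=$(jq -r '.metadata.name // empty' <<<"$cert")
  if [[ -z $certname ]]; then
    log '?' 'received an object without metadata.name, skipping.'
    continue
  fi
  # Both annotations are set by whoever can edit the Certificate: treat them
  # as untrusted strings. They are only ever used as quoted arguments below.
  annotation_value_print=$(jq -r '.metadata.annotations["print"] // empty' <<<"$cert")
  annotation_value_fetchkey=$(jq -r '.metadata.annotations["fetch-key"] // empty' <<<"$cert")
  condition_status_ready=$(jq -r '.status.conditions[]? | select(.type == "Ready") | .status' <<<"$cert")
  condition_status_printed=$(jq -r '.status.conditions[]? | select(.type == "Printed") | .status' <<<"$cert")
  log "$certname" "reconciling. (state: annotation=print:$annotation_value_print, Ready=$condition_status_ready, Printed=$condition_status_printed)"

  # Patterns are tried in order; each field is empty when the annotation or
  # condition is absent.
  case "$annotation_value_print,$condition_status_ready,$condition_status_printed" in
    ,*,*)
      log "$certname" "the certificate does not have the 'print' annotation, skipping."
      ;;
    *,,*)
      log "$certname" "the certificate does not have the 'Ready' condition yet, skipping."
      ;;
    true,*,)
      log "$certname" "certificate has the annotation, let's set the 'Printed' condition to 'False' until it is printed."
      if ! out=$(set_printed_condition "$cert" False Pending \
          "The print-your-cert-controller has acknowledged this certificate, and will print it shortly."); then
        log "$certname" "failed to set the 'Printed' condition to 'False': ${out//$'\n'/ }"
      fi
      ;;
    *,*,True)
      log "$certname" "the certificate has already been printed, skipping."
      ;;
    true,True,False)
      log "$certname" "has the Ready=True condition and can now be printed."
      secret_name=$(jq -r '.spec.secretName // empty' <<<"$cert")
      if [[ -z $secret_name ]]; then
        log "$certname" "the certificate has no spec.secretName, skipping."
        continue
      fi
      # Only tls.crt is used, but `get` on Secrets also exposes the private
      # key stored next to it: scope this controller's RBAC to the namespace
      # it watches and nothing more.
      if ! pem=$(kubectl get secret "$secret_name" -ojson | jq -r '.data."tls.crt" // empty' | base64 -d) \
          || [[ -z $pem ]]; then
        log "$certname" "failed to read tls.crt from secret '$secret_name', skipping."
        continue
      fi
      log "$certname" "printing."
      # The fetch-key annotation is forwarded verbatim (quoted, so it cannot
      # inject into this shell); what cert-card does with it is out of scope
      # here.
      if ! out=$(cert-card "$certname" "$annotation_value_fetchkey" <<<"$pem" 2>&1); then
        log "$certname" "failed to generate front-$certname.png and back-$certname.png: ${out//$'\n'/ }"
        continue
      fi
      # Print the front, then the back. The first failure is recorded in the
      # Printed condition and the certificate is handled again on its next
      # watch event.
      for side in front back; do
        png="$side-$certname.png"
        if ! out=$(print_label "$png"); then
          last_line=$(tail -n 1 <<<"$out")
          log "$certname" "failed to print $png: $last_line"
          if ! out=$(set_printed_condition "$cert" False Error "brother_ql: $last_line"); then
            log "$certname" "failed to set the 'Printed' condition to 'False': ${out//$'\n'/ }"
          fi
          continue 2
        fi
      done
      # Both labels are printed: record it in the certificate's status.
      if ! out=$(set_printed_condition "$cert" True); then
        log "$certname" "failed to set the 'Printed' condition to 'True': ${out//$'\n'/ }"
      fi
      ;;
    *)
      log "$certname" "nothing to do in this state, skipping."
      ;;
  esac
done

# Only reached when the watch pipeline ends (API connection dropped, kubectl
# exited): exit non-zero so a supervisor restarts the controller.
exit 123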