scripts: localize all 9 ADMIN_* in build_admin_flags

Two gemini medium findings on PR #678 caught that the
defense-in-depth localization I added was incomplete:
ADMIN_SESSION_SIGNING_KEY_FILE et al got `${VAR:-}` defaults into
locals at the top of the helper, but ADMIN_ENABLED and the two
ADMIN_ALLOW_* booleans were still accessed directly from the
calling environment further down in the function.

The gap defeated the comment's own claim. If a future refactor
ever drops one of those three booleans from the env forwarding,
`set -u` would crash on `${ADMIN_ENABLED}` (and the code path
below would silently fall through to defaults for the two
ALLOW_* flags, masking the misconfiguration). The point of the
local-with-default pattern is that every ADMIN_* reference goes
through one place where the safety net is guaranteed.

Localized all nine into `enabled`, `signing_key`, `full_keys`,
`read_only_keys`, `previous_key`, `admin_listen`, `tls_cert`,
`tls_key`, `allow_plaintext`, `insecure_cookie`. The two
ALLOW_* check sites at the bottom now read the locals instead of
re-fetching the globals — same value, but consistent with the
rest of the helper and the comment's contract.

No behaviour change for any valid input. Smoke-tested both
boolean validators (`ADMIN_ENABLED=invalid` and
`ADMIN_ALLOW_PLAINTEXT_NON_LOOPBACK=yes`) — local script-level
errors still fire with the targeted message before reaching
update_one_node.

Author: bootjp

scripts/rolling-update.sh

@@ -872,8 +872,12 @@ build_admin_flags() {
   # update_one_node. If a future refactor ever drops one of the
   # forwarded variables, the operator gets the targeted "ADMIN_*
   # required" error below instead of an opaque "unbound variable"
-  # crash with no hint at which variable.
-  if [[ "${ADMIN_ENABLED:-false}" != "true" ]]; then
+  # crash with no hint at which variable. All nine ADMIN_* values
+  # are read into locals once at the top so the rest of the helper
+  # cannot accidentally re-fetch a global and bypass the safety net
+  # (gemini medium on PR #678 caught the original three-boolean gap).
+  local enabled="${ADMIN_ENABLED:-false}"
+  if [[ "$enabled" != "true" ]]; then
     return 0
   fi
 
@@ -884,6 +888,8 @@ build_admin_flags() {
   local admin_listen="${ADMIN_ADDRESS:-}"
   local tls_cert="${ADMIN_TLS_CERT_FILE:-}"
   local tls_key="${ADMIN_TLS_KEY_FILE:-}"
+  local allow_plaintext="${ADMIN_ALLOW_PLAINTEXT_NON_LOOPBACK:-false}"
+  local insecure_cookie="${ADMIN_ALLOW_INSECURE_DEV_COOKIE:-false}"
 
   if [[ -z "$signing_key" ]]; then
     echo "ADMIN_ENABLED=true requires ADMIN_SESSION_SIGNING_KEY_FILE; aborting" >&2
@@ -944,10 +950,10 @@ build_admin_flags() {
     _volumes+=(-v "${tls_key}:${tls_key}:ro")
   fi
 
-  if [[ "${ADMIN_ALLOW_PLAINTEXT_NON_LOOPBACK:-false}" == "true" ]]; then
+  if [[ "$allow_plaintext" == "true" ]]; then
     _flags+=(--adminAllowPlaintextNonLoopback)
   fi
-  if [[ "${ADMIN_ALLOW_INSECURE_DEV_COOKIE:-false}" == "true" ]]; then
+  if [[ "$insecure_cookie" == "true" ]]; then
     _flags+=(--adminAllowInsecureDevCookie)
   fi
 }