4747
4848# --- get: retrieve credentials for the requested registry ---
4949
50- read -r server_url || true
51- registry_hostname=" $( echo " ${server_url} " | sed -E ' s|^https?://([^/]+).*|\1|' ) "
50+ read -r SERVER_URL || true
51+ readonly SERVER_URL
52+ REGISTRY_HOSTNAME=" $( echo " ${SERVER_URL} " | sed -E ' s|^https?://([^/]+).*|\1|' ) "
53+ readonly REGISTRY_HOSTNAME
5254
5355readonly SECRETS_JSON=" /home/core/secrets.json"
5456if [[ ! -f " ${SECRETS_JSON} " ]]; then
5557 echo " Error: ${SECRETS_JSON} not found" >&2
5658 exit 1
5759fi
5860
59- secret_entry =" $( jq --arg registry " ${registry_hostname } " \
61+ SECRET_ENTRY =" $( jq --arg registry " ${REGISTRY_HOSTNAME } " \
6062 ' .[] | select(.dockerRegistry == $registry)' \
6163 " ${SECRETS_JSON} " ) "
64+ readonly SECRET_ENTRY
6265
63- if [[ -z " ${secret_entry } " || " ${secret_entry } " == " null" ]]; then
64- echo " Error: No secret configured for registry ${registry_hostname } " >&2
66+ if [[ -z " ${SECRET_ENTRY } " || " ${SECRET_ENTRY } " == " null" ]]; then
67+ echo " Error: No secret configured for registry ${REGISTRY_HOSTNAME } " >&2
6568 exit 1
6669fi
6770
68- secret_name=" $( echo " ${secret_entry} " | jq -r ' .name' ) "
71+ SECRET_NAME=" $( echo " ${SECRET_ENTRY} " | jq -r ' .name' ) "
72+ readonly SECRET_NAME
6973
7074# shellcheck source=/dev/null
7175source /home/core/metadata-utils.sh
@@ -75,56 +79,69 @@ source /home/core/service-utils.sh
7579source /home/core/secret-utils.sh
7680
7781CLI_SERVER=" $( get_metadata_value " terra-cli-server" " prod" ) "
82+ readonly CLI_SERVER
83+
7884WSM_URL=" $( get_service_url " wsm" " ${CLI_SERVER} " ) "
85+ readonly WSM_URL
7986
8087WORKSPACE_UFID=" $( get_metadata_value " terra-workspace-id" " " ) "
88+ readonly WORKSPACE_UFID
8189if [[ -z " ${WORKSPACE_UFID} " ]]; then
8290 echo " Error: No workspace ID found in metadata" >&2
8391 exit 1
8492fi
8593
8694RESOURCE_ID=" $( get_metadata_value " wb-resource-id" " " ) "
95+ readonly RESOURCE_ID
8796if [[ -z " ${RESOURCE_ID} " ]]; then
8897 echo " Error: No resource ID found in metadata" >&2
8998 exit 1
9099fi
91100
92101TOKEN=" $( /home/core/wb.sh auth print-access-token) "
102+ # shellcheck disable=SC2034
103+ readonly TOKEN
93104
94105WORKSPACE_ID=" $( curl_with_auth TOKEN -s -f \
95106 " ${WSM_URL} /api/workspaces/v1/workspaceByUserFacingId/${WORKSPACE_UFID} " \
96107 | jq -r ' .id' ) "
108+ readonly WORKSPACE_ID
97109if [[ -z " ${WORKSPACE_ID} " || " ${WORKSPACE_ID} " == " null" ]]; then
98110 echo " Error: Failed to resolve workspace UUID for '${WORKSPACE_UFID} '" >&2
99111 exit 1
100112fi
101113
102- readonly KEY_FILE=" /home/core/signing-key/signing.key"
114+ KEY_FILE=" /home/core/signing-key/signing.key"
115+ readonly KEY_FILE
103116if [[ ! -f " ${KEY_FILE} " ]]; then
104117 echo " Error: Signing key not found at ${KEY_FILE} " >&2
105118 exit 1
106119fi
107120
108- app_resource =" $( curl_with_auth TOKEN -s -f \
121+ APP_RESOURCE =" $( curl_with_auth TOKEN -s -f \
109122 " ${WSM_URL} /api/workspaces/v1/${WORKSPACE_ID} /${RESOURCE_PATH} /${RESOURCE_ID} " ) "
123+ readonly APP_RESOURCE
110124
111- secret_workspace_id=" $( echo " ${app_resource} " | jq -r --arg name " ${secret_name} " ' .attributes.secrets[$name].workspaceId' ) "
112- secret_resource_id=" $( echo " ${app_resource} " | jq -r --arg name " ${secret_name} " ' .attributes.secrets[$name].resourceId' ) "
125+ SECRET_WORKSPACE_ID=" $( echo " ${APP_RESOURCE} " | jq -r --arg name " ${SECRET_NAME} " ' .attributes.secrets[$name].workspaceId' ) "
126+ readonly SECRET_WORKSPACE_ID
127+ SECRET_RESOURCE_ID=" $( echo " ${APP_RESOURCE} " | jq -r --arg name " ${SECRET_NAME} " ' .attributes.secrets[$name].resourceId' ) "
128+ readonly SECRET_RESOURCE_ID
113129
114- if [[ -z " ${secret_workspace_id } " || " ${secret_workspace_id } " == " null" || \
115- -z " ${secret_resource_id } " || " ${secret_resource_id } " == " null" ]]; then
116- echo " Error: Secret '${secret_name } ' not found in app resource's attached secrets" >&2
130+ if [[ -z " ${SECRET_WORKSPACE_ID } " || " ${SECRET_WORKSPACE_ID } " == " null" || \
131+ -z " ${SECRET_RESOURCE_ID } " || " ${SECRET_RESOURCE_ID } " == " null" ]]; then
132+ echo " Error: Secret '${SECRET_NAME } ' not found in app resource's attached secrets" >&2
117133 exit 1
118134fi
119135
120- validate_allowed_secret " ${secret_entry } " " ${secret_workspace_id } " " ${secret_resource_id } "
136+ validate_allowed_secret " ${SECRET_ENTRY } " " ${SECRET_WORKSPACE_ID } " " ${SECRET_RESOURCE_ID } "
121137
122- credential=" $( retrieve_secret TOKEN " ${WSM_URL} " " ${RESOURCE_ID} " " ${KEY_FILE} " \
123- " ${secret_workspace_id} " " ${secret_resource_id} " ) "
138+ CREDENTIAL=" $( retrieve_secret TOKEN " ${WSM_URL} " " ${RESOURCE_ID} " " ${KEY_FILE} " \
139+ " ${SECRET_WORKSPACE_ID} " " ${SECRET_RESOURCE_ID} " ) "
140+ readonly CREDENTIAL
124141
125- if ! echo " ${credential } " | jq -e ' .Username and .Secret' > /dev/null 2>&1 ; then
126- echo " Error: Secret '${secret_name } ' is not valid docker credential JSON (expected Username and Secret fields)" >&2
142+ if ! echo " ${CREDENTIAL } " | jq -e ' .Username and .Secret' > /dev/null 2>&1 ; then
143+ echo " Error: Secret '${SECRET_NAME } ' is not valid docker credential JSON (expected Username and Secret fields)" >&2
127144 exit 1
128145fi
129146
130- echo " ${credential } " | jq --arg url " ${server_url } " ' . + {"ServerURL": $url}'
147+ echo " ${CREDENTIAL } " | jq --arg url " ${SERVER_URL } " ' . + {"ServerURL": $url}'
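Review bot: The output stage at the end of this hunk forwards whatever the stored secret contains, because `. + {"ServerURL": $url}` keeps every key of `CREDENTIAL` and the preceding `jq -e '.Username and .Secret'` only tests truthiness, so a non-string value or extra fields pass straight to the caller. Consider checking types with `jq -e '(.Username|type=="string") and (.Secret|type=="string")'` and emitting only the expected fields with `jq --arg url "${SERVER_URL}" '{ServerURL: $url, Username, Secret}'`. Separately, a failed `curl_with_auth` for `APP_RESOURCE` looks like it would be reported as "Secret ... not found in app resource's attached secrets", unless the script runs under `set -e`, which is not visible here. A dedicated empty-response check after that assignment would make the failure easier to diagnose. The script starts outside this hunk, so `RESOURCE_PATH` and the shell options in effect could not be confirmed.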