Skip to content

Commit 269c171

Browse files
gabemonteroclaude
andcommitted
fix(boost): make load-secrets.sh safe to source
Remove set -euo pipefail which kills the shell on kubectl errors. Use return 1 instead so failures abort the script without closing the terminal. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent a12bb27 commit 269c171

1 file changed

Lines changed: 44 additions & 47 deletions

File tree

Lines changed: 44 additions & 47 deletions
Original file line numberDiff line numberDiff line change
@@ -1,54 +1,51 @@
11
#!/usr/bin/env bash
2-
# Load development secrets from a Kubernetes secret into environment
3-
# variables for local boost backend development.
2+
# Load boost dev secrets from a K8s namespace.
3+
# Source this before launching the debugger:
4+
# source workspaces/boost/scripts/load-secrets.sh
45
#
5-
# Usage:
6-
# source scripts/load-secrets.sh [secret-name] [namespace]
6+
# Override defaults via env vars:
7+
# BOOST_SECRET_NAMESPACE (default: rolling-demo-ns)
8+
# BOOST_SECRET_NAME (default: augment-secrets)
79
#
8-
# Defaults:
9-
# secret-name: boost-dev-secrets
10-
# namespace: boost-dev
10+
# Requires: kubectl access to the cluster (KUBECONFIG set)
1111

12-
set -euo pipefail
13-
14-
SECRET_NAME="${1:-boost-dev-secrets}"
15-
NAMESPACE="${2:-boost-dev}"
12+
NAMESPACE="${BOOST_SECRET_NAMESPACE:-rolling-demo-ns}"
13+
SECRET_NAME="${BOOST_SECRET_NAME:-augment-secrets}"
1614

1715
echo "Loading secrets from ${NAMESPACE}/${SECRET_NAME}..."
1816

19-
# Read fields from the K8s secret
20-
export KAGENTI_CLIENT_SECRET
21-
KAGENTI_CLIENT_SECRET=$(kubectl get secret "${SECRET_NAME}" \
22-
-n "${NAMESPACE}" -o jsonpath='{.data.KAGENTI_CLIENT_SECRET}' | base64 -d)
23-
24-
export KAGENTI_CLIENT_ID
25-
KAGENTI_CLIENT_ID=$(kubectl get secret "${SECRET_NAME}" \
26-
-n "${NAMESPACE}" -o jsonpath='{.data.KAGENTI_CLIENT_ID}' | base64 -d)
27-
28-
export KAGENTI_TOKEN_ENDPOINT
29-
KAGENTI_TOKEN_ENDPOINT=$(kubectl get secret "${SECRET_NAME}" \
30-
-n "${NAMESPACE}" -o jsonpath='{.data.KAGENTI_TOKEN_ENDPOINT}' | base64 -d)
31-
32-
export KAGENTI_BASE_URL
33-
KAGENTI_BASE_URL=$(kubectl get secret "${SECRET_NAME}" \
34-
-n "${NAMESPACE}" -o jsonpath='{.data.KAGENTI_BASE_URL}' | base64 -d)
35-
36-
export KAGENTI_NAMESPACE
37-
KAGENTI_NAMESPACE=$(kubectl get secret "${SECRET_NAME}" \
38-
-n "${NAMESPACE}" -o jsonpath='{.data.KAGENTI_NAMESPACE}' | base64 -d)
39-
40-
export BOOST_MODEL
41-
BOOST_MODEL=$(kubectl get secret "${SECRET_NAME}" \
42-
-n "${NAMESPACE}" -o jsonpath='{.data.BOOST_MODEL}' | base64 -d)
43-
44-
# Accept self-signed certs from OpenShift routes (override with 1 to enforce)
45-
export NODE_TLS_REJECT_UNAUTHORIZED="${NODE_TLS_REJECT_UNAUTHORIZED:-0}"
46-
47-
echo "Environment loaded:"
48-
echo " KAGENTI_CLIENT_SECRET=<set>"
49-
echo " KAGENTI_CLIENT_ID=<set>"
50-
echo " KAGENTI_TOKEN_ENDPOINT=${KAGENTI_TOKEN_ENDPOINT}"
51-
echo " KAGENTI_BASE_URL=${KAGENTI_BASE_URL}"
52-
echo " KAGENTI_NAMESPACE=${KAGENTI_NAMESPACE}"
53-
echo " BOOST_MODEL=${BOOST_MODEL}"
54-
echo " NODE_TLS_REJECT_UNAUTHORIZED=${NODE_TLS_REJECT_UNAUTHORIZED}"
17+
_load_field() {
18+
local val
19+
val=$(kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" \
20+
-o jsonpath="{.data.$1}" 2>/dev/null) || {
21+
echo " WARNING: failed to read $1 from secret ${NAMESPACE}/${SECRET_NAME}" >&2
22+
return 1
23+
}
24+
if [ -z "${val}" ]; then
25+
echo " WARNING: $1 is empty in secret ${NAMESPACE}/${SECRET_NAME}" >&2
26+
return 1
27+
fi
28+
echo "${val}" | base64 -d
29+
}
30+
31+
KAGENTI_CLIENT_SECRET=$(_load_field KAGENTI_CLIENT_SECRET) || { echo "Aborting." >&2; unset -f _load_field; return 1; }
32+
KAGENTI_CLIENT_ID=$(_load_field KAGENTI_CLIENT_ID) || { echo "Aborting." >&2; unset -f _load_field; return 1; }
33+
KAGENTI_TOKEN_ENDPOINT=$(_load_field KAGENTI_TOKEN_ENDPOINT) || { echo "Aborting." >&2; unset -f _load_field; return 1; }
34+
KAGENTI_BASE_URL=$(_load_field KAGENTI_BASE_URL) || { echo "Aborting." >&2; unset -f _load_field; return 1; }
35+
KAGENTI_NAMESPACE=$(_load_field KAGENTI_NAMESPACE) || { echo "Aborting." >&2; unset -f _load_field; return 1; }
36+
BOOST_MODEL=$(_load_field AUGMENT_MODEL) || { echo "Aborting." >&2; unset -f _load_field; return 1; }
37+
38+
unset -f _load_field
39+
40+
export KAGENTI_CLIENT_SECRET KAGENTI_CLIENT_ID KAGENTI_TOKEN_ENDPOINT
41+
export KAGENTI_BASE_URL KAGENTI_NAMESPACE BOOST_MODEL
42+
export NODE_TLS_REJECT_UNAUTHORIZED=0
43+
44+
echo "Loaded: KAGENTI_BASE_URL=$KAGENTI_BASE_URL"
45+
echo "Loaded: KAGENTI_NAMESPACE=$KAGENTI_NAMESPACE"
46+
echo "Loaded: KAGENTI_CLIENT_ID=$KAGENTI_CLIENT_ID"
47+
echo "Loaded: KAGENTI_CLIENT_SECRET=<set>"
48+
echo "Loaded: KAGENTI_TOKEN_ENDPOINT=$KAGENTI_TOKEN_ENDPOINT"
49+
echo "Loaded: BOOST_MODEL=$BOOST_MODEL"
50+
echo "Set: NODE_TLS_REJECT_UNAUTHORIZED=0 (for self-signed OpenShift route certs)"
51+
echo "Ready — launch the debugger in this shell."

0 commit comments

Comments
 (0)