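#!/usr/bin/env bash
#
# Test credential provider plugin for the kubelet.
#
# Input:   a credential provider request (JSON) on stdin; the fields read here
#          are .serviceAccountToken and .image.
# Output:  a CredentialProviderResponse (JSON, compact) on stdout.
# Log:     "$DIR/../logs", truncated on every invocation.
# Needs:   jq, jwt, curl (with support for reading headers via "-H @-").
# Env:     APISERVER_CA_FILE (optional, added in review) - CA bundle used to
#          verify the API server certificate. When unset the script keeps its
#          original test-only behaviour of skipping verification.
set -euo pipefail
IFS=$'\n\t'

# The log sits next to request metadata derived from a bearer token; keep any
# file this script creates private to the invoking user.
umask 077

DIR=$(dirname "$(realpath "$0")")
LOG="$DIR/../logs"

# NOTE(review): this statement was garbled in the source (an unterminated
# command substitution followed by a truncating redirect to the log). It is
# reconstructed as "read the request from stdin, start a fresh log with it";
# confirm against the original script.
INPUT=$(jq . </dev/stdin)

# The request carries a live service account token, so the copy written to
# the log has that field masked.
printf '%s\n' "$INPUT" |
  jq 'if has("serviceAccountToken") then .serviceAccountToken = "<redacted>" else . end' \
    >"$LOG"

TOKEN=$(printf '%s\n' "$INPUT" | jq -r .serviceAccountToken)

# The payload is only decoded here; nothing in this script checks the token
# signature. The decoded claims are therefore treated as untrusted until the
# API server has accepted the token.
PAYLOAD_K8S=$(printf '%s\n' "$TOKEN" | jwt decode -j - | jq '.payload."kubernetes.io"')
NAMESPACE=$(printf '%s\n' "$PAYLOAD_K8S" | jq -r .namespace)
SA_NAME=$(printf '%s\n' "$PAYLOAD_K8S" | jq -r .serviceaccount.name)

# Namespace names are DNS-1123 labels. Enforce that before the value is placed
# into a URL path, so an unexpected claim cannot redirect the request to a
# different API path.
readonly DNS_LABEL_RE='^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'
if [[ ! "$NAMESPACE" =~ $DNS_LABEL_RE ]]; then
  echo "$(date): Rejecting request: namespace claim is not a valid DNS label" >>"$LOG"
  exit 1
fi

echo "$(date): Using Service Account \"$SA_NAME\" from namespace \"$NAMESPACE\"" >>"$LOG"

# Test secret retrieval
# In production we should
# 1. Get all secrets of type kubernetes.io/dockerconfigjson
# 2. Match the provided image name with the resolved registry from registries.conf
# 3. Match the resolved registry with them from the .dockerconfigjsons
# 4. Merge the auths together for the response
SECRET_NAME=my-secret

CURL_ARGS=(-sS)
if [[ -n "${APISERVER_CA_FILE:-}" ]]; then
  CURL_ARGS+=(--cacert "$APISERVER_CA_FILE")
else
  # Test-only fallback kept from the original: without certificate
  # verification the bearer token is sent to whatever answers on this port.
  # Set APISERVER_CA_FILE outside of test environments.
  CURL_ARGS+=(-k)
fi

# The Authorization header is fed through stdin ("-H @-") so the token does not
# appear in curl's argument list, where other local users could read it.
SECRET=$(
  printf 'Authorization: Bearer %s\n' "$TOKEN" |
    curl "${CURL_ARGS[@]}" -H @- \
      "https://localhost:6443/api/v1/namespaces/$NAMESPACE/secrets/$SECRET_NAME"
)

# Log only identifying metadata. The full object would put the secret's data
# (registry credentials, once the production steps above are implemented)
# into a plain-text log file.
SECRET_SUMMARY=$(
  printf '%s\n' "$SECRET" |
    jq -c '{kind, name: .metadata.name, type, code}' 2>/dev/null
) || SECRET_SUMMARY='"unparseable response"'
echo "$(date): Secret: $SECRET_SUMMARY" >>"$LOG"

# Build the response with jq so the image name is JSON-escaped instead of
# being spliced into a string template, where a quote in the name would alter
# the structure of the document handed back to the kubelet.
IMAGE=$(printf '%s\n' "$INPUT" | jq -r .image)
RESPONSE=$(jq -n --arg image "$IMAGE" '{
  kind: "CredentialProviderResponse",
  apiVersion: "credentialprovider.kubelet.k8s.io/v1",
  cacheKeyType: "Registry",
  cacheDuration: "0h5m0s",
  auth: {($image): {username: "", password: ""}}
}')

# NOTE(review): the response holds empty credentials today; once real auths
# are merged in, mask .auth before writing it to the log.
echo "$(date): Response: $RESPONSE" >>"$LOG"
printf '%s\n' "$RESPONSE" | jq -c .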