hack: add verify-shellcheck target to validate bash scripts in the repository

* add a bash script to run shellcheck on all the scripts in the
  repository.
* add `verify-shellcheck` make target to run the shellcheck script.
* fix shellcheck warnings in existing bash scripts.

Signed-off-by: Deepesh Pathak <[email protected]>

Author: fristonio

Makefile

@@ -568,7 +568,7 @@ clean-release: ## Remove the release folder
 	rm -rf $(RELEASE_DIR)
 
 .PHONY: verify
-verify: verify-boilerplate verify-modules verify-gen
+verify: verify-boilerplate verify-modules verify-gen verify-shellcheck
 
 .PHONY: verify-boilerplate
 verify-boilerplate:
@@ -585,3 +585,7 @@ verify-gen: generate
 	@if !(git diff --quiet HEAD); then \
 		git diff; echo "generated files are out of date, run make generate"; exit 1; \
 	fi
+
+.PHONY: verify-shellcheck
+verify-shellcheck:
+	./hack/verify-shellcheck.sh

hack/create-dev-cluster.sh

@@ -34,10 +34,13 @@ export AZURE_VNET_NAME=${CLUSTER_NAME}-vnet
 # Azure settings.
 export AZURE_LOCATION="${AZURE_LOCATION:-southcentralus}"
 export AZURE_RESOURCE_GROUP=${CLUSTER_NAME}
-export AZURE_SUBSCRIPTION_ID_B64="$(echo -n "$AZURE_SUBSCRIPTION_ID" | base64 | tr -d '\n')"
-export AZURE_TENANT_ID_B64="$(echo -n "$AZURE_TENANT_ID" | base64 | tr -d '\n')"
-export AZURE_CLIENT_ID_B64="$(echo -n "$AZURE_CLIENT_ID" | base64 | tr -d '\n')"
-export AZURE_CLIENT_SECRET_B64="$(echo -n "$AZURE_CLIENT_SECRET" | base64 | tr -d '\n')"
+
+AZURE_SUBSCRIPTION_ID_B64="$(echo -n "$AZURE_SUBSCRIPTION_ID" | base64 | tr -d '\n')"
+AZURE_TENANT_ID_B64="$(echo -n "$AZURE_TENANT_ID" | base64 | tr -d '\n')"
+AZURE_CLIENT_ID_B64="$(echo -n "$AZURE_CLIENT_ID" | base64 | tr -d '\n')"
+AZURE_CLIENT_SECRET_B64="$(echo -n "$AZURE_CLIENT_SECRET" | base64 | tr -d '\n')"
+
+export AZURE_SUBSCRIPTION_ID_B64 AZURE_TENANT_ID_B64 AZURE_CLIENT_ID_B64 AZURE_CLIENT_SECRET_B64
 
 # Machine settings.
 export CONTROL_PLANE_MACHINE_COUNT=${CONTROL_PLANE_MACHINE_COUNT:-3}
@@ -49,13 +52,15 @@ export CLUSTER_TEMPLATE="${CLUSTER_TEMPLATE:-cluster-template.yaml}"
 
 # Generate SSH key.
 SSH_KEY_FILE=${SSH_KEY_FILE:-""}
-if ! [ -n "$SSH_KEY_FILE" ]; then
+if [ -z "$SSH_KEY_FILE" ]; then
     SSH_KEY_FILE=.sshkey
     rm -f "${SSH_KEY_FILE}" 2>/dev/null
     ssh-keygen -t rsa -b 2048 -f "${SSH_KEY_FILE}" -N '' 1>/dev/null
     echo "Machine SSH key generated in ${SSH_KEY_FILE}"
 fi
-export AZURE_SSH_PUBLIC_KEY_B64=$(cat "${SSH_KEY_FILE}.pub" | base64 | tr -d '\r\n')
+
+AZURE_SSH_PUBLIC_KEY_B64=$(base64 "${SSH_KEY_FILE}.pub" | tr -d '\r\n')
+export AZURE_SSH_PUBLIC_KEY_B64
 
 echo "================ DOCKER BUILD ==============="
 PULL_POLICY=IfNotPresent make modules docker-build

hack/ensure-acr-login.sh

@@ -23,7 +23,7 @@ cd "${REPO_ROOT}" || exit 1
 
 if [[ "${REGISTRY:-}" =~ capzci\.azurecr\.io ]]; then
     # if we are using the prow Azure Container Registry, login.
-    ${REPO_ROOT}/hack/ensure-azcli.sh
+    "${REPO_ROOT}/hack/ensure-azcli.sh"
     : "${AZURE_SUBSCRIPTION_ID:?Environment variable empty or not defined.}"
     az account set -s "${AZURE_SUBSCRIPTION_ID}"
     az acr login --name capzci

hack/ensure-kind.sh

@@ -43,7 +43,7 @@ verify_kind_version() {
   IFS=" " read -ra kind_version <<< "$(kind version)"
   if [[ "${MINIMUM_KIND_VERSION}" != $(echo -e "${MINIMUM_KIND_VERSION}\n${kind_version[1]}" | sort -s -t. -k 1,1 -k 2,2n -k 3,3n | head -n1) ]]; then
     cat <<EOF
-Detected kind version: ${kind_version}.
+Detected kind version: ${kind_version[0]}.
 Requires ${MINIMUM_KIND_VERSION} or greater.
 Please install ${MINIMUM_KIND_VERSION} or later.
 EOF

hack/install-cert-manager.sh

@@ -52,6 +52,10 @@ kubectl wait --for=condition=Available --timeout=5m -n cert-manager deployment/c
 kubectl wait --for=condition=Available --timeout=5m -n cert-manager deployment/cert-manager-cainjector
 kubectl wait --for=condition=Available --timeout=5m -n cert-manager deployment/cert-manager-webhook
 
-for i in {1..6}; do (echo "$TEST_RESOURCE" | kubectl apply -f - ) && break || sleep 15; done
+for _ in {1..6}; do
+  (echo "$TEST_RESOURCE" | kubectl apply -f -) && break
+  sleep 15
+done
+
 kubectl wait --for=condition=Ready --timeout=300s -n cert-manager-test certificate/selfsigned-cert
 echo "$TEST_RESOURCE" | kubectl delete -f -

hack/kustomize-sub.sh

@@ -18,4 +18,4 @@ set -o nounset
 set -o pipefail
 
 root=$(dirname "${BASH_SOURCE[0]}")
-$root/tools/bin/kustomize build $1 | $root/tools/bin/envsubst
+"$root/tools/bin/kustomize" build "$1" | "$root/tools/bin/envsubst"

hack/log/log-dump.sh

@@ -21,9 +21,9 @@ set -o pipefail
 REPO_ROOT=$(dirname "${BASH_SOURCE[0]}")/../..
 cd "${REPO_ROOT}" || exit 1
 
-# shellcheck source=../hack/ensure-kind.sh
+# shellcheck source=hack/ensure-kind.sh
 source "${REPO_ROOT}/hack/ensure-kind.sh"
-# shellcheck source=../hack/ensure-kubectl.sh
+# shellcheck source=hack/ensure-kubectl.sh
 source "${REPO_ROOT}/hack/ensure-kubectl.sh"
 
 export ARTIFACTS="${ARTIFACTS:-${PWD}/_artifacts}"
@@ -33,7 +33,8 @@ export KUBECONFIG="${KUBECONFIG:-${PWD}/kubeconfig}"
 
 get_node_name() {
     local -r pod_name="${1}"
-    echo "$(kubectl get pod "${pod_name}" -ojsonpath={.spec.nodeName})"
+    # shellcheck disable=SC1083
+    kubectl get pod "${pod_name}" -ojsonpath={.spec.nodeName}
 }
 
 dump_mgmt_cluster_logs() {
@@ -90,7 +91,8 @@ dump_workload_cluster_logs() {
     kubectl apply -f "${REPO_ROOT}/hack/log/log-dump-daemonset.yaml"
     kubectl wait pod -l app=log-dump-node --for=condition=Ready --timeout=5m
 
-    local -r log_dump_pods=( $(kubectl get pod -l app=log-dump-node -ojsonpath={.items[*].metadata.name}) )
+    local -r log_dump_pods=()
+    IFS=" " read -r -a log_dump_pods <<< "$(kubectl get pod -l app=log-dump-node -ojsonpath='{.items[*].metadata.name}')"
     local log_dump_commands=(
         "journalctl --output=short-precise -u kubelet > kubelet.log"
         "journalctl --output=short-precise -u containerd > containerd.log"
@@ -108,7 +110,8 @@ dump_workload_cluster_logs() {
     fi
 
     for log_dump_pod in "${log_dump_pods[@]}"; do
-        local node_name="$(get_node_name "${log_dump_pod}")"
+        local node_name
+        node_name="$(get_node_name "${log_dump_pod}")"
 
         local log_dump_dir="${ARTIFACTS}/workload-cluster/${node_name}"
         mkdir -p "${log_dump_dir}"
@@ -127,6 +130,7 @@ dump_workload_cluster_logs() {
 
 cleanup() {
     kubectl delete -f "${REPO_ROOT}/hack/log/log-dump-daemonset.yaml" || true
+    # shellcheck source=hack/log/redact.sh
     source "${REPO_ROOT}/hack/log/redact.sh"
 }
 

hack/log/redact.sh

@@ -20,7 +20,8 @@ set -o pipefail
 
 echo "================ REDACTING LOGS ================"
 
-log_files=( $(find "${ARTIFACTS:-${PWD}/_artifacts}" -type f) )
+log_files=()
+while IFS='' read -r line; do log_files+=("$line"); done < <(find "${ARTIFACTS:-${PWD}/_artifacts}" -type f)
 redact_vars=(
     "${AZURE_CLIENT_ID:-}"
     "${AZURE_CLIENT_SECRET:-}"

hack/parse-prow-creds.sh

@@ -25,12 +25,14 @@ parse_cred() {
 # for Prow we use the provided AZURE_CREDENTIALS file.
 # the file is expected to be in toml format.
 if [[ -n "${AZURE_CREDENTIALS:-}" ]]; then
-    export AZURE_SUBSCRIPTION_ID="$(cat ${AZURE_CREDENTIALS} | parse_cred SubscriptionID)"
-    export AZURE_TENANT_ID="$(cat ${AZURE_CREDENTIALS} | parse_cred TenantID)"
-    export AZURE_CLIENT_ID="$(cat ${AZURE_CREDENTIALS} | parse_cred ClientID)"
-    export AZURE_CLIENT_SECRET="$(cat ${AZURE_CREDENTIALS} | parse_cred ClientSecret)"
-    export AZURE_MULTI_TENANCY_ID="$(cat ${AZURE_CREDENTIALS} | parse_cred MultiTenancyClientID)"
-    export AZURE_MULTI_TENANCY_SECRET="$(cat ${AZURE_CREDENTIALS} | parse_cred MultiTenancyClientSecret)"
-    export AZURE_STORAGE_ACCOUNT="$(cat ${AZURE_CREDENTIALS} | parse_cred StorageAccountName)"
-    export AZURE_STORAGE_KEY="$(cat ${AZURE_CREDENTIALS} | parse_cred StorageAccountKey)"
+    AZURE_SUBSCRIPTION_ID="$(parse_cred SubscriptionID < "${AZURE_CREDENTIALS}")"
+    AZURE_TENANT_ID="$(parse_cred TenantID < "${AZURE_CREDENTIALS}")"
+    AZURE_CLIENT_ID="$(parse_cred ClientID < "${AZURE_CREDENTIALS}")"
+    AZURE_CLIENT_SECRET="$(parse_cred ClientSecret < "${AZURE_CREDENTIALS}")"
+    AZURE_MULTI_TENANCY_ID="$(parse_cred MultiTenancyClientID < "${AZURE_CREDENTIALS}")"
+    AZURE_MULTI_TENANCY_SECRET="$(parse_cred MultiTenancyClientSecret < "${AZURE_CREDENTIALS}")"
+    AZURE_STORAGE_ACCOUNT="$(parse_cred StorageAccountName < "${AZURE_CREDENTIALS}")"
+    AZURE_STORAGE_KEY="$(parse_cred StorageAccountKey < "${AZURE_CREDENTIALS}")"
+
+    export AZURE_SUBSCRIPTION_ID AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_MULTI_TENANCY_ID AZURE_MULTI_TENANCY_SECRET AZURE_STORAGE_ACCOUNT AZURE_STORAGE_KEY
 fi

hack/print-workspace-status.sh

@@ -34,12 +34,15 @@ if GIT_VERSION=$(git describe --tags --abbrev=14 2>/dev/null); then
     #
     # TODO: We continue calling this "git version" because so many
     # downstream consumers are expecting it there.
+    # shellcheck disable=SC2001
     DASHES_IN_VERSION=$(echo "${GIT_VERSION}" | sed "s/[^-]//g")
     if [[ "${DASHES_IN_VERSION}" == "---" ]] ; then
         # We have distance to subversion (v1.1.0-subversion-1-gCommitHash)
+        # shellcheck disable=SC2001
         GIT_VERSION=$(echo "${GIT_VERSION}" | sed "s/-\([0-9]\{1,\}\)-g\([0-9a-f]\{14\}\)$/.\1\-\2/")
     elif [[ "${DASHES_IN_VERSION}" == "--" ]] ; then
         # We have distance to base tag (v1.1.0-1-gCommitHash)
+        # shellcheck disable=SC2001
         GIT_VERSION=$(echo "${GIT_VERSION}" | sed "s/-g\([0-9a-f]\{14\}\)$/-\1/")
     fi
     if [[ "${GIT_TREE_STATE}" == "dirty" ]]; then
@@ -66,9 +69,9 @@ if GIT_VERSION=$(git describe --tags --abbrev=14 2>/dev/null); then
     fi
 fi
 
-GIT_BRANCH=$(git branch | grep \* | cut -d ' ' -f2)
+GIT_BRANCH=$(git branch | grep '\*' | cut -d ' ' -f2)
 GIT_RELEASE_TAG=$(git describe --abbrev=0 --tags)
-GIT_RELEASE_COMMIT=$(git rev-list -n 1  ${GIT_RELEASE_TAG} | head -c 14)
+GIT_RELEASE_COMMIT=$(git rev-list -n 1  "${GIT_RELEASE_TAG}" | head -c 14)
 
 cat <<EOF
 GIT_COMMIT ${GIT_COMMIT-}