Merge pull request #1300 from rackerlabs/shellcheck-20250926

cardoe · web-flow · commit 724093f84808 · 2025-09-26T17:28:47.000Z
fix(shellcheck): Fixes shellcheck issues
diff --git a/scripts/gen-os-secrets.sh b/scripts/gen-os-secrets.sh
@@ -1,50 +1,82 @@
-#!/bin/sh
+#!/usr/bin/env bash
 
-if [ $# -ne 1 ]; then
+# Check arguments
+if [ "$#" -ne 1 ]; then
     echo "$(basename "$0") <output-file>" >&2
     exit 1
 fi
 
+# Enable safer bash settings
 set -o pipefail
 
-if ! type -p yq > /dev/null; then
+# Check dependencies
+if ! command -v yq >/dev/null; then
     echo "You must have yq installed to use this script" >&2
     exit 1
 fi
 
-if ! type -p kubectl > /dev/null; then
+if ! command -v kubectl >/dev/null; then
     echo "You must have kubectl installed to use this script" >&2
     exit 1
 fi
 
-KUSTOMIZE_VERSION=$(kubectl version --client -o yaml | yq .kustomizeVersion)
-if ! (echo -e "v5.0.0\n$KUSTOMIZE_VERSION" | sort -V -C); then
-  echo "kustomize needs to be at version 5.0.0 or newer (comes with kubectl 1.27+)"
-  exit 1
+# Get kustomize version (declare/assign separately)
+KUSTOMIZE_VERSION=""
+KUSTOMIZE_VERSION=$(kubectl version --client -o yaml | yq '.kustomizeVersion')
+if ! (printf '%s\n' "v5.0.0" "$KUSTOMIZE_VERSION" | sort -V -C); then
+    echo "kustomize needs to be at version 5.0.0 or newer (comes with kubectl 1.27+)"
+    exit 1
 fi
 
-SCRIPTS_DIR="$(dirname "$0")"
+# Scripts directory
+SCRIPTS_DIR=""
+SCRIPTS_DIR=$(dirname "$0")
 
 echo "This script will attempt to look up the existing values this repo used"
 echo "or will generate new values. The output below will be related to that."
 
 # memcache secret key
-export MEMCACHE_SECRET_KEY=$("${SCRIPTS_DIR}/pwgen.sh" 64)
+MEMCACHE_SECRET_KEY=""
+MEMCACHE_SECRET_KEY=$("${SCRIPTS_DIR}/pwgen.sh" 64)
+export MEMCACHE_SECRET_KEY
 
 # keystone admin
-export KEYSTONE_ADMIN_PASSWORD=$(kubectl -n openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d || "${SCRIPTS_DIR}/pwgen.sh")
+KEYSTONE_ADMIN_PASSWORD=""
+KEYSTONE_ADMIN_PASSWORD=$(kubectl -n openstack get secret keystone-admin \
+  -o jsonpath='{.data.password}' | base64 -d || "${SCRIPTS_DIR}/pwgen.sh")
+export KEYSTONE_ADMIN_PASSWORD
+
 # keystone mariadb
-export KEYSTONE_DB_PASSWORD=$(kubectl -n openstack get secret keystone-db-password -o jsonpath='{.data.password}' | base64 -d || "${SCRIPTS_DIR}/pwgen.sh")
+KEYSTONE_DB_PASSWORD=""
+KEYSTONE_DB_PASSWORD=$(kubectl -n openstack get secret keystone-db-password \
+  -o jsonpath='{.data.password}' | base64 -d || "${SCRIPTS_DIR}/pwgen.sh")
+export KEYSTONE_DB_PASSWORD
+
 # keystone rabbitmq
-export KEYSTONE_RABBITMQ_PASSWORD=$(kubectl -n openstack get secret keystone-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d || "${SCRIPTS_DIR}/pwgen.sh")
+KEYSTONE_RABBITMQ_PASSWORD=""
+KEYSTONE_RABBITMQ_PASSWORD=$(kubectl -n openstack get secret keystone-rabbitmq-password \
+  -o jsonpath='{.data.password}' | base64 -d || "${SCRIPTS_DIR}/pwgen.sh")
+export KEYSTONE_RABBITMQ_PASSWORD
 
 # ironic keystone service account
-export IRONIC_KEYSTONE_PASSWORD=$(kubectl -n openstack get secret ironic-keystone-password -o jsonpath='{.data.password}' | base64 -d || "${SCRIPTS_DIR}/pwgen.sh")
+IRONIC_KEYSTONE_PASSWORD=""
+IRONIC_KEYSTONE_PASSWORD=$(kubectl -n openstack get secret ironic-keystone-password \
+  -o jsonpath='{.data.password}' | base64 -d || "${SCRIPTS_DIR}/pwgen.sh")
+export IRONIC_KEYSTONE_PASSWORD
+
 # ironic mariadb
-export IRONIC_DB_PASSWORD=$(kubectl -n openstack get secret ironic-db-password -o jsonpath='{.data.password}' | base64 -d || "${SCRIPTS_DIR}/pwgen.sh")
+IRONIC_DB_PASSWORD=""
+IRONIC_DB_PASSWORD=$(kubectl -n openstack get secret ironic-db-password \
+  -o jsonpath='{.data.password}' | base64 -d || "${SCRIPTS_DIR}/pwgen.sh")
+export IRONIC_DB_PASSWORD
+
 # ironic rabbitmq
-export IRONIC_RABBITMQ_PASSWORD=$(kubectl -n openstack get secret ironic-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d || "${SCRIPTS_DIR}/pwgen.sh")
+IRONIC_RABBITMQ_PASSWORD=""
+IRONIC_RABBITMQ_PASSWORD=$(kubectl -n openstack get secret ironic-rabbitmq-password \
+  -o jsonpath='{.data.password}' | base64 -d || "${SCRIPTS_DIR}/pwgen.sh")
+export IRONIC_RABBITMQ_PASSWORD
 
+# Generate output
 yq '(.. | select(tag == "!!str")) |= envsubst' \
     "${SCRIPTS_DIR}/../components/openstack-secrets.tpl.yaml" \
     > "$1"
diff --git a/scripts/gitops-deploy.sh b/scripts/gitops-deploy.sh
@@ -10,14 +10,15 @@ usage() {
 template() {
     local subvars
     subvars="\$DNS_ZONE \$UC_DEPLOY_GIT_URL \$DEPLOY_NAME"
+    # shellcheck disable=SC2002  # Using cat for clarity with envsubst
     cat "$1" | envsubst "${subvars}" > "$2"
 }
 
-if [ $# -ne 1 ]; then
+if [ "$#" -ne 1 ]; then
     usage
 fi
 
-SCRIPTS_DIR=$(dirname "$0")
+SCRIPTS_DIR="$(dirname "$0")"
 
 if [ ! -f "$1" ]; then
     echo "Did not get a file with environment variables." >&2
@@ -43,7 +44,7 @@ if [ ! -d "${UC_DEPLOY}" ]; then
     usage
 fi
 
-if [ "x${DEPLOY_NAME}" = "x" ]; then
+if [ -z "${DEPLOY_NAME}" ]; then
     echo "DEPLOY_NAME is not set." >&2
     usage
 fi
@@ -57,14 +58,16 @@ export DEPLOY_NAME
 
 # create helm-configs directory for values.yaml overrides
 mkdir -p "${UC_DEPLOY_HELM_CFG}"
-for component in dex; do
+
+# shellcheck disable=SC2043
+for component in "dex"; do
     helmvals="${UC_DEPLOY_HELM_CFG}/${component}.yaml"
     if [ -f "${helmvals}" ]; then
         echo "You have ${helmvals} already, not overwriting"
         continue
     fi
-    if  [ -f "${UC_REPO_COMPONENTS}/${component}/values.tpl.yaml" ]; then
-            template "${UC_REPO_COMPONENTS}/${component}/values.tpl.yaml" "${helmvals}"
+    if [ -f "${UC_REPO_COMPONENTS}/${component}/values.tpl.yaml" ]; then
+        template "${UC_REPO_COMPONENTS}/${component}/values.tpl.yaml" "${helmvals}"
     else
         echo "# add your values.yaml overrides for the helm chart here" > "${helmvals}"
     fi
