Updates to eliminate shellcheck failures in #72956

Extend quotes to full filepath strings

Fixes for reviewers comments

cluster/centos/build.sh

@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Download the flannel, etcd, docker, bridge-utils and K8s binaries automatically 
+# Download the flannel, etcd, docker, bridge-utils and K8s binaries automatically
 # and store into binaries directory.
 # Run as sudoers only
 
@@ -24,84 +24,84 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-readonly ROOT=$(dirname "${BASH_SOURCE}")
+readonly ROOT=$(dirname "${BASH_SOURCE[0]}")
-source ${ROOT}/config-build.sh
+source "${ROOT}/config-build.sh"
 
 # ensure $RELEASES_DIR is an absolute file path
-mkdir -p ${RELEASES_DIR}
+mkdir -p "${RELEASES_DIR}"
-RELEASES_DIR=$(cd ${RELEASES_DIR}; pwd)
+RELEASES_DIR=$(cd "${RELEASES_DIR}"; pwd)
 
 # get absolute file path of binaries
-BINARY_DIR=$(cd ${ROOT}; pwd)/binaries
+BINARY_DIR=$(cd "${ROOT}"; pwd)/binaries
 
 function clean-up() {
-  rm -rf ${RELEASES_DIR}
+  rm -rf "${RELEASES_DIR}"
-  rm -rf ${BINARY_DIR}
+  rm -rf "${BINARY_DIR}"
 }
 
 function download-releases() {
-  rm -rf ${RELEASES_DIR}
+  rm -rf "${RELEASES_DIR}"
-  mkdir -p ${RELEASES_DIR}
+  mkdir -p "${RELEASES_DIR}"
 
   echo "Download flannel release v${FLANNEL_VERSION} ..."
-  curl -L ${FLANNEL_DOWNLOAD_URL} -o ${RELEASES_DIR}/flannel.tar.gz
+  curl -L "${FLANNEL_DOWNLOAD_URL}" -o "${RELEASES_DIR}/flannel.tar.gz"
 
   echo "Download etcd release v${ETCD_VERSION} ..."
-  curl -L ${ETCD_DOWNLOAD_URL} -o ${RELEASES_DIR}/etcd.tar.gz
+  curl -L "${ETCD_DOWNLOAD_URL}" -o "${RELEASES_DIR}/etcd.tar.gz"
 
   echo "Download kubernetes release v${K8S_VERSION} ..."
-  curl -L ${K8S_CLIENT_DOWNLOAD_URL} -o ${RELEASES_DIR}/kubernetes-client-linux-amd64.tar.gz
+  curl -L "${K8S_CLIENT_DOWNLOAD_URL}" -o "${RELEASES_DIR}/kubernetes-client-linux-amd64.tar.gz"
-  curl -L ${K8S_SERVER_DOWNLOAD_URL} -o ${RELEASES_DIR}/kubernetes-server-linux-amd64.tar.gz
+  curl -L "${K8S_SERVER_DOWNLOAD_URL}" -o "${RELEASES_DIR}/kubernetes-server-linux-amd64.tar.gz"
 
   echo "Download docker release v${DOCKER_VERSION} ..."
-  curl -L ${DOCKER_DOWNLOAD_URL} -o ${RELEASES_DIR}/docker.tar.gz
+  curl -L "${DOCKER_DOWNLOAD_URL}" -o "${RELEASES_DIR}/docker.tar.gz"
 }
 
 function unpack-releases() {
-  rm -rf ${BINARY_DIR}
+  rm -rf "${BINARY_DIR}"
-  mkdir -p ${BINARY_DIR}/master/bin
+  mkdir -p "${BINARY_DIR}/master/bin"
-  mkdir -p ${BINARY_DIR}/node/bin
+  mkdir -p "${BINARY_DIR}/node/bin"
 
   # flannel
-  if [[ -f ${RELEASES_DIR}/flannel.tar.gz ]] ; then
+  if [[ -f "${RELEASES_DIR}/flannel.tar.gz" ]] ; then
-    tar xzf ${RELEASES_DIR}/flannel.tar.gz -C ${RELEASES_DIR}
+    tar xzf "${RELEASES_DIR}/flannel.tar.gz" -C "${RELEASES_DIR}"
-    cp ${RELEASES_DIR}/flanneld ${BINARY_DIR}/master/bin
+    cp "${RELEASES_DIR}/flanneld" "${BINARY_DIR}/master/bin"
-    cp ${RELEASES_DIR}/flanneld ${BINARY_DIR}/node/bin
+    cp "${RELEASES_DIR}/flanneld" "${BINARY_DIR}/node/bin"
   fi
 
   # etcd
-  if [[ -f ${RELEASES_DIR}/etcd.tar.gz ]] ; then
+  if [[ -f "${RELEASES_DIR}/etcd.tar.gz" ]] ; then
-    tar xzf ${RELEASES_DIR}/etcd.tar.gz -C ${RELEASES_DIR}
+    tar xzf "${RELEASES_DIR}/etcd.tar.gz" -C "${RELEASES_DIR}"
     ETCD="etcd-v${ETCD_VERSION}-linux-amd64"
-    cp ${RELEASES_DIR}/$ETCD/etcd \
+    cp "${RELEASES_DIR}/${ETCD}/etcd" \
-       ${RELEASES_DIR}/$ETCD/etcdctl ${BINARY_DIR}/master/bin
+       "${RELEASES_DIR}/${ETCD}/etcdctl" "${BINARY_DIR}/master/bin"
-    cp ${RELEASES_DIR}/$ETCD/etcd \
+    cp "${RELEASES_DIR}/${ETCD}/etcd" \
-       ${RELEASES_DIR}/$ETCD/etcdctl ${BINARY_DIR}/node/bin
+       "${RELEASES_DIR}/${ETCD}/etcdctl" "${BINARY_DIR}/node/bin"
   fi
 
   # k8s
-  if [[ -f ${RELEASES_DIR}/kubernetes-client-linux-amd64.tar.gz ]] ; then
+  if [[ -f "${RELEASES_DIR}/kubernetes-client-linux-amd64.tar.gz" ]] ; then
-    tar xzf ${RELEASES_DIR}/kubernetes-client-linux-amd64.tar.gz -C ${RELEASES_DIR}
+    tar xzf "${RELEASES_DIR}/kubernetes-client-linux-amd64.tar.gz" -C "${RELEASES_DIR}"
-    cp ${RELEASES_DIR}/kubernetes/client/bin/kubectl ${BINARY_DIR}
+    cp "${RELEASES_DIR}/kubernetes/client/bin/kubectl" "${BINARY_DIR}"
   fi
 
-  if [[ -f ${RELEASES_DIR}/kubernetes-server-linux-amd64.tar.gz ]] ; then
+  if [[ -f "${RELEASES_DIR}/kubernetes-server-linux-amd64.tar.gz" ]] ; then
-    tar xzf ${RELEASES_DIR}/kubernetes-server-linux-amd64.tar.gz -C ${RELEASES_DIR}
+    tar xzf "${RELEASES_DIR}/kubernetes-server-linux-amd64.tar.gz" -C "${RELEASES_DIR}"
-    cp ${RELEASES_DIR}/kubernetes/server/bin/kube-apiserver \
+    cp "${RELEASES_DIR}/kubernetes/server/bin/kube-apiserver" \
-       ${RELEASES_DIR}/kubernetes/server/bin/kube-controller-manager \
+       "${RELEASES_DIR}/kubernetes/server/bin/kube-controller-manager" \
-       ${RELEASES_DIR}/kubernetes/server/bin/kube-scheduler ${BINARY_DIR}/master/bin
+       "${RELEASES_DIR}/kubernetes/server/bin/kube-scheduler" "${BINARY_DIR}/master/bin"
-    cp ${RELEASES_DIR}/kubernetes/server/bin/kubelet \
+    cp "${RELEASES_DIR}/kubernetes/server/bin/kubelet" \
-       ${RELEASES_DIR}/kubernetes/server/bin/kube-proxy ${BINARY_DIR}/node/bin
+       "${RELEASES_DIR}/kubernetes/server/bin/kube-proxy" "${BINARY_DIR}/node/bin"
   fi
 
   # docker
-  if [[ -f ${RELEASES_DIR}/docker.tar.gz ]]; then
+  if [[ -f "${RELEASES_DIR}/docker.tar.gz" ]]; then
-    tar xzf ${RELEASES_DIR}/docker.tar.gz -C ${RELEASES_DIR}
+    tar xzf "${RELEASES_DIR}/docker.tar.gz" -C "${RELEASES_DIR}"
 
-    cp ${RELEASES_DIR}/docker/docker* ${BINARY_DIR}/node/bin
+    cp "${RELEASES_DIR}/docker/docker*" "${BINARY_DIR}/node/bin"
   fi
 
-  chmod -R +x ${BINARY_DIR}
+  chmod -R +x "${BINARY_DIR}"
   echo "Done! All binaries are stored in ${BINARY_DIR}"
 }
 
@@ -134,4 +134,4 @@ function parse-opt() {
   esac
 }
 
-parse-opt $@
+parse-opt "${@}"

cluster/centos/config-build.sh

@@ -31,16 +31,22 @@ ETCD_VERSION=${ETCD_VERSION:-"3.0.9"}
 # Define k8s version to use.
 K8S_VERSION=${K8S_VERSION:-"1.3.7"}
 
+# shellcheck disable=2034 # Variables sourced in other scripts executed from the same shell
 DOCKER_DOWNLOAD_URL=\
 "https://get.docker.com/builds/Linux/x86_64/docker-${DOCKER_VERSION}.tgz"
 
+# shellcheck disable=2034 # Variables sourced in other scripts executed from the same shell
 FLANNEL_DOWNLOAD_URL=\
 "https://github.com/coreos/flannel/releases/download/v${FLANNEL_VERSION}/flannel-v${FLANNEL_VERSION}-linux-amd64.tar.gz"
 
+# shellcheck disable=2034 # Variables sourced in other scripts executed from the same shell
 ETCD_DOWNLOAD_URL=\
 "https://github.com/coreos/etcd/releases/download/v${ETCD_VERSION}/etcd-v${ETCD_VERSION}-linux-amd64.tar.gz"
 
+# shellcheck disable=2034 # Variables sourced in other scripts executed from the same shell
 K8S_CLIENT_DOWNLOAD_URL=\
 "https://dl.k8s.io/v${K8S_VERSION}/kubernetes-client-linux-amd64.tar.gz"
+
+# shellcheck disable=2034 # Variables sourced in other scripts executed from the same shell
 K8S_SERVER_DOWNLOAD_URL=\
 "https://dl.k8s.io/v${K8S_VERSION}/kubernetes-server-linux-amd64.tar.gz"

cluster/centos/config-default.sh

@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-readonly root=$(dirname "${BASH_SOURCE}")
+readonly root=$(dirname "${BASH_SOURCE[0]}")
 
 ## Contains configuration values for the CentOS cluster
 # The user should have sudo privilege
@@ -30,8 +30,9 @@ export MASTERS="${MASTERS:-$MASTER}"
 # Get the length of specific arg0, could be a space-separate string or array.
 function length-of() {
   local len=0
+  # shellcheck disable=SC2034  # Unused variables left for readability
   for part in $1; do
-    let ++len
+    ((++len))
   done
   echo $len
 }
@@ -41,9 +42,9 @@ export NUM_MASTERS="${NUM_MASTERS:-$(length-of "$MASTERS")}"
 # Get default master advertise address: first master node.
 function default-advertise-address() {
   # get the first master node
-  local masters_array=(${MASTERS})
+  local masters_array=("${MASTERS}")
   local master=${masters_array[0]}
-  echo ${master#*@}
+  echo "${master#*@}"
 }
 
 # Define advertise address of masters, could be a load balancer address.
@@ -76,7 +77,8 @@ function concat-etcd-servers() {
 
   echo "$etcd_servers"
 }
-export ETCD_SERVERS="$(concat-etcd-servers)"
+ETCD_SERVERS="$(concat-etcd-servers)"
+export ETCD_SERVERS
 
 # By default, etcd cluster will use runtime configuration
 #   https://coreos.com/etcd/docs/latest/v2/runtime-configuration.html
@@ -90,17 +92,19 @@ function concat-etcd-initial-cluster() {
       etcd_initial_cluster+=","
     fi
     etcd_initial_cluster+="infra${num_infra}=https://${master_ip}:2380"
-    let ++num_infra
+    ((++num_infra))
   done
 
   echo "$etcd_initial_cluster"
 }
-export ETCD_INITIAL_CLUSTER="$(concat-etcd-initial-cluster)"
+ETCD_INITIAL_CLUSTER="$(concat-etcd-initial-cluster)"
+export ETCD_INITIAL_CLUSTER
 
 CERT_DIR="${CERT_DIR:-${root}/ca-cert}"
 mkdir -p "${CERT_DIR}"
 # CERT_DIR path must be absolute.
-export CERT_DIR="$(cd "${CERT_DIR}"; pwd)"
+CERT_DIR="$(cd "${CERT_DIR}" && pwd)"
+export CERT_DIR
 
 # define the IP range used for service cluster IPs.
 # according to rfc 1918 ref: https://tools.ietf.org/html/rfc1918 choose a private ip range here.
@@ -108,12 +112,14 @@ export SERVICE_CLUSTER_IP_RANGE=${SERVICE_CLUSTER_IP_RANGE:-"192.168.3.0/24"}
 
 # Optional: Install cluster DNS.
 ENABLE_CLUSTER_DNS="${KUBE_ENABLE_CLUSTER_DNS:-true}"
+export ENABLE_CLUSTER_DNS
 # DNS_SERVER_IP must be a IP in SERVICE_CLUSTER_IP_RANGE
 DNS_SERVER_IP=${DNS_SERVER_IP:-"192.168.3.100"}
 DNS_DOMAIN=${DNS_DOMAIN:-"cluster.local"}
 
 # Optional: Install Kubernetes UI
 ENABLE_CLUSTER_UI="${KUBE_ENABLE_CLUSTER_UI:-true}"
+export ENABLE_CLUSTER_UI
 
 # define the IP range used for flannel overlay network, should not conflict with above SERVICE_CLUSTER_IP_RANGE
 export FLANNEL_NET=${FLANNEL_NET:-"172.16.0.0/16"}

cluster/centos/config-test.sh

@@ -15,5 +15,5 @@
 # limitations under the License.
 
 ## for CentOS/Fedora/RHEL cluster in test mode
-KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../..
+KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/../..
 source "${KUBE_ROOT}/cluster/centos/config-default.sh"

cluster/centos/deployAddons.sh

@@ -18,8 +18,8 @@
 
 set -e
 
-KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../..
+KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/../..
-source "config-default.sh"
+source "${KUBE_ROOT}/cluster/centos/config-default.sh"
 KUBECTL="${KUBE_ROOT}/cluster/kubectl.sh"
 export KUBECTL_PATH="${KUBE_ROOT}/cluster/centos/binaries/kubectl"
 export KUBE_CONFIG_FILE=${KUBE_CONFIG_FILE:-${KUBE_ROOT}/cluster/centos/config-default.sh}
@@ -30,8 +30,8 @@ function deploy_dns {
   sed -i -e "s/\\\$DNS_DOMAIN/${DNS_DOMAIN}/g" kube-dns.yaml
   sed -i -e "s/\\\$DNS_SERVER_IP/${DNS_SERVER_IP}/g" kube-dns.yaml
 
-  KUBEDNS=`eval "${KUBECTL} get services --namespace=kube-system | grep kube-dns | cat"`
+  KUBEDNS=$("${KUBECTL} get services --namespace=kube-system | grep kube-dns | cat")
-      
+
   if [ ! "$KUBEDNS" ]; then
     # use kubectl to create kube-dns addon
     ${KUBECTL} --namespace=kube-system create -f kube-dns.yaml
@@ -47,11 +47,11 @@ function deploy_dns {
 function deploy_dashboard {
   echo "Deploying Kubernetes Dashboard"
 
-  ${KUBECTL} apply -f ${KUBE_ROOT}/cluster/addons/dashboard/dashboard-secret.yaml
+  ${KUBECTL} apply -f "${KUBE_ROOT}/cluster/addons/dashboard/dashboard-secret.yaml"
-  ${KUBECTL} apply -f ${KUBE_ROOT}/cluster/addons/dashboard/dashboard-configmap.yaml
+  ${KUBECTL} apply -f "${KUBE_ROOT}/cluster/addons/dashboard/dashboard-configmap.yaml"
-  ${KUBECTL} apply -f ${KUBE_ROOT}/cluster/addons/dashboard/dashboard-rbac.yaml
+  ${KUBECTL} apply -f "${KUBE_ROOT}/cluster/addons/dashboard/dashboard-rbac.yaml"
-  ${KUBECTL} apply -f ${KUBE_ROOT}/cluster/addons/dashboard/dashboard-controller.yaml
+  ${KUBECTL} apply -f "${KUBE_ROOT}/cluster/addons/dashboard/dashboard-controller.yaml"
-  ${KUBECTL} apply -f ${KUBE_ROOT}/cluster/addons/dashboard/dashboard-service.yaml
+  ${KUBECTL} apply -f "${KUBE_ROOT}/cluster/addons/dashboard/dashboard-service.yaml"
 
   echo
 }
@@ -64,4 +64,3 @@ fi
 if [ "${ENABLE_CLUSTER_UI}" == true ]; then
   deploy_dashboard
 fi
-

cluster/centos/make-ca-cert.sh

@@ -66,11 +66,11 @@ tar xzf easy-rsa.tar.gz > /dev/null 2>&1
 
 cd easy-rsa-master/easyrsa3
 ./easyrsa init-pki > /dev/null 2>&1
-./easyrsa --batch "--req-cn=$cert_ip@`date +%s`" build-ca nopass > /dev/null 2>&1
+./easyrsa --batch "--req-cn=${cert_ip}@$(date +%s)" build-ca nopass > /dev/null 2>&1
 if [ $use_cn = "true" ]; then
-    ./easyrsa build-server-full $cert_ip nopass > /dev/null 2>&1
+    ./easyrsa build-server-full "${cert_ip}" nopass > /dev/null 2>&1
-    cp -p pki/issued/$cert_ip.crt "${cert_dir}/server.cert" > /dev/null 2>&1
+    cp -p "pki/issued/${cert_ip}.crt" "${cert_dir}/server.cert" > /dev/null 2>&1
-    cp -p pki/private/$cert_ip.key "${cert_dir}/server.key" > /dev/null 2>&1
+    cp -p "pki/private/${cert_ip}.key" "${cert_dir}/server.key" > /dev/null 2>&1
 else
     ./easyrsa --subject-alt-name="${sans}" build-server-full kubernetes-master nopass > /dev/null 2>&1
     cp -p pki/issued/kubernetes-master.crt "${cert_dir}/server.cert" > /dev/null 2>&1
@@ -85,5 +85,5 @@ cp -p pki/ca.crt "${cert_dir}/ca.crt"
 cp -p pki/issued/kubecfg.crt "${cert_dir}/kubecfg.crt"
 cp -p pki/private/kubecfg.key "${cert_dir}/kubecfg.key"
 # Make server certs accessible to apiserver.
-chgrp $cert_group "${cert_dir}/server.key" "${cert_dir}/server.cert" "${cert_dir}/ca.crt"
+chgrp "${cert_group}" "${cert_dir}/server.key" "${cert_dir}/server.cert" "${cert_dir}/ca.crt"
 chmod 660 "${cert_dir}/server.key" "${cert_dir}/server.cert" "${cert_dir}/ca.crt"

cluster/centos/master/scripts/flannel.sh

@@ -48,10 +48,9 @@ EOF
 # Store FLANNEL_NET to etcd.
 attempt=0
 while true; do
-  /opt/kubernetes/bin/etcdctl --ca-file ${CA_FILE} --cert-file ${CERT_FILE} --key-file ${KEY_FILE} \
+  if /opt/kubernetes/bin/etcdctl --ca-file ${CA_FILE} --cert-file ${CERT_FILE} --key-file ${KEY_FILE} \
-    --no-sync -C ${ETCD_SERVERS} \
+    --no-sync -C "${ETCD_SERVERS}" \
-    get /coreos.com/network/config >/dev/null 2>&1
+    get /coreos.com/network/config >/dev/null 2>&1; then
-  if [[ "$?" == 0 ]]; then
     break
   else
     if (( attempt > 600 )); then
@@ -60,7 +59,7 @@ while true; do
     fi
 
     /opt/kubernetes/bin/etcdctl --ca-file ${CA_FILE} --cert-file ${CERT_FILE} --key-file ${KEY_FILE} \
-      --no-sync -C ${ETCD_SERVERS} \
+      --no-sync -C "${ETCD_SERVERS}" \
       mk /coreos.com/network/config "{\"Network\":\"${FLANNEL_NET}\"}" >/dev/null 2>&1
     attempt=$((attempt+1))
     sleep 3

cluster/centos/node/bin/mk-docker-opts.sh

@@ -30,7 +30,7 @@ OPTIONS:
     -c  Output combined Docker options into DOCKER_OPTS var
     -k  Set the combined options key to this value (default DOCKER_OPTS=)
     -m  Do not output --ip-masq (useful for older Docker version)
-" >/dev/stderr 
+" >/dev/stderr
   exit 1
 }
 
@@ -40,8 +40,9 @@ combined_opts_key="DOCKER_OPTS"
 indiv_opts=false
 combined_opts=false
 ipmasq=true
+val=""
 
-while getopts "f:d:ick:" opt; do
+while getopts "f:d:icmk:" opt; do
   case $opt in
     f)
       flannel_env=$OPTARG
@@ -72,37 +73,41 @@ if [[ $indiv_opts = false ]] && [[ $combined_opts = false ]]; then
   combined_opts=true
 fi
 
-if [[ -f "$flannel_env" ]]; then
+if [[ -f "${flannel_env}" ]]; then
-  source $flannel_env
+  source "${flannel_env}"
 fi
 
 if [[ -n "$FLANNEL_SUBNET" ]]; then
+  # shellcheck disable=SC2034  # Variable name referenced in OPT_LOOP below
   DOCKER_OPT_BIP="--bip=$FLANNEL_SUBNET"
 fi
 
 if [[ -n "$FLANNEL_MTU" ]]; then
+  # shellcheck disable=SC2034  # Variable name referenced in OPT_LOOP below
   DOCKER_OPT_MTU="--mtu=$FLANNEL_MTU"
 fi
 
 if [[ "$FLANNEL_IPMASQ" = true ]] && [[ $ipmasq = true ]]; then
+  # shellcheck disable=SC2034  # Variable name referenced in OPT_LOOP below
   DOCKER_OPT_IPMASQ="--ip-masq=false"
 fi
 
 eval docker_opts="\$${combined_opts_key}"
 docker_opts+=" "
 
-echo -n "" >$docker_env
+echo -n "" >"${docker_env}"
+
+# OPT_LOOP
 for opt in $(compgen -v DOCKER_OPT_); do
-  eval val=\$$opt
+  eval val=\$"${opt}"
 
   if [[ "$indiv_opts" = true ]]; then
-    echo "$opt=\"$val\"" >>$docker_env
+    echo "$opt=\"$val\"" >>"${docker_env}"
   fi
 
   docker_opts+="$val "
 done
 
 if [[ "$combined_opts" = true ]]; then
-  echo "${combined_opts_key}=\"${docker_opts}\"" >>$docker_env
+  echo "${combined_opts_key}=\"${docker_opts}\"" >>"${docker_env}"
 fi
-

cluster/centos/node/scripts/flannel.sh

@@ -52,10 +52,9 @@ EOF
 # Store FLANNEL_NET to etcd.
 attempt=0
 while true; do
-  /opt/kubernetes/bin/etcdctl --ca-file ${CA_FILE} --cert-file ${CERT_FILE} --key-file ${KEY_FILE} \
+  if /opt/kubernetes/bin/etcdctl --ca-file ${CA_FILE} --cert-file ${CERT_FILE} --key-file ${KEY_FILE} \
-    --no-sync -C ${ETCD_SERVERS} \
+    --no-sync -C "${ETCD_SERVERS}" \
-    get /coreos.com/network/config >/dev/null 2>&1
+    get /coreos.com/network/config >/dev/null 2>&1; then
-  if [[ "$?" == 0 ]]; then
     break
   else
     if (( attempt > 600 )); then
@@ -64,7 +63,7 @@ while true; do
     fi
 
     /opt/kubernetes/bin/etcdctl --ca-file ${CA_FILE} --cert-file ${CERT_FILE} --key-file ${KEY_FILE} \
-      --no-sync -C ${ETCD_SERVERS} \
+      --no-sync -C "${ETCD_SERVERS}" \
       mk /coreos.com/network/config "{\"Network\":\"${FLANNEL_NET}\"}" >/dev/null 2>&1
     attempt=$((attempt+1))
     sleep 3

cluster/centos/util.sh

@@ -23,16 +23,16 @@ SSH_OPTS="-oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null -oLogLevel=E
 
 # Use the config file specified in $KUBE_CONFIG_FILE, or default to
 # config-default.sh.
-KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../..
+KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/../..
-readonly ROOT=$(dirname "${BASH_SOURCE}")
+readonly ROOT=$(dirname "${BASH_SOURCE[0]}")
 source "${ROOT}/${KUBE_CONFIG_FILE:-"config-default.sh"}"
 source "$KUBE_ROOT/cluster/common.sh"
 
-
+# shellcheck disable=SC2034 # Can't tell if this is still needed or not
 KUBECTL_PATH=${KUBE_ROOT}/cluster/centos/binaries/kubectl
 
 # Directory to be used for master and node provisioning.
-KUBE_TEMP="~/kube_temp"
+KUBE_TEMP="${HOME}/kube_temp"
 
 
 # Get master IP addresses and store in KUBE_MASTER_IP_ADDRESSES[]
@@ -88,12 +88,13 @@ function trap-add {
   local signal="${2-EXIT}"
   local cur
 
-  cur="$(eval "sh -c 'echo \$3' -- $(trap -p ${signal})")"
+  cur="$(eval "sh -c 'echo \$3' -- $(trap -p "${signal}")")"
   if [[ -n "${cur}" ]]; then
     handler="${cur}; ${handler}"
   fi
 
-  trap "${handler}" ${signal}
+  # shellcheck disable=SC2064 # Early expansion is intentional here.
+  trap "${handler}" "${signal}"
 }
 
 # Validate a kubernetes cluster
@@ -101,13 +102,12 @@ function validate-cluster() {
   # by default call the generic validate-cluster.sh script, customizable by
   # any cluster provider if this does not fit.
   set +e
-  "${KUBE_ROOT}/cluster/validate-cluster.sh"
+  if ! "${KUBE_ROOT}/cluster/validate-cluster.sh"; then
-  if [[ "$?" -ne "0" ]]; then
     for master in ${MASTERS}; do
-      troubleshoot-master ${master}
+      troubleshoot-master "${master}"
     done
     for node in ${NODES}; do
-      troubleshoot-node ${node}
+      troubleshoot-node "${node}"
     done
     exit 1
   fi
@@ -121,7 +121,7 @@ function kube-up() {
   local num_infra=0
   for master in ${MASTERS}; do
     provision-master "${master}" "infra${num_infra}"
-    let ++num_infra
+    ((++num_infra))
   done
 
   for master in ${MASTERS}; do
@@ -147,11 +147,11 @@ function kube-up() {
 # Delete a kubernetes cluster
 function kube-down() {
   for master in ${MASTERS}; do
-    tear-down-master ${master}
+    tear-down-master "${master}"
   done
 
   for node in ${NODES}; do
-    tear-down-node ${node}
+    tear-down-node "${node}"
   done
 }
 
@@ -170,7 +170,7 @@ function troubleshoot-master() {
     else
       daemon_status="active"
     fi
-    printf "%-24s %s\n" ${daemon} ${daemon_status}
+    printf "%-24s %s\n" "${daemon}" ${daemon_status}
   done
   printf "\n"
 }
@@ -190,7 +190,7 @@ function troubleshoot-node() {
     else
       daemon_status="active"
     fi
-    printf "%-24s %s\n" ${daemon} ${daemon_status}
+    printf "%-24s %s\n" "${daemon}" ${daemon_status}
   done
   printf "\n"
 }
@@ -307,8 +307,9 @@ function provision-node() {
   local node=$1
   local node_ip=${node#*@}
   local dns_ip=${DNS_SERVER_IP#*@}
+  # shellcheck disable=SC2153  # DNS_DOMAIN sourced from external file
   local dns_domain=${DNS_DOMAIN#*@}
-  ensure-setup-dir ${node}
+  ensure-setup-dir "${node}"
 
   kube-scp "${node}" "${ROOT}/binaries/node ${ROOT}/node ${ROOT}/config-default.sh ${ROOT}/util.sh" "${KUBE_TEMP}"
   kube-scp "${node}" "${ROOT}/etcd-cert/ca.pem \
@@ -360,15 +361,15 @@ function ensure-etcd-cert() {
 function kube-ssh() {
   local host="$1"
   shift
-  ssh ${SSH_OPTS} -t "${host}" "$@" >/dev/null 2>&1
+  ssh "${SSH_OPTS}" -t "${host}" "$@" >/dev/null 2>&1
 }
 
 # Copy file recursively over ssh
 function kube-scp() {
   local host="$1"
-  local src=($2)
+  local src=("$2")
   local dst="$3"
-  scp -r ${SSH_OPTS} ${src[*]} "${host}:${dst}"
+  scp -r "${SSH_OPTS}" "${src[*]}" "${host}:${dst}"
 }
 
 # Ensure that we have a password created for validating to the master. Will
@@ -380,8 +381,8 @@ function kube-scp() {
 function get-password {
   load-or-gen-kube-basicauth
   if [[ -z "${KUBE_USER}" || -z "${KUBE_PASSWORD}" ]]; then
-    KUBE_USER=admin
+    KUBE_USER="admin"
-    KUBE_PASSWORD=$(python -c 'import string,random; \
+    KUBE_PASSWORD=$(python -c 'import string,random; '\
-      print("".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16)))')
+      'print("".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16)))')
   fi
 }

hack/.shellcheck_failures

@@ -3,16 +3,6 @@
 ./cluster/addons/addon-manager/kube-addons.sh
 ./cluster/addons/fluentd-elasticsearch/es-image/run.sh
 ./cluster/addons/fluentd-elasticsearch/fluentd-es-image/run.sh
-./cluster/centos/build.sh
-./cluster/centos/config-build.sh
-./cluster/centos/config-default.sh
-./cluster/centos/config-test.sh
-./cluster/centos/deployAddons.sh
-./cluster/centos/make-ca-cert.sh
-./cluster/centos/master/scripts/flannel.sh
-./cluster/centos/node/bin/mk-docker-opts.sh
-./cluster/centos/node/scripts/flannel.sh
-./cluster/centos/util.sh
 ./cluster/clientbin.sh
 ./cluster/common.sh
 ./cluster/gce/config-common.sh