elastisys · Zash · Oct 13, 2025 · Aug 19, 2025 · Sep 25, 2025 · rarescosma
@@ -202,6 +202,7 @@ kubectl delete pvc --all -A
 ### Bash
 
 - See [Googles style guide](https://google.github.io/styleguide/shellguide.html).
+- Prefer long versions of flags to improve readability, i.e. `--long-flag` instead of `-f`|
- Prefer long versions of flags to improve readability, i.e. `--long-flag` instead of `-f`|
+- Prefer long versions of flags to improve readability, i.e. `--long-flag` instead of `-f`
- Prefer long versions of flags to improve readability, i.e. `--long-flag` instead of `-f`|
+- Prefer long versions of flags to improve readability, i.e. `--long-flag` instead of `-f`
 
 ### Markdown
 

@@ -6,7 +6,7 @@
 set -euo pipefail
 
 declare here
-here="$(dirname "$(readlink -f "$0")")"
+here="$(dirname "$(readlink --canonicalize "$0")")"
 
 # shellcheck source=bin/common.bash
 source "${here}/common.bash"

@@ -4,7 +4,7 @@
 
 set -e -o pipefail
 
-here="$(dirname "$(readlink -f "$0")")"
+here="$(dirname "$(readlink --canonicalize "$0")")"
 # shellcheck source=bin/common.bash
 source "${here}/common.bash"
 

@@ -7,7 +7,7 @@ usage() {
   exit 1
 }
 
-here="$(dirname "$(readlink -f "$0")")"
+here="$(dirname "$(readlink --canonicalize "$0")")"
 # shellcheck source=bin/common.bash
 source "${here}/common.bash"
 

@@ -5,7 +5,7 @@
 # are used throughout all of the scripts.
 
 : "${CK8S_CONFIG_PATH:?Missing CK8S_CONFIG_PATH}"
-here="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")"
+here="$(dirname "$(readlink --canonicalize "${BASH_SOURCE[0]}")")"
 root_path="${here}/.."
 
 # shellcheck disable=SC2034
@@ -23,7 +23,7 @@ CK8S_AUTO_APPROVE=${CK8S_AUTO_APPROVE:-"false"}
 
 # Create CK8S_CONFIG_PATH if it does not exist and make it absolute
 mkdir -p "${CK8S_CONFIG_PATH}"
-CK8S_CONFIG_PATH=$(readlink -f "${CK8S_CONFIG_PATH}")
+CK8S_CONFIG_PATH=$(readlink --canonicalize "${CK8S_CONFIG_PATH}")
 export CK8S_CONFIG_PATH
 
 config_template_path="${root_path}/config"
@@ -147,14 +147,14 @@ check_tools() {
     fi
   }
 
-  check_minor "$(echo "${req}" | jq -r '.["github.com/mikefarah/yq/v4"].version')" "$(yq --version)" yq
-  check_minor "$(echo "${req}" | jq -r '.["kubectl"].version')" "$(kubectl version --client=true -oyaml 2>/dev/null | yq '.clientVersion.gitVersion')" kubectl
-  check_minor "$(echo "${req}" | jq -r '.["helm.sh/helm/v3"].version')" "$(helm version --template='{{.Version}}')" helm
-  check_minor "$(echo "${req}" | jq -r '.["github.com/helmfile/helmfile"].version')" "$(helmfile --version)" helmfile
-  check_minor "$(echo "${req}" | jq -r '.["github.com/databus23/helm-diff/v3"].version')" "$(helm plugin list | grep diff)" "helm diff plugin"
-  check_minor "$(echo "${req}" | jq -r '.["helm-secrets"].version')" "$(helm plugin list | grep secrets)" "helm secrets plugin"
-  check_minor "$(echo "${req}" | jq -r '.["getsops/sops/v3"].version')" "$(sops --version)" "sops"
-  check_minor "$(echo "${req}" | jq -r '.["s3cmd"].version')" "$(s3cmd --version)" "s3cmd"
+  check_minor "$(echo "${req}" | jq --raw-output '.["github.com/mikefarah/yq/v4"].version')" "$(yq --version)" yq
+  check_minor "$(echo "${req}" | jq --raw-output '.["kubectl"].version')" "$(kubectl version --client=true -oyaml 2>/dev/null | yq '.clientVersion.gitVersion')" kubectl
+  check_minor "$(echo "${req}" | jq --raw-output '.["helm.sh/helm/v3"].version')" "$(helm version --template='{{.Version}}')" helm
+  check_minor "$(echo "${req}" | jq --raw-output '.["github.com/helmfile/helmfile"].version')" "$(helmfile --version)" helmfile
+  check_minor "$(echo "${req}" | jq --raw-output '.["github.com/databus23/helm-diff/v3"].version')" "$(helm plugin list | grep diff)" "helm diff plugin"
+  check_minor "$(echo "${req}" | jq --raw-output '.["helm-secrets"].version')" "$(helm plugin list | grep secrets)" "helm secrets plugin"
+  check_minor "$(echo "${req}" | jq --raw-output '.["getsops/sops/v3"].version')" "$(sops --version)" "sops"
+  check_minor "$(echo "${req}" | jq --raw-output '.["s3cmd"].version')" "$(s3cmd --version)" "s3cmd"
 
   if [[ "${warn}" != 0 ]]; then
     if [[ -t 1 ]]; then
@@ -550,7 +550,7 @@ sops_config_write_fingerprints() {
 
 # Encrypt stdin to file. If the file already exists it's overwritten.
 sops_encrypt_stdin() {
-  sops --config "${sops_config}" -e --input-type "${1}" --output-type "${1}" /dev/stdin >"${2}"
+  sops --config "${sops_config}" --encrypt --input-type "${1}" --output-type "${1}" /dev/stdin >"${2}"
 }
 
 # Encrypt a file in place.
@@ -563,7 +563,7 @@ sops_encrypt() {
 
   log_info "Encrypting ${1}"
 
-  sops --config "${sops_config}" -e -i "${1}"
+  sops --config "${sops_config}" --encrypt --in-place "${1}"
 }
 
 # Check that a file exists and is actually encrypted using SOPS.
@@ -595,7 +595,7 @@ sops_decrypt() {
 
   sops_decrypt_verify "${1}"
 
-  sops --config "${sops_config}" -d -i "${1}"
+  sops --config "${sops_config}" --decrypt --in-place "${1}"
   append_trap "sops_encrypt ${1}" EXIT
 }
 

@@ -2,7 +2,7 @@
 
 set -euo pipefail
 
-here="$(dirname "$(readlink -f "$0")")"
+here="$(dirname "$(readlink --canonicalize "$0")")"
 # shellcheck source=bin/common.bash
 source "${here}/common.bash"
 
@@ -108,7 +108,7 @@ sops_encrypt_file() {
 
   log_info "Encrypting ${file}"
 
-  sops --pgp "${CK8S_PGP_FP}" -e -i "${file}"
+  sops --pgp "${CK8S_PGP_FP}" --encrypt --in-place "${file}"
 }
 
 fetch_oidc_token() {
@@ -155,7 +155,7 @@ run_diagnostics() {
   # -- DS and Deployments --
   printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' -
   echo -e "\nFetching Deployments without desired number of ready pods (<deployment>)"
-  deployments=$("${here}"/ops.bash kubectl "${cluster}" get deployments -A -o=yaml | yq '.items[] | select(.status.conditions[] | select((.type == "Progressing" and .status != "True") or (.type == "Available" and .status != "True")))')
+  deployments=$("${here}"/ops.bash kubectl "${cluster}" get deployments --all-namespaces -o=yaml | yq '.items[] | select(.status.conditions[] | select((.type == "Progressing" and .status != "True") or (.type == "Available" and .status != "True")))')
   if [ -z "${deployments}" ]; then
     echo -e "All Deployments are ready"
   else
@@ -164,7 +164,7 @@ run_diagnostics() {
   printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' -
 
   echo -e "\nFetching DaemonSets without desired number of ready pods (<daemonset>)"
-  daemonsets=$("${here}"/ops.bash kubectl "${cluster}" get daemonsets -A -o=yaml | yq '.items[] | select(.status.numberMisscheduled != 0)')
+  daemonsets=$("${here}"/ops.bash kubectl "${cluster}" get daemonsets --all-namespaces -o=yaml | yq '.items[] | select(.status.numberMisscheduled != 0)')
   if [ -z "${daemonsets}" ]; then
     echo -e "All daemonsets are ready"
   else
@@ -173,7 +173,7 @@ run_diagnostics() {
   printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' -
 
   echo -e "\nFetching StatefulSets without desired number of ready pods (<statefulset>)"
-  statefulsets=$("${here}"/ops.bash kubectl "${cluster}" get statefulsets -A -o=yaml | yq '.items[] | select(.status.collisionCount != 0 and .status.readyReplicas != .status.updatedReplicas and .status.replicas != .status.readyReplicas)')
+  statefulsets=$("${here}"/ops.bash kubectl "${cluster}" get statefulsets --all-namespaces -o=yaml | yq '.items[] | select(.status.collisionCount != 0 and .status.readyReplicas != .status.updatedReplicas and .status.replicas != .status.readyReplicas)')
   if [ -z "${statefulsets}" ]; then
     echo -e "All statefulsets are ready"
   else
@@ -183,15 +183,15 @@ run_diagnostics() {
 
   # -- Pods --
   echo -e "\nFetching Pods that are NotReady (<pod>)"
-  pods=$("${here}/ops.bash" kubectl "${cluster}" get pod -A -o=yaml | yq '.items[] | select(.status.conditions[] | select(.type == "Ready" and .status != "True" and .reason != "PodCompleted")) | [{"name": .metadata.name, "namespace": .metadata.namespace}]')
+  pods=$("${here}/ops.bash" kubectl "${cluster}" get pod --all-namespaces -o=yaml | yq '.items[] | select(.status.conditions[] | select(.type == "Ready" and .status != "True" and .reason != "PodCompleted")) | [{"name": .metadata.name, "namespace": .metadata.namespace}]')
   readarray pod_arr < <(echo "$pods" | yq e -o=j -I=0 '.[]')
 
   if [ "${pods}" == '[]' ]; then
     echo -e "All pods are ready"
   else
     for pod in "${pod_arr[@]}"; do
-      pod_name=$(echo "$pod" | jq -r '.name')
-      namespace=$(echo "$pod" | jq -r '.namespace')
+      pod_name=$(echo "$pod" | jq --raw-output '.name')
+      namespace=$(echo "$pod" | jq --raw-output '.namespace')
 
       echo -e "\nDescribing pod <${pod_name}>"
       "${here}/ops.bash" kubectl "${cluster}" describe pod "${pod_name}" -n "${namespace}"
@@ -223,7 +223,7 @@ run_diagnostics() {
   # -- Helm --
   printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' -
   echo -e "\nFetching Helm releases that are not deployed (<helm>)"
-  helm=$("${here}"/ops.bash helm "${cluster}" list -A --all -o yaml | yq '.[] | select(.status != "deployed")')
+  helm=$("${here}"/ops.bash helm "${cluster}" list --all-namespaces --all -o yaml | yq '.[] | select(.status != "deployed")')
   if [ -z "${helm}" ]; then
     echo -e "All charts are deployed"
   else
@@ -238,14 +238,14 @@ run_diagnostics() {
 
   printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' -
   echo -e "\nDescribing failed Challenges (<challenge>)"
-  challenges=$("${here}/ops.bash" kubectl "${cluster}" get challenge -A -o=yaml | yq '.items[] | select(.status.state != "valid") | [{"name": .metadata.name, "namespace": .metadata.namespace}]')
+  challenges=$("${here}/ops.bash" kubectl "${cluster}" get challenge --all-namespaces -o=yaml | yq '.items[] | select(.status.state != "valid") | [{"name": .metadata.name, "namespace": .metadata.namespace}]')
   readarray challenge_arr < <(echo "$challenges" | yq e -o=j -I=0 '.[]')
   if [ "${challenges}" == '[]' ]; then
     echo -e "All challenges are valid"
   else
     for challenge in "${challenge_arr[@]}"; do
-      challenge_name=$(echo "$challenge" | jq -r '.name')
-      namespace=$(echo "$challenge" | jq -r '.namespace')
+      challenge_name=$(echo "$challenge" | jq --raw-output '.name')
+      namespace=$(echo "$challenge" | jq --raw-output '.namespace')
       "${here}/ops.bash" kubectl "${cluster}" describe challenge "${challenge_name}" -n "${namespace}"
     done
   fi
@@ -254,7 +254,7 @@ run_diagnostics() {
   # -- Events --
   printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' -
   echo -e "\nFetching all Events (<event>)"
-  "${here}/ops.bash" kubectl "${cluster}" get events -A --sort-by=.metadata.creationTimestamp
+  "${here}/ops.bash" kubectl "${cluster}" get events --all-namespaces --sort-by=.metadata.creationTimestamp
   printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' -
 
   # # -- Test --
@@ -345,7 +345,7 @@ run_diagnostics_default_metrics() {
     print_func="${2}"
     res="$(curl "${endpoint}/query_range" --insecure -s --header "${header}" --data-urlencode query="${query}" "${range_arg[@]}")"
     if [[ $(jq '.data.result | length' <<<"${res}") -gt 0 ]]; then
-      readarray metric_results_arr < <(jq -c '.data.result[]' <<<"${res}")
+      readarray metric_results_arr < <(jq --compact-output '.data.result[]' <<<"${res}")
       for row in "${metric_results_arr[@]}"; do
         "${print_func}" "${row}"
       done
@@ -364,7 +364,7 @@ run_diagnostics_default_metrics() {
   query_and_parse 'sum(rate(fluentd_output_status_retry_count[1m])) > 0' print_fluentd
 
   print_dropped_packages() {
-    direction="$([[ $(jq -r .metric.type <<<"${1}") == "fw" ]] && echo "from" || echo "to")"
+    direction="$([[ $(jq --raw-output .metric.type <<<"${1}") == "fw" ]] && echo "from" || echo "to")"
     pod="$(jq '.metric.exported_pod' <<<"${1}")"
     echo "Found dropped packages going ${direction} pod: ${pod} on dates:"
     jq '.values[][0]' <<<"${1}" | xargs -I {} date -d@{}

@@ -9,7 +9,7 @@ set -eu -o pipefail
 # TODO: Implement a proper dry-run command which actually gives the user some
 #       reassurance that the cluster will not change when deploying.
 
-here="$(dirname "$(readlink -f "$0")")"
+here="$(dirname "$(readlink --canonicalize "$0")")"
 # shellcheck source=bin/common.bash
 source "${here}/common.bash"
 

@@ -6,7 +6,7 @@
 set -euo pipefail
 
 declare here root
-here="$(dirname "$(readlink -f "$0")")"
+here="$(dirname "$(readlink --canonicalize "$0")")"
 root="$(dirname "${here}")"
 
 # shellcheck source=bin/common.bash

@@ -2,7 +2,7 @@
 
 : "${CK8S_CLUSTER:?Missing CK8S_CLUSTER}"
 
-ROOT="$(readlink -f "$(dirname "${0}")/../")"
+ROOT="$(readlink --canonicalize "$(dirname "${0}")/../")"
 
 # shellcheck source=scripts/migration/lib.sh
 source "${ROOT}/scripts/migration/lib.sh"

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-here="$(readlink -f "$(dirname "${0}")")"
+here="$(readlink --canonicalize "$(dirname "${0}")")"
 
 # shellcheck source=bin/common.bash
 source "${here}/common.bash"

@@ -9,7 +9,7 @@
 
 set -eu -o pipefail
 
-here="$(dirname "$(readlink -f "$0")")"
+here="$(dirname "$(readlink --canonicalize "$0")")"
 
 # shellcheck source=bin/common.bash
 source "${here}/common.bash"

@@ -2,7 +2,7 @@
 
 set -euo pipefail
 
-root_path="$(readlink -f "$(dirname "${0}")/../")"
+root_path="$(readlink --canonicalize "$(dirname "${0}")/../")"
 
 export ANSIBLE_STDOUT_CALLBACK=yaml
 

@@ -2,7 +2,7 @@
 
 set -euo pipefail
 
-here="$(dirname "$(readlink -f "$0")")"
+here="$(dirname "$(readlink --canonicalize "$0")")"
 # shellcheck source=bin/common.bash
 source "${here}/common.bash"
 

@@ -4,7 +4,7 @@
 
 set -eu
 
-here="$(dirname "$(readlink -f "$0")")"
+here="$(dirname "$(readlink --canonicalize "$0")")"
 
 # shellcheck source=bin/common.bash
 source "${here}/common.bash"

@@ -4,7 +4,7 @@
 
 set -eu -o pipefail
 
-here="$(dirname "$(readlink -f "$0")")"
+here="$(dirname "$(readlink --canonicalize "$0")")"
 # shellcheck source=bin/common.bash
 source "${here}/common.bash"
 
@@ -102,7 +102,7 @@ sops_rotate_data_key() {
     fi
 
     log_info "Rotating data key and reencrypting: ${secret}"
-    sops --config "${sops_config}" -r -i "${secret}"
+    sops --config "${sops_config}" --rotate --in-place "${secret}"
   done
 }
 

@@ -5,7 +5,7 @@
 
 set -eu -o pipefail
 
-here="$(dirname "$(readlink -f "$0")")"
+here="$(dirname "$(readlink --canonicalize "$0")")"
 # shellcheck source=bin/common.bash
 source "${here}/common.bash"
 # shellcheck source=pipeline/test/services/service-cluster/testOpensearch.sh

@@ -9,7 +9,7 @@
 
 set -euo pipefail
 
-here="$(dirname "$(readlink -f "$0")")"
+here="$(dirname "$(readlink --canonicalize "$0")")"
 # shellcheck source=bin/common.bash
 source "${here}/common.bash"
 
@@ -63,7 +63,7 @@ yq_read_secret() {
   local default_value="${2}"
 
   local value
-  value=$(sops -d "${secrets["secrets_file"]}" | yq "${config_option}")
+  value=$(sops --decrypt "${secrets["secrets_file"]}" | yq "${config_option}")
 
   if [[ "${value}" != "null" ]]; then
     echo "${value}"
@@ -277,7 +277,7 @@ get_swift_url() {
       [[ -z "${header}" ]] && break
       [[ "${header}" == "x-subject-token:" ]] && os_token="${value}"
     done
-    swift_url=$(jq -r '.token.catalog[] | select( .type == "object-store" and .name == "swift") | .endpoints[] | select(.interface == "public" and .region == "'"${swift_region}"'") | .url')
+    swift_url=$(jq --raw-output '.token.catalog[] | select( .type == "object-store" and .name == "swift") | .endpoints[] | select(.interface == "public" and .region == "'"${swift_region}"'") | .url')
   } <<<"${response}"
 
   curl -i -s -X DELETE -H "X-Auth-Token: ${os_token}" -H "X-Subject-Token: ${os_token}" "${auth_url}/auth/tokens" >/dev/null

@@ -2,9 +2,9 @@
 
 : "${CK8S_CLUSTER:?Missing CK8S_CLUSTER}"
 
-here="$(readlink -f "$(dirname "${0}")")"
+here="$(readlink --canonicalize "$(dirname "${0}")")"
 
-ROOT="$(readlink -f "${here}/../")"
+ROOT="$(readlink --canonicalize "${here}/../")"
 # Allow overriding from test suite
 MIGRATION_ROOT="${MIGRATION_ROOT:-"${ROOT}/migration"}"