mirror of https://github.com/helm/helm
				
				
				
			
			You can not select more than 25 topics
			Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
		
		
		
		
		
			
		
			
				
					
					
						
							332 lines
						
					
					
						
							11 KiB
						
					
					
				
			
		
		
	
	
							332 lines
						
					
					
						
							11 KiB
						
					
					
				| #!/usr/bin/env bash
 | |
| 
 | |
| # Copyright The Helm Authors.
 | |
| #
 | |
| # Licensed under the Apache License, Version 2.0 (the "License");
 | |
| # you may not use this file except in compliance with the License.
 | |
| # You may obtain a copy of the License at
 | |
| #
 | |
| #     http://www.apache.org/licenses/LICENSE-2.0
 | |
| #
 | |
| # Unless required by applicable law or agreed to in writing, software
 | |
| # distributed under the License is distributed on an "AS IS" BASIS,
 | |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 | |
| # See the License for the specific language governing permissions and
 | |
| # limitations under the License.
 | |
| 
 | |
| # The install script is based off of the MIT-licensed script from glide,
 | |
| # the package manager for Go: https://github.com/Masterminds/glide.sh/blob/master/get
 | |
| 
 | |
| : ${BINARY_NAME:="helm"}
 | |
| : ${USE_SUDO:="true"}
 | |
| : ${DEBUG:="false"}
 | |
| : ${VERIFY_CHECKSUM:="true"}
 | |
| : ${VERIFY_SIGNATURES:="false"}
 | |
| : ${HELM_INSTALL_DIR:="/usr/local/bin"}
 | |
| : ${GPG_PUBRING:="pubring.kbx"}
 | |
| 
 | |
| HAS_CURL="$(type "curl" &> /dev/null && echo true || echo false)"
 | |
| HAS_WGET="$(type "wget" &> /dev/null && echo true || echo false)"
 | |
| HAS_OPENSSL="$(type "openssl" &> /dev/null && echo true || echo false)"
 | |
| HAS_GPG="$(type "gpg" &> /dev/null && echo true || echo false)"
 | |
| HAS_GIT="$(type "git" &> /dev/null && echo true || echo false)"
 | |
| 
 | |
| # initArch discovers the architecture for this system.
 | |
| initArch() {
 | |
|   ARCH=$(uname -m)
 | |
|   case $ARCH in
 | |
|     armv5*) ARCH="armv5";;
 | |
|     armv6*) ARCH="armv6";;
 | |
|     armv7*) ARCH="arm";;
 | |
|     aarch64) ARCH="arm64";;
 | |
|     x86) ARCH="386";;
 | |
|     x86_64) ARCH="amd64";;
 | |
|     i686) ARCH="386";;
 | |
|     i386) ARCH="386";;
 | |
|   esac
 | |
| }
 | |
| 
 | |
| # initOS discovers the operating system for this system.
 | |
| initOS() {
 | |
|   OS=$(echo `uname`|tr '[:upper:]' '[:lower:]')
 | |
| 
 | |
|   case "$OS" in
 | |
|     # Minimalist GNU for Windows
 | |
|     mingw*|cygwin*) OS='windows';;
 | |
|   esac
 | |
| }
 | |
| 
 | |
| # runs the given command as root (detects if we are root already)
 | |
| runAsRoot() {
 | |
|   if [ $EUID -ne 0 -a "$USE_SUDO" = "true" ]; then
 | |
|     sudo "${@}"
 | |
|   else
 | |
|     "${@}"
 | |
|   fi
 | |
| }
 | |
| 
 | |
| # verifySupported checks that the os/arch combination is supported for
 | |
| # binary builds, as well whether or not necessary tools are present.
 | |
| verifySupported() {
 | |
|   local supported="darwin-amd64\ndarwin-arm64\nlinux-386\nlinux-amd64\nlinux-arm\nlinux-arm64\nlinux-ppc64le\nlinux-s390x\nwindows-amd64"
 | |
|   if ! echo "${supported}" | grep -q "${OS}-${ARCH}"; then
 | |
|     echo "No prebuilt binary for ${OS}-${ARCH}."
 | |
|     echo "To build from source, go to https://github.com/helm/helm"
 | |
|     exit 1
 | |
|   fi
 | |
| 
 | |
|   if [ "${HAS_CURL}" != "true" ] && [ "${HAS_WGET}" != "true" ]; then
 | |
|     echo "Either curl or wget is required"
 | |
|     exit 1
 | |
|   fi
 | |
| 
 | |
|   if [ "${VERIFY_CHECKSUM}" == "true" ] && [ "${HAS_OPENSSL}" != "true" ]; then
 | |
|     echo "In order to verify checksum, openssl must first be installed."
 | |
|     echo "Please install openssl or set VERIFY_CHECKSUM=false in your environment."
 | |
|     exit 1
 | |
|   fi
 | |
| 
 | |
|   if [ "${VERIFY_SIGNATURES}" == "true" ]; then
 | |
|     if [ "${HAS_GPG}" != "true" ]; then
 | |
|       echo "In order to verify signatures, gpg must first be installed."
 | |
|       echo "Please install gpg or set VERIFY_SIGNATURES=false in your environment."
 | |
|       exit 1
 | |
|     fi
 | |
|     if [ "${OS}" != "linux" ]; then
 | |
|       echo "Signature verification is currently only supported on Linux."
 | |
|       echo "Please set VERIFY_SIGNATURES=false or verify the signatures manually."
 | |
|       exit 1
 | |
|     fi
 | |
|   fi
 | |
| 
 | |
|   if [ "${HAS_GIT}" != "true" ]; then
 | |
|     echo "[WARNING] Could not find git. It is required for plugin installation."
 | |
|   fi
 | |
| }
 | |
| 
 | |
| # checkDesiredVersion checks if the desired version is available.
 | |
| checkDesiredVersion() {
 | |
|   if [ "x$DESIRED_VERSION" == "x" ]; then
 | |
|     # Get tag from release URL
 | |
|     local latest_release_url="https://github.com/helm/helm/releases"
 | |
|     if [ "${HAS_CURL}" == "true" ]; then
 | |
|       TAG=$(curl -Ls $latest_release_url | grep 'href="/helm/helm/releases/tag/v3.[0-9]*.[0-9]*\"' | sed -E 's/.*\/helm\/helm\/releases\/tag\/(v[0-9\.]+)".*/\1/g' | head -1)
 | |
|     elif [ "${HAS_WGET}" == "true" ]; then
 | |
|       TAG=$(wget $latest_release_url -O - 2>&1 | grep 'href="/helm/helm/releases/tag/v3.[0-9]*.[0-9]*\"' | sed -E 's/.*\/helm\/helm\/releases\/tag\/(v[0-9\.]+)".*/\1/g' | head -1)
 | |
|     fi
 | |
|   else
 | |
|     TAG=$DESIRED_VERSION
 | |
|   fi
 | |
| }
 | |
| 
 | |
| # checkHelmInstalledVersion checks which version of helm is installed and
 | |
| # if it needs to be changed.
 | |
| checkHelmInstalledVersion() {
 | |
|   if [[ -f "${HELM_INSTALL_DIR}/${BINARY_NAME}" ]]; then
 | |
|     local version=$("${HELM_INSTALL_DIR}/${BINARY_NAME}" version --template="{{ .Version }}")
 | |
|     if [[ "$version" == "$TAG" ]]; then
 | |
|       echo "Helm ${version} is already ${DESIRED_VERSION:-latest}"
 | |
|       return 0
 | |
|     else
 | |
|       echo "Helm ${TAG} is available. Changing from version ${version}."
 | |
|       return 1
 | |
|     fi
 | |
|   else
 | |
|     return 1
 | |
|   fi
 | |
| }
 | |
| 
 | |
| # downloadFile downloads the latest binary package and also the checksum
 | |
| # for that binary.
 | |
| downloadFile() {
 | |
|   HELM_DIST="helm-$TAG-$OS-$ARCH.tar.gz"
 | |
|   DOWNLOAD_URL="https://get.helm.sh/$HELM_DIST"
 | |
|   CHECKSUM_URL="$DOWNLOAD_URL.sha256"
 | |
|   HELM_TMP_ROOT="$(mktemp -dt helm-installer-XXXXXX)"
 | |
|   HELM_TMP_FILE="$HELM_TMP_ROOT/$HELM_DIST"
 | |
|   HELM_SUM_FILE="$HELM_TMP_ROOT/$HELM_DIST.sha256"
 | |
|   echo "Downloading $DOWNLOAD_URL"
 | |
|   if [ "${HAS_CURL}" == "true" ]; then
 | |
|     curl -SsL "$CHECKSUM_URL" -o "$HELM_SUM_FILE"
 | |
|     curl -SsL "$DOWNLOAD_URL" -o "$HELM_TMP_FILE"
 | |
|   elif [ "${HAS_WGET}" == "true" ]; then
 | |
|     wget -q -O "$HELM_SUM_FILE" "$CHECKSUM_URL"
 | |
|     wget -q -O "$HELM_TMP_FILE" "$DOWNLOAD_URL"
 | |
|   fi
 | |
| }
 | |
| 
 | |
| # verifyFile verifies the SHA256 checksum of the binary package
 | |
| # and the GPG signatures for both the package and checksum file
 | |
| # (depending on settings in environment).
 | |
| verifyFile() {
 | |
|   if [ "${VERIFY_CHECKSUM}" == "true" ]; then
 | |
|     verifyChecksum
 | |
|   fi
 | |
|   if [ "${VERIFY_SIGNATURES}" == "true" ]; then
 | |
|     verifySignatures
 | |
|   fi
 | |
| }
 | |
| 
 | |
| # installFile installs the Helm binary.
 | |
| installFile() {
 | |
|   HELM_TMP="$HELM_TMP_ROOT/$BINARY_NAME"
 | |
|   mkdir -p "$HELM_TMP"
 | |
|   tar xf "$HELM_TMP_FILE" -C "$HELM_TMP"
 | |
|   HELM_TMP_BIN="$HELM_TMP/$OS-$ARCH/helm"
 | |
|   echo "Preparing to install $BINARY_NAME into ${HELM_INSTALL_DIR}"
 | |
|   runAsRoot cp "$HELM_TMP_BIN" "$HELM_INSTALL_DIR/$BINARY_NAME"
 | |
|   echo "$BINARY_NAME installed into $HELM_INSTALL_DIR/$BINARY_NAME"
 | |
| }
 | |
| 
 | |
| # verifyChecksum verifies the SHA256 checksum of the binary package.
 | |
| verifyChecksum() {
 | |
|   printf "Verifying checksum... "
 | |
|   local sum=$(openssl sha1 -sha256 ${HELM_TMP_FILE} | awk '{print $2}')
 | |
|   local expected_sum=$(cat ${HELM_SUM_FILE})
 | |
|   if [ "$sum" != "$expected_sum" ]; then
 | |
|     echo "SHA sum of ${HELM_TMP_FILE} does not match. Aborting."
 | |
|     exit 1
 | |
|   fi
 | |
|   echo "Done."
 | |
| }
 | |
| 
 | |
| # verifySignatures obtains the latest KEYS file from GitHub main branch
 | |
| # as well as the signature .asc files from the specific GitHub release,
 | |
| # then verifies that the release artifacts were signed by a maintainer's key.
 | |
| verifySignatures() {
 | |
|   printf "Verifying signatures... "
 | |
|   local keys_filename="KEYS"
 | |
|   local github_keys_url="https://raw.githubusercontent.com/helm/helm/main/${keys_filename}"
 | |
|   if [ "${HAS_CURL}" == "true" ]; then
 | |
|     curl -SsL "${github_keys_url}" -o "${HELM_TMP_ROOT}/${keys_filename}"
 | |
|   elif [ "${HAS_WGET}" == "true" ]; then
 | |
|     wget -q -O "${HELM_TMP_ROOT}/${keys_filename}" "${github_keys_url}"
 | |
|   fi
 | |
|   local gpg_keyring="${HELM_TMP_ROOT}/keyring.gpg"
 | |
|   local gpg_homedir="${HELM_TMP_ROOT}/gnupg"
 | |
|   mkdir -p -m 0700 "${gpg_homedir}"
 | |
|   local gpg_stderr_device="/dev/null"
 | |
|   if [ "${DEBUG}" == "true" ]; then
 | |
|     gpg_stderr_device="/dev/stderr"
 | |
|   fi
 | |
|   gpg --batch --quiet --homedir="${gpg_homedir}" --import "${HELM_TMP_ROOT}/${keys_filename}" 2> "${gpg_stderr_device}"
 | |
|   gpg --batch --no-default-keyring --keyring "${gpg_homedir}/${GPG_PUBRING}" --export > "${gpg_keyring}"
 | |
|   local github_release_url="https://github.com/helm/helm/releases/download/${TAG}"
 | |
|   if [ "${HAS_CURL}" == "true" ]; then
 | |
|     curl -SsL "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" -o "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc"
 | |
|     curl -SsL "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" -o "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc"
 | |
|   elif [ "${HAS_WGET}" == "true" ]; then
 | |
|     wget -q -O "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc"
 | |
|     wget -q -O "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc"
 | |
|   fi
 | |
|   local error_text="If you think this might be a potential security issue,"
 | |
|   error_text="${error_text}\nplease see here: https://github.com/helm/community/blob/master/SECURITY.md"
 | |
|   local num_goodlines_sha=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
 | |
|   if [[ ${num_goodlines_sha} -lt 2 ]]; then
 | |
|     echo "Unable to verify the signature of helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256!"
 | |
|     echo -e "${error_text}"
 | |
|     exit 1
 | |
|   fi
 | |
|   local num_goodlines_tar=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
 | |
|   if [[ ${num_goodlines_tar} -lt 2 ]]; then
 | |
|     echo "Unable to verify the signature of helm-${TAG}-${OS}-${ARCH}.tar.gz!"
 | |
|     echo -e "${error_text}"
 | |
|     exit 1
 | |
|   fi
 | |
|   echo "Done."
 | |
| }
 | |
| 
 | |
| # fail_trap is executed if an error occurs.
 | |
| fail_trap() {
 | |
|   result=$?
 | |
|   if [ "$result" != "0" ]; then
 | |
|     if [[ -n "$INPUT_ARGUMENTS" ]]; then
 | |
|       echo "Failed to install $BINARY_NAME with the arguments provided: $INPUT_ARGUMENTS"
 | |
|       help
 | |
|     else
 | |
|       echo "Failed to install $BINARY_NAME"
 | |
|     fi
 | |
|     echo -e "\tFor support, go to https://github.com/helm/helm."
 | |
|   fi
 | |
|   cleanup
 | |
|   exit $result
 | |
| }
 | |
| 
 | |
| # testVersion tests the installed client to make sure it is working.
 | |
| testVersion() {
 | |
|   set +e
 | |
|   HELM="$(command -v $BINARY_NAME)"
 | |
|   if [ "$?" = "1" ]; then
 | |
|     echo "$BINARY_NAME not found. Is $HELM_INSTALL_DIR on your "'$PATH?'
 | |
|     exit 1
 | |
|   fi
 | |
|   set -e
 | |
| }
 | |
| 
 | |
| # help provides possible cli installation arguments
 | |
| help () {
 | |
|   echo "Accepted cli arguments are:"
 | |
|   echo -e "\t[--help|-h ] ->> prints this help"
 | |
|   echo -e "\t[--version|-v <desired_version>] . When not defined it fetches the latest release from GitHub"
 | |
|   echo -e "\te.g. --version v3.0.0 or -v canary"
 | |
|   echo -e "\t[--no-sudo]  ->> install without sudo"
 | |
| }
 | |
| 
 | |
| # cleanup temporary files to avoid https://github.com/helm/helm/issues/2977
 | |
| cleanup() {
 | |
|   if [[ -d "${HELM_TMP_ROOT:-}" ]]; then
 | |
|     rm -rf "$HELM_TMP_ROOT"
 | |
|   fi
 | |
| }
 | |
| 
 | |
| # Execution
 | |
| 
 | |
| #Stop execution on any error
 | |
| trap "fail_trap" EXIT
 | |
| set -e
 | |
| 
 | |
| # Set debug if desired
 | |
| if [ "${DEBUG}" == "true" ]; then
 | |
|   set -x
 | |
| fi
 | |
| 
 | |
| # Parsing input arguments (if any)
 | |
| export INPUT_ARGUMENTS="${@}"
 | |
| set -u
 | |
| while [[ $# -gt 0 ]]; do
 | |
|   case $1 in
 | |
|     '--version'|-v)
 | |
|        shift
 | |
|        if [[ $# -ne 0 ]]; then
 | |
|            export DESIRED_VERSION="${1}"
 | |
|        else
 | |
|            echo -e "Please provide the desired version. e.g. --version v3.0.0 or -v canary"
 | |
|            exit 0
 | |
|        fi
 | |
|        ;;
 | |
|     '--no-sudo')
 | |
|        USE_SUDO="false"
 | |
|        ;;
 | |
|     '--help'|-h)
 | |
|        help
 | |
|        exit 0
 | |
|        ;;
 | |
|     *) exit 1
 | |
|        ;;
 | |
|   esac
 | |
|   shift
 | |
| done
 | |
| set +u
 | |
| 
 | |
| initArch
 | |
| initOS
 | |
| verifySupported
 | |
| checkDesiredVersion
 | |
| if ! checkHelmInstalledVersion; then
 | |
|   downloadFile
 | |
|   verifyFile
 | |
|   installFile
 | |
| fi
 | |
| testVersion
 | |
| cleanup
 |