diff --git a/k3s/apps/authentik/helm/namespace.yaml b/k3s/apps/authentik/helm/namespace.yaml new file mode 100644 index 0000000..bb24d8d --- /dev/null +++ b/k3s/apps/authentik/helm/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: authentik diff --git a/k3s/apps/authentik/helm/values.yaml b/k3s/apps/authentik/helm/values.yaml new file mode 100644 index 0000000..5152cfe --- /dev/null +++ b/k3s/apps/authentik/helm/values.yaml @@ -0,0 +1,28 @@ + +namespace: authentik +authentik: + secret_key: "6sNotXqR3cvcVHx3RbYCViX6J/OmMvopb4b7ge80V3EdSgBtWzG0l4SXBPo80J3mRy0BDaCCfb1EZoz+" + # This sends anonymous usage-data, stack traces on errors and + # performance data to sentry.io, and is fully opt-in + error_reporting: + enabled: true + postgresql: + password: "WoPbKRCEeLoLb9J840FqwDE95ergX8CqXq7jC6nbJkoNSiTSlA" + +server: + ingress: + # Specify kubernetes ingress controller class name + # ingressClassName: nginx + # enabled: true + # hosts: + # - authentik.henryathome.home64.de + enabled: false + service: + type: NodePort + port: 9000 + nodePort: 32222 + +postgresql: + enabled: true + auth: + password: "WoPbKRCEeLoLb9J840FqwDE95ergX8CqXq7jC6nbJkoNSiTSlA" \ No newline at end of file diff --git a/k3s/apps/gitea/gitea-dump-1747479769.zip b/k3s/apps/gitea/gitea-dump-1747479769.zip new file mode 100644 index 0000000..83415c2 Binary files /dev/null and b/k3s/apps/gitea/gitea-dump-1747479769.zip differ diff --git a/k3s/apps/gitea/gitea.yaml b/k3s/apps/gitea/gitea.yaml index 5e42edd..e05402d 100644 --- a/k3s/apps/gitea/gitea.yaml +++ b/k3s/apps/gitea/gitea.yaml @@ -19,8 +19,8 @@ spec: - ReadWriteMany persistentVolumeReclaimPolicy: Retain nfs: - server: 192.168.178.132 - path: /slowData/gitea/repos + server: 192.168.178.166 + path: /export/fastData/gitea/repos --- apiVersion: v1 kind: PersistentVolumeClaim @@ -49,8 +49,8 @@ spec: - ReadWriteOnce persistentVolumeReclaimPolicy: Retain nfs: - server: 192.168.178.132 - path: /slowData/gitea/postgres + server: 192.168.178.166 + path: /export/fastData/gitea/postgres --- apiVersion: v1 kind: PersistentVolumeClaim @@ -97,6 +97,10 @@ spec: volumeMounts: - name: postgres-storage mountPath: /var/lib/postgresql/data + securityContext: + runAsUser: 1001 + runAsGroup: 1000 +# fsGroup: 1000 volumes: - name: postgres-storage persistentVolumeClaim: @@ -152,12 +156,26 @@ spec: value: gitea - name: GITEA__database__PASSWD value: giteapassword + - name: GITEA__server__ROOT_URL + value: "https://git.henryathome.home64.de" + - name: GITEA__server__SSH_DOMAIN + value: git.henryathome.home64.de + - name: GITEA__server__START_SSH_SERVER + value: "true" + - name: GITEA__server__SSH_LISTEN_PORT + value: "32000" + - name: GITEA__server__SSH_PORT + value: "32000" ports: - containerPort: 3000 # HTTP - - containerPort: 22 # SSH + - containerPort: 32000 # SSH volumeMounts: - name: gitea-storage mountPath: /data + securityContext: +# runAsUser: 1001 +# runAsGroup: 1000 +# fsGroup: 1000 volumes: - name: gitea-storage persistentVolumeClaim: @@ -181,5 +199,6 @@ spec: targetPort: 3000 - name: ssh protocol: TCP - port: 22 - targetPort: 22 + port: 32000 + targetPort: 32000 + nodePort: 32000 diff --git a/k3s/nfs-pv/nfs-pv.yaml b/k3s/apps/nfs-pv/nfs-pv.yaml similarity index 84% rename from k3s/nfs-pv/nfs-pv.yaml rename to k3s/apps/nfs-pv/nfs-pv.yaml index 82855c3..4572a92 100644 --- a/k3s/nfs-pv/nfs-pv.yaml +++ b/k3s/apps/nfs-pv/nfs-pv.yaml @@ -10,5 +10,5 @@ spec: storageClassName: nfs persistentVolumeReclaimPolicy: Retain # Optional: verhindert, dass K8s dein Share löscht nfs: - path: /fastData/photos - server: 192.168.178.132 + path: /export/slowData/photos + server: 192.168.178.166 diff --git a/k3s/apps/photo/immich/immich-data-pv.yaml b/k3s/apps/photo/immich/immich-data-pv.yaml new file mode 100644 index 0000000..29d9c49 --- /dev/null +++ b/k3s/apps/photo/immich/immich-data-pv.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: immich-data-pv +spec: + capacity: + storage: 100Gi # Irgendwas großzügiges, spielt bei NFS weniger Rolle + accessModes: + - ReadWriteMany # GANZ WICHTIG! + storageClassName: nfs + persistentVolumeReclaimPolicy: Retain # Optional: verhindert, dass K8s dein Share löscht + nfs: + path: /export/fastData/immichData + server: 192.168.178.166 diff --git a/k3s/apps/photo/immich/immich-db-deployment.yaml b/k3s/apps/photo/immich/immich-db-deployment.yaml index dd9850e..e318162 100644 --- a/k3s/apps/photo/immich/immich-db-deployment.yaml +++ b/k3s/apps/photo/immich/immich-db-deployment.yaml @@ -40,6 +40,10 @@ spec: mountPath: /var/lib/postgresql/data subPath: postgres resources: {} + securityContext: + runAsUser: 1001 + runAsGroup: 1000 +# fsGroup: 2000 volumes: - name: pgdata persistentVolumeClaim: diff --git a/k3s/apps/photo/immich/immich-db-pv.yaml b/k3s/apps/photo/immich/immich-db-pv.yaml index dac8785..22ad9fa 100644 --- a/k3s/apps/photo/immich/immich-db-pv.yaml +++ b/k3s/apps/photo/immich/immich-db-pv.yaml @@ -12,6 +12,6 @@ spec: accessModes: - ReadWriteMany nfs: - path: /slowData/immichDB # Static path on the NFS server - server: 192.168.178.132 # Your NFS server's IP + path: /export/fastData/immichDB # Static path on the NFS server + server: 192.168.178.166 # Your NFS server's IP persistentVolumeReclaimPolicy: Retain diff --git a/k3s/apps/photo/immich/immich-library-pv.yaml b/k3s/apps/photo/immich/immich-library-pv.yaml index b500881..b8c112a 100644 --- a/k3s/apps/photo/immich/immich-library-pv.yaml +++ b/k3s/apps/photo/immich/immich-library-pv.yaml @@ -12,5 +12,5 @@ spec: accessModes: - ReadWriteMany nfs: - path: /fastData/immichLibrary # Static path on the NFS server - server: 192.168.178.132 + path: /export/fastData/immichLibrary # Static path on the NFS server + server: 192.168.178.166 diff --git a/k3s/apps/photo/immich/immich-server-deployment.yaml b/k3s/apps/photo/immich/immich-server-deployment.yaml index 65436ea..c9297de 100644 --- a/k3s/apps/photo/immich/immich-server-deployment.yaml +++ b/k3s/apps/photo/immich/immich-server-deployment.yaml @@ -88,6 +88,10 @@ spec: subPath: library - name: ext-library mountPath: /photos + # securityContext: +# runAsUser: 1001 +# runAsGroup: 1000 +# fsGroup: 2000 volumes: - name: library persistentVolumeClaim: diff --git a/k3s/apps/photo/photoprism/immich-db-pvc.yaml b/k3s/apps/photo/photoprism/immich-db-pvc.yaml new file mode 100644 index 0000000..5dba549 --- /dev/null +++ b/k3s/apps/photo/photoprism/immich-db-pvc.yaml @@ -0,0 +1,15 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: immich-db-pvc + namespace: photoprism + labels: + app: immich +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 20Gi # Match or be less than the PV's capacity + volumeName: immich-db-pv # Bind explicitly to the PV created above + storageClassName: nfs diff --git a/k3s/apps/photo/photoprism/mariadb-pv.yaml b/k3s/apps/photo/photoprism/mariadb-pv.yaml index 8873233..83ec140 100644 --- a/k3s/apps/photo/photoprism/mariadb-pv.yaml +++ b/k3s/apps/photo/photoprism/mariadb-pv.yaml @@ -1,13 +1,17 @@ -apiVersion: v1 kind: PersistentVolume +apiVersion: v1 metadata: - name: mariadb-pv + name: mariadb-db-pv + namespace: photoprism + labels: + app: photoprism-mariadb spec: capacity: - storage: 50Gi + storage: 20Gi # Adjust the storage size as needed + storageClassName: nfs accessModes: - - ReadWriteOnce - persistentVolumeReclaimPolicy: Retain # Optional: verhindert, dass K8s dein Share löscht - storageClassName: local-path - hostPath: - path: /slowData/photoprismDB + - ReadWriteMany + nfs: + path: /fastData/photoprismDB # Static path on the NFS server + server: 192.168.178.166 # Your NFS server's IP + persistentVolumeReclaimPolicy: Retain diff --git a/k3s/apps/photo/photoprism/mariadb-pv.yaml.old b/k3s/apps/photo/photoprism/mariadb-pv.yaml.old new file mode 100644 index 0000000..8873233 --- /dev/null +++ b/k3s/apps/photo/photoprism/mariadb-pv.yaml.old @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: mariadb-pv +spec: + capacity: + storage: 50Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain # Optional: verhindert, dass K8s dein Share löscht + storageClassName: local-path + hostPath: + path: /slowData/photoprismDB diff --git a/k3s/apps/photo/photoprism/mariadb.yaml b/k3s/apps/photo/photoprism/mariadb.yaml index b366503..a8c60d5 100644 --- a/k3s/apps/photo/photoprism/mariadb.yaml +++ b/k3s/apps/photo/photoprism/mariadb.yaml @@ -4,13 +4,14 @@ metadata: name: mariadb namespace: photoprism spec: - storageClassName: local-path - volumeName: mariadb-pv accessModes: - - ReadWriteOnce + - ReadWriteMany resources: requests: - storage: 50Gi + storage: 20Gi # Match or be less than the PV's capacity + volumeName: mariadb-db-pv # Bind explicitly to the PV created above + storageClassName: nfs + --- apiVersion: apps/v1 kind: Deployment @@ -42,6 +43,10 @@ spec: volumeMounts: - mountPath: /var/lib/mysql name: mariadb + securityContext: + runAsUser: 1001 + runAsGroup: 1000 + # fsGroup: 2000 volumes: - name: mariadb persistentVolumeClaim: diff --git a/k3s/apps/photo/photoprism/photoprism.yaml b/k3s/apps/photo/photoprism/photoprism.yaml index dfc4593..e01ff11 100644 --- a/k3s/apps/photo/photoprism/photoprism.yaml +++ b/k3s/apps/photo/photoprism/photoprism.yaml @@ -52,7 +52,7 @@ spec: - name: PHOTOPRISM_AUTH_MODE value: password - name: PHOTOPRISM_SITE_URL - value: https://photoprism.henryathome.home64.de + value: https://henrysfotos.henryathome.home64.de - name: PHOTOPRISM_INDEX_WORKERS value: "3" - name: PHOTOPRISM_INDEX_SCHEDULE @@ -68,6 +68,19 @@ spec: value: photoprism - name: PHOTOPRISM_DATABASE_PASSWORD value: photoprism + - name: PHOTOPRISM_UID + value: "1001" + - name: PHOTOPRISM_GID + value: "1000" + - name: PHOTOPRISM_DISABLE_CHOWN + value: "true" + resources: + requests: + cpu: "100m" + memory: "128Mi" + limits: + cpu: "500m" + memory: "512Mi" volumeMounts: - mountPath: /photoprism/ name: photoprism-storage @@ -76,6 +89,9 @@ spec: # - mountPath: /photoprism/originals # name: photoprism-storage # name: photoprism-originals +# securityContext: +# runAsUser: 1000 +# runAsGroup: 1000 volumes: - name: photoprism-storage persistentVolumeClaim: diff --git a/k3s/get_helm.sh b/k3s/get_helm.sh new file mode 100755 index 0000000..1c90bba --- /dev/null +++ b/k3s/get_helm.sh @@ -0,0 +1,347 @@ +#!/usr/bin/env bash + +# Copyright The Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# The install script is based off of the MIT-licensed script from glide, +# the package manager for Go: https://github.com/Masterminds/glide.sh/blob/master/get + +: ${BINARY_NAME:="helm"} +: ${USE_SUDO:="true"} +: ${DEBUG:="false"} +: ${VERIFY_CHECKSUM:="true"} +: ${VERIFY_SIGNATURES:="false"} +: ${HELM_INSTALL_DIR:="/usr/local/bin"} +: ${GPG_PUBRING:="pubring.kbx"} + +HAS_CURL="$(type "curl" &> /dev/null && echo true || echo false)" +HAS_WGET="$(type "wget" &> /dev/null && echo true || echo false)" +HAS_OPENSSL="$(type "openssl" &> /dev/null && echo true || echo false)" +HAS_GPG="$(type "gpg" &> /dev/null && echo true || echo false)" +HAS_GIT="$(type "git" &> /dev/null && echo true || echo false)" +HAS_TAR="$(type "tar" &> /dev/null && echo true || echo false)" + +# initArch discovers the architecture for this system. +initArch() { + ARCH=$(uname -m) + case $ARCH in + armv5*) ARCH="armv5";; + armv6*) ARCH="armv6";; + armv7*) ARCH="arm";; + aarch64) ARCH="arm64";; + x86) ARCH="386";; + x86_64) ARCH="amd64";; + i686) ARCH="386";; + i386) ARCH="386";; + esac +} + +# initOS discovers the operating system for this system. +initOS() { + OS=$(echo `uname`|tr '[:upper:]' '[:lower:]') + + case "$OS" in + # Minimalist GNU for Windows + mingw*|cygwin*) OS='windows';; + esac +} + +# runs the given command as root (detects if we are root already) +runAsRoot() { + if [ $EUID -ne 0 -a "$USE_SUDO" = "true" ]; then + sudo "${@}" + else + "${@}" + fi +} + +# verifySupported checks that the os/arch combination is supported for +# binary builds, as well whether or not necessary tools are present. +verifySupported() { + local supported="darwin-amd64\ndarwin-arm64\nlinux-386\nlinux-amd64\nlinux-arm\nlinux-arm64\nlinux-loong64\nlinux-ppc64le\nlinux-s390x\nlinux-riscv64\nwindows-amd64\nwindows-arm64" + if ! echo "${supported}" | grep -q "${OS}-${ARCH}"; then + echo "No prebuilt binary for ${OS}-${ARCH}." + echo "To build from source, go to https://github.com/helm/helm" + exit 1 + fi + + if [ "${HAS_CURL}" != "true" ] && [ "${HAS_WGET}" != "true" ]; then + echo "Either curl or wget is required" + exit 1 + fi + + if [ "${VERIFY_CHECKSUM}" == "true" ] && [ "${HAS_OPENSSL}" != "true" ]; then + echo "In order to verify checksum, openssl must first be installed." + echo "Please install openssl or set VERIFY_CHECKSUM=false in your environment." + exit 1 + fi + + if [ "${VERIFY_SIGNATURES}" == "true" ]; then + if [ "${HAS_GPG}" != "true" ]; then + echo "In order to verify signatures, gpg must first be installed." + echo "Please install gpg or set VERIFY_SIGNATURES=false in your environment." + exit 1 + fi + if [ "${OS}" != "linux" ]; then + echo "Signature verification is currently only supported on Linux." + echo "Please set VERIFY_SIGNATURES=false or verify the signatures manually." + exit 1 + fi + fi + + if [ "${HAS_GIT}" != "true" ]; then + echo "[WARNING] Could not find git. It is required for plugin installation." + fi + + if [ "${HAS_TAR}" != "true" ]; then + echo "[ERROR] Could not find tar. It is required to extract the helm binary archive." + exit 1 + fi +} + +# checkDesiredVersion checks if the desired version is available. +checkDesiredVersion() { + if [ "x$DESIRED_VERSION" == "x" ]; then + # Get tag from release URL + local latest_release_url="https://get.helm.sh/helm4-latest-version" + local latest_release_response="" + if [ "${HAS_CURL}" == "true" ]; then + latest_release_response=$( curl -L --silent --show-error --fail "$latest_release_url" 2>&1 || true ) + elif [ "${HAS_WGET}" == "true" ]; then + latest_release_response=$( wget "$latest_release_url" -q -O - 2>&1 || true ) + fi + TAG=$( echo "$latest_release_response" | grep '^v[0-9]' ) + if [ "x$TAG" == "x" ]; then + printf "Could not retrieve the latest release tag information from %s: %s\n" "${latest_release_url}" "${latest_release_response}" + exit 1 + fi + else + TAG=$DESIRED_VERSION + fi +} + +# checkHelmInstalledVersion checks which version of helm is installed and +# if it needs to be changed. +checkHelmInstalledVersion() { + if [[ -f "${HELM_INSTALL_DIR}/${BINARY_NAME}" ]]; then + local version=$("${HELM_INSTALL_DIR}/${BINARY_NAME}" version --template="{{ .Version }}") + if [[ "$version" == "$TAG" ]]; then + echo "Helm ${version} is already ${DESIRED_VERSION:-latest}" + return 0 + else + echo "Helm ${TAG} is available. Changing from version ${version}." + return 1 + fi + else + return 1 + fi +} + +# downloadFile downloads the latest binary package and also the checksum +# for that binary. +downloadFile() { + HELM_DIST="helm-$TAG-$OS-$ARCH.tar.gz" + DOWNLOAD_URL="https://get.helm.sh/$HELM_DIST" + CHECKSUM_URL="$DOWNLOAD_URL.sha256" + HELM_TMP_ROOT="$(mktemp -dt helm-installer-XXXXXX)" + HELM_TMP_FILE="$HELM_TMP_ROOT/$HELM_DIST" + HELM_SUM_FILE="$HELM_TMP_ROOT/$HELM_DIST.sha256" + echo "Downloading $DOWNLOAD_URL" + if [ "${HAS_CURL}" == "true" ]; then + curl -SsL "$CHECKSUM_URL" -o "$HELM_SUM_FILE" + curl -SsL "$DOWNLOAD_URL" -o "$HELM_TMP_FILE" + elif [ "${HAS_WGET}" == "true" ]; then + wget -q -O "$HELM_SUM_FILE" "$CHECKSUM_URL" + wget -q -O "$HELM_TMP_FILE" "$DOWNLOAD_URL" + fi +} + +# verifyFile verifies the SHA256 checksum of the binary package +# and the GPG signatures for both the package and checksum file +# (depending on settings in environment). +verifyFile() { + if [ "${VERIFY_CHECKSUM}" == "true" ]; then + verifyChecksum + fi + if [ "${VERIFY_SIGNATURES}" == "true" ]; then + verifySignatures + fi +} + +# installFile installs the Helm binary. +installFile() { + HELM_TMP="$HELM_TMP_ROOT/$BINARY_NAME" + mkdir -p "$HELM_TMP" + tar xf "$HELM_TMP_FILE" -C "$HELM_TMP" + HELM_TMP_BIN="$HELM_TMP/$OS-$ARCH/helm" + echo "Preparing to install $BINARY_NAME into ${HELM_INSTALL_DIR}" + runAsRoot cp "$HELM_TMP_BIN" "$HELM_INSTALL_DIR/$BINARY_NAME" + echo "$BINARY_NAME installed into $HELM_INSTALL_DIR/$BINARY_NAME" +} + +# verifyChecksum verifies the SHA256 checksum of the binary package. +verifyChecksum() { + printf "Verifying checksum... " + local sum=$(openssl sha1 -sha256 ${HELM_TMP_FILE} | awk '{print $2}') + local expected_sum=$(cat ${HELM_SUM_FILE}) + if [ "$sum" != "$expected_sum" ]; then + echo "SHA sum of ${HELM_TMP_FILE} does not match. Aborting." + exit 1 + fi + echo "Done." +} + +# verifySignatures obtains the latest KEYS file from GitHub main branch +# as well as the signature .asc files from the specific GitHub release, +# then verifies that the release artifacts were signed by a maintainer's key. +verifySignatures() { + printf "Verifying signatures... " + local keys_filename="KEYS" + local github_keys_url="https://raw.githubusercontent.com/helm/helm/main/${keys_filename}" + if [ "${HAS_CURL}" == "true" ]; then + curl -SsL "${github_keys_url}" -o "${HELM_TMP_ROOT}/${keys_filename}" + elif [ "${HAS_WGET}" == "true" ]; then + wget -q -O "${HELM_TMP_ROOT}/${keys_filename}" "${github_keys_url}" + fi + local gpg_keyring="${HELM_TMP_ROOT}/keyring.gpg" + local gpg_homedir="${HELM_TMP_ROOT}/gnupg" + mkdir -p -m 0700 "${gpg_homedir}" + local gpg_stderr_device="/dev/null" + if [ "${DEBUG}" == "true" ]; then + gpg_stderr_device="/dev/stderr" + fi + gpg --batch --quiet --homedir="${gpg_homedir}" --import "${HELM_TMP_ROOT}/${keys_filename}" 2> "${gpg_stderr_device}" + gpg --batch --no-default-keyring --keyring "${gpg_homedir}/${GPG_PUBRING}" --export > "${gpg_keyring}" + local github_release_url="https://github.com/helm/helm/releases/download/${TAG}" + if [ "${HAS_CURL}" == "true" ]; then + curl -SsL "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" -o "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" + curl -SsL "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" -o "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" + elif [ "${HAS_WGET}" == "true" ]; then + wget -q -O "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" + wget -q -O "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" + fi + local error_text="If you think this might be a potential security issue," + error_text="${error_text}\nplease see here: https://github.com/helm/community/blob/master/SECURITY.md" + local num_goodlines_sha=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)') + if [[ ${num_goodlines_sha} -lt 2 ]]; then + echo "Unable to verify the signature of helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256!" + echo -e "${error_text}" + exit 1 + fi + local num_goodlines_tar=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)') + if [[ ${num_goodlines_tar} -lt 2 ]]; then + echo "Unable to verify the signature of helm-${TAG}-${OS}-${ARCH}.tar.gz!" + echo -e "${error_text}" + exit 1 + fi + echo "Done." +} + +# fail_trap is executed if an error occurs. +fail_trap() { + result=$? + if [ "$result" != "0" ]; then + if [[ -n "$INPUT_ARGUMENTS" ]]; then + echo "Failed to install $BINARY_NAME with the arguments provided: $INPUT_ARGUMENTS" + help + else + echo "Failed to install $BINARY_NAME" + fi + echo -e "\tFor support, go to https://github.com/helm/helm." + fi + cleanup + exit $result +} + +# testVersion tests the installed client to make sure it is working. +testVersion() { + set +e + HELM="$(command -v $BINARY_NAME)" + if [ "$?" = "1" ]; then + echo "$BINARY_NAME not found. Is $HELM_INSTALL_DIR on your "'$PATH?' + exit 1 + fi + set -e +} + +# help provides possible cli installation arguments +help () { + echo "Accepted cli arguments are:" + echo -e "\t[--help|-h ] ->> prints this help" + echo -e "\t[--version|-v ] . When not defined it fetches the latest release tag from the Helm CDN" + echo -e "\te.g. --version v4.0.0 or -v canary" + echo -e "\t[--no-sudo] ->> install without sudo" +} + +# cleanup temporary files to avoid https://github.com/helm/helm/issues/2977 +cleanup() { + if [[ -d "${HELM_TMP_ROOT:-}" ]]; then + rm -rf "$HELM_TMP_ROOT" + fi +} + +# Execution + +#Stop execution on any error +trap "fail_trap" EXIT +set -e + +# Set debug if desired +if [ "${DEBUG}" == "true" ]; then + set -x +fi + +# Parsing input arguments (if any) +export INPUT_ARGUMENTS="${@}" +set -u +while [[ $# -gt 0 ]]; do + case $1 in + '--version'|-v) + shift + if [[ $# -ne 0 ]]; then + export DESIRED_VERSION="${1}" + if [[ "$1" != "v"* ]]; then + echo "Expected version arg ('${DESIRED_VERSION}') to begin with 'v', fixing..." + export DESIRED_VERSION="v${1}" + fi + else + echo -e "Please provide the desired version. e.g. --version v4.0.0 or -v canary" + exit 0 + fi + ;; + '--no-sudo') + USE_SUDO="false" + ;; + '--help'|-h) + help + exit 0 + ;; + *) exit 1 + ;; + esac + shift +done +set +u + +initArch +initOS +verifySupported +checkDesiredVersion +if ! checkHelmInstalledVersion; then + downloadFile + verifyFile + installFile +fi +testVersion +cleanup