From 4b9289d0500670a00e9ead3094d3b89874cf4aef Mon Sep 17 00:00:00 2001
From: Igor Zibarev
Date: Wed, 7 Nov 2018 00:46:36 +0300
Subject: [PATCH 1/2] Verify checksum on install
---
 hack/install.sh | 71 ++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 56 insertions(+), 15 deletions(-)
diff --git a/hack/install.sh b/hack/install.sh
index 43e499f1..0151e175 100755
--- a/hack/install.sh
+++ b/hack/install.sh
@@ -1,35 +1,76 @@
 #!/usr/bin/env bash
+set -euo pipefail
-if [ -n "${HELM_S3_PLUGIN_NO_INSTALL_HOOK}" ]; then
+if [ -n "${HELM_S3_PLUGIN_NO_INSTALL_HOOK:-}" ]; then
 echo "Development mode: not downloading versioned release."
 exit 0
 fi
+validate_checksum() {
+ if ! grep -q ${1} ${2}; then
+ echo "Invalid checksum" > /dev/stderr
+ exit 1
+ fi
+ echo "Checksum is valid."
+}
+
+on_exit() {
+ exit_code=$?
+ if [ ${exit_code} -ne 0 ]; then
+ echo "helm-s3 install hook failed. Please remove the plugin using 'helm plugin remove s3' and install again." > /dev/stderr
+ fi
+ exit ${exit_code}
+}
+trap on_exit EXIT
+
 version="$(cat plugin.yaml | grep "version" | cut -d '"' -f 2)"
 echo "Downloading and installing helm-s3 v${version} ..."
-url=""
+binary_url=""
 if [ "$(uname)" == "Darwin" ]; then
- url="https://github.com/hypnoglow/helm-s3/releases/download/v${version}/helm-s3_${version}_darwin_amd64.tar.gz"
+ binary_url="https://github.com/hypnoglow/helm-s3/releases/download/v${version}/helm-s3_${version}_darwin_amd64.tar.gz"
 elif [ "$(uname)" == "Linux" ] ; then
- url="https://github.com/hypnoglow/helm-s3/releases/download/v${version}/helm-s3_${version}_linux_amd64.tar.gz"
+ binary_url="https://github.com/hypnoglow/helm-s3/releases/download/v${version}/helm-s3_${version}_linux_amd64.tar.gz"
 fi
-if [ -z "${url}" ]; then
+if [ -z "${binary_url}" ]; then
 echo "Unsupported OS type"
 exit 1
 fi
-
-# TODO: verify checksum?
+checksum_url="https://github.com/hypnoglow/helm-s3/releases/download/v${version}/helm-s3_${version}_checksums.txt"
 mkdir -p "bin"
 mkdir -p "releases/v${version}"
+binary_filename="releases/v${version}.tar.gz"
+checksums_filename="releases/v${version}_checksums.txt"
-# Download with curl if possible.
-if [ -x "$(which curl 2>/dev/null)" ]; then
- curl -sSL "${url}" -o "releases/v${version}.tar.gz"
-else
- wget -q "${url}" -O "releases/v${version}.tar.gz"
-fi
-tar xzf "releases/v${version}.tar.gz" -C "releases/v${version}"
-mv "releases/v${version}/bin/helms3" "bin/helms3"
\ No newline at end of file
+# Download binary and checksums files.
+(
+ if [ -x "$(which curl 2>/dev/null)" ]; then
+ curl -sSL "${binary_url}" -o "${binary_filename}"
+ curl -sSL "${checksum_url}" -o "${checksums_filename}"
+ elif [ -x "$(which wget 2>/dev/null)" ]; then
+ wget -q "${binary_url}" -O "${binary_filename}"
+ wget -q "${checksum_url}" -O "${checksums_filename}"
+ else
+ echo "ERROR: no curl or wget found to download files." > /dev/stderr
+ fi
+)
+
+# Verify checksum.
+(
+ if [ -x "$(which sha256sum 2>/dev/null)" ]; then
+ checksum=$(sha256sum ${binary_filename} | awk '{ print $1 }')
+ validate_checksum ${checksum} ${checksums_filename}
+ elif [ -x "$(which openssl 2>/dev/null)" ]; then
+ checksum=$(openssl dgst -sha256 ${binary_filename} | awk '{ print $2 }')
+ validate_checksum ${checksum} ${checksums_filename}
+ else
+ echo "WARNING: no tool found to verify checksum" > /dev/stderr
+ fi
+)
+
+# Unpack the binary.
+tar xzf "${binary_filename}" -C "releases/v${version}"
+mv "releases/v${version}/bin/helms3" "bin/helms3"
+exit 0
From d269b3ac7093f69ae12759eeb05180733488997d Mon Sep 17 00:00:00 2001
From: Igor Zibarev
Date: Thu, 8 Nov 2018 00:17:28 +0300
Subject: [PATCH 2/2] Add installation test
---
 .circleci/config.yml | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index e16c29b3..ce975fa1 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
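Review bot: In hack/install.sh the new verification fails open: when neither `sha256sum` nor `openssl` is found, the `else` branch of the "Verify checksum" subshell only prints a WARNING and the script goes on to unpack and install the unverified tarball, and the download subshell's `else` branch likewise prints an ERROR without a non-zero exit. Both branches should end with `exit 1` so that a missing tool aborts the hook. In `validate_checksum`, `grep -q ${1} ${2}` is unquoted and accepts the digest on any line of the checksums file, so the match is not tied to the artifact that was downloaded; `grep -qF -- "${1}" "${2}"` fixes the quoting, and matching the digest together with the tarball's file name would bind it to the right entry. The checksums file is fetched from the same release URL as the binary, so this check catches a corrupted or truncated download rather than a tampered release, which is worth stating in the "Verify checksum" comment.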
@@ -72,6 +72,35 @@ jobs:
 - run:
 name: Run e2e tests
 command: go test -v ./tests/e2e/...
+ test-install:
+ docker:
+ - image: circleci/buildpack-deps:stretch-curl
+ working_directory: /tmp
+ steps:
+ - run:
+ name: Install helm
+ command: |
+ tar_filename="helm-v2.10.0-linux-amd64.tar.gz"
+ checksum_filename="helm-v2.10.0-linux-amd64.tar.gz.sha256"
+ curl -sSL https://storage.googleapis.com/kubernetes-helm/${tar_filename} -O
+ curl -sSL https://storage.googleapis.com/kubernetes-helm/${checksum_filename} -O
+ echo "$(cat ${checksum_filename}) ${tar_filename}" | sha256sum -c
+ tar xzf ${tar_filename}
+ sudo mv linux-amd64/helm /usr/local/bin/helm
+ rm -rf linux-amd64 ${tar_filename} ${checksum_filename}
+ helm init -c
+ - run:
+ name: Install helm-s3 plugin
+ command: |
+ sudo apt-get install -y make
+
+ version="${CIRCLE_SHA1}"
+ if [ -n "${CIRCLE_TAG}" ]; then
+ version="${CIRCLE_TAG#v*}"
+ fi
+
+ echo "Check installation of version ${version}"
+ helm plugin install https://github.com/hypnoglow/helm-s3.git --version ${version}
 release:
 docker:
 - image: circleci/golang:1.9
@@ -98,6 +127,9 @@ workflows:
 - test-integration-and-e2e:
 requires:
 - dep
+ - test-install:
+ requires:
+ - dep
 # release-pipeline runs only on tags.
 release-pipeline:
 jobs:
@@ -107,6 +139,14 @@ workflows:
 only: /.*/
 branches:
 ignore: /.*/
+ - test-install:
+ requires:
+ - dep
+ filters:
+ tags:
+ only: /.*/
+ branches:
+ ignore: /.*/
 - release:
 requires:
 - dep
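Review bot: The "Install helm" step of `test-install` checks the tarball against a `.sha256` file fetched from the same bucket in the same step, so `sha256sum -c` detects a broken download but not a replaced artifact. Because the helm version is fixed at v2.10.0, the expected digest can be committed in the config instead, e.g. `echo "<EXPECTED_SHA256_PLACEHOLDER>  ${tar_filename}" | sha256sum -c`. The job also covers only the successful install path; a further step that expects the install hook to exit non-zero on a checksum mismatch would exercise the check itself. The two later hunks only wire the job into the workflows and raise nothing further.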