FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS builder RUN apk add --no-cache make git WORKDIR /workspace/helmfile COPY go.mod go.sum /workspace/helmfile/ RUN go mod download COPY . /workspace/helmfile ARG TARGETARCH TARGETOS RUN make static-${TARGETOS}-${TARGETARCH} # ----------------------------------------------------------------------------- FROM ubuntu:24.04 LABEL org.opencontainers.image.source=https://github.com/helmfile/helmfile RUN apt update -qq && \ apt install --no-install-recommends -y \ ca-certificates \ gnupg \ git bash curl jq wget openssh-client && \ rm -rf /var/lib/apt/lists/* ARG TARGETARCH TARGETOS TARGETPLATFORM RUN wget https://github.com/mikefarah/yq/releases/latest/download/yq_${TARGETOS}_${TARGETARCH} -O /usr/local/bin/yq &&\ chmod +x /usr/local/bin/yq # Set Helm home variables so that also non-root users can use plugins etc. ARG HOME="/helm" ENV HOME="${HOME}" ARG HELM_CACHE_HOME="${HOME}/.cache/helm" ENV HELM_CACHE_HOME="${HELM_CACHE_HOME}" ARG HELM_CONFIG_HOME="${HOME}/.config/helm" ENV HELM_CONFIG_HOME="${HELM_CONFIG_HOME}" ARG HELM_DATA_HOME="${HOME}/.local/share/helm" ENV HELM_DATA_HOME="${HELM_DATA_HOME}" ARG HELM_VERSION="v4.0.1" ENV HELM_VERSION="${HELM_VERSION}" ENV HELM_BIN="/usr/local/bin/helm" ARG HELM_LOCATION="https://get.helm.sh" ARG HELM_FILENAME="helm-${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz" RUN set -x && \ curl --retry 5 --retry-connrefused -LO "${HELM_LOCATION}/${HELM_FILENAME}" && \ echo Verifying ${HELM_FILENAME}... && \ case ${TARGETPLATFORM} in \ "linux/amd64") HELM_SHA256="e0365548f01ed52a58a1181ad310b604a3244f59257425bb1739499372bdff60" ;; \ "linux/arm64") HELM_SHA256="959fa52d34e2e1f0154e3220ed5f22263c8593447647a43af07890bba4b004d1" ;; \ esac && \ echo "${HELM_SHA256} ${HELM_FILENAME}" | sha256sum -c && \ echo Extracting ${HELM_FILENAME}... && \ tar xvf "${HELM_FILENAME}" -C /usr/local/bin --strip-components 1 ${TARGETOS}-${TARGETARCH}/helm && \ rm "${HELM_FILENAME}" && \ [ "$(helm version --template '{{.Version}}')" = "${HELM_VERSION}" ] # using the install documentation found at https://kubernetes.io/docs/tasks/tools/install-kubectl/ # for now but in a future version of alpine (in the testing version at the time of writing) # we should be able to install using apk add. ENV KUBECTL_VERSION="v1.34.0" RUN set -x && \ curl --retry 5 --retry-connrefused -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl" && \ case ${TARGETPLATFORM} in \ # checksums are available at https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl.sha256 "linux/amd64") KUBECTL_SHA256="cfda68cba5848bc3b6c6135ae2f20ba2c78de20059f68789c090166d6abc3e2c" ;; \ "linux/arm64") KUBECTL_SHA256="00b182d103a8a73da7a4d11e7526d0543dcf352f06cc63a1fde25ce9243f49a0" ;; \ esac && \ echo "${KUBECTL_SHA256} kubectl" | sha256sum -c && \ chmod +x kubectl && \ mv kubectl /usr/local/bin/kubectl && \ [ "$(kubectl version -o json | jq -r '.clientVersion.gitVersion')" = "${KUBECTL_VERSION}" ] ENV KUSTOMIZE_VERSION="v5.8.0" ARG KUSTOMIZE_FILENAME="kustomize_${KUSTOMIZE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz" RUN set -x && \ curl --retry 5 --retry-connrefused -LO "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/${KUSTOMIZE_FILENAME}" && \ case ${TARGETPLATFORM} in \ # Checksums are available at https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/checksums.txt "linux/amd64") KUSTOMIZE_SHA256="4dfa8307358dd9284aa4d2b1d5596766a65b93433e8fa3f9f74498941f01c5ef" ;; \ "linux/arm64") KUSTOMIZE_SHA256="a4f48b4c3d4ca97d748943e19169de85a2e86e80bcc09558603e2aa66fb15ce1" ;; \ esac && \ echo "${KUSTOMIZE_SHA256} ${KUSTOMIZE_FILENAME}" | sha256sum -c && \ tar xvf "${KUSTOMIZE_FILENAME}" -C /usr/local/bin && \ rm "${KUSTOMIZE_FILENAME}" && \ [ "$(kustomize version)" = "${KUSTOMIZE_VERSION}" ] ENV SOPS_VERSION="v3.10.2" ARG SOPS_FILENAME="sops-${SOPS_VERSION}.${TARGETOS}.${TARGETARCH}" RUN set -x && \ curl --retry 5 --retry-connrefused -LO "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/${SOPS_FILENAME}" && \ chmod +x "${SOPS_FILENAME}" && \ mv "${SOPS_FILENAME}" /usr/local/bin/sops && \ sops --version --disable-version-check | grep -E "^sops ${SOPS_VERSION#v}" ENV AGE_VERSION="v1.2.1" ARG AGE_FILENAME="age-${AGE_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz" RUN set -x && \ curl --retry 5 --retry-connrefused -LO "https://github.com/FiloSottile/age/releases/download/${AGE_VERSION}/${AGE_FILENAME}" && \ tar xvf "${AGE_FILENAME}" -C /usr/local/bin --strip-components 1 age/age age/age-keygen && \ rm "${AGE_FILENAME}" && \ [ "$(age --version)" = "${AGE_VERSION}" ] && \ [ "$(age-keygen --version)" = "${AGE_VERSION}" ] ARG HELM_SECRETS_VERSION="4.7.4" RUN helm plugin install https://github.com/databus23/helm-diff --version v3.14.1 --verify=false && \ helm plugin install https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/secrets-${HELM_SECRETS_VERSION}.tgz --verify=false && \ helm plugin install https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/secrets-getter-${HELM_SECRETS_VERSION}.tgz --verify=false && \ helm plugin install https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/secrets-post-renderer-${HELM_SECRETS_VERSION}.tgz --verify=false && \ helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.17.0 --verify=false && \ helm plugin install https://github.com/aslafy-z/helm-git.git --version v1.4.1 --verify=false && \ rm -rf ${HELM_CACHE_HOME}/plugins # Allow users other than root to use helm plugins located in root home RUN chmod 751 ${HOME} COPY --from=builder /workspace/helmfile/dist/helmfile_${TARGETOS}_${TARGETARCH} /usr/local/bin/helmfile CMD ["/usr/local/bin/helmfile"]