From 2c869a591e25cb6e480e9fc5c4b529277b2c4c30 Mon Sep 17 00:00:00 2001
From: Jan Gutter <jan.gutter@workday.com>
Date: Thu, 2 Oct 2025 14:35:03 +0100
Subject: [PATCH] Update ensure-helm role to add more functionality

* The role now allows the caller to use a custom path to download
  the helm release from.
* The install directory can now be overridden.
* There's now some extra logic that can optionally be used to
  autodetect the platform, and version.
* Because the role has a default version of helm, that's not been
  removed. This should likely be addressed in a future update with a
  proper announcement.

Change-Id: If38cfd2965a9b53c5cac646713d11c53ac63c1a2
---
 roles/ensure-helm/README.rst         | 17 +++++++-
 roles/ensure-helm/defaults/main.yaml | 21 ++++++++++
 roles/ensure-helm/tasks/main.yaml    | 63 +++++++++++++++++++++-------
 3 files changed, 86 insertions(+), 15 deletions(-)

diff --git a/roles/ensure-helm/README.rst b/roles/ensure-helm/README.rst
index cfb1889da..cc385a120 100644
--- a/roles/ensure-helm/README.rst
+++ b/roles/ensure-helm/README.rst
@@ -1,7 +1,22 @@
 Ensure Helm is installed
 
+Currently, this role always downloads and installs the requested version
+of helm.
+
 **Role Variables**
 
 .. zuul:rolevar:: helm_version
+   :default: 2.17.0
 
-   Version of Helm to install
+   Version of Helm to install. For historical reasons this does not include
+   the "v" prefix. Use "latest" to probe for the latest release.
+
+.. zuul:rolevar:: helm_release_repo_url
+   :default: https://get.helm.sh
+
+   The repo where the helm releases should be fetched from.
+
+.. zuul:rolevar:: helm_install_dir
+   :default: /usr/local/bin
+
+   The installation directory for helm.
diff --git a/roles/ensure-helm/defaults/main.yaml b/roles/ensure-helm/defaults/main.yaml
index e716db001..2b6e9051c 100644
--- a/roles/ensure-helm/defaults/main.yaml
+++ b/roles/ensure-helm/defaults/main.yaml
@@ -1,2 +1,23 @@
 ---
+# These are reasonable overrides for users of the role and are part of the
+# stable interface.
 helm_version: 2.17.0
+helm_release_repo_url: https://get.helm.sh
+helm_install_dir: /usr/local/bin
+
+# These defaults are not part of the stable interface for the role.
+helm_archive_url: "{{ helm_release_repo_url }}/{{ helm_archive_name }}"
+helm_arch: >-
+  {{ "amd64" if ansible_architecture == "x86_64"
+  else ansible_architecture }}
+helm_system: >-
+  {{ ansible_system | lower }}
+helm_download_version: >-
+  {{ helm_version if helm_version != "latest" else helm_latest_version }}
+helm_archive_name: >-
+  helm-v{{ helm_download_version }}-{{ helm_system }}-{{ helm_arch }}.tar.gz
+# We always need to lazy evaluate this value even if we don't use it.
+# This value won't make sense unless the query task has run.
+helm_latest_version: >-
+  {{ helm_latest_version_query.content | default("")
+  | regex_search("[0-9].*[0-9]") }}
diff --git a/roles/ensure-helm/tasks/main.yaml b/roles/ensure-helm/tasks/main.yaml
index bd74cfd52..55a79edda 100644
--- a/roles/ensure-helm/tasks/main.yaml
+++ b/roles/ensure-helm/tasks/main.yaml
@@ -1,23 +1,58 @@
 ---
-- name: Download Helm
-  unarchive:
-    remote_src: true
-    src: "https://get.helm.sh/helm-v{{ helm_version }}-linux-amd64.tar.gz"
-    dest: /tmp
+- name: Create a temporary directory for downloading helm
+  ansible.builtin.tempfile:
+    state: directory
+  register: helm_download_dir
 
-- name: Install Helm
-  become: true
-  copy:
-    remote_src: true
-    src: /tmp/linux-amd64/helm
-    dest: /usr/local/bin/helm
-    mode: '0755'
+- name: Fetch the latest helm version (if needed)
+  ansible.builtin.uri:
+    url: "{{ helm_release_repo_url }}/helm-latest-version"
+    return_content: true
+  retries: 2
+  delay: 15
+  register: helm_latest_version_query
+  until: helm_latest_version_query is not failed
+  when: helm_version == "latest"
+
+- name: Download and extract the helm binary
+  vars:
+    helm_archive_path: >-
+      {{ [helm_download_dir.path, helm_archive_name]
+      | ansible.builtin.path_join }}
+  block:
+    - name: Fetch the helm binary archive
+      ansible.builtin.uri:
+        url: "{{ helm_archive_url }}"
+        dest: "{{ helm_archive_path }}"
+        mode: "0644"
+      retries: 2
+      delay: 15
+      register: result
+      until: result is not failed
+
+    - name: Extract the helm binary from the archive
+      ansible.builtin.unarchive:
+        src: "{{ helm_archive_path }}"
+        dest: "{{ helm_install_dir }}"
+        mode: "0755"
+        remote_src: true
+        extra_opts:
+          - --strip=1
+          - --wildcards
+          - "*/helm"
+      become: true
+
+- name: Remove the temporary helm download dir
+  ansible.builtin.file:
+    path: "{{ helm_download_dir.path }}"
+    state: absent
+  when: helm_download_dir.path is defined
 
 - name: Initialize Helm
-  shell: helm init --client-only
+  ansible.builtin.shell: helm init --client-only
   # NOTE(b.schanzel): The init command was removed with helm v3 and no
   #                   initialization is needed anymore
-  when: helm_version is version('3', '<')
+  when: helm_download_version is version('3', '<')
   tags:
     # NOTE(mnaser): The `helm` module does not support running init only.
     - skip_ansible_lint