fix: devops profile fails — kubectl, helm, terraform not in Debian repos

[b00y0h]

Summary

The devops profile fails during docker build because kubectl, helm, and terraform are not available in Debian bookworm's apt repositories.

E: Unable to locate package kubectl
E: Unable to locate package helm
E: Unable to locate package terraform

Fix

Install these tools from their official upstream sources (matching the pattern used by Rust, Go, Flutter, and Java profiles):

• kubectl: Direct binary download from dl.k8s.io with architecture detection
• helm: Official get-helm-3 install script (handles arch automatically)
• terraform: Binary zip from releases.hashicorp.com with architecture detection

Keep docker.io, docker-compose, and ansible as apt packages since they are available in bookworm.

Also removed awscli which is not a valid Debian package name (the Debian package is python3-aws or requires pip installation).

Testing

Verified the profile generates valid Dockerfile RUN commands:

RUN apt-get update && apt-get install -y docker.io docker-compose ansible && apt-get clean
RUN ARCH=$(dpkg --print-architecture) && \
    curl -fsSL "https://dl.k8s.io/release/$(curl -fsSL https://dl.k8s.io/release/stable.txt)/bin/linux/${ARCH}/kubectl" -o /usr/local/bin/kubectl && \
    chmod +x /usr/local/bin/kubectl
RUN curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
RUN ARCH=$(dpkg --print-architecture) && \
    curl -fsSL "https://releases.hashicorp.com/terraform/1.9.8/terraform_1.9.8_linux_${ARCH}.zip" -o /tmp/terraform.zip && \
    unzip -o /tmp/terraform.zip -d /usr/local/bin && \
    rm /tmp/terraform.zip

Tested on arm64 (Apple Silicon / OrbStack).

Summary by Sourcery

Update the devops profile to install kubectl, helm, and terraform from their official upstream sources instead of Debian packages, ensuring compatibility with Debian bookworm.

Bug Fixes:

• Fix devops Docker image builds failing due to kubectl, helm, and terraform not being available in Debian bookworm apt repositories.

Enhancements:

• Install kubectl via architecture-aware binary download, helm via the official installation script, and terraform via architecture-aware binary zip download in the devops profile.
• Remove the non-existent awscli Debian package from the devops profile while retaining docker.io, docker-compose, and ansible as apt-installed tools.

Build:

• Adjust generated Dockerfile RUN commands for the devops profile to use upstream installation methods for kubectl, helm, and terraform.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

DevOps profile now installs kubectl, helm, and terraform via upstream scripts/binaries instead of Debian packages, keeping only available tools in apt and removing invalid awscli, with get_profile_devops emitting the corresponding Dockerfile RUN commands.

Sequence diagram for devops profile Docker build and upstream tool installation

sequenceDiagram
    actor Developer
    participant DevopsProfile as Devops_profile_script
    participant Docker as Docker_daemon
    participant Apt as Debian_apt_repos
    participant K8s as K8s_dl_server
    participant Helm as Helm_GitHub_script
    participant Terraform as Hashicorp_releases

    Developer->>DevopsProfile: Request devops Dockerfile
    DevopsProfile-->>Developer: Dockerfile with RUN commands

    Developer->>Docker: docker build
    Docker->>Apt: Install docker.io, docker-compose, ansible
    Apt-->>Docker: Packages installed

    Docker->>K8s: Download kubectl binary (arch-specific)
    K8s-->>Docker: kubectl binary

    Docker->>Helm: Fetch and run get-helm-3 script
    Helm-->>Docker: Helm installed

    Docker->>Terraform: Download terraform zip (arch-specific)
    Terraform-->>Docker: terraform zip
    Docker->>Docker: Unzip terraform to /usr/local/bin

    Docker-->>Developer: Built devops image with all tools installed

Loading

Flow diagram for devops profile Dockerfile generation and tool installation

flowchart TD
    dev["Developer selects devops profile"] --> cfg["get_profile_devops in config_sh"]

    cfg --> pkgs["Resolve apt packages: docker.io, docker-compose, ansible"]
    cfg --> scripts["Emit RUN commands for kubectl, helm, terraform installation scripts"]

    pkgs --> df["Generated Dockerfile"]
    scripts --> df

    df --> build["docker build"]

    build --> apt["Debian apt repositories"]
    build --> k8s["dl.k8s.io for kubectl binary"]
    build --> helm["get-helm-3 script from GitHub"]
    build --> tf["HashiCorp releases for terraform zip"]

    apt --> img["DevOps image with docker.io, docker-compose, ansible"]
    k8s --> img
    helm --> img
    tf --> img

Loading

File-Level Changes

Change	Details	Files
Switch DevOps profile from installing all tools via apt to mixing apt packages with upstream-installed CLIs for kubectl, helm, and terraform.	Update devops profile package list to only include docker.io, docker-compose, and ansible as apt-installed packages Remove kubectl, helm, terraform, and awscli from the apt package list due to absence/invalidity in Debian bookworm repositories Add scripted installation steps for kubectl, helm, and terraform into the devops Dockerfile generation function, including architecture detection and binary placement under /usr/local/bin	lib/config.sh

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• The Terraform download URL hardcodes version 1.9.8; consider extracting this into a variable or build arg so the version can be updated in one place without editing the heredoc body.
• For the curl | bash Helm install, it would be safer to add -fsSL to curl and ensure the shell is configured with set -euo pipefail (or similar) so failures in the download or script cause the Docker build to fail.
• You compute ARCH=$(dpkg --print-architecture) in two separate RUN steps; consider factoring this into a single earlier RUN or using a build arg/env to avoid duplication and reduce the chance of divergent logic in future changes.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The Terraform download URL hardcodes version 1.9.8; consider extracting this into a variable or build arg so the version can be updated in one place without editing the heredoc body.
- For the curl | bash Helm install, it would be safer to add `-fsSL` to curl and ensure the shell is configured with `set -euo pipefail` (or similar) so failures in the download or script cause the Docker build to fail.
- You compute `ARCH=$(dpkg --print-architecture)` in two separate RUN steps; consider factoring this into a single earlier RUN or using a build arg/env to avoid duplication and reduce the chance of divergent logic in future changes.

## Individual Comments

### Comment 1
<location> `lib/config.sh:329-330` </location>
<code_context>
         echo "RUN apt-get update && apt-get install -y $packages && apt-get clean"
     fi
+    cat << 'EOF'
+RUN ARCH=$(dpkg --print-architecture) && \
+    curl -fsSL "https://dl.k8s.io/release/$(curl -fsSL https://dl.k8s.io/release/stable.txt)/bin/linux/${ARCH}/kubectl" -o /usr/local/bin/kubectl && \
+    chmod +x /usr/local/bin/kubectl
+RUN curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
</code_context>

<issue_to_address>
**issue:** Architecture string from dpkg may not match upstream kubectl/terraform archive naming

Using `dpkg --print-architecture` in the URL assumes upstream uses Debian’s arch names. This is fine for `amd64`/`arm64`, but will likely break on `ppc64el`, `armhf`, etc., where upstream expects different values. Please map `$ARCH` to the upstream’s expected strings, or fail fast with a clear error on unsupported architectures.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue: Architecture string from dpkg may not match upstream kubectl/terraform archive naming

Using dpkg --print-architecture in the URL assumes upstream uses Debian’s arch names. This is fine for amd64/arm64, but will likely break on ppc64el, armhf, etc., where upstream expects different values. Please map $ARCH to the upstream’s expected strings, or fail fast with a clear error on unsupported architectures.