[BUG]: HelmDeploy@1 doesn't support EntraID authentication without local accounts #20674

Open
@avvale-sorgenia

Description

New issue checklist

Task name

HelmDeploy@1

Task version

1

Issue Description

I'm trying to use the HelmDeploy@1 task on my Azure DevOps yaml pipelines to configure my Azure Kubernetes Service.

For security reasons I am required to disable local accounts on my AKS and only use authentication with EntraID, so I have configured a Service Connection on Azure DevOps which uses a Service Principal that has been enabled on K8S as admin (we use K8S RBAC).

My HelmDeploy task looks like this:

          - task: KubectlInstaller@0
            displayName: 'Install kubectl'
            inputs:
              kubectlVersion: '1.30.1'

          - task: KubeloginInstaller@0
            inputs:
              kubeloginVersion: 'latest'

          - task: HelmInstaller@1
            displayName: 'Install Helm'
            inputs:
              helmVersionToInstall: latest

          - task: HelmDeploy@1
            displayName: 'Istio CRD Install'
            inputs:
              connectionType: 'Azure Resource Manager'
              azureSubscriptionEndpoint: $(ServiceConnectionName)
              azureResourceGroup: $(ResourceGroupName)
              kubernetesCluster: $(AKSClusterName)
              command: upgrade
              chartType: 'Name'
              chartName: "istio/base"
              overrideValues: 'defaultRevision=default'
              arguments: '--create-namespace'
              namespace: 'istio-system'
              releaseName: istio-base
              install: true
              waitForExecution: false
              useClusterAdmin: false

Since I disabled AKS local accounts and switched "useClusterAdmin" to false, my pipeline has been failing with authentication/authorization-related errors or "kubelogin not found".

I think this is a bug, because I would expect the task to be able to successfully use kubectl/kubelogin to authenticate and it should not rely on local accounts being enabled on the cluster.

If it already supports this, then there is no clear documentation on how to use this task with this configuration.

Environment type (Please select at least one environment where you face this issue)

  • Self-Hosted
  • Microsoft Hosted
  • VMSS Pool
  • Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operation system

Ubuntu

Relevant log output

Error: Kubernetes cluster unreachable: Get "https://CLUSTERADDRESS.hcp.westeurope.azmk8s.io:443/version": getting credentials: exec: executable kubelogin not found

It looks like you are trying to use a client-go credential plugin that is not installed.

To learn more about this feature, consult the documentation available at:
      https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins


kubelogin is not installed which is required to connect to AAD enabled cluster.

To learn more, please go to https://aka.ms/aks/kubelogin

Full task logs with system.debug enabled

No response

Repro steps
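
The log output above fails where client-go tries to run the exec credential plugin named in the kubeconfig. The following pre-flight check is an added example, not part of the original issue or of the HelmDeploy task's code: it lists the plugin commands a kubeconfig refers to and reports any that are not on PATH for the current step. The function names and the sample kubeconfig (user name, arguments) are constructed for illustration.

```shell
# Added example: pre-flight check for kubeconfig exec credential plugins.
# Print the plugin commands a kubeconfig refers to, one per line. Assumes
# block-style YAML as kubectl writes it: a "command:" key under "exec:".
exec_plugins() {
  awk '
    /^[ \t]*exec:[ \t]*$/ { in_exec = 1; next }
    in_exec && /^[ \t]*command:/ {
      sub(/^[ \t]*command:[ \t]*/, ""); sub(/[ \t]+$/, "")
      print; in_exec = 0
    }
  ' "$1" | tr -d "\"'\r" | sort -u
}

# Report each plugin; return 1 if any cannot be resolved on PATH.
check_plugins() {
  cp_missing=0
  for cp_plugin in $(exec_plugins "$1"); do
    if cp_path=$(command -v "$cp_plugin"); then
      echo "ok: $cp_plugin -> $cp_path"
    else
      echo "missing: $cp_plugin (not on PATH for this step)"
      cp_missing=1
    fi
  done
  return "$cp_missing"
}

# Constructed sample: the user entry shape of a kubeconfig that delegates
# authentication to an exec plugin (names are placeholders).
write_sample_kubeconfig() {
  cat > "$1" <<EOF
apiVersion: v1
kind: Config
users:
- name: clusterUser_example-rg_example-aks
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - get-token
      - --login
      - spn
      command: ${2:-kubelogin}
EOF
}

sample=$(mktemp)
write_sample_kubeconfig "$sample"
check_plugins "$sample" || echo "exec plugin missing: helm/kubectl would fail as in the log"
rm -f "$sample"
```

Run as a script step against the kubeconfig the deployment step will use, it shows whether the binary is visible to that step before helm is invoked.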
