[BUG]: HelmDeploy@1 doesn't support EntraID authentication without local accounts #20674

Open
5 of 7 tasks
avvale-sorgenia opened this issue Nov 19, 2024 · 4 comments

Comments

@avvale-sorgenia

New issue checklist

Task name

HelmDeploy@1

Task version

1

Issue Description

I'm trying to use the HelmDeploy@1 task on my Azure DevOps yaml pipelines to configure my Azure Kubernetes Service.

For security reasons I am required to disable local accounts on my AKS and only use authentication with EntraID, so I have configured a Service Connection on Azure DevOps which uses a Service Principal that has been enabled on K8S as admin (we use K8S RBAC).

My HelmDeploy task looks like this:

          - task: KubectlInstaller@0
            displayName: 'Install kubectl'
            inputs:
              kubectlVersion: '1.30.1'

          - task: KubeloginInstaller@0
            inputs:
              kubeloginVersion: 'latest'

          - task: HelmInstaller@1
            displayName: 'Install Helm'
            inputs:
              helmVersionToInstall: latest

          - task: HelmDeploy@1
            displayName: 'Istio CRD Install'
            inputs:
              connectionType: 'Azure Resource Manager'
              azureSubscriptionEndpoint: $(ServiceConnectionName)
              azureResourceGroup: $(ResourceGroupName)
              kubernetesCluster: $(AKSClusterName)
              command: upgrade
              chartType: 'Name'
              chartName: "istio/base"
              overrideValues: 'defaultRevision=default'
              arguments: '--create-namespace'
              namespace: 'istio-system'
              releaseName: istio-base
              install: true
              waitForExecution: false
              useClusterAdmin: false

Since I disabled AKS local accounts and switched "useClusterAdmin" to false, my pipeline has been failing with authentication/authorization-related errors or "kubelogin not found".

I think this is a bug, because I would expect the task to be able to successfully use kubectl/kubelogin to authenticate and it should not rely on local accounts being enabled on the cluster.

If it already supports this, then there is no clear documentation on how to use this task with this configuration.

Environment type (Please select at least one environment where you face this issue)

  • Self-Hosted
  • Microsoft Hosted
  • VMSS Pool
  • Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operating system

Ubuntu

Relevant log output

Error: Kubernetes cluster unreachable: Get "https://CLUSTERADDRESS.hcp.westeurope.azmk8s.io:443/version": getting credentials: exec: executable kubelogin not found

It looks like you are trying to use a client-go credential plugin that is not installed.

To learn more about this feature, consult the documentation available at:
      https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins


kubelogin is not installed which is required to connect to AAD enabled cluster.

To learn more, please go to https://aka.ms/aks/kubelogin

Full task logs with system.debug enabled

No response

Repro steps

@bkarakashev

@avvale-sorgenia did you manage to get this working or did you find a workaround?

@avvale-sorgenia
Author

Hello,
No, currently the only solution I found is to not use the HelmDeploy task and directly use the AzCli task with:

az aks get-credentials ....
kubelogin
helm ....

This is the only way I found to make it recognize the correct authentication and authorizations when local accounts are disabled.
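An added example, not part of the thread or the task's own code: a fuller form of the three-command workaround above, with a pre-flight check that turns the "executable kubelogin not found" failure from the log into an early, explicit error. `RESOURCE_GROUP`, `AKS_CLUSTER` and the function names are assumptions, and the `istio` chart repository is assumed to be already added on the agent.

```shell
#!/usr/bin/env bash
# Added example, not from the issue thread. RESOURCE_GROUP and AKS_CLUSTER
# are assumed environment variables; function names are illustrative.

# Print how the first user entry in a kubeconfig authenticates:
#   exec:<command> | local-credentials | unknown
kubeconfig_auth_mode() {
  cmd=$(awk '/^[[:space:]]*exec:/ { inexec = 1; next }
             inexec && /^[[:space:]]*command:/ { print $2; exit }' "$1" | tr -d "\"'")
  if [ -n "$cmd" ]; then
    echo "exec:$cmd"
  elif grep -Eq '^[[:space:]]*(client-certificate-data|client-key-data|token):' "$1"; then
    echo "local-credentials"   # embedded cert/token rather than an exec plugin
  else
    echo "unknown"
  fi
}

# Return 0 only if the kubeconfig uses an exec plugin that exists on PATH.
preflight() {
  mode=$(kubeconfig_auth_mode "$1")
  case $mode in
    exec:*)
      command -v "${mode#exec:}" >/dev/null 2>&1 && return 0
      echo "exec plugin '${mode#exec:}' is not on PATH" >&2; return 2 ;;
    local-credentials)
      echo "kubeconfig embeds a client certificate or token" >&2; return 3 ;;
    *)
      echo "no user credentials found in $1" >&2; return 4 ;;
  esac
}

# The workaround sequence: fetch user credentials, check, convert, deploy.
deploy() {
  az aks get-credentials --resource-group "$RESOURCE_GROUP" \
    --name "$AKS_CLUSTER" --overwrite-existing || return
  preflight "${KUBECONFIG:-$HOME/.kube/config}" || return
  kubelogin convert-kubeconfig -l azurecli || return
  helm upgrade --install istio-base istio/base --namespace istio-system \
    --create-namespace --set defaultRevision=default
}

if [ "${1:-}" = "deploy" ]; then deploy; fi
```

Run with the argument `deploy` from an Azure CLI pipeline step so that `kubelogin` can reuse the step's `az` login; the check only inspects the first user entry and does not resolve `current-context`.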

@bkarakashev

I actually managed to get it all working by using connectionType: 'Azure Resource Manager'
and disabling the useClusterAdmin: false.

This way the helm task executes kubelogin and automatically populates the command with the necessary credentials, and it all worked.

Also, I had to add the - task: KubeloginInstaller@0 just before the helm task.

I hope this is helpful to you or anyone else who is having this problem.

@bkarakashev

I just realised that this is exactly what you have above in the issue...
Have they fixed this bug and now it is all working?
Not sure but this works for me now :)
