Azure-pipelines-tasks: Helm deploy fails for Azure AD enabled AKS clusters

Created on 3 Apr 2019 · 9 Comments · Source: microsoft/azure-pipelines-tasks

Required Information

Entering this information will route you directly to the right team and expedite traction.

Question, Bug, or Feature?
Type: Bug

Enter Task Name: HelmDeploy

Environment

  • Server - Azure Pipelines - mseng/Domino/_taskgroup/fa591b82-3820-4bb8-8e73-bcc9dec32648
  • Agent - Hosted Ubuntu 1604

Issue Description

An Azure AD enabled RBAC AKS cluster requires using the clusterAdmin credentials, otherwise an interactive login prompt is presented. Using the Helm Deploy task the clusterUser credentials are used, which blocks the deploy.

Task logs

tasklog_19.log

Troubleshooting

Check out how to troubleshoot failures and collect debug logs: https://docs.microsoft.com/en-us/vsts/build-release/actions/troubleshooting

Error logs

2019-04-02T21:13:13.7024378Z To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code BJWLC87XB to authenticate.
2019-04-02T21:13:13.7025969Z E0402 21:13:13.699661    3564 azure.go:126] Failed to acquire a token: acquiring a new fresh token: waiting for device code authentication to complete: autorest/adal/devicetoken: Error while retrieving OAuth token: Code Expired
Release bug
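The failure reported above can be caught before Helm runs by checking which kind of credential the kubeconfig's current user carries. The following is an added example, not code from the issue or from microsoft/azure-pipelines-tasks; it assumes the kubeconfig is supplied in JSON form (as printed by `kubectl config view -o json`) and that the clusterUser entry of an Azure AD enabled cluster uses the `azure` auth-provider while the clusterAdmin entry holds a client certificate and token. Function names and sample values are hypothetical.

```typescript
// Added example (not from microsoft/azure-pipelines-tasks). Input is a kubeconfig
// in JSON form, as printed by `kubectl config view -o json`.
type AuthKind = "interactive-aad" | "exec-plugin" | "static-credential" | "unknown";

interface KubeUser {
  "auth-provider"?: { name?: string };
  exec?: { command?: string };
  token?: string;
  "client-certificate-data"?: string;
  "client-key-data"?: string;
}
interface KubeConfig {
  "current-context"?: string;
  contexts?: { name: string; context: { user: string } }[];
  users?: { name: string; user: KubeUser }[];
}

// Resolve current-context -> user entry and report how that user authenticates.
function classifyCurrentUser(kubeconfigJson: string): { user: string; kind: AuthKind } {
  const cfg = JSON.parse(kubeconfigJson) as KubeConfig;
  const ctx = (cfg.contexts || []).filter(c => c.name === cfg["current-context"])[0];
  if (!ctx) throw new Error("current-context not found in kubeconfig");
  const entry = (cfg.users || []).filter(u => u.name === ctx.context.user)[0];
  if (!entry) throw new Error("user '" + ctx.context.user + "' not found in kubeconfig");
  const u = entry.user;
  const provider = u["auth-provider"];
  let kind: AuthKind = "unknown";
  // The azure auth-provider starts the device-code sign-in seen in the error log.
  if (provider && provider.name === "azure") kind = "interactive-aad";
  else if (u.exec) kind = "exec-plugin"; // outcome depends on the plugin's login mode
  else if (u.token || (u["client-certificate-data"] && u["client-key-data"])) kind = "static-credential";
  return { user: entry.name, kind };
}

// A pipeline step should fail fast instead of waiting for the device code to expire.
function blocksUnattendedRun(kind: AuthKind): boolean {
  return kind === "interactive-aad";
}

// Constructed sample kubeconfigs; names and values are placeholders.
function sampleKubeconfig(userName: string, user: KubeUser): string {
  return JSON.stringify({
    "current-context": "aks-demo",
    contexts: [{ name: "aks-demo", context: { cluster: "aks-demo", user: userName } }],
    users: [{ name: userName, user: user }],
  });
}
const SAMPLE_CLUSTER_USER = sampleKubeconfig("clusterUser_rg-demo_aks-demo",
  { "auth-provider": { name: "azure" } });
const SAMPLE_CLUSTER_ADMIN = sampleKubeconfig("clusterAdmin_rg-demo_aks-demo",
  { "client-certificate-data": "DATA+OMITTED", "client-key-data": "DATA+OMITTED", token: "REDACTED" });
```

A `static-credential` result means the kubeconfig authenticates with a certificate or token held in the file rather than through an Azure AD sign-in, so the file itself needs the handling of a long-lived secret.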

All 9 comments

azure-pipelines-tasks/Tasks/HelmDeployV0/src/clusters/armkubernetescluster.ts has the following which defaults to using the clusterUser:

var clusterInfo : AKSClusterAccessProfile = await aks.getAccessProfile(resourceGroup, clusterName);

The kubectl task allows this to be overridden, but this option is not available on the helm deploy task.

We get the clusterUser creds in the task, which is why you are hitting this issue. Could you try creating a Kubernetes service connection using the Azure subscription option? Steps:

  1. Choose 'Kubernetes Service Connection' connection type.
  2. Add a Kubernetes Service connection using Azure subscription type (click on +New button)

  3. Choose that connection in the Kubernetes service connection

  4. Populate the namespace field with the chosen namespace in the connection

Let me know if this unblocks you or not!

Hi, Any solution for this problem?

@Sudharma Have you tried using the solution that @Anumita mentioned?

Well, all our deployments are automated with Terraform and CI/CD; this particular option is just a workaround AFAIK. However, we are managing with the cluster admin role but would like to see how the CLI would authenticate with the given Azure AD user. (This user could be a technical user for CI/CD and with proper Azure AD setup.)

Hi,
is there any news on this issue?

We have the same problem here in our automated deployment where we set up an AKS (AAD enabled) with application gateway and ingress controller.

In the Kubernetes deployment task, there is an option "Use cluster admin credentials" for the service connection type "Azure Resource Manager" which we miss in the "Package and deploy Helm charts" task for the same connection type.

I second that. Having the same authentication options as with the Kubernetes tasks is absolutely necessary. AAD enabled clusters look promising, but existing build definitions stopped working after using AAD features.

Especially with fully automated cluster deployments the described workaround is not handy since we do not have a configured kubernetes service connection at the time of cluster creation.

Thanks for an update!

Thanks @marc-mueller and @knoxi
We are picking this up.

Done
Closing the issue. Let me know if you have any feedback.
