Question, Bug, or Feature?
Type: Bug
Enter Task Name: HelmDeploy@0
Helm 3.3.4 was released this morning and warnings are now being written to the error stream, causing the task to fail. I logged an issue with Helm here https://github.com/helm/helm/issues/8792, but they recommended that I log an issue with you.
bacongobbler commented 9 minutes ago:
Please file an issue upstream with Azure DevOps. There's nothing we can do here. Helm is correctly reporting a security issue that the user should address. It is Azure DevOps that is handling the log output incorrectly.
An alternative option would be to fix the permissions of your kubeconfig file within the devops task. I assume this may also be set up by Azure DevOps, which I would again urge you to file an issue there.
2020-09-23T04:37:17.5225159Z ##[section]Starting: helm list
2020-09-23T04:37:17.5234692Z ==============================================================================
2020-09-23T04:37:17.5235057Z Task : Package and deploy Helm charts
2020-09-23T04:37:17.5235503Z Description : Deploy, configure, update a Kubernetes cluster in Azure Container Service by running helm commands
2020-09-23T04:37:17.5235832Z Version : 0.175.4
2020-09-23T04:37:17.5236061Z Author : Microsoft Corporation
2020-09-23T04:37:17.5236351Z Help : https://aka.ms/azpipes-helm-tsg
2020-09-23T04:37:17.5236659Z ==============================================================================
2020-09-23T04:37:17.7716777Z [command]/workspace/_tool/helm/3.3.4/x64/linux-amd64/helm ls --namespace cib-k8-magic-dev --output json
2020-09-23T04:37:17.9788806Z WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /workspace/_temp/helmTask/1600835837733/config
2020-09-23T04:37:17.9789681Z WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /workspace/_temp/helmTask/1600835837733/config
2020-09-23T04:37:17.9792110Z [{"name":"dadjokes-gradle-sbt2-jre11-api","namespace":"cib-k8-magic-dev","revision":"1","updated":"2020-07-14 14:30:57.805873782 +0000 UTC","status":"failed","chart":"dadjokes-gradle-sbt2-jre11-api-0.0.2-63254193faa65349a32fb7e791f472107a5d19e0","app_version":"1.16.0"},{"name":"fluentd","namespace":"cib-k8-magic-dev","revision":"6","updated":"2020-09-21 08:54:04.668049177 +0000 UTC","status":"deployed","chart":"fluentd-1.9.1","app_version":"v2.4.0"},{"name":"hello-world-api","namespace":"cib-k8-magic-dev","revision":"419","updated":"2020-09-23 04:32:11.059193346 +0000 UTC","status":"deployed","chart":"hello-world-api-0.0.538","app_version":"1.16.0"}]
2020-09-23T04:37:17.9827315Z ##[error]WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /workspace/_temp/helmTask/1600835837733/config
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /workspace/_temp/helmTask/1600835837733/config
2020-09-23T04:37:17.9839718Z ##[section]Finishing: helm list
@pieterv-icloud-com Thanks for reporting the issue. This security warning is being shown from Helm 3.3.2 onwards. I've already raised a PR to fix the permissions on the kubeconfig file. As a workaround, you can continue to use the older Helm versions while we work on deploying these changes.
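An added example, not part of the thread or of the task's own code: a shell check for the group-readable and world-readable bits named in the warning, followed by the owner-only fix. The function names and the temporary file standing in for the kubeconfig are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a kubeconfig's read bits and
# tighten them. Function names and the sample file are constructed.

# Print the permission bits in octal: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Echo "group-readable" and/or "world-readable"; echo an empty line if neither is set.
kubeconfig_findings() {
    mode=$(file_mode "$1") || return 2
    findings=""
    # The leading 0 makes the shell read the mode as octal:
    # 040 is the group read bit, 004 is the "other" read bit.
    if [ $(( 0$mode & 040 )) -ne 0 ]; then findings="group-readable"; fi
    if [ $(( 0$mode & 004 )) -ne 0 ]; then findings="${findings:+$findings }world-readable"; fi
    echo "$findings"
}

# Restrict the file to its owner and confirm that no finding remains.
harden_kubeconfig() {
    chmod 600 "$1" || return 1
    [ -z "$(kubeconfig_findings "$1")" ]
}

# Demo on a constructed temp file standing in for the task's kubeconfig.
demo_cfg=$(mktemp)
chmod 644 "$demo_cfg"
echo "before: $(kubeconfig_findings "$demo_cfg")"
harden_kubeconfig "$demo_cfg" && echo "after: mode $(file_mode "$demo_cfg")"
rm -f "$demo_cfg"
```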
While that solves the immediate problem, why not just set the default value of failOnStderr to false? There should not be a case where a pipeline should fail due to a warning or a diagnostic message displayed on standard error. If there's an error, Helm will return a non-zero exit code.
Will definitely give it a try
@bacongobbler The actual problem here was that the warning from the Helm command was being written to stdout. This affected the output parsing logic for the Helm version check in the task. Now that the warning is being written to stderr after this commit, and we are also updating the permissions on the kubeconfig file, this issue should be resolved. (Although for an immediate fix, users will have to set failOnStderr to false.)
Coming to your suggestion that the default value of failOnStderr should be made false, it looks like a fair point. I'll raise this feedback to the PMs.
For anyone looking to follow what's a default and where, we think https://github.com/microsoft/azure-pipelines-tasks/blob/master/Tasks/HelmDeployV0/task.json#L433 being set to true is not a good default, and handling errors like the Bash job handles them (https://github.com/microsoft/azure-pipelines-tasks/blob/master/Tasks/BashV3/task.json#L91) would be a more reasonable default.
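An added example, not code from the task or from any commenter: a simplified shell model of the two failure policies debated in this thread, one that fails a step on any stderr output and one that trusts only the exit code. `fake_cli`, `run_fail_on_stderr` and `run_fail_on_exit` are hypothetical names, and the warning text and JSON are constructed.

```shell
#!/bin/sh
# Added example: two ways a CI wrapper can decide that a step failed.

# Constructed stand-in for a CLI: warns on stderr, emits JSON on stdout,
# and exits with the status passed as $1.
fake_cli() {
    echo "WARNING: configuration file is group-readable." >&2
    echo '[{"name":"demo","status":"deployed"}]'
    return "$1"
}

# Policy A (failOnStderr-style): any byte on stderr fails the step,
# even when the command itself exited 0.
run_fail_on_stderr() {
    errfile=$(mktemp)
    status=0
    "$@" 2>"$errfile" >/dev/null || status=$?
    if [ -s "$errfile" ]; then status=1; fi
    rm -f "$errfile"
    return "$status"
}

# Policy B: only the exit code decides; stderr passes through as diagnostics.
run_fail_on_exit() {
    "$@" >/dev/null
}

# Demo: the same warning-only run fails under A and passes under B.
if run_fail_on_stderr fake_cli 0; then echo "A: pass"; else echo "A: fail (warning only)"; fi
if run_fail_on_exit fake_cli 0 2>/dev/null; then echo "B: pass"; else echo "B: fail"; fi
# Keeping the streams separate leaves stdout as parseable JSON.
echo "stdout only: $(fake_cli 0 2>/dev/null)"
```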