# Package and deploy Helm charts v0
# Deploy, configure, update your Kubernetes cluster in Azure Container Service by running helm commands.
- task: HelmDeploy@0
inputs:
# Kubernetes Cluster
connectionType: 'Azure Resource Manager' # 'Azure Resource Manager' | 'Kubernetes Service Connection' | 'None'. Required. Connection Type. Default: Azure Resource Manager.
#azureSubscription: # string. Alias: azureSubscriptionEndpoint. Required when connectionType = Azure Resource Manager. Azure subscription.
#azureResourceGroup: # string. Required when connectionType = Azure Resource Manager. Resource group.
#kubernetesCluster: # string. Required when connectionType = Azure Resource Manager. Kubernetes cluster.
#kubernetesServiceConnection: # string. Alias: kubernetesServiceEndpoint. Required when connectionType = Kubernetes Service Connection. Kubernetes Service Connection.
#namespace: # string. Namespace.
# Commands
command: 'ls' # 'create' | 'delete' | 'expose' | 'get' | 'init' | 'install' | 'login' | 'logout' | 'ls' | 'package' | 'rollback' | 'upgrade'. Required. Command. Default: ls.
#chartType: 'Name' # 'Name' | 'FilePath'. Required when command == install || command == upgrade. Chart Type. Default: Name.
chartName: # string. Required when chartType == Name. Chart Name.
#chartPath: # string. Required when chartType == FilePath || command == package. Chart Path.
#chartVersion: # string. Alias: version. Optional. Use when command == package. Version.
#releaseName: # string. Optional. Use when command == install || command == upgrade. Release Name.
#overrideValues: # string. Optional. Use when command == install || command == upgrade. Set Values.
#valueFile: # string. Optional. Use when command == install || command == upgrade. Value File.
#destination: '$(Build.ArtifactStagingDirectory)' # string. Optional. Use when command == package. Destination. Default: $(Build.ArtifactStagingDirectory).
#canaryimage: false # boolean. Optional. Use when command == init. Use canary image version. Default: false.
#upgradetiller: true # boolean. Optional. Use when command == init. Upgrade Tiller. Default: true.
#updatedependency: false # boolean. Optional. Use when command == install || command == package. Update Dependency. Default: false.
#save: true # boolean. Optional. Use when command == package. Save. Default: true.
#install: true # boolean. Optional. Use when command == upgrade. Install if release not present. Default: true.
#recreate: false # boolean. Optional. Use when command == upgrade. Recreate Pods. Default: false.
#resetValues: false # boolean. Optional. Use when command == upgrade. Reset Values. Default: false.
#force: false # boolean. Optional. Use when command == upgrade. Force. Default: false.
#waitForExecution: true # boolean. Optional. Use when command == init || command == install || command == upgrade. Wait. Default: true.
#arguments: # string. Optional. Use when command != login && command != logout. Arguments.
# TLS
#enableTls: false # boolean. Enable TLS. Default: false.
#caCert: # string. Required when enableTls == true. CA certificate.
#certificate: # string. Required when enableTls == true. Certificate.
#privatekey: # string. Required when enableTls == true. Key.
# Advanced
#tillernamespace: # string. Tiller namespace.
connectionType - Connection Type
string. Required. Allowed values: Azure Resource Manager, Kubernetes Service Connection, None. Default value: Azure Resource Manager.
Specifies the connection type. Specify Azure Resource Manager to connect to an Azure Kubernetes Service by using Azure Service Connection. Specify Kubernetes Service Connection to connect to any Kubernetes cluster by using kubeconfig or the Azure Service Account.
azureSubscription - Azure subscription
Input alias: azureSubscriptionEndpoint. string. Required when connectionType = Azure Resource Manager.
The name of the Azure Service Connection. Specify an Azure subscription that has your container registry.
azureResourceGroup - Resource group
string. Required when connectionType = Azure Resource Manager.
The name of the resource group within the subscription. Specify an Azure Resource Group.
kubernetesCluster - Kubernetes cluster
string. Required when connectionType = Azure Resource Manager.
The name of the AKS cluster. Specify an Azure Managed Cluster.
useClusterAdmin - Use cluster admin credentials
boolean. Optional. Use when connectionType = Azure Resource Manager. Default value: false.
Uses cluster administrator credentials instead of default cluster user credentials.
kubernetesServiceConnection - Kubernetes Service Connection
Input alias: kubernetesServiceEndpoint. string. Required when connectionType = Kubernetes Service Connection.
Specifies a Kubernetes Service Connection.
azureSubscriptionForACR - Azure subscription for Container Registry
Input alias: azureSubscriptionEndpointForACR. string. Required.
Specifies an Azure subscription that has your Azure Container Registry.
command - Command
string. Required. Allowed values: create, delete, expose, get, init, install, login, logout, ls, package, rollback, save, upgrade, uninstall. Default value: ls.
Specifies a Helm command.
command - Command
string. Required. Allowed values: create, delete, expose, get, init, install, login, logout, ls, package, rollback, save, upgrade. Default value: ls.
Specifies a Helm command.
command - Command
string. Required. Allowed values: create, delete, expose, get, init, install, login, logout, ls, package, rollback, upgrade. Default value: ls.
Specifies a Helm command.
chartType - Chart Type
string. Required when command == install || command == upgrade. Allowed values: Name, FilePath (File Path). Default value: Name.
Specifies how you want to enter chart information. You can either provide the name of the chart or folder/file path to the chart.
chartPath - Chart Path
string. Required when chartType == FilePath || command == package.
The path to the chart to install. This can be a path to a packaged chart or a path to an unpacked chart directory. For example, if you specify ./redis, the task runs helm install ./redis. If you're consuming a chart that's published as an artifact, then the path will be $(System.DefaultWorkingDirectory)/ARTIFACT-NAME/Charts/CHART-NAME.
chartVersion - Version
Input alias: version. string. Optional. Use when command == package || command == install || command == upgrade.
Specifies the exact chart version to install. If you don't specify the chart version, the task installs the latest version. Set the version on the chart to this semver version.
chartVersion - Version
Input alias: version. string. Optional. Use when command == package.
Specifies the exact chart version to install. If you don't specify the chart version, the task installs the latest version. Set the version on the chart to this semver version.
releaseName - Release Name
string. Optional. Use when command == install || command == upgrade.
The release name. If you don't specify the release name, the task autogenerates one for you. The releaseName input is only valid for install and upgrade commands.
overrideValues - Set Values
string. Optional. Use when command == install || command == upgrade.
Specifies values on the command line. This input can specify multiple or separate values with commas: key1=val1,key2=val2.
You can also specify multiple values by delimiting them with a new line, as follows:
key1=val1
key2=val2
If you have a value that contains new lines, use the valueFile option. Otherwise, the task treats the new line as a delimiter. The task constructs the Helm command by using these set values. For example, you can set the value using a command like the following: helm install --set key1=val1 ./redis.
valueFile - Value File
string. Optional. Use when command == install || command == upgrade.
Specifies values in a YAML file or a URL. For example, specifying myvalues.yaml results in helm install --values=myvals.yaml.
destination - Destination
string. Optional. Use when command == package. Default value: $(Build.ArtifactStagingDirectory).
Specifies values in a YAML file or a URL.
canaryimage - Use canary image version.
boolean. Optional. Use when command == init. Default value: false.
Specifies the canary Tiller image. Use the latest pre-release version of Tiller.
upgradetiller - Upgrade Tiller
boolean. Optional. Use when command == init. Default value: true.
If true, this input upgrades Tiller if Tiller is already installed.
updatedependency - Update Dependency
boolean. Optional. Use when command == install || command == package. Default value: false.
If true, this input updates a Helm dependency update before installing the chart. Updates dependencies from requirements.yaml to the charts/ directory before packaging.
install - Install if release not present.
boolean. Optional. Use when command == upgrade. Default value: true.
If a release by this name doesn't already exist, this input runs an install.
recreate - Recreate Pods.
boolean. Optional. Use when command == upgrade. Default value: false.
Performs pods restart for the resource, if applicable.
resetValues - Reset Values.
boolean. Optional. Use when command == upgrade. Default value: false.
Resets the values to the values built into the chart.
waitForExecution - Wait
boolean. Optional. Use when command == init || command == install || command == upgrade. Default value: true.
Blocks the action until the command execution completes.
chartNameForACR - Chart Name For Azure Container Registry
string. Required when command == save.
The chart's name in the Azure Container Registry.
chartPathForACR - Chart Path for Azure Container Registry
string. Required when command == save.
The file path to the chart directory in the Azure Container Registry.
Task control options
All tasks have control options in addition to their task inputs. For more information, see Control options and common task properties.
Output variables
This task defines the following output variables, which you can consume in downstream steps, jobs, and stages.
helmExitCode
The exit code emitted from the execution of specified Helm command.
helmOutput
The output emitted from the execution of specified Helm command.
Use HelmDeploy@0 to deploy, configure, or update a Kubernetes cluster in Azure Container Service by running Helm commands.
Helm is a tool that streamlines deploying and managing Kubernetes apps using a packaging format called
charts.
You can define, version, share, install, and upgrade even the most complex Kubernetes app by using Helm.
Helm helps you combine multiple Kubernetes manifests (yaml) such as service, deployments, configmaps, and more into a single unit called Helm Charts. You don't need to either invent or use a tokenization or a templating tool.
Helm Charts help you manage application dependencies and deploy as well as rollback as a unit. They are also easy to create, version, publish, and share with other partner teams.
Azure Pipelines has built-in support for Helm charts:
The Helm Tool installer task can be used to install the correct version of Helm onto the agents.
The Helm package and deploy task can be used to package the app and deploy it to a Kubernetes cluster.
You can use the task to install or update Tiller to a Kubernetes namespace, to securely connect to Tiller over TLS for deploying charts,
or to run any Helm command such as lint.
The Helm task supports connecting to an Azure Kubernetes Service by using an Azure service connection.
You can connect to any Kubernetes cluster by using kubeconfig or a service account.
Helm deployments can be supplemented by using the Kubectl task; for example, create/update, imagepullsecret, and others.
Service Connection
HelmDeploy@0 works with two service connection types: Azure Resource Manager and Kubernetes Service Connection. See Examples for examples on configuring these two connection types.
A service connection isn't required if an environment resource that points to a Kubernetes cluster has already been specified in the pipeline's stage.
Command values
The command input accepts one of the following helm commands: create/delete/expose/get/init/install/login/logout/ls/package/rollback/upgrade. Examples are provided in the Examples section.
Each command input maps to a set of task inputs. The commands that map to a task input are designated in the YAML syntax block and in the task inputs table
Troubleshooting
HelmDeploy task throws error 'unknown flag: --wait' while running 'helm init --wait --client-only' on Helm 3.0.2 version.
There are some breaking changes between Helm 2 and Helm 3. One of them includes removal of tiller, and hence helm init command is no longer supported. Remove command: init when you use Helm 3.0+ versions.
When using Helm 3, if System.debug is set to true and Helm upgrade is the command being used, the pipeline fails even though the upgrade was successful.
This is a known issue with Helm 3, as it writes some logs to stderr. Helm Deploy Task is marked as failed if there are logs to stderr or exit code is non-zero. Set the task input failOnStderr: false to ignore the logs printed to stderr.
Examples
Azure Resource Manager
This YAML example shows how Azure Resource Manager is used to refer to the Kubernetes cluster.
This is used with one of the helm commands and the appropriate values required for the command:
variables:
azureSubscriptionEndpoint: Contoso
azureContainerRegistry: contoso.azurecr.io
azureResourceGroup: Contoso
kubernetesCluster: Contoso
- task: HelmDeploy@0
displayName: Helm deploy
inputs:
connectionType: Azure Resource Manager
azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
azureResourceGroup: $(azureResourceGroup)
kubernetesCluster: $(kubernetesCluster)
Kubernetes Service Connection
This YAML example shows how Kubernetes service connection is used to refer to the Kubernetes cluster.
This is used with one of the helm commands and the appropriate values required for the command:
- task: HelmDeploy@0
displayName: Helm deploy
inputs:
connectionType: Kubernetes Service Connection
kubernetesServiceEndpoint: Contoso
Commands
The command input accepts one of the following helm commands: create/delete/expose/get/init/install/login/logout/ls/package/rollback/upgrade.
This YAML example demonstrates the ls command:
- task: HelmDeploy@0
displayName: Helm list
inputs:
azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
azureResourceGroup: $(azureResourceGroup)
kubernetesCluster: $(kubernetesCluster)
command: ls
arguments: --all
init command
This YAML example demonstrates the init command:
- task: HelmDeploy@0
displayName: Helm init
inputs:
azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
azureResourceGroup: $(azureResourceGroup)
kubernetesCluster: $(kubernetesCluster)
command: init
upgradetiller: true
waitForExecution: true
arguments: --client-only
install command
This YAML example demonstrates the install command:
- task: HelmDeploy@0
displayName: Helm install
inputs:
azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
azureResourceGroup: $(azureResourceGroup)
kubernetesCluster: $(kubernetesCluster)
command: install
chartType: FilePath
chartPath: Application/charts/sampleapp
package command
This YAML example demonstrates the package command:
- task: HelmDeploy@0
displayName: Helm package
inputs:
command: package
chartPath: Application/charts/sampleapp
destination: $(Build.ArtifactStagingDirectory)
upgrade command
This YAML example demonstrates the upgrade command:
- task: HelmDeploy@0
displayName: Helm upgrade
inputs:
azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
azureResourceGroup: $(azureResourceGroup)
kubernetesCluster: $(kubernetesCluster)
command: upgrade
chartType: filepath
chartPath: $(Build.ArtifactStagingDirectory)/sampleapp-v0.2.0.tgz
releaseName: azuredevopsdemo
install: true
waitForExecution: false
save command
This YAML example demonstrates the save command:
- task: HelmDeploy@0
displayName: Helm save
inputs:
command: save
chartNameForACR: mycontainerregistry.azurecr.io/helm/hello-world:v1
chartPathForACR: Application/charts/sampleapp
azureSubscriptionEndpointForACR: $(azureSubscriptionEndpointForACR)
azureResourceGroupForACR: $(azureResourceGroupForACR)
azureContainerRegistry: $(azureContainerRegistry)
Package and sign Helm charts
In this section you'll learn how to package and sign Helm charts in a pipeline.
Generate a private-public key pair to sign the helm chart using GPG
Download GPG.
Launch the command prompt in an administrator mode. Run the following command to generate a private-public key pair to sign the helm chart using gpg. While creating the key, you'll be prompted for the username and email address. The "name email address" is later used to name the private-public key pair that is created.
gpg --full-generate-key
You'll be prompted for the passphrase. Give the value and click ok.
After creating the key, you can see the list of keys which contains both private and public using the following command.
To see list of private keys
gpg --list-secret-keys
To see the list of public keys
gpg --list-keys
Store the private and public keys in 2 different files with the extension gpg as shown below.
For a private key
gpg --export-secret-key 94325E18E53EDD99DD8339C3CFD9DAF0707CB788 contoso@microsoft.com > C:/somepath/privatekeys.gpg
You'll see the privatekeys.gpg file exported to the path which was mentioned above.
For a public key
gpg --export-key 94325E18E53EDD99DD8339C3CFD9DAF0707CB788 contoso@microsoft.com > C:/somepath/publickey.gpg
You'll see the publickey.gpg file exported to the path which was mentioned above.
In Azure DevOps, save the privatekey.gpg file in the library secure files section.
Example
pool:
name: Hosted Ubuntu 1604
variables:
# The below variable should be secure
HelmKeyPassphrase: contoso@123
keyName: contoso contoso@microsoft.com
azureSubscriptionEndpoint: contoso
azureResourceGroup: contoso
kubernetesCluster: contoso
steps:
- task: DownloadSecureFile@1
displayName: Download Secure file
inputs:
secureFile: privatekey.gpg
name: privateKeyRing
- task: HelmInstaller@0
displayName: Install Helm 2.12.0
inputs:
helmVersion: 2.12.0
- task: HelmDeploy@0
displayName: helm init
inputs:
azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
azureResourceGroup: $(azureResourceGroup)
kubernetesCluster: $(kubernetesCluster)
command: init
arguments: --client-only
- task: HelmDeploy@0
displayName: helm package
inputs:
command: package
chartPath: Application/charts/sampleapp
arguments: --sign --key "$(keyName)" --keyring $(privateKeyRing.secureFilePath)
HelmKeyPassphrase: $(HelmKeyPassphrase)
