KubernetesManifest@0 - Deploy to Kubernetes v0 task
Use a Kubernetes manifest task in a build or release pipeline to bake and deploy manifests to Kubernetes clusters using Helm charts.
This version of the task is deprecated; use KubernetesManifest@1 to take advantage of the latest features like Workload identity federation.
Use a Kubernetes manifest task in a build or release pipeline to bake and deploy manifests to Kubernetes clusters using Helm charts.
Syntax
# Deploy to Kubernetes v0
# Use Kubernetes manifest files to deploy to clusters or even bake the manifest files to be used for deployments using Helm charts.
- task: KubernetesManifest@0
inputs:
#action: 'deploy' # 'bake' | 'createSecret' | 'delete' | 'deploy' | 'patch' | 'promote' | 'scale' | 'reject'. Action. Default: deploy.
#kubernetesServiceConnection: # string. Required when action != bake. Kubernetes service connection.
#namespace: # string. Namespace.
#strategy: 'none' # 'canary' | 'none'. Optional. Use when action = deploy || action = promote || action = reject. Strategy. Default: none.
#trafficSplitMethod: 'pod' # 'pod' | 'smi'. Optional. Use when strategy = canary. Traffic split method. Default: pod.
#percentage: '0' # string. Required when strategy = Canary && action = deploy. Percentage. Default: 0.
#baselineAndCanaryReplicas: '1' # string. Required when strategy = Canary && action = deploy && trafficSplitMethod = SMI. Baseline and canary replicas. Default: 1.
#manifests: # string. Required when action = deploy || action = promote || action = reject. Manifests.
#containers: # string. Optional. Use when action = deploy || action = promote || action = bake. Containers.
#imagePullSecrets: # string. Optional. Use when action = deploy || action = promote. ImagePullSecrets.
#renderType: 'helm' # 'helm' | 'kompose' | 'kustomize'. Optional. Use when action = bake. Render Engine. Default: helm.
#dockerComposeFile: # string. Required when action = bake && renderType = kompose. Path to docker compose file.
#helmChart: # string. Required when action = bake && renderType = helm. Helm Chart.
#releaseName: # string. Optional. Use when action = bake && renderType = helm. Helm Release Name.
#overrideFiles: # string. Optional. Use when action = bake && renderType = helm. Override Files.
#overrides: # string. Optional. Use when action = bake && renderType = helm. Overrides.
#kustomizationPath: # string. Optional. Use when action = bake && renderType = kustomize. Kustomization Path.
#resourceToPatch: 'file' # 'file' | 'name'. Required when action = patch. Resource to patch. Default: file.
#resourceFileToPatch: # string. Required when action = patch && resourceToPatch = file. File path.
#kind: # 'deployment' | 'replicaset' | 'statefulset'. Required when action = scale || resourceToPatch = name. Kind.
#name: # string. Required when action = scale || resourceToPatch = name. Name.
#replicas: # string. Required when action = scale. Replica count.
#mergeStrategy: 'strategic' # 'json' | 'merge' | 'strategic'. Required when action = patch. Merge Strategy. Default: strategic.
#arguments: # string. Optional. Use when action = delete. Arguments.
#patch: # string. Required when action = patch. Patch.
#secretType: 'dockerRegistry' # 'dockerRegistry' | 'generic'. Required when action = createSecret. Type of secret. Default: dockerRegistry.
#secretName: # string. Optional. Use when action = createSecret. Secret name.
#secretArguments: # string. Optional. Use when action = createSecret && secretType = generic. Arguments.
#dockerRegistryEndpoint: # string. Optional. Use when action = createSecret && secretType = dockerRegistry. Docker registry service connection.
#rolloutStatusTimeout: '0' # string. Optional. Use when action = deploy || action = patch || action = scale || action = promote. Timeout for rollout status. Default: 0.
# Deploy Kubernetes manifests v0
# Use Kubernetes manifest files to deploy to clusters or even bake the manifest files to be used for deployments using Helm charts.
- task: KubernetesManifest@0
inputs:
#action: 'deploy' # 'bake' | 'createSecret' | 'delete' | 'deploy' | 'patch' | 'promote' | 'scale' | 'reject'. Action. Default: deploy.
#kubernetesServiceConnection: # string. Required when action != bake. Kubernetes service connection.
#namespace: 'default' # string. Required when action != bake. Namespace. Default: default.
#strategy: 'none' # 'canary' | 'none'. Optional. Use when action = deploy || action = promote || action = reject. Strategy. Default: none.
#percentage: '0' # string. Required when strategy = Canary && action = deploy. Percentage. Default: 0.
#manifests: # string. Required when action = deploy || action = promote || action = reject. Manifests.
#containers: # string. Optional. Use when action = deploy || action = promote. Containers.
#imagePullSecrets: # string. Optional. Use when action = deploy || action = promote. ImagePullSecrets.
#renderType: 'helm2' # 'helm2'. Optional. Use when action = bake. Render Engine. Default: helm2.
#helmChart: # string. Required when action = bake && renderType = helm2. Helm Chart.
#releaseName: # string. Optional. Use when action = bake && renderType = helm2. Helm Release Name.
#overrideFiles: # string. Optional. Use when action = bake && renderType = helm2. Override Files.
#overrides: # string. Optional. Use when action = bake && renderType = helm2. Overrides.
#resourceToPatch: 'file' # 'file' | 'name'. Required when action = patch. Resource to patch. Default: file.
#resourceFileToPatch: # string. Required when action = patch && resourceToPatch = file. File path.
#kind: # 'deployment' | 'replicaset' | 'statefulset'. Required when action = scale || resourceToPatch = name. Kind.
#name: # string. Required when action = scale || resourceToPatch = name. Name.
#replicas: # string. Required when action = scale. Replica count.
#mergeStrategy: 'strategic' # 'json' | 'merge' | 'strategic'. Required when action = patch. Merge Strategy. Default: strategic.
#arguments: # string. Optional. Use when action = delete. Arguments.
#patch: # string. Required when action = patch. Patch.
#secretType: 'dockerRegistry' # 'dockerRegistry' | 'generic'. Required when action = createSecret. Type of secret. Default: dockerRegistry.
#secretName: # string. Optional. Use when action = createSecret. Secret name.
#secretArguments: # string. Optional. Use when action = createSecret && secretType = generic. Arguments.
#dockerRegistryEndpoint: # string. Optional. Use when action = createSecret && secretType = dockerRegistry. Docker registry service connection.
Inputs
action
- Action
string
. Allowed values: bake
, createSecret
(create secret), delete
, deploy
, patch
, promote
, scale
, reject
. Default value: deploy
.
Specifies the action to be performed.
kubernetesServiceConnection
- Kubernetes service connection
string
. Required when action != bake
.
Specifies a Kubernetes service connection.
namespace
- Namespace
string
.
Specifies the namespace for the commands by using the –namespace
flag. If the namespace is not provided, the commands will run in the default namespace.
namespace
- Namespace
string
. Required when action != bake
. Default value: default
.
Specifies the namespace for the commands by using the –namespace
flag. If the namespace is not provided, the commands will run in the default namespace.
strategy
- Strategy
string
. Optional. Use when action = deploy || action = promote || action = reject
. Allowed values: canary
, none
. Default value: none
.
Specifies the deployment strategy used in the deploy
action before a promote
action or reject
action. Currently, canary
is the only acceptable deployment strategy.
trafficSplitMethod
- Traffic split method
string
. Optional. Use when strategy = canary
. Allowed values: pod
, smi
. Default value: pod
.
For the value smi
, the percentage traffic split is done at the request level by using a service mesh. A service mesh must be set up by a cluster admin. This task handles orchestration of SMI TrafficSplit objects.
For the value pod
, the percentage split isn't possible at the request level in the absence of a service mesh. Instead, the percentage input is used to calculate the replicas for baseline and canary. The calculation is a percentage of replicas that are specified in the input manifests for the stable variant.
percentage
- Percentage
string
. Required when strategy = Canary && action = deploy
. Default value: 0
.
The percentage that is used to compute the number of baseline-variant and canary-variant replicas of the workloads that are contained in manifest files.
For the specified percentage input, calculate:
(percentage × number of replicas) / 100
If the result isn't an integer, the mathematical floor of the result is used when baseline and canary variants are created.
For example, assume the deployment hello-world
is in the input manifest file and that the following lines are in the task input:
replicas: 4
strategy: canary
percentage: 25
In this case, the deployments hello-world-baseline
and hello-world-canary
are created with one replica each. The baseline variant is created with the same image and tag as the stable version, which is the four-replica variant before deployment. The canary variant is created with the image and tag corresponding to the newly deployed changes.
baselineAndCanaryReplicas
- Baseline and canary replicas
string
. Required when strategy = Canary && action = deploy && trafficSplitMethod = SMI
. Default value: 1
.
When you set trafficSplitMethod
to smi
, the percentage traffic split is controlled in the service mesh plane. You can control the actual number of replicas for canary and baseline variants independently of the traffic split.
For example, assume that the input deployment manifest specifies 30 replicas for the stable variant. Also assume that you specify the following input for the task:
strategy: canary
trafficSplitMethod: smi
percentage: 20
baselineAndCanaryReplicas: 1
In this case, the stable variant receives 80% of the traffic, while the baseline and canary variants each receive half of the specified 20%. Baseline and canary variants don't receive three replicas each. They instead receive the specified number of replicas, which means they each receive one replica.
manifests
- Manifests
string
. Required when action = deploy || action = promote || action = reject
.
Specifies the path to the manifest files to be used for deployment. Each line represents a single path. A file-matching pattern is an acceptable value for each line.
containers
- Containers
string
. Optional. Use when action = deploy || action = promote || action = bake
.
Specifies the fully qualified resource URL of the image to be used for substitutions on the manifest files. The URL contosodemo.azurecr.io/helloworld:test
is an example.
containers
- Containers
string
. Optional. Use when action = deploy || action = promote
.
Specifies the fully qualified URL of the image to be used for substitutions on the manifest files. This input accepts the specification of multiple artifact substitutions in a newline-separated form. Here's an example:
containers: |
contosodemo.azurecr.io/foo:test1
contosodemo.azurecr.io/bar:test2
In this example, all references to contosodemo.azurecr.io/foo
and contosodemo.azurecr.io/bar
are searched for in the image field of the input manifest files. For each match found, the tag test1
or test2
replaces the matched reference.
imagePullSecrets
- ImagePullSecrets
string
. Optional. Use when action = deploy || action = promote
.
Specifies a multiline input where each line contains the name of a Docker registry secret that has already been set up within the cluster. Each secret name is added under imagePullSecrets
for the workloads that are found in the input manifest files.
renderType
- Render Engine
string
. Optional. Use when action = bake
. Allowed values: helm
, kompose
, kustomize
. Default value: helm
.
Specifies the render type used to produce the manifest files.
renderType
- Render Engine
string
. Optional. Use when action = bake
. Allowed values: helm2
(Helm 2). Default value: helm2
.
Specifies the render type used to produce the manifest files.
dockerComposeFile
- Path to docker compose file
string
. Required when action = bake && renderType = kompose
.
Specifies a docker-compose file path.
helmChart
- Helm Chart
string
. Required when action = bake && renderType = helm
.
Specifies the Helm chart path to bake.
helmChart
- Helm Chart
string
. Required when action = bake && renderType = helm2
.
Specifies the Helm chart path to bake.
releaseName
- Helm Release Name
string
. Optional. Use when action = bake && renderType = helm
.
Specifies the Helm release name to use.
releaseName
- Helm Release Name
string
. Optional. Use when action = bake && renderType = helm2
.
Specifies the Helm release name to use.
overrideFiles
- Override Files
string
. Optional. Use when action = bake && renderType = helm
.
Specifies a multiline input that accepts the path to the override files. The files are used when manifest files from Helm charts are baked.
overrideFiles
- Override Files
string
. Optional. Use when action = bake && renderType = helm2
.
Specifies a multiline input that accepts the path to the override files. The files are used when manifest files from Helm charts are baked.
overrides
- Overrides
string
. Optional. Use when action = bake && renderType = helm
.
Specifies the override values to set.
overrides
- Overrides
string
. Optional. Use when action = bake && renderType = helm2
.
Specifies additional override values that are used via the command-line switch --set
when manifest files using Helm are baked.
Specify override values as key-value
pairs in the format key:value
. If you use multiple overriding key-value
pairs, specify each key-value
pair in a separate line. Use a newline character as the delimiter between different key-value
pairs.
kustomizationPath
- Kustomization Path
string
. Optional. Use when action = bake && renderType = kustomize
.
Specifies the argument that must be the path to the directory containing the file, or a git repository URL with a path suffix specifying same
with respect to the repository root.
resourceToPatch
- Resource to patch
string
. Required when action = patch
. Allowed values: file
, name
. Default value: file
.
Indicates one of the following patch methods:
- A manifest file identifies the objects to be patched.
- An individual object is identified by kind and name as the patch target.
Acceptable values are file and name.
resourceFileToPatch
- File path
string
. Required when action = patch && resourceToPatch = file
.
Specifies the path to the file used for a patch.
kind
- Kind
string
. Required when action = scale || resourceToPatch = name
. Allowed values: deployment
, replicaset
, statefulset
.
Specifies the kind of K8s object, such as deployment
, replicaSet
and more.
name
- Name
string
. Required when action = scale || resourceToPatch = name
.
Specifies the name of the K8s object.
replicas
- Replica count
string
. Required when action = scale
.
Specifies the number of replicas to scale to.
mergeStrategy
- Merge Strategy
string
. Required when action = patch
. Allowed values: json
, merge
, strategic
. Default value: strategic
.
Specifies the type of patch being provided.
arguments
- Arguments
string
. Optional. Use when action = delete
.
Specifies the arguments for the kubectl delete
command. An example is:
arguments: deployment hello-world foo-bar
patch
- Patch
string
. Required when action = patch
.
Specifies the contents of the patch.
secretType
- Type of secret
string
. Required when action = createSecret
. Allowed values: dockerRegistry
, generic
. Default value: dockerRegistry
.
Creates or updates a generic or docker imagepullsecret
. Specify dockerRegistry
to create or update the imagepullsecret
of the selected registry. An imagePullSecret
is a way to pass a secret that contains a container registry password to the Kubelet, so it can pull a private image on behalf of your Pod.
secretName
- Secret name
string
. Optional. Use when action = createSecret
.
Specifies the name of the secret. You can use this secret name in the Kubernetes YAML configuration file.
secretArguments
- Arguments
string
. Optional. Use when action = createSecret && secretType = generic
.
Specifies keys and literal values to insert in secret. For example, --from-literal=key1=value1
--from-literal=key2="top secret"
.
dockerRegistryEndpoint
- Docker registry service connection
string
. Optional. Use when action = createSecret && secretType = dockerRegistry
.
Specifies the credentials of the specified service connection that are used to create a Docker registry secret within the cluster. Manifest files under the imagePullSecrets
field can then refer to this secret's name.
rolloutStatusTimeout
- Timeout for rollout status
string
. Optional. Use when action = deploy || action = patch || action = scale || action = promote
. Default value: 0
.
Specifies the length of time (in seconds) to wait before ending watch on rollout
status.
Task control options
All tasks have control options in addition to their task inputs. For more information, see Control options and common task properties.
Output variables
This task defines the following output variables, which you can consume in downstream steps, jobs, and stages.
manifestsBundle
Specifies the location of the manifest bundles created by bake action.
Remarks
Note
There is a newer version of this task available that provides additional support for targetting a Kubernetes cluster in different ways, using the connectionType
property. For more information, see KubernetesManifest@1 and KubernetesManifest@1 service connection remarks
Use a Kubernetes manifest task in a build or release pipeline to bake and deploy manifests to Kubernetes clusters.
This task supports the following:
Artifact substitution: The deployment action takes as input a list of container images that you can specify along with their tags and digests. The same input is substituted into the nontemplatized manifest files before application to the cluster. This substitution ensures that the cluster nodes pull the right version of the image.
Manifest stability: The rollout status of the deployed Kubernetes objects is checked. The stability checks are incorporated to determine whether the task status is a success or a failure.
Traceability annotations: Annotations are added to the deployed Kubernetes objects to superimpose traceability information. The following annotations are supported:
- azure-pipelines/org
- azure-pipelines/project
- azure-pipelines/pipeline
- azure-pipelines/pipelineId
- azure-pipelines/execution
- azure-pipelines/executionuri
- azure-pipelines/jobName
Secret handling: The
createSecret
action lets Docker registry secrets be created using Docker registry service connections. It also lets generic secrets be created using either plain-text variables or secret variables. Before deployment to the cluster, you can use thesecrets
input along with thedeploy
action to augment the input manifest files with the appropriateimagePullSecrets
value.Bake manifest: The
bake
action of the task allows for baking templates into Kubernetes manifest files. The action uses tools such as Helm, Compose, and Kustomize. With baking, these Kubernetes manifest files are usable for deployments to the cluster.Deployment strategy: Choosing the
canary
strategy with thedeploy
action leads to the creation of workload names suffixed with-baseline
and-canary
. The task supports two methods of traffic splitting:Service Mesh Interface: Service Mesh Interface (SMI) abstraction allows configuration with service mesh providers like
Linkerd
andIstio
. The Kubernetes Manifest task maps SMITrafficSplit
objects to the stable, baseline, and canary services during the life cycle of the deployment strategy.Canary deployments that are based on a service mesh and use this task are more accurate. This accuracy is due to how service mesh providers enable the granular percentage-based split of traffic. The service mesh uses the service registry and sidecar containers that are injected into pods. This injection occurs alongside application containers to achieve the granular traffic split.
Kubernetes with no service mesh: In the absence of a service mesh, you might not get the exact percentage split you want at the request level. However, you can do canary deployments by using baseline and canary variants next to the stable variant.
The service sends requests to pods of all three workload variants as the selector-label constraints are met. Kubernetes Manifest honors these requests when creating baseline and canary variants. This routing behavior achieves the intended effect of routing only a portion of total requests to the canary.
Compare the baseline and canary workloads by using either a Manual Intervention task in release pipelines or a Delay task in YAML pipelines. Do the comparison before using the promote or reject action of the task.
Deploy action
The following YAML code is an example of deploying to a Kubernetes namespace by using manifest files:
steps:
- task: KubernetesManifest@0
displayName: Deploy
inputs:
kubernetesServiceConnection: someK8sSC1
namespace: default
manifests: |
manifests/deployment.yml
manifests/service.yml
containers: |
foo/demo:$(tagVariable1)
bar/demo:$(tagVariable2)
imagePullSecrets: |
some-secret
some-other-secret
In the above example, the task tries to find matches for the images foo/demo
and bar/demo
in the image fields of manifest files. For each match found, the value of either tagVariable1
or tagVariable2
is appended as a tag to the image name. You can also specify digests in the containers input for artifact substitution.
Note
While you can author deploy
, promote
, and reject
actions with YAML input related to deployment strategy, support for a Manual Intervention task is currently unavailable for build pipelines.
For release pipelines, we advise you to use actions and input related to deployment strategy in the following sequence:
- A deploy action specified with
strategy: canary
andpercentage: $(someValue)
. - A Manual Intervention task so that you can pause the pipeline and compare the baseline variant with the canary variant.
- A promote action that runs if a Manual Intervention task is resumed and a reject action that runs if a Manual Intervention task is rejected.
Create secret action
The following YAML code shows a sample creation of Docker registry secrets by using Docker Registry service connection:
steps:
- task: KubernetesManifest@0
displayName: Create secret
inputs:
action: createSecret
secretType: dockerRegistry
secretName: foobar
dockerRegistryEndpoint: demoACR
kubernetesServiceConnection: someK8sSC
namespace: default
This YAML code shows a sample creation of generic secrets:
steps:
- task: KubernetesManifest@0
displayName: Create secret
inputs:
action: createSecret
secretType: generic
secretName: some-secret
secretArguments: --from-literal=key1=value1
kubernetesServiceConnection: someK8sSC
namespace: default
Bake action
The following YAML code is an example of baking manifest files from Helm charts. Note the usage of a name input in the first task. This name is later referenced from the deploy step for specifying the path to the manifests that were produced by the bake step.
steps:
- task: KubernetesManifest@0
name: bake
displayName: Bake K8s manifests from Helm chart
inputs:
action: bake
helmChart: charts/sample
overrides: 'image.repository:nginx'
- task: KubernetesManifest@0
displayName: Deploy K8s manifests
inputs:
kubernetesServiceConnection: someK8sSC
namespace: default
manifests: $(bake.manifestsBundle)
containers: |
nginx: 1.7.9
Note
To use Helm directly for managing releases and rollbacks, see the Package and deploy Helm charts task.
Kustomize example
The following YAML code is an example of baking manifest files generated with Kustomize that contain a kustomization.yaml
file.
steps:
- task: KubernetesManifest@0
name: bake
displayName: Bake K8s manifests from kustomization path
inputs:
action: bake
renderType: kustomize
kustomizationPath: folderContainingKustomizationFile
- task: KubernetesManifest@0
displayName: Deploy K8s manifests
inputs:
kubernetesServiceConnection: k8sSC1
manifests: $(bake.manifestsBundle)
Kompose example
The following YAML code is an example of baking manifest files generated with Kompose, a conversion tool for Docker Compose.
steps:
- task: KubernetesManifest@0
name: bake
displayName: Bake K8s manifests from Docker Compose
inputs:
action: bake
renderType: kompose
dockerComposeFile: docker-compose.yaml
- task: KubernetesManifest@0
displayName: Deploy K8s manifests
inputs:
kubernetesServiceConnection: k8sSC1
manifests: $(bake.manifestsBundle)
Scale action
The following YAML code shows an example of scaling objects:
steps:
- task: KubernetesManifest@0
displayName: Scale
inputs:
action: scale
kind: deployment
name: bootcamp-demo
replicas: 5
kubernetesServiceConnection: someK8sSC
namespace: default
Patch action
The following YAML code shows an example of object patching:
steps:
- task: KubernetesManifest@0
displayName: Patch
inputs:
action: patch
kind: pod
name: demo-5fbc4d6cd9-pgxn4
mergeStrategy: strategic
patch: '{"spec":{"containers":[{"name":"demo","image":"foobar/demo:2239"}]}}'
kubernetesServiceConnection: someK8sSC
namespace: default
Delete action
This YAML code shows a sample object deletion:
steps:
- task: KubernetesManifest@0
displayName: Delete
inputs:
action: delete
arguments: deployment expressapp
kubernetesServiceConnection: someK8sSC
namespace: default
Troubleshooting
My Kubernetes cluster is behind a firewall and I am using hosted agents. How can I deploy to this cluster?
You can grant hosted agents access through your firewall by allowing the IP addresses for the hosted agents. For more details, see Agent IP ranges.
How do requests work to stable and variant service routes with canary deployments?
The label selector relationship between pods and services in Kubernetes allows for setting up deployments so that a single service routes requests to both the stable and the canary variants. The Kubernetes manifest task uses this for canary deployments.
If the task includes the inputs of action: deploy
and strategy: canary
, for each workload (Deployment, ReplicaSet, Pod, ...) defined in the input manifest files, a -baseline
and -canary
variant of the deployment are created. In this example, there's a deployment sampleapp
in the input manifest file and that after completion of run number 22 of the pipeline, the stable variant of this deployment named sampleapp
is deployed in the cluster. In the subsequent run (in this case run number 23), Kubernetes manifest task with action: deploy
and strategy: canary
would result in creation of sampleapp-baseline and sampleapp-canary deployments whose number of replicas are determined by the product of percentage
task input with the value of the desired number of replicas for the final stable variant of sampleapp
as per the input manifest files.
Excluding the number of replicas, the baseline version has the same configuration as the stable variant while the canary version has the new changes that are being introduced by the current run (in this case, run number 23). If a manual intervention is set up in the pipeline after the above mentioned step, it would allow for an opportunity to pause the pipeline so that the pipeline admin can evaluate key metrics for the baseline and canary versions and take the decision on whether the canary changes are safe and good enough for a complete rollout.
Theaction: promote
and strategy: canary
or action: reject
and strategy: canary
inputs of the Kubernetes manifest tasks can be used to promote or reject the canary changes respectively. Note that in either cases, at the end of this step, only the stable variant of the workloads declared in the input manifest files will be remain deployed in the cluster, while the ephemeral baseline and canary versions are cleaned up.
Requirements
Requirement | Description |
---|---|
Pipeline types | YAML, Classic build, Classic release |
Runs on | Agent, DeploymentGroup |
Demands | None |
Capabilities | This task does not satisfy any demands for subsequent tasks in the job. |
Command restrictions | Any |
Settable variables | Any |
Agent version | All supported agent versions. |
Task category | Deploy |