Kubernetes manifest task
- 10 minutes to read
Use this task in a build or release pipeline to bake and deploy manifests to Kubernetes clusters.
Overview
Following are the key benefits of this task -
Artifact substitution - The deploy action takes as input a list of container images which can be specified along with their tags or digests. The same is substituted into the non-templatized version of manifest files before application to the cluster to ensure that the right version of the image is pulled by the cluster nodes.
Manifest stability - Rollout status is checked for the Kubernetes objects deployed. This is done to incorporate stability checks while computing the task status as success/failure.
Traceability annotations - Annotations are added to the deployed Kubernetes objects to superimpose traceability information in the form of following annotations -
- azure-pipelines/org
- azure-pipelines/project
- azure-pipelines/pipeline
- azure-pipelines/pipelineId
- azure-pipelines/execution
- azure-pipelines/executionuri
- azure-pipelines/jobName
Secret handling - The createSecret action enables creation of docker-registry secrets using Docker Registry Service Connections and generic secrets using plain-text/secret variables. The secrets input can be used along with deploy action so that the manifest files specified as inputs are augmented with appropriate imagePullSecrets before deploying to the cluster.
Bake manifest - The bake action of the task allows for baking Helm charts into Kubernetes manifest files so that the same can be applied onto the cluster.
Deployment strategy - Choosing canary strategy with deploy action leads to creation of workloads suffixed with '-baseline' and '-canary'. There are two methods of traffic splitting supported in the task:
- Service Mesh Interface - Service Mesh Interface abstraction allows for plug-and-play configuration with service mesh providers such as Linkerd and Istio. Meanwhile, the KubernetesManifest task takes away the hard work of mapping SMI's TrafficSplit objects to the stable, baseline and canary services during the lifecycle of the deployment strategy. Service mesh based canary deployments using this task are more accurate as service mesh providers enable granular percentage traffic split (via service registry and sidecar containers injected into pods alongside application containers).
- Only Kubernetes (no service mesh)- In the absence of service mesh, while it may not be possible to achieve exact percentage split at the request level, it is still possible to perform canary deployments by deploying -baseline and -canary workload variants next to the stable variant. The service routes requests to pods of all three workload variants as the selector-label constraints are met (KubernetesManifest will honor these when creating -baseline and -canary variants). This achieves the intended effect of routing only a portion of total requests to the canary.
The -baseline and -canary workloads can be compared using a ManualIntervention task) in release pipelines or using a Delay task in YAML pipeline before utilizing the promote/reject action of the task.
Deploy action
| Parameters | Description |
|---|---|
actionAction |
(Required) Acceptable values: deploy/promote/reject/bake/scale/patch/delete |
kubernetesServiceConnectionKubernetes service connection |
(Required) Name of the Kubernetes service connection |
namespaceNamespace |
(Required) Namespace within the cluster to deploy to |
manifestsManifests |
(Required) Path to the manifest files to be used for deployment. [File matching patterns](../file-matching-patterns.md) is an acceptable value for this input |
containersContainers |
(Optional) Fully qualified resource URL of the image to be used for substitutions on the manifest files. This multiline input accepts specifying multiple artifact substitutions in newline separated form. For example - containers: | contosodemo.azurecr.io/foo:test1 contosodemo.azurecr.io/bar:test2 In this example, all references to contosodemo.azurecr.io/foo and contosodemo.azurecr.io/bar are searched for in the image field of the input manifest files. For the matches found, the tags test1 and test2 are substituted. |
imagePullSecretsImage pull secrets |
(Optional) Multiline input where each line contains the name of a docker-registry secret that has already been setup within the cluster. Each of these secret names are added under imagePullSecrets field for the workloads found in the input manifest files |
strategyStrategy |
(Optional) Deployment strategy to be used while applying manifest files on the cluster. Currently, 'canary' is the only acceptable deployment strategy |
trafficSplitMethodTraffic split method |
(Optional) Acceptable values: pod/smi; Default value: pod SMI: Percentage traffic split is done at request level using service mesh. Service mesh has to be setup by cluster admin. Orchestration of TrafficSplit objects of SMI is handled by this task. Pod: Percentage split not possible at request level in the absence of service mesh. So the percentage input is used to calculate the replicas for baseline and canary as a percentage of replicas specified in the input manifests for the stable variant. |
percentagePercentage |
(Required if strategy == canary) Percentage used to compute the number of replicas of '-baseline' and '-canary' varaints of the workloads found in manifest files. For the specified percentage input, if (percentage * numberOfDesirerdReplicas)/100 is not a round number, the floor of this number is used while creating '-baseline' and '-canary' Example: If Deployment hello-world was found in the input manifest file with 'replicas: 4' and if 'strategy: canary' and 'percentage: 25' are given as inputs to the task, then the Deployments hello-world-baseline and hello-world-canary are created with 1 replica each. The '-baseline' variant is created with the same image and tag as the stable version (4 replica variant prior to deployment) while the '-canary' variant is created with the image and tag corresponding to the new changes being deployed |
baselineAndCanaryReplicasBaseline and canary replicas |
(Optional; Relevant only if trafficSplitMethod == smi) When trafficSplitMethod == smi, as percentage traffic split is controlled in the service mesh plane, the actual number of replicas for canary and baseline variants could be controlled independently of the traffic split. For example, assume that the input Deployment manifest desired 30 replicas to be used for stable and that the following inputs were specified for the task - strategy: canary trafficSplitMethod: smi percentage: 20 baselineAndCanaryReplicas: 1 In this case, stable variant will receive 80% traffic while baseline and canary variants will receive 10% each (20% split equally between baseline and canary). However, instead of creating baseline and canary with 3 replicas, the explicit count of baseline and canary replicas is honored. That is, only 1 replica each is created for baseline and canary variants. |
Following is an example YAML snippet for deploying to a Kubernetes namespace using manifest files -
steps:
- task: KubernetesManifest@0
displayName: Deploy
inputs:
kubernetesServiceConnection: someK8sSC1
namespace: default
manifests: manifests/deployment.yml|manifests/service.yml
containers: |
foo/demo:$(tagVariable1)
bar/demo:$(tagVariable2)
imagePullSecrets: |
some-secret
some-other-secret
In the above example, the tasks tries to find matches for the image foobar/demo in the image fields of manifest files. If a match is found, the value of tagVariable is appended as tag to the image name. Note that it is also possible to specify digests in the containers input for artifact substitution.
Note
While it is possible to author deploy, promote and reject actions with deployment strategy related inputs in YAML, support for ManualIntervention task is currently not in place for build pipeline. It is thus advisable to use the deployment strategy related actions and inputs in release pipelines in the following sequence - 1. Deploy action with strategy: canary and percentage: $(someValue). 2. ManaulIntervention task so that one can pause the pipeline and compare the baseline with canary. 3. Promote (run if ManualIntervention is resumed) and reject actions (run if ManualIntervention is rejected)
Promote and reject actions
| Parameters | Description |
|---|---|
actionAction |
(Required) Acceptable values: deploy/promote/reject/bake/scale/patch/delete |
kubernetesServiceConnectionKubernetes service connection |
(Required) Name of the Kubernetes service connection |
namespaceNamespace |
(Required) Namespace within the cluster to deploy to |
manifestsManifests |
(Required) Path to the manifest files to be used for deployment. [File matching patterns](../file-matching-patterns.md) is an acceptable value for this input |
containersContainers |
(Optional) Fully qualified resource URL of the image to be used for substitutions on the manifest files Example: contosodemo.azurecr.io/helloworld:test |
imagePullSecretsImage pull secrets |
(Optional) Multiline input where each line contains the name of a docker-registry secret that has already been setup within the cluster. Each of these secret names are added under imagePullSecrets field for the workloads found in the input manifest files |
strategyStrategy |
(Optional) Deployment strategy that was used in the deploy action prior to promote/reject. Currently, 'canary' is the only acceptable deployment strategy |
Create secret action
| Parameters | Description |
|---|---|
actionAction |
(Required) Acceptable values: deploy/promote/reject/bake/scale/patch/delete |
secretTypeSecret type |
(Required if action == secret) Acceptable values: dockerRegistry/generic. Set dockerRegistry option for creating/updating imagePullSecret in cluster to facilitate image pull from a private container registry Default value: dockerRegistry |
secretNameSecret name |
(Required) Name of the secret to be created/updated |
dockerRegistryEndpointDocker registry service connection |
(Required if action == createSecret and secretType == dockerRegistry) The specified service connection's credentials are used to create a docker-registry secret within the cluster. This secret's name can then be referred to from manifest files under the imagePullSecrets field |
secretArgumentsSecret arguments |
(Required if action == createSecret and secretType == generic) Multiline input accepting keys and literal values to be used for secret creation/updation. Example: --from-literal=key1=value1 --from-literal=key2="top secret"." |
kubernetesServiceConnectionKubernetes service connection |
(Required) Name of the Kubernetes service connection |
namespaceNamespace |
(Required) Namespace within the cluster to create secret in |
Following is an example YAML snippet for creation of docker registry secrets using Docker Registry service connection-
steps:
- task: KubernetesManifest@0
displayName: Create secret
inputs:
action: createSecret
secretType: dockerRegistry
secretName: foobar
dockerRegistryEndpoint: demoACR
kubernetesServiceConnection: someK8sSC
namespace: default
Following is an example YAML snippet for creation of generic secrets -
steps:
- task: KubernetesManifest@0
displayName: Create secret
inputs:
action: createSecret
secretType: generic
secretName: some-secret
secretArguments: --from-literal=key1=value1
kubernetesServiceConnection: someK8sSC
namespace: default
Bake action
| Parameters | Description |
|---|---|
actionAction |
(Required) Acceptable values: deploy/promote/reject/bake/scale/patch/delete |
renderTypeRender engine |
(Required if action == bake) Acceptable values: helm2/kompose/kustomize. Render type to be used for producing the manifest files Default value: helm2 |
helmChartHelm chart |
(Required if action == bake and renderType == helm2) Path to the helm chart to be used for bake |
overrideFilesOverridee files |
(Optional; Relevant if action == bake and renderType == helm2) Multiline input accepting path to the override files that are to be used when baking manifest files from helm charts |
overridesOverride values |
(Optional; Relevant if action == bake and renderType == helm2) Additional override values that are to be used via --set switch when baking manifest files using helm. If multiple overriding key-value pairs are to be used, each key-value pair is to be specified in a separate line (use newline as delimiter between different key-value pairs). |
releaseNameRelease Name |
(Optional; Relevant if action == bake and renderType == helm2) Name of the release used when baking Helm charts |
kustomizationPathKustomization path |
(Optional; Relevant if action == bake and renderType == kustomize) Path to the directory containing kustomization.yaml |
dockerComposeFilePath to docker compose file |
(Optional; Relevant if action == bake and renderType == kompose) Path to docker compose file |
Following is an example YAML snippet for baking manifest files from Helm charts. Note the usage of name input in the first task which is later referenced from the subsequent deploy step for specifying path to the manifests that were produced by the bake step -
steps:
- task: KubernetesManifest@0
name: bake
displayName: Bake K8s manifests from Helm chart
inputs:
action: bake
helmChart: charts/sample
overrides: 'image.repository:nginx'
- task: KubernetesManifest@0
displayName: Deploy K8s manifests
inputs:
kubernetesServiceConnection: someK8sSC
namespace: default
manifests: $(bake.manifestsBundle)
containers: |
nginx: 1.7.9
Scale action
| Parameters | Description |
|---|---|
actionAction |
(Required) Acceptable values: deploy/promote/reject/bake/scale/patch/delete |
kindKind |
(Required) Kind of Kubernetes object (ReplicaSet/StatefulSet/...) to be scaled up/down |
nameName |
(Required) Name of Kubernetes object to be scaled up/down |
replicasReplica count |
(Required) Number of replicas to scale to |
kubernetesServiceConnectionKubernetes service connection |
(Required) Name of the Kubernetes service connection |
namespaceNamespace |
(Required) Namespace within the cluster to deploy to |
Following is an example YAML snippet for scaling objects -
steps:
- task: KubernetesManifest@0
displayName: Scale
inputs:
action: scale
kind: deployment
name: bootcamp-demo
replicas: 5
kubernetesServiceConnection: someK8sSC
namespace: default
Patch action
| Parameters | Description |
|---|---|
actionAction |
(Required) Acceptable values: deploy/promote/reject/bake/scale/patch/delete |
resourceToPatchResource to patch |
(Required) Acceptablee values: file/name. Indicates whether a manifest file is to be used to identify the objects to be patched or if an individual object is to be identified by kind and name as the target for patch Default value: file |
resourceFiletoPatchFile path |
(Required if action == patch and resourceToPatch == file) Path to the file used for patch |
kindKind |
(Required if action == patch and resourceToPatch == name) Kind of Kubernetes object (ReplicaSet/StatefulSet/...) |
nameName |
(Required if action == patch and resourceToPatch == name) Name of Kubernetes object to be patched |
mergeStrategyMerge strategy |
(Required) Acceptable values: json/merge/strategic. Strategy to be used for applying the patch. Default: strategic |
patchPatch |
(Required) Contents of the patch |
kubernetesServiceConnectionKubernetes service connection |
(Required) Name of the Kubernetes service connection |
namespaceNamespace |
(Required) Namespace within the cluster to deploy to |
Following is an example YAML snippet for patching an object -
steps:
- task: KubernetesManifest@0
displayName: Patch
inputs:
action: patch
kind: pod
name: demo-5fbc4d6cd9-pgxn4
mergeStrategy: strategic
patch: '{"spec":{"containers":[{"name":"demo","image":"foobar/demo:2239"}]}}'
kubernetesServiceConnection: someK8sSC
namespace: default
Delete action
| Parameters | Description |
|---|---|
actionAction |
(Required) Acceptable values: deploy/promote/reject/bake/scale/patch/delete |
argumentsArguments |
(Required) Arguments to be passed onto kubectl for deleting the necessary objects. For example - arguments: deployment hello-world foo-bar |
kubernetesServiceConnectionKubernetes service connection |
(Required) Name of the Kubernetes service connection |
namespaceNamespace |
(Required) Namespace within the cluster to deploy to |
Following is an example YAML snippet for deleting objects -
steps:
- task: KubernetesManifest@0
displayName: Delete
inputs:
action: delete
arguments: deployment expressapp
kubernetesServiceConnection: someK8sSC
namespace: default
Open source
This task is open source on GitHub. Feedback and contributions are welcome.
Feedback
Loading feedback...