[BUG]: HelmDeploy@1 doesn't support EntraID authentication without local accounts #20674

Open
5 of 7 tasks
avvale-sorgenia opened this issue Nov 19, 2024 · 0 comments
New issue checklist

Task name

HelmDeploy@1

Task version

1

Issue Description

I'm trying to use the HelmDeploy@1 task in my Azure DevOps YAML pipelines to configure my Azure Kubernetes Service.

For security reasons I am required to disable local accounts on my AKS and only use authentication with EntraID, so I have configured a Service Connection on Azure DevOps which uses a Service Principal that has been enabled on K8S as admin (we use K8S RBAC).

My HelmDeploy task looks like this:

          - task: KubectlInstaller@0
            displayName: 'Install kubectl'
            inputs:
              kubectlVersion: '1.30.1'

          - task: KubeloginInstaller@0
            inputs:
              kubeloginVersion: 'latest'

          - task: HelmInstaller@1
            displayName: 'Install Helm'
            inputs:
              helmVersionToInstall: latest

          - task: HelmDeploy@1
            displayName: 'Istio CRD Install'
            inputs:
              connectionType: 'Azure Resource Manager'
              azureSubscriptionEndpoint: $(ServiceConnectionName)
              azureResourceGroup: $(ResourceGroupName)
              kubernetesCluster: $(AKSClusterName)
              command: upgrade
              chartType: 'Name'
              chartName: "istio/base"
              overrideValues: 'defaultRevision=default'
              arguments: '--create-namespace'
              namespace: 'istio-system'
              releaseName: istio-base
              install: true
              waitForExecution: false
              useClusterAdmin: false

Since I disabled AKS local accounts and switched "useClusterAdmin" to false, my pipeline has been failing with authentication/authorization-related errors or kubelogin not found.

I think this is a bug, because I would expect the task to be able to successfully use kubectl/kubelogin to authenticate and it should not rely on local accounts being enabled on the cluster.

If it already supports this, then there is no clear documentation on how to use this task with this configuration.

Environment type (Please select at least one environment where you face this issue)

  • Self-Hosted
  • Microsoft Hosted
  • VMSS Pool
  • Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operating system

Ubuntu

Relevant log output

Error: Kubernetes cluster unreachable: Get "https://CLUSTERADDRESS.hcp.westeurope.azmk8s.io:443/version": getting credentials: exec: executable kubelogin not found

It looks like you are trying to use a client-go credential plugin that is not installed.

To learn more about this feature, consult the documentation available at:
      https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins


kubelogin is not installed which is required to connect to AAD enabled cluster.

To learn more, please go to https://aka.ms/aks/kubelogin

Full task logs with system.debug enabled

No response

Repro steps
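
A preflight check for the failure shown in the log output above, as an added example that is not part of the original issue or of the task's code: it reads a kubeconfig, reports whether each user logs in through an exec credential plugin or through static credential fields, and checks that the plugin binary resolves on PATH. The function names and the sample kubeconfig are constructed for illustration.

```sh
# Added example: kubeconfig preflight; assumes kubectl's standard layout (top-level "users:" list).
# Emit "exec <command>" or "static <field>" for each credential under users:.
kubeconfig_creds() {
  awk '
    /^users:/   { in_users = 1; next }
    /^[A-Za-z]/ { in_users = 0 }
    !in_users   { next }
    $1 == "command:" { gsub(/"/, "", $2); print "exec", $2; next }
    $1 ~ /^(token|client-key-data|client-certificate-data):$/ { sub(/:$/, "", $1); print "static", $1 }
  ' "$1"
}

# Return 0 only when every credential is an exec plugin that resolves on PATH.
preflight_kubeconfig() {
  pf_rc=0
  pf_creds=$(kubeconfig_creds "$1")
  [ -n "$pf_creds" ] || { echo "FAIL: no user credentials found in $1"; return 1; }
  while read -r pf_kind pf_value; do
    case "$pf_kind" in
      exec)
        if command -v "$pf_value" >/dev/null 2>&1; then
          echo "ok: exec plugin '$pf_value' resolves on PATH"
        else
          echo "FAIL: exec plugin '$pf_value' is not on PATH in this step"; pf_rc=1
        fi ;;
      static)
        echo "FAIL: static field '$pf_value' present (not an exec-plugin login)"; pf_rc=1 ;;
    esac
  done <<EOF
$pf_creds
EOF
  return "$pf_rc"
}

# Constructed sample: a user entry whose exec stanza invokes kubelogin.
write_sample_kubeconfig() {
  cat > "$1" <<'EOF'
users:
- name: clusterUser_sample
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubelogin
      args: [get-token]
EOF
}

sample=$(mktemp); write_sample_kubeconfig "$sample"
preflight_kubeconfig "$sample" || echo "preflight failed: fix before the Helm step"; rm -f "$sample"
```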
