This repository was archived by the owner on Jul 28, 2025. It is now read-only.

TES and Trigger service deployments fail if a UAMI is reused. #843

@giventocode

Description

TES and Trigger service pods fail to start if a UAMI is reused, with the error: No matching federated identity record found for presented assertion issuer

The deployer creates a new federated identity with the issuer configured to the AKS cluster created during the deployment for COA. If a new deployment uses the same UAMI, a new cluster is created, but the deployer does not create a new federated identity as one already exists. However, the existing federated identity won’t work because the issuer is configured to the AKS cluster created first. This results in the issue described above.

Recommended fix:

Change the deployer to check if the configured issuer for an existing federated identity matches the cluster.

  • If it is a match, then continue the deployment as is.
    • This scenario would only occur during an upgrade (the AKS cluster already exists).
  • If not a match, fail the deployment with a helpful error message indicating the condition, and suggest creating a new UAMI or deleting the existing federated identity if no other deployment is using it.
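A pre-flight version of the recommended check, written as an added example rather than code from the Cromwell on Azure deployer: it compares the AKS cluster's OIDC issuer with the issuers of any federated credentials already attached to the UAMI and reports `none`, `match` or `mismatch`. The resource group, cluster and identity names are caller-supplied placeholders, and the sample issuer URLs used in comments are constructed.

```shell
#!/usr/bin/env bash
# Added example, not the COA deployer's own code: decide whether a federated identity
# credential already present on a reused UAMI can serve the cluster being deployed.
set -euo pipefail

# Lower-case and strip trailing slashes so cosmetic differences do not cause a false mismatch.
normalize_issuer() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's:/*$::'
}

# Usage: check_federated_issuer CLUSTER_ISSUER EXISTING_ISSUERS
#   EXISTING_ISSUERS is newline-separated (empty when the UAMI has no credential yet).
# Prints: none     - no credential exists, the deployer should create one
#         match    - a credential already points at this cluster (upgrade case)
#         mismatch - a credential exists but was issued for another cluster (this issue)
check_federated_issuer() {
  local cluster_issuer existing_issuers issuer
  cluster_issuer=$(normalize_issuer "$1")
  existing_issuers="$2"
  if [ -z "${existing_issuers//[[:space:]]/}" ]; then
    echo none
    return 0
  fi
  while IFS= read -r issuer; do
    if [ -n "$issuer" ] && [ "$(normalize_issuer "$issuer")" = "$cluster_issuer" ]; then
      echo match
      return 0
    fi
  done <<< "$existing_issuers"
  echo mismatch
}

# Live check with the Azure CLI. Requires a cluster with the OIDC issuer enabled;
# names are placeholders supplied by the caller. Fails with the suggested guidance on mismatch.
preflight_uami_check() {
  local rg="$1" aks="$2" uami="$3" cluster_issuer existing verdict
  cluster_issuer=$(az aks show -g "$rg" -n "$aks" --query oidcIssuerProfile.issuerUrl -o tsv)
  existing=$(az identity federated-credential list -g "$rg" --identity-name "$uami" \
               --query '[].issuer' -o tsv)
  verdict=$(check_federated_issuer "$cluster_issuer" "$existing")
  if [ "$verdict" = mismatch ]; then
    echo "ERROR: UAMI '$uami' already has a federated credential for a different cluster issuer." >&2
    echo "       Create a new UAMI, or delete the stale credential if no other deployment uses it." >&2
    return 1
  fi
  echo "$verdict"
}
```

Run `preflight_uami_check <resource-group> <aks-name> <uami-name>` before creating or reusing the federated credential; a `mismatch` exit is the condition this issue reports.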
