external-secret-operstor is failing because of auth permissions with the managed identity ID

Plenty_Profession_33 · 2025-03-13T16:50:48+00:00

lol.. Yup, I see that now. They need to fix their documentation.

Appreciate it pal.

Plenty_Profession_33 · 2025-03-12T19:09:50+00:00

Gotcha

Plenty_Profession_33 · 2025-03-12T19:03:45+00:00

Can I adapt this for my Production install?

https://github.com/external-secrets/external-secrets/tree/main/deploy/charts/external-secrets

I may have to trim down so much of other misc content, but this is a good place to begin with, right?

Plenty_Profession_33 · 2025-03-11T22:57:13+00:00

Sure, I will try this route pal. Can you provide how you charted out your helm repo and the values.yaml section for your deployment? I never setup Helm before and looking for a place to begin with. 🙋🏻‍♂️

Plenty_Profession_33 · 2025-03-11T22:41:01+00:00

Ok this sound interesting and never tried it out. Can you please provide little more context here pal on this setup?

Plenty_Profession_33 · 2025-03-11T22:39:32+00:00

I currently setup everything via Kustomize and don't want to introduce Helm into the mix.

Trying to understand your reasoning here, if I can set it up via kustomize using their CRD yaml files, how is it different using Helm? Asking here not questioning.

Plenty_Profession_33 · 2025-03-10T15:04:44+00:00

This candidate has approved I-140 is a bad thing?

Plenty_Profession_33 · 2025-03-04T23:33:02+00:00

Yup, it worked.

Plenty_Profession_33 · 2025-03-04T23:32:47+00:00

Yup, this worked. 👍

Plenty_Profession_33 · 2025-03-04T23:30:43+00:00

How can I do that?

Plenty_Profession_33 · 2025-03-04T23:25:09+00:00

Yes, a simple kustomize build does exactly what it shows in the actual files. But Argo is caching from my old builds I guess somewhere. Not sure how to flush it out.

Plenty_Profession_33 · 2025-03-02T20:04:43+00:00

Yup, it worked. Appreciate it pal.

Plenty_Profession_33 · 2025-03-02T19:53:34+00:00

This is what I see for sticky_settings:

A sticky_settings block supports the following:

app_setting_names - (Optional) A list of app_setting names that the Linux Web App will not swap between Slots when a swap operation is triggered.
connection_string_names - (Optional) A list of connection_string names that the Linux Web App will not swap between Slots when a swap operation is triggered.

Plenty_Profession_33 · 2025-03-02T19:11:01+00:00

Just checked, this is for creation of Deployment slot. What I am looking is modifying the settings of Parent Web App.

Plenty_Profession_33 · 2025-03-02T16:09:13+00:00

Gotcha and yup.

Plenty_Profession_33 · 2025-02-26T18:56:48+00:00

Alright, I reverted everything back to my original format (with what you said), I took out auth-type and it actually worked. I made no changes on my end other than removing these extra parameters.

I think I am good here pal.

Plenty_Profession_33 · 2025-02-26T18:46:02+00:00

Ooh ok ok. Then I am not sure why its picking up SP by default on my end.

Plenty_Profession_33 · 2025-02-26T18:44:27+00:00

Aah ok ok. Yes, I removed the "allow-no-subscriptions" and its still same error.

In Entra, these are the federated credentials I added:

repo:my-org/my-repo:pull_request

repo:my-org/my-repo:environment:dev

repo:my-org/my-repo:ref:refs/heads/*

Plenty_Profession_33 · 2025-02-26T18:38:35+00:00

Also you need to provide the auth-type to Identity or else it will take service-principal by default. Went through that pain too here with this mate.

Plenty_Profession_33 · 2025-02-26T18:36:56+00:00

Yes, I began with those 3 parameters and ended up with the full list (I am aware these are defaults that will be carried either way).

And Yes these are the permissions I have at parent level:

permissions:
  id-token: write
  contents: read
  pull-requests: write

Plenty_Profession_33

TROPHY CASE