v7.42.0 OIDC Discovery URL

[jlhawkins-stuff]

Describe the bug

Upgrading CHE from 7.40.0 to 7.42.0 causes gateway (aka traefik) to fail oauth-proxy

Che version

7.42@latest

Steps to reproduce

### initial chectl version = 7.41.1

chectl server:deploy \
--installer=operator \
--version=7.40.0 \
--domain=che.example.com \
--multiuser \
--chenamespace=eclipse-che \
--platform=k8s \
--telemetry=off 

chectl update
# chectl: Updating CLI from 7.41.1 to 7.42.0... done
# chectl: Updating CLI... done

chectl server:update
# ...terminal output...

kubectl rollout -n eclipse-che restart deployment che

New gateway 7.42.0 pod:

Expected behavior

https://keycloak-eclipse-che.che.example.com/auth/realms/che/.well-known/openid-configuration
provides a non 404 response.

Runtime

Kubernetes (vanilla)

Screenshots

No response

Installation method

chectl/latest

Environment

other (please specify in additional context)

Eclipse Che Logs

No response

Additional context

vsphere infrastructure
juju charmed Kubernetes deployment

[tolusha]

Hello @jlhawkins-stuff
Eclipse Che versions v7.40.x and v7.42.x are not backward compatible.
It is not possible to deploy a lower versions of Eclipse Che with chectl 7.42.x (#21001)
So, pls use chectl 7.40.x https://github.com/che-incubator/chectl/releases/tag/7.40.2

[svor]

@jlhawkins-stuff could you please explain why do you want to use chectl v7.41.1 to deploy lower version of Che?

[jlhawkins-stuff]

@svor Fresh installs of che 7.42.0 using chectl 7.42.0 wasn't installing an OIDC (keycloak). Which required using the --skip-oidc-provider-check option to deploy. I downgrade chectl and was able to deploy the server with keycloak.

@tolusha Che 7.40.0 was deployed with chectl 7.41.1. That deployment was successful. chectl was updated to 7.42.0, then the server was updated to 7.42.0. That update was successful except for the gateway pod. That pod was accessing the wrong URL https://keycloak-eclipse-che.che.example.com/auth/.well-known/openid-configuration resulting in a 404 error. The correct URL should be https://keycloak-eclipse-che.che.example.com/auth/realms/che/.well-known/openid-configuration notice the realms/che path

[tolusha]

@jlhawkins-stuff
It should not be possible to update 7.40.0 to 7.42.2.
Either use 7.41.2 version or deploy 7.42.0 from the scratch (see some discussion here #21049)

[barrygear]

I was watching this because it is happening to me as well but it got closed! I simply upgraded from 7.38 to 7.42 and the fourth container (the oauth-proxy) pod fails trying to fetch https://<host>/auth/.well-known/openid-configuration instead of https://<host>/auth/realms/che/.well-known/openid-configuration. If I change .spec.auth.identityProviderURL to https://<host>/auth/realms/che it starts but fails to login. So, going by the comment there is no upgrade path to 7.42 and a fresh install is required?

[jlhawkins-stuff]

@barrygear I closed the issue because a fresh install of 7.42.0 did resolve THIS issue. Installing 7.42.0 had a whole host of other learning experiences. I'd be down to share experiences. I ultimately reverted to 7.38.0 cause I could get it working.