Refactor exposure to have an ability share host among components (#760)

* Refactor exposure to have an ability share host among components Signed-off-by: Anatolii Bazko <abazko@redhat.com> Co-authored-by: Anatolii Bazko <abazko@redhat.com>
2021-04-09 12:09:59 +03:00 · 2021-04-09 12:09:59 +03:00 · 78d3585b7c
parent 87936ec478
commit 78d3585b7c
15 changed files with 183 additions and 121 deletions
--- a/pkg/controller/che/che_controller.go
+++ b/pkg/controller/che/che_controller.go
@ -749,10 +749,11 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 	exposedServiceName := getServerExposingServiceName(instance)
 	cheHost := ""
 	if !isOpenShift {
-		done, err := deploy.SyncIngressToCluster(
+		_, done, err := deploy.SyncIngressToCluster(
 			deployContext,
 			cheFlavor,
-			instance.Spec.Server.CheHost,
+			instance.Spec.K8s.IngressDomain,
+			"",
 			exposedServiceName,
 			8080,
 			deployContext.CheCluster.Spec.Server.CheServerIngress,
@ -786,6 +787,7 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 			deployContext,
 			cheFlavor,
 			customHost,
+			"",
 			exposedServiceName,
 			8080,
 			deployContext.CheCluster.Spec.Server.CheServerRoute,
@ -829,7 +831,7 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 		}
 	}

-	provisioned, err = devfile_registry.SyncDevfileRegistryToCluster(deployContext, cheHost)
+	provisioned, err = devfile_registry.SyncDevfileRegistryToCluster(deployContext)
 	if !tests {
 		if !provisioned {
 			if err != nil {
@ -839,7 +841,7 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 		}
 	}

-	provisioned, err = plugin_registry.SyncPluginRegistryToCluster(deployContext, cheHost)
+	provisioned, err = plugin_registry.SyncPluginRegistryToCluster(deployContext)
 	if !tests {
 		if !provisioned {
 			if err != nil {
@ -970,6 +972,7 @@ func getDefaultCheHost(deployContext *deploy.DeployContext) (string, error) {
 		deployContext,
 		cheFlavor,
 		"",
+		"",
 		getServerExposingServiceName(deployContext.CheCluster),
 		8080,
 		deployContext.CheCluster.Spec.Server.CheServerRoute,
--- a/pkg/deploy/devfile-registry/devfile_registry.go
+++ b/pkg/deploy/devfile-registry/devfile_registry.go
@ -31,16 +31,14 @@ type DevFileRegistryConfigMap struct {
 /**
 * Create devfile registry resources unless an external registry is used.
 */
-func SyncDevfileRegistryToCluster(deployContext *deploy.DeployContext, cheHost string) (bool, error) {
+func SyncDevfileRegistryToCluster(deployContext *deploy.DeployContext) (bool, error) {
 	devfileRegistryURL := deployContext.CheCluster.Spec.Server.DevfileRegistryUrl
 	if !deployContext.CheCluster.Spec.Server.ExternalDevfileRegistry {
 		endpoint, done, err := expose.Expose(
 			deployContext,
-			cheHost,
 			deploy.DevfileRegistryName,
 			deployContext.CheCluster.Spec.Server.DevfileRegistryRoute,
-			deployContext.CheCluster.Spec.Server.DevfileRegistryIngress,
-			deploy.DevfileRegistryName)
+			deployContext.CheCluster.Spec.Server.DevfileRegistryIngress)
 		if !done {
 			return false, err
 		}
--- a/pkg/deploy/expose/expose.go
+++ b/pkg/deploy/expose/expose.go
@ -12,72 +12,59 @@
 package expose

 import (
+	"strings"
+
+	routev1 "github.com/openshift/api/route/v1"
+
 	orgv1 "github.com/eclipse-che/che-operator/pkg/apis/org/v1"
 	"github.com/eclipse-che/che-operator/pkg/deploy"
 	"github.com/eclipse-che/che-operator/pkg/deploy/gateway"
 	"github.com/eclipse-che/che-operator/pkg/util"
-	routev1 "github.com/openshift/api/route/v1"
 	"github.com/sirupsen/logrus"
 	extentionsv1beta1 "k8s.io/api/extensions/v1beta1"
 )

+//Expose exposes the specified component according to the configured exposure strategy rules
 func Expose(
 	deployContext *deploy.DeployContext,
-	cheHost string,
-	endpointName string,
+	componentName string,
 	routeCustomSettings orgv1.RouteCustomSettings,
-	ingressCustomSettings orgv1.IngressCustomSettings,
-	component string) (endpont string, done bool, err error) {
+	ingressCustomSettings orgv1.IngressCustomSettings) (endpointUrl string, done bool, err error) {
+	//the host and path are empty and will be evaluated for the specified component
+	return ExposeWithHostPath(deployContext, componentName, "", "", routeCustomSettings, ingressCustomSettings)
+}
+
+//Expose exposes the specified component on the specified host and domain.
+//Empty host or path will be evaluated according to the configured strategy rules.
+//Note: path may be prefixed according to the configured strategy rules.
+func ExposeWithHostPath(
+	deployContext *deploy.DeployContext,
+	component string,
+	host string,
+	path string,
+	routeCustomSettings orgv1.RouteCustomSettings,
+	ingressCustomSettings orgv1.IngressCustomSettings) (endpointUrl string, done bool, err error) {
+
 	exposureStrategy := util.GetServerExposureStrategy(deployContext.CheCluster)
-	var domain string
-	var endpoint string
-	var pathPrefix string
-	var stripPrefix bool

-	if endpointName == deploy.IdentityProviderName {
-		pathPrefix = "auth"
-		stripPrefix = false
-	} else {
-		pathPrefix = endpointName
-		stripPrefix = true
-	}
-	if exposureStrategy == "multi-host" {
-		// this won't get used on openshift, because there we're intentionally let Openshift decide on the domain name
-		domain = endpointName + "-" + deployContext.CheCluster.Namespace + "." + deployContext.CheCluster.Spec.K8s.IngressDomain
-		endpoint = domain
-	} else {
-		domain = cheHost
-		if endpointName == deploy.IdentityProviderName {
-			// legacy
-			endpoint = domain
-		} else {
-			endpoint = domain + "/" + pathPrefix
-		}
+	if path != "" && !strings.HasPrefix(path, "/") {
+		path = "/" + path
 	}

-	gatewayConfig := "che-gateway-route-" + endpointName
 	singleHostExposureType := deploy.GetSingleHostExposureType(deployContext.CheCluster)
 	useGateway := exposureStrategy == "single-host" && (util.IsOpenShift || singleHostExposureType == "gateway")
-
+	gatewayConfig := "che-gateway-route-" + component
 	if !util.IsOpenShift {
 		if useGateway {
-			cfg := gateway.GetGatewayRouteConfig(deployContext, gatewayConfig, "/"+pathPrefix, 10, "http://"+endpointName+":8080", stripPrefix)
-			done, err := deploy.SyncConfigMapSpecToCluster(deployContext, &cfg)
-			if !util.IsTestMode() {
-				if !done {
-					if err != nil {
-						logrus.Error(err)
-					}
-					return "", false, err
+			return exposeWithGateway(deployContext, gatewayConfig, component, path, func() {
+				if _, err = deploy.DeleteNamespacedObject(deployContext, component, &extentionsv1beta1.Ingress{}); err != nil {
+					logrus.Error(err)
 				}
-			}
-			if _, err = deploy.DeleteNamespacedObject(deployContext, endpointName, &extentionsv1beta1.Ingress{}); err != nil {
-				logrus.Error(err)
-			}
+			})
 		} else {
-			done, err := deploy.SyncIngressToCluster(deployContext, endpointName, domain, endpointName, 8080, ingressCustomSettings, component)
+			endpointUrl, done, err = deploy.SyncIngressToCluster(deployContext, component, host, path, component, 8080, ingressCustomSettings, component)
 			if !done {
-				logrus.Infof("Waiting on ingress '%s' to be ready", endpointName)
+				logrus.Infof("Waiting on ingress '%s' to be ready", component)
 				if err != nil {
 					logrus.Error(err)
 				}
@ -86,38 +73,29 @@ func Expose(
 			if err := gateway.DeleteGatewayRouteConfig(gatewayConfig, deployContext); !util.IsTestMode() && err != nil {
 				logrus.Error(err)
 			}
+
+			return endpointUrl, true, nil
 		}
 	} else {
 		if useGateway {
-			cfg := gateway.GetGatewayRouteConfig(deployContext, gatewayConfig, "/"+pathPrefix, 10, "http://"+endpointName+":8080", stripPrefix)
-			done, err := deploy.SyncConfigMapSpecToCluster(deployContext, &cfg)
-			if !done {
-				if err != nil {
+			return exposeWithGateway(deployContext, gatewayConfig, component, path, func() {
+				if _, err := deploy.DeleteNamespacedObject(deployContext, component, &routev1.Route{}); !util.IsTestMode() && err != nil {
 					logrus.Error(err)
 				}
-				return "", false, err
-			}
-
-			_, err = deploy.DeleteNamespacedObject(deployContext, endpointName, &routev1.Route{})
-			if err != nil {
-				logrus.Error(err)
-			}
+			})
 		} else {
 			// the empty string for a host is intentional here - we let OpenShift decide on the hostname
-			done, err := deploy.SyncRouteToCluster(deployContext, endpointName, "", endpointName, 8080, routeCustomSettings, component)
+			done, err := deploy.SyncRouteToCluster(deployContext, component, host, path, component, 8080, routeCustomSettings, component)
 			if !done {
+				logrus.Infof("Waiting on route '%s' to be ready", component)
 				if err != nil {
 					logrus.Error(err)
 				}
 				return "", false, err
 			}

-			if err := gateway.DeleteGatewayRouteConfig(gatewayConfig, deployContext); !util.IsTestMode() && err != nil {
-				logrus.Error(err)
-			}
-
 			route := &routev1.Route{}
-			exists, err := deploy.GetNamespacedObject(deployContext, endpointName, route)
+			exists, err := deploy.GetNamespacedObject(deployContext, component, route)
 			if !exists {
 				if err != nil {
 					logrus.Error(err)
@ -125,8 +103,46 @@ func Expose(
 				return "", false, err
 			}

-			endpoint = route.Spec.Host
+			if err := gateway.DeleteGatewayRouteConfig(gatewayConfig, deployContext); !util.IsTestMode() && err != nil {
+				logrus.Error(err)
+			}
+
+			// Keycloak needs special rule in multihost. It's exposed on / which redirects to /auth
+			// clients which does not support redirects needs /auth be explicitely set
+			if path == "" && component == deploy.IdentityProviderName {
+				path = "/auth"
+			}
+			return route.Spec.Host + path, true, nil
 		}
 	}
-	return endpoint, true, nil
+}
+
+func exposeWithGateway(deployContext *deploy.DeployContext,
+	gatewayConfig string,
+	component string,
+	path string,
+	cleanUpRouting func()) (endpointUrl string, done bool, err error) {
+	var stripPrefix bool
+	if path == "" {
+		if component == deploy.IdentityProviderName {
+			path = "/auth" + path
+			stripPrefix = false
+		} else {
+			path = "/" + component + path
+			stripPrefix = true
+		}
+	}
+
+	cfg := gateway.GetGatewayRouteConfig(deployContext, gatewayConfig, component, path, 10, "http://"+component+":8080", stripPrefix)
+	done, err = deploy.SyncConfigMapSpecToCluster(deployContext, &cfg)
+	if !done {
+		if err != nil {
+			logrus.Error(err)
+		}
+		return "", false, err
+	}
+
+	cleanUpRouting()
+
+	return deployContext.CheCluster.Spec.Server.CheHost + path, true, err
 }
--- a/pkg/deploy/gateway/gateway.go
+++ b/pkg/deploy/gateway/gateway.go
@ -186,7 +186,7 @@ func delete(clusterAPI deploy.ClusterAPI, obj metav1.Object) error {
 // GetGatewayRouteConfig creates a config map with traefik configuration for a single new route.
 // `serviceName` is an arbitrary name identifying the configuration. This should be unique within operator. Che server only creates
 // new configuration for workspaces, so the name should not resemble any of the names created by the Che server.
-func GetGatewayRouteConfig(deployContext *deploy.DeployContext, serviceName string, pathPrefix string, priority int, internalUrl string, stripPrefix bool) corev1.ConfigMap {
+func GetGatewayRouteConfig(deployContext *deploy.DeployContext, component string, serviceName string, pathPrefix string, priority int, internalUrl string, stripPrefix bool) corev1.ConfigMap {
 	pathRewrite := pathPrefix != "/" && stripPrefix

 	data := `---
@ -225,14 +225,14 @@ http:
 			Kind:       "ConfigMap",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      serviceName,
+			Name:      component,
 			Namespace: deployContext.CheCluster.Namespace,
 			Labels: util.MergeMaps(
 				deploy.GetLabels(deployContext.CheCluster, gatewayConfigComponentName),
 				util.GetMapValue(deployContext.CheCluster.Spec.Server.SingleHostGatewayConfigMapLabels, deploy.DefaultSingleHostGatewayConfigMapLabels)),
 		},
 		Data: map[string]string{
-			serviceName + ".yml": data,
+			component + ".yml": data,
 		},
 	}

@ -255,7 +255,7 @@ func DeleteGatewayRouteConfig(serviceName string, deployContext *deploy.DeployCo
 // below functions declare the desired states of the various objects required for the gateway

 func getGatewayServerConfigSpec(deployContext *deploy.DeployContext) corev1.ConfigMap {
-	return GetGatewayRouteConfig(deployContext, gatewayServerConfigName, "/", 1, "http://"+deploy.CheServiceName+":8080", false)
+	return GetGatewayRouteConfig(deployContext, gatewayServerConfigName, gatewayServerConfigName, "/", 1, "http://"+deploy.CheServiceName+":8080", false)
 }

 func getGatewayServiceAccountSpec(instance *orgv1.CheCluster) corev1.ServiceAccount {
--- a/pkg/deploy/identity-provider/deployment_keycloak.go
+++ b/pkg/deploy/identity-provider/deployment_keycloak.go
@ -540,7 +540,7 @@ func GetSpecKeycloakDeployment(
 		if cheFlavor == "codeready" {
 			keycloakEnv = append(keycloakEnv, corev1.EnvVar{
 				Name:  "KEYCLOAK_FRONTEND_URL",
-				Value: deployContext.CheCluster.Status.KeycloakURL + "/auth",
+				Value: deployContext.CheCluster.Status.KeycloakURL,
 			})
 		}
 	}
--- a/pkg/deploy/identity-provider/identity_provider.go
+++ b/pkg/deploy/identity-provider/identity_provider.go
@ -80,17 +80,15 @@ func syncExposure(deployContext *deploy.DeployContext) (bool, error) {
 		false: "http"})[cr.Spec.Server.TlsSupport]
 	endpoint, done, err := expose.Expose(
 		deployContext,
-		cr.Spec.Server.CheHost,
 		deploy.IdentityProviderName,
 		cr.Spec.Auth.IdentityProviderRoute,
-		cr.Spec.Auth.IdentityProviderIngress,
-		deploy.IdentityProviderName)
+		cr.Spec.Auth.IdentityProviderIngress)
 	if !done {
 		return false, err
 	}

 	keycloakURL := protocol + "://" + endpoint
-	deployContext.InternalService.KeycloakHost = fmt.Sprintf("%s://%s.%s.svc:%d", "http", deploy.IdentityProviderName, cr.Namespace, 8080)
+	deployContext.InternalService.KeycloakHost = fmt.Sprintf("%s://%s.%s.svc:%d/auth", "http", deploy.IdentityProviderName, cr.Namespace, 8080)

 	if cr.Spec.Auth.IdentityProviderURL != keycloakURL {
 		cr.Spec.Auth.IdentityProviderURL = keycloakURL
--- a/pkg/deploy/ingres_test.go
+++ b/pkg/deploy/ingres_test.go
@ -37,6 +37,7 @@ func TestIngressSpec(t *testing.T) {
 		name                  string
 		ingressName           string
 		ingressHost           string
+		ingressPath           string
 		ingressComponent      string
 		serviceName           string
 		servicePort           int
@ -57,6 +58,7 @@ func TestIngressSpec(t *testing.T) {
 			ingressName:      "test",
 			ingressComponent: "test-component",
 			ingressHost:      "test-host",
+			ingressPath:      "",
 			serviceName:      "che",
 			servicePort:      8080,
 			ingressCustomSettings: orgv1.IngressCustomSettings{
@ -124,9 +126,10 @@ func TestIngressSpec(t *testing.T) {
 				},
 			}

-			actualIngress := GetIngressSpec(deployContext,
+			_, actualIngress := GetIngressSpec(deployContext,
 				testCase.ingressName,
 				testCase.ingressHost,
+				testCase.ingressPath,
 				testCase.serviceName,
 				testCase.servicePort,
 				testCase.ingressCustomSettings,
@ -157,12 +160,12 @@ func TestSyncIngressToCluster(t *testing.T) {
 		},
 	}

-	done, err := SyncIngressToCluster(deployContext, "test", "host-1", "service-1", 8080, orgv1.IngressCustomSettings{}, "component")
+	_, done, err := SyncIngressToCluster(deployContext, "test", "host-1", "", "service-1", 8080, orgv1.IngressCustomSettings{}, "component")
 	if !done || err != nil {
 		t.Fatalf("Failed to sync ingress: %v", err)
 	}

-	done, err = SyncIngressToCluster(deployContext, "test", "host-2", "service-2", 8080, orgv1.IngressCustomSettings{}, "component")
+	_, done, err = SyncIngressToCluster(deployContext, "test", "host-2", "", "service-2", 8080, orgv1.IngressCustomSettings{}, "component")
 	if !done || err != nil {
 		t.Fatalf("Failed to sync ingress: %v", err)
 	}
--- a/pkg/deploy/ingress.go
+++ b/pkg/deploy/ingress.go
@ -31,28 +31,34 @@ var ingressDiffOpts = cmp.Options{
 	}),
 }

+// SyncIngressToCluster creates ingress to expose service with the set settings
+// host and path are evaluated if they are empty
 func SyncIngressToCluster(
 	deployContext *DeployContext,
 	name string,
 	host string,
+	path string,
 	serviceName string,
 	servicePort int,
 	ingressCustomSettings orgv1.IngressCustomSettings,
-	component string) (bool, error) {
+	component string) (endpointUrl string, done bool, err error) {

-	ingressSpec := GetIngressSpec(deployContext, name, host, serviceName, servicePort, ingressCustomSettings, component)
-	return Sync(deployContext, ingressSpec, ingressDiffOpts)
+	ingressUrl, ingressSpec := GetIngressSpec(deployContext, name, host, path, serviceName, servicePort, ingressCustomSettings, component)
+	sync, err := Sync(deployContext, ingressSpec, ingressDiffOpts)
+	return ingressUrl, sync, err
 }

 // GetIngressSpec returns expected ingress config for given parameters
+// host and path are evaluated if they are empty
 func GetIngressSpec(
 	deployContext *DeployContext,
 	name string,
 	host string,
+	path string,
 	serviceName string,
 	servicePort int,
 	ingressCustomSettings orgv1.IngressCustomSettings,
-	component string) *v1beta1.Ingress {
+	component string) (ingressUrl string, i *v1beta1.Ingress) {

 	tlsSupport := deployContext.CheCluster.Spec.Server.TlsSupport
 	ingressStrategy := util.GetServerExposureStrategy(deployContext.CheCluster)
@ -63,7 +69,7 @@ func GetIngressSpec(

 	if host == "" {
 		if ingressStrategy == "multi-host" {
-			host = name + "-" + deployContext.CheCluster.Namespace + "." + ingressDomain
+			host = component + "-" + deployContext.CheCluster.Namespace + "." + ingressDomain
 		} else if ingressStrategy == "single-host" {
 			host = ingressDomain
 		}
@ -71,21 +77,17 @@ func GetIngressSpec(

 	tlsSecretName := util.GetValue(deployContext.CheCluster.Spec.K8s.TlsSecretName, "")
 	if tlsSupport {
-		if name == DefaultCheFlavor(deployContext.CheCluster) && deployContext.CheCluster.Spec.Server.CheHostTLSSecret != "" {
+		if component == DefaultCheFlavor(deployContext.CheCluster) && deployContext.CheCluster.Spec.Server.CheHostTLSSecret != "" {
 			tlsSecretName = deployContext.CheCluster.Spec.Server.CheHostTLSSecret
 		}
 	}

-	path := "/"
-	if ingressStrategy != "multi-host" {
-		switch name {
-		case IdentityProviderName:
-			path = "/auth"
-		case DevfileRegistryName:
-			path = "/" + DevfileRegistryName + "/(.*)"
-		case PluginRegistryName:
-			path = "/" + PluginRegistryName + "/(.*)"
-		}
+	var endpointPath, ingressPath string
+	if path == "" {
+		endpointPath, ingressPath = evaluatePath(component, ingressStrategy)
+	} else {
+		ingressPath = path
+		endpointPath = path
 	}

 	annotations := map[string]string{
@ -94,7 +96,7 @@ func GetIngressSpec(
 		"nginx.ingress.kubernetes.io/proxy-connect-timeout": "3600",
 		"nginx.ingress.kubernetes.io/ssl-redirect":          strconv.FormatBool(tlsSupport),
 	}
-	if ingressStrategy != "multi-host" && (name == DevfileRegistryName || name == PluginRegistryName) {
+	if ingressStrategy != "multi-host" && (component == DevfileRegistryName || component == PluginRegistryName) {
 		annotations["nginx.ingress.kubernetes.io/rewrite-target"] = "/$1"
 	}

@ -121,7 +123,7 @@ func GetIngressSpec(
 										ServiceName: serviceName,
 										ServicePort: intstr.FromInt(servicePort),
 									},
-									Path: path,
+									Path: ingressPath,
 								},
 							},
 						},
@ -142,5 +144,35 @@ func GetIngressSpec(
 		}
 	}

-	return ingress
+	return host + endpointPath, ingress
+}
+
+// evaluatePath evaluates ingress path (one which is used for rule)
+// and endpoint path (one which client should use during endpoint accessing)
+func evaluatePath(component, ingressStrategy string) (endpointPath, ingressPath string) {
+	if ingressStrategy == "multi-host" {
+		ingressPath = "/"
+		endpointPath = "/"
+		// Keycloak needs special rule in multihost. It's exposed on / which redirects to /auth
+		// clients which does not support redirects needs /auth be explicitely set
+		if component == IdentityProviderName {
+			endpointPath = "/auth"
+		}
+	} else {
+		switch component {
+		case IdentityProviderName:
+			endpointPath = "/auth"
+			ingressPath = endpointPath + "/(.*)"
+		case DevfileRegistryName:
+			fallthrough
+		case PluginRegistryName:
+			endpointPath = "/" + component
+			ingressPath = endpointPath + "/(.*)"
+		default:
+			ingressPath = "/"
+			endpointPath = "/"
+		}
+
+	}
+	return endpointPath, ingressPath
 }
--- a/pkg/deploy/oauthclient.go
+++ b/pkg/deploy/oauthclient.go
@ -29,7 +29,7 @@ func GetOAuthClientSpec(name string, oauthSecret string, keycloakURL string, key
 		providerName = "openshift-v4"
 	}

-	redirectURLSuffix := "/auth/realms/" + keycloakRealm + "/broker/" + providerName + "/endpoint"
+	redirectURLSuffix := "/realms/" + keycloakRealm + "/broker/" + providerName + "/endpoint"
 	redirectURIs := []string{
 		keycloakURL + redirectURLSuffix,
 	}
--- a/pkg/deploy/plugin-registry/plugin_registry.go
+++ b/pkg/deploy/plugin-registry/plugin_registry.go
@ -14,6 +14,7 @@ package plugin_registry
 import (
 	"encoding/json"
 	"fmt"
+	"strings"

 	"github.com/eclipse-che/che-operator/pkg/deploy"
 	"github.com/eclipse-che/che-operator/pkg/deploy/expose"
@ -31,25 +32,29 @@ type PluginRegistryConfigMap struct {
 /**
 * Create plugin registry resources unless an external registry is used.
 */
-func SyncPluginRegistryToCluster(deployContext *deploy.DeployContext, cheHost string) (bool, error) {
+func SyncPluginRegistryToCluster(deployContext *deploy.DeployContext) (bool, error) {
 	pluginRegistryURL := deployContext.CheCluster.Spec.Server.PluginRegistryUrl
 	if !deployContext.CheCluster.Spec.Server.ExternalPluginRegistry {
 		endpoint, done, err := expose.Expose(
 			deployContext,
-			cheHost,
 			deploy.PluginRegistryName,
 			deployContext.CheCluster.Spec.Server.PluginRegistryRoute,
-			deployContext.CheCluster.Spec.Server.PluginRegistryIngress,
-			deploy.PluginRegistryName)
+			deployContext.CheCluster.Spec.Server.PluginRegistryIngress)
 		if !done {
 			return false, err
 		}

 		if pluginRegistryURL == "" {
 			if deployContext.CheCluster.Spec.Server.TlsSupport {
-				pluginRegistryURL = "https://" + endpoint + "/v3"
+				pluginRegistryURL = "https://" + endpoint
 			} else {
-				pluginRegistryURL = "http://" + endpoint + "/v3"
+				pluginRegistryURL = "http://" + endpoint
+			}
+			// append the API version to plugin registry
+			if !strings.HasSuffix(pluginRegistryURL, "/") {
+				pluginRegistryURL = pluginRegistryURL + "/v3"
+			} else {
+				pluginRegistryURL = pluginRegistryURL + "v3"
 			}
 		}

--- a/pkg/deploy/route.go
+++ b/pkg/deploy/route.go
@ -50,12 +50,13 @@ func SyncRouteToCluster(
 	deployContext *DeployContext,
 	name string,
 	host string,
+	path string,
 	serviceName string,
 	servicePort int32,
 	routeCustomSettings orgv1.RouteCustomSettings,
 	component string) (bool, error) {

-	routeSpec, err := GetRouteSpec(deployContext, name, host, serviceName, servicePort, routeCustomSettings, component)
+	routeSpec, err := GetRouteSpec(deployContext, name, host, path, serviceName, servicePort, routeCustomSettings, component)
 	if err != nil {
 		return false, err
 	}
@ -71,6 +72,7 @@ func GetRouteSpec(
 	deployContext *DeployContext,
 	name string,
 	host string,
+	path string,
 	serviceName string,
 	servicePort int32,
 	routeCustomSettings orgv1.RouteCustomSettings,
@ -104,6 +106,7 @@ func GetRouteSpec(
 			Name:   serviceName,
 			Weight: &weight,
 		},
+		Path: path,
 		Port: &routev1.RoutePort{
 			TargetPort: targetPort,
 		},
--- a/pkg/deploy/route_test.go
+++ b/pkg/deploy/route_test.go
@ -39,6 +39,7 @@ func TestRouteSpec(t *testing.T) {
 		name                string
 		routeName           string
 		routeHost           string
+		routePath           string
 		routeComponent      string
 		serviceName         string
 		servicePort         int32
@ -160,6 +161,7 @@ func TestRouteSpec(t *testing.T) {
 			actualRoute, err := GetRouteSpec(deployContext,
 				testCase.routeName,
 				testCase.routeHost,
+				testCase.routePath,
 				testCase.serviceName,
 				testCase.servicePort,
 				testCase.routeCustomSettings,
@ -194,13 +196,13 @@ func TestSyncRouteToCluster(t *testing.T) {
 		},
 	}

-	done, err := SyncRouteToCluster(deployContext, "test", "", "service", 80, orgv1.RouteCustomSettings{}, "test")
+	done, err := SyncRouteToCluster(deployContext, "test", "", "", "service", 80, orgv1.RouteCustomSettings{}, "test")
 	if !done || err != nil {
 		t.Fatalf("Failed to sync route: %v", err)
 	}

 	// sync another route
-	done, err = SyncRouteToCluster(deployContext, "test", "", "service", 90, orgv1.RouteCustomSettings{}, "test")
+	done, err = SyncRouteToCluster(deployContext, "test", "", "", "service", 90, orgv1.RouteCustomSettings{}, "test")
 	if !done || err != nil {
 		t.Fatalf("Failed to sync route: %v", err)
 	}
@ -215,7 +217,7 @@ func TestSyncRouteToCluster(t *testing.T) {
 	}

 	// sync route with labels & domain
-	done, err = SyncRouteToCluster(deployContext, "test", "", "service", 90, orgv1.RouteCustomSettings{Labels: "a=b", Domain: "domain"}, "test")
+	done, err = SyncRouteToCluster(deployContext, "test", "", "", "service", 90, orgv1.RouteCustomSettings{Labels: "a=b", Domain: "domain"}, "test")
 	if !done || err != nil {
 		t.Fatalf("Failed to sync route: %v", err)
 	}
--- a/pkg/deploy/server/che_configmap.go
+++ b/pkg/deploy/server/che_configmap.go
@ -261,8 +261,8 @@ func GetCheConfigMapData(deployContext *deploy.DeployContext) (cheEnv map[string
 	}

 	if cheMultiUser == "true" {
-		data.KeycloakURL = keycloakURL + "/auth"
-		data.KeycloakInternalURL = keycloakInternalURL + "/auth"
+		data.KeycloakURL = keycloakURL
+		data.KeycloakInternalURL = keycloakInternalURL
 		data.KeycloakRealm = keycloakRealm
 		data.KeycloakClientId = keycloakClientId
 		data.DatabaseURL = "jdbc:postgresql://" + chePostgresHostName + ":" + chePostgresPort + "/" + chePostgresDb
--- a/pkg/deploy/server/che_configmap_test.go
+++ b/pkg/deploy/server/che_configmap_test.go
@ -816,7 +816,7 @@ func TestShouldSetUpCorrectlyInternalIdentityProviderServiceURL(t *testing.T) {
 					Auth: orgv1.CheClusterSpecAuth{
 						OpenShiftoAuth:           util.NewBoolPointer(false),
 						ExternalIdentityProvider: true,
-						IdentityProviderURL:      "http://external-keycloak",
+						IdentityProviderURL:      "http://external-keycloak/auth",
 					},
 				},
 			},
@ -841,7 +841,7 @@ func TestShouldSetUpCorrectlyInternalIdentityProviderServiceURL(t *testing.T) {
 					Auth: orgv1.CheClusterSpecAuth{
 						OpenShiftoAuth:           util.NewBoolPointer(false),
 						ExternalIdentityProvider: true,
-						IdentityProviderURL:      "http://external-keycloak",
+						IdentityProviderURL:      "http://external-keycloak/auth",
 					},
 				},
 			},
@ -866,7 +866,7 @@ func TestShouldSetUpCorrectlyInternalIdentityProviderServiceURL(t *testing.T) {
 					Auth: orgv1.CheClusterSpecAuth{
 						OpenShiftoAuth:           util.NewBoolPointer(false),
 						ExternalIdentityProvider: false,
-						IdentityProviderURL:      "http://keycloak",
+						IdentityProviderURL:      "http://keycloak/auth",
 					},
 				},
 				Status: orgv1.CheClusterStatus{
@ -894,7 +894,7 @@ func TestShouldSetUpCorrectlyInternalIdentityProviderServiceURL(t *testing.T) {
 					Auth: orgv1.CheClusterSpecAuth{
 						OpenShiftoAuth:           util.NewBoolPointer(false),
 						ExternalIdentityProvider: false,
-						IdentityProviderURL:      "http://keycloak",
+						IdentityProviderURL:      "http://keycloak/auth",
 					},
 				},
 			},
@ -921,7 +921,7 @@ func TestShouldSetUpCorrectlyInternalIdentityProviderServiceURL(t *testing.T) {
 				},
 				Proxy: &deploy.Proxy{},
 				InternalService: deploy.InternalService{
-					KeycloakHost: "http://keycloak.eclipse-che.svc:8080",
+					KeycloakHost: "http://keycloak.eclipse-che.svc:8080/auth",
 				},
 			}

--- a/pkg/deploy/tls.go
+++ b/pkg/deploy/tls.go
@ -139,6 +139,7 @@ func GetEndpointTLSCrtChain(deployContext *DeployContext, endpointURL string) ([
 				deployContext,
 				"test",
 				"",
+				"",
 				"test",
 				8080,
 				deployContext.CheCluster.Spec.Server.CheServerRoute,
@ -181,10 +182,11 @@ func GetEndpointTLSCrtChain(deployContext *DeployContext, endpointURL string) ([

 			// Create test ingress to get certificates chain.
 			// Note, it is not possible to use SyncIngressToCluster here as it may cause infinite reconcile loop.
-			ingressSpec := GetIngressSpec(
+			_, ingressSpec := GetIngressSpec(
 				deployContext,
 				"test",
 				"",
+				"",
 				"test",
 				8080,
 				deployContext.CheCluster.Spec.Server.CheServerIngress,