Upgrade to 4 with UAA authenticated teams


#1

At one of my customers we run a BOSH deployed concourse 3.14.1 and use CF UAA authentication for all the teams except main. The teams are created by a service broker btw.

Now because all teams use the same auth provider but a slightly different config (CF space GUID is different) I cannot migrate to concourse 4.0 according to the release notes. Of course I tried it on a test concourse instance and the upgrade did indeed fail.

In an attempt to make the migration work I manually updated the teams table in the DB. I just removed the content from all the auth fields except for the main team. Then I ran “atc migrate” manually and that ran succesful.

But if I try to start the ATC now it throws this error: json: cannot unmarshal object into Go value of type []string
So obviously something is broken. Unfortunately the error doesn’t tell me exactly what is broken where.

This is a test instance so it’s no problem. But I do plan to upgrade our production instance. So what would be the right procedure to upgrade concourse from version 3.14.1 to 4.0 when using UAA auth for all the team?


#2

Nobody any suggestions? Or is a github issue a better place for this problem?

Also: is there any automated upgrade procedure planned for future releases? I’m sure I’m not the only one with multiple team authenticating against UAA.


#3

Hi vchris,

I have the exact same setup at my job. Did you find any answer to your questions?


#4

No I haven’t found a solution yet. I was hoping newer concourse versions would have a more sophisticated upgrade mechanism. But nothing so far.


#5

Hello, we had a similar problem. You can try following the same reasoning.

For us the problem was that bitbucket OAuth is not supported any more with Concourse 4.x.

Here is what we did:

  • Dump the DB from prod
  • Move the dump to my dev-workspace
  • Import the dump

Now the tricky part as we wouldn’t be able to migrate the DB in this state because Bitbucket Auth is no longer supported

  • Run Concourse web V3.14.1 in dev-workspace, with fly change auth for the impacted teams to be basic auth (with some temp username and pass but different usernames)
  • Stop Concourse web
  • Run the migration tool: concourse migrate --migrate-db-to-version 1533934775 --encryption-key <db_encryption_key> --postgres-host <host> --postgres-user <user> --postgres-password <db_password>

:slight_smile: