26.12 (Kubernetes) OSP/OAuth2-based Authentication Fails after Upgrading Access Manager

This issue occurs when Access Manager integrated with Advanced Authentication is upgraded. After the upgrade is completed, the pods do not retain the host entries of the Advanced Authentication server. As a result, OSP/OAuth2-based authentication breaks.

This is the default behavior of Kubernetes. To resolve this issue, perform one of the following workarounds for Access Manager. You do not need to make any changes in the Advanced Authentication configuration.

Workaround 1: Add the required host entries on worker nodes or on the DNS server configured on workers before installing or upgrading Access Manager. Then, whenever you install or upgrade Access Manager integrated with Advanced Authentication, all pods can resolve DNS.

Workaround 2: Perform the following steps if the entries need to be added inside Access Manager pods:

  1. Before the upgrade, note down the host entries of the Advanced Authentication server from Administration Console, Identity Server, and Access Gateway pods.

  2. After the upgrade, add the same host entries that you noted before the upgrade to the Administration Console, Identity Server, and Access Gateway pods.
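One way to script the two steps of Workaround 2 is shown below. This is an added example, not part of the product documentation: the function names, the file paths and the host name aa.example.test are hypothetical, and the functions are meant to be run inside each of the three pods against /etc/hosts.

```shell
#!/bin/sh
# Added example for Workaround 2. Names and paths here are assumptions.

# save_aa_entries HOSTS_FILE AA_HOST OUT_FILE
# Step 1 (before the upgrade): copy every active line of HOSTS_FILE that
# names AA_HOST (as host name or alias) to OUT_FILE. Comment lines are skipped.
save_aa_entries() {
    awk -v h="$2" '
        $1 ~ /^#/ { next }
        {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break          # trailing comment starts here
                if ($i == h) { print; next }
            }
        }
    ' "$1" > "$3"
}

# restore_aa_entries SAVED_FILE HOSTS_FILE
# Step 2 (after the upgrade): append each saved line that is not already
# present (exact line match), so repeated runs add nothing twice.
# The file is appended to in place instead of being replaced, because a
# container's /etc/hosts is typically a mounted file that cannot be
# renamed over. Prints the number of lines added.
restore_aa_entries() {
    added=0
    # Make sure the file ends with a newline before appending to it.
    if [ -s "$2" ] && [ -n "$(tail -c 1 "$2")" ]; then
        echo >> "$2"
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        if ! grep -qxF -- "$line" "$2"; then
            printf '%s\n' "$line" >> "$2"
            added=$((added + 1))
        fi
    done < "$1"
    echo "$added"
}
```

Keep the saved file outside the pod (or on storage that survives the upgrade), since anything written only to the pod's own file system is lost when the pod is re-created.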

NOTE:

  • This issue does not occur when Access Manager is integrated with Advanced Authentication using the IP address.

  • By design of Kubernetes, each time a pod spawns, it inherits the content of /etc/hosts of the worker node.