Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
infinispan
Describe the bug
I have updated `keycloak` to `26.2.0` and I am experiencing multiple log messages when `infinispan` is enabled in `Kubernetes`.
These are the logs that repeat:
```
2025-04-17 15:18:08,907 WARN [org.jgroups.protocols.TCP] (TcpServer.Acceptor[7800]-1,keycloak-5b99d748f8-ktjmj-55080) JGRP000006: 10.244.0.6:7800: failed accepting connection from peer SSLSocket[hostname=10.244.0.5, port=53525, Session(1744903073273|SSL_NULL_WITH_NULL_NULL)]: java.net.SocketException: Socket is closed
2025-04-17 15:18:12,262 INFO [org.keycloak.infinispan.module.certificates.CertificateReloadManager] (TQ-Bundler-5,keycloak-5b99d748f8-ktjmj-55080) On certificate exception
2025-04-17 15:18:12,263 INFO [org.keycloak.infinispan.module.certificates.CertificateReloadManager] () Reloading JGroups Certificate
2025-04-17 15:18:37,960 WARN [org.jgroups.protocols.TCP] (TcpServer.Acceptor[7800]-1,keycloak-5b99d748f8-ktjmj-55080) JGRP000006: 10.244.0.6:7800: failed accepting connection from peer SSLSocket[hostname=10.244.0.5, port=51201, Session(1744903088908|SSL_NULL_WITH_NULL_NULL)]: java.net.SocketException: Socket is closed
2025-04-17 15:18:52,701 INFO [org.keycloak.infinispan.module.certificates.CertificateReloadManager] (TQ-Bundler-5,keycloak-5b99d748f8-ktjmj-55080) On certificate exception
2025-04-17 15:18:52,702 INFO [org.keycloak.infinispan.module.certificates.CertificateReloadManager] () Reloading JGroups Certificate
```
Version
26.2.0
Regression
- The issue is a regression
Expected behavior
While running `26.1.4` with the same exact configuration, `infinispan` initializes and works fine. I believe these `info` and SSL `warn` messages should not occur. I saw this: #37941. If this could be related in any way, I'd be happy to open a quick fix to switch this to `debug`; however, the SSL `warn` does look like maybe the issue could be somewhere else.
Actual behavior
In `26.2.0`, `infinispan` goes up, but there are warnings and info messages regarding expired certificates.
How to Reproduce?
You can use the following:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: keycloak-temp
  labels:
    app: keycloak
spec:
  replicas: 2
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:26.2.0
          args: ["start"]
          env:
            - name: KEYCLOAK_ADMIN
              value: "admin"
            - name: KEYCLOAK_ADMIN_PASSWORD
              value: "admin"
            - name: KC_PROXY_HEADERS
              value: "xforwarded"
            - name: KC_HTTP_ENABLED
              value: "true"
            - name: KC_HEALTH_ENABLED
              value: "true"
            - name: KC_HOSTNAME
              value: "localhost"
            - name: JAVA_OPTS_APPEND
              value: '-Djgroups.dns.query="keycloak-temp-headless.keycloak-temp.svc.cluster.local"'
            - name: 'KC_CACHE'
              value: 'ispn'
            - name: 'KC_CACHE_STACK'
              value: 'kubernetes'
          ports:
            - name: http
              containerPort: 8080
          readinessProbe:
            httpGet:
              path: /health/ready
              port: 9000
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: keycloak
  name: keycloak-temp-headless
  namespace: keycloak-temp
spec:
  selector:
    app: keycloak
  clusterIP: None
  type: ClusterIP
```
The same works without issues when setting `26.1.4`. The issue is reproducible for:
- update in place from `26.1.4`
- new deployment with `26.2.0`
Anything else?
I checked the upgrading notes (https://www.keycloak.org/docs/latest/upgrading/index.html) and found this:
If you are using a custom transport stack, this default behavior can be disabled by setting the option cache-embedded-mtls-enabled to false.
Let me know if this is relevant.
If this is just a matter of switching `info` to `debug`, I'll be happy to contribute.
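
A triage aid for the log pattern in this report, added here as an example; it is not part of the original report or of Keycloak's code. It pairs each `JGRP000006` failed accept with the next `Reloading JGroups Certificate` line and flags sessions whose TLS handshake never completed. The function names `parse` and `correlate` are made up for this example.

```python
import re
from datetime import datetime

# Log lines copied verbatim from the report above.
SAMPLE = """\
2025-04-17 15:18:08,907 WARN [org.jgroups.protocols.TCP] (TcpServer.Acceptor[7800]-1,keycloak-5b99d748f8-ktjmj-55080) JGRP000006: 10.244.0.6:7800: failed accepting connection from peer SSLSocket[hostname=10.244.0.5, port=53525, Session(1744903073273|SSL_NULL_WITH_NULL_NULL)]: java.net.SocketException: Socket is closed
2025-04-17 15:18:12,262 INFO [org.keycloak.infinispan.module.certificates.CertificateReloadManager] (TQ-Bundler-5,keycloak-5b99d748f8-ktjmj-55080) On certificate exception
2025-04-17 15:18:12,263 INFO [org.keycloak.infinispan.module.certificates.CertificateReloadManager] () Reloading JGroups Certificate
2025-04-17 15:18:37,960 WARN [org.jgroups.protocols.TCP] (TcpServer.Acceptor[7800]-1,keycloak-5b99d748f8-ktjmj-55080) JGRP000006: 10.244.0.6:7800: failed accepting connection from peer SSLSocket[hostname=10.244.0.5, port=51201, Session(1744903088908|SSL_NULL_WITH_NULL_NULL)]: java.net.SocketException: Socket is closed
2025-04-17 15:18:52,701 INFO [org.keycloak.infinispan.module.certificates.CertificateReloadManager] (TQ-Bundler-5,keycloak-5b99d748f8-ktjmj-55080) On certificate exception
2025-04-17 15:18:52,702 INFO [org.keycloak.infinispan.module.certificates.CertificateReloadManager] () Reloading JGroups Certificate
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+)\s+\[([^\]]+)\] (.*)$")
ACCEPT = re.compile(r"JGRP000006: (\S+): failed accepting connection from peer "
                    r"SSLSocket\[hostname=([^,]+), port=\d+, Session\(\d+\|(\w+)\)\]")
# JSSE reports this placeholder suite for a session whose handshake never completed.
NO_HANDSHAKE = "SSL_NULL_WITH_NULL_NULL"

def parse(text):
    """Return (accept_failures, reload_timestamps) found in Keycloak log text."""
    failures, reloads = [], []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip continuation lines such as stack traces
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        logger, msg = m.group(3), m.group(4)
        a = ACCEPT.search(msg)
        if a:
            failures.append({"ts": ts, "local": a.group(1), "peer": a.group(2), "cipher": a.group(3)})
        elif logger.endswith("CertificateReloadManager") and "Reloading JGroups Certificate" in msg:
            reloads.append(ts)
    return failures, reloads

def correlate(text):
    """Pair each failed TLS accept with the next certificate reload on this node."""
    failures, reloads = parse(text)
    out = []
    for f in failures:
        nxt = next((r for r in sorted(reloads) if r >= f["ts"]), None)
        out.append({"peer": f["peer"], "local": f["local"],
                    "handshake_completed": f["cipher"] != NO_HANDSHAKE,
                    "seconds_to_reload": None if nxt is None else round((nxt - f["ts"]).total_seconds(), 3)})
    return out

if __name__ == "__main__":
    for row in correlate(SAMPLE):
        print(row)
```

Running the same functions over the logs of every pod shows whether the failed accepts and reloads affect all peers or only one pair.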