Bug
Resolution: Done
Before reporting an issue
[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
infinispan
Describe the bug
I have updated Keycloak to 26.2.0 and I am experiencing multiple log messages when Infinispan is enabled in Kubernetes.
These are the logs that repeat:
```
2025-04-17 15:18:08,907 WARN [org.jgroups.protocols.TCP] (TcpServer.Acceptor[7800]-1,keycloak-5b99d748f8-ktjmj-55080) JGRP000006: 10.244.0.6:7800: failed accepting connection from peer SSLSocket[hostname=10.244.0.5, port=53525, Session(1744903073273|SSL_NULL_WITH_NULL_NULL)]: java.net.SocketException: Socket is closed
2025-04-17 15:18:12,262 INFO [org.keycloak.infinispan.module.certificates.CertificateReloadManager] (TQ-Bundler-5,keycloak-5b99d748f8-ktjmj-55080) On certificate exception
2025-04-17 15:18:12,263 INFO [org.keycloak.infinispan.module.certificates.CertificateReloadManager] () Reloading JGroups Certificate
2025-04-17 15:18:37,960 WARN [org.jgroups.protocols.TCP] (TcpServer.Acceptor[7800]-1,keycloak-5b99d748f8-ktjmj-55080) JGRP000006: 10.244.0.6:7800: failed accepting connection from peer SSLSocket[hostname=10.244.0.5, port=51201, Session(1744903088908|SSL_NULL_WITH_NULL_NULL)]: java.net.SocketException: Socket is closed
2025-04-17 15:18:52,701 INFO [org.keycloak.infinispan.module.certificates.CertificateReloadManager] (TQ-Bundler-5,keycloak-5b99d748f8-ktjmj-55080) On certificate exception
2025-04-17 15:18:52,702 INFO [org.keycloak.infinispan.module.certificates.CertificateReloadManager] () Reloading JGroups Certificate
```
Version
26.2.0
Regression
[x] The issue is a regression
Expected behavior
While running 26.1.4 with the exact same configuration, Infinispan initializes and works fine. I believe these info and SSL warn messages should not occur. I saw this: https://github.com/keycloak/keycloak/issues/37941. If this could be related in any way, I'd be happy to open a quick fix to switch this to debug; however, the SSL warn does look like maybe the issue could be somewhere else.
Actual behavior
In 26.2.0 Infinispan comes up, but there are warnings and info messages regarding expired certificates.
How to Reproduce?
You can use the following:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: keycloak-temp
  labels:
    app: keycloak
spec:
  replicas: 2
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:26.2.0
          args: ["start"]
          env:
            - name: KEYCLOAK_ADMIN
              value: "admin"
            - name: KEYCLOAK_ADMIN_PASSWORD
              value: "admin"
            - name: KC_PROXY_HEADERS
              value: "xforwarded"
            - name: KC_HTTP_ENABLED
              value: "true"
            - name: KC_HEALTH_ENABLED
              value: "true"
            - name: KC_HOSTNAME
              value: "localhost"
            - name: JAVA_OPTS_APPEND
              value: '-Djgroups.dns.query="keycloak-temp-headless.keycloak-temp.svc.cluster.local"'
            - name: 'KC_CACHE'
              value: 'ispn'
            - name: 'KC_CACHE_STACK'
              value: 'kubernetes'
          ports:
            - name: http
              containerPort: 8080
          readinessProbe:
            httpGet:
              path: /health/ready
              port: 9000
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: keycloak
  name: keycloak-temp-headless
  namespace: keycloak-temp
spec:
  selector:
    app: keycloak
  clusterIP: None
  type: ClusterIP
```
The same works without issues when setting 26.1.4. The issue is reproducible for:
1. update in place from 26.1.4
2. new deployment with 26.2.0
Anything else?
I checked the upgrading notes (https://www.keycloak.org/docs/latest/upgrading/index.html) and found this:
> If you are using a custom transport stack, this default behavior can be disabled by setting the option cache-embedded-mtls-enabled to false.
Let me know if this is relevant.
If this is just a matter of switching info to debug I'll be happy to contribute.
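A triage script for the repeating log lines in the report above, added here as an example (it is not part of the original issue and not Keycloak code). It groups the JGRP000006 accept failures by peer, counts those whose session still shows `SSL_NULL_WITH_NULL_NULL` (the suite JSSE reports when no TLS handshake completed), and measures the interval between certificate reloads; the function name `summarize` is an assumption of this example.

```python
import re
from collections import Counter
from datetime import datetime

# Log lines copied from the report above.
SAMPLE = """\
2025-04-17 15:18:08,907 WARN [org.jgroups.protocols.TCP] (TcpServer.Acceptor[7800]-1,keycloak-5b99d748f8-ktjmj-55080) JGRP000006: 10.244.0.6:7800: failed accepting connection from peer SSLSocket[hostname=10.244.0.5, port=53525, Session(1744903073273|SSL_NULL_WITH_NULL_NULL)]: java.net.SocketException: Socket is closed
2025-04-17 15:18:12,262 INFO [org.keycloak.infinispan.module.certificates.CertificateReloadManager] (TQ-Bundler-5,keycloak-5b99d748f8-ktjmj-55080) On certificate exception
2025-04-17 15:18:12,263 INFO [org.keycloak.infinispan.module.certificates.CertificateReloadManager] () Reloading JGroups Certificate
2025-04-17 15:18:37,960 WARN [org.jgroups.protocols.TCP] (TcpServer.Acceptor[7800]-1,keycloak-5b99d748f8-ktjmj-55080) JGRP000006: 10.244.0.6:7800: failed accepting connection from peer SSLSocket[hostname=10.244.0.5, port=51201, Session(1744903088908|SSL_NULL_WITH_NULL_NULL)]: java.net.SocketException: Socket is closed
2025-04-17 15:18:52,701 INFO [org.keycloak.infinispan.module.certificates.CertificateReloadManager] (TQ-Bundler-5,keycloak-5b99d748f8-ktjmj-55080) On certificate exception
2025-04-17 15:18:52,702 INFO [org.keycloak.infinispan.module.certificates.CertificateReloadManager] () Reloading JGroups Certificate
"""

# TLS accept failure logged by the JGroups TCP transport.
ACCEPT_FAIL = re.compile(
    r"^(?P<ts>\S+ \S+) WARN .*JGRP000006: [\d.]+:\d+: failed accepting connection "
    r"from peer SSLSocket\[hostname=(?P<peer>[^,]+), port=\d+, "
    r"Session\(\d+\|(?P<suite>\w+)\)\]")
# Certificate reload triggered by Keycloak's CertificateReloadManager.
RELOAD = re.compile(
    r"^(?P<ts>\S+ \S+) INFO .*CertificateReloadManager\] .*Reloading JGroups Certificate")


def _ts(value):
    """Parse the 'YYYY-MM-DD HH:MM:SS,mmm' timestamp used in these logs."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S,%f")


def summarize(text):
    """Group accept failures by peer and measure the certificate reload cadence."""
    peers, no_handshake, reloads = Counter(), 0, []
    for line in text.splitlines():
        if m := ACCEPT_FAIL.match(line):
            peers[m["peer"]] += 1
            # SSL_NULL_WITH_NULL_NULL: the session never completed a handshake.
            no_handshake += m["suite"] == "SSL_NULL_WITH_NULL_NULL"
        elif m := RELOAD.match(line):
            reloads.append(_ts(m["ts"]))
    gaps = [round((b - a).total_seconds(), 3) for a, b in zip(reloads, reloads[1:])]
    return {"failures_by_peer": dict(peers), "no_handshake": no_handshake,
            "reloads": len(reloads), "reload_gaps_s": gaps}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against a full pod log, the per-peer counts show whether the failures come from other cluster members or from a single non-member address, which helps separate a certificate problem from connections that never attempt a handshake.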