
Infinispan pods don't pick up an updated certificate when deploying it in KCB

Open ahus1 opened this issue 1 year ago • 1 comments

Describe the bug

When the certificates for JGroups and XSite are updated, the Infinispan Pods need to be restarted manually so they pick up the certificate.

Version

main

Expected behavior

The certificate should be picked up automatically - either by Infinispan without a restart, or by an automatic rolling restart, possibly triggered by the Infinispan Operator.

Actual behavior

A manual restart is required.

How to Reproduce?

Deploy a new set of certificates, see #887

Anything else?

The Keycloak Operator watches the resources Keycloak depends on, converts them into a hash and adds it as an annotation to the Keycloak Pods. Once the hash changes, this triggers a rolling restart.

See https://github.com/keycloak/keycloak/blob/f55e9030927f1c9d4c329d89df5d1bd32b8205b6/operator/src/main/java/org/keycloak/operator/controllers/WatchedResources.java

cc: @pruivo, @ryanemerson

ahus1, Jul 05 '24 09:07
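The hash-annotation mechanism described in the issue above, sketched as an added Go example; it is not code from the Keycloak Operator or the Infinispan Operator. The `Secret` type, the annotation key `example.org/watched-resources-hash` and the secret contents are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// HashAnnotation is a made-up key for this example, not an operator's real one.
const HashAnnotation = "example.org/watched-resources-hash"

// Secret is a minimal stand-in for a Kubernetes Secret.
type Secret struct{ Name string; Data map[string][]byte }

// WatchedHash returns a digest that is stable across map and slice ordering.
func WatchedHash(secrets []Secret) string {
	h := sha256.New()
	// Length-prefix every field so adjacent values cannot run together.
	put := func(b []byte) { fmt.Fprintf(h, "%d:", len(b)); h.Write(b) }
	sorted := append([]Secret(nil), secrets...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	for _, s := range sorted {
		keys := make([]string, 0, len(s.Data))
		for k := range s.Data {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		put([]byte(s.Name))
		fmt.Fprintf(h, "%d;", len(keys)) // key count marks where each Secret ends
		for _, k := range keys {
			put([]byte(k))
			put(s.Data[k])
		}
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Reconcile stamps the hash on the pod template; true means a rolling restart follows.
func Reconcile(ann map[string]string, secrets []Secret) bool {
	old := ann[HashAnnotation]
	ann[HashAnnotation] = WatchedHash(secrets)
	return ann[HashAnnotation] != old
}

func main() {
	certs := []Secret{{"xsite-keystore", map[string][]byte{"tls.crt": []byte("constructed-v1")}}}
	fmt.Println(HashAnnotation+":", WatchedHash(certs))
}
```

Because the annotation lives on the pod template, a changed value alters the template and the workload controller replaces the pods; an unchanged value leaves them running.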

ISPN-15916 added Keystore reloading capabilities to the Infinispan server, so in theory this should just work. I've created https://github.com/infinispan/infinispan-operator/issues/2122 to investigate what's going on and add/fix the missing pieces.

ryanemerson, Jul 09 '24 08:07

Resolved by https://github.com/keycloak/keycloak/issues/31963

ryanemerson, Aug 07 '24 09:08