keycloak / keycloak-benchmark

Keycloak Benchmark

Home Page: https://www.keycloak.org/keycloak-benchmark/

Infinispan pods don't pick up an updated certificate when deploying it in KCB

ahus1 opened this issue

Describe the bug

When the certificates for JGroups and XSite are updated, the Infinispan Pods need to be restarted manually so they pick up the certificate.

Version

main

Expected behavior

The certificate should be picked up automatically - either by Infinispan without a restart, or by an automatic rolling restart, possibly triggered by the Infinispan Operator.

Actual behavior

A manual restart is required.

How to Reproduce?

Deploy a new set of certificates, see #887

Anything else?

The Keycloak Operator watches the resources Keycloak depends on, converts them into a hash and adds it as an annotation to the Keycloak Pods. Once the hash changes, this triggers a rolling restart.

See https://github.com/keycloak/keycloak/blob/f55e9030927f1c9d4c329d89df5d1bd32b8205b6/operator/src/main/java/org/keycloak/operator/controllers/WatchedResources.java

cc: @pruivo, @ryanemerson
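The hash-annotation mechanism described in the issue above, sketched in Go as an added example that is not part of the original issue and is not code from the Keycloak or Infinispan operators. The annotation key, the `Secret` stand-in type, the Secret name and contents, and the JSON-then-SHA-256 hashing scheme are all assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Hypothetical annotation key, not the one either operator uses.
const hashAnnotation = "example.org/watched-secrets-hash"

// Secret is a minimal stand-in for a Kubernetes Secret (name plus decoded data).
type Secret struct {
	Name string
	Data map[string][]byte
}

// WatchedHash does not depend on slice order or map iteration order.
func WatchedHash(secrets []Secret) string {
	sorted := append([]Secret(nil), secrets...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	raw, err := json.Marshal(sorted) // encoding/json emits map keys in sorted order
	if err != nil {
		panic(err) // unreachable for strings and byte slices
	}
	sum := sha256.Sum256(raw)
	return hex.EncodeToString(sum[:])
}

// Reconcile stamps the pod-template annotations and returns true when they
// changed, which is what makes the workload controller roll the pods.
func Reconcile(template map[string]string, secrets []Secret) bool {
	want := WatchedHash(secrets)
	changed := template[hashAnnotation] != want
	template[hashAnnotation] = want
	return changed
}

func main() {
	// Constructed sample Secret; name and contents are placeholders.
	ks := Secret{Name: "xsite-keystore", Data: map[string][]byte{"keystore.p12": []byte("constructed-v1")}}
	template := map[string]string{}
	fmt.Println(Reconcile(template, []Secret{ks}), Reconcile(template, []Secret{ks}))
	ks.Data["keystore.p12"] = []byte("constructed-v2") // certificate rotated
	fmt.Println(Reconcile(template, []Secret{ks}))
}
```

Only the digest of the keystore material ends up in the annotation, so the pod metadata reveals that a rotation happened but not the certificate or key bytes.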

ISPN-15916 added Keystore reloading capabilities to the Infinispan server, so in theory this should just work. I've created infinispan/infinispan-operator#2122 to investigate what's going on and add/fix the missing pieces.