Frequent Pod Restarts - Keycloak 25.0 on EKS with Istio Proxy

Hello,

I’m running Keycloak version 25.0 on AWS EKS with Istio and have configured an Istio-proxy sidecar in the Keycloak pod. However, I’ve encountered an issue where the Keycloak pod restarts approximately every hour with no apparent reason. I’m seeking help to identify the cause and resolve this issue.

Keycloak Logs (just before the restart):

2024-08-11 07:39:19,840 WARN  [org.keycloak.events] (executor-thread-18) type="REGISTER_ERROR", realmId="**[REDACTED]**", realmName="**[REDACTED]**", clientId="null", userId="null", ipAddress="127.0.0.6", error="invalid_request", reason="Parameter 'client_id' not present or present multiple times in the HTTP request parameters"
2024-08-11 08:13:25,104 INFO  [org.infinispan.CLUSTER] (Thread-14) ISPN000080: Disconnecting JGroups channel `ISPN`
2024-08-11 08:13:25,133 INFO  [com.arjuna.ats.jbossatx] (main) ARJUNA032014: Stopping transaction recovery manager
2024-08-11 08:13:25,159 INFO  [io.quarkus] (main) Keycloak stopped in 0.096s

Istio-proxy Logs (just before the restart):

[2024-08-11T07:59:20.601Z] "- - -" 0 - - - "-" 12251 9469 595148 - "-" "-" "-" "-" "**[REDACTED]**" PassthroughCluster **[REDACTED]**
2024-08-11T08:13:12.310156Z     info    xdsproxy        connected to upstream XDS server: istiod.istio-system.svc:15012
2024-08-11T08:13:25.060633Z     info    Status server has successfully terminated
2024-08-11T08:13:25.060692Z     error   accept tcp [::]:15020: use of closed network connection
2024-08-11T08:13:25.060700Z     info    Agent draining Proxy
2024-08-11T08:13:25.061703Z     info    Graceful termination period is 5s, starting...
2024-08-11T08:13:30.062353Z     info    Graceful termination period complete, terminating remaining proxies.
2024-08-11T08:13:30.062385Z     warn    Aborted proxy instance
2024-08-11T08:13:30.062391Z     warn    Aborting proxy
2024-08-11T08:13:30.062652Z     info    Envoy aborted normally
2024-08-11T08:13:30.062661Z     info    Agent has successfully terminated
2024-08-11T08:13:30.063147Z     info    ads     ADS: "@" keycloak-**[REDACTED]** terminated
2024-08-11T08:13:30.063193Z     info    ads     ADS: "@" keycloak-**[REDACTED]** terminated
2024-08-11T08:13:30.063246Z     info    sds     SDS server for workload certificates started, listening on "./var/run/secrets/workload-spiffe-uds/socket"

Keycloak Dockerfile:

FROM quay.io/keycloak/keycloak:25.0

ADD --chmod=0666 https://github.com/awslabs/aws-advanced-jdbc-wrapper/releases/download/2.3.1/aws-advanced-jdbc-wrapper-2.3.1.jar /opt/keycloak/providers/aws-advanced-jdbc-wrapper.jar
COPY ./themes/ /opt/keycloak/themes/
ADD jars/ /opt/keycloak/providers/

Keycloak Configuration:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: keycloak-virtual-service
  namespace: keycloak
  labels:
    app: keycloak
spec:
  hosts:
    - "<keycloak dns name>" 
  gateways:
    - istio-ingress/public-gateway 
  http:
    - match:
        - uri:
            prefix: "/" 
      route:
        - destination:
            host: keycloak 
            port:
              number: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  namespace: keycloak
  labels:
    app: keycloak
spec:
  ports:
    - name: http
      port: 8080
      targetPort: 8080
  selector:
    app: keycloak
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: keycloak
  labels:
    app: keycloak
    kubernetes.io/arch: amd64
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
      kubernetes.io/arch: amd64
  template:
    metadata:
      labels:
        app: keycloak
        kubernetes.io/arch: amd64
    spec:
      nodeSelector:
        kubernetes.io/arch: amd64
      containers:
        - name: keycloak
          image: <keycloak-image>:latest
          imagePullPolicy: Always
          env:
            - name: KEYCLOAK_ADMIN
              value: "admin"
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: admin
                  key: password
            - name: KC_HOSTNAME 
              value: "<keycloak dns name>"
            - name: KC_PROXY_HEADERS
              value: forwarded
            - name: KC_FEATURES
              value: "admin-fine-grained-authz,passkeys,persistent-user-sessions"
            - name: ADT_ENDPOINT_URL
              value: "<adt dns name>"
            - name: KC_HOSTNAME_ADMIN 
              value: "<keycloak dns name>"
            - name: KC_HOSTNAME_STRICT
              value: "true"
            - name: KC_HTTP_ENABLED
              value: "true"
            - name: KC_DB
              value: postgres
            - name: KC_DB_URL
              value: "jdbc:aws-wrapper:postgresql://keycloak.cluster.rds.amazonaws.com/keycloak"
            - name: KC_DB_DRIVER
              value: "software.amazon.jdbc.Driver"
            - name: KC_TRANSACTION_XA_ENABLED
              value: "false"
            - name: KC_DB_USERNAME
              value: "postgres"
            - name: KC_DB_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: db
                   key: password
          ports:
            - name: http
              containerPort: 8080
          readinessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8080
            initialDelaySeconds: 60
            periodSeconds: 1

I would greatly appreciate any insights or suggestions on what might be causing these frequent restarts and how to resolve the issue.

Thank you!