kie-issues#1914: remove Infinispan persistence related modules and dependencies #2297
porcelli wants to merge 3 commits into apache:main from
Hey @porcelli sorry for the late review! I'm +1 on this PR but I see there are a lot of reds in the CI. I saw this error: which makes me think that the actual PR still has a reference to Also there are some problems in the RAT exclusions.
…re jitexecutor-native

Delete empty Infinispan-related test files that were missed in the initial removal, causing Apache RAT license header checks to fail:
- DataIndexInfinispanContainer.java
- DataIndexInfinispanHttpQuarkusTestResource.java
- DataIndexInfinispanHttpResource.java
- DataIndexInfinispanKafkaResource.java
- DataIndexInfinispanQuarkusKafkaTestResource.java

Restore jitexecutor-native module that was incorrectly removed (not related to Infinispan persistence).
ade14aa to dc71041
@pefernan did a new push, tomorrow I'll check back. Sorry for taking longer.
Update README files to reflect the removal of Infinispan persistence:
- data-index: remove infinispan from supported storage list
- persistence-commons: remove persistence-commons-infinispan module reference
- trusty: update to reference PostgreSQL/Redis instead of Infinispan
Pull request overview
Copilot reviewed 153 out of 154 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (4)
trusty/trusty-service/trusty-service-infinispan/src/main/resources/application.properties:1
- This configuration previously set default Infinispan credentials in quarkus.infinispan-client.username and quarkus.infinispan-client.password using values like admin, which constitutes hardcoded credentials. If these defaults are ever used in non-test environments (for example when the corresponding environment variables are not overridden), an attacker who can reach the Infinispan service can authenticate with full privileges. Removing this configuration and requiring credentials to be supplied securely at deploy time mitigates this risk; ensure no other production configs ship with similar built-in secrets.
trusty/trusty-service/trusty-service-infinispan/src/main/resources/application.properties:1
- The property quarkus.infinispan-client.sasl-mechanism here defaulted to DIGEST-MD5, which relies on MD5 and is considered a weak and deprecated authentication mechanism. An attacker who can capture the SASL handshake can perform efficient offline dictionary attacks against MD5 digests, significantly weakening protection of the Infinispan credentials. Removing this default and requiring a stronger SASL mechanism (such as a SCRAM-SHA variant) reduces the risk of credential compromise.
jobs-service/jobs-service-infinispan/src/main/resources/application.properties:1
- This file previously configured default Infinispan credentials in quarkus.infinispan-client.username and quarkus.infinispan-client.password (for example admin/password), which are hardcoded secrets. If deployed without overriding these values, anyone who can reach the Infinispan endpoint can authenticate with these known credentials and gain unauthorized access to jobs data. Deleting this configuration removes the embedded credentials; ensure that any replacement configuration requires secrets to be injected securely rather than baked into source.
jobs-service/jobs-service-infinispan/src/main/resources/application.properties:1
- The quarkus.infinispan-client.sasl-mechanism property here used a default of DIGEST-MD5, a SASL mechanism based on the weak MD5 hash function. Attackers who can observe authentication traffic can leverage MD5 weaknesses to mount efficient offline password guessing attacks against these digests. By removing this configuration and avoiding DIGEST-MD5, the authentication flow no longer depends on a deprecated and weak algorithm and can rely on stronger mechanisms instead.
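To check that no other application.properties in the tree still ships the two defaults flagged in the four comments above (a literal password and DIGEST-MD5), here is a small audit script. It is an added example, not code from this PR or the Kogito project; the property keys come from the comments, the sample property files are constructed, and the set of mechanisms treated as weak is an assumption.

```python
"""Audit Quarkus application.properties text for the two problems flagged above:
embedded Infinispan credentials and a DIGEST-MD5 SASL default. Added example,
not code from the PR; both property samples below are constructed."""
import re

SECRET_KEYS = {"quarkus.infinispan-client.password"}  # literal value = embedded secret
WEAK_SASL = {"DIGEST-MD5", "CRAM-MD5", "PLAIN"}  # assumed list; SCRAM-SHA-* is the alternative
# Quarkus property expression ${VAR} or ${VAR:default}; group 2 is the default.
PLACEHOLDER = re.compile(r"^\$\{([A-Za-z_][\w.-]*)(?::(.*))?\}$")

def parse_properties(text):
    """Minimal key=value parser: skips blanks and comments, ignores ':' separators."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_properties(text):
    """Return finding strings; an empty list means nothing was flagged."""
    findings = []
    for key, value in parse_properties(text).items():
        if key in SECRET_KEYS:
            match = PLACEHOLDER.match(value)
            if match is None:
                findings.append(f"{key}: literal secret in source")
            elif match.group(2):  # ${VAR:password} still ships a secret default
                findings.append(f"{key}: placeholder carries a default secret")
        if key.endswith(".sasl-mechanism") and value.upper() in WEAK_SASL:
            findings.append(f"{key}: weak SASL mechanism {value}")
    return findings

# Constructed sample mirroring the removed defaults described in the comments.
WEAK_CONFIG = """\
quarkus.infinispan-client.server-list=localhost:11222
quarkus.infinispan-client.username=admin
quarkus.infinispan-client.password=password
quarkus.infinispan-client.sasl-mechanism=DIGEST-MD5
"""
# Constructed hardened form: secrets injected at deploy time, SCRAM-SHA-512.
HARDENED_CONFIG = """\
quarkus.infinispan-client.server-list=${INFINISPAN_SERVERS}
quarkus.infinispan-client.username=${INFINISPAN_USERNAME}
quarkus.infinispan-client.password=${INFINISPAN_PASSWORD}
quarkus.infinispan-client.sasl-mechanism=SCRAM-SHA-512
"""
```

Run audit_properties over each application.properties found in the repository; only a non-empty return value needs attention.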
| public class InfinispanKafkaTestProfile implements QuarkusTestProfile { | ||
|
|
||
| @Override | ||
| public List<TestResourceEntry> testResources() { | ||
| return Arrays.asList(new TestResourceEntry(KogitoServiceRandomPortQuarkusKafkaTestResource.class), | ||
| new TestResourceEntry(DataIndexInfinispanQuarkusKafkaTestResource.class)); | ||
| return Arrays.asList(new TestResourceEntry(KogitoServiceRandomPortQuarkusKafkaTestResource.class)); | ||
| } |
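Review bot: with DataIndexInfinispanQuarkusKafkaTestResource dropped from the testResources() list, check that the import of that class (above the lines shown in this hunk) is removed as well; the class itself is deleted by this PR, so a stale import would fail compilation. Also, since the list now holds a single entry, Arrays.asList(new TestResourceEntry(...)) can become Collections.singletonList(...) or List.of(...).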
InfinispanKafkaTestProfile no longer provisions any Infinispan-related test resources (it only registers KogitoServiceRandomPortQuarkusKafkaTestResource). The class name is now misleading and the file appears unused in the codebase. Consider either deleting it, or renaming it to reflect what it actually configures (and updating any references if they exist).
Remove Infinispan as a persistence option as agreed in ML discussion.
Maintaining Infinispan support has become an unnecessary toll - dealing with API changes, upgrades, and transitive dependency security vulnerabilities outweighs its benefits. This simplifies maintenance and allows focus on better-supported options (PostgreSQL, MongoDB).
Related issue: apache/incubator-kie-issues#1914
Ensemble:
apache/incubator-kie-kogito-runtimes#4165
#2297
apache/incubator-kie-kogito-examples#2153
apache/incubator-kie-kogito-pipelines#1294