There is currently no transition from read() to close() in SslTransportLayer to handle graceful shutdown requests. As a result, Kafka SSL connections are never shutdown gracefully. In addition to this, close() does not handle ungraceful termination of connections correctly. If flush() fails because the other end has performed a close (eg. because graceful termination was not handled), Kafka prints out a warning and does not close the socket. This leaks file descriptors.
We are seeing a large number of open file descriptors because our health checks to Kafka result in connections that are neither terminated gracefully nor closed correctly.