bitnami / charts

Bitnami Helm Charts
https://bitnami.com

[bitnami/kafka] SASL client users list not being updated on chart upgrade #20357

Closed dfgrosso closed 11 months ago

dfgrosso commented 11 months ago

Name and Version

bitnami/kafka 25.1.6

What architecture are you using?

None

What steps will reproduce the bug?

  1. Install the chart with a given list of users configured in sasl.client.users
  2. Add a user to the list or change an existing one
  3. Upgrade the chart
  4. Authentication fails for the new/edited users

Are you using any custom parameters or values?

## @section Kafka SASL parameters
## Kafka SASL settings for authentication, required if SASL_PLAINTEXT or SASL_SSL listeners are configured
##
sasl:
  ## @param sasl.enabledMechanisms Comma-separated list of allowed SASL mechanisms when SASL listeners are configured. Allowed types: `PLAIN`, `SCRAM-SHA-256`, `SCRAM-SHA-512`
  ## NOTE: At the moment, Kafka Raft mode does not support SCRAM, that is why only PLAIN is configured.
  ##
  enabledMechanisms: PLAIN
  ## @param sasl.interBrokerMechanism SASL mechanism for inter broker communication.
  ##
  interBrokerMechanism: PLAIN
  ## @param sasl.controllerMechanism SASL mechanism for controller communications.
  ##
  controllerMechanism: PLAIN
  ## Credentials for inter-broker communications.
  ## @param sasl.interbroker.user Username for inter-broker communications when SASL is enabled
  ## @param sasl.interbroker.password Password for inter-broker communications when SASL is enabled. If not set and SASL is enabled for the controller listener, a random password will be generated.
  ##
  interbroker:
    user: inter_broker_user
    password: ""
  ## Credentials for controller communications.
  ## @param sasl.controller.user Username for controller communications when SASL is enabled
  ## @param sasl.controller.password Password for controller communications when SASL is enabled. If not set and SASL is enabled for the inter-broker listener, a random password will be generated.
  ##
  controller:
    user: controller_user
    password: ""
  ## Credentials for client communications.
  ## @param sasl.client.users Comma-separated list of usernames for client communications when SASL is enabled
  ## @param sasl.client.passwords Comma-separated list of passwords for client communications when SASL is enabled, must match the number of client.users
  ##
  ## The provisioning job uses the first user of the list and its password must also be in a key named "system-user-password" in the given secret
  client:
    users:
      - system-user
      - api-admin-kafka
      - api-audit-kafka
      - api-auth-kafka
      - api-crm-kafka
      - api-game-kafka
      - api-game-trx-kafka
      - api-ext-com-kafka
      - api-ext-int-kafka
      - clickhouse-kafka
      - opm-event-notifications-manager-kafka
      - opm-external-message-request-manager-kafka

  ## @param sasl.existingSecret Name of the existing secret containing credentials for clientUsers, interBrokerUser, controllerUser and zookeeperUser
  ## Create this secret running the command below where SECRET_NAME is the name of the secret you want to create:
  ##       kubectl create secret generic SECRET_NAME --from-literal=client-passwords=CLIENT_PASSWORD1,CLIENT_PASSWORD2 --from-literal=inter-broker-password=INTER_BROKER_PASSWORD --from-literal=controller-password=CONTROLLER_PASSWORD --from-literal=zookeeper-password=ZOOKEEPER_PASSWORD
  ##
  existingSecret: "api-kafka-secret"

What is the expected behavior?

The new/edited users should work

What do you see instead?

org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed: Invalid username or password

Additional information

I'm using KRAFT mode

dfgrosso commented 11 months ago

Actually the first time the chart was installed the enabledMechanisms property was the default one.

enabledMechanisms: PLAIN,SCRAM-SHA-256,SCRAM-SHA-512

I've changed it to PLAIN only to test.

theblinkingusb commented 11 months ago

@dfgrosso if helpful - adding/removing a user to the list and running an upgrade worked on 26.2.0. It looks like some adjustments were made here - https://github.com/bitnami/charts/commit/f7896ec27cf165e86233f60bfb7fc68943717bc3 so maybe you can try upgrading to 25.3. That said - it looks like editing existing users (thereby keeping the array the same length) did not trigger an upgrade - I suppose a "workaround" would be to add/remove a temporary user to trigger the upgrade.

dfgrosso commented 11 months ago

Hello @theblinkingusb I will try the upgrade. Already tried to change the users array length by adding a temp user but it didn't work. I will try again just to make sure. Thank you.

dfgrosso commented 11 months ago

Hello again. Just made a clean install of 26.2.0 (new PVs also) and still the last users of the list are not working:

  client:
    users:
      - system-user
      - api-admin-kafka
      - api-audit-kafka
      - api-auth-kafka
      - api-crm-kafka
      - api-game-kafka
      - api-game-trx-kafka
      - api-ext-com-kafka
      - api-ext-int-kafka
      - clickhouse-kafka
      - opm-event-notifications-manager-kafka
      - opm-external-message-request-manager-kafka

I've noticed that all the users until the 9th position of the array work but the users on the 10th position and beyond don't work. Can anyone help me on this please? Thanks
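An added example, not part of the original thread or the chart's own code: a check of the pairing rules quoted in the values file above (`client-passwords` must have as many comma-separated entries as `sasl.client.users`, and the first user's password must also be stored under `system-user-password`). It takes the base64 `.data` map as printed by `kubectl get secret api-kafka-secret -o json`; the function names and the sample secret are assumptions constructed for illustration.

```python
import base64
import hmac

def decode_secret_data(data):
    """Decode the base64 `.data` map from `kubectl get secret NAME -o json`."""
    return {k: base64.b64decode(v).decode("utf-8") for k, v in data.items()}

def audit_client_credentials(users, secret):
    """Pair users with client-passwords by position; return (position, user, problem)
    tuples (1-based). Password values are never included in the output."""
    raw = secret.get("client-passwords")
    if raw is None:
        return [(0, "", "secret has no client-passwords key")]
    passwords = raw.split(",")
    findings = []
    for pos, user in enumerate(users, start=1):
        if pos > len(passwords):
            findings.append((pos, user, "no password at this position"))
        elif passwords[pos - 1] == "":
            findings.append((pos, user, "empty password"))
        elif passwords[pos - 1] != passwords[pos - 1].strip():
            findings.append((pos, user, "password has surrounding whitespace"))
    for pos in range(len(users) + 1, len(passwords) + 1):
        findings.append((pos, "", "password without a matching user"))
    # The values file on this page also requires the first user's password
    # under the key system-user-password.
    system_pw = secret.get("system-user-password")
    if users and system_pw is None:
        findings.append((1, users[0], "system-user-password key is missing"))
    elif users and not hmac.compare_digest(system_pw.encode(), passwords[0].encode()):
        findings.append((1, users[0], "system-user-password differs from first password"))
    return findings

def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

# Constructed sample, not the reporter's secret: four users from the list above,
# three passwords, and a trailing newline such as a file-based secret can carry.
SAMPLE_USERS = ["system-user", "api-admin-kafka", "api-audit-kafka", "api-auth-kafka"]
SAMPLE_SECRET_DATA = {
    "client-passwords": _b64("pw-one,pw-two,pw-three\n"),
    "system-user-password": _b64("pw-one"),
}

if __name__ == "__main__":
    decoded = decode_secret_data(SAMPLE_SECRET_DATA)
    for pos, user, problem in audit_client_credentials(SAMPLE_USERS, decoded):
        print(f"position {pos} {user or '-'}: {problem}")
```

A clean result only rules out a count or formatting mismatch in the secret; it says nothing about how the chart consumes the list.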

github-actions[bot] commented 11 months ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] commented 11 months ago

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.