kafbat / kafka-ui

Open-Source Web UI for managing Apache Kafka clusters
http://ui.docs.kafbat.io
Apache License 2.0

java.lang.IllegalStateException: Error while creating AdminClient for Cluster Default #310

Closed machuecos closed 6 months ago

machuecos commented 6 months ago

Describe the bug (actual behavior)

I have been following the documentation to provide the truststore.jks and keystore.jks so that I can connect to the Kafka cluster via SSL (https://docs.kafka-ui.provectus.io/configuration/helm-charts/configuration/ssl-example#create-secret), with exactly the same steps, but Kafka-UI is not able to bring up the application in the pod and I get an error in a loop.

Your installation details

  1. No UI appearing - Exception error
  2. Helm chart version 0.7.6 / AppVersion 0.7.2
  3. Application config (Helm templates generated related SSL)
    # Source: kafka-ui/templates/secret.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: ssl-secret
      namespace: strimzi-ui
    type: Opaque
    data:
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_PASSWORD: xxxxxxxx
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_PASSWORD: xxxxxxxx
    ---
    # Source: kafka-ui/templates/configmap_fromValues.yaml
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: release-name-kafka-ui-fromvalues
      namespace: strimzi-ui
      labels:
        helm.sh/chart: kafka-ui-0.7.6
        app.kubernetes.io/name: kafka-ui
        app.kubernetes.io/instance: release-name
        app.kubernetes.io/version: "v0.7.2"
        app.kubernetes.io/managed-by: Helm
    data:
      config.yml: |-
        auth:
          type: disabled
        kafka:
          clusters:
          - bootstrapServers: my-strimzi-kafka-bootstrap.strimzi.svc:9093
            name: strimzi
        management:
          health:
            ldap:
              enabled: false
    ---
    # Source: kafka-ui/templates/deployment.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: release-name-kafka-ui
      namespace: strimzi-ui
      labels:
        helm.sh/chart: kafka-ui-0.7.6
        app.kubernetes.io/name: kafka-ui
        app.kubernetes.io/instance: release-name
        app.kubernetes.io/version: "v0.7.2"
        app.kubernetes.io/managed-by: Helm
    spec:
      selector:
        matchLabels:
          app.kubernetes.io/name: kafka-ui
          app.kubernetes.io/instance: release-name
      template:
        metadata:
          annotations:
            checksum/config: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
            checksum/configFromValues: a38cb5f6be79022948da18404f8f9864ad709911bcdd09f63bd23d136bfa2e49
            checksum/secret: 039e6066e12df180e8d5d6f869dfbc264c32e6447ea385105e7f777252231cdf
          labels:
            app.kubernetes.io/name: kafka-ui
            app.kubernetes.io/instance: release-name
        spec:
          serviceAccountName: release-name-kafka-ui
          securityContext:
            {}
          containers:
            - name: kafka-ui
              securityContext:
                {}
              image: docker.io/provectuslabs/kafka-ui:v0.7.2
              imagePullPolicy: IfNotPresent
              env:
                - name: KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_LOCATION
                  value: /ssl/kafka.truststore.jks
                - name: KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_LOCATION
                  value: /ssl/kafka.keystore.jks
                - name: SPRING_CONFIG_ADDITIONAL-LOCATION
                  value: /kafka-ui/config.yml
              envFrom:
                - secretRef:
                    name: ssl-secret
              ports:
                - name: http
                  containerPort: 8080
                  protocol: TCP
              livenessProbe:
                httpGet:
                  path: /actuator/health
                  port: http
                initialDelaySeconds: 60
                periodSeconds: 30
                timeoutSeconds: 10
              readinessProbe:
                httpGet:
                  path: /actuator/health
                  port: http
                initialDelaySeconds: 60
                periodSeconds: 30
                timeoutSeconds: 10
              resources:
                {}
              volumeMounts:
                - mountPath: /ssl
                  name: config-volume
                - name: kafka-ui-yaml-conf
                  mountPath: /kafka-ui/
          volumes:
            - configMap:
                name: ssl-files
              name: config-volume
            - name: kafka-ui-yaml-conf
              configMap:
                name: release-name-kafka-ui-fromvalues
          affinity:
            podAntiAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
              - labelSelector:
                  matchExpressions:
                  - key: strimzi.io/kind
                    operator: In
                    values:
                    - cluster-operator
                topologyKey: topology.kubernetes.io/zone
  4. No IAAC code

Steps to reproduce

Follow the steps from the documentation (SSL Example section): https://docs.kafka-ui.provectus.io/configuration/helm-charts/configuration/ssl-example#create-secret

Screenshots

image

Logs

2024-04-21 10:03:38,638 DEBUG [parallel-2] c.p.k.u.s.ClustersStatisticsScheduler: Start getting metrics for kafkaCluster: Default
2024-04-21 10:03:38,639 ERROR [parallel-2] c.p.k.u.s.StatisticsService: Failed to collect cluster Default info
java.lang.IllegalStateException: Error while creating AdminClient for Cluster Default
        at com.provectus.kafka.ui.service.AdminClientServiceImpl.lambda$createAdminClient$5(AdminClientServiceImpl.java:56)
        at reactor.core.publisher.Mono.lambda$onErrorMap$28(Mono.java:3783)
        at reactor.core.publisher.FluxOnErrorResume$ResumeSubscriber.onError(FluxOnErrorResume.java:94)
        at reactor.core.publisher.Operators.error(Operators.java:198)
        at reactor.core.publisher.FluxFlatMap.trySubscribeScalarMap(FluxFlatMap.java:135)
        at reactor.core.publisher.MonoFlatMap.subscribeOrReturn(MonoFlatMap.java:53)
        at reactor.core.publisher.Mono.subscribe(Mono.java:4480)
        at reactor.core.publisher.FluxSwitchIfEmpty$SwitchIfEmptySubscriber.onComplete(FluxSwitchIfEmpty.java:82)
        at reactor.core.publisher.Operators.complete(Operators.java:137)
        at reactor.core.publisher.MonoEmpty.subscribe(MonoEmpty.java:46)
        at reactor.core.publisher.Mono.subscribe(Mono.java:4495)
        at reactor.core.publisher.FluxFlatMap$FlatMapMain.onNext(FluxFlatMap.java:427)
        at reactor.core.publisher.FluxPublishOn$PublishOnSubscriber.runAsync(FluxPublishOn.java:440)
        at reactor.core.publisher.FluxPublishOn$PublishOnSubscriber.run(FluxPublishOn.java:527)
        at reactor.core.scheduler.WorkerTask.call(WorkerTask.java:84)
        at reactor.core.scheduler.WorkerTask.call(WorkerTask.java:37)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.lang.NullPointerException: null
        at java.base/java.util.concurrent.ConcurrentHashMap.putVal(ConcurrentHashMap.java:1011)
        at java.base/java.util.concurrent.ConcurrentHashMap.put(ConcurrentHashMap.java:1006)
        at java.base/java.util.Properties.put(Properties.java:1301)
        at com.provectus.kafka.ui.service.AdminClientServiceImpl.lambda$createAdminClient$2(AdminClientServiceImpl.java:47)
        at reactor.core.publisher.MonoSupplier.call(MonoSupplier.java:67)
        at reactor.core.publisher.FluxFlatMap.trySubscribeScalarMap(FluxFlatMap.java:127)
        ... 16 common frames omitted

Haarolean commented 6 months ago

Hi, please share the contents of your config file (/kafka-ui/config.yml)

machuecos commented 6 months ago

Hi @Haarolean:

  config.yml: |-
    auth:
      type: disabled
    kafka:
      clusters:
      - bootstrapServers: my-strimzi-kafka-bootstrap.strimzi.svc:9093
        name: strimzi
    management:
      health:
        ldap:
          enabled: false

Haarolean commented 6 months ago

The error in your logs is about possibly missing bootstrapServers property. But your config looks valid, so here's a thing to try: does it work (or does the error change to some other one) if you get rid of the rest of the env vars? Remove this:

            - name: KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_LOCATION
              value: /ssl/kafka.truststore.jks
            - name: KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_LOCATION
              value: /ssl/kafka.keystore.jks

and see what happens.

machuecos commented 6 months ago

> The error in your logs is about possibly missing bootstrapServers property. But your config looks valid, so here's a thing to try: does it work (or does the error change to some other one) if you get rid of the rest of the env vars? Remove this:
>
>             - name: KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_LOCATION
>               value: /ssl/kafka.truststore.jks
>             - name: KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_LOCATION
>               value: /ssl/kafka.keystore.jks
>
> and see what happens.

Same error:

App with default connection:

image

And logs with exception:

image

ivanivicrho commented 1 month ago

For anyone stumbling upon this issue: if you use (m)TLS on the broker side and configure properties such as KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_LOCATION in kafka-ui, make sure to also configure KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL: SSL.

For me, the underlying issue behind this error stacktrace was that brokers only allowed secure connections. While appropriate keys were passed correctly to kafka-ui, they were not used because the security.protocol=ssl kafka property was not set in the client. Just passing keys is not enough; that's common for kafka clients afaik.

This was also visible in the info logs for the client when kafka-ui started, which mentioned that properties such as ssl.truststore.location etc. were set, but not used "yet".
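
As an added illustration of the point made in the last comment (not code from kafka-ui or from anyone in this thread): a pre-deploy check that flags clusters whose `KAFKA_CLUSTERS_<n>_PROPERTIES_SSL_*` variables are set while `security.protocol` is unset or not a TLS protocol. The env-name to property-name mapping and all function names are assumptions of this example, and it inspects environment variables only, not properties set in config.yml.

```python
import re
from collections import defaultdict

# kafka-ui per-cluster client properties passed as env vars, e.g.
# KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_LOCATION -> cluster 0, ssl.truststore.location
# (assumed mapping: lowercase, "_" becomes ".", as in the names quoted in this thread).
PROP_RE = re.compile(r"^KAFKA_CLUSTERS_(\d+)_PROPERTIES_([A-Z0-9_]+)$")
TLS_PROTOCOLS = {"SSL", "SASL_SSL"}  # security.protocol values that use ssl.* settings


def cluster_properties(env):
    """Group env vars into {cluster_index: {kafka_property: value}}."""
    clusters = defaultdict(dict)
    for name, value in env.items():
        m = PROP_RE.match(name)
        if m:
            clusters[int(m.group(1))][m.group(2).lower().replace("_", ".")] = value
    return dict(clusters)


def find_ignored_tls_settings(env):
    """Report clusters whose ssl.* properties are set but would not be used."""
    findings = []
    for idx, props in sorted(cluster_properties(env).items()):
        ssl_keys = sorted(k for k in props if k.startswith("ssl."))
        # Kafka clients default to PLAINTEXT when security.protocol is unset.
        protocol = props.get("security.protocol", "PLAINTEXT").upper()
        if ssl_keys and protocol not in TLS_PROTOCOLS:
            findings.append({"cluster": idx, "protocol": protocol, "ignored": ssl_keys})
    return findings


# Constructed sample: container env from the Deployment in this issue plus the
# two keys injected from ssl-secret via envFrom (values redacted as on the page).
ISSUE_ENV = {
    "KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_LOCATION": "/ssl/kafka.truststore.jks",
    "KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_LOCATION": "/ssl/kafka.keystore.jks",
    "KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_PASSWORD": "xxxxxxxx",
    "KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_PASSWORD": "xxxxxxxx",
    "SPRING_CONFIG_ADDITIONAL-LOCATION": "/kafka-ui/config.yml",
}
# Same env with the setting from the last comment added.
FIXED_ENV = dict(ISSUE_ENV, KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL="SSL")

if __name__ == "__main__":
    for label, env in (("issue", ISSUE_ENV), ("fixed", FIXED_ENV)):
        print(label, find_ignored_tls_settings(env) or "ssl.* settings in effect")
```

A finding here means the client would attempt a plaintext connection while carrying unused keystore and truststore settings, which is the situation the last comment describes.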