COnfigure kafka-ui to support SASL_SSL connnection to a secured Kafka #1002

nleeuskadi · 2025-04-01T15:23:24Z

nleeuskadi
Apr 1, 2025

Hello,

In the Kafka-ui documentation , I cannot find out how to set Kafka-ui helm chart values in order to make it configured in order to
connect to a secured Kafka through SALS_SSL.

Here below is a typical client.properties we are using to allow Clients to connect a secured kafka:

security.protocol=SASL_SSL
ssl.truststore.location=/path/to/truststore.p12
ssl.truststore.password="<<pwd>>"
ssl.truststore.type=PKCS12
sasl.mechanism=OAUTHBEARER
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
  oauth.client.id="client-id" \
  oauth.client.secret="client-secret" \
  oauth.ssl.truststore.location="/path/to/truststore.p12" \
  oauth.ssl.truststore.password="<<pwd>>" \
  oauth.ssl.truststore.type="PKCS12" \
  oauth.token.endpoint.uri="https://$SSO_HOST/realms/ns_name/protocol/openid-connect/token" ;
  sasl.login.callback.handler.class=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler

How to set these parameters in the helm chart values of kafka-ui?

Thank you in advance :)

germanosin · 2025-04-02T08:28:59Z

germanosin
Apr 2, 2025
Maintainer

Hi, @nleeuskadi

The Strimzi OAuth2 callback class is missing; you'll need to add it to the classpath.
Pass the configuration similarly to what you described:

You can pass these configurations in YAML format using this method: [Helm Charts Quick Start](https://ui.docs.kafbat.io/configuration/helm-charts/quick-start#passing-configuration-file-as-configmap).

kafka:
  clusters:
    - name: Server
      properties:
        security.protocol: SASL_SSL
        ssl.truststore.location: /path/to/truststore.p12
        ssl.truststore.password: <<pwd>>
        ssl.truststore.type: PKCS12
        sasl.mechanism: OAUTHBEARER
        sasl.jaas.config: org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required oauth.client.id="client-id" oauth.client.secret="client-secret" oauth.ssl.truststore.location="/path/to/truststore.p12" oauth.ssl.truststore.password="<<pwd>>" oauth.ssl.truststore.type="PKCS12" oauth.token.endpoint.uri="https://$SSO_HOST/realms/ns_name/protocol/openid-connect/token";
        sasl.login.callback.handler.class: io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler

0 replies

nleeuskadi · 2025-04-02T16:36:15Z

nleeuskadi
Apr 2, 2025
Author

hello @germanosin ,
thank you for your answer. it works fine now with your guidelines :)
Cheers

1 reply

germanosin Apr 2, 2025
Maintainer

hello @germanosin , thank you for your answer. it works fine now with your guidelines :) Cheers

You are welcome 👍

nleeuskadi · 2025-04-03T10:50:23Z

nleeuskadi
Apr 3, 2025
Author

hello @germanosin , in fact I have an issue with CLASSPATH.
I do not see how to inject the classpath to make kafka-ui container considering it.

Currently, I enriched the yaml values with adding env variable:

env:
  - name: CLASSPATH
    value: "$(CLASSPATH):/folfer/where/strimzi/libs/are/*"

I can check in the pod that the kafka libraires are avaliable in the expected foler and the CLASSPATH variable is well set with it.

But kafka-ui failed ot start with this error:

java.lang.IllegalStateException: Error while creating AdminClient for Cluster dit-kafka-cluster
        at io.kafbat.ui.service.AdminClientServiceImpl.lambda$createAdminClient$5(AdminClientServiceImpl.java:56)
        at reactor.core.publisher.Mono.lambda$onErrorMap$28(Mono.java:3783)
        at reactor.core.publisher.FluxOnErrorResume$ResumeSubscriber.onError(FluxOnErrorResume.java:94)
        at reactor.core.publisher.Operators.error(Operators.java:198)
        at reactor.core.publisher.FluxFlatMap.trySubscribeScalarMap(FluxFlatMap.java:135)
        at reactor.core.publisher.MonoFlatMap.subscribeOrReturn(MonoFlatMap.java:53)
        at reactor.core.publisher.Mono.subscribe(Mono.java:4480)
        at reactor.core.publisher.FluxSwitchIfEmpty$SwitchIfEmptySubscriber.onComplete(FluxSwitchIfEmpty.java:82)
        at reactor.core.publisher.Operators.complete(Operators.java:137)
        at reactor.core.publisher.MonoEmpty.subscribe(MonoEmpty.java:46)
        at reactor.core.publisher.Mono.subscribe(Mono.java:4495)
        at reactor.core.publisher.FluxFlatMap$FlatMapMain.onNext(FluxFlatMap.java:427)
        at reactor.core.publisher.FluxPublishOn$PublishOnSubscriber.runAsync(FluxPublishOn.java:446)
        at reactor.core.publisher.FluxPublishOn$PublishOnSubscriber.run(FluxPublishOn.java:533)
        at reactor.core.scheduler.WorkerTask.call(WorkerTask.java:84)
        at reactor.core.scheduler.WorkerTask.call(WorkerTask.java:37)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: org.apache.kafka.common.config.ConfigException: Invalid value io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler for configuration sasl.login.callback.handler.class: Class io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler could not be found.
        at org.apache.kafka.common.config.ConfigDef.parseType(ConfigDef.java:744)
        at org.apache.kafka.common.config.ConfigDef.parseValue(ConfigDef.java:490)
        at org.apache.kafka.common.config.ConfigDef.parse(ConfigDef.java:483)
        at org.apache.kafka.common.config.AbstractConfig.<init>(AbstractConfig.java:112)
        at org.apache.kafka.common.config.AbstractConfig.<init>(AbstractConfig.java:145)
        at org.apache.kafka.clients.admin.AdminClientConfig.<init>(AdminClientConfig.java:245)
        at org.apache.kafka.clients.admin.Admin.create(Admin.java:134)
        at org.apache.kafka.clients.admin.AdminClient.create(AdminClient.java:39)
        at io.kafbat.ui.service.AdminClientServiceImpl.lambda$createAdminClient$2(AdminClientServiceImpl.java:53)
        at reactor.core.publisher.MonoSupplier.call(MonoSupplier.java:67)
        at reactor.core.publisher.FluxFlatMap.trySubscribeScalarMap(FluxFlatMap.java:127)
        ... 16 common frames omitted

  Indeed, since the command ran by the kafka-ui container is "CMD java --add-opens java.rmi/javax.rmi.ssl=ALL-UNNAMED  $JAVA_OPTS -jar api.jar", it seems that CLASSPATH is ignored wihtout -cp parameter.
  
  Do you have any idea how to workaround this without rebuilding the kafka-ui image?
  
  Thank you for your help :)

1 reply

germanosin Apr 3, 2025
Maintainer

You're correct. To add extra jars to the classpath, you need to update the JAVA_OPTS environment variable with -cp {path to folder}.
like

JAVA_OPTS=-cp /folfer/where/strimzi/libs/are/*

hello @germanosin , in fact I have an issue with CLASSPATH. I do not see how to inject the classpath to make kafka-ui container considering it.

Currently, I enriched the yaml values with adding env variable:

env:
  - name: CLASSPATH
    value: "$(CLASSPATH):/folfer/where/strimzi/libs/are/*"

I can check in the pod that the kafka libraires are avaliable in the expected foler and the CLASSPATH variable is well set with it.

But kafka-ui failed ot start with this error:

java.lang.IllegalStateException: Error while creating AdminClient for Cluster dit-kafka-cluster
        at io.kafbat.ui.service.AdminClientServiceImpl.lambda$createAdminClient$5(AdminClientServiceImpl.java:56)
        at reactor.core.publisher.Mono.lambda$onErrorMap$28(Mono.java:3783)
        at reactor.core.publisher.FluxOnErrorResume$ResumeSubscriber.onError(FluxOnErrorResume.java:94)
        at reactor.core.publisher.Operators.error(Operators.java:198)
        at reactor.core.publisher.FluxFlatMap.trySubscribeScalarMap(FluxFlatMap.java:135)
        at reactor.core.publisher.MonoFlatMap.subscribeOrReturn(MonoFlatMap.java:53)
        at reactor.core.publisher.Mono.subscribe(Mono.java:4480)
        at reactor.core.publisher.FluxSwitchIfEmpty$SwitchIfEmptySubscriber.onComplete(FluxSwitchIfEmpty.java:82)
        at reactor.core.publisher.Operators.complete(Operators.java:137)
        at reactor.core.publisher.MonoEmpty.subscribe(MonoEmpty.java:46)
        at reactor.core.publisher.Mono.subscribe(Mono.java:4495)
        at reactor.core.publisher.FluxFlatMap$FlatMapMain.onNext(FluxFlatMap.java:427)
        at reactor.core.publisher.FluxPublishOn$PublishOnSubscriber.runAsync(FluxPublishOn.java:446)
        at reactor.core.publisher.FluxPublishOn$PublishOnSubscriber.run(FluxPublishOn.java:533)
        at reactor.core.scheduler.WorkerTask.call(WorkerTask.java:84)
        at reactor.core.scheduler.WorkerTask.call(WorkerTask.java:37)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: org.apache.kafka.common.config.ConfigException: Invalid value io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler for configuration sasl.login.callback.handler.class: Class io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler could not be found.
        at org.apache.kafka.common.config.ConfigDef.parseType(ConfigDef.java:744)
        at org.apache.kafka.common.config.ConfigDef.parseValue(ConfigDef.java:490)
        at org.apache.kafka.common.config.ConfigDef.parse(ConfigDef.java:483)
        at org.apache.kafka.common.config.AbstractConfig.<init>(AbstractConfig.java:112)
        at org.apache.kafka.common.config.AbstractConfig.<init>(AbstractConfig.java:145)
        at org.apache.kafka.clients.admin.AdminClientConfig.<init>(AdminClientConfig.java:245)
        at org.apache.kafka.clients.admin.Admin.create(Admin.java:134)
        at org.apache.kafka.clients.admin.AdminClient.create(AdminClient.java:39)
        at io.kafbat.ui.service.AdminClientServiceImpl.lambda$createAdminClient$2(AdminClientServiceImpl.java:53)
        at reactor.core.publisher.MonoSupplier.call(MonoSupplier.java:67)
        at reactor.core.publisher.FluxFlatMap.trySubscribeScalarMap(FluxFlatMap.java:127)
        ... 16 common frames omitted

  Indeed, since the command ran by the kafka-ui container is "CMD java --add-opens java.rmi/javax.rmi.ssl=ALL-UNNAMED  $JAVA_OPTS -jar api.jar", it seems that CLASSPATH is ignored wihtout -cp parameter.
  
  Do you have any idea how to workaround this without rebuilding the kafka-ui image?
  
  Thank you for your help :)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

COnfigure kafka-ui to support SASL_SSL connnection to a secured Kafka #1002

{{title}}

Replies: 3 comments 2 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

COnfigure kafka-ui to support SASL_SSL connnection to a secured Kafka #1002

nleeuskadi Apr 1, 2025

Replies: 3 comments · 2 replies

germanosin Apr 2, 2025 Maintainer

nleeuskadi Apr 2, 2025 Author

germanosin Apr 2, 2025 Maintainer

nleeuskadi Apr 3, 2025 Author

germanosin Apr 3, 2025 Maintainer

nleeuskadi
Apr 1, 2025

Replies: 3 comments 2 replies

germanosin
Apr 2, 2025
Maintainer

nleeuskadi
Apr 2, 2025
Author

germanosin Apr 2, 2025
Maintainer

nleeuskadi
Apr 3, 2025
Author

germanosin Apr 3, 2025
Maintainer