kafka deploy on k8s with KRaft mode and mTLS. when configure also org.apache.kafka.metadata.authorizer.StandardAuthorizer the kafka fail to load with ERROR [RaftManager id=0] Unexpected error UNKNOWN_SERVER_ERROR in VOTE response

[shtemeron]

Name and Version

bitnami/kafka:3.8.1-debian-12-r0

What architecture are you using?

None

What steps will reproduce the bug?

Configure in values.yaml to use SSL for client, controller, and interbroker. Also enable the following:

extraConfigYaml: 
    authorizer.class.name: kafka.security.authorizer.AclAuthorizer
    super.users: User:*
    allow.everyone.if.no.acl.found: true

What do you see instead?

[2024-11-03 11:09:11,849] ERROR [RaftManager id=0] Unexpected error UNKNOWN_SERVER_ERROR in VOTE response: InboundResponse(correlationId=4076, data=VoteResponseData(errorCode=-1, topics=[]), source=kafka-controller-1.kafka-controller-headless.helix.svc.cluster.local:9093 (id: 1 rack: null)) (org.apache.kafka.raft.KafkaRaftClient)
[2024-11-03 11:09:11,849] ERROR [ControllerApis nodeId=0] Unexpected error handling request RequestHeader(apiKey=VOTE, apiVersion=0, clientId=raft-client-1, correlationId=3997, headerVersion=2) -- VoteRequestData(clusterId='aBjmuDonUP0bV7CbrYF2mF', topics=[TopicData(topicName='__cluster_metadata', partitions=[PartitionData(partitionIndex=0, candidateEpoch=51, candidateId=1, lastOffsetEpoch=0, lastOffset=0)])]) with context RequestContext(header=RequestHeader(apiKey=VOTE, apiVersion=0, clientId=raft-client-1, correlationId=3997, headerVersion=2), connectionId='10.233.90.101:9093-10.233.90.125:56188-0', clientAddress=/10.233.90.125, principal=User:CN=BAGHIRA,OU=Amdocs\, Inc,L=Chesterfield,ST=Missouri,C=US, listenerName=ListenerName(CONTROLLER), securityProtocol=SSL, clientInformation=ClientInformation(softwareName=apache-kafka-java, softwareVersion=3.8.1), fromPrivilegedListener=false, principalSerde=Optional[org.apache.kafka.common.security.authenticator.DefaultKafkaPrincipalBuilder@422b3ab]) (kafka.server.ControllerApis)
org.apache.kafka.common.errors.AuthorizerNotReadyException

[shtemeron]

The call for authorizer used is like:

authorizer.class.name: org.apache.kafka.metadata.authorizer.StandardAuthorizer

and not what I wrote in the issue.

[carrodher]

Hi, the issue may not be directly related to the Bitnami container image/Helm chart, but rather to how the application is being utilized, configured in your specific environment, or tied to a particular scenario that is not easy to reproduce on our side.

If you think that's not the case and want to contribute a solution, we welcome you to create a pull request. The Bitnami team is excited to review your submission and offer feedback. You can find the contributing guidelines here.

Your contribution will greatly benefit the community. Feel free to reach out if you have any questions or need assistance.

Suppose you have any questions about the application, customizing its content, or technology and infrastructure usage. In that case, we highly recommend that you refer to the forums and user guides provided by the project responsible for the application or technology.

With that said, we'll keep this ticket open until the stale bot automatically closes it, in case someone from the community contributes valuable insights.