Try to produce a message through an ingress from outside the cluster #7857

JeromeFroment · 2022-12-23T15:41:34Z

JeromeFroment
Dec 23, 2022

Hello,

I am trying to produce a message through an ingress from outside the cluster but I get this error:

root@ubuntu:~/kafka# bin/kafka-console-producer.sh --topic test --bootstrap-server streaming-api.local.sandbox.com:443 --producer.config=/tmp/config.properties
[2022-12-23 14:57:46,374] WARN [Producer clientId=console-producer] Connection to node 1 (broker-1.local.sandbox.com/127.0.0.1:443) could not be established. Broker may not be available. (org.apache.kafka.clients.NetworkClient)
[2022-12-23 14:57:46,518] WARN [Producer clientId=console-producer] Connection to node 0 (broker-0.local.sandbox.com/127.0.0.1:443) could not be established. Broker may not be available. (org.apache.kafka.clients.NetworkClient)

(no logs in kafka server)

Versions

kafka-cluster-version: v2.8.0
kafka-operator-version: v0.24.0

With my kafka.yml:

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "2"
  labels:
    app: "clusterka"
  name: "clusterka"
  namespace: kafka
spec:
  kafka:
    version: 2.8.0
    replicas: 2
    jvmOptions:
      -Xms: 1024m
      -Xmx: 1024m
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls
      - name: external
        port: 9094
        type: ingress
        tls: true
        authentication:
          type: tls
        configuration:
          class: nginx
          bootstrap:
            host: streaming-api.local.sandbox.com
          brokers:
            - broker: 0
              host: broker-0.local.sandbox.com
            - broker: 1
              host: broker-1.local.sandbox.com
    authorization:
      type: simple
    config:
      offsets.topic.replication.factor: 1
      transaction.state.log.replication.factor: 1
      transaction.state.log.min.isr: 1
      log.message.format.version: "2.8"
    storage:
      type: jbod
      volumes:
        - id: 0
          type: persistent-claim
          size: 25Gi
          deleteClaim: false
  zookeeper:
    logging:
      type: inline
      loggers:
        zookeeper.root.logger: "INFO"
    replicas: 1
    storage:
      type: persistent-claim
      size: 10Gi
      deleteClaim: false
  entityOperator:
    topicOperator: {}
    userOperator:
      watchedNamespace: kafka
      reconciliationIntervalSeconds: 60
      logging:
        type: inline
        loggers:
          rootLogger.level: INFO
      resources:
        requests:
          memory: 512Mi
          cpu: "1"
        limits:
          memory: 512Mi
          cpu: "1"

I get the following services:

clusterka-zookeeper-nodes            ClusterIP   None            <none>        2181/TCP,2888/TCP,3888/TCP            23h
clusterka-kafka-brokers              ClusterIP   None            <none>        9090/TCP,9091/TCP,9092/TCP,9093/TCP   23h
clusterka-kafka-bootstrap            ClusterIP   10.43.83.167    <none>        9091/TCP,9092/TCP,9093/TCP            23h
clusterka-kafka-0                    ClusterIP   10.43.183.241   <none>        9094/TCP                              102m
clusterka-kafka-1                    ClusterIP   10.43.116.109   <none>        9094/TCP                              97m
clusterka-kafka-external-bootstrap   ClusterIP   10.43.103.98    <none>        9094/TCP                              102m

clusterka-kafka-external-bootstrap.yml

apiVersion: v1
kind: Service
metadata:
  name: clusterka-kafka-external-bootstrap
  namespace: kafka
  uid: c7d8cfce-d343-442b-a1de-88e040034032
  resourceVersion: '246685'
  creationTimestamp: '2022-12-23T15:30:56Z'
  labels:
    app: clusterka
    app.kubernetes.io/instance: clusterka
    app.kubernetes.io/managed-by: strimzi-cluster-operator
    app.kubernetes.io/name: kafka
    app.kubernetes.io/part-of: strimzi-clusterka
    strimzi.io/cluster: clusterka
    strimzi.io/kind: Kafka
    strimzi.io/name: clusterka-kafka
  selfLink: /api/v1/namespaces/kafka/services/clusterka-kafka-external-bootstrap
status:
  loadBalancer: {}
spec:
  ports:
    - name: tcp-external
      protocol: TCP
      port: 9094
      targetPort: 9094
  selector:
    strimzi.io/cluster: clusterka
    strimzi.io/kind: Kafka
    strimzi.io/name: clusterka-kafka
  clusterIP: 10.43.205.139
  clusterIPs:
    - 10.43.205.139
  type: ClusterIP
  sessionAffinity: None
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack

I get the following ingresses:

clusterka-kafka-0                     nginx    broker-0.local.sandbox.com        172.23.0.2   80, 443   106m
clusterka-kafka-1                     nginx    broker-1.local.sandbox.com        172.23.0.2   80, 443   101m
clusterka-kafka-bootstrap             nginx    streaming-api.local.sandbox.com   172.23.0.2   80, 443   104m

clusterka-kafka-bootstrap.yml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: clusterka-kafka-bootstrap
  namespace: kafka
  uid: a0dba259-ac39-4d8a-a590-df8efe52c6b0
  resourceVersion: '246705'
  generation: 1
  creationTimestamp: '2022-12-23T15:30:56Z'
  labels:
    app: clusterka
    app.kubernetes.io/instance: clusterka
    app.kubernetes.io/managed-by: strimzi-cluster-operator
    app.kubernetes.io/name: kafka
    app.kubernetes.io/part-of: strimzi-clusterka
    strimzi.io/cluster: clusterka
    strimzi.io/kind: Kafka
    strimzi.io/name: clusterka-kafka
  annotations:
    ingress.kubernetes.io/ssl-passthrough: 'true'
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/ssl-passthrough: 'true'
  ownerReferences:
    - apiVersion: kafka.strimzi.io/v1beta2
      kind: Kafka
      name: clusterka
      uid: def4a93d-a5f5-4dc1-b150-e84bf0a2edf9
      controller: false
      blockOwnerDeletion: false
  managedFields:
    - manager: okhttp
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2022-12-23T15:30:56Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:ingress.kubernetes.io/ssl-passthrough: {}
            f:nginx.ingress.kubernetes.io/backend-protocol: {}
            f:nginx.ingress.kubernetes.io/ssl-passthrough: {}
          f:labels:
            .: {}
            f:app: {}
            f:app.kubernetes.io/instance: {}
            f:app.kubernetes.io/managed-by: {}
            f:app.kubernetes.io/name: {}
            f:app.kubernetes.io/part-of: {}
            f:strimzi.io/cluster: {}
            f:strimzi.io/kind: {}
            f:strimzi.io/name: {}
          f:ownerReferences:
            .: {}
            k:{"uid":"def4a93d-a5f5-4dc1-b150-e84bf0a2edf9"}:
              .: {}
              f:apiVersion: {}
              f:blockOwnerDeletion: {}
              f:controller: {}
              f:kind: {}
              f:name: {}
              f:uid: {}
        f:spec:
          f:ingressClassName: {}
          f:rules: {}
          f:tls: {}
    - manager: nginx-ingress-controller
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2022-12-23T15:31:12Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:status:
          f:loadBalancer:
            f:ingress: {}
  selfLink: >-
    /apis/networking.k8s.io/v1/namespaces/kafka/ingresses/clusterka-kafka-bootstrap
status:
  loadBalancer:
    ingress:
      - ip: 172.23.0.2
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - streaming-api.local.sandbox.com
  rules:
    - host: streaming-api.local.sandbox.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: clusterka-kafka-external-bootstrap
                port:
                  number: 9094

I get the following pods:

clusterka-zookeeper-0                        1/1     Running   0          24h
clusterka-entity-operator-7dbd7847f8-ljtzj   3/3     Running   0          24h
clusterka-kafka-1                            1/1     Running   0          11m
clusterka-kafka-0                            1/1     Running   0          10m

clusterka-kafka-0.yml

apiVersion: v1
kind: Pod
metadata:
  name: clusterka-kafka-0
  generateName: clusterka-kafka-
  namespace: kafka
  uid: 7bc81933-7357-4b10-8415-82248941f368
  resourceVersion: '246774'
  creationTimestamp: '2022-12-23T15:31:26Z'
  labels:
    app: clusterka
    app.kubernetes.io/instance: clusterka
    app.kubernetes.io/managed-by: strimzi-cluster-operator
    app.kubernetes.io/name: kafka
    app.kubernetes.io/part-of: strimzi-clusterka
    controller-revision-hash: clusterka-kafka-7894647974
    statefulset.kubernetes.io/pod-name: clusterka-kafka-0
    strimzi.io/cluster: clusterka
    strimzi.io/kind: Kafka
    strimzi.io/name: clusterka-kafka
  annotations:
    strimzi.io/broker-configuration-hash: >-
      d2b1053580b6c5f6271053ecdfede26257dbf7a9b3828a8c3e364bf4eabf1c7b2805bfd9566516ea
    strimzi.io/clients-ca-cert-generation: '0'
    strimzi.io/cluster-ca-cert-generation: '0'
    strimzi.io/generation: '6'
    strimzi.io/inter-broker-protocol-version: '2.8'
    strimzi.io/kafka-version: 2.8.0
    strimzi.io/log-message-format-version: '2.8'
    strimzi.io/logging-appenders-hash: e893ac9f32f7958042d1c82477e3484b0f8ebad5
    strimzi.io/storage: >-
      {"volumes":[{"type":"persistent-claim","size":"1Gi","class":"local-path","id":0}],"type":"jbod"}
  selfLink: /api/v1/namespaces/kafka/pods/clusterka-kafka-0
status:
  phase: Running
  conditions:
    - type: Initialized
      status: 'True'
      lastProbeTime: null
      lastTransitionTime: '2022-12-23T15:31:26Z'
    - type: Ready
      status: 'True'
      lastProbeTime: null
      lastTransitionTime: '2022-12-23T15:31:46Z'
    - type: ContainersReady
      status: 'True'
      lastProbeTime: null
      lastTransitionTime: '2022-12-23T15:31:46Z'
    - type: PodScheduled
      status: 'True'
      lastProbeTime: null
      lastTransitionTime: '2022-12-23T15:31:26Z'
spec:
  volumes:
    - name: data-0
      persistentVolumeClaim:
        claimName: data-0-clusterka-kafka-0
    - name: strimzi-tmp
      emptyDir:
        medium: Memory
    - name: cluster-ca
      secret:
        secretName: clusterka-cluster-ca-cert
        defaultMode: 292
    - name: broker-certs
      secret:
        secretName: clusterka-kafka-brokers
        defaultMode: 292
    - name: client-ca-cert
      secret:
        secretName: clusterka-clients-ca-cert
        defaultMode: 292
    - name: kafka-metrics-and-logging
      configMap:
        name: clusterka-kafka-config
        defaultMode: 420
    - name: ready-files
      emptyDir:
        medium: Memory
    - name: kube-api-access-4ngpz
      projected:
        sources:
          - serviceAccountToken:
              expirationSeconds: 3607
              path: token
          - configMap:
              name: kube-root-ca.crt
              items:
                - key: ca.crt
                  path: ca.crt
          - downwardAPI:
              items:
                - path: namespace
                  fieldRef:
                    apiVersion: v1
                    fieldPath: metadata.namespace
        defaultMode: 420
  containers:
    - name: kafka
      image: >-
        ****/kafka:0.24.0-kafka-2.8.0
      command:
        - /opt/kafka/kafka_run.sh
      ports:
        - name: tcp-ctrlplane
          containerPort: 9090
          protocol: TCP
        - name: tcp-replication
          containerPort: 9091
          protocol: TCP
        - name: tcp-clients
          containerPort: 9092
          protocol: TCP
        - name: tcp-clientstls
          containerPort: 9093
          protocol: TCP
        - name: tcp-external
          containerPort: 9094
          protocol: TCP
      env:
        - name: KAFKA_METRICS_ENABLED
          value: 'false'
        - name: STRIMZI_KAFKA_GC_LOG_ENABLED
          value: 'false'
        - name: KAFKA_HEAP_OPTS
          value: '-Xms1024m -Xmx1024m'
      resources:
        limits:
          cpu: '1'
          memory: 1Gi
        requests:
          cpu: 100m
          memory: 100Mi
      volumeMounts:
        - name: data-0
          mountPath: /var/lib/kafka/data-0
        - name: strimzi-tmp
          mountPath: /tmp
        - name: cluster-ca
          mountPath: /opt/kafka/cluster-ca-certs
        - name: broker-certs
          mountPath: /opt/kafka/broker-certs
        - name: client-ca-cert
          mountPath: /opt/kafka/client-ca-certs
        - name: kafka-metrics-and-logging
          mountPath: /opt/kafka/custom-config/
        - name: ready-files
          mountPath: /var/opt/kafka
        - name: kube-api-access-4ngpz
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      livenessProbe:
        exec:
          command:
            - /opt/kafka/kafka_liveness.sh
        initialDelaySeconds: 15
        timeoutSeconds: 5
        periodSeconds: 10
        successThreshold: 1
        failureThreshold: 3
      readinessProbe:
        exec:
          command:
            - test
            - '-f'
            - /var/opt/kafka/kafka-ready
        initialDelaySeconds: 15
        timeoutSeconds: 5
        periodSeconds: 10
        successThreshold: 1
        failureThreshold: 3
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      imagePullPolicy: IfNotPresent
  restartPolicy: Always
  terminationGracePeriodSeconds: 30
  dnsPolicy: ClusterFirst
  serviceAccountName: clusterka-kafka
  serviceAccount: clusterka-kafka
  nodeName: k3d-cx-pcd-c01-s14-local-pcd-jfr-1-server-0
  securityContext:
    fsGroup: 0
  imagePullSecrets:
    - name: *****
  hostname: clusterka-kafka-0
  subdomain: clusterka-kafka-brokers
  affinity: {}
  schedulerName: default-scheduler
  tolerations:
    - key: node.kubernetes.io/not-ready
      operator: Exists
      effect: NoExecute
      tolerationSeconds: 300
    - key: node.kubernetes.io/unreachable
      operator: Exists
      effect: NoExecute
      tolerationSeconds: 300
  priority: 0
  enableServiceLinks: true
  preemptionPolicy: PreemptLowerPriority

Additional tests

Change the service (backend) pointed by the generated ingress (ingress: clusterka-kafka-bootstrap)

Original configuration:

spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - streaming-api.local.sandbox.com
  rules:
    - host: streaming-api.local.sandbox.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: clusterka-kafka-external-bootstrap
                port:
                  number: 9094

New configuration:

spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - streaming-api.local.sandbox.com
  rules:
    - host: streaming-api.local.sandbox.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: clusterka-kafka-bootstrap # Pointe désormais vers le bootstrap généré par le internal listener
                port:
                  number: 9093

Results

root@ubuntu:~/kafka# bin/kafka-console-producer.sh --topic test --bootstrap-server streaming-api.local.sandbox.com:443 --producer.config=/tmp/config.properties
>Hello
root@ubuntu:~/kafka# bin/kafka-console-consumer.sh --topic test --group my-group --from-beginning --bootstrap-server streaming-api.local.sandbox.com:443 --consumer.config=/tmp/config.properties
Hello

It works

Go through the internal listener

root@ubuntu:~/kafka# bin/kafka-console-producer.sh --topic test --bootstrap-server clusterka-kafka-bootstrap:9093--producer.config=/tmp/config.properties
>Hello
root@ubuntu:~/kafka# bin/kafka-console-consumer.sh --topic test --group my-group --from-beginning --bootstrap-server clusterka-kafka-bootstrap:9093--consumer.config=/tmp/config.properties
Hello

It works

Ingress (without certificate) created by me and which exposes the service clusterka-kafka-bootstrap:9093 (internal listener)

[2022-12-23 15:15:48,774] ERROR [Producer clientId=console-producer] Connection to node -1 (streaming-api.local.sandbox.com/10.43.130.75:443) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2022-12-23 15:15:48,774] WARN [Producer clientId=console-producer] Bootstrap broker streaming-api.local.sandbox.com:443 (id: -1 rack: null) disconnected (org.apache.kafka.clients.NetworkClient)

But it is another issue

Thank you in advance for your help! I remain at your disposal for any further information

scholzj · 2022-12-23T15:52:50Z

scholzj
Dec 23, 2022
Maintainer

It is a bit hard to say what is wrong without knowing what the environment looks like in detail.

broker-0.local.sandbox.com and broker-1.local.sandbox.com seem to resolve to 127.0.0.1 - is that expected and correct? The error and your follow-up experiments suggest that the bootstrap resource seems to work somehow. But not the per-broker ingress resources. Shouldn't it resolve to 172.23.0.2?
Your Ingress resources as you shared them here, do not seem to have the status section. You also don't share the status of the Kafka custom resource or the operator log. So was the cluster properly deployed? Were the ingress resources actually accepted by the Ingress controller? If you can share all of it, it might help to understand the issue.

3 replies

JeromeFroment Dec 23, 2022
Author

Thanks for your reply and sorry for the missing information:

Environment

I am currently working on a cluster (k8s v1.21.12) hosted on a private server. I have deployed an ingress controler that exposes my ingresses through the address 172.23.0.2.

About the brokers that are resolved in 127.0.0.1, it is not a desired behavior from my part and indeed I would have expected rather 127.23.0.2.

Here are the yml generated from the ingresses:

broker-0

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: clusterka-kafka-0
  namespace: kafka
  uid: 7f7dad33-1062-4fbb-9a1e-21ae65495810
  resourceVersion: '246706'
  generation: 1
  creationTimestamp: '2022-12-23T15:30:56Z'
  labels:
    app: clusterka
    app.kubernetes.io/instance: clusterka
    app.kubernetes.io/managed-by: strimzi-cluster-operator
    app.kubernetes.io/name: kafka
    app.kubernetes.io/part-of: strimzi-clusterka
    strimzi.io/cluster: clusterka
    strimzi.io/kind: Kafka
    strimzi.io/name: clusterka-kafka
  annotations:
    ingress.kubernetes.io/ssl-passthrough: 'true'
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/ssl-passthrough: 'true'
  ownerReferences:
    - apiVersion: kafka.strimzi.io/v1beta2
      kind: Kafka
      name: clusterka
      uid: def4a93d-a5f5-4dc1-b150-e84bf0a2edf9
      controller: false
      blockOwnerDeletion: false
  managedFields:
    - manager: okhttp
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2022-12-23T15:30:56Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:ingress.kubernetes.io/ssl-passthrough: {}
            f:nginx.ingress.kubernetes.io/backend-protocol: {}
            f:nginx.ingress.kubernetes.io/ssl-passthrough: {}
          f:labels:
            .: {}
            f:app: {}
            f:app.kubernetes.io/instance: {}
            f:app.kubernetes.io/managed-by: {}
            f:app.kubernetes.io/name: {}
            f:app.kubernetes.io/part-of: {}
            f:strimzi.io/cluster: {}
            f:strimzi.io/kind: {}
            f:strimzi.io/name: {}
          f:ownerReferences:
            .: {}
            k:{"uid":"def4a93d-a5f5-4dc1-b150-e84bf0a2edf9"}:
              .: {}
              f:apiVersion: {}
              f:blockOwnerDeletion: {}
              f:controller: {}
              f:kind: {}
              f:name: {}
              f:uid: {}
        f:spec:
          f:ingressClassName: {}
          f:rules: {}
          f:tls: {}
    - manager: nginx-ingress-controller
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2022-12-23T15:31:12Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:status:
          f:loadBalancer:
            f:ingress: {}
  selfLink: /apis/networking.k8s.io/v1/namespaces/kafka/ingresses/clusterka-kafka-0
status:
  loadBalancer:
    ingress:
      - ip: 172.23.0.2
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - broker-0.local.sandbox.com
  rules:
    - host: broker-0.local.sandbox.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: clusterka-kafka-0
                port:
                  number: 9094

broker-1

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: clusterka-kafka-1
  namespace: kafka
  uid: 3f4e76e6-3430-44ed-a1d5-045e77c58a14
  resourceVersion: '246704'
  generation: 1
  creationTimestamp: '2022-12-23T15:30:56Z'
  labels:
    app: clusterka
    app.kubernetes.io/instance: clusterka
    app.kubernetes.io/managed-by: strimzi-cluster-operator
    app.kubernetes.io/name: kafka
    app.kubernetes.io/part-of: strimzi-clusterka
    strimzi.io/cluster: clusterka
    strimzi.io/kind: Kafka
    strimzi.io/name: clusterka-kafka
  annotations:
    ingress.kubernetes.io/ssl-passthrough: 'true'
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/ssl-passthrough: 'true'
  ownerReferences:
    - apiVersion: kafka.strimzi.io/v1beta2
      kind: Kafka
      name: clusterka
      uid: def4a93d-a5f5-4dc1-b150-e84bf0a2edf9
      controller: false
      blockOwnerDeletion: false
  managedFields:
    - manager: okhttp
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2022-12-23T15:30:56Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:ingress.kubernetes.io/ssl-passthrough: {}
            f:nginx.ingress.kubernetes.io/backend-protocol: {}
            f:nginx.ingress.kubernetes.io/ssl-passthrough: {}
          f:labels:
            .: {}
            f:app: {}
            f:app.kubernetes.io/instance: {}
            f:app.kubernetes.io/managed-by: {}
            f:app.kubernetes.io/name: {}
            f:app.kubernetes.io/part-of: {}
            f:strimzi.io/cluster: {}
            f:strimzi.io/kind: {}
            f:strimzi.io/name: {}
          f:ownerReferences:
            .: {}
            k:{"uid":"def4a93d-a5f5-4dc1-b150-e84bf0a2edf9"}:
              .: {}
              f:apiVersion: {}
              f:blockOwnerDeletion: {}
              f:controller: {}
              f:kind: {}
              f:name: {}
              f:uid: {}
        f:spec:
          f:ingressClassName: {}
          f:rules: {}
          f:tls: {}
    - manager: nginx-ingress-controller
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2022-12-23T15:31:12Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:status:
          f:loadBalancer:
            f:ingress: {}
  selfLink: /apis/networking.k8s.io/v1/namespaces/kafka/ingresses/clusterka-kafka-1
status:
  loadBalancer:
    ingress:
      - ip: 172.23.0.2
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - broker-1.local.sandbox.com
  rules:
    - host: broker-1.local.sandbox.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: clusterka-kafka-1
                port:
                  number: 9094

bootstrap

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: clusterka-kafka-bootstrap
  namespace: kafka
  uid: a0dba259-ac39-4d8a-a590-df8efe52c6b0
  resourceVersion: '246705'
  generation: 1
  creationTimestamp: '2022-12-23T15:30:56Z'
  labels:
    app: clusterka
    app.kubernetes.io/instance: clusterka
    app.kubernetes.io/managed-by: strimzi-cluster-operator
    app.kubernetes.io/name: kafka
    app.kubernetes.io/part-of: strimzi-clusterka
    strimzi.io/cluster: clusterka
    strimzi.io/kind: Kafka
    strimzi.io/name: clusterka-kafka
  annotations:
    ingress.kubernetes.io/ssl-passthrough: 'true'
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/ssl-passthrough: 'true'
  ownerReferences:
    - apiVersion: kafka.strimzi.io/v1beta2
      kind: Kafka
      name: clusterka
      uid: def4a93d-a5f5-4dc1-b150-e84bf0a2edf9
      controller: false
      blockOwnerDeletion: false
  managedFields:
    - manager: okhttp
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2022-12-23T15:30:56Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:ingress.kubernetes.io/ssl-passthrough: {}
            f:nginx.ingress.kubernetes.io/backend-protocol: {}
            f:nginx.ingress.kubernetes.io/ssl-passthrough: {}
          f:labels:
            .: {}
            f:app: {}
            f:app.kubernetes.io/instance: {}
            f:app.kubernetes.io/managed-by: {}
            f:app.kubernetes.io/name: {}
            f:app.kubernetes.io/part-of: {}
            f:strimzi.io/cluster: {}
            f:strimzi.io/kind: {}
            f:strimzi.io/name: {}
          f:ownerReferences:
            .: {}
            k:{"uid":"def4a93d-a5f5-4dc1-b150-e84bf0a2edf9"}:
              .: {}
              f:apiVersion: {}
              f:blockOwnerDeletion: {}
              f:controller: {}
              f:kind: {}
              f:name: {}
              f:uid: {}
        f:spec:
          f:ingressClassName: {}
          f:rules: {}
          f:tls: {}
    - manager: nginx-ingress-controller
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2022-12-23T15:31:12Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:status:
          f:loadBalancer:
            f:ingress: {}
  selfLink: >-
    /apis/networking.k8s.io/v1/namespaces/kafka/ingresses/clusterka-kafka-bootstrap
status:
  loadBalancer:
    ingress:
      - ip: 172.23.0.2
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - streaming-api.local.sandbox.com
  rules:
    - host: streaming-api.local.sandbox.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: clusterka-kafka-external-bootstrap
                port:
                  number: 9094

Here the kafka custom resource with the status section:

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: '2'
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"kafka.strimzi.io/v1beta2","kind":"Kafka","metadata":{"annotations":{"argocd.argoproj.io/sync-wave":"2"},"labels":{"app":"clusterka"},"name":"clusterka","namespace":"kafka"},"spec":{"entityOperator":{"topicOperator":{},"userOperator":{"logging":{"loggers":{"rootLogger.level":"INFO"},"type":"inline"},"reconciliationIntervalSeconds":60,"resources":{"limits":{"cpu":"1","memory":"512Mi"},"requests":{"cpu":"1","memory":"512Mi"}},"watchedNamespace":"kafka"}},"kafka":{"authorization":{"type":"simple"},"config":{"log.message.format.version":"2.8","offsets.topic.replication.factor":1,"transaction.state.log.min.isr":1,"transaction.state.log.replication.factor":1},"jvmOptions":{"-Xms":"1024m","-Xmx":"1024m"},"listeners":[{"name":"plain","port":9092,"tls":false,"type":"internal"},{"authentication":{"type":"tls"},"name":"tls","port":9093,"tls":true,"type":"internal"},{"authentication":{"type":"tls"},"configuration":{"bootstrap":{"host":"streaming-api.local.sandbox.com"},"brokers":[{"broker":0,"host":"broker-0.local.sandbox.com"},{"broker":1,"host":"broker-1.local.sandbox.com"}],"class":"nginx"},"name":"external","port":9094,"tls":true,"type":"ingress"}],"replicas":2,"resources":{"limits":{"cpu":1,"memory":"1Gi"},"requests":{"cpu":0.1,"memory":"100Mi"}},"storage":{"type":"jbod","volumes":[{"class":"local-path","deleteClaim":false,"id":0,"size":"1Gi","type":"persistent-claim"}]},"version":"2.8.0"},"zookeeper":{"logging":{"loggers":{"zookeeper.root.logger":"INFO"},"type":"inline"},"replicas":1,"resources":{"limits":{"cpu":1,"memory":"1Gi"},"requests":{"cpu":0.1,"memory":"100Mi"}},"storage":{"deleteClaim":false,"size":"1Gi","type":"persistent-claim"}}}}
  creationTimestamp: '2022-12-22T15:11:08Z'
  generation: 9
  labels:
    app: clusterka
  managedFields:
    - apiVersion: kafka.strimzi.io/v1beta2
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:argocd.argoproj.io/sync-wave: {}
            f:kubectl.kubernetes.io/last-applied-configuration: {}
          f:labels:
            .: {}
            f:app: {}
        f:spec:
          .: {}
          f:entityOperator:
            .: {}
            f:topicOperator: {}
            f:userOperator:
              .: {}
              f:logging:
                .: {}
                f:loggers:
                  .: {}
                  f:rootLogger.level: {}
                f:type: {}
              f:reconciliationIntervalSeconds: {}
              f:resources:
                .: {}
                f:limits:
                  .: {}
                  f:cpu: {}
                  f:memory: {}
                f:requests:
                  .: {}
                  f:cpu: {}
                  f:memory: {}
              f:watchedNamespace: {}
          f:kafka:
            .: {}
            f:authorization:
              .: {}
              f:type: {}
            f:config:
              .: {}
              f:log.message.format.version: {}
              f:offsets.topic.replication.factor: {}
              f:transaction.state.log.min.isr: {}
              f:transaction.state.log.replication.factor: {}
            f:jvmOptions:
              .: {}
              f:-Xms: {}
              f:-Xmx: {}
            f:listeners: {}
            f:replicas: {}
            f:resources:
              .: {}
              f:limits:
                .: {}
                f:cpu: {}
                f:memory: {}
              f:requests:
                .: {}
                f:cpu: {}
                f:memory: {}
            f:storage:
              .: {}
              f:type: {}
              f:volumes: {}
            f:version: {}
          f:zookeeper:
            .: {}
            f:logging:
              .: {}
              f:loggers:
                .: {}
                f:zookeeper.root.logger: {}
              f:type: {}
            f:replicas: {}
            f:resources:
              .: {}
              f:limits:
                .: {}
                f:cpu: {}
                f:memory: {}
              f:requests:
                .: {}
                f:cpu: {}
                f:memory: {}
            f:storage:
              .: {}
              f:deleteClaim: {}
              f:size: {}
              f:type: {}
      manager: kubectl-client-side-apply
      operation: Update
      time: '2022-12-22T15:11:08Z'
    - apiVersion: kafka.strimzi.io/v1beta2
      fieldsType: FieldsV1
      fieldsV1:
        f:status:
          .: {}
          f:clusterId: {}
          f:conditions: {}
          f:listeners: {}
          f:observedGeneration: {}
      manager: okhttp
      operation: Update
      time: '2022-12-23T14:28:28Z'
  name: clusterka
  namespace: kafka
  resourceVersion: '246852'
  uid: def4a93d-a5f5-4dc1-b150-e84bf0a2edf9
  selfLink: /apis/kafka.strimzi.io/v1beta2/namespaces/kafka/kafkas/clusterka
status:
  clusterId: mvkfXoJLSxW-UTfIjEMsPw
  conditions:
    - lastTransitionTime: '2022-12-23T15:32:16.712Z'
      status: 'True'
      type: Ready
  listeners:
    - addresses:
        - host: clusterka-kafka-bootstrap.kafka.svc
          port: 9092
      bootstrapServers: clusterka-kafka-bootstrap.kafka.svc:9092
      type: plain
    - addresses:
        - host: clusterka-kafka-bootstrap.kafka.svc
          port: 9093
      bootstrapServers: clusterka-kafka-bootstrap.kafka.svc:9093
      certificates:
        - |
          -----BEGIN CERTIFICATE-----
          MIIFLTCCAxWgAwIBAgIUWbWi54+e51cTN7bonI+u4AiQ10wwDQYJKoZIhvcNAQEN
          BQAwLTETMBEGA1UECgwKaW8uc3RyaW16aTEWMBQGA1UEAwwNY2x1c3Rlci1jYSB2
          MDAeFw0yMjEyMjIxNTExMTFaFw0yMzEyMjIxNTExMTFaMC0xEzARBgNVBAoMCmlv
          LnN0cmltemkxFjAUBgNVBAMMDWNsdXN0ZXItY2EgdjAwggIiMA0GCSqGSIb3DQEB
          AQUAA4ICDwAwggIKAoICAQDzUVzSwwJY4vKPj8CxlXPZovMxJwMITPv9dibahKXW
          lItFOiNFvSNqsWhR/q+zwZ7G9zRlkGtl/02+YlSeln+5MQioafswYsEZm8ho1YGm
          PaDuYaFW45a+afWkvThU7AeuP2KKNROamU6JkhrexzU0gwXOlln9ekrfhXMjE+ch
          RlJ9fsH3yaWAvmrnArH+7oWm1Wn5SZRUGs3od4DzQwnX8Yrx0RrSegRyDGq1D4W6
          uOL8hBUvaVCrzaTM/wnU2bVsdbI66YaTpnit5/Neh1JxC/Ks3ORTZo4V+EfXpwMI
          pza7W5Zezrm9hmszrcqMbEcMLThXjBDxXDDC7C7Hdxe38B1vH3WveKKLTq+wZYdD
          J4pRJ2sQBhbssNyvWXpR60j1D6KxQuy8c9lBQbP6e53edmzWl+RdED9RtxobK+DO
          FQjnvBLPeIFcTqlaaNQU7FCoKSthbm/V5gJkJXeVnZDljG15eTbvInGvffcwnAkA
          waioyMVQJOwM91+g9srZHR88l0cZEOn0A56dRiOC3gtzarMtlbqffhpjy9goVi6D
          OXwSttr9cMoKnTeRpD61vIQO9455BcKwlhgyC3ZIbUItkdH3iUXdXtvjjTfkxJfr
          Q+Jbh+WmP9wps9k2bYK2LJlTJrkFc9z57xegUvEJH13uF7lca1NUhUZwsepVLwYS
          wwIDAQABo0UwQzAdBgNVHQ4EFgQUa2fxrQsL3euCdcRfVhRwsg5wq7EwEgYDVR0T
          AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQENBQADggIB
          AItDs9IERDztWZ43CKiEpi4cG0rA7Y3gIv/pWfSpXvMGN3iodSF4eEdKivBgApLG
          Ho5X+Z031HKE1i0E871V2waDppjaXHC/uwrXbQUb0Kuk+Lm5dhCK2+RpvP4volta
          uD0b8BYXHTjOKTi1ry4fgh5vEk7rf2CmrXwnAq4u3Tm9P+3nd/8PgbqGSAaA6TEt
          vtI0smw8X6MWeV15eQddfxjGNd97ZV41GWbHAH2qGON1tWFQj2B720YWO7KelcV1
          G9yEARELimTAB2FU5h/ur7gOtUc1EVR8GMnqH5DWL+a1wm3Tf0OY/TAoGM5g1j2Q
          2REs9/bh8/KQIylYGezG7yHagrlE+P90gS0o2X1Y13nF/fODzzf8Yn1sDphLvMNk
          1O2j8EHhvAw2gLSMYKQv5QEuG8z6C38jN4tRRgVMuR4pgzWN48sNCX18wm1Yjh7C
          e90IJRj2wUvjY9ZBoHuDAlU6vfWWeAPFk+mOtKHvgX9M1uDBq0/ep92zIjbNKWRE
          NX8ME4u+AeHXFWD6fibu+832BPAyV0xi59+QejWh9IlUbEdGtnSZIau5n/REhyDN
          vSsO/8lejSMUnnHhh+xFMIajs2s8CBp/1K2YxslVm3+zXY7R/VUJ0BslsA8mlx3S
          hn0ir812+AIzOQ1fHqUn7aIqScYLjDWJ4DRJaDDhv2tx
          -----END CERTIFICATE-----
      type: tls
    - addresses:
        - host: streaming-api.local.sandbox.com
          port: 443
      bootstrapServers: streaming-api.local.sandbox.com:443
      certificates:
        - |
          -----BEGIN CERTIFICATE-----
          MIIFLTCCAxWgAwIBAgIUWbWi54+e51cTN7bonI+u4AiQ10wwDQYJKoZIhvcNAQEN
          BQAwLTETMBEGA1UECgwKaW8uc3RyaW16aTEWMBQGA1UEAwwNY2x1c3Rlci1jYSB2
          MDAeFw0yMjEyMjIxNTExMTFaFw0yMzEyMjIxNTExMTFaMC0xEzARBgNVBAoMCmlv
          LnN0cmltemkxFjAUBgNVBAMMDWNsdXN0ZXItY2EgdjAwggIiMA0GCSqGSIb3DQEB
          AQUAA4ICDwAwggIKAoICAQDzUVzSwwJY4vKPj8CxlXPZovMxJwMITPv9dibahKXW
          lItFOiNFvSNqsWhR/q+zwZ7G9zRlkGtl/02+YlSeln+5MQioafswYsEZm8ho1YGm
          PaDuYaFW45a+afWkvThU7AeuP2KKNROamU6JkhrexzU0gwXOlln9ekrfhXMjE+ch
          RlJ9fsH3yaWAvmrnArH+7oWm1Wn5SZRUGs3od4DzQwnX8Yrx0RrSegRyDGq1D4W6
          uOL8hBUvaVCrzaTM/wnU2bVsdbI66YaTpnit5/Neh1JxC/Ks3ORTZo4V+EfXpwMI
          pza7W5Zezrm9hmszrcqMbEcMLThXjBDxXDDC7C7Hdxe38B1vH3WveKKLTq+wZYdD
          J4pRJ2sQBhbssNyvWXpR60j1D6KxQuy8c9lBQbP6e53edmzWl+RdED9RtxobK+DO
          FQjnvBLPeIFcTqlaaNQU7FCoKSthbm/V5gJkJXeVnZDljG15eTbvInGvffcwnAkA
          waioyMVQJOwM91+g9srZHR88l0cZEOn0A56dRiOC3gtzarMtlbqffhpjy9goVi6D
          OXwSttr9cMoKnTeRpD61vIQO9455BcKwlhgyC3ZIbUItkdH3iUXdXtvjjTfkxJfr
          Q+Jbh+WmP9wps9k2bYK2LJlTJrkFc9z57xegUvEJH13uF7lca1NUhUZwsepVLwYS
          wwIDAQABo0UwQzAdBgNVHQ4EFgQUa2fxrQsL3euCdcRfVhRwsg5wq7EwEgYDVR0T
          AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQENBQADggIB
          AItDs9IERDztWZ43CKiEpi4cG0rA7Y3gIv/pWfSpXvMGN3iodSF4eEdKivBgApLG
          Ho5X+Z031HKE1i0E871V2waDppjaXHC/uwrXbQUb0Kuk+Lm5dhCK2+RpvP4volta
          uD0b8BYXHTjOKTi1ry4fgh5vEk7rf2CmrXwnAq4u3Tm9P+3nd/8PgbqGSAaA6TEt
          vtI0smw8X6MWeV15eQddfxjGNd97ZV41GWbHAH2qGON1tWFQj2B720YWO7KelcV1
          G9yEARELimTAB2FU5h/ur7gOtUc1EVR8GMnqH5DWL+a1wm3Tf0OY/TAoGM5g1j2Q
          2REs9/bh8/KQIylYGezG7yHagrlE+P90gS0o2X1Y13nF/fODzzf8Yn1sDphLvMNk
          1O2j8EHhvAw2gLSMYKQv5QEuG8z6C38jN4tRRgVMuR4pgzWN48sNCX18wm1Yjh7C
          e90IJRj2wUvjY9ZBoHuDAlU6vfWWeAPFk+mOtKHvgX9M1uDBq0/ep92zIjbNKWRE
          NX8ME4u+AeHXFWD6fibu+832BPAyV0xi59+QejWh9IlUbEdGtnSZIau5n/REhyDN
          vSsO/8lejSMUnnHhh+xFMIajs2s8CBp/1K2YxslVm3+zXY7R/VUJ0BslsA8mlx3S
          hn0ir812+AIzOQ1fHqUn7aIqScYLjDWJ4DRJaDDhv2tx
          -----END CERTIFICATE-----
      type: external
  observedGeneration: 9
spec:
  entityOperator:
    topicOperator: {}
    userOperator:
      logging:
        loggers:
          rootLogger.level: INFO
        type: inline
      reconciliationIntervalSeconds: 60
      resources:
        limits:
          cpu: '1'
          memory: 512Mi
        requests:
          cpu: '1'
          memory: 512Mi
      watchedNamespace: kafka
  kafka:
    authorization:
      type: simple
    config:
      log.message.format.version: '2.8'
      offsets.topic.replication.factor: 1
      transaction.state.log.min.isr: 1
      transaction.state.log.replication.factor: 1
    jvmOptions:
      '-Xms': 1024m
      '-Xmx': 1024m
    listeners:
      - name: plain
        port: 9092
        tls: false
        type: internal
      - authentication:
          type: tls
        name: tls
        port: 9093
        tls: true
        type: internal
      - authentication:
          type: tls
        configuration:
          bootstrap:
            host: streaming-api.local.sandbox.com
          brokers:
            - broker: 0
              host: broker-0.local.sandbox.com
            - broker: 1
              host: broker-1.local.sandbox.com
          class: nginx
        name: external
        port: 9094
        tls: true
        type: ingress
    replicas: 2
    resources:
      limits:
        cpu: 1
        memory: 1Gi
      requests:
        cpu: 0.1
        memory: 100Mi
    storage:
      type: jbod
      volumes:
        - class: local-path
          deleteClaim: false
          id: 0
          size: 1Gi
          type: persistent-claim
    version: 2.8.0
  zookeeper:
    logging:
      loggers:
        zookeeper.root.logger: INFO
      type: inline
    replicas: 1
    resources:
      limits:
        cpu: 1
        memory: 1Gi
      requests:
        cpu: 0.1
        memory: 100Mi
    storage:
      deleteClaim: false
      size: 1Gi
      type: persistent-claim

I just noticed that the type of my external listener is equal to "external" unlike my internal listener where the type = "tls".
We find this problem in the logs of the operator

Kafka-operator logs:

14:27:11.625 [vert.x-eventloop-thread-1] ERROR io.strimzi.operator.cluster.model.ListenersValidator - Reconciliation #712(timer) Kafka(kafka/clusterka): Listener configuration is not valid: [listener external is Route or Ingress type listener and requires enabled TLS encryption]
14:27:11.625 [vert.x-eventloop-thread-1] ERROR io.strimzi.operator.common.AbstractOperator - Reconciliation #712(timer) Kafka(kafka/clusterka): createOrUpdate failed
io.strimzi.operator.cluster.model.InvalidResourceException: Listener configuration is not valid: [listener external is Route or Ingress type listener and requires enabled TLS encryption]
	at io.strimzi.operator.cluster.model.ListenersValidator.validate(ListenersValidator.java:46) ~[io.strimzi.cluster-operator-0.24.0.jar:0.24.0]
	at io.strimzi.operator.cluster.model.KafkaCluster.fromCrd(KafkaCluster.java:466) ~[io.strimzi.cluster-operator-0.24.0.jar:0.24.0]
	at io.strimzi.operator.cluster.operator.assembly.KafkaAssemblyOperator$ReconciliationState.lambda$getKafkaClusterDescription$55(KafkaAssemblyOperator.java:1458) ~[io.strimzi.cluster-operator-0.24.0.jar:0.24.0]
	at io.vertx.core.impl.future.Composition.onSuccess(Composition.java:38) ~[io.vertx.vertx-core-4.1.0.jar:4.1.0]
	at io.vertx.core.impl.future.FutureBase.emitSuccess(FutureBase.java:62) ~[io.vertx.vertx-core-4.1.0.jar:4.1.0]
	at io.vertx.core.impl.future.FutureImpl.tryComplete(FutureImpl.java:179) ~[io.vertx.vertx-core-4.1.0.jar:4.1.0]
	at io.vertx.core.impl.future.PromiseImpl.tryComplete(PromiseImpl.java:23) ~[io.vertx.vertx-core-4.1.0.jar:4.1.0]
	at io.vertx.core.impl.future.PromiseImpl.onSuccess(PromiseImpl.java:49) ~[io.vertx.vertx-core-4.1.0.jar:4.1.0]
	at io.vertx.core.impl.future.FutureBase.lambda$emitSuccess$0(FutureBase.java:54) ~[io.vertx.vertx-core-4.1.0.jar:4.1.0]
	at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164) [io.netty.netty-common-4.1.65.Final.jar:4.1.65.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472) [io.netty.netty-common-4.1.65.Final.jar:4.1.65.Final]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:500) [io.netty.netty-transport-4.1.65.Final.jar:4.1.65.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [io.netty.netty-common-4.1.65.Final.jar:4.1.65.Final]
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [io.netty.netty-common-4.1.65.Final.jar:4.1.65.Final]
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [io.netty.netty-common-4.1.65.Final.jar:4.1.65.Final]
	at java.lang.Thread.run(Thread.java:829) [?:?]

I tried to fix it but my listener seems to be well configured in my file (see my previous message for the complete file) if we compare it to the documentation.

My version

listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls
      - name: external
        port: 9094
        type: ingress
        tls: true
        authentication:
          type: tls
        configuration:
          class: nginx
          bootstrap:
            host: streaming-api.local.sandbox.com
          brokers:
            - broker: 0
              host: broker-0.local.sandbox.com
            - broker: 1
              host: broker-1.local.sandbox.com

Documentation (https://strimzi.io/docs/operators/in-development/configuring.html#proc-accessing-kafka-using-ingress-str)

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
spec:
  kafka:
    # ...
    listeners:
      - name: external
        port: 9094
        type: ingress
        tls: true
        authentication:
          type: tls
        configuration: (1)
          bootstrap:
            host: bootstrap.myingress.com
          brokers:
          - broker: 0
            host: broker-0.myingress.com
          - broker: 1
            host: broker-1.myingress.com
          - broker: 2
            host: broker-2.myingress.com
    # ...
  zookeeper:
    # ...

scholzj Dec 24, 2022
Maintainer

The resources look all good. So I think there should not be a problem there 🤔

On the beginning you said you get this error:

root@ubuntu:~/kafka# bin/kafka-console-producer.sh --topic test --bootstrap-server streaming-api.local.sandbox.com:443 --producer.config=/tmp/config.properties
[2022-12-23 14:57:46,374] WARN [Producer clientId=console-producer] Connection to node 1 (broker-1.local.sandbox.com/127.0.0.1:443) could not be established. Broker may not be available. (org.apache.kafka.clients.NetworkClient)
[2022-12-23 14:57:46,518] WARN [Producer clientId=console-producer] Connection to node 0 (broker-0.local.sandbox.com/127.0.0.1:443) could not be established. Broker may not be available. (org.apache.kafka.clients.NetworkClient)

The way I read it is that it connects fine to the bootstrap address and finds the addresses of the individual brokers. But it seems to resolve them to 127.0.0.1 instead of 172.23.0.2 so it does not connect. So I think you need to look into that and fix that. And see what happens when it finds the right IP.

I just noticed that the type of my external listener is equal to "external" unlike my internal listener where the type = "tls".
We find this problem in the logs of the operator

io.strimzi.operator.cluster.model.InvalidResourceException: Listener configuration is not valid: [listener external is Route or Ingress type listener and requires enabled TLS encryption]

The Ingress listener is required to use TLS passthrough because Kafka connections are not HTTP. So in the listener configuration, the tls flag, always needs to be true. This one:

    listeners:
      - name: external
        port: 9094
        type: ingress
        tls: true                 <=========== THIS ONE
        authentication:
          type: tls
        configuration: (1)
          bootstrap:
            host: bootstrap.myingress.com
          brokers:
          - broker: 0
            host: broker-0.myingress.com
          - broker: 1
            host: broker-1.myingress.com
          - broker: 2
            host: broker-2.myingress.com
    # ...

Otherwise it would not work (Unlike type: loadbalancer or type: nodeport listeners which can be used also without TLS). So basically that is what the error means. But your custom resources look good, so not sure why would you get this error.

JeromeFroment Dec 24, 2022
Author

Alright, I'll look for the address resolution and let you know what I find. Thanks !

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Strimzi

Try to produce a message through an ingress from outside the cluster #7857

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Strimzi

Try to produce a message through an ingress from outside the cluster #7857

Uh oh!

Uh oh!

JeromeFroment Dec 23, 2022

Versions

Additional tests

Change the service (backend) pointed by the generated ingress (ingress: clusterka-kafka-bootstrap)

Results

Go through the internal listener

Ingress (without certificate) created by me and which exposes the service clusterka-kafka-bootstrap:9093 (internal listener)

Replies: 1 comment · 3 replies

Uh oh!

scholzj Dec 23, 2022 Maintainer

Uh oh!

JeromeFroment Dec 23, 2022 Author

Environment

Uh oh!

scholzj Dec 24, 2022 Maintainer

Uh oh!

JeromeFroment Dec 24, 2022 Author

JeromeFroment
Dec 23, 2022

Replies: 1 comment 3 replies

scholzj
Dec 23, 2022
Maintainer

JeromeFroment Dec 23, 2022
Author

scholzj Dec 24, 2022
Maintainer

JeromeFroment Dec 24, 2022
Author