After creating topic ACLs within our application, it is not present in Strimzi Kafka cluster

[FlowsenAusMonotown]

Hi together,
we are using Strimzi Kafka Operator to setup a Kafka cluster (currently one replication). Within our Spring Boot application we are using Spring Kafka admin client to create topics and ACLs for it. In AKHQ we see that the topics are created but the ACLs are mostly not available. Only the one with "User:*" is availabble. Is there a mechanism inside of Strimzi, which deletes the created ACLs while "reconcile" the topics in the operator or anything we missed in the configs to keep the ACLs created within our application?

Please remember, we are using our own certificate infrastructure: https://github.com/orgs/strimzi/discussions/8625

Here is our Strimzi configuration:

  apiVersion: kafka.strimzi.io/v1beta2
  kind: Kafka
  metadata:
    name: ${var.instance_name}
    namespace: ${kubernetes_namespace_v1.instance_namespace.metadata.0.name}
  spec:
    clientsCa:
      generateCertificateAuthority: false
    kafka:
      image: own-container.registry.io/strimzi:custom
      version: 3.4.0
      replicas: 1
      listeners:
        - name: external
          port: 9093
          type: loadbalancer
          tls: true
          authentication:
            type: tls
          configuration:
            bootstrap:
              annotations:
                "service.beta.kubernetes.io/azure-load-balancer-ipv4": ${var.instance_kafka_ip}
              loadBalancerIP: ${var.instance_kafka_ip}
            brokerCertChainAndKey:
              secretName: ${local.external-kafka-cert-secret-name}
              certificate: tls.crt
              key: tls.key
            finalizers: ["service.kubernetes.io/load-balancer-cleanup"]
        - name: internal
          port: 29093
          type: cluster-ip
          tls: true
          authentication:
            type: tls
          configuration:
            brokerCertChainAndKey:
              secretName: ${local.internal-kafka-cert-secret-name}
              certificate: tls.crt
              key: tls.key
      config:
        offsets.topic.replication.factor: 1
        transaction.state.log.replication.factor: 1
        transaction.state.log.min.isr: 1
        default.replication.factor: 1
        min.insync.replicas: 1
        inter.broker.protocol.version: "3.4"
        offsets.retention.minutes: 525600
        allow.everyone.if.no.acl.found: false
        auto.create.topics.enable: false
        principal.builder.class: custom.kafka.common.security.authenticator.CustomKafkaPrincipalBuilder
      storage:
        type: ephemeral
      authorization:
        type: simple
        superUsers:
          - Applications:${local.platform-admin-app-id}
          - Services:akhq-${local.akhq-random-uuid}
    zookeeper:
      replicas: 1
      storage:
        type: ephemeral
    entityOperator:
      topicOperator: {}
      userOperator: {}

[FlowsenAusMonotown]

We removed the following block:

entityOperator:
      userOperator: {}

and now it is working. Is the UserOperator removing ACLs from users, which were not created using the dedicated KafkaUser CRD?

[scholzj]

The USer Operator has the KafkaUser CRs as the single source of truth. So if you create some ACLs which do not match the user resources, they will be deleted. If you want to manage your users and ACLs yourself using the Kafka Admin API, you just have to disable the User Operator as you already found out.