Schema Registry tab erroring when using SASL_SSL

[abryant710]

Issue submitter TODO list

• I've looked up my issue in FAQ
• I've searched for an already existing issues here
• I've tried running main-labeled docker image and the issue still persists there
• I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

I have set the following configuration setting in my Kafka UI container:

KAFKA_CLUSTERS_0_SCHEMAREGISTRY: https://${SCHEMA_REGISTRY_CONTAINER_NAME}:${SCHEMA_REGISTRY_SERVER_PORT}

However, in the UI when I open the schema registry tab, I see the following error in the logs:

2024-06-26 11:40:01 2024-06-26 10:40:01,643 ERROR [reactor-http-epoll-6] o.s.b.a.w.r.e.AbstractErrorWebExceptionHandler: [08ac1913-49]  500 Server Error for HTTP GET "/api/clusters/local/schemas/compatibility"
2024-06-26 11:40:01 org.springframework.web.reactive.function.client.WebClientRequestException: Host is not specified
2024-06-26 11:40:01     at org.springframework.web.reactive.function.client.ExchangeFunctions$DefaultExchangeFunction.lambda$wrapException$9(ExchangeFunctions.java:136)
2024-06-26 11:40:01     Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException: 
2024-06-26 11:40:01 Error has been observed at the following site(s):
2024-06-26 11:40:01     *__checkpoint ⇢ Request to GET https://eve_schema-registry:18085/config/ [DefaultWebClient]
2024-06-26 11:40:01     *__checkpoint ⇢ Handler io.kafbat.ui.controller.SchemasController#getGlobalSchemaCompatibilityLevel(String, ServerWebExchange) [DispatcherHandler]

If I log into the Kafka UI container (after installing curl as root user) and try to curl the schema registry, it works fine:

docker exec -it tru_eve_kafka-ui /bin/sh
/ $ curl -vk https://${SCHEMA_REGISTRY_CONTAINER_NAME}:${SCHEMA_REGISTRY_SERVER_PORT}
* Host eve_schema-registry:18085 was resolved.
* IPv6: (none)
* IPv4: 192.168.144.7
*   Trying 192.168.144.7:18085...
* Connected to eve_schema-registry (192.168.144.7) port 18085
...
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://eve_schema-registry:18085/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: eve_schema-registry:18085]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.5.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: eve_schema-registry:18085
> User-Agent: curl/8.5.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 200
< date: Wed, 26 Jun 2024 10:44:46 GMT
< x-request-id: 692e47b4-f5eb-40a3-9ec2-53f5a977327e
< content-length: 2
< content-type: application/vnd.schemaregistry.v1+json
< vary: Accept-Encoding, User-Agent
<
* Connection #0 to host eve_schema-registry left intact

Is there a configuration setting that I am missing in the Kafka UI container? Please help me resolve this issue.

Let me know if you need any more information.

Expected behavior

The Schema Registry tab should open and show all the schemas loaded into the Schema Registry, without any errors in the logs.

Your installation details

Docker compose project:

Services

Zookeeper

Image: confluentinc/cp-zookeeper:7.6.1.amd64
Restart Policy: unless-stopped
Environment Variables:
ZOOKEEPER_CLIENT_PORT: 2181
KAFKA_OPTS: Configured for SASL authentication and security.
Health Check: Uses nc to check if the Zookeeper port is open.

Kafka

Image: confluentinc/cp-enterprise-kafka:7.6.1.amd64
Restart Policy: unless-stopped
Environment Variables:
Configured for SASL_SSL communication with Zookeeper and clients.
SSL keystore and truststore locations and credentials are specified.
JAAS configuration for SASL authentication.
Exposed Ports: 9092
Health Check: Uses nc to check if the Kafka port is open.

Schema Registry

Image: confluentinc/cp-schema-registry:7.6.1.amd64
Restart Policy: unless-stopped
Environment Variables:
Configured for SASL_SSL communication with Kafka.
SSL keystore and truststore locations and credentials are specified.
JAAS configuration for SASL authentication.
Schema Registry listeners set to https://0.0.0.0:18085
Exposed Ports: 18085
Health Check: Uses curl to check if the Schema Registry is accessible over HTTPS.

Kafka-UI

Image: ghcr.io/kafbat/kafka-ui:latest
Restart Policy: unless-stopped
Environment Variables:
Configured for SASL_SSL communication with Kafka and Schema Registry.
SSL keystore and truststore locations and credentials are specified.
Schema Registry URL set to https://${KAFKA_UI_SCHEMA_REGISTRY_HOST}:18085
Exposed Ports: ${KAFKA_UI_PORT}
Health Check: Uses curl to check if the Kafka-UI is accessible.

Security Configuration

SASL_SSL: All Kafka-related services (Kafka broker, Schema Registry, Kafka-UI) are configured to use SASL_SSL for secure communication.
SSL Certificates: SSL keystore and truststore locations and credentials are specified for all services to ensure encrypted communication.

Health Checks

Health checks are configured for Zookeeper, Kafka, Schema Registry, and Kafka-UI to ensure that the services are running and accessible. These checks use nc and curl commands to verify service availability.

Steps to reproduce

1. Start docker-compose project
2. Log in to kafka-ui
3. Open the Schema registry tab on the left
4. Error appear in the UI with 500 error
5. Logging message appears in kafka-ui logs, as previously shared

Screenshots

No response

Logs

See description

Additional context

No response

[github-actions]

Hi abryant710! 👋

Welcome, and thank you for opening your first issue in the repo!

Please wait for triaging by our maintainers.

As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues.
Sponsorship link

If you plan to raise a PR for this issue, please take a look at our contributing guide.

[Haarolean]

This is an infra issue, as our compose example works just fine.
KAFKA_CLUSTERS_0_SCHEMAREGISTRY: https://schemaregistry0:8085
Please provide a minimal reproducible example in a form of a docker-compose file (as the one mentioned above) if you want us to take a look into that.

[kapybro]

Further user feedback is requested. Please reply within 7 days or we might close the issue.

[abryant710]

@Haarolean I can see that you are using http rather than https in your configuration for the Schema Registry. Do you have a working example where the Schema Registry is configured with SASL_SSL?

Please confirm before I provide a docker-compose example.

[kapybro]

Thanks for the additional feedback! We'll get back to your issue soon.

[Haarolean]

https://github.com/kafbat/kafka-ui/blob/main/documentation/compose/kafka-ssl-components.yaml#L20

[kapybro]

Further user feedback is requested. Please reply within 7 days or we might close the issue.

[abryant710]

This was confirmed to work in a proper server deployment. Not working on localhost, likely for hostname inconsistency with certificates.

Please close the ticket.

[kapybro]

Thanks for the additional feedback! We'll get back to your issue soon.