White Screen after login with Azure

[Alexander-ac]

Issue submitter TODO list

• I've looked up my issue in FAQ
• I've searched for an already existing issues here
• I've tried running main-labeled docker image and the issue still persists there
• I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

Dear team, we are currently trying to get kafka-ui running in kubernetes.
We want to perform authentication via Azure.
This works so far, we see the following log lines:

2024-05-02 15:02:37,811 DEBUG [reactor-http-epoll-4] i.k.u.s.r.e.OauthAuthorityExtractor: Token's groups: [admin,veib]
2024-05-02 15:02:37,813 DEBUG [reactor-http-epoll-4] i.k.u.s.r.e.OauthAuthorityExtractor: Matched roles: [admin]
2024-05-02 15:02:55,303 DEBUG [parallel-1] i.k.u.s.ClustersStatisticsScheduler: Start getting metrics for kafkaCluster: test
2024-05-02 15:02:55,953 DEBUG [parallel-1] i.k.u.s.ClustersStatisticsScheduler: Metrics updated for cluster: test

To us, it looks like azure response is being evaluated by Kafka-UI, but the page doesn't display afterwards. So you only see a white background.

Can you help us.

With kind regards

Alex

Expected behavior

No response

Your installation details

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: kafka-ui
  namespace: monitoring
spec:
  rules:
    - host: xxxxxxxxxxxxx
      http:
        paths:
          - backend:
              service:
                name: kafka-ui
                port:
                  number: 80
            path: /kafka-ui
            pathType: Prefix
---
apiVersion: v1
data:
  roles.yaml: |
    rbac:
      roles:
        - name: "admin"
          clusters:
            - test
          subjects:
            - provider: oauth
              type: role
              value: "admin"
          permissions:
            - resource: applicationconfig
              actions: all
            - resource: clusterconfig
              actions: all
            - resource: topic
              value: ".*"
              actions: all
kind: ConfigMap
metadata:
  name: kafka-ui-configmap
  namespace: monitoring
---
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: kafka-ui
  template:
    metadata:
      name: kafka-ui
      labels:
        app.kubernetes.io/name: kafka-ui
    spec:
      serviceAccountName: kafka-ui
      securityContext:
        runAsGroup: 65534
        runAsNonRoot: true
        runAsUser: 65534
      imagePullSecrets:
        - name: artifactory-docker-cred
      volumes:
      - configMap:
          name: kafka-ui-configmap
        name: roles-volume
      containers:
        - name: kafka-ui
          image: xxxxxxx/kafbat/kafka-ui:latest
          imagePullPolicy: IfNotPresent
          env:
            - name: LOGGING_LEVEL_COM.PROVECTUS.KAFKA.UI.SERVICE.RBAC.EXTRACTOR
              value: trace
            - name: LOGGING_LEVEL_ORG.SPRINGFRAMEWORK.SECURITY
              value: debug
            - name: KAFKA_CLUSTERS_0_NAME
              value: test
            - name: KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS
              value: kafka-test.xxxxxxx:9096
            - name: KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL
              value: SASL_SSL
            - name: KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM
              value: SCRAM-SHA-512
            - name: KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG
              valueFrom:
                secretKeyRef:
                  key: kafka_ui_jaas_config
                  name: kafka-ui-secret
            - name: SERVER_SERVLET_CONTEXT_PATH
              value: /kafka-ui
            - name: AUTH_TYPE
              value: OAUTH2
            - name: AUTH_OAUTH2_CLIENT_AZURE_PROVIDER
              value: azure
            - name: AUTH_OAUTH2_CLIENT_AZURE_CLIENTID
              value: xxxxxxxxxxxxxxxxxxxxx
            - name: AUTH_OAUTH2_CLIENT_AZURE_CLIENTSECRET
              value: xxxxxxxxxxxxxxxxxxxxx
            - name: AUTH_OAUTH2_CLIENT_AZURE_SCOPE
              value: openid
            - name: AUTH_OAUTH2_CLIENT_AZURE_USER-NAME-ATTRIBUTE
              value: name
            - name: AUTH_OAUTH2_CLIENT_AZURE_ISSUERURI
              value: https://login.microsoftonline.com/xxxxxxxxxxxxx/v2.0
            - name: AUTH_OAUTH2_CLIENT_AZURE_CUSTOM-PARAMS_TYPE
              value: oauth
            - name: AUTH_OAUTH2_CLIENT_AZURE_CUSTOM-PARAMS_ROLES-FIELD
              value: roles
            - name: SPRING_CONFIG_ADDITIONAL-LOCATION
              value: /etc/kafkaui/roles.yaml 
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /kafka-ui/actuator/health
              port: http
            initialDelaySeconds: 60
            periodSeconds: 30
            timeoutSeconds: 10
          readinessProbe:
            httpGet:
              path: /kafka-ui/actuator/health
              port: http
            initialDelaySeconds: 60
            periodSeconds: 30
            timeoutSeconds: 10
          resources:
            limits:
              cpu: 0.6
              memory: 1500Mi
            requests:
              cpu: 100m
              memory: 1024Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            readOnlyRootFilesystem: false
            runAsGroup: 65534
            runAsNonRoot: true
            runAsUser: 65534
          volumeMounts:
            - mountPath: /etc/kafkaui
              name: roles-volume
              readOnly: true
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: kafka-ui
  namespace: monitoring
spec:
  rules:
    - host: xxxxxxxxxxxxx
      http:
        paths:
          - backend:
              service:
                name: kafka-ui
                port:
                  number: 80
            path: /kafka-ui
            pathType: Prefix
---
apiVersion: v1
data:
  roles.yaml: |
    rbac:
      roles:
        - name: "admin"
          clusters:
            - test
          subjects:
            - provider: oauth
              type: role
              value: "admin"
          permissions:
            - resource: applicationconfig
              actions: all
            - resource: clusterconfig
              actions: all
            - resource: topic
              value: ".*"
              actions: all
kind: ConfigMap
metadata:
  name: kafka-ui-configmap
  namespace: monitoring
---

Steps to reproduce

Start application
Start login process with azure

Screenshots

No response

Logs

No response

Additional context

No response

[github-actions]

Hi Alexander-ac! 👋

Welcome, and thank you for opening your first issue in the repo!

Please wait for triaging by our maintainers.

As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues.
Sponsorship link

If you plan to raise a PR for this issue, please take a look at our contributing guide.

[Haarolean]

Hi can you take a look at your browser's dev console for the errors?

[Alexander-ac]

Unfortunately, nothing can be seen under the Dev Console.
All you can see is the URL in the browser:

https://test.xxxxxx/kafka-ui/login/oauth2/code/azure?code=0.ASEAnC2noeZJbU-a9lqvoRg7_cCi9itqla9FiCgZcPdRUwQhAPY.AgABBAIAA.....

As if the browser was stuck in the load loop.

[Alexander-ac]

Yesterday I experimented with Keycloak and WebUI locally on my computer. I built the whole thing using Docker and simulated it without using reverse proxy. And look, it works! So I strongly suspect that the cause of the problem is the reverse proxy settings.

Can someone tell me what I'm doing wrong with the Ingress settings?

[Alexander-ac]

I think I have now found the real reason for the problem. If I remove the SERVER_SERVLET_CONTEXT_PATH variable, the forwarding works properly. And the WEB-UI interface appears.

[Haarolean]

So is it solved? Please comment here if there's anything else

[Alexander-ac]

I have found the workaround for the problem.
Of course it's not a real solution to the problem. I would like to use the prefix. But it doesn't work! Namely if you want to use AzureAd or Outh as authentication together with the prefix.
In my opinion the problem still exists and needs to be fixed. The whole thing can be recreated with Docker and Keycloak.

[Haarolean]

@Alexander-ac can you provide a minimal reproducible example then? As you mentioned, a docker compose with keycloak would work. Feel free to attach even the volume contents for the keycloak setup.