Security — Kafka (UI)
This document covers Kafka UI web interface authentication. Cluster listeners (plain and TLS) are configured in the Kafka cluster parameters — see Kafka Configuration for details on broker listeners.
Kafka UI supports two authentication modes:
| Mode | Description |
|---|---|
| LOGIN_FORM | Username and password defined directly in values.yaml |
| LDAP | Authentication delegated to a corporate LDAP/AD server |
LOGIN_FORM (default)
The LOGIN_FORM mode is the chart default and only requires setting a username and password:
```yaml
kafka-ui:
  yamlApplicationConfig:
    auth:
      type: LOGIN_FORM
    spring:
      security:
        user:
          name: admin
          password: <ui-password>
```
The chart installs with password: admin by default. Change this password before exposing the interface outside the cluster's internal network. Use private values files (not versioned) or Secret mechanisms in your environment to protect the credential.
LDAP
The LDAP mode delegates authentication to the corporate LDAP or Active Directory server. It is the recommended mode in shared environments or when there is a centralized identity policy.
```yaml
kafka-ui:
  yamlApplicationConfig:
    auth:
      type: LDAP
    spring:
      ldap:
        urls: ldap://<ldap-host>:389
        base: "<ldap-base-dn>"
        admin-user: "<ldap-bind-dn>"
        admin-password: "<ldap-bind-password>"
```
| Field | Description | Example |
|---|---|---|
| urls | LDAP server address | ldap://ldap.company.com:389 |
| base | User search base DN | dc=company,dc=com |
| admin-user | Bind user DN (query) | uid=kafkaui,cn=users,cn=accounts,dc=company,dc=com |
| admin-password | Bind user password | Do not version — use secrets |
Do not store <ldap-bind-password> in a Git repository. Environment variable injection depends on the Kafka UI version — consult helm show values and the subchart documentation for extraEnvVars options available in your version.
Using LDAPS (TLS)
For a secure connection to the LDAP server, replace the ldap:// scheme with ldaps:// and use port 636:
```yaml
spring:
  ldap:
    urls: ldaps://<ldap-host>:636
```
Make sure the LDAP server's CA certificate is present in the pod's truststore. In environments using a private PKI, it may be necessary to mount the certificate as a volume and configure it at runtime.
Recommendations
| Aspect | Recommendation |
|---|---|
| Development environment | LOGIN_FORM with a strong password, access via port-forward |
| Shared / production environment | LDAP with LDAPS (port 636) |
| Credentials | Never version passwords in a public values.yaml; use private files or Secrets management |
| UI exposure | Prefer access via Ingress with TLS or controlled port-forward; avoid NodePort on open networks |
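As an added example (not code from the chart or the Kafka UI project), the following Python audit walks the `kafka-ui.yamlApplicationConfig` structure shown in the LOGIN_FORM, LDAP and LDAPS sections above and reports where it departs from the recommendations in this table. The sample values dicts, the hostnames and the 12-character password threshold are constructed assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PASSWORD = "admin"   # chart default stated on this page
MIN_PASSWORD_LEN = 12        # assumption: heuristic threshold for "strong password"

def audit_kafka_ui_auth(values: dict) -> list[str]:
    """Return findings for the kafka-ui auth block of a parsed values.yaml (empty means clean)."""
    findings = []
    cfg = values.get("kafka-ui", {}).get("yamlApplicationConfig", {})
    auth_type = cfg.get("auth", {}).get("type", "LOGIN_FORM")  # LOGIN_FORM is the chart default
    spring = cfg.get("spring", {})
    if auth_type == "LOGIN_FORM":
        user = spring.get("security", {}).get("user", {})
        password = str(user.get("password", DEFAULT_PASSWORD))
        if password == DEFAULT_PASSWORD:
            findings.append("LOGIN_FORM: chart default password 'admin' is still set")
        elif len(password) < MIN_PASSWORD_LEN:
            findings.append(f"LOGIN_FORM: password shorter than {MIN_PASSWORD_LEN} characters")
    elif auth_type == "LDAP":
        ldap = spring.get("ldap", {})
        urls = ldap.get("urls", "")
        if isinstance(urls, str):  # handle both a comma-separated string and a YAML list
            urls = [u.strip() for u in urls.split(",") if u.strip()]
        for url in urls:
            parts = urlsplit(url)
            if parts.scheme != "ldaps":
                findings.append(f"LDAP: {url} is plaintext; use ldaps://<host>:636")
            elif parts.port not in (None, 636):
                findings.append(f"LDAP: {url} uses LDAPS on a non-standard port")
        if ldap.get("admin-password"):
            findings.append("LDAP: admin-password is a literal in values; inject it from a Secret")
    else:
        findings.append(f"unknown auth.type {auth_type!r}")
    return findings

# Constructed sample values (not from any real environment), mirroring the page's snippets.
INSECURE_LDAP_VALUES = {"kafka-ui": {"yamlApplicationConfig": {
    "auth": {"type": "LDAP"},
    "spring": {"ldap": {"urls": "ldap://ldap.example.internal:389", "base": "dc=example,dc=internal",
                        "admin-user": "uid=kafkaui,dc=example,dc=internal", "admin-password": "hunter2"}}}}}
HARDENED_LDAP_VALUES = {"kafka-ui": {"yamlApplicationConfig": {
    "auth": {"type": "LDAP"},
    "spring": {"ldap": {"urls": "ldaps://ldap.example.internal:636", "base": "dc=example,dc=internal",
                        "admin-user": "uid=kafkaui,dc=example,dc=internal"}}}}}  # bind password via Secret
DEFAULT_VALUES = {"kafka-ui": {"yamlApplicationConfig": {"auth": {"type": "LOGIN_FORM"},
    "spring": {"security": {"user": {"name": "admin", "password": "admin"}}}}}}
```

To audit a real file, load it with PyYAML (`yaml.safe_load`) and pass the resulting dict to `audit_kafka_ui_auth`.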
Troubleshooting
| Problem | Probable cause | Solution |
|---|---|---|
| Invalid credentials in UI (LOGIN_FORM) | Incorrect password or typo in name/password field | Check spring.security.user in the applied values |
| LDAP login fails with "invalid credentials" | Incorrect bind DN or password | Test bind with ldapsearch or an external LDAP tool |
| LDAP login fails with "connection refused" | LDAP host/port unreachable from the pod | Check network connectivity and cluster firewalls |
| Changes in yamlApplicationConfig not reflected | Pod not restarted after update | Force rollout: kubectl -n <namespace> rollout restart deployment kafka-ui |