Troubleshoot Confluent Gateway CFK Deployments
Diagnose and resolve common Confluent Gateway issues on Confluent for Kubernetes (CFK). Start with the log-capture and debug-logging steps that follow, then consult Known and common issues for symptom-based resolutions.
Note
The Kubernetes commands on this page assume that you have already set the default namespace. If Confluent Gateway runs outside the default namespace, add -n <namespace> to each command.
Capture Confluent Gateway logs manually
The Confluent Gateway pod logs capture most initialization failures, including network timeouts and credential errors. Inspect them first using the following Kubernetes commands:
# Get the Gateway custom resource
kubectl get Gateway <gateway_name> -o yaml > gateway.yaml
# List Gateway pods
kubectl get pods -l app=confluent-gateway
# View logs from all Gateway pods
kubectl logs -l app=confluent-gateway
# Filter for errors
kubectl logs -l app=confluent-gateway | grep -i error
Review these logs first to identify configuration or connectivity issues before you investigate Confluent Gateway routing or client settings.
Enable debug logging to view stack traces
The DEBUG log level captures detailed logs, including stack traces, to help diagnose complex Confluent Gateway issues.
The GATEWAY_ROOT_LOG_LEVEL environment variable controls the global logging level for Confluent Gateway. Update the podTemplate in your custom resource (CR) to set it to DEBUG, then re-apply the CR:
kind: Gateway
spec:
podTemplate:
envVars:
- name: GATEWAY_ROOT_LOG_LEVEL
value: DEBUG
Capture Confluent Gateway logs with a support bundle
Use the CFK support bundle command to collect only Confluent Gateway-related diagnostics, including logs, CRs, and related resources:
kubectl confluent support-bundle --only-gateway
Use the generated archive when sharing details with Confluent Support.
Verify client-to-Kafka connectivity
Test a client that connects directly to the backend Apache Kafka® cluster, bypassing Confluent Gateway, to rule out baseline cluster or network issues before troubleshooting Confluent Gateway routing.
Known and common issues
Confluent Gateway pods in CrashLoopBackOff
Symptoms
The Confluent Gateway pods restart repeatedly or remain in
CrashLoopBackOff.Running the
kubectl get pods -l app=confluent-gatewaycommand shows repeated restarts.Pod logs contain configuration parsing errors, license validation failures, or stack traces.
Logs report an unrecognized configuration field, such as
UnrecognizedPropertyException: Unrecognized field "tls", which indicates a misspelled or misplaced key.
Likely causes
Invalid or incomplete Confluent Gateway CR, such as malformed
streamingDomains,routes, or secret references.A missing or invalid license secret that
GATEWAY_LICENSESreferences.
Resolution
Inspect the pod logs for configuration and license errors:
kubectl logs -l app=confluent-gateway kubectl logs -l app=confluent-gateway | grep -i license
Validate the CR structure:
Ensure that the
streamingDomainssection defines at least one streaming domain and a corresponding bootstrap server.Ensure that the
routessection defines at least one valid route.
Verify secret references: confirm that any
secretStoresand license secrets referenced in the CR exist in the same namespace and contain the expected keys.Correct the configuration and re-apply the CR:
kubectl apply -f <gateway-CR-file>
Clients can’t connect to the Confluent Gateway endpoint
Symptoms
Client connections to the Confluent Gateway endpoint time out or stall indefinitely during metadata requests.
Clients connect successfully when they target the Kafka cluster directly, but fail to connect when routed through Confluent Gateway.
Likely causes
The Confluent Gateway pods can’t reach the Kafka bootstrap servers due to DNS, firewall, or network policy issues.
Clients connect to broker addresses directly instead of the Confluent Gateway route endpoint.
The
routes.endpointvalue doesn’t match the address published by the Confluent Gateway Kubernetes service.The
bootstrapServerIddoes not match across sections of the CR.
Resolution
Verify that the route endpoint is reachable: confirm that the Confluent Gateway Kubernetes service or load balancer exposes the host and port defined in
routes.endpoint.kubectl get svc -l app=confluent-gateway
Test Confluent Gateway-to-Kafka connectivity: from a Confluent Gateway pod, test connectivity to the Kafka bootstrap endpoints defined in
streamingDomains.kafkaCluster.bootstrapServers[].endpoint. Inspect DNS resolution, firewall rules, and network policies.Review logs for authentication issues: inspect logs for repeated connection attempts or
terminated during authenticationmessages. If these errors occur, verify your authentication and TLS/SSL configuration settings. For more information, see Configure Security for Confluent Gateway using Confluent for Kubernetes.Verify broker endpoint resolution: when you use the host-based broker identification strategy, where
routes.brokerIdentificationStrategy.typeishost, clients must resolve individual broker addresses to the Confluent Gateway endpoint. If your broker address pattern isbroker-$(nodeId).gateway.example.com, ensure that your DNS provider routes these subdomains, including a wildcard record, to the Confluent Gateway service.
Protocol or TLS/SSL mismatch
Symptoms
Client logs or Confluent Gateway logs show errors such as frame size exceptions (for example,
FrameOversizedException) or TLS handshake failures.Clients use
SASL_SSLorSSL, but the route uses plaintext, or vice versa.
Likely causes
The client’s
security.protocoldoesn’t match the configured security for the route.TLS-encrypted traffic reaches a plaintext route endpoint, or plaintext traffic reaches an SSL-only route.
Resolution
Confirm the route configuration: inspect the
routes[].security.client.tlssettings in the Confluent Gateway CR.If you omit
security.client.tls, the route expects plaintext traffic.If you define
security.client.tls, configure the client to use an SSL protocol, such asSASL_SSLorSSL.
Align the client configuration:
For unencrypted connections, set the client protocol to
PLAINTEXT.When using SASL authentication without TLS, set the client protocol to
SASL_PLAINTEXT.For TLS routing, set the client protocol to
SSLorSASL_SSLand configure the truststore and keystore as required.
Re-apply the CR if you change route security, and confirm that clients can connect again.
Authentication swap not behaving as expected
Symptoms
Clients using authentication swap fail to authenticate with the backend cluster.
Logs report errors related to secret store lookups, Java Authentication and Authorization Service (JAAS) configuration failures, or callback handler initialization.
Backend brokers report invalid credentials despite the client providing valid local credentials.
Likely causes
Route security isn’t configured with
auth: swap.The
secretStorereferenced in theroutessection is incorrect or missing.The secret store provider type is incorrect, or the credentials required to access the store are incorrect.
Resolution
Verify the route swap configuration: ensure that the route performs authentication swapping.
kind: Gateway spec: routes: - name: <route_name> security: auth: swap
Avoid hard-coded broker credentials: don’t embed static broker credentials in the CR. For swap scenarios, Confluent Gateway must resolve credentials dynamically from a configured secret store.
Validate your secret store configuration:
Provider types are case-sensitive. Verify that you use the exact casing required. For example, use
Azure, notAZURE.Confirm that the Confluent Gateway has the necessary permissions to read secrets from the provider and can reach the provider’s API endpoint over the network.
To learn more about secret store configuration, see Configure Security for Confluent Gateway using Confluent for Kubernetes.
Restart the Confluent Gateway pods so the updated authentication settings take effect:
kubectl delete pod -l app=confluent-gateway
SASL/OAUTHBEARER passthrough fails after a failover
Symptoms
Clients that use SASL/OAUTHBEARER identity passthrough to Confluent Cloud fail to authenticate after a failover.
Likely causes
Clients that use SASL/OAUTHBEARER identity passthrough send a logical cluster (lkc) extension to identify the target cluster. After a failover, the active cluster changes, so the client-supplied value becomes invalid and authentication fails.
Resolution
Configure passthroughConfig on the route so that Confluent Gateway injects the correct logical cluster extension on behalf of the clients. This keeps client configurations independent of the active cluster.
For more information, see Configure identity passthrough.
License and route limit issues
Symptoms
The Confluent Gateway fails to initialize additional routes.
Logs report warnings on license or route-limit exhaustion.
Likely causes
Trial mode limits Confluent Gateway to a maximum of four routes. To configure more routes, you need an Enterprise license.
Resolution
Apply an Enterprise license: Trial mode allows a maximum of four routes, and Enterprise mode supports unlimited routes. To create an Enterprise license secret, reference it from the CR, and review the license modes, see Configure Confluent Gateway license.
Inspect the license status: after re-applying the CR, confirm that the Confluent Gateway recognizes the license.
kubectl logs -l app=confluent-gateway | grep -i license
