Heap size issue when trying to reach kafka bootstrap

[iWaveXXX]

Hello,
I'm stuck in a weird issue.
I configure 2 listeners, one internal and one external (type : cluster ip)
When I try this command : ./bin/kafka-topics.sh --bootstrap-server bootstrap.example.com:9443 --command-config /tmp/client.properties --list
I get this error :
Error while executing topic command : The AdminClient thread has exited. Call: listTopics [2025-07-02 02:06:18,891] ERROR org.apache.kafka.common.errors.TimeoutException: The AdminClient thread has exited. Call: listTopics (org.apache.kafka.tools.TopicCommand) [2025-07-02 02:06:18,908] ERROR Uncaught exception in thread 'kafka-admin-client-thread | adminclient-1': (org.apache.kafka.common.utils.KafkaThread) java.lang.OutOfMemoryError: Java heap space at java.base/java.nio.HeapByteBuffer.<init>(HeapByteBuffer.java:64) ~[?:?] at java.base/java.nio.ByteBuffer.allocate(ByteBuffer.java:363) ~[?:?] at org.apache.kafka.common.memory.MemoryPool$1.tryAllocate(MemoryPool.java:30) ~[kafka-clients-4.0.0.jar:?] at org.apache.kafka.common.network.NetworkReceive.readFrom(NetworkReceive.java:103) ~[kafka-clients-4.0.0.jar:?] at org.apache.kafka.common.network.KafkaChannel.receive(KafkaChannel.java:462) ~[kafka-clients-4.0.0.jar:?] at org.apache.kafka.common.network.KafkaChannel.read(KafkaChannel.java:412) ~[kafka-clients-4.0.0.jar:?] at org.apache.kafka.common.network.Selector.attemptRead(Selector.java:679) ~[kafka-clients-4.0.0.jar:?] at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:581) ~[kafka-clients-4.0.0.jar:?] at org.apache.kafka.common.network.Selector.poll(Selector.java:486) ~[kafka-clients-4.0.0.jar:?] at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:645) ~[kafka-clients-4.0.0.jar:?] at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.processRequests(KafkaAdminClient.java:1560) ~[kafka-clients-4.0.0.jar:?] at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1491) ~[kafka-clients-4.0.0.jar:?] at java.base/java.lang.Thread.run(Thread.java:840) [?:?]
from my kafka client outside my kubernetes cluster.

If I try the same command inside my kubernetes cluster with my internal listener I got my topics list.

Is that means that from outside I have an issue with mtls com ?

For external listener, I have a GatewayAPI with TLSRoute and the external listener in Kafka resource is clusterIP type.
My kafka resource

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
name: my-cluster
namespace: kafka
annotations:
strimzi.io/node-pools: enabled
strimzi.io/kraft: enabled
spec:
kafka:
version: 4.0.0
metadataVersion: 4.0-IV3
listeners:
- name: interne
port: 9092
type: internal
tls: true
authentication:
type: tls
- name: externe
port: 9094
type: cluster-ip
tls: true
authentication:
type: tls
authorization:
type: simple
superUsers:
- "CN=akhq-admin"
config:
auto.create.topics.enable: "false"
default.replication.factor: 3
offsets.topic.replication.factor: 3
transaction.state.log.replication.factor: 3
transaction.state.log.min.isr: 2
min.insync.replicas: 2
metricsConfig:
type: jmxPrometheusExporter
valueFrom:
configMapKeyRef:
name: kafka-metrics
key: kafka-metrics-config.yml
logging:
type: inline
loggers:
kafka.root.logger.level: DEBUG
kafka.authorizer.logger.level: DEBUG
kafka.network.logger.level: DEBUG
kafka.request.logger.level: DEBUG
entityOperator:
topicOperator: {}
userOperator: {}
kafkaExporter:
topicRegex: "."
groupRegex: "."

My kafka user is tls-external

I read the documentation and it seems that until I did not configure my own clientCA certificate (with the CA comes from external dns name reference in gateway API) it will not work, correct ?
In case I use my custom CA for clientCA part , then I should create the secret with .crt, .key and p12 data and use it from my external kafka client ?

[scholzj]

Apart from it being insufficient memory, which is certainly an option, it usually means you have misconfigured security, especially TLS. You use TLS to connect to non-TLS listener or the other way around.

[iWaveXXX]

Indeed, I was missing the suffix -external.
Thanks @scholzj .