diff --git a/controllers/kafkauser_controller.go b/controllers/kafkauser_controller.go
index 3bd0863d39..ab83147244 100644
--- a/controllers/kafkauser_controller.go
+++ b/controllers/kafkauser_controller.go
@@ -196,6 +196,13 @@ func (r *KafkaUserReconciler) Reconcile(ctx context.Context, request reconcile.R
 	var kafkaUser string
 
 	if instance.Spec.GetIfCertShouldBeCreated() {
+		// Avoid panic if the user wants to create a kafka user but the cluster is in plaintext mode
+		if cluster.Spec.ListenersConfig.SSLSecrets == nil && instance.Spec.PKIBackendSpec == nil {
+			// we should never see this scenario due to the KafkaUser validation webhook
+			// the only edge case is when cluster.Spec.ListenersConfig.SSLSecrets is set to nil during operator upgrade
+			return requeueWithError(reqLogger, "could not create kafka user since user specific PKI not configured", errors.New("failed to create kafka user"))
+		}
+
 		var backend v1beta1.PKIBackend
 		if instance.Spec.PKIBackendSpec != nil {
 			backend = v1beta1.PKIBackend(instance.Spec.PKIBackendSpec.PKIBackend)