From 9b9a59bef46a6f2160c8168a5efcadad216c8103 Mon Sep 17 00:00:00 2001 From: david-yu Date: Fri, 17 Apr 2026 11:30:57 -0700 Subject: [PATCH 1/2] rpadmin: add OAUTHBEARER auth option for debug bundle Add WithOAuthBearerAuthentication(token) so callers can forward an OIDC bearer token to the broker's /v1/debug/bundle endpoint. The existing WithSCRAMAuthentication option only covers SCRAM profiles, which leaves rpk with no way to express OAUTHBEARER credentials to the broker-side rpk subprocess. The new payload is {"mechanism":"OAUTHBEARER","token":""}, sent as a peer variant of the existing SCRAM payload on the same Authentication field. Also export an OAuthBearer constant alongside ScramSha256/ScramSha512/CloudOIDC. Broker-side support for this payload is a separate change in redpanda. Co-Authored-By: Claude Opus 4.7 (1M context) --- rpadmin/api_debug.go | 21 ++++++++++++++++++++- rpadmin/api_debug_test.go | 18 ++++++++++++++++++ rpadmin/api_user.go | 2 ++ 3 files changed, 40 insertions(+), 1 deletion(-) diff --git a/rpadmin/api_debug.go b/rpadmin/api_debug.go index 3657affb..f7928f7f 100644 --- a/rpadmin/api_debug.go +++ b/rpadmin/api_debug.go @@ -177,7 +177,7 @@ type DebugPartition struct { // debug bundle process. // See rpk debug bundle --help type debugBundleStartConfigParameters struct { - // one of DebugBundleSCRAMAuthentication or DebugBundleOIDCAuthentication + // one of debugBundleSCRAMAuthentication or debugBundleOAuthBearerAuthentication Authentication any `json:"authentication,omitempty"` ControllerLogsSizeLimitBytes int32 `json:"controller_logs_size_limit_bytes,omitempty"` LogsSizeLimitBytes int32 `json:"logs_size_limit_bytes,omitempty"` 
@@ -206,6 +206,14 @@ type debugBundleSCRAMAuthentication struct { Password string `json:"password,omitempty"` //nolint:gosec // G117: field holds SCRAM credentials for debug bundle API } +// debugBundleOAuthBearerAuthentication are the OAUTHBEARER authentication +// parameters. The token is the raw OIDC bearer token that the broker-side rpk +// subprocess will present to Kafka. +type debugBundleOAuthBearerAuthentication struct { + Mechanism string `json:"mechanism,omitempty"` + Token string `json:"token,omitempty"` //nolint:gosec // G117: field holds OIDC bearer token for debug bundle API +} + type debugBundleStartConfig struct { JobID string `json:"job_id,omitempty"` Config debugBundleStartConfigParameters `json:"config,omitempty"` @@ -231,6 +239,17 @@ func WithSCRAMAuthentication(username, password, mechanism string) DebugBundleOp }} } +// WithOAuthBearerAuthentication sets OAUTHBEARER authentication using the +// given OIDC bearer token. +func WithOAuthBearerAuthentication(token string) DebugBundleOption { + return debugBundleOpt{func(param *debugBundleStartConfigParameters) { + param.Authentication = debugBundleOAuthBearerAuthentication{ + Mechanism: OAuthBearer, + Token: token, + } + }} +} + // WithControllerLogsSizeLimitBytes sets the controller-logs-size-limit parameter. func WithControllerLogsSizeLimitBytes(v int32) DebugBundleOption { return debugBundleOpt{func(param *debugBundleStartConfigParameters) { diff --git a/rpadmin/api_debug_test.go b/rpadmin/api_debug_test.go index 2c4359f8..17c855b1 100644 --- a/rpadmin/api_debug_test.go +++ b/rpadmin/api_debug_test.go 
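Review bot: WithOAuthBearerAuthentication accepts any string unchecked, and because `Token` carries `omitempty` an empty token serializes as `{"mechanism":"OAUTHBEARER"}` with no `token` key at all, so a caller that never obtained a token only learns of it from the broker's response. The option's apply func returns nothing, so the check cannot surface an error here; at minimum the doc comment should say so: `// The token is copied verbatim into the request body; it is not validated here, and an empty token yields a payload without a token field.` Since the field holds a live bearer credential, the comment on debugBundleOAuthBearerAuthentication in the hunk above should also note that the populated parameters struct must not be logged or printed with `%v`. The comment line about what the broker-side rpk subprocess will present to Kafka describes behaviour the commit message says lands in a separate change, so it is better phrased as the intended use of the token rather than a fact about this library.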
@@ -76,4 +76,22 @@ func TestDebugBundleOption(t *testing.T) { pj, _ := json.Marshal(params) assert.Equal(t, `{"authentication":{"mechanism":"SCRAM-SHA-256","username":"user1","password":"pass1"}}`, string(pj)) }) + + t.Run("oauthbearer auth", func(t *testing.T) { + opts := []DebugBundleOption{ + WithOAuthBearerAuthentication("my-jwt-token"), + } + params := &debugBundleStartConfigParameters{} + for _, o := range opts { + o.apply(params) + } + + authBearer, ok := params.Authentication.(debugBundleOAuthBearerAuthentication) + assert.True(t, ok) + assert.Equal(t, OAuthBearer, authBearer.Mechanism) + assert.Equal(t, "my-jwt-token", authBearer.Token) + + pj, _ := json.Marshal(params) + assert.Equal(t, `{"authentication":{"mechanism":"OAUTHBEARER","token":"my-jwt-token"}}`, string(pj)) + }) } diff --git a/rpadmin/api_user.go b/rpadmin/api_user.go index 7527df4d..e8aba2f1 100644 --- a/rpadmin/api_user.go +++ b/rpadmin/api_user.go @@ -32,6 +32,8 @@ const ( ScramSha512 = "SCRAM-SHA-512" // CloudOIDC is the constant for CLOUD-OIDC. CloudOIDC = "CLOUD-OIDC" + // OAuthBearer is the constant for OAUTHBEARER. + OAuthBearer = "OAUTHBEARER" ) // CreateUser creates a user with the given username and password using the From 7d7d2628dcbdc68ddffc0e674b63bafe1e4a246a Mon Sep 17 00:00:00 2001 From: david-yu Date: Fri, 17 Apr 2026 11:39:16 -0700 Subject: [PATCH 2/2] rpadmin: drop unused nolint on debug bundle token field gosec G117 flags fields named "Password"/"Pass", not generic token fields, so the nolint directive copied from the SCRAM password field is inert and trips nolintlint. Co-Authored-By: Claude Opus 4.7 (1M context) --- rpadmin/api_debug.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rpadmin/api_debug.go b/rpadmin/api_debug.go index f7928f7f..ceac8c52 100644 --- a/rpadmin/api_debug.go +++ b/rpadmin/api_debug.go 
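Review bot: `pj, _ := json.Marshal(params)` in the new sub-test discards the marshal error, so a serialization failure would show up only as a confusing string mismatch in the assertion that follows; the SCRAM case above has the same pattern, but the new case need not copy it. Change it to `pj, err := json.Marshal(params)` followed by `assert.NoError(t, err)`. A second sub-test with an empty token asserting the `omitempty` result, `{"authentication":{"mechanism":"OAUTHBEARER"}}`, would pin down the payload a caller sends when no token was obtained, which is the case most likely to be mishandled downstream. The api_user.go hunk below only adds the constant and needs no change.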
@@ -211,7 +211,7 @@ type debugBundleSCRAMAuthentication struct { // subprocess will present to Kafka. type debugBundleOAuthBearerAuthentication struct { Mechanism string `json:"mechanism,omitempty"` - Token string `json:"token,omitempty"` //nolint:gosec // G117: field holds OIDC bearer token for debug bundle API + Token string `json:"token,omitempty"` } type debugBundleStartConfig struct {