JIRA: CORE-16118
Context
redpanda#30169 adds OAUTHBEARER (OIDC bearer token) SASL support to rpk's Kafka, admin, and Schema Registry clients. A review comment on that PR surfaced that the remote debug bundle flow (`rpk debug remote-bundle start`) drops OAUTHBEARER credentials silently:
- rpk forwards SASL creds to the broker via `POST /v1/debug/bundle` so the broker-side `rpk debug bundle` subprocess can authenticate to Kafka.
- Today, both the `rpadmin` Go client and the broker's JSON parser only accept a SCRAM-shaped payload: `{mechanism, username, password}`.
- OAUTHBEARER profiles have no `username`, so `HasSASLCredentials()` is false and rpk sends the request with `authentication: null`. The broker-side subprocess then tries to connect to Kafka with no SASL and fails confusingly.
The short-term mitigation (landed in #30169) is to reject OAUTHBEARER up front in `rpk debug remote-bundle start` with a clear "not yet supported" error.
What this issue tracks
Full end-to-end OAUTHBEARER support in the debug bundle path. Requires broker-side changes in this repo.
Prerequisite (separate PR)
Broker-side work (this issue)
- `src/v/debug_bundle/types.h` — extend the variant:
  ```cpp
  struct bearer_creds {
      ss::sstring token;
      ss::sstring mechanism; // "OAUTHBEARER"
      friend bool operator==(const bearer_creds&, const bearer_creds&) = default;
  };
  using debug_bundle_authn_options = std::variant<scram_creds, bearer_creds>;
  ```
- `src/v/debug_bundle/json.h` — add a `from_json<bearer_creds>` branch and update the `debug_bundle_authn_options` dispatch to pick the right variant alternative (e.g. by the presence of `token` vs `username`, or by the `mechanism` value).
- `src/v/debug_bundle/debug_bundle_service.cc` — extend the `ss::visit` over `authn_options` to translate `bearer_creds` into subprocess args:
  ```cpp
  [&rv](const bearer_creds& creds) {
      rv.emplace_back(ssx::sformat("{}=token:{}", password_variable, creds.token));
      rv.emplace_back(ssx::sformat("{}=OAUTHBEARER", sasl_mechanism_variable));
  }
  ```
  (rpk already accepts `-Xpass=token:` together with `-Xsasl.mechanism=OAUTHBEARER`.)
- `src/v/redpanda/admin/api-doc/debug_bundle.json` — document the new `{mechanism, token}` auth variant.
- Tests — extend `src/v/debug_bundle/tests/{json_test.cc,types_test.cc,debug_bundle_service_test.cc}` to cover the new variant: JSON parsing, roundtrip equality, and correct subprocess-arg emission.
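A self-contained sketch of the `json.h` dispatch and the `debug_bundle_service.cc` arg emission listed above, added here as an example and not Redpanda's own code: it uses `std::string` in place of `ss::sstring`, a pre-parsed `std::map` in place of the JSON document, and assumed placeholder values for `password_variable`, `sasl_mechanism_variable` and an assumed `user_variable`. A payload whose shape does not match its `mechanism`, or `{mechanism: OAUTHBEARER}` with no `token`, comes back as `nullopt`, which the handler would answer with a 400.

```cpp
#include <map>
#include <optional>
#include <string>
#include <variant>
#include <vector>
struct scram_creds { std::string username, password, mechanism; };
struct bearer_creds { std::string token, mechanism; };  // always "OAUTHBEARER"
using debug_bundle_authn_options = std::variant<scram_creds, bearer_creds>;
using json_fields = std::map<std::string, std::string>;  // parsed string members
// Assumed stand-ins for the env names the service hands the rpk subprocess.
const std::string user_variable = "RPK_USER";
const std::string password_variable = "RPK_PASS";
const std::string sasl_mechanism_variable = "RPK_SASL_MECHANISM";
// Dispatch by shape: `token` => bearer_creds, `username` => scram_creds.
// A shape/mechanism mismatch or missing member returns nullopt (=> HTTP 400).
std::optional<debug_bundle_authn_options> parse_authn(const json_fields& j) {
    auto get = [&](const char* k) -> std::optional<std::string> {
        auto it = j.find(k);
        if (it == j.end() || it->second.empty()) return std::nullopt;
        return it->second;
    };
    auto mech = get("mechanism");
    if (!mech) return std::nullopt;
    if (auto tok = get("token")) {
        if (*mech != "OAUTHBEARER" || get("username")) return std::nullopt;
        return bearer_creds{*tok, *mech};
    }
    if (auto user = get("username")) {
        auto pw = get("password");
        if (!pw || *mech == "OAUTHBEARER") return std::nullopt;
        return scram_creds{*user, *pw, *mech};
    }
    return std::nullopt;  // e.g. {mechanism: OAUTHBEARER} with no token
}

// Emit `VAR=value` args; bearer creds ride in the password slot as
// `token:<jwt>`, the form rpk accepts with -Xsasl.mechanism=OAUTHBEARER.
std::vector<std::string> to_subprocess_args(const debug_bundle_authn_options& a) {
    std::vector<std::string> rv;
    if (const auto* s = std::get_if<scram_creds>(&a)) {
        rv.push_back(user_variable + "=" + s->username);
        rv.push_back(password_variable + "=" + s->password);
        rv.push_back(sasl_mechanism_variable + "=" + s->mechanism);
    } else {
        const auto& b = std::get<bearer_creds>(a);
        rv.push_back(password_variable + "=token:" + b.token);
        rv.push_back(sasl_mechanism_variable + "=OAUTHBEARER");
    }
    return rv;
}
```

The emitted args carry the raw token, so they belong in the subprocess environment, not in any log line the service writes.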
rpk-side follow-up (this repo, after common-go release)
After common-go merges and releases a new rpadmin version:
- Bump `go.mod` to the version that exports `WithOAuthBearerAuthentication`.
- Replace the "not yet supported" `out.Die` in `src/go/rpk/pkg/cli/debug/remotebundle/start.go` with a branch that calls `rpadmin.WithOAuthBearerAuthentication(token)` when the profile's mechanism is OAUTHBEARER.
Acceptance criteria
- `rpk debug remote-bundle start` with an OAUTHBEARER profile reaches the broker and the broker-side `rpk debug bundle` subprocess authenticates successfully with the forwarded token.
- The broker rejects malformed `authentication` payloads (e.g. `{mechanism: OAUTHBEARER}` with no `token`) with a 400.
- Unit-test coverage for the new variant parsing and subprocess-arg emission.