
rpk: enable OAUTHBEARER for remote debug bundle #30277

Merged
david-yu merged 1 commit into dev from debug-bundle-oauthbearer-rpk
Apr 27, 2026

Conversation

@david-yu
Contributor

@david-yu david-yu commented Apr 23, 2026

Follow-up to #30225 (broker-side OAUTHBEARER support, now merged) and #30169 (rpk OAUTHBEARER SASL support).

Changes

  • Bumps rpadmin to v0.2.6 (tagged from common-go#165), which adds WithOAuthBearerAuthentication(token string)
  • Removes the out.Die guard in rpk debug remote-bundle start that rejected OAUTHBEARER profiles with "not yet supported"
  • toRpadminOptions now dispatches on mechanism: OAUTHBEARER calls WithOAuthBearerAuthentication, all other SASL profiles fall through to the existing WithSCRAMAuthentication path

Usage

Obtain a bearer token from your OIDC provider and pass it via --password (accepts token:<JWT> or a raw JWT) alongside -X kafka_api.sasl.mechanism=OAUTHBEARER:

TOKEN=$(curl -s -X POST "https://<idp>/realms/<realm>/protocol/openid-connect/token" \
  -d "grant_type=client_credentials" \
  -d "client_id=<client-id>" \
  -d "client_secret=<secret>" \
  | jq -r '.access_token')

rpk debug remote-bundle start \
  -X kafka_api.sasl.mechanism=OAUTHBEARER \
  --password "token:$TOKEN"

Or bake the mechanism into an rpk profile and pass the token at call time:

# ~/.config/rpk/rpk.yaml (profile)
kafka_api:
  brokers:
    - broker:9092
  sasl:
    mechanism: OAUTHBEARER
admin_api:
  addresses:
    - broker:9644

rpk debug remote-bundle start --password "token:$TOKEN"

The token is forwarded to each broker in admin_api.addresses. The broker-side rpk subprocess uses it as -Xsasl.mechanism=OAUTHBEARER -Xpass=token:<JWT> when authenticating to Kafka to collect the bundle.

Testing

Includes a ducktape end-to-end test (DebugBundleOAuthBearerAuthn) that exercises the full forwarding chain:

  1. A Keycloak OIDC provider issues a client-credentials JWT
  2. The test POSTs a debug bundle start request with {mechanism: OAUTHBEARER, token: <JWT>}
  3. The broker (via debug_bundle: support OAUTHBEARER auth in broker-side admin API #30225) forwards the token to the rpk subprocess as -Xsasl.mechanism=OAUTHBEARER -Xpass=token:<JWT>
  4. The rpk subprocess authenticates to Kafka using OAUTHBEARER and collects the bundle
  5. The test verifies the bundle completes with status success and the expected topic appears in kafka.json

Supporting test infrastructure added alongside the test:

  • OAuthBearerCredentials dataclass in redpanda_types.py — serializes to {mechanism, token} via the existing DebugBundleEncoder dataclass path
  • DebugBundleStartConfigParams.authentication widened to accept SaslCredentials | OAuthBearerCredentials

Backports Required

  • none - not a bug fix
  • none - this is a backport
  • none - issue does not exist in previous branches
  • none - papercut/not impactful enough to backport
  • v26.1.x
  • v25.3.x
  • v25.2.x

Release Notes

Features

  • rpk debug remote-bundle start now supports OAUTHBEARER (OIDC) profiles. Pass the bearer token via --password (or kafka_api.sasl.password in the rpk profile) when sasl.mechanism is OAUTHBEARER. Previously the command rejected OAUTHBEARER profiles with an error; broker-side support landed in debug_bundle: support OAUTHBEARER auth in broker-side admin API #30225.
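The mechanism dispatch and the two accepted `--password` forms described above, as an added stand-alone example rather than rpk's or rpadmin's own code: `Opt`, `adminConfig`, `withOAuthBearerAuthentication`, `withSCRAMAuthentication` (whose argument order is assumed), `bearerToken`, `toAdminOptions` and `resolve` are all hypothetical names mirroring the shape of the functional options the PR names, and the three-segment JWT sanity check in `bearerToken` is an extra early-failure guard this example adds, not something the PR states.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Opt is a hypothetical functional option standing in for rpadmin's option
// type; it is not rpadmin's real API.
type Opt func(*adminConfig)

// adminConfig records which authentication path was chosen. Constructed for
// this example only.
type adminConfig struct {
	authKind  string // "oauthbearer", "scram" or "" (no auth)
	mechanism string
	username  string
	secret    string // SCRAM password or bearer token; never printed
}

// withOAuthBearerAuthentication mirrors the shape of rpadmin's
// WithOAuthBearerAuthentication(token string) as the PR describes it.
func withOAuthBearerAuthentication(token string) Opt {
	return func(c *adminConfig) {
		c.authKind = "oauthbearer"
		c.mechanism = "OAUTHBEARER"
		c.secret = token
	}
}

// withSCRAMAuthentication mirrors the existing SCRAM path (argument order assumed).
func withSCRAMAuthentication(username, password, mechanism string) Opt {
	return func(c *adminConfig) {
		c.authKind = "scram"
		c.mechanism = mechanism
		c.username = username
		c.secret = password
	}
}

// bearerToken accepts both --password forms the PR describes ("token:<JWT>"
// or a raw JWT) and returns the bare token. It rejects an empty token and any
// value that is not three dot-separated segments, so a mis-pasted secret
// fails locally instead of as an opaque SASL error from the broker.
func bearerToken(password string) (string, error) {
	tok := strings.TrimSpace(strings.TrimPrefix(password, "token:"))
	if tok == "" {
		return "", errors.New("OAUTHBEARER requires a bearer token in --password")
	}
	if len(strings.Split(tok, ".")) != 3 {
		return "", errors.New("bearer token does not look like a JWT (expected header.payload.signature)")
	}
	return tok, nil
}

// toAdminOptions dispatches on the SASL mechanism the way the PR describes
// toRpadminOptions doing: OAUTHBEARER takes the bearer option, every other
// mechanism falls through to SCRAM, and no mechanism means no auth option.
func toAdminOptions(mechanism, user, password string) ([]Opt, error) {
	switch strings.ToUpper(mechanism) {
	case "":
		return nil, nil
	case "OAUTHBEARER":
		tok, err := bearerToken(password)
		if err != nil {
			return nil, err
		}
		return []Opt{withOAuthBearerAuthentication(tok)}, nil
	default:
		if user == "" || password == "" {
			return nil, fmt.Errorf("%s requires both a user and a password", mechanism)
		}
		return []Opt{withSCRAMAuthentication(user, password, mechanism)}, nil
	}
}

// resolve applies the chosen options and returns the resulting config so the
// selected path can be inspected without any network access.
func resolve(mechanism, user, password string) (adminConfig, error) {
	opts, err := toAdminOptions(mechanism, user, password)
	if err != nil {
		return adminConfig{}, err
	}
	var c adminConfig
	for _, o := range opts {
		o(&c)
	}
	return c, nil
}

func main() {
	// Constructed unsigned sample with fake segments; not a real token.
	sample := "eyJhbGciOiJub25lIn0.eyJzdWIiOiJycGsifQ.sig"
	for _, in := range []struct{ mech, user, pass string }{
		{"OAUTHBEARER", "", "token:" + sample},
		{"OAUTHBEARER", "", sample},
		{"SCRAM-SHA-256", "admin", "hunter2"},
		{"OAUTHBEARER", "", "token:"},
	} {
		c, err := resolve(in.mech, in.user, in.pass)
		if err != nil {
			fmt.Printf("%-14s -> error: %v\n", in.mech, err)
			continue
		}
		// Report the path taken, never the secret itself.
		fmt.Printf("%-14s -> %s auth (mechanism %s)\n", in.mech, c.authKind, c.mechanism)
	}
}
```

The `resolve` helper exists only so the selected path can be asserted on; in real code the options would be handed to the admin client constructor, and the secret should stay out of logs and error messages exactly as it does here.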

@david-yu david-yu requested review from a team, kbatuigas and r-vasquez as code owners April 23, 2026 18:00
@david-yu david-yu requested a review from c-julin April 23, 2026 18:18
david-yu added a commit that referenced this pull request Apr 23, 2026
Add DebugBundleOAuthBearerAuthn, an end-to-end ducktape test that
exercises the full OAUTHBEARER forwarding path introduced in #30225
and #30277.

The test spins up a Keycloak OIDC provider alongside a single Redpanda
broker configured with SASL OAUTHBEARER.  It issues a client credentials
token from Keycloak, then POSTs a debug bundle start request with
authentication: {mechanism: OAUTHBEARER, token: <JWT>}.  The broker
forwards the token to the rpk subprocess via -Xsasl.mechanism and
-Xpass=token:..., and the subprocess authenticates to Kafka using the
JWT.  The test verifies the bundle completes successfully and the
expected topic appears in kafka.json.

Supporting changes:
- redpanda_types.py: add OAuthBearerCredentials dataclass, which
  serializes to {mechanism, token} (handled by the existing
  DebugBundleEncoder dataclass branch without any special-casing)
- admin.py: widen DebugBundleStartConfigParams.authentication to accept
  OAuthBearerCredentials alongside the existing SaslCredentials

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@david-yu
Contributor Author

@dotnwat this is the PR that includes the e2e test for #30225 (thanks for reviewing + merging). I won't backport these as it's going to be a chore to backport all three PRs, so will wait till 26.2

@vbotbuildovich
Collaborator

CI test results

Test results on build #83600:

Status: FLAKY(PASS)
Test: WriteCachingFailureInjectionE2ETest.test_crash_all
Arguments: {"use_transactions": false}
Kind: integration
Job URL: https://buildkite.com/redpanda/redpanda/builds/83600#019dbbde-ed1e-4e6a-9f40-9128ab866ef8
Passed: 25/31
Reason: Test PASSES after retries. No significant increase in flaky rate (baseline=0.0826, p0=0.0971, reject_threshold=0.0100; adj_baseline=0.2279, p1=0.2899, trust_threshold=0.5000)
Test history: https://redpanda.metabaseapp.com/dashboard/87-tests?tab=142-dt-individual-test-history&test_class=WriteCachingFailureInjectionE2ETest&test_method=test_crash_all

@david-yu david-yu force-pushed the debug-bundle-oauthbearer-rpk branch from e5e958e to 4eae801 April 27, 2026 17:38
Remove the early-exit guard that rejected OAUTHBEARER profiles in
'rpk debug remote-bundle start'. The broker-side admin API now accepts
a bearer_creds payload (#30225), and rpadmin v0.2.6 exposes
WithOAuthBearerAuthentication so rpk can forward the token.

toRpadminOptions now dispatches on mechanism: OAUTHBEARER profiles
call WithOAuthBearerAuthentication(token), all other SASL profiles
fall through to the existing WithSCRAMAuthentication path.

Add DebugBundleOAuthBearerAuthn, an end-to-end ducktape test that
exercises the full OAUTHBEARER forwarding path. The test spins up a
Keycloak OIDC provider alongside a single Redpanda broker configured
with SASL OAUTHBEARER. It issues a client credentials token from
Keycloak, then POSTs a debug bundle start request with authentication:
{mechanism: OAUTHBEARER, token: <JWT>}. The broker forwards the token
to the rpk subprocess via -Xsasl.mechanism and -Xpass=token:..., and
the subprocess authenticates to Kafka using the JWT. The test verifies
the bundle completes successfully and the expected topic appears in
kafka.json.

Supporting changes:
- redpanda_types.py: add OAuthBearerCredentials dataclass, which
  serializes to {mechanism, token}
- admin.py: widen DebugBundleStartConfigParams.authentication to accept
  OAuthBearerCredentials alongside the existing SaslCredentials

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@david-yu david-yu force-pushed the debug-bundle-oauthbearer-rpk branch from cc3901c to 87f3d57 April 27, 2026 17:43
@david-yu david-yu enabled auto-merge April 27, 2026 17:44
@david-yu david-yu merged commit 1347a59 into dev Apr 27, 2026
28 checks passed
@david-yu david-yu deleted the debug-bundle-oauthbearer-rpk branch April 27, 2026 18:57