[CLI-3059,CLI-3464,CLI-3360,CPSEC-342] CLI On-Prem Updates #3059

Merged: Steven Gagniere (sgagniere) merged 16 commits into main from cli-3059 on Apr 7, 2025

@sgagniere Steven Gagniere (sgagniere) commented Mar 25, 2025

Release Notes

Breaking Changes

  • PLACEHOLDER

New Features

  • Add new --client-cert-path and --client-key-path flags to confluent login to support on-premises mTLS login
  • Add a new --certificate-only flag to confluent login for on-premises mTLS login without username/password or SSO
  • Add new --client-cert-path and --client-key-path flags to all on-premises MDS and Schema Registry commands
  • Add new "CONFLUENT_PLATFORM_CLIENT_CERT_PATH" and "CONFLUENT_PLATFORM_CLIENT_KEY_PATH" mTLS environment variables

Bug Fixes

  • Fix an issue preventing the CLI from refreshing the authentication token while running the on-premises confluent kafka topic [produce | consume] commands
  • Fix an issue causing the on-premises confluent kafka topic [produce | consume] commands to fail to start
  • Fix an issue causing confluent local kafka topic consume to fail to start

Checklist

  • I have successfully built and used a custom CLI binary, without linter issues from this PR.
  • I have clearly specified in the What section below whether this PR applies to Confluent Cloud, Confluent Platform, or both.
  • I have verified this PR in Confluent Cloud pre-prod or production environment, if applicable.
  • I have verified this PR in Confluent Platform on-premises environment, if applicable.
  • I have attached manual CLI verification results or screenshots in the Test & Review section below.
  • I have added appropriate CLI integration or unit tests for any new or updated commands and functionality.
  • I confirm that this PR introduces no breaking changes or backward compatibility issues.
  • I have indicated the potential customer impact if something goes wrong in the Blast Radius section below.
  • I have put checkmarks below confirming that the feature associated with this PR is enabled in:
    • Confluent Cloud prod
    • Confluent Cloud stag
    • Confluent Platform
    • Check this box if the feature is enabled for certain organizations only

What

This collection of PRs addresses the following on-prem related updates and issues:

  • CLI-3059: Add mTLS support for MDS commands
  • CLI-3464: Add mTLS support for SR commands
  • CLI-3360: Fix various on-prem produce and consume errors causing the producer/consumer to not start
  • CPSEC-342: Fix an issue causing the auth token to not refresh during on-prem produce and consume when using SASL_SSL and OAUTHBEARER

Blast Radius

Commands that would be affected:

  • Any authenticated on-prem command
  • The login command
  • The produce/consume commands

References

1-Pager: https://confluentinc.atlassian.net/wiki/spaces/AEGI/pages/4223534063/1-Pager+On-Prem+mTLS+Support+for+CLI

The following 3 PRs will be merged into this one before this PR is merged:
main <-- CLI-3059 <-- CLI-3464 <-- CLI-3360 <-- CPSEC-342

CLI 3464 PR: #3054
CLI 3360 PR: #3024
CPSEC 342 PR: #3047

Test & Review

This testing doc includes tests covering all 4 PRs.
Testing doc: https://docs.google.com/document/d/1LgE3J2dDlT2j1RmqJuQ-8nrP7JXfsoXbACa69Ibp9tg/edit?usp=sharing

Also converted on-prem audit-log and ACL CRUD unit tests to integration tests.

@confluent-cla-assistant

🎉 All Contributor License Agreements have been signed. Ready to merge.
Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.

@sgagniere Steven Gagniere (sgagniere) changed the title from "[CLI-3059] mTLS support for MDS commands" to "[CLI-3059,CLI-3464,CLI-3360,CPSEC-342] CLI On-Prem Updates" Apr 4, 2025
@sgagniere Steven Gagniere (sgagniere) marked this pull request as ready for review April 4, 2025 21:45
Copilot AI review requested due to automatic review settings April 4, 2025 21:45
@sgagniere Steven Gagniere (sgagniere) requested a review from a team as a code owner April 4, 2025 21:45

Copilot AI left a comment

Copilot reviewed 113 out of 113 changed files in this pull request and generated no comments.

…on-prem mtls (#3054)

Co-authored-by: Steven Gagniere <sgagniere@confluent.io>
Co-authored-by: Steven Gagniere <108363707+sgagniere@users.noreply.github.com>
Contributor

LGTM, thanks for the efforts.

@sgagniere Steven Gagniere (sgagniere) merged commit 71527dd into main Apr 7, 2025
1 of 2 checks passed
@sgagniere Steven Gagniere (sgagniere) deleted the cli-3059 branch April 7, 2025 20:44

Development

Successfully merging this pull request may close these issues.

Error: Post "/api/access_tokens": unsupported protocol scheme ""
