feat(redpanda): add bootstrap user account option (#2975)

* feat(redpanda): add bootstrap user account option

feat(redpanda): rework the admin api auth

feat(redpanda): rework the admin api auth

* feat(redpanda): rename WithEnableAdminAPIAuthentication to WithAdminAPIAuthentication. Address PR feedback to cleanup tests

* Update test name for non-superuser

Co-authored-by: Manuel de la Peña <social.mdelapenya@gmail.com>

* Update test name for invalid user case

Co-authored-by: Manuel de la Peña <social.mdelapenya@gmail.com>

* Update test case name for schema registry test

Co-authored-by: Manuel de la Peña <social.mdelapenya@gmail.com>

* Update test name for successful authentication case

Co-authored-by: Manuel de la Peña <social.mdelapenya@gmail.com>

* Update test name for invalid user case

Co-authored-by: Manuel de la Peña <social.mdelapenya@gmail.com>

* Update test name for non-superuser test

Co-authored-by: Manuel de la Peña <social.mdelapenya@gmail.com>

* Update test name for wrong mechanism

Co-authored-by: Manuel de la Peña <social.mdelapenya@gmail.com>

* Update test name for schema registry test

Co-authored-by: Manuel de la Peña <social.mdelapenya@gmail.com>

* Update test name for failed authentication

Co-authored-by: Manuel de la Peña <social.mdelapenya@gmail.com>

* Update test name for successful authentication

Co-authored-by: Manuel de la Peña <social.mdelapenya@gmail.com>

* feat(redpanda): make AdminAPIClient properties private and add WithAuthentication() and accessor methods

* feat(redpanda): set EnableAdminAPIAuthentication private

* feat(redpanda): set baseURL as public again

* chore: use test names without spaces

---------

Co-authored-by: Manuel de la Peña <social.mdelapenya@gmail.com>

Author: Bojan

docs/modules/redpanda.md

@@ -182,3 +182,8 @@ is an HTTP-based API and thus the returned format will be: http://host:port.
 <!--codeinclude-->
 [Get admin API address](../../modules/redpanda/redpanda_test.go) inside_block:adminAPIAddress
 <!--/codeinclude-->
+
+#### WithAdminAPIAuthentication
+
+Enables Admin API Authentication by setting [`admin_api_require_auth`](https://docs.redpanda.com/current/reference/properties/cluster-properties/#admin_api_require_auth) cluster configuration property to `true`. 
+It also configures a bootstrap superuser account via [`RP_BOOTSTRAP_USER`](https://docs.redpanda.com/current/deploy/deployment-option/self-hosted/manual/production/production-deployment/#bootstrap-a-user-account) environment variable.

modules/redpanda/admin_api.go

@@ -10,29 +10,52 @@ import (
 	"net/url"
 )
 
+// AdminAPIClient is a client for the Redpanda Admin API.
 type AdminAPIClient struct {
-	BaseURL string
-	client  *http.Client
+	BaseURL  string
+	username string
+	password string
+	client   *http.Client
 }
 
+// NewAdminAPIClient creates a new AdminAPIClient.
 func NewAdminAPIClient(baseURL string) *AdminAPIClient {
 	return &AdminAPIClient{
 		BaseURL: baseURL,
 		client:  http.DefaultClient,
 	}
 }
 
+// WithHTTPClient sets the HTTP client for the AdminAPIClient.
 func (cl *AdminAPIClient) WithHTTPClient(c *http.Client) *AdminAPIClient {
 	cl.client = c
 	return cl
 }
 
+// WithAuthentication sets the username and password for the AdminAPIClient.
+func (cl *AdminAPIClient) WithAuthentication(username, password string) *AdminAPIClient {
+	cl.username = username
+	cl.password = password
+	return cl
+}
+
+// Username returns the username of the AdminAPIClient.
+func (cl *AdminAPIClient) Username() string {
+	return cl.username
+}
+
+// Password returns the password of the AdminAPIClient.
+func (cl *AdminAPIClient) Password() string {
+	return cl.password
+}
+
 type createUserRequest struct {
 	User      string `json:"username,omitempty"`
 	Password  string `json:"password"`
 	Algorithm string `json:"algorithm"`
 }
 
+// CreateUser creates a new user in Redpanda using Admin API.
 func (cl *AdminAPIClient) CreateUser(ctx context.Context, username, password string) error {
 	userReq := createUserRequest{
 		User:      username,
@@ -55,6 +78,10 @@ func (cl *AdminAPIClient) CreateUser(ctx context.Context, username, password str
 	}
 	req.Header.Set("Content-Type", "application/json")
 
+	if cl.username != "" || cl.password != "" {
+		req.SetBasicAuth(cl.username, cl.password)
+	}
+
 	resp, err := cl.client.Do(req)
 	if err != nil {
 		return fmt.Errorf("request failed: %w", err)

modules/redpanda/options.go

@@ -47,6 +47,9 @@ type options struct {
 	// ExtraBootstrapConfig is a map of configs to be interpolated into the
 	// container's bootstrap.yml
 	ExtraBootstrapConfig map[string]any
+
+	// enableAdminAPIAuthentication enables Admin API authentication
+	enableAdminAPIAuthentication bool
 }
 
 func defaultOptions() options {
@@ -170,3 +173,12 @@ func WithBootstrapConfig(cfg string, val any) Option {
 		o.ExtraBootstrapConfig[cfg] = val
 	}
 }
+
+// WithAdminAPIAuthentication enables Admin API Authentication.
+// It sets `admin_api_require_auth` configuration to true and configures a bootstrap user account.
+// See https://docs.redpanda.com/current/deploy/deployment-option/self-hosted/manual/production/production-deployment/#bootstrap-a-user-account
+func WithAdminAPIAuthentication() Option {
+	return func(o *options) {
+		o.enableAdminAPIAuthentication = true
+	}
+}

modules/redpanda/redpanda.go

@@ -44,6 +44,9 @@ const (
 	bootstrapConfigFile = ".bootstrap.yaml"
 	certFile            = "cert.pem"
 	keyFile             = "key.pem"
+
+	bootstrapAdminAPIUser     = "redpanda_bootstrap_admin_user"
+	bootstrapAdminAPIPassword = "redpanda_bootstrap_admin_password"
 )
 
 // Container represents the Redpanda container type used in the module.
@@ -107,6 +110,25 @@ func Run(ctx context.Context, img string, opts ...testcontainers.ContainerCustom
 		settings.EnableWasmTransform = false
 	}
 
+	// 2.2. If enabled, bootstrap user account
+	if settings.enableAdminAPIAuthentication {
+		// set the RP_BOOTSTRAP_USER env var
+		if req.Env == nil {
+			req.Env = map[string]string{}
+		}
+		req.Env["RP_BOOTSTRAP_USER"] = bootstrapAdminAPIUser + ":" + bootstrapAdminAPIPassword
+
+		// add our internal bootstrap admin user to superusers
+		settings.Superusers = append(settings.Superusers, bootstrapAdminAPIUser)
+
+		// enable admin_api_require_auth
+		if settings.ExtraBootstrapConfig == nil {
+			settings.ExtraBootstrapConfig = map[string]any{}
+		}
+
+		settings.ExtraBootstrapConfig["admin_api_require_auth"] = true
+	}
+
 	// 3. Register extra kafka listeners if provided, network aliases will be
 	// set
 	if err := registerListeners(settings, req); err != nil {
@@ -231,6 +253,10 @@ func Run(ctx context.Context, img string, opts ...testcontainers.ContainerCustom
 
 		adminAPIUrl := fmt.Sprintf("%s://%v:%d", c.urlScheme, hostIP, adminAPIPort.Int())
 		adminCl := NewAdminAPIClient(adminAPIUrl)
+		if settings.enableAdminAPIAuthentication {
+			adminCl = adminCl.WithAuthentication(bootstrapAdminAPIUser, bootstrapAdminAPIPassword)
+		}
+
 		if settings.EnableTLS {
 			adminCl = adminCl.WithHTTPClient(&http.Client{
 				Timeout: 5 * time.Second,