Feature: Add support for SASL reauthentication (KIP-368) #217
Description
During deeper testing of #216, I discovered that the proxy currently doesn't support KIP-368 - SASL Reauthentication. It would be great to see support for this added so that long-lived connections using SASL OAUTHBEARER authentication are better supported.
To elaborate a bit more on my use case and what I'm currently seeing, I am looking to use this proxy as a sidecar for microservices running in Kubernetes (AWS EKS) to support a more seamless approach to using IAM authentication with Amazon MSK clusters. IAM credentials are made available to the proxy sidecar container using AWS IAM roles for service accounts, which facilitates short 1 hour duration IAM credentials for pods. What I'm seeing at the moment is that:
- Connections are established from
kafka-proxyto the brokers successfully using IAM authentication - After 1 hour, MSK closes the connections as the IAM credentials used to authenticate the connection have expired.
- This results in the proxy seeing an EOF and hence closing both the server and client connections
- This then causes an unexpected EOF in the proxy clients, which they don't handle particularly gracefully.