Open k-wall opened 3 days ago
One idea: utilise cooperating SASL/listener configuration on the upstream side to accept the client identity in a secure fashion. You might be able to do this with a custom SASL mechanism (to propagate the identity) coupled with a dedicated listener on the upstream clusters that authenticates the proxy using mTLS.
With plain (unproxied) Kafka, users have the option to use TLS client authentication to authenticate Kafka applications. The client certificate's identity is made available within the broker, where it can be used for authorization decisions (ACLs) or audit purposes to understand what actions the user has performed.
If the user is proxying Kafka using Kroxylicious, they can opt to use TLS client auth (#1631) but there is currently no way to propagate the client's identity through to the upstream cluster.
This task is to look at ways that it might be achieved.
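As an added illustration (not part of the issue or of Kroxylicious), the following upstream broker `server.properties` fragment sketches the "dedicated listener" half of the idea above: one listener for direct clients with ordinary TLS client auth, and a second listener reserved for the proxy that requires mTLS against a truststore holding only the proxy's CA and enables a hypothetical identity-propagating SASL mechanism. The listener name `PROXY`, the mechanism name `PROXYID`, the handler class and all file paths are assumptions.

```properties
# Two listeners: CLIENT for direct applications, PROXY for Kroxylicious only.
listeners=CLIENT://0.0.0.0:9093,PROXY://0.0.0.0:9094
listener.security.protocol.map=CLIENT:SSL,PROXY:SASL_SSL
inter.broker.listener.name=CLIENT

# --- CLIENT listener: unproxied apps authenticate with their own certificate.
listener.name.client.ssl.keystore.location=/etc/kafka/broker.keystore.p12
listener.name.client.ssl.keystore.type=PKCS12
listener.name.client.ssl.truststore.location=/etc/kafka/app-ca.truststore.p12
listener.name.client.ssl.client.auth=required
# Principal is taken from the client certificate's DN (CN component only).
ssl.principal.mapping.rules=RULE:^CN=([^,]+).*$/$1/,DEFAULT

# --- PROXY listener: only the proxy may connect, authenticated by mTLS.
listener.name.proxy.ssl.keystore.location=/etc/kafka/broker.keystore.p12
listener.name.proxy.ssl.keystore.type=PKCS12
# Truststore deliberately contains ONLY the CA that issued the proxy's cert,
# so no application certificate can complete the handshake on this port.
listener.name.proxy.ssl.truststore.location=/etc/kafka/proxy-ca.truststore.p12
listener.name.proxy.ssl.client.auth=required
# Hypothetical custom mechanism that carries the downstream client identity.
# On a SASL_SSL listener the authorization principal comes from SASL, not from
# the TLS certificate; mTLS here only gates who may speak the mechanism.
listener.name.proxy.sasl.enabled.mechanisms=PROXYID
listener.name.proxy.proxyid.sasl.server.callback.handler.class=com.example.ProxyIdentityCallbackHandler
listener.name.proxy.proxyid.sasl.jaas.config=com.example.ProxyIdentityLoginModule required;

# Authorization applies to whichever principal the listener produced.
authorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer
allow.everyone.if.no.acl.found=false
```

Because the propagated identity is asserted by the proxy rather than proven by the client, the PROXY port should additionally be reachable only from the proxy's network, and the ACLs for a given principal then apply identically whether it arrived directly or via the proxy.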