[MATRIX-1193] Add username/password option for elastic self hosted

[AitorAlgorta]

Release Notes

New Features

• Added support for username/password authentication for Elastic connections in confluent flink connection create and confluent flink connection update commands. Users can now authenticate with Elastic using either --api-key or --username/--password flags.

Checklist

• I have successfully built and used a custom CLI binary, without linter issues from this PR.
• I have clearly specified in the What section below whether this PR applies to Confluent Cloud, Confluent Platform, or both.
• I have verified this PR in Confluent Cloud pre-prod or production environment, if applicable.
• I have verified this PR in Confluent Platform on-premises environment, if applicable.
• I have attached manual CLI verification results or screenshots in the Test & Review section below.
• I have added appropriate CLI integration or unit tests for any new or updated commands and functionality.
• I confirm that this PR introduces no breaking changes or backward compatibility issues.
• I have indicated the potential customer impact if something goes wrong in the Blast Radius section below.
• I have put checkmarks below confirming that the feature associated with this PR is enabled in:
  • Confluent Cloud prod
  • Confluent Cloud stag
  • Confluent Platform

What

This PR adds support for username/password (Basic Auth) as an alternative authentication method for Elastic connections in Confluent Cloud Flink.

Problem: Previously, Elastic connections only supported API key authentication. Some users prefer or require username/password authentication for their Elastic deployments.

Solution:

• Added username and password to the allowed secrets for the elastic connection type
• Added elastic to the username/password type mappings (alongside rest, mcp_server, and a2a)
• Implemented mutually exclusive validation: users must provide either --api-key OR both --username and --password, but not both authentication methods
• The CLI automatically sets AUTH_TYPE: "BASIC" when username/password is used, or AUTH_TYPE: "API_KEY" when api-key is used

Applies to: Confluent Cloud only

Blast Radius

• Low risk. This is an additive feature that adds a new authentication option for Elastic connections.
• Existing Elastic connections using --api-key are unaffected; the API key authentication path remains unchanged.
• If the backend Flink Gateway does not support username/password for Elastic, the CLI will successfully send the request but the backend will return an appropriate error.

References

• Flink Gateway backend changes for Elastic Basic Auth support

Test & Review

CLI Integration Tests Added:

• create-elastic-no-secret.golden - Tests error when no secrets provided for elastic
• create-elastic-mutually-exclusive-secret.golden - Tests error when both api-key and username are provided
• create-elastic-missing-required-secret.golden - Tests error when username provided without password

Manual Verification - Elastic CREATE connection with username/password:

./dist/confluent_darwin_arm64/confluent flink connection create test-elastic \
  --cloud aws \
  --region us-west-2 \
  --type elastic \
  --endpoint https://my-elastic.example.com:9200 \
  --username elastic \
  --password mySecretPassword123
No Flink endpoint is specified, defaulting to public endpoint: `https://flink.us-west-2.aws.devel.cpdev.cloud`
+---------------+-------------------------------------+
| Creation Date | 2025-12-19 10:56:38.559965          |
|               | +0000 UTC                           |
| Name          | test-elastic                        |
| Environment   | env-devcxk85zg                      |
| Cloud         | aws                                 |
| Region        | us-west-2                           |
| Type          | ELASTIC                             |
| Endpoint      | https://my-elastic.example.com:9200 |
| Data          | <REDACTED>                          |
| Status        |                                     |
+---------------+-------------------------------------+

Manual Verification - Elastic EDIT connection with username/password:

./dist/confluent_darwin_arm64/confluent flink connection update test-elastic \
  --cloud aws \
  --region us-west-2 \
  --username elastic \
  --password myOtherSecretPassword123
No Flink endpoint is specified, defaulting to public endpoint: `https://flink.us-west-2.aws.devel.cpdev.cloud`
+---------------+-------------------------------------+
| Creation Date | 2025-12-19 14:04:41.666412          |
|               | +0000 UTC                           |
| Name          | test-elastic                        |
| Environment   | env-devcxk85zg                      |
| Cloud         | aws                                 |
| Region        | us-west-2                           |
| Type          | ELASTIC                             |
| Endpoint      | https://my-elastic.example.com:9200 |
| Data          | <REDACTED>                          |
| Status        |                                     |
+---------------+-------------------------------------+

[confluent-cla-assistant]

🎉 All Contributor License Agreements have been signed. Ready to merge.
_{Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.}

[sonarqube-confluent]

Quality Gate failed

Failed conditions
1 New issue

See analysis details on SonarQube

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE