Deploy a SASL_PLAIN Kafka listener & test notifications against it

[delthas]

Issue: ZENKO-5106

[bert-e]

Hello delthas,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options

name	description	privileged	authored
/after_pull_request	Wait for the given pull request id to be merged before continuing with the current one.
/bypass_author_approval	Bypass the pull request author's approval	⭐
/bypass_build_status	Bypass the build and test status	⭐
/bypass_commit_size	Bypass the check on the size of the changeset TBA	⭐
/bypass_incompatible_branch	Bypass the check on the source branch prefix	⭐
/bypass_jira_check	Bypass the Jira issue check	⭐
/bypass_peer_approval	Bypass the pull request peers' approval	⭐
/bypass_leader_approval	Bypass the pull request leaders' approval	⭐
/approve	Instruct Bert-E that the author has approved the pull request.		✍️
/create_pull_requests	Allow the creation of integration pull requests.
/create_integration_branches	Allow the creation of integration branches.
/no_octopus	Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
/unanimity	Change review acceptance criteria from one reviewer at least to all reviewers
/wait	Instruct Bert-E not to run until further notice.

Available commands

name	description	privileged
/help	Print Bert-E's manual in the pull request.
/status	Print Bert-E's current status in the pull request TBA
/clear	Remove all comments from Bert-E from the history TBA
/retry	Re-start a fresh build TBA
/build	Re-start a fresh build TBA
/force_reset	Delete integration branches & pull requests, and restart merge process from the beginning.
/reset	Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

[Copilot]

Pull request overview

This PR adds support for testing SASL_PLAIN authenticated Kafka listeners with bucket notifications. It configures a new Kafka listener with SASL authentication and creates the necessary test infrastructure to verify notifications work with authenticated Kafka endpoints.

• Adds a third notification destination with SASL_PLAIN authentication support
• Configures a new Kafka listener on port 9095 with SASL authentication
• Extends test parameters and environment variables to support authenticated notifications

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
tests/ctst/world/Zenko.ts	Adds interface properties for authenticated notification destination configuration
tests/ctst/steps/notifications.ts	Implements test step for setting up an authenticated notification destination
.github/workflows/end2end.yaml	Defines environment variables for authenticated destination credentials and topic
.github/scripts/end2end/run-e2e-ctst.sh	Passes authenticated notification parameters to test world configuration
.github/scripts/end2end/configure-e2e.sh	Adds Kafka topic creation for authenticated notification destination
.github/scripts/end2end/configure-e2e-ctst.sh	Configures SASL_PLAIN Kafka listener and creates authenticated notification topic
.github/scripts/end2end/configs/notification_destinations.yaml	Defines ZenkoNotificationTarget with basic authentication credentials

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[bert-e]

Waiting for approval

The following approvals are needed before I can proceed with the merge:

• the author

• 2 peers

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[delthas]

Test failure appears to be unrelated: https://github.com/scality/Zenko/actions/runs/20574693679/job/59089167866#step:10:57882

2025-12-29T15:46:43.5917709Z Failures:
2025-12-29T15:46:43.5919230Z 
2025-12-29T15:46:43.5932481Z 1) Scenario: Replicate objects created before creating the replication rule # features/crrReplicationS3utils.feature:17
2025-12-29T15:46:43.5934141Z    ✔ Before # hooks/Logger.ts:39
2025-12-29T15:46:43.5934864Z    ✔ Before # hooks/versionTags.ts:5
2025-12-29T15:46:43.5935688Z    ✔ Before # common/hooks.ts:36
2025-12-29T15:46:43.5936910Z    ✔ Given an existing bucket "source-bucket-1" "with" versioning, "without" ObjectLock "without" retention mode # common/common.ts:140
2025-12-29T15:46:43.5938501Z    ✔ And an object "source-object-1" that "exists" # common/common.ts:374
2025-12-29T15:46:43.5939409Z    ✔ And a replication configuration to "awsbackendmismatch" location # common/common.ts:263
2025-12-29T15:46:43.5940262Z    ✔ When the job to replicate existing objects with status "NEW" is executed # steps/replication.ts:16
2025-12-29T15:46:43.5942424Z    ✖ Then the object replication should "succeed" within 300 seconds # steps/replication.ts:66
2025-12-29T15:46:43.5943870Z        AssertionError [ERR_ASSERTION]: Timeout: Object 'source-object-1' is still in pending/processing state after timeout
2025-12-29T15:46:43.5945061Z            at Zenko.<anonymous> (/ctst/steps/replication.ts:115:16)
2025-12-29T15:46:43.5946134Z            at processTicksAndRejections (node:internal/process/task_queues:95:5)
2025-12-29T15:46:43.5947426Z    - And the replicated object should be the same as the source object # steps/replication.ts:118
2025-12-29T15:46:43.5948470Z    ✔ After # common/hooks.ts:63
2025-12-29T15:46:43.5949143Z    ✔ After # hooks/Logger.ts:63
2025-12-29T15:46:43.5949522Z 
2025-12-29T15:46:43.5950166Z 2) Scenario: Re-replicate objects that failed to replicate # features/crrReplicationS3utils.feature:29
2025-12-29T15:46:43.5951256Z    ✔ Before # hooks/Logger.ts:39
2025-12-29T15:46:43.5951954Z    ✔ Before # hooks/versionTags.ts:5
2025-12-29T15:46:43.5952688Z    ✔ Before # common/hooks.ts:36
2025-12-29T15:46:43.5954249Z    ✔ Given an existing bucket "source-bucket2" "with" versioning, "without" ObjectLock "without" retention mode # common/common.ts:140
2025-12-29T15:46:43.5955986Z    ✔ And a replication configuration to "awsbackendreplicationctstfail" location # common/common.ts:263
2025-12-29T15:46:43.5957390Z    ✔ And a deleted destination bucket on that location # steps/replication.ts:176
2025-12-29T15:46:43.5958563Z    ✔ And an object "source-object-2" that "exists" # common/common.ts:374
2025-12-29T15:46:43.5959809Z    ✖ Then the object replication should "fail" within 500 seconds # steps/replication.ts:66
2025-12-29T15:46:43.5961216Z        AssertionError [ERR_ASSERTION]: Timeout: Object 'source-object-2' is still in pending/processing state after timeout
2025-12-29T15:46:43.5962476Z            at Zenko.<anonymous> (/ctst/steps/replication.ts:115:16)
2025-12-29T15:46:43.5963479Z            at processTicksAndRejections (node:internal/process/task_queues:95:5)
2025-12-29T15:46:43.5964828Z    - When the destination bucket on the location is created again # steps/replication.ts:198
2025-12-29T15:46:43.5966141Z    - And the job to replicate existing objects with status "FAILED" is executed # steps/replication.ts:16
2025-12-29T15:46:43.5967146Z    - Then the object replication should "succeed" within 300 seconds # steps/replication.ts:66
2025-12-29T15:46:43.5967876Z    - And the replicated object should be the same as the source object # steps/replication.ts:118
2025-12-29T15:46:43.5968491Z    ✔ After # common/hooks.ts:63
2025-12-29T15:46:43.5968900Z    ✔ After # hooks/Logger.ts:63
2025-12-29T15:46:43.5969116Z 

[delthas]

Finally passed after 3 retries.

[bert-e]

Request integration branches

Waiting for integration branch creation to be requested by the user.

To request integration branches, please comment on this pull request with the following command:

/create_integration_branches

Alternatively, the /approve and /create_pull_requests commands will automatically
create the integration branches.

[SylvainSenechal]

Might be worth to see what happens with the same test that you added, but unauthenticated.
given a non-authenticated notification
then i should not receive a notifciation

but maybe annoying to setup and not worth it, whatever

[SylvainSenechal]

wait how come this is the same as the function just above ?
Ah the authentication is done during setup, and it directly comes from the fact that you are using this specific destination

[SylvainSenechal]

Yeah I think ideally, we would use the kubernetes client (we have a client available in ctst) here to do the authentification but its some more work, needs to wait for reconciliation its annoying