At present, there is no way to use the operator to configure a broker to use client certificates for authentication and authorization. To be clear: this isn't about verifying the authenticity of a client's certificate, but using the identity in the certificate to determine what access the certificate's owner has to broker resources.
The existing ActiveMQArtemisSecurity CRD provides for authentication against Keycloak, but this doesn't work with client certificates either (see ENTMQBR-7511).
What is required is a way for the operator to create a login configuration using, for example, {{TextFileCertificateLoginModule}}, and to provide user and role information to it through, for example, a secret.
At present, there is no way to do client certificate authentication/authorization, with or without Keycloak, except by providing the broker with a completely custom configuration.
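For reference, a sketch of the kind of custom JAAS configuration described above, written for this page as an added example (it is not output of the operator or configuration taken from the issue). The realm name `CertLogin`, the two file names, the user and role names, and the DN are constructed sample values.

```text
// login.config (JAAS). The realm name "CertLogin" is an assumed example name;
// the broker's jaas-security setting must reference it as its certificate domain.
CertLogin {
    org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required
        debug=false
        org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
        org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
};

// cert-users.properties (constructed sample): <user name>=<certificate subject DN>
//   The module looks up the subject DN of the client's TLS certificate here
//   to obtain a broker user name. The DN has to match the certificate's subject.
//
//   orders-client=CN=orders-client,O=Example,C=US
//
// cert-roles.properties (constructed sample): <role>=<comma-separated user names>
//   The user name found above is then looked up here to obtain its roles,
//   which the broker's security settings map to address permissions.
//
//   producers=orders-client
//
// The acceptor must also request client certificates (needClientAuth=true),
// otherwise no certificate identity is available to the login module.
```

Because the users and roles files decide which certificate holder gets which permissions, they are the data the issue proposes supplying through a secret.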
- is incorporated by ENTMQBR-7525 Support JAAS config via extra mount config map reference (Closed)