SAN URI implementation for GCP users

[Dropio12]

#25333

Who is this for and what problem do they have today?

Redpanda users relying on mTLS authentication, especially those using SPIFFE-based identities. Redpanda only supports Distinguished Name (DN) for mTLS, but SPIFFE omits DN, making Redpanda incompatible. This forces users to:

• Use weaker authentication methods
• Implement complex workarounds
• Build custom authentication proxies
• Avoid Redpanda for security-critical workloads

What are the success criteria?

• Support SAN URI authentication alongside DN
• Maintain backward compatibility
• No required changes for existing deployments (opt-in)
• Clear documentation and integration tests
• No performance impact

Why is solving this problem impactful?

For users:

• Enables Redpanda in SPIFFE-secured environments
• Simplifies authentication without workarounds
• Aligns security with Kafka and cloud-native standards

For Redpanda:

• Expands adoption in security-critical industries
• Enhances SPIFFE and cloud integration
• Addresses a key limitation vs. Apache Kafka

Additional notes

Implementation:

• Utilize existing get_alt_name_information for SAN URI retrieval
• Hybrid authentication (DN + SAN URI) with per-certificate config

References:

• SPIFFE Workload API
• SPIFFE X.509-SVID
• JIRA: CORE-9424

JIRA Link: CORE-9817