security: make SAN authN cluster setting publicly available#162583

Merged
trunk-io[bot] merged 1 commit into cockroachdb:master from sanchit-CRL:sanchit_CRDB_58928_cluster_setting on Mar 17, 2026

Conversation

@sanchit-CRL sanchit-CRL commented Feb 6, 2026

  • Previously, the security.client_cert.san_required.enabled cluster setting was marked as reserved (internal-only) while the SAN-based authentication feature was being developed and tested.
  • This also changes WithReportable(false) → WithReportable(true), which means the setting value will now be included in diagnostic reports.

Epic: CRDB-58928

Resolves: #164136

Release note (security update): The new cluster setting security.client_cert.san_required.enabled enables Subject Alternative Name (SAN) based authentication for client certificates. When enabled, CockroachDB validates client identities using SAN attributes (URIs, DNS names, or IP addresses) from X.509 certificates instead of or in addition to the certificate's Common Name field.

Key capabilities include:

  • For privileged users (root and node): SAN identities are validated against values configured via the --root-cert-san and --node-cert-san startup flags, with automatic fallback to Distinguished Name validation when both methods are configured.

  • For database users: SAN identities are extracted from client certificates and mapped to database usernames using Host-Based Authentication (HBA) identity mapping rules, allowing a single certificate with multiple SAN entries to authenticate as different database users based on context.

  • Multiple identity attributes: A single certificate can contain multiple SAN entries (e.g., URI for service identity, DNS for hostname, IP for network location), providing flexible authentication options.

This authentication method works across both SQL client connections and internal RPC communication between cluster nodes, ensuring consistent identity verification throughout the system. Organizations using modern certificate management systems and service identity frameworks can now leverage their existing infrastructure for database authentication without requiring certificate reissuance or CN-based naming conventions.
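The two identity paths the description above distinguishes (a pinned SAN value for the privileged root/node identities, and HBA identity-map rules that turn a SAN into a database username) can be exercised end to end with a small program. The Go code below is an added example written for this page; it is not code from the cockroachdb repository or from this PR, and it does not show how the cluster setting is actually implemented. Its assumptions: identity-map lines follow the PostgreSQL pg_ident.conf convention (`map-name system-identity database-user`, a leading `/` marks a regexp, `\1` is replaced by the first capture group); the root/node check is plain string equality against the pinned value; and the client certificate (a SPIFFE URI, a DNS name and an IP SAN) and the two-map configuration are constructed sample data. In a real server the certificate struct would be `tls.ConnectionState.PeerCertificates[0]` after chain validation, which this example does not perform.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"slices"
	"strings"
)

// sanIdentities returns every SAN as a string (DNS names, URIs, then IPs); the Subject CN is never consulted.
func sanIdentities(cert *x509.Certificate) []string {
	ids := slices.Clone(cert.DNSNames)
	for _, u := range cert.URIs {
		ids = append(ids, u.String())
	}
	for _, ip := range cert.IPAddresses {
		ids = append(ids, ip.String())
	}
	return ids
}

// privilegedSANPresent is the root/node-style check: the cert must carry the operator-pinned SAN value
// (exact string equality is an assumption of this example; the PR text does not define the comparison).
func privilegedSANPresent(cert *x509.Certificate, pinned string) bool {
	return slices.Contains(sanIdentities(cert), pinned)
}

// identRule is one pg_ident-style line "map-name system-identity db-user": a system-identity beginning
// with '/' is a regexp, and "\1" in db-user is replaced by its first capture group.
type identRule struct {
	mapName, exact, dbUser string
	re                     *regexp.Regexp // non-nil only for regexp rules
}

func parseIdentMap(conf string) ([]identRule, error) {
	var rules []identRule
	for _, line := range strings.Split(conf, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue
		}
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed identity map line: %q", line)
		}
		r := identRule{mapName: f[0], exact: f[1], dbUser: f[2]}
		if strings.HasPrefix(f[1], "/") {
			re, err := regexp.Compile(f[1][1:])
			if err != nil {
				return nil, fmt.Errorf("bad regexp in %q: %w", line, err)
			}
			r.re = re
		}
		rules = append(rules, r)
	}
	return rules, nil
}

// mapSANToUser tries every SAN against mapName's rules in file order; "" means no rule matched.
func mapSANToUser(rules []identRule, mapName string, sans []string) string {
	for _, r := range rules {
		if r.mapName != mapName {
			continue
		}
		for _, id := range sans {
			if r.re == nil {
				if id == r.exact {
					return r.dbUser
				}
			} else if m := r.re.FindStringSubmatch(id); m != nil {
				return strings.ReplaceAll(r.dbUser, `\1`, append(m, "")[1]) // "" when the regexp has no group
			}
		}
	}
	return ""
}

// constructedClientCert stands in for tls.ConnectionState.PeerCertificates[0]; sample data only.
var constructedClientCert = &x509.Certificate{
	URIs:        []*url.URL{{Scheme: "spiffe", Host: "example.org", Path: "/ns/prod/sa/payments"}},
	DNSNames:    []string{"billing.example.org"},
	IPAddresses: []net.IP{net.ParseIP("10.0.0.7")},
}

const constructedIdentMap = `
# Sample map written for this example: map-name, system-identity (SAN string), database-user
workload     /^spiffe://example\.org/ns/prod/sa/(.+)$   \1
billing      billing.example.org                        billing_ro
`

func main() {
	rules, err := parseIdentMap(constructedIdentMap)
	if err != nil {
		panic(err)
	}
	sans := sanIdentities(constructedClientCert)
	fmt.Println(sans, mapSANToUser(rules, "workload", sans), mapSANToUser(rules, "billing", sans))
}
```

Run with `go run`: the single certificate resolves to `payments` through the `workload` map (URI SAN matched by the regexp, username taken from `\1`) and to `billing_ro` through the `billing` map (DNS SAN matched literally), which is the "different database users based on context" behaviour the description claims, with the HBA rule choosing the map. A map name with no matching rule returns "" and should be treated as an authentication failure, not as a reason to fall back to the CN.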

trunk-io Bot commented Feb 6, 2026

😎 Merged successfully - details.

blathers-crl Bot commented Feb 6, 2026

Your pull request contains more than 1000 changes. It is strongly encouraged to split big PRs into smaller chunks.

🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.

@cockroach-teamcity
This change is Reviewable

@sanchit-CRL sanchit-CRL force-pushed the sanchit_CRDB_58928_cluster_setting branch 2 times, most recently from 9cced5c to 803a165 on February 24, 2026 10:31
@sanchit-CRL sanchit-CRL changed the title from "Sanchit crdb 58928 cluster setting" to "security: make SAN authN cluster setting publicly available" on Feb 24, 2026
@sanchit-CRL sanchit-CRL force-pushed the sanchit_CRDB_58928_cluster_setting branch from 803a165 to 7afd13b on March 13, 2026 03:48
blathers-crl Bot commented Mar 13, 2026

It looks like your PR touches production code but doesn't add or edit any test code. Did you consider adding tests to your PR?

🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.

@sanchit-CRL sanchit-CRL marked this pull request as ready for review March 13, 2026 03:48
@sanchit-CRL sanchit-CRL requested review from a team as code owners March 13, 2026 03:48
@sanchit-CRL sanchit-CRL requested a review from souravcrl March 13, 2026 03:48
@souravcrl souravcrl left a comment

LGTM. Two minor suggestions:

  1. Release note style: The release note is thorough but quite long for a settings doc. Consider tightening the opening to lead with the user action rather than the implementation detail:

    Release note (security update): The new cluster setting
    `security.client_cert.san_required.enabled` enables Subject Alternative
    Name (SAN) based authentication for client certificates. When enabled,
    CockroachDB validates client identities using SAN attributes (URIs, DNS
    names, or IP addresses) from X.509 certificates instead of or in addition
    to the certificate's Common Name field.
    

    The key capabilities list is good — just the intro could be more direct.

  2. PR description: Worth mentioning that this also changes WithReportable(false) → WithReportable(true), which means the setting value will now be included in diagnostic reports. This is a minor but distinct behavior change from just making it public.

* Previously, the security.client_cert.san_required.enabled
cluster setting was marked as reserved (internal-only)
while the SAN-based authentication feature was
being developed and tested.

Epic: CRDB-58928

Resolves: cockroachdb#164136

Release note (security update): The new cluster setting
`security.client_cert.san_required.enabled` enables Subject
Alternative Name (SAN) based authentication for client
certificates. When enabled, CockroachDB validates client
identities using SAN attributes (URIs, DNS names, or
IP addresses) from X.509 certificates instead of or in
addition to the certificate's Common Name field.

Key capabilities include:

- For privileged users (root and node): SAN identities
are validated against values configured via the
--root-cert-san and --node-cert-san startup flags,
with automatic fallback to Distinguished Name
validation when both methods are configured.

- For database users: SAN identities are extracted from
client certificates and mapped to database usernames
using Host-Based Authentication (HBA) identity mapping
rules, allowing a single certificate with multiple SAN
entries to authenticate as different database users
based on context.

- Multiple identity attributes: A single certificate can
contain multiple SAN entries (e.g., URI for service
identity, DNS for hostname, IP for network location),
providing flexible authentication options.

This authentication method works across both SQL client
connections and internal RPC communication between
cluster nodes, ensuring consistent identity verification
throughout the system. Organizations using modern
certificate management systems and service identity
frameworks can now leverage their existing infrastructure
for database authentication without requiring certificate
reissuance or CN-based naming conventions.
@sanchit-CRL sanchit-CRL force-pushed the sanchit_CRDB_58928_cluster_setting branch from 7afd13b to 23ad59d on March 16, 2026 16:32
@sanchit-CRL
/trunk merge

@trunk-io trunk-io Bot merged commit 1f3efb7 into cockroachdb:master Mar 17, 2026
26 checks passed

3 participants