
fix: add server_fqdn to kerberos auth config

zmstone 1 год назад
Родитель
Сommit
88afd92daa

+ 8 - 1
apps/emqx_auth_gssapi/src/emqx_authn_gssapi_schema.erl

@@ -44,9 +44,16 @@ fields(gssapi) ->
                     required => true,
                     desc => ?DESC(principal)
                 })},
-            {keytab_file,
+            {server_fqdn,
                 ?HOCON(binary(), #{
                     required => true,
+                    desc => ?DESC(server_fqdn)
+                })},
+            {keytab_file,
+                ?HOCON(binary(), #{
+                    required => false,
+                    %% This is hidden for now because it has to be /etc/krb5.keytab
+                    importance => ?IMPORTANCE_HIDDEN,
                     desc => ?DESC(keytab_file)
                 })}
         ].
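Review bot: `keytab_file` becomes optional and hidden, but the hunk sets no `default`, so unless the consuming code substitutes the path itself the field reads as `undefined` at runtime; the inline comment says the value is fixed to `/etc/krb5.keytab`, and that fact should live in the schema rather than only in a comment, e.g. `default => <<"/etc/krb5.keytab">>,` next to `required => false`. The comment itself would be clearer as `%% Hidden for now: the keytab path is fixed to /etc/krb5.keytab (see default)`, since a reader cannot tell from "has to be" whether that is enforced or merely expected. As the keytab holds long-term service keys, pinning the path in the schema also makes the file-permission expectation for that one path explicit to operators. `fields(gssapi)` begins outside the hunk, so I cannot see whether a later validator already handles the missing value.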

+ 14 - 1
rel/i18n/emqx_authn_gssapi_schema.hocon

@@ -8,8 +8,21 @@ principal {
         NOTE: The realm in use has to be configured in /etc/krb5.conf in EMQX nodes.~"""
 }
 
+server_fqdn {
+    label: "Server FQDN"
+    desc: """~
+        This is typically the network access point of the service, such as the DNS record of the load balancer endpoint.
+        However, it is not strictly necessary for it to be an accessible network address.
+        Important considerations include:
+
+        - It must match the FQDN used in the server's Kerberos principal, e.g., `mqtt/${SERVER_FQDN}@EXAMPLE.COM`.
+        - The client must use this exact value to request authentication services.
+
+        This ensures that the client and server agree on the identity being authenticated.~"""
+}
+
 keytab_file {
-    label: "keytab file"
+    label: "Keytab File"
     desc: """~
         SASL GSSAPI authentication Kerberos keytab file path.
         NOTE: This file has to be placed in EMQX nodes.~"""