kafka-operator

Support custom TLS principals

Open nightkr opened this issue 1 year ago • 0 comments

A vanilla Kafka installation will use the TLS certificate's Distinguished Name (DN) as the principal, which is then used for authorization (see https://kafka.apache.org/documentation/#security_authz_ssl). This isn't great for us, since the Secret Operator will currently always hard-code this to "CN=generated certificate for pod".

We could implement a custom https://kafka.apache.org/28/javadoc/org/apache/kafka/common/security/auth/KafkaPrincipalBuilder.html to do whatever mapping we want.

nightkr, Jul 09 '24 11:07
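
One possible shape for the custom principal builder proposed in the issue above, as an added example that is not part of the original issue or the kafka-operator code base. It assumes each pod certificate carries a distinguishing DNS subjectAltName (the issue does not say whether it does); the class name `SanPrincipalBuilder` is hypothetical.

```java
// Added example: derive the Kafka principal from the client certificate's
// first DNS subjectAltName instead of its (shared) Distinguished Name.
// Assumption: every pod certificate has a DNS SAN that identifies the client.
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import org.apache.kafka.common.security.auth.AuthenticationContext;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.KafkaPrincipalBuilder;
import org.apache.kafka.common.security.auth.SslAuthenticationContext;

public class SanPrincipalBuilder implements KafkaPrincipalBuilder {
    // GeneralName tag for dNSName in subjectAltName (RFC 5280).
    private static final int SAN_DNS_NAME = 2;

    @Override
    public KafkaPrincipal build(AuthenticationContext context) {
        if (!(context instanceof SslAuthenticationContext)) {
            // This builder only handles TLS listeners; refuse anything else.
            throw new IllegalArgumentException(
                "Unsupported authentication context: " + context.getClass().getName());
        }
        SSLSession session = ((SslAuthenticationContext) context).session();
        try {
            // Index 0 of the peer chain is the client's own (leaf) certificate.
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
            if (sans != null) {
                for (List<?> san : sans) {
                    // Each entry is [Integer type, Object value].
                    if ((Integer) san.get(0) == SAN_DNS_NAME) {
                        return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, (String) san.get(1));
                    }
                }
            }
            // Fail closed: a certificate without a DNS SAN gets no identity.
            throw new IllegalArgumentException("Client certificate has no DNS subjectAltName");
        } catch (SSLPeerUnverifiedException e) {
            // No client certificate was presented (client auth not required).
            return KafkaPrincipal.ANONYMOUS;
        } catch (CertificateParsingException e) {
            throw new IllegalArgumentException("Cannot parse subjectAltName extension", e);
        }
    }
}
```

A builder like this is selected with the broker setting `principal.builder.class`, after which ACLs refer to `User:<dns-name>` rather than the shared DN.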