sec: Don't block for update on OIDC service start

[michael-redpanda]

Upon OIDC service start, it will attempt to get the certificates from the IdP. If the service is unable to communicate with the IdP, this process times out after 5 seconds. If this occurs during cluster start up, this will prevent leadership election from occurring, which is especially troublesome with the controller. This has led to a cascade of other failures (such as being unable to assign the cluster ID in the metrics report service).

This change starts the update in the background to permit the rest of startup to continue without being blocked.

Backports Required

• none - not a bug fix
• none - this is a backport
• none - issue does not exist in previous branches
• none - papercut/not impactful enough to backport
• v25.3.x
• v25.2.x
• v25.1.x
• v24.3.x

Release Notes

Bug Fixes

• Addresses an issue if the OIDC service fails to communicate with the IdP causing the prevention of controller leadership election

[Copilot]

Pull Request Overview

This PR addresses a blocking issue during OIDC service startup that could prevent controller leadership election. Previously, the OIDC service would synchronously wait for certificate updates from the IdP during startup, causing a 5-second timeout if the IdP was unreachable. This blocking behavior during cluster startup prevented critical operations like leadership election and cluster ID assignment.

Key Changes:

• Changed OIDC service startup to spawn the update operation asynchronously instead of blocking on it
• Removed the gate holder acquisition in favor of ssx::spawn_with_gate to manage the background task lifecycle

[BenPope]

Is it just the 5s delay that causes the failed startup? I.e., does that lead to a timeout elsewhere?

[michael-redpanda]

There's a timeout in config_manager awaiting controller leadership. This timeout is preventing controller leadership election from forming.

[vbotbuildovich]

Retry command for Build#76558

please wait until all jobs are finished before running the slash command

/ci-repeat 1
tests/rptest/tests/log_compaction_test.py::LogCompactionTxRemovalUpgradeTest.test_tx_control_batch_removal_with_upgrade@{"test_case_name":"All commits"}

[vbotbuildovich]

CI test results

test results on build#76558

test_class	test_method	test_arguments	test_kind	job_url	test_status	passed	reason	test_history
AuditLogTestKafkaApi	test_no_auth_enabled	{"audit_transport_mode": "kclient"}	integration	https://buildkite.com/redpanda/redpanda/builds/76558#019a97c1-4fc0-4031-9fe3-d82535bb8aa5	FLAKY	19/21	upstream reliability is '99.21011058451816'. current run reliability is '90.47619047619048'. drift is 8.73392 and the allowed drift is set to 50. The test should PASS	https://redpanda.metabaseapp.com/dashboard/87-tests?tab=142-dt-individual-test-history&test_class=AuditLogTestKafkaApi&test_method=test_no_auth_enabled
LogCompactionTxRemovalUpgradeTest	test_tx_control_batch_removal_with_upgrade	{"test_case_name": "All commits"}	integration	https://buildkite.com/redpanda/redpanda/builds/76558#019a97bb-cd8e-46bc-907e-9c1b373857c0	FLAKY	8/21	upstream reliability is '88.35616438356165'. current run reliability is '38.095238095238095'. drift is 50.26093 and the allowed drift is set to 50. The test should FAIL	https://redpanda.metabaseapp.com/dashboard/87-tests?tab=142-dt-individual-test-history&test_class=LogCompactionTxRemovalUpgradeTest&test_method=test_tx_control_batch_removal_with_upgrade

[michael-redpanda]

CI Failure: https://redpandadata.atlassian.net/browse/CORE-14467

[vbotbuildovich]

/backport v25.3.x

[vbotbuildovich]

/backport v25.2.x

[vbotbuildovich]

/backport v25.1.x