Description
Summary
Provide option to restrict access to gRPC servers by specifying a list of permitted distinguished names for mTLS authentication.
Problem statement
The applications currently support gRPC access restriction by specifying fingerprints (SHA256 digests) of permitted certificates. This enables us to utilize a shared/pre-existing CA to establish mutually authenticated connections while limiting access to holders of specific client certificates.
Usage of the option does, however, require that the certificates are generated and signed before the configuration is made, as the fingerprints are unpredictable beforehand. Furthermore, the configuration must be updated when certificates are rotated, as their fingerprints would change (which could happen automatically through ACME or similar).
Proposed solution
Provide another option for access restriction that verifies properties from the client certificate's subject, such as its distinguished name. This would solve the two previously mentioned challenges.
Alternative solutions
Set up a dedicated CA for each component (verifier, issuer, etc.) that is only used for granting access to the specific application.
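
The subject check proposed in this issue, sketched as an added Go example; it is not the project's code, and the choice of Go, the function names and the sample DNs are assumptions. It hooks `tls.Config.VerifyConnection`, so the allowlist is applied only to a chain that already validated against the trusted CA, including on resumed sessions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// dnVerifier returns a tls.Config.VerifyConnection callback that admits a client
// only if its leaf subject DN (RFC 2253 form, pkix.Name.String()) is in allowed.
func dnVerifier(allowed []string) func(tls.ConnectionState) error {
	set := make(map[string]struct{}, len(allowed))
	for _, dn := range allowed {
		set[dn] = struct{}{}
	}
	return func(cs tls.ConnectionState) error {
		// VerifiedChains is only set once the chain validated against ClientCAs.
		if len(cs.VerifiedChains) == 0 || len(cs.VerifiedChains[0]) == 0 {
			return errors.New("no verified client certificate chain")
		}
		dn := cs.VerifiedChains[0][0].Subject.String()
		if _, ok := set[dn]; !ok {
			return fmt.Errorf("client DN %q is not permitted", dn)
		}
		return nil
	}
}

// serverTLS builds the mTLS config a gRPC server would wrap with credentials.NewTLS.
func serverTLS(cert tls.Certificate, clientCAs *x509.CertPool, allowed []string) *tls.Config {
	return &tls.Config{
		Certificates:     []tls.Certificate{cert},
		ClientCAs:        clientCAs,
		ClientAuth:       tls.RequireAndVerifyClientCert,
		VerifyConnection: dnVerifier(allowed),
	}
}

// stateFor fakes a verified connection whose leaf has the given CN (constructed sample).
func stateFor(cn string) tls.ConnectionState {
	leaf := &x509.Certificate{Subject: pkix.Name{CommonName: cn, Organization: []string{"Example Org"}}}
	return tls.ConnectionState{VerifiedChains: [][]*x509.Certificate{{leaf}}}
}

func main() {
	verify := dnVerifier([]string{"CN=verifier-client,O=Example Org"})
	fmt.Println(verify(stateFor("verifier-client")), verify(stateFor("issuer-client")))
}
```

A DN allowlist is only as strong as the CA's control over who can obtain a certificate carrying a permitted subject.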