Optional Gorouter mTLS Client Certificate Metadata Verification

[peanball]

What is this change about?

We want to add optional mTLS client certificate metadata verificiation in addition to basic validity checks.

Given a particular signing CA (identified by its subject) we want to limit the allowed client certificate subjects.

While the underlying issue is better solved with changes to the PKI and trust relationship between CAs, the PKI or its use by other sub-entities is not always under the control of the operator.

This PR pulls in the Gorouter change that implements the feature and provides the configuration spec and template to configure the optional property.`

What type of change is this?

• [Breaking Change]: the change removes a feature or introduces a behavior change to core functionality (request routing, request logging)
• [Minor Feature/Improvement]: the change introduces a new feature or improvement that doesn't alter core behavior
• [Bug Fix]: the change addresses a defect

Backwards Compatibility

This is a non-breaking change that is completely optional. When the property is not set, no callback is registered at all.

How should this be tested?

See Gorouter PR. There are also automated tests as part of the Gorouter PR.

Additional Context

Gorouter PR: cloudfoundry/gorouter#367

PR Checklist

• I have viewed, signed, and submitted the Contributor License Agreement.
• I have made this pull request to the develop branch.
• I have run all the unit tests using scripts/run-unit-tests-in-docker scripts/test-in-docker-locally.bash.
• I have given thought to the backward-compatibility requirements of this change, and listed any mitigations above.
• (Optional) I have run Routing Acceptance Tests and Routing Smoke Tests.
• (Optional) I have run CF Acceptance Tests.

[domdom82]

this sentence seems odd 🧐

[domdom82]

only some minor gripes, approving.