Use display name as CN

[andrejvanderzee]

We require a way to force the display name into certificates because of security and audit logging. Consider the following use-case (vault-helper is our command-line tool that abstracts from raw vault calls used by our tech people):

(1) vault-helper auth -role devops -username me 
password: *****
(2) vault-helper k8s -cluster production

In step (1) we login and the DisplayName is set to me. In step (2) we fetch a client certificate for Kubernetes production environment. This is were it gets shady. If someone manually calls vault production/pki/issue/devops and provides common_name=you, the Kubernetes audit logs will trace back to you, instead of me.

Of course we can correlate k8s audit logs with Vault audit logs, but we rather have the guarantee that no one can temper with the CN.

This PR adds the option use_displayname_cn to the pki/issue/:role endpoint that supports the above use-case.

[jefferai]

Relying on display name is very fragile and not very secure. Instead this should use identity templating and get the info from the entity associated with the token.

[jefferai]

This is more or less a dup of #4157

[andrejvanderzee]

@jefferai Thanks, thats a duplicate indeed and will have a look at identity templating soon.

Can you explain why allow_token_displayname is not documented on the webpage at all? Cause looking at the source code, we could probably enforce display name by setting these in the role config:

1. allowed_domains="*.example.com"
2. allow_glob_domains=false
3. allow_token_displayname=true

[jefferai]

Backwards compat. We allowed it a long time ago before realizing it was not a good idea. But we didn't want to bust any roles that had already been configured. Given that you can't configure a role with that option likely it's dead code at this point but it's not doing any harm having it in there.

[andrejvanderzee]

Close in favor of #6558.