Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

Thanks for opening this PR! I'd like to see support for SAN matching conditions as well.

I think we may want to discuss the exact policy syntax internally, so please bear with us if that takes some time.

One specific question I have is whether it would make sense to use the existing StringMatcher in conjunction with the different SAN types. Maybe something like this syntax?

    - client_certificate:
        san_email:
          ends_with: "@example.com"

Although StringMatcher might not make sense for IP address SANs. It might be more natural to accept CIDR notation there; maybe something like this?

    - client_certificate:
        san_ip_address: "10.1.2.0/24"

Sure thing, feel free to discuss, it was essentially a first stab at it.
The IP SAN field would likely contain a /32 address, so if you'd want to to CIDR match specific matcher logic would need to be added.

Hi @calderonth, sorry it's taken me so long to get back to this. Two questions:

1. Are you able to sign the CLA? If so I'll plan to make some changes based on this PR (to support the StringMatcher syntax).
2. Do you have a specific need for IP address SAN matching? I'm wondering if we should hold off on adding support for IP addresses unless there's a concrete use case for this.

Closing in favor of #4913.