Specify Name Constraints in CA Certificate

[t-cas]

Is your feature request related to a problem? Please describe.
When creating a Certificate CR using flag isCA: true, there is today no possibility to specify Name Constraints to apply restrictions on the CN and SAN for this Sub-CA.

Describe the solution you'd like
a new section spec.nameConstraints in Certificate CR for example:

spec:
  isCA: true
  nameConstraints:
  - type: permitted
    critical: true
    constraints:
      dns: [.private, .corp]
      ipAddress: [192.168.3.0/255.255.255.0]
  - type: excluded
    critical: true
    constraints:
      dns: [.secret.corp]

/kind feature

[SivaBharahi]

Important Feature: Will be a critical addition to controlling boundaries for Sub CAs.

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[t-cas]

/remove-lifecycle stale

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[t-cas]

/remove-lifecycle stale

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[jetstack-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale