authorize: add client mTLS support (#751)

* authorize: add client mtls support

* authorize: better error messages for envoy

* switch from function to input

* add TrustedCa to envoy config so that users are prompted for the correct client certificate

* update documentation

* fix invalid ClientCAFile

* regenerate cache protobuf

* avoid recursion, add test

* move comment line

* use http.StatusOK

* various fixes

authorize/evaluator/opa/policy/authz.rego

@@ -5,6 +5,10 @@ import data.shared_key
 
 default allow = false
 
+http_status = [495, "invalid client certificate"]{
+	not input.is_valid_client_certificate
+}
+
 # allow public
 allow {
 	route := first_allowed_route(input.url)