Description
Is your feature request related to a problem? Please describe.
At the moment it is only possible to specify uri_sans and other_sans parameters to a Vault issuer. To use these features one must disable use_csr_sans in the Vault role, which means any DNS SANs in the CSR would be ignored.
Describe the solution you'd like
Add the ability for the Vault alt_names parameter to be configured as a part of the vault.Issuer struct, similar to the existing URISubjectAlternativeNames and OtherSubjectAlternativeNames options. Note that the Vault alt_names parameter can be used for both DNS and Email names. For completeness it might be worth adding the ip_sans option at the same time, which would fully round out the issuer to expose all underlying Vault options.
Describe alternatives you've considered
The obvious alternative is setting use_csr_sans to true in the Vault role and simply using the CertConfig to specify all SANs. The downside to this is that it would require doing all access control in the PKI role (e.g., one role per application) and being unable to use the otherwise powerful Vault policy configuration, which allows specifying request arguments as a part of the Vault policy and can be more powerful.
Adding the options to the Vault issuer would still permit this option, as existing behaviour would not change when those fields are not provided, but it enables flexibility where required.
Additional context
https://www.vaultproject.io/api-docs/secret/pki/#sign-certificate
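An added illustration of the behaviour the issue describes, not code from the certify project itself: when the Vault role has use_csr_sans disabled, the DNS, e-mail and IP SANs in the CSR have to be carried in the alt_names and ip_sans parameters of the sign-certificate request, or Vault drops them. SANParams and NewSampleCSR are assumed helper names and the SAN values are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"net"
	"strings"
)

// SANParams returns the SAN parameters for a Vault pki/sign/:role request. With
// use_csr_sans disabled on the role, the CSR's DNS, e-mail and IP SANs are copied
// into alt_names and ip_sans (comma-separated) so they are not silently dropped.
func SANParams(csr *x509.CertificateRequest, roleUsesCSRSANs bool) map[string]string {
	p := map[string]string{}
	if roleUsesCSRSANs {
		return p // Vault takes the SANs from the CSR itself; nothing to add.
	}
	// alt_names carries both DNS and e-mail names, as the issue notes.
	names := append(append([]string{}, csr.DNSNames...), csr.EmailAddresses...)
	if len(names) > 0 {
		p["alt_names"] = strings.Join(names, ",")
	}
	var ips []string
	for _, ip := range csr.IPAddresses {
		ips = append(ips, ip.String())
	}
	if len(ips) > 0 {
		p["ip_sans"] = strings.Join(ips, ",")
	}
	return p
}

// NewSampleCSR makes a throwaway P-256 key and a CSR with constructed SANs (assumed helper).
func NewSampleCSR() (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		DNSNames:       []string{"app.example.internal"},
		EmailAddresses: []string{"ops@example.internal"},
		IPAddresses:    []net.IP{net.ParseIP("10.0.0.5")},
	}, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der) // parsed back, as Vault would see it
}
```

Whether those parameters are accepted is then governed by the Vault policy on the sign path, which is the access-control point the issue wants to keep usable.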