[CC-4365] HCP Metrics xDS Config for Envoy

[freddygv]

Description

#16511 adds bootstrap configuration so that Envoy is configured to send its telemetry to a statically defined local socket.

This PR builds on top of the previous one by configuring a dynamic listener at that statically configured socket. The changes below inject the HCP metrics collector as an upstream for connect proxies since it is intended to be a mesh service deployed onto the user's cluster.

Why is there dynamic configuration when the cluster is statically defined at bootstrap time?

• We want to secure the metrics stream using TLS, but the stats sink can only be defined in bootstrap config. With dynamic listeners/clusters we can use certificates issued by the connect CA, which aren't available at bootstrap time.
• We want to intelligently route to the HCP collector. Configuring its address at bootstrap time limits our flexibility routing-wise compared to providing clusters/endpoints dynamically using xDS. More on this below.

Why define the collector as an upstream in proxycfg?

• Service discovery and routing logic is automatically taken care of, meaning that no code changes are required in the xds package.
• Certificate management is taken care of. Each proxy will dial using the certificate of the proxy it represents, and the HCP collector can present its own certificate as well as check intentions.
• Custom routing rules can be added for the collector using discovery chain config entries. Initially the collector is expected to be deployed to each admin partition, but in the future could be deployed centrally in the default partition. These config entries could be managed by HCP itself.

Testing & Reproduction steps

• Added unit tests at the proxycfg and xds layers.
• Tested against live Consul client agent and consul-dataplane instance, and verified that metrics do get sent to a collector service registered with the expected name.

PR Checklist

• updated test coverage
• external facing docs updated
• not a security concern

[freddygv]

The collector will be deployed in the default namespace of each admin partition using the well-known api.HCPMetricsCollectorName

[freddygv]

Envoy's metrics service stats sink uses gRPC: https://github.com/envoyproxy/envoy/blob/main/api/envoy/service/metrics/v3/metrics_service.proto#L23

[freddygv]

Expected http2 protocol options since it is a gRPC service

[hashi-derek]

Nit. We should invert this so that it performs an early return when the value is empty.