destination: add UriLikeIdentity and server_name (#285)

Changes the `TlsIdentity` type in the destination API such that: 

- we add an extra `UriLikeIdentity` identity type that should contain identities that are in URI format (e.g. SPIFFE)
- we add a `server_name` to the `TlsIdentity` type. This allows us to differentiate between an SNI value and a TLS Id value. This is mainly needed because in certain identity systems (SPIFFE/SPIRE) the TLS SAN can be in URI form. A URI cannot be used as a SNI extension in a `ClientHello`, so an alternative SNI value needs to be provided. This brings the need to distinguish between these two concepts. 

For context: 
linkerd/linkerd2-proxy#2506

Signed-off-by: Zahari Dichev <[email protected]>
Co-authored-by: Oliver Gould <[email protected]>

proto/destination.proto

@@ -103,12 +103,19 @@ message WeightedAddr {
   AuthorityOverride authority_override = 7;
 }
 
-// Which strategy should be used for verifying TLS.
 message TlsIdentity {
   reserved 2;
   reserved "k8s_pod_identity";
 
-  oneof strategy { DnsLikeIdentity dns_like_identity = 1; }
+  oneof strategy {
+    DnsLikeIdentity dns_like_identity = 1;
+    UriLikeIdentity uri_like_identity = 3;
+  }
+
+  // The server name of the endpoint. This is the value that needs to be included
+  // by clients in the ClientHello SNI extension of the TLS handshake when they
+  // initiate TLS connections to servers.
+  DnsLikeIdentity server_name = 4;
 
   // Verify the certificate based on the Kubernetes pod identity.
   message DnsLikeIdentity {
@@ -118,6 +125,15 @@ message TlsIdentity {
     //    {name}.{namespace}.{type}.identity.{control-namespace}.{trust-domain...}
     string name = 1;
   }
+
+  // Verify the certificate based on an URI identity.
+  message UriLikeIdentity {
+    // A URI name that encodes workload identity.
+    //
+    // For example:
+    //    spiffe://trust-domain/workload-dentifier
+    string uri = 1;
+  }
 }
 
 message AuthorityOverride { string authority_override = 1; }