proxy: Introduce a l5d-server-id response header

[olix0r]

The proxy's outbound client may or may not validate the identity of the server. This identity is typically a name like ${deployment}.deployment.${namespace}.linkerd-managed.${controller_namespace}.svc.cluster.local, which is provided to the proxy via service discovery.

When the server's identity has been validated, linkerd should insert a l5d-server-id header to responses with the server's name. The linkerd proxy should ALWAYS remove this header for both inbound and outbound requests such that it may ONLY be sent to the application when it is set by the local proxy.

[seanmonstar]

Let me see if I have this correct.

0. Services Foo and Bar have been injected with Linkerd2, and TLS is enabled.
1. Foo makes an outbound request to Bar.
2. Foo's proxy discovers that Bar is managed by linkerd, by receiving a TlsIdentity from the controller.
3. Foo's proxy tries to make a request to Bar's proxy, using TLS, expecting Bar's proxy's certificate to match the identity.
4. If it does, then the response received from Bar (through Bar's proxy) by Foo's proxy should add l5d-server-id: $tls_identity to the headers, and then pass that back to Foo.