Closed kannanjgithub closed 1 month ago
This needs to start behind a flag, and after we do interop testing it will be stabilized.
Also, include notes in the commit message/PR description as to why we are making this change (reference the appropriate gRFC).
I didn't do it because the gRFC talks about adding the guard elsewhere:
> Use of the RDS `auto_host_rewrite` field will be guarded by the
> `GRPC_EXPERIMENTAL_XDS_AUTHORITY_REWRITE` env var. The env var guard
> will be removed once the feature passes interop tests.
I assumed each language will follow the same env var protection mechanism. Do we still need it here? I'm ok with adding it though.
The gRFC doesn't cover the update to this bootstrap generator. It only goes as far as defining changes to the bootstrap format. This generator is for a specific control plane.
"Flag" here means an actual flag, like `flag.Bool` at the top of `main.go`. We'd name it with `-experimental` and change the default when things are ready. It's not a huge concern in this case, but generally we want to verify that the config is correct before we enable it, and that is done by testing with clients that use the new values.
Done.
In order to address use-cases where authority rewriting may not be acceptable from a security perspective, adding a new server feature to the bootstrap config. The server feature is specified via the `server_features` field described in gRFC A30. The feature is the string `trusted_xds_server`. (Note that the name is intentionally fairly general, since it may be used to trigger other security-sensitive functionality in the future.)
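
The gating discussed in this thread, as an added example that is not the bootstrap generator's own code: a default-off `flag.Bool` decides whether `trusted_xds_server` is written into `server_features`, and a small audit function reports which servers in a bootstrap document carry it. The flag name `trusted-xds-server-experimental`, the function names and the server URI are assumptions made for illustration, and the bootstrap is reduced to the fields the example needs (`channel_creds` and `node` are omitted).

```go
package main

import (
	"encoding/json"
	"flag"
	"fmt"
)

// Hypothetical flag name; stays false until interop testing passes.
var trustedFlag = flag.Bool("trusted-xds-server-experimental", false, "emit trusted_xds_server")

type xdsServer struct {
	ServerURI      string   `json:"server_uri"`
	ServerFeatures []string `json:"server_features"`
}
type bootstrap struct{ XDSServers []xdsServer `json:"xds_servers"` }

// generate emits a bootstrap; the security-sensitive feature is opt-in.
func generate(uri string, trusted bool) ([]byte, error) {
	features := []string{"xds_v3"}
	if trusted {
		features = append(features, "trusted_xds_server")
	}
	return json.MarshalIndent(bootstrap{[]xdsServer{{uri, features}}}, "", "  ")
}

// trustedServers maps each server URI to whether the bootstrap marks it
// as trusted_xds_server; an absent or false entry means not trusted.
func trustedServers(doc []byte) (map[string]bool, error) {
	var b bootstrap
	if err := json.Unmarshal(doc, &b); err != nil {
		return nil, fmt.Errorf("parse bootstrap: %w", err)
	}
	trusted := map[string]bool{}
	for _, s := range b.XDSServers {
		for _, f := range s.ServerFeatures {
			trusted[s.ServerURI] = trusted[s.ServerURI] || f == "trusted_xds_server"
		}
	}
	return trusted, nil
}

func main() {
	flag.Parse()
	doc, err := generate("xds.example.test:443", *trustedFlag) // constructed URI
	if err != nil {
		panic(err)
	}
	fmt.Println(string(doc))
}
```

Running `trustedServers` over generated bootstrap files before flipping the flag's default shows exactly which control planes a rollout would mark as trusted.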