Add TLS support for `pd`'s gRPC endpoint

[hdevalence]

Is your feature request related to a problem? Please describe.

It should be possible for pd to serve gRPC using TLS, without requiring the use of an extra proxy layer.

Describe the solution you'd like

Add a way to specify a certificate that pd will use to do TLS. Then use Tonic's TLS support to enable TLS connections on the Server.

[hdevalence]

It looks like the way to do this is:

• Use tls_config on the server builder to set a TLS config
• Configure a ServerTlsConfig with the cert details.

Since we're not going to use TLS for client auth, I don't think we need to set the client_ca_root, so we just need to set the Identity. We could add a command-line flag to pd with a path to the cert -- currently, pd has no config files, only command line arguments (i.e., the "config file" is whatever is invoking the binary), and I think it'd be nice to keep it this way.

At this stage we don't need to do cert management, we can punt all of that to the user for now.

[hdevalence]

Closing in favor of #1406; I don't think we should support TLS other than auto-TLS, since anyone willing to configure certs manually could also configure a reverse proxy.