
Add SPIRE-backed Prometheus TLS identity and SPIFFE allowlist#6812

Open
aviralgarg05 wants to merge 1 commit into spiffe:main from aviralgarg05:fix/prometheus-spiffe-telemetry-tls

Conversation

@aviralgarg05

Pull Request check list

  • Commit conforms to CONTRIBUTING.md?
  • Proper tests/regressions included?
  • Documentation updated?

Affected functionality

The Prometheus telemetry endpoint TLS support for both SPIRE Server and SPIRE Agent.

This change makes it possible to:

  • serve the Prometheus endpoint with SPIRE's own SVID instead of requiring a separately managed web certificate
  • restrict access to that endpoint to an explicit allowlist of client SPIFFE IDs

Description of change

This updates the Prometheus telemetry TLS configuration so operators can secure the metrics endpoint using SPIRE-native identity rather than external certificate management and helper processes.

Specifically, the change:

  • adds use_spire_svid to let the Prometheus listener present the current rotating SPIRE SVID
  • adds authorized_spiffe_ids to allow only specific SPIFFE IDs to connect
  • reuses existing SPIRE SVID and trust bundle state already maintained by the agent/server, instead of introducing any sidecar or glue logic
  • preserves the existing file-based cert_file / key_file path for users who still want to serve the endpoint with a regular web certificate
  • validates incompatible combinations such as authorized_spiffe_ids with client_ca_file
  • adds regression coverage for:
    • SPIRE SVID-backed TLS
    • SPIFFE ID client authorization
    • config validation failures
    • existing file-based TLS behavior

The configuration examples and telemetry documentation were also updated to describe the new options.

Which issue this PR fixes

Fixes #6780

(cherry picked from commit 2ec839e)
Signed-off-by: aviralgarg05 <gargaviral99@gmail.com>
aviralgarg05 force-pushed the fix/prometheus-spiffe-telemetry-tls branch from 2ec839e to 1deff2a on April 1, 2026 16:05
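The description above says the metrics listener presents the SPIRE SVID and admits only clients whose SPIFFE ID appears in authorized_spiffe_ids. The following Go program is an added illustration of how such an allowlist is enforced on a TLS listener; it is not code from this pull request or from SPIRE, uses only the standard library, and all function names (allowlist, authorizePeer, verifyPeerCertificate, serverTLSConfig, selfSignedSVID) are hypothetical. It assumes that authorized_spiffe_ids is a list of full SPIFFE ID strings, that the client chain has already been validated against the trust bundle before the hook runs, and that an X509-SVID carries exactly one spiffe:// URI SAN. The test certificate is constructed inline so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// spiffeIDFromCert returns the single spiffe:// URI SAN of a leaf certificate.
// Zero or more than one such SAN is treated as malformed and rejected.
func spiffeIDFromCert(cert *x509.Certificate) (string, error) {
	var ids []string
	for _, u := range cert.URIs {
		if u.Scheme == "spiffe" {
			ids = append(ids, u.String())
		}
	}
	if len(ids) != 1 {
		return "", fmt.Errorf("expected exactly one spiffe URI SAN, found %d", len(ids))
	}
	return ids[0], nil
}

// allowlist turns the configured authorized_spiffe_ids values into a set.
// Entries that are not well-formed SPIFFE IDs are rejected so a typo fails
// at startup instead of silently never matching (hypothetical validation).
func allowlist(ids []string) (map[string]struct{}, error) {
	set := make(map[string]struct{}, len(ids))
	for _, raw := range ids {
		u, err := url.Parse(raw)
		if err != nil || u.Scheme != "spiffe" || u.Host == "" {
			return nil, fmt.Errorf("invalid spiffe id in authorized_spiffe_ids: %q", raw)
		}
		set[raw] = struct{}{}
	}
	return set, nil
}

// authorizePeer returns nil only when the leaf's SPIFFE ID is in the allowlist.
func authorizePeer(leaf *x509.Certificate, allowed map[string]struct{}) error {
	id, err := spiffeIDFromCert(leaf)
	if err != nil {
		return err
	}
	if _, ok := allowed[id]; !ok {
		return fmt.Errorf("spiffe id %q is not authorized to scrape metrics", id)
	}
	return nil
}

// verifyPeerCertificate is the tls.Config hook. It runs after Go has verified
// the client chain against ClientCAs, so verifiedChains[0][0] is a trusted leaf.
func verifyPeerCertificate(allowed map[string]struct{}) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
		if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
			return errors.New("no verified client chain")
		}
		return authorizePeer(verifiedChains[0][0], allowed)
	}
}

// serverTLSConfig wires the hook into a listener config. ClientAuth must require
// and verify the client certificate, otherwise the hook never sees a chain.
func serverTLSConfig(bundle *x509.CertPool, allowed map[string]struct{}) *tls.Config {
	return &tls.Config{
		ClientAuth:            tls.RequireAndVerifyClientCert,
		ClientCAs:             bundle,
		MinVersion:            tls.VersionTLS12,
		VerifyPeerCertificate: verifyPeerCertificate(allowed),
	}
}

// selfSignedSVID builds a constructed, self-signed test certificate carrying
// the given SPIFFE ID as its URI SAN (for the demonstration only).
func selfSignedSVID(id string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	u, err := url.Parse(id)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		URIs:         []*url.URL{u},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	allowed, err := allowlist([]string{"spiffe://example.org/prometheus"})
	if err != nil {
		panic(err)
	}
	fmt.Println(authorizePeer(selfSignedSVID("spiffe://example.org/prometheus"), allowed)) // nil
	fmt.Println(authorizePeer(selfSignedSVID("spiffe://example.org/other"), allowed))      // not authorized
}
```

The point of ordering matters: chain verification against the bundle (ClientCAs) establishes that the peer holds an SVID issued by the trust domain, and only then does the allowlist narrow that to the specific scrapers the operator named. Checking the allowlist without the chain check would let any party present a certificate with a chosen URI SAN.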

Development

Successfully merging this pull request may close these issues.

[spire] prometheus spiffe cert support

2 participants