The proxy's tap server must only accept TLS connections from the linkerd-controller. If the l5d-client-id is not the identity of the linkerd-controller, then the connection should be refused.

The following (subject to change) are requirements for this:

Behavior

• The proxy config needs a new variable who's value is the expected TLS identity of the controller; this would be set when a proxy is injected like the rest of the config values.
• fn serve_tap should be passed this expected identity so that it can assert equality for each incoming connection
• If the expected identity does not equal the session.peer_identity(), we should not make a new service (we may wan to log here as well)

Testing

• proxy: Test that inbound listener refuses connections until its identity is certified #2598: We should test incoming client connections over TLS and this issue will add the functionality required for testing this
• We also may want to test incoming client connections over TLS from discovery similar to here