cli,server: enable SQL clients on TCP with non-TLS modes

[knz]

Today CockroachDB requires TLS for all client connections on TCP soon as a cluster is runnign securely.

(Unix socket connections already do not require TLS).

As discussed in #16188 (comment) and following, it may be interesting to introduce an alternate listener when the network environment (e.g. k8s) provides its own layer of transport security.

When this becomes available, the authentication should be configurable in a different way than TLS certificates (for example, to require passwords).

PostgreSQL already supports this by distinguishing hostssl and hostnossl rules in the HBA configuration. CockroachDB could do something similar.

Note that this enhancement does not require separate listeners, because the pg protocol already supports mixed TLS / non-TLS connections over a single port.

[knz]

Discussion with @aaron-crl : it would be interesting to only support this with an interlock, to ensure users don't "shoot themselves in the foot". This can be done as follows:

• opt-in 1) only enable the non-TLS listener if a CLI flag is passed
• opt in 2) have the default HBA rule for non-TLS listeners to be deny all, and require the admin to explicitly change the HBA config to allow non-TLS clients

This way, an accidental change of either of the two avenues is much less likely to significantly impair cluster security.

[knz]

@rkruze @piyush-singh if this issue is raising in priority please let me know ASAP.

[knz]

Moving the request to have multiple listeners to a separate issue #54006 -- this issue should focus on non-TLS connections (it's possible to accept both TLS and non-TLS on a single SQL port).