API to refresh principals is using HTTP

[louiscryan]

In

https://github.com/lyft/envoy/blob/c16bdb6de9059abba833b59d98239c228ecac699/source/common/filter/auth/client_ssl.cc#L86

the call is using HTTP not HTTP to fetch principals. Exposes the API to a MITM attack.

Seems like this behavior should be configurable and the default should be HTTPS

[mattklein123]

The underlying connection will use SSL if the cluster is configured for it in the cluster manager (the transport is abstracted at this level). With that said, if the underlying connection is going to be SSL we should set the scheme properly. Will need to expose this out of the cluster object.

[mattklein123]

#206

[mattklein123]

fixed