[gateway] add SNI to xDS bootstrap TLS config

Dedicated backplane Envoy instances connect to their project apiserver's
xDS server via Contour ingress on port 443. Contour uses SNI to route
TLS connections to the correct HTTPProxy backend. Without SNI set in the
bootstrap UpstreamTlsContext, Contour cannot route the connection.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: dilyevsky

pkg/gateway/xds/bootstrap/bootstrap.yaml.tpl

@@ -165,6 +165,7 @@ static_resources:
       name: envoy.transport_sockets.tls
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+        sni: {{ .XdsServer.Address }}
         common_tls_context:
           validation_context:
             trusted_ca: