# Feature Request

## Problem

When configuring cross-cluster replication with TLS, `global.tls.remoteClusters` requires an exact hostname entry per remote cluster:

```yaml
global:
  tls:
    remoteClusters:
      cluster1.temporal.com:
        client:
          rootCaFiles: [/etc/certs/ca.pem]
      cluster2.temporal.com:
        client:
          rootCaFiles: [/etc/certs/ca.pem]
```
This has two problems:

- No fallback: if a hostname is not present in the map, `GetRemoteClusterClientConfig` returns `nil`, resulting in a plaintext (insecure) connection — not a secure fallback.
- Adding a new remote cluster requires a config change plus a cluster restart, since the static config is not hot-reloaded.
## Proposed Solution

Support a fallback/default TLS config entry for remote clusters, for example via a reserved key such as `"*"` or a dedicated `defaultRemoteCluster` block:

```yaml
global:
  tls:
    remoteClusters:
      "*":
        client:
          rootCaFiles: [/etc/certs/shared-ca.pem]
```

This entry would be used when no exact hostname match is found, before falling back to an insecure connection.
## Why This Is Useful

A single fallback entry covers two common PKI patterns without needing per-cluster config:

- Shared CA: all remote cluster certs are signed by the same CA — one `rootCaFiles` entry validates all of them.
- Wildcard cert: remote clusters present a `*.temporal.com` cert — one entry with the matching CA covers all hostnames.

Both patterns are cert-type agnostic from Temporal's perspective; the fallback logic simply loads whatever certs are configured.
## Current Code Reference

The exact-match lookup with no fallback is in `common/rpc/encryption/local_store_tls_provider.go`, `GetRemoteClusterClientConfig()`:

```go
groupTLS, ok := s.settings.RemoteClusters[hostname]
if !ok {
    return nil, nil // results in insecure.NewCredentials() in grpc.go
}
```
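To make the proposed lookup order concrete, here is an added stand-alone example (not Temporal's code) that resolves a remote cluster's TLS settings by exact hostname first, then by the reserved `"*"` key, and returns `nil` only when neither exists; `GroupTLS`, `ClientTLS` and `auditRemoteClusters` are simplified stand-ins invented for this example. The audit helper lists which configured peers would still end up on a plaintext connection, which is the check an operator would want before enabling replication.

```go
package main

import (
	"fmt"
	"sort"
)

// Simplified stand-ins for the TLS config types (assumption, not Temporal's real types).
type ClientTLS struct {
	RootCAFiles []string
}
type GroupTLS struct {
	Client ClientTLS
}

// FallbackKey is the reserved map key proposed for the default remote-cluster entry.
const FallbackKey = "*"

// resolveRemoteClusterTLS returns the config to use and how it was matched:
// "exact" for a hostname entry, "fallback" for the "*" entry, "none" when neither
// exists (the case that currently degrades to an insecure connection).
func resolveRemoteClusterTLS(remoteClusters map[string]*GroupTLS, hostname string) (*GroupTLS, string) {
	if g, ok := remoteClusters[hostname]; ok {
		return g, "exact"
	}
	if g, ok := remoteClusters[FallbackKey]; ok {
		return g, "fallback"
	}
	return nil, "none"
}

// auditRemoteClusters reports, sorted, every hostname that would get no TLS config at all.
func auditRemoteClusters(remoteClusters map[string]*GroupTLS, hostnames []string) []string {
	var insecure []string
	for _, h := range hostnames {
		if g, _ := resolveRemoteClusterTLS(remoteClusters, h); g == nil {
			insecure = append(insecure, h)
		}
	}
	sort.Strings(insecure)
	return insecure
}

func main() {
	// Constructed sample config: one exact entry plus the proposed shared-CA fallback.
	cfg := map[string]*GroupTLS{
		"cluster1.temporal.com": {Client: ClientTLS{RootCAFiles: []string{"/etc/certs/ca.pem"}}},
		FallbackKey:             {Client: ClientTLS{RootCAFiles: []string{"/etc/certs/shared-ca.pem"}}},
	}
	for _, h := range []string{"cluster1.temporal.com", "cluster3.temporal.com"} {
		g, how := resolveRemoteClusterTLS(cfg, h)
		fmt.Printf("%s -> %s via %v\n", h, how, g.Client.RootCAFiles)
	}
	fmt.Println("plaintext peers:", auditRemoteClusters(cfg, []string{"cluster9.temporal.com"}))
}
```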