TLS security for dedicated metrics servers

Broken out of #352889 (closed)

For FIPS compliance, all metrics endpoints scraped by Prometheus need to support TLS. We provide two mechanisms to serve metrics from the Rails monolith:

  1. Rails controller endpoint (/-/metrics - Puma only): This is covered by #353013 (closed) and related MRs.
  2. Dedicated server endpoint (/metrics - Puma and Sidekiq): This issue. This is a WEBrick server that runs on a separate port. We need to configure it with a certificate and key to enable TLS.
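
As an added illustration (not GitLab's code), this is one way a WEBrick `/metrics` endpoint can be given a certificate and key, refusing to start when the key does not match the certificate or the certificate is outside its validity window. The helper names, the loopback bind address, the throwaway self-signed certificate and the sample metric are assumptions made for the example.

```ruby
require "openssl"

# Constructed throwaway pair for the demo; a real deployment loads operator-provided PEM files.
def self_signed_pair(cn = "metrics.example.test")
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert.to_pem, key.to_pem]
end

# Hypothetical helper: parse the PEM material and fail closed before the
# listener exists, so a bad pair never results in a plaintext fallback.
def metrics_tls_options(cert_pem, key_pem, now: Time.now)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key = OpenSSL::PKey.read(key_pem)
  unless cert.check_private_key(key)
    raise ArgumentError, "private key does not match certificate"
  end
  unless (cert.not_before..cert.not_after).cover?(now)
    raise ArgumentError, "certificate is not valid at #{now}"
  end
  # Option names are WEBrick's own (see webrick/https).
  { SSLEnable: true, SSLCertificate: cert, SSLPrivateKey: key }
end

# Hypothetical wiring: returns an HTTPS-only WEBrick server; call #start to serve.
# Requires the webrick gem, which is not bundled with Ruby 3.0 and later.
def build_metrics_server(port, cert_pem, key_pem)
  require "webrick"
  require "webrick/https"
  base = { Port: port, BindAddress: "127.0.0.1" }
  server = WEBrick::HTTPServer.new(base.merge(metrics_tls_options(cert_pem, key_pem)))
  server.mount_proc("/metrics") do |_req, res|
    res.content_type = "text/plain"
    res.body = "# HELP demo_up constructed sample metric\ndemo_up 1\n"
  end
  server
end
```

The Prometheus scrape job for such a target then needs `scheme: https` and a `tls_config` that trusts the issuing CA.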