Secret Management for Sub-Clusters

[lb4368]

Problem description
Currently all encrypted secrets such as CAs, ssh keys, Dex client secrets, etc. are managed as part of the management cluster. As sub-clusters are added to multi-tenant sites, there needs to be a mechanism to manage secrets specific to individual sub-clusters.

Proposed change

1. Provide a mechanism to generate and encrypt secrets specific to an individual sub-cluster.
2. Provide a mechanism to provide external secrets specific to an individual sub-cluster.
3. All secrets must be encrypted at rest and encryption key for sub-cluster may be the same or different from one used in management cluster.