WIP - Use encrypted certs on join

[fabriziopandini]

This issue defines implementation details for "Upload encrypted certs on init" activity defined in #1373

• Add a new flag --certificate-key; this flag could be used in conjuction with the --config flag
• If --control-plane flag is set and the new --certificate-key is set, it will trigger a new certs-download subphase (to be added to the control-plane-prepare phase as first subphase, before the certs subphase)
• the new phase should access the cluster using the bootstrap token as identity, read the kubeadm-certs secret, decript the values using the certificate-key and store secrets on the disk

Some more details to be considered while implementing:

• in case the kubeadm-certs secret does not exists it should be returned a message explaining the user how to create it (use kubeadm init phase upload-certs on one control-plane node)
• The list of items in kubeadm-certs secret depends on the cluster variant in use (external etcd vs local etcd)
• The kubeadm-certs secret can contain empty entries In case of External CA mode; empty entry should not generate corresponding file
• in case of external etcd, certs should be placed in the location specified by the user; we can assume this location must exists and error out this isn't true or if the folder is not set with the proper permissions
• it will be great if we can implement a way to validate the provided key is actually the right key (e.g. it decrypts CA cert and CA certs match the CA cert already discovered by the join process)

[ereslibre]

PR submitted for early feedback: kubernetes/kubernetes#74168. Based on top of still WIP PR kubernetes/kubernetes#73907