Part of https://github.com/elastic/ingest-dev/issues/3443

Related Kibana issue New secrets added to agent policies with the following tickets:

• [Fleet] Show SSL options for fleet server host in UI kibana#207322
• [Fleet] Show SSL options for ES and remote ES outputs in UI kibana#207326
• [Fleet] Show SSL options for Agent Binary source in UI kibana#207324
• [Fleet] Make proxy certificate key a secret kibana#208748

The new fields to support are:

• For fleet server hosts:secrets.ssl.key (under fleet server inputs section of agent policy) and fleet.secrets.ssl.key
• For agent binary source: agent.download.secrets.ssl.key

These fields will contain secret references, same as already happens with outputs. Fleet server needs to fetch the secret and insert the values into the mapped fieds before sending the policy to the agent.

This change MUST be backwards compatible

This change must be backwards compatible in two cases:

1. Where the stack is updated before fleet-server, fleet-server will not yet understand the secret fields and cannot fail to start or take agents offline unnecessarily until it is also upgrades.
2. Where the stack is updated but fleet-server is not, the same requirement applies. It is valid to continue to use older fleet-server instances with newer stack versions and this change cannot break this.