Add support for CLI flag for mTLS client certificate key passphrase

[AndersonQ]

What does this PR do?

It adds support for encrypted client certificate key during install/enroll, which done by the cli flag --elastic-agent-cert-key-passphrase.

Why is it important?

It enables Elastic Agent to be configured with passphrase-protected private keys for client mTLS certificates.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• [ ] I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool
• [ ] I have added an integration test or an E2E test

Author's checklist

Tests

• Ensure --elastic-agent-cert-key-passphrase adheres to the same requirements as --fleet-server-cert-key-passphrase.
• Verify that both --elastic-agent-cert-key and --elastic-agent-cert are provided when --elastic-agent-cert-key-passphrase is present.
• Confirm that *enrollCmdOption.remoteConfig() accurately incorporates the passphrase into tlscommon.CertificateConfig.
• Validate that fleetclient.NewWithConfig generates a valid client capable of establishing an mTLS connection to a mock server.
• Ensure the policy TLS client settings take precedence over the CLI. Extend policy with SSL config to ensure the client certificate key passphrase from the cli is not left in the config when the policy's client client certificate key is not passphrase-protected.

Disruptive User Impact

• None

How to test this PR locally

• Build Elastic Agent with the changes from this PR.
• Enroll/Install the Elastic Agent using passphrase-protected private key for the client mTLS certificate.
• Start Elastic Agent and observe successful enrollment/installation with mTLS enabled.

Related issues

• Closes Add support for CLI flag for mTLS client certificate key passphrase #5489

Questions to ask yourself

• How are we going to support this in production?
• How are we going to measure its adoption?
• How are we going to debug this?
• What are the metrics I should take care of?
• ...

[mergify]

This pull request does not have a backport label. Could you fix it @AndersonQ? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 8./d branch. /d is the digit

backport-v8.x has been added to help with the transition to the new branch 8.x.

[AndersonQ]

I honestly do not know why it was working on windows before, but it started to fail on elastic-agent-cert-key does not require key-passphrase, so I fixed all tests.

[mergify]

backport-v8.x has been added to help with the transition to the new branch 8.x.

[elasticmachine]

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

[michel-laterman]

lgtm

[elastic-sonarqube]

Quality Gate passed

Issues
3 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
64.3% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube