In order to tighten the security around access to secrets stored
in a Vault KV secrets backend, generate a secret_id for each
accessing unit, using a response wrapping token which is passed
over the relation to the consuming application.
The consuming application will then use this token out-of-band of
Juju to retrieve the secret_id associated with the AppRole ID
directly from Vault.
Add a new action 'refresh-secrets' to force a renewal of secret_id's
and associated one-shot retrieval tokens across a deployment.
A token is only issued when a new approle is created or when
a refresh is initiated via the 'refresh-secrets' action.
Change-Id: I2cd173514377d65542ea4fa67ccf700ea4b6ab89