Protected socket on manager nodes

[ndegory]

PR cut in smaller pieces: #1791 #1792 #1793 and #1794

---

• Fix AMP-102 (enable TLS on manager nodes), see details in https://techweb.axway.com/confluence/display/AMP/Cluster+with+secured+Docker+API
• Fix AMP-132 (AMI updated to Docker CE 17.09.1)
• Internal PKI for Docker daemon certificates
• all manager nodes expose the engine API with TLS enabled
• all nodes get a unique client certificate give access to the manager nodes API
• fixes in pkg/docker package to allow connection with TLS options
• move Prometheus to non manager nodes
• move Amplifier to non manager nodes
• ampagent can deploy on remote manager nodes
• ampagent pass TLS options that can be used in core service stacks
• templating for core stack files

Not in this PR:

• certificate rotation
• proxy moved to non manager nodes (Confused about running the proxy on non-manager nodes docker-archive/dockercloud-haproxy#215)

How to check

• deploy a cluster on AWS
• check that the dashboard are able to display data about the cluster
• list the service, amplifier should be on a worker node
• signup to amp
• deploy a stack with a service requiring access to the Docker API on a manager
  • mount the docker certificates: - /etc/docker/tls/client:/root/.docker
  • add an env var with the url to the manager LB: - DOCKER_HOST: ${InternalDockerHost} # this value can be read in amp cluster status)

[ndegory]

PR deemed too complex for a single review, closed and replaced by smaller PRs: #1791 #1792 #1793 and #1794