Make join tokens a resource, migrate existing join token in ConnectionParams to a non-expiring token.

Token:

metadata:
   id: <token>
spec:
   expirationTime: <> # optional
   revoked: true/false # could be a label?

This is a user-managed resource.

We need UI to manage join tokens: create new ones, revoke existing tokens, see a list of tokens.

We could also keep track of last used time for a token. (TokenStatus or label/annotation on a resource?)

Download media should allow to pick a token to be used (including CLI).

Provider HMAC-based token (JWT?) should be reworked:

• can we have a per-provider secret which is used to sign JWT-style join tokens for providers
• a unique secret is generated when a provider is registered with Omni
• this secret is removed if the provider is removed from Omni
• secret can be an ECDSA/RSA public/private key.

As a migration path from providers today using "default" join token as an HMAC secret, we can mark the migrated join token as "default", and as long as it hasn't been revoked, we can keep it using it.