Document passthrough of k8s groups and ssh logins in trusted clusters

[klizhentas]

Description

New feature allows remote cluster to reference the kubernetes groups coming from the roles of the main cluster in the trusted clusters configuration.

For example, main cluster can have a user with a role 'main' and kubernetes groups:

kube_groups: ['system:masters']

and SSH logins:

logins: ['root']

Remote cluster can choose to map this 'main' cluster to it's own: 'remote-admin' cluster in the trusted cluster config:

role_map:
  - remote: 'main'
    local: 'remote-admin'

The role 'remote-admin' of the remote cluster can now be templated to use the main cluster role main logins and kubernetes_groups using variables:

logins: ['{{internal.logins}}']
kubernetes_groups: ['{{internal.kubernetes_groups}}']

This is possible because teleport now encodes both values in X509 certificate metadata and remote cluster passes these values as 'internal' traits to the template engine.

[webvictim]

This doesn't actually work as described, see #3376

[webvictim]

Also see #3402

[benarent]

I'm going to remove from the 4.3 milestone as it looks like it needs more testing / bug fixing.

[ptgott]

I've edited the Trusted Clusters guide to act as more of a step-by-step tutorial (https://github.com/gravitational/teleport/pull/10708), focusing on Server Access. Should we include a separate Trusted Clusters guide for Kubernetes that includes multiple Kubernetes clusters? It might even be worthwhile to add a separate section to the docs related to Trusted Clusters, rather than including all Trusted Cluster-related information in the same guide.