Properly handle vSphere thumbprint updates

[jiayiwang7]

After user rotates vCenter server certificate, the thumbprint also changes. It's required to run EKS-A upgrade to update the existing clusters to use the latest thumbprint or machines cannot be created or rotated. There is a race condition in current EKS-A cluster controller where during a management cluster upgrade with new thumbprint, the vspheredatacenter reconciler might alter the thumbprint to the old one as specified in the workload cluster's datacenterconfig (since the workload cluster is not updated with new thumbprint yet). This causes thumbprint mismatch error during management cluster upgrade when it validates the datacenter connectivity.

The current workaround stated in #8042 requires both management and workload clusters to be updated with new thumbprint at the same time to bypass the issue.

We need to figure out a robust solution to handle thumbprint update, where a user should be able to

1. update the management cluster with new thumbprint separate from workload cluster upgrade
2. both CLI and kubectl upgrade should work with thumbprint
3. no controller(s) needed to be restarted during upgrade