Add ability for admins to globally block users from uploading SSH keys that aren't deploy keys
Problem to solve
When GitLab is used in a mode where no SSH keys are uploaded to it, but instead only SSH certificates are used (per my ongoing PR at https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/19911) you don't want users to be able to manually upload SSH keys, because this can circumvent e.g. a 2FA policy on the issued certificate signed keys.
Proposal
There should be some setting in admin settings to disable uploading an key to the keys table whose type isn't DeployKey, with a corresponding UI change in user setting to either hide the SSH key tab, or explain to the user that they can't upload keys.
What does success look like, and how can we measure that?
Users should get an error when trying to upload keys via the UI or API.