Sanctuary: add ability to synchronise specific secrets

Unless I'm mistaken, as it stands we can simply run sanctuary sync and all secrets defined in logan.yaml are synchronised. However, in the gitlab-deploy repo (and I'm sure many others) we are defining secrets per-environment. This has the unfortunate consequence that when I want to do some testing in development I must synchronise the production environment secrets as well (or comment them out as is my current workaround). If this is indeed the case then I think we need the option to target a specific key in the sanctuary block in logan.yaml so that we can synchronise a single secret at a time if required.