To provision an Identity Provider for a hosted cluster, CS needs to create these secrets in the same namespace as HostedCluster on the management cluster. 

CS does not have direct access to management clusters, and we leverage ACM to reconcile resources on MC based on what CS deploys on service clusters. Currently, ACM does not reconcile the IDP secrets/configmaps that are created by Cluster Services on SC (within the same namespace as HD). This prevents us from provisioning Identity Providers for hosted clusters.