Allow specifying the keystone token provider

[alanmeadows]

The new default for ocata+ is fernet tokens which not all
container images support. This allows the operator to
specify the token provider, allowing uuid token usage in
images which is required until the infrastructure to setup
and distribute fernet keys is created.

---

This change is 

[alanmeadows]

Without this, on modern kolla-build based images the following occurs during bootstrap:

+ keystone-manage bootstrap --bootstrap-username admin --bootstrap-password password --bootstrap-project-name admin --bootstrap-role-name admin --bootstrap-admin-url http://keystone-api.openstack:35357/v3 --bootstrap-internal-url http://keystone-api.openstack:5000/v3 --bootstrap-public-url http://keystone-api.openstack:5000/v3 --bootstrap-service-name keystone --bootstrap-region-id RegionOne
+ keystone_bootstrap='/etc/keystone/fernet-keys/ does not exist'
+ [[ 1 != 0 ]]
+ fail_json '/etc/keystone/fernet-keys/ does not exist'
+ echo '{"failed": true, "msg": "/etc/keystone/fernet-keys/' does not 'exist", "changed": true}'
{"failed": true, "msg": "/etc/keystone/fernet-keys/ does not exist", "changed": true}
+ exit 1

[intlabs]

@alanmeadows good catch! I am currently working on fernet key rotation and management for newer keystones, to provide a longer term solution - but this is great as a stop-gap.

[stannum-l]

lgtm. If this is using master/ocata, and that is not specified, it would have defaulted to fernet (and would require key setup + rotation).

---

Review status: 0 of 2 files reviewed at latest revision, all discussions resolved.

---

Comments from Reviewable

[stannum-l]

Reviewed 2 of 2 files at r1.
Review status: all files reviewed at latest revision, all discussions resolved.

---

Comments from Reviewable

[v1k0d3n]

Reviews look good.