Tags: shaoyouwang/ssh-cert-authority

1.7.0

Unverified

The committer email address is not verified.
Introducing Google Cloud KMS signing

If you're a Google Cloud user you can root your CA in one of their keys
instead of mucking around with keys in ssh-agent.

I also ported us to Go modules with this change.

1.6.2

Build enhancements

This version includes changes to the Makefile and docker building environment.
We also move to Go 1.9 and the Docker containers are based on Ubuntu 16.04
instead of 15.10.

1.6.0

Unverified

The committer email address is not verified.
Resolves cloudtools#2 "Support binding to localhost"

Introduces user-configured listen address and defaults to a more secure
listen address of `127.0.0.1:8080`.

1.5.0

Unverified

The committer email address is not verified.
Add ability to inject critical options into certs

You may now specify CriticalOptions in sign_certd's config on a
per-environment basis. This allows you to write a policy that says all
certs against this environment will have exactly these critical options.
You can ensure that certs always launch users into restricted shells or
from a defined range of source IPs as supported by sshd.

1.4.1

Unverified

The committer email address is not verified.
Log the base32 request id when auto signing

Oops. Was logging the raw bytes instead, which led to ugly Slack
messages.

1.4.0

Unverified

The committer email address is not verified.
Fix go vet errors related to string formats

Stupid programmer errors.

1.3.1

Unverified

The committer email address is not verified.
Add tool for generating KMS-encrypted CA keys

Previously you had to run ssh-keygen temporarily storing the output in a
file before using this utility to encrypt the key. Now you can simply
have this tool generate the key and send the private key directly to KMS for
encryption. This should be both simpler and more secure.

1.3.0

Unverified

The committer email address is not verified.
Be able to load KMS-encrypted keys

This commit introduces KMS functionality. Given an encrypted private key
for the cert authority the signing daemon will call out to KMS on
startup to decrypt the key and load it into the ssh-agent. Docs were
updated accordingly.

1.2.0

Unverified

The committer email address is not verified.
Support auto-signing requests

If so configured the server can now automatically sign requests without
requiring any explicit signatures from signers.

1.1.0

Unverified

The committer email address is not verified.
Add proper exit code on error