Enable heat/puppet to manage the fernet keys and make it configurable

With the addition of the KeystoneFernetKeys parameter, it's now possible
to do fernet key rotations using mistral, by modifying the
KeystoneFernetKeys variable in mistral; subsequently a rotation could
happen when doing a stack update.

So this re-enables the managing of the key files by puppet. However,
this is left configurable, as folks might want to manage those files
out-of-band.

bp keystone-fernet-rotation
Change-Id: Ic82fb8b8a76481a6e588047acf33a036cf444d7d

puppet/services/keystone.yaml

@@ -122,6 +122,14 @@ parameters:
   KeystoneFernetKeys:
     type: json
     description: Mapping containing keystone's fernet keys and their paths.
+  ManageKeystoneFernetKeys:
+    type: boolean
+    default: true
+    description: Whether TripleO should manage the keystone fernet keys or not.
+                 If set to true, the fernet keys will get the values from the
+                 saved keys repository in mistral (the KeystoneFernetKeys
+                 variable). If set to false, only the stack creation
+                 initializes the keys, but subsequent updates won't touch them.
   KeystoneLoggingSource:
     type: json
     default:
@@ -258,7 +266,7 @@ outputs:
               '/etc/keystone/credential-keys/1':
                 content: {get_param: KeystoneCredential1}
             keystone::fernet_keys: {get_param: KeystoneFernetKeys}
-            keystone::fernet_replace_keys: false
+            keystone::fernet_replace_keys: {get_param: ManageKeystoneFernetKeys}
             keystone::debug:
               if:
               - service_debug_unset

releasenotes/notes/Introduce-ManageKeystoneFernetKeys-parameter-2478cf5fc5e64256.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - This introduces the ManageKeystoneFernetKeys parameter, which tells
+    heat/puppet if it should replace the existing fernet keys on a stack
+    deployment or not. This is useful if the deployer wants to do key rotations
+    out of band.