only pass keys for specified command

[jamieklassen]

Fixes concourse/concourse-docker#58

This change is necessary because you really should never find yourself running conourse web and needlessly passing worker-related keys.

What's nice about this change is that you can still use these docker images the way you're used to, without needing to pass extra env vars at runtime.

This is achieved by adding an entrypoint script. I'm not married to having it under /usr/local/bin, but after briefly investigating I didn't see any especially idiomatic place to put entrypoint scripts.

I tested these changes manually by running

fly -t ci execute \
  -c ci/build-image.yml \
  --privileged \
  -j release-5.5.x/build-rc-image \
  --image builder \
  -i concourse-docker=. \
  -m linux-rc=linux-rc-ubuntu \
  -o image=./image

then doing a docker load -i image/image.tar and running the resulting image with various subcommands (worker, web, quickstart, generate-key).

[jamieklassen]

@vito @YoussB I realized that the source issue for this PR says things like "don't pass a web key to a worker command", but what's more important here (and what is blocking release-5.5.x/k8s-smoke, for example) is that you should never (at least not by default) pass a flag that points to a nonexistent file. So I've restructured the entrypoint script to highlight this.

As an added bonus, this script really becomes a general-purpose "set key-related env vars if the keys exist at the default paths" and has no coupling to the structure of the concourse subcommands.