Add clean parameter

[raphink]

This PR adds a clean parameter, which allows to clean the certificate from the CA upon destroying it.

This is useful to keep the CA clean. It requires to add a rule to auth.conf on the CA, for example by allowing certificates to clean themselves:

        {
            # Allow nodes to delete their own certificate
            match-request: {
                path: "^/puppet-ca/v1/certificate(_status|_request)?/([^/]+)$"
                type: regex
                method: [delete]
            }
            allow: "$2"
            sort-order: 500
            name: "c2c puppet cert clean"
        },

Together with #3 and #4, this allows to set up automatic renewal of Puppet certificates, with something along the lines of:

    file { "${confdir}/puppet/csr_attributes.yaml":
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0440',
      content => template('blah/csr_attributes.yaml.erb'),
    }
    ~> puppet_certificate { $certname:
      ensure               => valid,
      waitforcert          => 60,
      renewal_grace_period => 20,
      clean                => true,
    }

[raphink]

@reidmv added a description here, too. It should give you an idea of what #3, #4 and #5 achieve together (I plan on writing a blog post on what we're doing with that once it's merged).