Allow for configuration policies
Summary:
Implements a rough interface for validating configuration against
arbitrary policy rules. Policies are provided as YAML and passed via the
command line as file paths or remote URIs.
The format of policies is:

    enforcements:
      - path: <path>
        rule: <rule>

Where <path> is a YAML-ish path to a config field and <rule> is any
expression our config validator understands (expressions built in by the
validator library and custom tags defined in config.validation.go).
Example policy:

    enforcements:
      - path: variants.production.base
        rule: oneof=debian:jessie debian:stretch
      - path: variants.production.runs.as
        rule: ne=foo
      - path: variants.production.node.dependencies
        rule: isfalse

Command flag parsing was implemented in main.go to support the new
--policy=uri flag and improve existing handling of --version and the
usage statement.
Test Plan: Run go test ./....
Reviewers: thcipriani, demon, hashar, mmodell, Release-Engineering-Team
Reviewed By: thcipriani, Release-Engineering-Team
Tags: Release-Engineering-Team
Differential Revision: https://phabricator.wikimedia.org/D999
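
The following sketch is an added illustration, not code from this commit or the project: it evaluates the example policy above against a constructed config held as nested maps. The dot-separated path lookup, the semantics given to oneof, ne and isfalse, and the names Enforcement, Violations and SampleConfig are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Enforcement is one policy entry, built as a struct here rather than parsed from YAML.
type Enforcement struct{ Path, Rule string }

var ExamplePolicy = []Enforcement{
	{"variants.production.base", "oneof=debian:jessie debian:stretch"},
	{"variants.production.runs.as", "ne=foo"},
	{"variants.production.node.dependencies", "isfalse"},
}

// check covers only the three rules above (assumed semantics); others fail closed.
func check(rule string, v interface{}) bool {
	name, arg, _ := strings.Cut(rule, "=")
	for _, allowed := range strings.Fields(arg) { // oneof: space-separated allow-list
		if name == "oneof" && allowed == fmt.Sprint(v) {
			return true
		}
	}
	return (name == "ne" && fmt.Sprint(v) != arg) || (name == "isfalse" && v == false)
}

// Violations lists the paths that fail; an absent field counts as a failure (assumption).
func Violations(cfg map[string]interface{}, policy []Enforcement) (failed []string) {
	for _, e := range policy {
		var v interface{} = cfg
		for _, key := range strings.Split(e.Path, ".") {
			m, _ := v.(map[string]interface{}) // nil map when v is not a mapping
			v = m[key]                         // nil when the key is absent
		}
		if v == nil || !check(e.Rule, v) {
			failed = append(failed, e.Path)
		}
	}
	return failed
}

// SampleConfig is constructed for this example; runs.as breaks the ne=foo rule.
func SampleConfig() map[string]interface{} {
	type obj = map[string]interface{}
	prod := obj{"base": "debian:stretch", "runs": obj{"as": "foo"}, "node": obj{"dependencies": false}}
	return obj{"variants": obj{"production": prod}}
}

func main() { fmt.Println(Violations(SampleConfig(), ExamplePolicy)) }
```

Treating unknown rule names and missing fields as failures keeps a mistyped policy from silently passing a config.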