Replace openid_connect_signing_key with the new ci_jwt_signing_key when
generating CI_JOB_JWT.

The new key is stored encrypted in `application_settings` table.

This also implements /-/jwks endpoint instead of delegating to
Doorkeper. Response will still include openid_connect_signing_key for
seamless rollout.

Related to https://gitlab.com/gitlab-org/gitlab/-/issues/214607.