Make keyring integration opt-in (closes #8719, #6773)

[SnoopJ]

This PR adds the --enable-keyring flag to requirement commands, as laid out in #8719. This also implicitly fixes #6773 and possibly some related issues by making keyring an opt-in feature.

I've tested this locally (including environment variable and config file specification) by sticking breakpoints around the retrieval of credentials from the keyring, and it seems to be right. I haven't added any test here because 1) the existing tests are kind of abstract, and 2) I'm not sure if the internal plumbing is quite right anyway. Happy to make changes as desired by the maintainers.

[SnoopJ]

Test failures fixed by aba9e96 can also be fixed by adding the keyring option to cmdoptions.general_group, but it seems more appropriate to me to keep this option associated with Requirement commands. turns out many more tests were broken by leaving this option out of general_group, see 239b3d3

[SnoopJ]

Changes from #11589 are now incorporated, there were some relatively small conflicts but nothing too bad.

I didn't note this before, but the main change of this PR is to make allow_keyring part of the state of MultiDomainBasicAuth rather than an argument at credential retrieval time, so the preference for keyring can be expressed at instance creation time.

This is once again ready for review assuming CI doesn't produce any surprises.

[SnoopJ]

CI failure is not related to this changeset, see #11643

[uranusjr]

See recent discussions in #8719 (comment)

[SnoopJ]

Closing in favor of #11698