Previously the plugins initialization was done for the apiserver
config only, which enabled admission for core resources handled by
the apiserver, but the extensions server lacked the admission chain
and did not apply webhooks to CRDs

This adds two separate config flags both for the issuer and client id,
while the username claim and prefix are hardcoded. If configuration
flags are not specified, no OIDC authentication is enabled.

Proxy authentication is required for the qpiserver
to properly authenticate against aggregated services, like some
webhooks

Use a post-start-hook waiting for crd to be ready, then discover
the apiserver status by actually checking the healthz endpoint,
which accounts for post-start-hook success

Removing them does not improve performance significatively,
plus basic roles are actually needed for proper API
authorizations on non resource endpoints

Now master services (scheduler and controller manager) all authenticate
using the master bearer token. This goes against the least privilege
principle but those run in the same process as the master itself, so
very little harm is to expect from this simplification.