Support multiple authenticators with path matching

[philipgough]

What

Although the proxy allowed an end user to configure multiple authenticators, at runtime, only one was selected in order of preference.

This change allows support for multiple authenticators.
The default behaviour remains intact.
Optionally, users can specify paths which should not match for specific authenticators.
It also adds middleware that ensures that at least one authenticator has run in order to support users not mistakingly bypassing auth with their configuration.

Furthermore, this change sets up an environment similar to what we have in RHOBS Cell in a KinD cluster.
This utility was badly needed in any case to facilitate the testing of auth which was practically non-existent or difficult to hook into.

It generates a simple configuration that splits read and write for logs and metrics on oidc for read and mtls for write respectively.

Key points to note that if you want optional mtls the api needs to be passed the - --tls.client-auth-type=RequestClientCert flag that already existed prior to this change.

From the working test, here is a sample of what a tenants config for multi-auth will look like

tenants:
- name: auth-tenant
  id: "1610702597"
  oidc:
    clientID: observatorium-api
    clientSecret: ZXhhbXBsZS1hcHAtc2VjcmV0
    issuerURL: http://dex.proxy.svc.cluster.local:5556/dex
    redirectURL: http://localhost:8080/oidc/auth-tenant/callback
    usernameClaim: email
    paths:
    - operator: "!~"
      pattern: ".*(loki/api/v1/push|api/v1/receive).*"
  mTLS:
    caPath: /etc/certs/ca.crt
    paths:
    - operator: "=~"
      pattern: ".*(api/v1/receive).*"
    - operator: "=~"
      pattern: ".*(loki/api/v1/push).*"

[philipgough]

i really dont understand why this was here. it was enforcing oidc on all write requests.