
Conversation

Diaphteiros
Contributor

What this PR does / why we need it:
Improves validation and defaulting of the OIDCProviderConfig struct (used in AccessRequests and MCPv2 resources, as well as MCPv2 controller config):

  • usernamePrefix and groupsPrefix have been removed and are now always assumed to be <name>:.
  • name is not allowed to be set to system. This prevents impersonating k8s service accounts.
  • The regex validation rule for name has been fixed.
  • issuer and clientID are now required and the former one must look like a URL.
  • Upon initialization, the MCPv2 controller now creates a ValidatingAdmissionPolicy which ensures that MCPv2s don't specify duplicate OIDC provider names and no OIDC provider that conflicts with the default one.
  • The naming restriction for the default OIDC provider has been removed (was restricted to default before) and it is now defaulted to openmcp instead.

Which issue(s) this PR fixes:
None

Special notes for your reviewer:

Release note:

The validation for the `spec.iam.oidcProviders` field in the `ManagedControlPlaneV2` resource has been changed in multiple ways:
- `usernamePrefix` and `groupsPrefix` have been removed and are now always assumed to be `<name>:`
- `name` is not allowed to be set to `system` (prevents k8s service account impersonation)
- The regex validation rule for `name` has been fixed
- `issuer` and `clientID` are now required and the former one must look like a URL
- Duplicate OIDC provider names or ones that clash with the default OIDC provider are now prevented
The naming restriction for the default OIDC provider has been removed (was restricted to `default` before) and it is now defaulted to `openmcp` instead.
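
The validation and defaulting rules listed above, worked through as a self-contained Go example. This is added illustration, not code from the openmcp project or from this PR: the struct layout, function names, the DNS-label-style regex for `name` and the requirement that `issuer` use `https` are assumptions (the PR only states that the project's own regex was fixed and that `issuer` must look like a URL). The `MappedUsername` helper shows why a provider named `system` is rejected: with the fixed `<name>:` prefix, such a provider could mint usernames identical to those kube-apiserver issues for service accounts.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// DefaultOIDCProviderName is the name the controller now defaults the
// default provider to, per the PR description.
const DefaultOIDCProviderName = "openmcp"

// reservedNames holds provider names that are never allowed. kube-apiserver
// issues service-account identities as "system:serviceaccount:<ns>:<name>"
// with group "system:serviceaccounts"; a provider named "system" would produce
// the prefix "system:" and could therefore impersonate those identities.
var reservedNames = map[string]bool{"system": true}

// nameRegexp is an ASSUMED name rule (lowercase DNS-label style). The PR only
// says the project's regex was fixed, not what it is.
var nameRegexp = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// OIDCProviderConfig mirrors the fields the PR mentions. usernamePrefix and
// groupsPrefix no longer exist; the prefix is derived from Name.
type OIDCProviderConfig struct {
	Name     string
	Issuer   string
	ClientID string
}

// Prefix returns the fixed "<name>:" prefix applied to usernames and groups.
func (c OIDCProviderConfig) Prefix() string { return c.Name + ":" }

// MappedUsername shows the identity a token subject ends up with in the
// cluster: the provider prefix followed by the subject claim.
func MappedUsername(c OIDCProviderConfig, subject string) string {
	return c.Prefix() + subject
}

// ValidateProvider checks one provider entry: name syntax, reserved names,
// issuer shaped like an https URL (ASSUMPTION: the PR only requires "URL"),
// and a non-empty clientID.
func ValidateProvider(c OIDCProviderConfig) error {
	if !nameRegexp.MatchString(c.Name) {
		return fmt.Errorf("name %q does not match %s", c.Name, nameRegexp)
	}
	if reservedNames[c.Name] {
		return fmt.Errorf("name %q is reserved (would allow service account impersonation)", c.Name)
	}
	if c.Issuer == "" {
		return errors.New("issuer is required")
	}
	u, err := url.Parse(c.Issuer)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("issuer %q must be an https URL with a host", c.Issuer)
	}
	if c.ClientID == "" {
		return errors.New("clientID is required")
	}
	return nil
}

// ValidateProviders enforces the per-resource rules the admission policy
// expresses: every entry valid, names unique, and no name equal to the
// default provider's name.
func ValidateProviders(providers []OIDCProviderConfig, defaultName string) error {
	seen := make(map[string]bool, len(providers))
	for i, p := range providers {
		if err := ValidateProvider(p); err != nil {
			return fmt.Errorf("oidcProviders[%d]: %w", i, err)
		}
		if p.Name == defaultName {
			return fmt.Errorf("oidcProviders[%d]: name %q clashes with the default provider", i, p.Name)
		}
		if seen[p.Name] {
			return fmt.Errorf("oidcProviders[%d]: duplicate name %q", i, p.Name)
		}
		seen[p.Name] = true
	}
	return nil
}

func main() {
	// Constructed sample input: one valid provider and one that tries to use
	// the reserved "system" name.
	good := []OIDCProviderConfig{{Name: "corp", Issuer: "https://login.example.com", ClientID: "mcp"}}
	bad := []OIDCProviderConfig{{Name: "system", Issuer: "https://login.example.com", ClientID: "mcp"}}
	fmt.Println("valid set:", ValidateProviders(good, DefaultOIDCProviderName))
	fmt.Println("reserved name:", ValidateProviders(bad, DefaultOIDCProviderName))
	fmt.Println("what 'system' could mint:", MappedUsername(bad[0], "serviceaccount:kube-system:default"))
}
```

Running it prints `<nil>` for the valid set, the reserved-name error for the second, and `system:serviceaccount:kube-system:default` for the third line, which is exactly the username of a real service account and the reason the name is blocked.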

@Diaphteiros Diaphteiros merged commit ee6ba8f into main Sep 9, 2025
5 checks passed
@Diaphteiros Diaphteiros deleted the fix-oidc-defaulting branch September 9, 2025 09:14