
Make the tap service an APIExtension #2725

@adleong

Description

Depends on #2712

The tap service should be registered as an APIExtension so that it can ensure that all traffic that it receives has been authenticated and authorized by the API aggregation layer. This allows RBAC to be used to control which users and service accounts may access tap data.

On startup, the tap service should generate a serving CA, private key, and certificate and give the CA when registering as an APIExtension by posting to the ApiregistrationV1 API. (Note that generating this material on startup means that the tap service may not run multiple replicas (HA mode). As part of #2176, this can be resolved by generating this material at install time and saving the CA key in a secret.)

The tap server should read the extension-apiserver-authentication configmap to get the client CA to use to validate the identity of calling clients. This should be used to only allow tap requests from the aggregator. This ensures all requests have been authorized.

By serving the tap API on POST /apis/tap.linkerd.io/v1alpha1/namespaces/<ns>/taps we cause the aggregator to check that the authenticated user has "create" permission on the "taps" resource in the "<ns>" namespace.
