Deprecate the cert_format/compat feature #50880
Labels: feature-request
The `cert_format` role option and `--compat` flags date back all the way to teleport v2 and were introduced in order to provide a workaround for a bug in older openssh sshd versions (older then, ancient now): https://bugzilla.mindrot.org/show_bug.cgi?id=2387

The gist of this feature was that specifying a format/compat of `oldssh` prevented teleport from adding teleport-specific custom certificate extensions, since old openssh versions would reject unknown extensions instead of ignoring them.

In addition to the bug itself now being a decade old, we ourselves lost sight of the original meaning of the `CertificateFormat` parameter within our own cert generation code and have not been scoping any of the newer custom extensions introduced in the last few years behind that flag. The feature has effectively been broken for multiple years, but nobody appears to have noticed. A strong indicator that we can and should deprecate it.

As an experiment I tried just ripping the field out wholesale, but it turns out that since it's a role option the Kube operator doesn't play nicely with its removal. We'll probably want to remove it from our internals and docs, and add checks at points where roles are created/updated to reject and/or warn on future use of the field.
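The `oldssh` gating described in the issue, and a check that catches extensions added outside it, as an added Go example that is not Teleport's code: `BuildExtensions`, `UnknownExtensions` and the `example.invalid` extension names are hypothetical, and an empty format string stands in for "no compat format set".

```go
package main

import (
	"fmt"
	"sort"
)

// Extension names OpenSSH itself defines for user certificates (permit-* set).
var opensshExtensions = map[string]bool{
	"permit-X11-forwarding": true, "permit-agent-forwarding": true,
	"permit-port-forwarding": true, "permit-pty": true, "permit-user-rc": true,
}

// BuildExtensions (hypothetical) models the drift the issue describes: older
// custom extensions respect the "oldssh" gate, newer ones are added regardless.
func BuildExtensions(format string, gated, ungated map[string]string) map[string]string {
	ext := map[string]string{"permit-pty": "", "permit-port-forwarding": ""}
	if format != "oldssh" {
		for k, v := range gated {
			ext[k] = v
		}
	}
	for k, v := range ungated {
		ext[k] = v
	}
	return ext
}

// UnknownExtensions lists, sorted, the names outside the OpenSSH set. A
// regression test would assert that this is empty for an "oldssh" certificate.
func UnknownExtensions(ext map[string]string) []string {
	var out []string
	for name := range ext {
		if !opensshExtensions[name] {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample extension names, not real Teleport extensions.
	gated := map[string]string{"example-roles@example.invalid": "dev"}
	ungated := map[string]string{"example-newer@example.invalid": "x"}
	fmt.Println(UnknownExtensions(BuildExtensions("oldssh", gated, nil)))
	fmt.Println(UnknownExtensions(BuildExtensions("oldssh", gated, ungated)))
}
```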