Tighten KRaft config checks/constraints

We need to tighten the configuration constraints/checks related to KRaft configs because the current checks do not eliminate illegal configuration combinations. Specifically, we need to add the following constraints:

• controller.listener.names is required to be empty for the non-KRaft (i.e. ZooKeeper) case. A ZooKeeper-based cluster that sets this config will fail to restart until this config is removed. This generally should not be occurring – nobody should be setting KRaft-specific configs in a ZooKeeper-based cluster – but we currently do not prevent it from happening.
• There must be no advertised listeners when running just a KRaft controller (i.e. when process.roles=controller). This means neither listeners nor advertised.listeners (if the latter is explicitly defined) can contain a listener that does not also appear in controller.listener.names.
• When running a KRaft broker (i.e. when process.roles=broker or process.roles=broker,controller), advertised listeners must not include any listeners appearing in controller.listener.names.
• When running a KRaft controller (i.e. when process.roles=controller or process.roles=broker,controller) controller.listener.names must be non-empty and every one must appear in listeners
• When running just a KRaft broker (i.e. when process.roles=broker) controller.listener.names must be non-empty and none of them can appear in listeners. This is currently checked indirectly, but the indirect checks do not catch all cases. We will check directly.
• When running just a KRaft broker we log a warning if more than one entry appears in controller.listener.names because only the first entry is used.

In addition to the above additional constraints, we should also map the CONTROLLER listener name to the PLAINTEXT security protocol by default when using KRaft – this would be a very helpful convenience.