Be able to specify a serviceAccount for the HTTP01 ACME solver pod

[captnbp]

When deploying cert-manager using the Helm chart, we can specify the serviceAccount to use for:

• the Webohook
• the CA injector
• the deployment

But we can't specify it for the HTTP01 ACME solver pod.

The problems with this are:

• If the default serviceAccount is disabled, we need to provide a custom one
• We can't use a serviceAccount with linked imagePullSecrets to be able to pull the solver image from private registries in air gapped environments
• We can't apply PSPs to the solver pod.

To solve this, we propose to add a parameter --acme-http01-solver-service-account to cert-manager deployment to specify the serviceAccount to use in every namespace.

/kind feature

[captnbp]

PR is: #3817
Submitter @primael

[primael]

PR is #3856 for image pull secret

[munnerz]

This should be added as a field in the API, not as a flag to the controller: https://github.com/jetstack/cert-manager/blob/2abafa18be128cd337ace1cc281ad1518a67b516/pkg/apis/acme/v1/types_issuer.go#L237-L251

[irbekrm]

/priority important-soon

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[jetstack-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

[jetstack-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close