Backport of Adjust API gateway controller deployment appropriately when Vault configured as secrets backend into release/1.1.x

[hc-github-team-consul-core]

Backport

This PR is auto-generated from #2083 to be assessed for backporting due to the inclusion of the label backport/1.1.x.

The below text is copied from the body of the original PR.

---

Changes proposed in this PR:
Consider whether Vault is being used as a secrets backend when determining whether to mount a TLS cert into the API gateway controller deployment.

Largely, this change is based off of how other deployments already handle Vault as a secrets backend. For example:

consul-k8s/charts/consul/templates/connect-inject-deployment.yaml

Lines 293 to 297 in 112ad18

	{{- if and .Values.global.tls.enabled (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled))}}
	- name: consul-ca-cert
	mountPath: /consul/tls/ca
	readOnly: true
	{{- end }}

The only unique aspect here is that the api-gateway-controller communicates directly with agents when client.enabled=true, so we require some additional gating to make sure that we're using the correct cert in this case.

How I've tested this PR:
Install Consul w/ API gateway enabled in configurations both with and without Vault used as a secrets backend. In each case, verify that the API gateway controller is able to start up successfully and that deployed API gateways function correctly.

Install Consul w/ external server configuration (HCP, for example). Test with and without clients enabled.

How I expect reviewers to test this PR:

Checklist:

• Tests added
• CHANGELOG entry added

  HashiCorp engineers only, community PRs should not add a changelog entry.
  Entries should use present tense (e.g. Add support for...)

---

Overview of commits

• 310b35a - c3648df - 0332959 - 6c5f713 - b43d77f - b345f41 - 3a6f415