Enable configuration of Concierge impersonation proxy via concierge CredentialIssuer.

[mattmoyer]

Acceptance Criteria

Scenario: configure Concierge impersonation proxy via CredentialIssuer
  Given that I have an managed cluster with the Pinniped concierge installed
  When I set some optional fields in the concierge CredentialIssuer spec
  Then I can configure the TLS certificate used to serve the impersonation proxy
  And I can configure the external name and load balancer configuration that points at the impersonation proxy
  And I can force the impersonation proxy to be turned on or off, regardless of the autodetected cloud environment
  And when I can connect to my manually-configured impersonation proxy via my custom load balancer and CA.

Notes

This is a followup to #339, which extends the minimal impersonation proxy to accept configuration. Th

API Changes

The API changes related to this issue are described in https://hackmd.io/X83kynapQgCJm_sDxXLCxg.

[margocrawf]

When I update the Pinniped CredentialIssuer with several new spec fields
    And I manually configure a kubeconfig that points at the external endpoint and trusts the CA

@mattmoyer were you imagining that the new CredentialIssuer fields would be integrated into anything as part of this story?

Even without any change to the CredentialIssuer it seems like the acceptance criteria should pass just from manually configuring the kubeconfig.

[mattmoyer]

This story is finished except for the custom CA support. I think we should close this issue until we have more validation of this use case.