Issue type: Story
Resolution: Unresolved
Priority: Minor
Quality / Stability / Reliability
HIVE-2870 took a step toward modernizing how we plug CA bundles into our admission webhooks.
1. Now when running on OpenShift we're pulling the bundles from automatically-injected ConfigMaps. However, we're getting those ConfigMaps specifically from the targetNamespace listed in HiveConfig. Since that namespace can change at runtime, we have to go through some extra work to Watch() those ConfigMaps. But since they should be the same in all namespaces (right??) we could probably get away with just setting up that Watch() in the operator's namespace, which means we can move it to add() and scrub out the dynamic watcher artifacts.
2. The code we have for non-OpenShift was written a long time ago, before this automatic ConfigMap injection existed. We are probably at a point where we can count on non-OpenShift k8s hubs being >v1.20, and can thus count on those ConfigMaps existing.
- This should allow us to converge some of the CA bundle injection code to be OpenShift-agnostic.
- Let's see if we can eliminate/trim the dev cert and/or service account secret creation described here.
- I think we're still going to need the dynamic Secret watch logic, because that's also keeping track of user-provided/configured/referenced Secrets.
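As an added illustration of the converged, platform-agnostic lookup proposed above (example code written for this note, not Hive's own), this picks the auto-injected ConfigMap by platform and refuses to hand an absent, still-empty or unparseable bundle to the webhook configuration. Assumed names: the OpenShift service CA injector's "service-ca.crt" key in a ConfigMap called "hive-ca-bundle" (a placeholder name), and upstream Kubernetes' "kube-root-ca.crt" ConfigMap with key "ca.crt"; the ConfigMap list is modelled as a plain map so it runs without a cluster.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// caBundleSource returns the auto-injected ConfigMap name and data key per platform.
// Assumptions: OpenShift's service CA injector writes "service-ca.crt" into an annotated
// ConfigMap ("hive-ca-bundle" is a placeholder); k8s >= 1.20 injects "kube-root-ca.crt"/"ca.crt".
func caBundleSource(openshift bool) (name, key string) {
	if openshift {
		return "hive-ca-bundle", "service-ca.crt"
	}
	return "kube-root-ca.crt", "ca.crt"
}

// LoadCABundle reads the bundle from the operator namespace's ConfigMaps (cms maps ConfigMap
// name to its data, standing in for a namespaced List) and rejects a bundle that is absent,
// still empty, or not parseable, so a half-injected ConfigMap never becomes the webhook caBundle.
func LoadCABundle(openshift bool, cms map[string]map[string]string) ([]byte, error) {
	name, key := caBundleSource(openshift)
	data, ok := cms[name]
	if !ok {
		return nil, fmt.Errorf("configmap %q not found in operator namespace", name)
	}
	pemData := data[key]
	if pemData == "" {
		return nil, fmt.Errorf("configmap %q: key %q missing or empty (injection pending?)", name, key)
	}
	if !x509.NewCertPool().AppendCertsFromPEM([]byte(pemData)) {
		return nil, fmt.Errorf("configmap %q: key %q holds no parseable certificate", name, key)
	}
	return []byte(pemData), nil
}

// selfSignedPEM builds a throwaway CA certificate as constructed sample input (not a real CA).
func selfSignedPEM() string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
```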
Links:
- relates to: HIVE-2870 hiveadmission: fix aggregated apiserver authentication (Closed)