- Bug
- Resolution: Done
- Normal
- None
- 4.13
- Moderate
- No
- CFE Sprint 234, CFE Sprint 235
- 2
- False
Description of problem:
cert-manager-operator should support changing the operand pods' labels. Otherwise users can't use cert-manager with the dns01 solver using AAD pod identities, i.e. https://cert-manager.io/docs/configuration/acme/dns01/azuredns/#managed-identity-using-aad-pod-identities . That page requires: "the cert-manager pod has a relevant label to use the pod identity binding ...", and the label must have the key "aadpodidbinding". https://azure.github.io/aad-pod-identity/docs/concepts/azureidentitybinding/#azureidentitybindingspec and https://azure.github.io/aad-pod-identity/docs/demo/standard_walkthrough/#6-deployment-and-validation also both document the needed label key "aadpodidbinding": "look for value of pod label with key aadpodidbinding that is equal to itself"; "For a pod to match an identity binding, it needs a label with the key aadpodidbinding whose value is that of the selector: field in the AzureIdentityBinding".
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
Actual results:
To satisfy the requirement about the label key "aadpodidbinding", I have to use the "Unmanaged" unsupported way:

$ oc edit certmanager cluster
...
managementState: Unmanaged
...

Then update deployment cert-manager to add the label of key "aadpodidbinding":

$ oc edit deployment cert-manager -n cert-manager
...
spec:
  template:
    metadata:
      labels:
        aadpodidbinding: xxxx
...
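An added check, not part of this bug report or of the operator: given the cert-manager Deployment and the cluster's AzureIdentityBinding objects (constructed, trimmed sample objects with invented names), it reports whether the pods would match a binding and builds the same pod-template label patch the reporter applies by hand with oc edit.

```python
import copy
import json
from typing import Optional

AAD_POD_ID_LABEL = "aadpodidbinding"  # key that aad-pod-identity's NMI looks up on the pod

def pod_labels(deployment: dict) -> dict:
    """Labels a Deployment stamps onto the pods it creates (spec.template.metadata.labels)."""
    return deployment.get("spec", {}).get("template", {}).get("metadata", {}).get("labels") or {}

def matching_binding(deployment: dict, bindings: list) -> Optional[str]:
    """Name of the AzureIdentityBinding whose spec.selector equals the pod's aadpodidbinding
    label value, or None when no pod of this Deployment would be matched to an identity."""
    value = pod_labels(deployment).get(AAD_POD_ID_LABEL)
    if value is None:
        return None
    for binding in bindings:
        if binding.get("spec", {}).get("selector") == value:
            return binding["metadata"]["name"]
    return None

def label_patch(selector: str) -> str:
    """Strategic-merge patch (JSON for `oc patch deployment cert-manager -n cert-manager -p ...`)
    that adds the label to the pod template: the edit the reporter makes by hand with oc edit."""
    patch = {"spec": {"template": {"metadata": {"labels": {AAD_POD_ID_LABEL: selector}}}}}
    return json.dumps(patch, separators=(",", ":"))

def apply_label_patch(deployment: dict, selector: str) -> dict:
    """Return a copy of the Deployment with label_patch() merged into the pod template labels."""
    patched = copy.deepcopy(deployment)
    template = patched.setdefault("spec", {}).setdefault("template", {})
    labels = template.setdefault("metadata", {}).setdefault("labels", {})
    labels.update(json.loads(label_patch(selector))["spec"]["template"]["metadata"]["labels"])
    return patched

# Constructed sample objects, trimmed to the fields the check reads; the names are invented.
CERT_MANAGER_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "cert-manager", "namespace": "cert-manager"},
    "spec": {"template": {"metadata": {"labels": {"app": "cert-manager"}}}},
}
BINDINGS = [{
    "kind": "AzureIdentityBinding",
    "metadata": {"name": "cert-manager-binding"},
    "spec": {"azureIdentity": "cert-manager-identity", "selector": "cert-manager-pod-id"},
}]
if __name__ == "__main__":
    fixed = apply_label_patch(CERT_MANAGER_DEPLOYMENT, "cert-manager-pod-id")
    print(matching_binding(CERT_MANAGER_DEPLOYMENT, BINDINGS), matching_binding(fixed, BINDINGS))
```

Without the label the stock Deployment matches no binding; after the patch it matches the binding whose selector equals the label value, which is the whole condition the quoted aad-pod-identity docs describe.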
Expected results:
"Unmanaged" is an unsupported way, not an official one. We should support an official way to add labels when the default "managementState: Managed" is used. Otherwise users can't use cert-manager with the dns01 solver using AAD pod identities, i.e. https://cert-manager.io/docs/configuration/acme/dns01/azuredns/#managed-identity-using-aad-pod-identities
Additional info: