approver-policy
Add Helm option to create RBAC allowing approval for all issuers
When a user creates a custom issuer, they'll currently need to give permission to approver-policy to approve CertificateRequests from that issuer, which will look something like the below:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-role
rules:
- apiGroups:
  - cert-manager.io
  resourceNames:
  - issuer.example.com/*
  resources:
  - signers
  verbs:
  - approve
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: example-role
subjects:
- kind: ServiceAccount
  name: cert-manager-approver-policy
  namespace: myns
```
It's possible to conjure situations where users might want to restrict these permissions, but for most users installing approver-policy it's reasonable for them to want it to be able to approve CRs from any issuer.
Maybe for security reasons we wouldn't want to default open (although we might yet consider defaulting open!), but we could at least add a Helm option to create an allow-all role which applies to approver-policy in this case.
/kind feature
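The "allow-all" role the post asks the Helm chart to render, as an added example that is not code from the original post or from the approver-policy project. The names `approver-policy-approve-all` and `approver-policy-approve-all-binding` and the release namespace `cert-manager` are assumptions. Kubernetes RBAC matches `resourceNames` literally (the trailing `/*` in the per-issuer rule above only works because cert-manager's approval check performs a SubjectAccessReview for both the exact signer name and the `<type>.<group>/*` form), so the way to grant approval for every signer is to leave `resourceNames` out entirely, which allows `approve` on all `signers` in the `cert-manager.io` API group, covering Issuer, ClusterIssuer and any external issuer:

```yaml
# Added example (not from the original issue or the approver-policy chart).
# Allow approver-policy to approve CertificateRequests from ANY issuer.
# No resourceNames => every signer name in the cert-manager.io group,
# so no new ClusterRole is needed when a custom/external issuer is added.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: approver-policy-approve-all   # assumed name
rules:
- apiGroups:
  - cert-manager.io
  resources:
  - signers
  verbs:
  - approve
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: approver-policy-approve-all-binding   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: approver-policy-approve-all
subjects:
- kind: ServiceAccount
  name: cert-manager-approver-policy
  namespace: cert-manager   # assumed release namespace; use the chart's
```

Whether to ship this enabled by default is exactly the trade-off the post raises: with this binding in place, approver-policy is no longer limited to the signers an operator has explicitly listed, so any CertificateRequestPolicy it evaluates can approve requests for any issuer in the cluster. A deployment that wants a second, dedicated approver for one signer (the csi-driver-spiffe case discussed below) should keep the per-signer `resourceNames` form instead.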
I think I agree with this change, to (optionally) make things simpler for people using approver-policy with external issuers.
Is csi-driver-spiffe an example of a situation where not to enable this new setting?
In https://cert-manager.io/docs/usage/csi-driver-spiffe/#approver :
A distinct cert-manager approver Deployment is responsible for managing the approval and denial condition of created CertificateRequests that target the configured SPIFFE Trust Domain signer. The approver will only manage CertificateRequests who request from the same IssuerRef that has been configured.