Add controls to `serving-nscert` and enable at all times

[evankanderson]

Describe the feature

Currently, serving-nscert is a separate optional YAML which isn't well documented on the website. It requests a wildcard cert for every namespace in the kuberntes cluster. Users might not want to install this for the following reasons:

• It requires DNS integration
• It creates a certificate for every namespace, including system-owned namespaces

Adding a small amountof configuration seems like it could mitigate these issues. For example, using a label selector on namespaces would allow:

kubernetes.io/metadata.name not in (kube-system, contour-external)

(This would also allow a default of no selector = apply to no namespaces, so we could add the controller to the default set we ship.)

[nak3]

#7265 also discussed how to disable the nscert in system namespaces. The controller like Eventing's sugar controller is also one solution.

[evankanderson]

I think having a namespace selector (either empty by default or matching some set of labels) would be good for both this and the sugar controller, so that admins can control the behavior in a central place.

[github-actions]

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.