feat(security): create reduced permissions ServiceAccount for Cryostat

[ebaron]

Currently, the operator configures the Cryostat deployment to use the operator's own Service Account. The vast majority of the permissions the operator requires are not needed by Cryostat. This PR creates a separate set of RBAC objects for Cryostat to use.

The operator creates an additional ClusterRole with permissions to create TokenReviews and SelfSubjectAccessReviews.

Each Cryostat CR gets its own:

• ServiceAccount
• Role, with read access to Endpoints and Routes
• RoleBinding to bind the Role to its ServiceAccount
• ClusterRoleBinding to bind the shared ClusterRole to its ServiceAccount

In order to ensure that the cluster-scoped ClusterRoleBinding doesn't suffer a name collision, the operator creates it with the following name: cryostat-hhhh where hhhh is SHA256 sum of the CR's namespace/name. Since this is cluster-scoped, the binding can't be owned by the Cryostat CR and thus can't be garbage collected. Instead, it's deleted using the existing finalizer logic in the Cryostat controller.

Fixes: #221
Depends on: cryostatio/cryostat#599