Rename many of resources that are created in Kubernetes by Pinniped

New resource naming conventions:
- Do not repeat the Kind in the name,
  e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
  so when a user lists all objects of that kind, they can tell to which
  component it is related,
  e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
  mostly disappear if they choose, by specifying the app_name in
  values.yaml, to the extent that is practical (but not from APIService
  names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
  are passed to the code at run time via ConfigMap, rather than
  hardcoded in the golang code. This also allows them to be prepended
  with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
  CredentialIssuerConfig resource in advance anymore, it lists all
  CredentialIssuerConfig in the app's namespace and returns an error
  if there is not exactly one found, and then uses that one regardless
  of its name

deploy-local-user-authenticator/README.md

@@ -54,7 +54,7 @@ kubectl create secret generic ryan \
 Fetch the auto-generated CA bundle for the `local-user-authenticator`'s HTTP TLS endpoint.
 
 ```bash
-kubectl get secret api-serving-cert --namespace local-user-authenticator \
+kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator \
   -o jsonpath={.data.caCertificate} \
   | base64 -d \
   | tee /tmp/local-user-authenticator-ca

deploy-local-user-authenticator/deployment.yaml

@@ -14,7 +14,7 @@ metadata:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: local-user-authenticator-service-account
+  name: local-user-authenticator
   namespace: local-user-authenticator
 ---
 #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
@@ -47,7 +47,7 @@ spec:
       labels:
         app: local-user-authenticator
     spec:
-      serviceAccountName: local-user-authenticator-service-account
+      serviceAccountName: local-user-authenticator
       #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
       imagePullSecrets:
         - name: image-pull-secret

deploy-local-user-authenticator/rbac.yaml

@@ -8,7 +8,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: local-user-authenticator-aggregated-api-server-role
+  name: local-user-authenticator
   namespace: local-user-authenticator
 rules:
   - apiGroups: [""]
@@ -18,13 +18,13 @@ rules:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: local-user-authenticator-aggregated-api-server-role-binding
+  name: local-user-authenticator
   namespace: local-user-authenticator
 subjects:
   - kind: ServiceAccount
-    name: local-user-authenticator-service-account
+    name: local-user-authenticator
     namespace: local-user-authenticator
 roleRef:
   kind: Role
-  name: local-user-authenticator-aggregated-api-server-role
+  name: local-user-authenticator
   apiGroup: rbac.authorization.k8s.io