Custom domain support

[FluxCapacitor2]

Notable changes:

• Users can now add custom domains to their apps from the Domains tab on the app page
• Custom domains need to be verified by adding a TXT record and an A record (for top-level domains) or a CNAME record (for subdomains)
• Once verified, we use an ACME client to generate a certificate for the domain. (The most popular ACME service is Let's Encrypt, from the creators of the protocol)
• This process uses the HTTP-01 challenge. The ACME server sends a request to http://(the custom domain)/.well-known/acme-challenge/(token), and we need to respond with the value that it's expecting to pass the challenge. Once we pass the challenge, we can generate a certificate.
• The certificate is added as a K8s secret in the user's namespace. It isn't stored in the DB anywhere.
• Certificate validity periods are checked daily in a CronJob. If less than 1/3 of the lifespan is remaining, the certificate is regenerated.
• Cached values can now be optionally encrypted using the same setup as encrypted environment variables. We use this for the ACME accounts, since they're identified by a public-private keypair that should be kept secret.
• The Tilt setup now optionally includes Pebble, an ACME server for local development. After running the setup shell script and setting enable_pebble to True, you should be able to generate certificates for custom domains locally.

To do:

• Deleting domains
• Update staging and prod values files to include the right CNAME domain and ACME server URL
• Test on staging