Keeping VaultAuth DRY

[bradfordwagner]

Is your feature request related to a problem? Please describe.
Configurations for Vault Webhook Injector (vault-k8s) and Vault CSI Provider allow default configuration of the auth mount point, and vault namespace.

I do not want my application teams to need to know about the namespace/mount, unless they are using shared secrets across namespaces.

Describe the solution you'd like

• If namespace+mount have been configured on the operator then inherit if not defined in VaultAuth.
• If they haven't then require mount, and leave namespace as optional.
• Do not reject admission unless mount is not defaulted in the operator, and not defined in VaultAuth kubernetes resource.
• Apps with method=kubernetes should only care for setting the role/service_account while running operations.

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: my-app-auth
  namespace: app-ns
spec:
## values which should be defaulted from operator configuration
## they can be overridden here
  method: kubernetes
  namespace: app1
  mount: kubernetes/my-happy-cluster
### end overrides
  kubernetes:
    role: my_app_role
    serviceAccount: app-sa
    audiences:
      - vault

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

[bradfordwagner]

This is a duplicate of #274