add managed-by label to eksctl created service accounts #3463

Merged
merged 2 commits into from Mar 22, 2021


aclevername
Contributor

Description

As part of #3422 we need to be able to track serviceaccounts that don't have CloudFormation stacks. SAs with no stacks are using the attachRoleARN functionality. Alternatively it might be that the stack was deleted, which we need to pick up on.

Checklist

  • Added tests that cover your change (if possible)
  • Added/modified documentation as required (such as the README.md, or the userdocs directory)
  • Manually tested
  • Made sure the title of the PR is a good description that can go into the release notes
  • (Core team) Added labels for change area (e.g. area/nodegroup) and kind (e.g. kind/improvement)

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

  • Backfilled missing tests for code in same general area 🎉
  • Refactored something and made the world a better place 🌟

@aclevername
Contributor Author

---
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: jk
  region: us-west-2

iam:
  withOIDC: true
  serviceAccounts:
  - metadata:
      name: s3-reader-1
      # if no namespace is set, "default" will be used;
      # the namespace will be created if it doesn't exist already
      namespace: default
    attachPolicyARNs:
    - "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
  - metadata:
      name: s3-reader-2
      # if no namespace is set, "default" will be used;
      # the namespace will be created if it doesn't exist already
      namespace: default
      labels: {aws-usage: "application"}
    attachPolicyARNs:
    - "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"

k get serviceaccounts --show-labels
NAME          SECRETS   AGE    LABELS
default       1         106m   <none>
s3-reader-1   1         48s    app.kubernetes.io/managed-by=eksctl
s3-reader-2   1         48s    app.kubernetes.io/managed-by=eksctl,aws-usage=application

@aclevername aclevername enabled auto-merge (squash) March 22, 2021 14:01
@aclevername aclevername merged commit 3bf6a90 into eksctl-io:main Mar 22, 2021
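
An added example, not code from this PR or from eksctl: one way to use the `app.kubernetes.io/managed-by=eksctl` label for the tracking the description asks for, by sorting service accounts into stack-backed, eksctl-labelled without a stack, and unlabelled. The function name `audit`, the `STACK_BACKED` set and the JSON sample are constructed assumptions; how the set of stack-backed accounts is obtained from CloudFormation is left to the reader.

```python
import json

MANAGED_BY = "app.kubernetes.io/managed-by"  # label key shown in the PR output
ROLE_ARN = "eks.amazonaws.com/role-arn"      # IAM-roles-for-service-accounts annotation

# Constructed sample shaped like `kubectl get serviceaccounts -A -o json` (trimmed).
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "default"}},
    {"metadata": {"namespace": "default", "name": "s3-reader-1",
                  "labels": {MANAGED_BY: "eksctl"}}},
    {"metadata": {"namespace": "default", "name": "s3-reader-2",
                  "labels": {MANAGED_BY: "eksctl", "aws-usage": "application"}}},
    {"metadata": {"namespace": "apps", "name": "ext-role",
                  "labels": {MANAGED_BY: "eksctl"},
                  "annotations": {ROLE_ARN:
                      "arn:aws:iam::111122223333:role/constructed-example"}}},
]})

# Assumption: (namespace, name) pairs known to have a CloudFormation stack.
STACK_BACKED = {("default", "s3-reader-1"), ("default", "s3-reader-2")}


def audit(sa_json, stack_backed):
    """Group service accounts by how (and whether) eksctl can track them."""
    report = {"stack": [], "no_stack": [], "unmanaged": []}
    for item in json.loads(sa_json).get("items", []):
        meta = item.get("metadata", {})
        key = (meta.get("namespace", "default"), meta["name"])
        labels = meta.get("labels") or {}            # kubectl omits empty maps
        annotations = meta.get("annotations") or {}
        entry = {"namespace": key[0], "name": key[1],
                 "role_arn": annotations.get(ROLE_ARN)}
        if labels.get(MANAGED_BY) != "eksctl":
            bucket = "unmanaged"   # not labelled as created by eksctl
        elif key in stack_backed:
            bucket = "stack"       # labelled and backed by a stack
        else:
            bucket = "no_stack"    # labelled, but no stack: review these
        report[bucket].append(entry)
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE, STACK_BACKED), indent=2))
```

The `no_stack` bucket is the one the description is concerned with: accounts eksctl created that either use an externally supplied role or have lost their stack.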