CNF-18992: HTTP01 Challenge Proxy for cert-manager-operator

Add enhancement for HTTP01 Challenge Proxy as a controller within
cert-manager-operator, following the istio-csr-controller pattern.

This enables cert-manager to complete HTTP01 challenges for the API
endpoint (api.cluster.example.com) on baremetal platforms where DNS01
is not available.

Key design decisions:
- New HTTP01Proxy CRD in cert-manager-operator (not openshift/api)
- Optional day-2 feature (not core payload)
- Follows same pattern as istiocsrs.operator.openshift.io
- DaemonSet on control plane nodes with nftables traffic redirection

Supersedes: #1773

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: sebrandon1