Use secret for DNS TSIG keys
So the secret keys won't be exposed to cluster-reader role (preparation for https://gitlab.cern.ch/webservices/webframeworks-planning/-/issues/245#note_4454513)
I used the same structure to pass the TSIG keys as cert-manager's Helm chart
Remove redundant namespace
value for cert-manager certificate