[external-dns] Use SA creation script for service account

Summary

We should use a script to generate the ServiceAccount that external-dns uses. At the moment, it was created using install_external_dns.sh, which references a ServiceAccount that was created by hand in the Google console and uploaded to 1Password (see docs).

Details

Rather than relying on a ServiceAccount created by hand in the GCP console, we should add a script that creates the ServiceAccount.

!204 (merged) has an example of how to do this in scripts/create_gcloud_sa_kubeconfig.sh:

gcloud iam service-accounts create "$SANAME"

gcloud projects add-iam-policy-binding "$PROJECT" \
  --member="serviceAccount:${SANAME}@${PROJECT}.iam.gserviceaccount.com" \
  --role=roles/container.admin  # container.admin is needed to create cluster-scope objects

gcloud projects add-iam-policy-binding "$PROJECT" \
  --member="serviceAccount:${SANAME}@${PROJECT}.iam.gserviceaccount.com" \
  --role=roles/dns.admin  # dns.admin is needed to create DNS records for LetsEncrypt

gcloud iam service-accounts keys create gsa-key.json \
  --iam-account="${SANAME}@${PROJECT}.iam.gserviceaccount.com"
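
A sketch of the script this issue asks for, added here as an example and not taken from the repository or from !204. It assumes external-dns only needs roles/dns.admin, so the container.admin binding is dropped; the function names, the DRY_RUN switch and the argument order are assumptions.

```bash
#!/usr/bin/env bash
# Added example: create a dedicated GCP service account for external-dns.
set -eu
export LC_ALL=C            # make [a-z] ranges below ASCII-only

DRY_RUN="${DRY_RUN:-1}"    # 1 = only print the gcloud commands; 0 = execute them

# GCP service account IDs: 6-30 chars, lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
valid_sa_name() {
  case "$1" in
    *[!a-z0-9-]*|[!a-z]*|*-) return 1 ;;
  esac
  [ "${#1}" -ge 6 ] && [ "${#1}" -le 30 ]
}

sa_email() {  # sa_email NAME PROJECT
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_external_dns_sa() {  # create_external_dns_sa NAME PROJECT KEYFILE
  local name="$1" project="$2" keyfile="$3" email
  valid_sa_name "$name" || { echo "invalid service account name: $name" >&2; return 2; }
  email="$(sa_email "$name" "$project")"

  run gcloud iam service-accounts create "$name" --project="$project" \
    --display-name="external-dns"
  # Assumption: external-dns only manages DNS records, so it is bound to
  # dns.admin alone and never receives container.admin.
  run gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:${email}" --role=roles/dns.admin
  # The key file is a long-lived credential: create it owner-readable only.
  ( umask 077; run gcloud iam service-accounts keys create "$keyfile" \
      --iam-account="$email" --project="$project" )
}

# Usage: DRY_RUN=0 ./script NAME PROJECT KEYFILE (dry run unless DRY_RUN=0)
if [ "$#" -eq 3 ]; then create_external_dns_sa "$@"; fi
```

Run it once with the default dry run to review the three gcloud commands before setting DRY_RUN=0.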