websites: Manage dcow cert via Ingress annotation

Now that the reverse proxy for Internet-facing sites uses TLS
passthrough, the certificate for the _darkchestofwonders.us_ Ingress
needs to be correct.  Since Ingress resources can only use either the
default certificate (_*.pyrocufflink.blue_) or a certificate from their
same namespace, we have to move the Certificate and its corresponding
Secret into the _websites_ namespace.  Fortunately, this is easy enoug
to do, by setting the appropriate annotations on the Ingress.

To keep the existing certificate (until it expires), I moved the Secret
manually:

```sh
kubectl get secret dcow-cert -o yaml | grep -v namespace | kubectl create -n websites -f -
```

cert-manager/certificates.yaml

@@ -71,24 +71,6 @@ spec:
     algorithm: ECDSA
     rotationPolicy: Always
 
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: dcow-cert
-spec:
-  secretName: dcow-cert
-  dnsNames:
-  - darkchestofwonders.us
-  - '*.darkchestofwonders.us'
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: zerossl
-  privateKey:
-    algorithm: ECDSA
-    rotationPolicy: Always
-
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate