cert-manager v1.10.0 always tries to access clusterissuers at cluster scope #5524

@dghubble

Describe the bug:

Starting in v1.10.0, cert-manager tries to list clusterissuers at the cluster scope, even though we specifically only enable controllers for namespace-scoped resources.

Expected behaviour:

When the clusterissuers controller isn't enabled, don't try to access cluster scoped clusterissuers.

Steps to reproduce the bug:

For cases where clusterissuers are not needed, with v1.9.1 you can start the following controllers. No ClusterRole is needed.

--controllers=issuers,certificates-metrics,orders,challenges,certificaterequests-approver,certificaterequests-issuer-acme,certificaterequests-issuer-selfsigned,certificates-trigger,certificates-issuing,certificates-key-manager,certificates-request-manager,certificates-readiness,certificates-revision-manager

Starting in v0.10.0, the same configuration will log:

k8s.io/client-go@v0.25.2/tools/cache/reflector.go:169: failed to list *v1.ClusterIssuer: clusterissuers.cert-manager.io is forbidden: User "system:serviceaccount:default:cert-manager" cannot list resource "clusterissuers" in API group "cert-manager.io" at the cluster scope

The purpose of enumerating controllers is that we can turn off those we don't need and we should not need a ClusterRole. I know I could provide it a new ClusterRole for this, but this access attempt is not expected.

Anything else we need to know?:

Environment details:

  • Kubernetes version: v1.25.3
  • Cloud-provider/provisioner: Any
  • cert-manager version: v1.10.0
  • Install method: e.g. static manifests

/kind bug
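
A check for the behaviour reported above, as an added example that is not part of the original issue or of cert-manager's code: it parses the RBAC denials that client-go reflectors log and reports cluster-scope access to a resource whose controller is absent from `--controllers`. The function names, the two constructed log lines, and the rule that a controller is named after the resource it watches are assumptions.

```python
import re

# RBAC denial as logged by a client-go reflector (format taken from the issue).
DENIAL = re.compile(
    r'failed to \w+ \*(?P<kind>\S+?): .*?is forbidden: '
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) '
    r'resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

CONTROLLERS_FLAG = (  # flag value from the issue
    "--controllers=issuers,certificates-metrics,orders,challenges,"
    "certificaterequests-approver,certificaterequests-issuer-acme,"
    "certificaterequests-issuer-selfsigned,certificates-trigger,"
    "certificates-issuing,certificates-key-manager,"
    "certificates-request-manager,certificates-readiness,"
    "certificates-revision-manager"
)

SA = 'User "system:serviceaccount:default:cert-manager"'
SAMPLE_LOG = [
    # Line from the issue.
    'k8s.io/client-go@v0.25.2/tools/cache/reflector.go:169: failed to list '
    '*v1.ClusterIssuer: clusterissuers.cert-manager.io is forbidden: ' + SA +
    ' cannot list resource "clusterissuers" in API group "cert-manager.io" '
    'at the cluster scope',
    # Constructed: a namespaced denial and an unrelated line, both ignored.
    'reflector.go:169: failed to list *v1.Secret: secrets is forbidden: ' + SA +
    ' cannot list resource "secrets" in API group "" in the namespace "other"',
    'controller.go:100: starting controller "issuers"',
]

def enabled_controllers(flag):
    """Return the controller names listed in a --controllers=a,b,c flag."""
    value = flag.split("=", 1)[-1]
    return {name.strip().strip('"') for name in value.split(",") if name.strip()}

def unexpected_cluster_access(log_lines, flag):
    """Cluster-scope denials for resources whose controller is not enabled."""
    enabled = enabled_controllers(flag)
    findings = []
    for line in log_lines:
        m = DENIAL.search(line)
        if m is None or m["namespace"] is not None:
            continue  # not an RBAC denial, or a namespaced one
        # Assumption: the controller is named after the resource it watches.
        if m["resource"] not in enabled:
            findings.append({k: m[k] for k in ("user", "verb", "resource", "group", "kind")})
    return findings
```

Calling `unexpected_cluster_access(SAMPLE_LOG, CONTROLLERS_FLAG)` returns one finding, for the `clusterissuers` list attempt by the `cert-manager` service account.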
