fix(deploy/test/libest): pin LIBEST_REF to upstream tag r3.2.0

The Dockerfile at HEAD pinned LIBEST_REF=v3.2.0-2 — that ref does
NOT exist on cisco/libest upstream. Verified via:

    curl -sS https://api.github.com/repos/cisco/libest/tags
    # only tags returned: v1.0.0, r3.2.0, 1.1.0

The 'v' prefix and the '-2' patch suffix were both wrong from day
one (commit e9011ca, EST RFC 7030 hardening Phase 10.1). The bug
went undetected because the libest sidecar Dockerfile was never
built end-to-end — neither operator-side nor in CI. The Dockerfile's
own header comment ('last tag 3.2.0-2 from 2018') was inaccurate
in the same way.

This fix:
  - ARG LIBEST_REF=v3.2.0-2 → r3.2.0 (the actual upstream tag, sha
    4ca02c6d7540f2b1bcea278a4fbe373daac7103b verified via
    api.github.com/repos/cisco/libest/git/refs/tags/r3.2.0)
  - Updated the surrounding head-comment block to reflect the real
    upstream tag name + cite the 2026-04-30 GitHub API verification.
  - Added a note explaining the prior broken pin so future readers
    don't re-introduce it.

The estclient binary built from r3.2.0 supports the only RFC 7030
endpoint the est_e2e_test.go exercises ('estclient -g' = GET
cacerts), so the integration test still works against this ref.

Closes the libest-build-failure surfaced by ci-pipeline-cleanup
Phase 8's Docker build smoke step (CI run 25192163943, job
'image-and-supply-chain').

deploy/test/libest/Dockerfile

@@ -4,10 +4,18 @@
 # canonical RFC 7030 client for the certctl integration test suite.
 #
 # Source: https://github.com/cisco/libest (the upstream reference
-# implementation; last tag 3.2.0-2 from 2018, but the protocol surface
-# we exercise is stable RFC 7030). We build from source rather than
-# pulling a published image because no official Cisco image exists on
-# Docker Hub + reproducible offline-friendly builds need a pinned ref.
+# implementation; latest tag is r3.2.0 — verified via
+# https://api.github.com/repos/cisco/libest/tags 2026-04-30. The
+# protocol surface we exercise is stable RFC 7030). We build from
+# source rather than pulling a published image because no official
+# Cisco image exists on Docker Hub + reproducible offline-friendly
+# builds need a pinned ref.
+#
+# Note: an earlier draft of this Dockerfile (commit 15da1f4) pinned
+# LIBEST_REF=v3.2.0-2 — that ref does not exist upstream (cisco/libest
+# tags do NOT use the `v` prefix and there is no `-2` patch suffix).
+# The build silently broke until ci-pipeline-cleanup Phase 8's Docker
+# build smoke surfaced it.
 #
 # The builder stage compiles libest + its OpenSSL dependency; the
 # runtime stage carries only the compiled `estclient` binary +
@@ -20,7 +28,7 @@
 # CI uses `docker compose --profile est-e2e build libest-client` to
 # orchestrate the build alongside the rest of the test stack.
 
-ARG LIBEST_REF=v3.2.0-2
+ARG LIBEST_REF=r3.2.0
 
 # Bundle A / Audit H-001 (CWE-829): both FROM lines below pin
 # debian:bookworm-slim to the immutable OCI image-index digest pulled
@@ -33,7 +41,7 @@ FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13
 ARG LIBEST_REF
 
 # Build deps. We use the system openssl (1.1.1n in bookworm-slim) which
-# is the same major version libest 3.2.0-2 was tested against. libest
+# is the same major version libest r3.2.0 was tested against. libest
 # also wants libcurl + libsafec; we install both via apt rather than
 # building from source for reproducibility.
 RUN apt-get update && apt-get install --no-install-recommends -y \