feat(M47): add Kubernetes Secrets target + AWS ACM PCA issuer connectors

Implement both M47 connectors with full cross-layer wiring:

Kubernetes Secrets target: DNS-1123 validation, kubernetes.io/tls Secret
create-or-update, chain concatenation, serial number validation, Helm
RBAC gating. 18 tests.

AWS ACM Private CA issuer: synchronous issuance (like Vault), ARN regex
validation, RFC 5280 revocation reason mapping, CA cert retrieval,
factory + env var seeding. 23 tests.

Cross-cutting: domain types, service validation, config, factory, agent
dispatch, frontend (TargetsPage, issuerTypes), OpenAPI, seed data, Helm
chart, connectors docs, README. Testing docs (testing-guide, qa-test-guide,
qa_test.go) with Parts thematically integrated near related connectors.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

deploy/helm/certctl/templates/serviceaccount.yaml

@@ -18,7 +18,14 @@ metadata:
   name: {{ include "certctl.fullname" . }}
   labels:
     {{- include "certctl.labels" . | nindent 4 }}
-rules: []
+rules:
+{{- if .Values.kubernetesSecrets.enabled }}
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "create", "update", "patch"]
+{{- else }}
+  []
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

deploy/helm/certctl/values.yaml

@@ -381,6 +381,13 @@ serviceAccount:
 rbac:
   create: true
 
+# ==============================================================================
+# Kubernetes Secrets Target Connector
+# ==============================================================================
+kubernetesSecrets:
+  # Enable RBAC rules for managing TLS Secrets
+  enabled: false
+
 # ==============================================================================
 # Pod Disruption Budget (for HA deployments)
 # ==============================================================================