feat: add cert-manager TLS configuration with opt-out

[ibourgeois]

Context

As a developer deploying Beacon behind ingress, I need TLS to be configured by default through cert-manager, with an opt-out when the cluster or environment does not use it.

Acceptance Criteria

• assume cert-manager is available by default for ingress-enabled deployments
• prompt the user to opt out of cert-manager integration if desired
• generate the required ingress TLS configuration and cert-manager annotations
• allow the certificate issuer reference to be configured
• add tests for cert-manager enabled and disabled output

Notes

This should work cleanly with ingress provider support and not force TLS on environments that intentionally disable it.