feat: add certificatee rollout-tolerant health checks

[ananthb]

Summary

• add a real /health endpoint alongside /metrics
• make certificatee tolerate mixed DPAPI v2/v3 rollout without failing Nomad health checks
• expose per-endpoint rollout state via certificatee_haproxy_endpoint_up{state=...}
• fix wildcard metadata fallback so missing per-cert detail does not panic

Testing

• env GOCACHE=/tmp/go-build-certificator go test ./pkg/certmetrics ./cmd/certificatee ./cmd/certificator
• env GOCACHE=/tmp/go-build-certificator go test -run '^$' ./pkg/haproxy

[github-actions]

Code Coverage Report

Total Coverage: total: (statements) 27.7%

Coverage by function

github.com/vinted/certificator/cmd/certificatee/health.go:9:		newCertificateeHealthChecker	0.0%
github.com/vinted/certificator/cmd/certificatee/helpers.go:9:		createHAProxyClients		0.0%
github.com/vinted/certificator/cmd/certificatee/main.go:22:		main				0.0%
github.com/vinted/certificator/cmd/certificatee/main.go:73:		maybeUpdateCertificates		0.0%
github.com/vinted/certificator/cmd/certificatee/main.go:89:		processHAProxyEndpoint		0.0%
github.com/vinted/certificator/cmd/certificatee/main.go:191:		setEndpointState		0.0%
github.com/vinted/certificator/cmd/certificatee/main.go:197:		shouldUpdateCertificate		0.0%
github.com/vinted/certificator/cmd/certificatee/main.go:240:		updateCertificate		0.0%
github.com/vinted/certificator/cmd/certificatee/main.go:262:		buildPEMBundle			0.0%
github.com/vinted/certificator/cmd/certificatee/main.go:288:		endsWith			0.0%
github.com/vinted/certificator/cmd/certificator/main.go:20:		main				0.0%
github.com/vinted/certificator/pkg/acme/acme.go:27:			GetEmail			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:32:			GetRegistration			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:37:			GetPrivateKey			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:42:			NewClient			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:61:			setupClient			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:80:			setupAccount			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:118:			newAccount			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:130:			getAccountKey			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:159:			registerAccount			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:177:			recoverAccount			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:211:			saveAccount			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:221:			saveKey				0.0%
github.com/vinted/certificator/pkg/certificate/certificate.go:18:	ObtainCertificate		0.0%
github.com/vinted/certificator/pkg/certificate/certificate.go:50:	GetCertificate			0.0%
github.com/vinted/certificator/pkg/certificate/certificate.go:68:	NeedsReissuing			0.0%
github.com/vinted/certificator/pkg/certificate/certificate.go:96:	arraysEqual			0.0%
github.com/vinted/certificator/pkg/certificate/certificate.go:110:	arrayContains			0.0%
github.com/vinted/certificator/pkg/certificate/certificate.go:119:	VaultCertLocation		0.0%
github.com/vinted/certificator/pkg/certificate/certificate.go:123:	storeCertificateInVault		0.0%
github.com/vinted/certificator/pkg/certmetrics/metrics.go:80:		StartMetricsServer		0.0%
github.com/vinted/certificator/pkg/certmetrics/metrics.go:105:		newHandler			100.0%
github.com/vinted/certificator/pkg/certmetrics/metrics.go:129:		PushMetrics			0.0%
github.com/vinted/certificator/pkg/config/config.go:73:			LoadConfig			0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:50:		NewClient			100.0%
github.com/vinted/certificator/pkg/haproxy/client.go:85:		NewClients			92.3%
github.com/vinted/certificator/pkg/haproxy/client.go:110:		Endpoint			100.0%
github.com/vinted/certificator/pkg/haproxy/client.go:115:		doRequest			88.9%
github.com/vinted/certificator/pkg/haproxy/client.go:133:		parseAPITime			66.7%
github.com/vinted/certificator/pkg/haproxy/client.go:146:		getConfigVersion		66.7%
github.com/vinted/certificator/pkg/haproxy/client.go:211:		ListCertificates		100.0%
github.com/vinted/certificator/pkg/haproxy/client.go:225:		ListCertificateRefs		85.7%
github.com/vinted/certificator/pkg/haproxy/client.go:262:		IsV3UnavailableError		0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:271:		GetCertificateDetail		68.4%
github.com/vinted/certificator/pkg/haproxy/client.go:312:		UpdateCertificate		85.7%
github.com/vinted/certificator/pkg/haproxy/client.go:336:		CreateCertificate		78.3%
github.com/vinted/certificator/pkg/haproxy/client.go:377:		DeleteCertificate		92.9%
github.com/vinted/certificator/pkg/haproxy/client.go:401:		ExtractDomainFromPath		100.0%
github.com/vinted/certificator/pkg/haproxy/client.go:421:		NormalizeDomainForVault		0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:429:		IsExpiring			100.0%
github.com/vinted/certificator/pkg/haproxy/client.go:440:		NormalizeSerial			100.0%
github.com/vinted/certificator/pkg/haproxy/client.go:463:		Error				100.0%
github.com/vinted/certificator/pkg/haproxy/client.go:467:		Info				0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:471:		Debug				100.0%
github.com/vinted/certificator/pkg/haproxy/client.go:475:		Warn				0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:480:		toLogrusFields			85.7%
github.com/vinted/certificator/pkg/vault/vault.go:18:			NewVaultClient			0.0%
github.com/vinted/certificator/pkg/vault/vault.go:27:			TokenLookupSelf			0.0%
github.com/vinted/certificator/pkg/vault/vault.go:39:			KVWrite				0.0%
github.com/vinted/certificator/pkg/vault/vault.go:53:			KVRead				0.0%
github.com/vinted/certificator/pkg/vault/vault.go:74:			vaultFullPath			0.0%
total:									(statements)			27.7%