feat: implement intermediate CA support #106

@slauger

Description

Problem

The IntermediateCASpec struct exists in the API (api/v1alpha1/config_types.go:303-311) and is referenced from CertificateAuthoritySpec.IntermediateCA, but is not implemented in any controller.

type IntermediateCASpec struct {
    Enabled    bool   `json:"enabled"`                  // switch from self-signed CA to an imported intermediate
    SecretName string `json:"secretName,omitempty"`     // Secret holding the intermediate CA cert, key and CRL
}

The field is included in the CRD schema, so users can set it - but it has no effect.

Expected Behavior

When intermediateCA.enabled: true, the operator should:

  1. Skip self-signed CA generation in the setup Job
  2. Import an existing CA cert+key from the referenced Secret (intermediateCA.secretName)
  3. Use the imported CA to sign certificates
  4. Chain the intermediate CA cert with the root CA for trust verification

This enables enterprise setups where the Puppet CA must be subordinate to a corporate root CA.

Current API Surface

apiVersion: openvox.voxpupuli.org/v1alpha1
kind: CertificateAuthority
metadata:
  name: production-ca
spec:
  intermediateCA:
    enabled: true
    secretName: corporate-ca-intermediate

The Secret is expected to contain ca.pem, key.pem, and crl.pem.

Considerations

  • Should the operator validate the intermediate CA cert chain on import?
  • How should CRL distribution work (chain both CRLs)?
  • Should the setup Job handle CSR generation toward the parent CA, or is the intermediate cert provided externally?
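As an added illustration of the import step (Expected Behavior 2 and 4) and the first consideration, here is a Go sketch that is not part of this issue or the operator's code: ValidateIntermediateCA is a hypothetical helper that vets a Secret's ca.pem and key.pem before the CA is used for signing, and NewCA generates constructed root/intermediate sample data in the Secret layout described above (crl.pem is left out).

```go
package main
import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)
// ValidateIntermediateCA (hypothetical helper, not operator code) vets a Secret's ca.pem and
// key.pem before import: a signing CA cert, a key that belongs to it, and a chain to roots.
func ValidateIntermediateCA(data map[string][]byte, roots *x509.CertPool) (*x509.Certificate, error) {
	cb, _ := pem.Decode(data["ca.pem"])
	kb, _ := pem.Decode(data["key.pem"])
	if cb == nil || kb == nil {
		return nil, errors.New("ca.pem or key.pem is missing or not PEM")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	key, kerr := x509.ParsePKCS8PrivateKey(kb.Bytes)
	if err = errors.Join(err, kerr); err != nil {
		return nil, err
	}
	if !cert.IsCA || cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		return nil, errors.New("ca.pem is not a CA certificate with keyCertSign")
	}
	signer, ok := key.(crypto.Signer)
	pub, ok2 := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !ok2 || !pub.Equal(signer.Public()) { // a foreign key could never sign as this CA
		return nil, errors.New("key.pem does not match ca.pem")
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots}) // must chain to a root we already trust
	return cert, err
}
// NewCA builds constructed sample data: CA cert+key (self-signed when parent is nil) and the Secret layout.
func NewCA(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, map[string][]byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	kb, _ := x509.MarshalPKCS8PrivateKey(key)
	return cert, key, map[string][]byte{"ca.pem": pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}),
		"key.pem": pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: kb})}
}
```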

Priority: P3
