
fix: include CA certificates in scratch Docker image #261

Open
patsevanton wants to merge 1 commit into segmentio:master from patsevanton:certificates

fix: include CA certificates in scratch Docker image#261
patsevanton wants to merge 1 commit into
segmentio:masterfrom
patsevanton:certificates

Conversation

@patsevanton

Problem

The final Docker image is built FROM scratch and does not contain system CA certificates. When Go's crypto/tls attempts to verify a server certificate signed by a public CA (e.g. Amazon Trust Services for AWS MSK), it falls back to an empty root pool and fails with:

tls: failed to verify certificate: x509: certificate signed by unknown authority

This blocks all users connecting topicctl to Kafka clusters that use TLS with public-CA-signed certificates.

Ref: sentry-kubernetes/charts#2213

Fix

Copy /etc/ssl/certs/ca-certificates.crt from the builder stage (golang:1.24.4, Debian-based) into the scratch final image. This is the standard Go approach for minimal container images — Go's crypto/tls automatically discovers this file as the system root CA pool.

The file is ~200KB and adds public CA trust (Amazon, DigiCert, Let's Encrypt, etc.) without adding an entire OS layer.

Before / After

Check                                          Before                     After
test -f /etc/ssl/certs/ca-certificates.crt     MISSING                    present
TLS to public-CA broker (no --tls-ca-cert)     x509: unknown authority    ✅ connects

Testing

Built and verified locally:

docker build --build-arg VERSION=dev -t topicctl-test .
docker run --rm --entrypoint sh topicctl-test \
  -c 'test -f /etc/ssl/certs/ca-certificates.crt && echo OK || echo MISSING'
# → OK

The final Docker image is built FROM scratch and does not contain
system CA certificates. This causes TLS connections to Kafka brokers
using public CA-signed certificates (e.g. AWS MSK with Amazon Trust
Services) to fail with 'x509: certificate signed by unknown authority'.

Copy ca-certificates.crt from the builder stage so that Go's
crypto/tls can verify server certificates out of the box.

Ref: sentry-kubernetes/charts#2213
patsevanton requested a review from a team as a code owner May 29, 2026 02:54
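The before/after from the PR table, reproduced in Go as an added example (this is not topicctl's code and not part of the PR). A constructed root CA and a broker certificate signed by it are generated in memory; the broker certificate is then verified against a root pool read from a bundle path the way crypto/tls does, first with the file absent (the empty pool a scratch image produces) and then after the CA has been written to `<dir>/ca-certificates.crt`. The CA name, the broker hostname `b-1.example-msk.local` and the bundle location under a temp dir are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// makeChain builds a constructed stand-in for a public root CA plus a broker leaf cert it signed.
func makeChain() (ca, leaf *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)   // demo: rand.Reader failure not handled
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo: rand.Reader failure not handled
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"}, // assumed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "b-1.example-msk.local"}, // assumed broker name
		DNSNames:     []string{"b-1.example-msk.local"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, err
}

// VerifyAgainstBundle verifies the broker cert with roots read from bundlePath, which plays the
// role of the image's /etc/ssl/certs/ca-certificates.crt. A missing file leaves the pool empty.
func VerifyAgainstBundle(leaf *x509.Certificate, bundlePath string) error {
	roots := x509.NewCertPool() // non-nil and empty, so Verify will not fall back to system roots
	if pemBytes, err := os.ReadFile(bundlePath); err == nil {
		roots.AppendCertsFromPEM(pemBytes)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:   roots,
		DNSName: "b-1.example-msk.local",
	})
	return err
}

// IsUnknownAuthority reports whether err is the x509 error the PR description quotes.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// Demo verifies with no bundle in dir, then writes the CA to dir/ca-certificates.crt and verifies again.
func Demo(dir string) (before, after error) {
	ca, leaf, err := makeChain()
	if err != nil {
		return err, err
	}
	bundle := filepath.Join(dir, "ca-certificates.crt")
	before = VerifyAgainstBundle(leaf, bundle) // file absent: x509: certificate signed by unknown authority
	pemCA := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
	if err := os.WriteFile(bundle, pemCA, 0o644); err != nil {
		return before, err
	}
	after = VerifyAgainstBundle(leaf, bundle) // bundle present: nil
	return before, after
}

func main() {
	dir, _ := os.MkdirTemp("", "cabundle")
	defer os.RemoveAll(dir)
	before, after := Demo(dir)
	fmt.Printf("before: %v\nafter: %v\n", before, after)
}
```

Two caveats follow from how Go builds the pool. The bundle copied out of golang:1.24.4 is whatever Debian shipped at build time, so CA additions or removals only reach the image on rebuild. On Linux the environment variables SSL_CERT_FILE and SSL_CERT_DIR override the default search locations, so a stray override in a deployment manifest reproduces the same unknown-authority error even with the file present. Note also that a true FROM scratch image contains no sh, so a check that does not depend on a shell, such as `docker export "$(docker create topicctl-test)" | tar -t | grep ca-certificates.crt`, is the one that works regardless of what the final stage contains.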
