Implement targeted certificate patching in fleetd

[zwass]

NOT TO BE MERGED

This is to help out a customer who has deployed fleetd agents with a single certificate that is expiring. We look for that certificate and replace it with the default cert bundle. This will be pushed to an orbit release tag that the customer will configure on their Fleet server, so that it only affects their deployment.

It also enables Fleet Desktop for these installations, as discussed with the customer.

[lucasmrod]

LGTM

[lucasmrod]

(Please convert to draft to not affect PR metrics :)

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 183 lines in your changes missing coverage. Please review.

Project coverage is 64.69%. Comparing base (75ab22a) to head (19892e7).
Report is 541 commits behind head on main.

Files with missing lines	Patch %	Lines
orbit/cmd/orbit/orbit.go	0.00%	183 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##             main   #21330       +/-   ##
===========================================
+ Coverage   52.91%   64.69%   +11.77%     
===========================================
  Files         444     1487     +1043     
  Lines       11030   120701   +109671     
  Branches     3349     3349               
===========================================
+ Hits         5837    78088    +72251     
- Misses       5170    35486    +30316     
- Partials       23     7127     +7104     

Flag	Coverage Δ
backend	65.87% <0.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.