make sure we check all TLS certs exhaustively in Prometheus
In #41633 (closed), we've implemented basic certificate expiry checks for sites that are monitored in Prometheus. But I'm not confident enough that all certs are checked like this.
The best way to ensure that is done is to add Prometheus targets systematically when we define an ssl::service in Puppet. Let's do that.