When configuring a Vault issuer for istio-csr, the least-privileged Vault role configurations are not very obvious.
We have been through this particular problem recently and can supply a quick guide around minimal policy for any PKI engine role that is dedicated to istio-csr cert issuance.
We could even show a fully worked example in kind in an examples/ directory under docs/?