feat(backend): support custom SSL root CAs for internal GitLab instances

[jeremyeder]

Summary

• Adds httputil package with a shared http.Transport that loads additional CA certificates from the CUSTOM_CA_BUNDLE environment variable, appending them to the system cert pool
• Updates all outbound HTTP clients connecting to user-configured hosts (ValidateGitLabToken, ValidateGitHubToken, ValidateJiraToken, ValidateGoogleToken, gitlab.NewClient) to use the shared transport
• Transport mirrors net/http.DefaultTransport settings (proxy, HTTP/2, dial timeouts, keep-alive) and falls back gracefully to Go defaults on any CA loading failure

Closes #1038

Test plan

• Set CUSTOM_CA_BUNDLE to a valid PEM file with a corporate CA and verify connections to an internal GitLab instance succeed
• Verify connections to public hosts (gitlab.com, github.com, googleapis.com) still work without CUSTOM_CA_BUNDLE set
• Set CUSTOM_CA_BUNDLE to a nonexistent path and verify the backend starts with a warning log and falls back to system CAs
• Set CUSTOM_CA_BUNDLE to a file with invalid PEM content and verify the backend starts with a warning and falls back to system CAs
• Verify HTTP_PROXY/HTTPS_PROXY environment variables are still respected

🤖 Generated with Claude Code

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3f0841ac-6cf3-47d2-8d15-f5c3e04c3f22

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/custom-ssl-ca-support

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ktdreyer]

What do you think about the first option (config.openshift.io/inject-trusted-cabundle: "true")? That seems more elegant, if it works.

[ktdreyer]

I tried config.openshift.io/inject-trusted-cabundle: "true" recently for ArgoCD. They already pre-populate it with the RH CA in RH IT's MP+ environment. So that is definitely the way to go.