
Gateway Controller: support custom truststore for Platform API / Control Plane connections #1990

@renuka-fernando

Description

The Gateway Controller has no way to trust a custom CA when connecting to the Platform API / Control Plane. Today the only knob is controlPlane.insecure_skip_verify. With it set to false, the controller falls back to the container's default system trust store (/etc/ssl/certs/ca-certificates.crt), so private/enterprise CAs are not honored unless they are baked into the container OS trust store.

This affects all outbound TLS clients used by the controller, including:

  • The WebSocket connection to the Control Plane
  • The HTTPS well-known discovery call
  • The gateway manifest publish call
  • The Platform API HTTP client
  • The on-prem APIM publisher client

None of these accept a custom CA bundle; only insecure_skip_verify is configurable.

Expected behavior:

When insecure_skip_verify=false and a custom CA is configured, the controller should verify the Platform API / Control Plane certificate against that CA bundle (appended to the system trust store).

Proposed fix:

  1. Add a trusted_cert_path (or ca_cert_path) option under controlPlane in the controller config.
  2. In every outbound HTTP/WebSocket client the controller uses to reach the Platform API / Control Plane, load the file into a cert pool (starting from the system pool and appending) and set it as the TLS root CAs.
  3. Helm (gateway-helm-chart): add a controlPlane.truststore block (secret or configMap) mounted into the controller, and pass the mount path through to the controller config.

Version

No response

Related Issue

No response

Labels

Area/Gateway: Any issues related to API deployment in gateway, routing etc.
Aspect/Configuration: Config files, settings, env vars, defaults
Type/Improvement