Allow ACME-issued certificates for public endpoint routes#1938

Open
marbindrakon wants to merge 1 commit into
openstack-k8s-operators:mainfrom
marbindrakon:allow-acme-public-certs

Conversation

@marbindrakon marbindrakon commented Jun 12, 2026


When a user supplies a custom TLS secret for a public endpoint route
(via apiOverride), the operator required the secret to contain
tls.crt, tls.key and ca.crt. Certificates issued by an ACME
issuer (e.g. Let's Encrypt) do not populate ca.crt: the issuing chain
is delivered inline in tls.crt, and the signing root is publicly
trusted, so a separate ca.crt entry is neither produced nor needed.
This made it impossible to use ACME-issued certificates for public
endpoints without synthesising a ca.crt key.

This makes ca.crt optional on that path:

  • The secret key check is extracted into validateRouteCertSecret,
    which now requires only tls.crt and tls.key.
  • The route's CACertificate is set only when the secret actually
    provides ca.crt, instead of writing an empty value.

Certificate chains continue to be served correctly because cert-manager
packs the full issuing chain into tls.crt; CACertificate is only
used to advertise an additional custom CA, which remains supported when
present. Re-encrypt (TLSE) routes are unaffected — their
DestinationCACertificate is still sourced from the internal CA bundle.

This covers the "bring your own secret" flow. Having the operator
manage an ACME Certificate directly (which additionally requires
guarding the custom-issuer CA-extraction path and splitting public vs
internal SAN profiles) is intentionally out of scope here.

Jira: RHOSRFE-109

🤖 Generated with Claude Code

When a user supplies a custom TLS secret for a public endpoint route
(via apiOverride), the operator required tls.crt, tls.key AND ca.crt.
Certificates issued by an ACME issuer (e.g. Let's Encrypt) do not
populate ca.crt: the issuing chain is delivered in tls.crt and the root
is publicly trusted, so ca.crt is not needed.

Make ca.crt optional on this path:
- Extract the secret key check into validateRouteCertSecret, which now
  only requires tls.crt and tls.key.
- Only set the route's CACertificate when the secret actually provides
  ca.crt, instead of writing an empty value.

This lets ACME-issued certificates be consumed for public endpoints
without a synthetic ca.crt entry. Intermediates continue to be served
because cert-manager packs the full chain into tls.crt.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Andrew Austin Byrum <aaustin@redhat.com>
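The check the PR describes, written out as a stand-alone Go example (added here; not the openstack-operator code and not taken from the PR diff). It reuses the helper name validateRouteCertSecret from the description, but the RouteTLS struct, the buildRouteTLS and chainLength helpers and the PEM fixtures are assumptions made for illustration: the secret data is modelled as a map[string][]byte the way a corev1.Secret exposes it, the PEM blocks are constructed placeholders rather than real certificates, and no OpenShift route API is touched.

```go
package main

import (
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Key names of a kubernetes.io/tls secret.
const (
	tlsCertKey = "tls.crt"
	tlsKeyKey  = "tls.key"
	caCertKey  = "ca.crt"
)

// RouteTLS mirrors the three route TLS fields the PR touches (assumed shape).
type RouteTLS struct {
	Certificate   string
	Key           string
	CACertificate string // stays empty when the secret has no ca.crt
}

// validateRouteCertSecret requires tls.crt and tls.key; ca.crt is optional
// because ACME issuers (e.g. Let's Encrypt) never populate it.
func validateRouteCertSecret(data map[string][]byte) error {
	var missing []string
	for _, k := range []string{tlsCertKey, tlsKeyKey} {
		if len(data[k]) == 0 {
			missing = append(missing, k)
		}
	}
	if len(missing) > 0 {
		return fmt.Errorf("route cert secret is missing %s", strings.Join(missing, ", "))
	}
	return nil
}

// buildRouteTLS fills the route TLS block, setting CACertificate only when
// the secret actually carries a non-empty ca.crt (no empty-string write).
func buildRouteTLS(data map[string][]byte) (RouteTLS, error) {
	if err := validateRouteCertSecret(data); err != nil {
		return RouteTLS{}, err
	}
	out := RouteTLS{Certificate: string(data[tlsCertKey]), Key: string(data[tlsKeyKey])}
	if ca := data[caCertKey]; len(ca) > 0 {
		out.CACertificate = string(ca)
	}
	return out, nil
}

// chainLength counts CERTIFICATE blocks in a PEM bundle. A check like this
// lets an operator confirm that an ACME tls.crt really carries its
// intermediates inline, which is what makes ca.crt unnecessary on a public route.
func chainLength(bundle []byte) (int, error) {
	n := 0
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type == "CERTIFICATE" {
			n++
		}
	}
	if n == 0 {
		return 0, errors.New("no CERTIFICATE block found in tls.crt")
	}
	return n, nil
}

// Constructed placeholder PEM blocks (base64 of "ABC", "DEF", "GHI"); not real keys or certs.
const (
	leafPEM = "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"
	intPEM  = "-----BEGIN CERTIFICATE-----\nREVG\n-----END CERTIFICATE-----\n"
	keyPEM  = "-----BEGIN EC PRIVATE KEY-----\nR0hJ\n-----END EC PRIVATE KEY-----\n"
)

// acmeSecretData models what cert-manager writes for an ACME Certificate:
// leaf plus intermediate in tls.crt, and no ca.crt at all.
func acmeSecretData() map[string][]byte {
	return map[string][]byte{tlsCertKey: []byte(leafPEM + intPEM), tlsKeyKey: []byte(keyPEM)}
}

// privateCASecretData models a privately signed secret that also supplies ca.crt.
func privateCASecretData() map[string][]byte {
	d := acmeSecretData()
	d[caCertKey] = []byte(intPEM)
	return d
}

func main() {
	for name, data := range map[string]map[string][]byte{"acme": acmeSecretData(), "private-ca": privateCASecretData()} {
		tls, err := buildRouteTLS(data)
		if err != nil {
			fmt.Println(name, "rejected:", err)
			continue
		}
		n, _ := chainLength(data[tlsCertKey])
		fmt.Printf("%s: chain=%d CACertificate set=%t\n", name, n, tls.CACertificate != "")
	}
}
```

The chainLength check is the practitioner's caveat to the "bring your own secret" flow: if a tls.crt holds a single block and the issuer is not publicly trusted, the route will serve an incomplete chain, and, as the author notes further down, the user is then responsible for adding the root to the CA bundle.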
@openshift-ci openshift-ci Bot requested review from fultonj and rabi June 12, 2026 15:45
openshift-ci Bot commented Jun 12, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: marbindrakon
Once this PR has been reviewed and has the lgtm label, please assign dprince for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci Bot commented Jun 12, 2026


Hi @marbindrakon. Thanks for your PR.

I'm waiting for an openstack-k8s-operators member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@github-actions


OpenStackControlPlane CRD Size Report

  Metric            Value
  CRD JSON size     349562 bytes (341KB)
  Base branch size  349562 bytes
  Change            +0.00%
  Status            yellow (growing)

Threshold reference:

  Color      Range      Meaning
  🟢 green   < 300KB    Comfortable
  🟡 yellow  300–400KB  Growing
  🟠 orange  400–750KB  Concerning
  🔴 red     > 750KB    Approaching 1.5MB etcd limit (cut in half to allow space for update)

@marbindrakon


As proposed, this patch will not stop a user from providing a privately-signed certificate secret. In that case, they would be responsible for adding the correct root to the CA bundle using the existing mechanism.
