fix: import /certs/ca.pem into JVM truststore at startup

The server container mounts the platform's certs volume at /certs but
the CA bundle was never imported into the JVM truststore. OIDC discovery
failed with PKIX path building errors when a self-signed or custom CA
was in use.

The new entrypoint script splits the PEM bundle and imports each cert
via keytool before starting the app. This makes the conditional
CAMELEER_OIDC_TLS_SKIP_VERIFY logic in the SaaS provisioner work
correctly: when ca.pem exists, the JVM now actually trusts it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docker-entrypoint.sh

@@ -0,0 +1,34 @@
+#!/bin/sh
+set -e
+
+# Import CA certificates from /certs/ca.pem into JVM truststore if present.
+# This allows the server to trust custom CAs (e.g., Traefik self-signed in dev,
+# or an internal PKI in production) for OIDC discovery and token exchange.
+if [ -f /certs/ca.pem ]; then
+    TRUSTSTORE="$JAVA_HOME/lib/security/cacerts"
+    STOREPASS="changeit"
+    TMPDIR=$(mktemp -d)
+
+    # Split PEM bundle into individual certificates
+    awk -v dir="$TMPDIR" '
+        /-----BEGIN CERTIFICATE-----/ { n++ }
+        n > 0 { print > dir "/cert-" n ".pem" }
+    ' /certs/ca.pem
+
+    count=0
+    for cert in "$TMPDIR"/cert-*.pem; do
+        [ -f "$cert" ] || continue
+        if keytool -importcert -noprompt -trustcacerts \
+            -alias "custom-ca-$count" \
+            -file "$cert" \
+            -keystore "$TRUSTSTORE" \
+            -storepass "$STOREPASS" 2>/dev/null; then
+            count=$((count + 1))
+        fi
+    done
+
+    rm -rf "$TMPDIR"
+    [ "$count" -gt 0 ] && echo "Imported $count CA certificate(s) into JVM truststore"
+fi
+
+exec java -Duser.timezone=UTC -jar /app/server.jar