fix(chart): mount mTLS CA for auth-callout #28

Draft
FrankSpitulski wants to merge 1 commit into main from fix/chart/6230725-auth-callout-mtls-ca

@FrankSpitulski
Collaborator

Summary

  • add explicit auth-callout mtlsCA chart values for mounting CA Secrets
  • enable that mount from deploy/nats-event-bus when global.eventBus.mtls.enabled is true
  • remove the local-only manual CA workaround and update mTLS docs

Validation

  • reproduced: helm template dsx deploy/nats-event-bus --set global.eventBus.mtls.enabled=true rendered empty mtls.ca-path and no auth-callout mtls-ca volume before the fix
  • helm template assertions for mTLS enabled, disabled, standalone auth-callout defaults, standalone mtlsCA.enabled, old manual workaround values, and custom serviceConfig.mtls.ca-path
  • helm lint auth-callout/deploy
  • helm lint deploy/nats-event-bus
  • git diff --check
  • make check
  • make -C local deploy-nats
  • live CSC/CPC auth-callout ConfigMaps render /etc/mtls-ca/ca.crt and deployments mount mtls-ca
  • direct mTLS runtime check passed via MQTT_MTLS_BROKER=ssl://localhost:18883 go test -count=1 -v ./tests/functional -run TestMTLSConnection/ConnectWithMTLS -timeout 30s

Notes

  • Gateway IP mTLS connection to 172.18.200.1:8883 still timed out in the focused functional test; this branch verified the auth-callout CA path through direct nats-mtls service access, and Gateway route behavior is covered by the separate mTLS route work.

Signed-off-by: Frank Spitulski <fspitulski@nvidia.com>
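
A sketch of the render check the validation list above describes, added here as an example (not code from this PR or the chart): it scans `helm template` output for an empty `mtls.ca-path` or a CA path that no `volumeMount` covers. The manifest shapes, the `check_render` name and every sample value other than `/etc/mtls-ca/ca.crt` and `mtls-ca` are assumptions.

```python
import re

# Constructed renders (assumed shapes, not the chart's real templates).
BROKEN = """\
kind: ConfigMap
data:
  config.yaml: |
    mtls:
      ca-path: ""
---
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: auth-callout
          volumeMounts:
            - name: config
              mountPath: /etc/auth-callout
"""
MTLS_MOUNT = "\n            - name: mtls-ca\n              mountPath: /etc/mtls-ca"
FIXED = BROKEN.replace('ca-path: ""', "ca-path: /etc/mtls-ca/ca.crt").replace(
    "mountPath: /etc/auth-callout", "mountPath: /etc/auth-callout" + MTLS_MOUNT)

def scalars(rendered, key):
    """All single-line values of `key`, unquoted; works inside embedded config strings."""
    found = re.findall(rf"(?m)^\s*(?:- )?{key}:[ \t]*(.*)$", rendered)
    return [v.strip().strip("'\"") for v in found]

def check_render(rendered, mtls_enabled=True):
    """Return findings for one `helm template` render; empty list means consistent."""
    if not mtls_enabled:
        return []  # an empty ca-path is expected when mTLS is off
    ca_paths = scalars(rendered, "ca-path")
    mounts = [m for m in scalars(rendered, "mountPath") if m]
    findings = []
    if not any(ca_paths):
        findings.append("mtls.ca-path is empty or missing")
    for path in filter(None, ca_paths):
        # The CA file must sit at or below some mounted directory.
        if not any(path == m or path.startswith(m.rstrip("/") + "/") for m in mounts):
            findings.append(f"no volumeMount covers {path}")
    return findings

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_render(text) or "ok")
```
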
@copy-pr-bot

copy-pr-bot Bot commented May 28, 2026

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.