handle private-certs + wave-lite

[schaluva]

Summary

This PR addresses a gap in private certificate handling: when flag_use_private_cacert = true, the rootCA was not being imported into the JVM trust
stores of Java-based containers. As a result, any TLS connection made from within those containers to services secured by the same private CA would
fail. This PR closes that gap unconditionally for backend and cron, and extends it to wave-lite when that service is also enabled.

---

Changes by Condition

flag_use_private_cacert = true (all deployments)

What changed:

• 010_prepare_config_files.tf — generates import-cert.sh at apply time: a minimal shell entrypoint wrapper that runs keytool to import rootCA.crt into
  the container JVM's cacerts, then execs the original container command
• docker-compose.yml.tpl — overrides the entrypoint of backend and cron to run import-cert.sh; volume-mounts rootCA.crt and import-cert.sh into both
  containers at /tmp/
• 02_update_file_configurations.yml.tpl (Ansible) — now also copies rootCA.crt from S3 into target/customcerts/ during deployment (previously only the
  leaf cert and key were copied)
• check_configuration.py — validation warning now fires unconditionally when this flag is set

Why: The JVM inside each container maintains its own trust store, independent of the host OS trust store. Even if update-ca-trust is run on the host,
Java processes inside containers will still reject TLS connections to private-CA-secured services unless the rootCA is explicitly imported into the
container JVM cacerts.

---

flag_use_private_cacert = true AND flag_use_wave_lite = true

What changed:

• docker-compose.yml.tpl — same entrypoint override and volume mounts applied to the wave-lite container
• check_configuration.py — validation warning for this combination now specifically calls out that a custom AMI is required for compute workers (see
  below)

Why: Wave Lite is a Java service and has the same JVM trust store requirement as backend and cron.

---

flag_use_wave_lite = true with private cert — Compute Workers

What changed:

• documentation/setup/optional_private_certificates.md — replaced a TODO with full instructions for baking rootCA.crt into a custom AMI for AWS Batch
  compute workers

Why: Nextflow compute workers pull Wave-augmented container images from the Wave Lite server over HTTPS. Because Docker on the worker host (not inside
a container) is making that pull, there is no entrypoint wrapper that can help — the rootCA must be in the host OS trust store, which means it must
be baked into the AMI used by the Compute Environment.

---

Documentation only

• documentation/design_decisions.md — added design decision Gwright99/augment tower.yml.tpl #18 explaining the rationale for unconditional rootCA mounting, the JVM/OS trust store
  distinction, and the Wave Lite addendum
• check_configuration.py — black formatting applied throughout (no logic changes outside the two warning updates noted above)