feat: Add MongoDB TLS CA certificate support via lib-commons #87

@ferr3ira-gabriel

Summary

Matcher does not support loading TLS CA certificates for MongoDB connections, which is required for secure connections to AWS DocumentDB.

Current State

Matcher uses direct MongoDB connection without any TLS configuration. This prevents secure connections to managed MongoDB services like AWS DocumentDB that require CA certificate validation.

Proposed Solution

Migrate MongoDB connection to use lib-commons/v4/commons/mongo and add support for MONGO_TLS_CA_CERT env var (base64 encoded PEM):

var tlsCfg *libMongo.TLSConfig
if cfg.MongoTLSCACert != "" {
    tlsCfg = &libMongo.TLSConfig{CACertBase64: cfg.MongoTLSCACert}
}

mongoConnection, err := libMongo.NewClient(ctx, libMongo.Config{
    URI:      mongoSource,
    Database: cfg.MongoDBName,
    TLS:      tlsCfg,
})

This follows the same pattern used for Redis: REDIS_CA_CERT → libRedis.TLSConfig{CACertBase64}

Why

AWS DocumentDB requires TLS with a specific CA certificate. Currently the only workaround is tlsInsecure=true which skips certificate validation - not ideal for production.

Acceptance Criteria

  • Migrate MongoDB connection to lib-commons/mongo
  • Add MONGO_TLS_CA_CERT env var to config struct
  • Pass TLS config to lib-commons/mongo NewClient
  • Update helm chart to support the new env var
