Description of the change:
This PR fixes a bug in the pkg/lib/server package where the server fails to start when TLS is enabled but the --client-ca flag is empty or not provided.

Motivation for the change:
When --client-ca is empty or nil, filemonitor.NewCertPoolStore() attempts to call os.ReadFile("") which fails with an error, causing the server to crash on startup.

This issue was discovered during code review of PR #1190 (OPRUN-4416: Remove kube-rbac-proxy from PSM), which would be affected by this bug when PSM is started without a client CA configuration.

Architectural changes:

1. Added clientCAEnabled() helper method to check if client CA path is provided and non-empty
2. Modified getListenAndServeFunc() to conditionally setup client CA monitoring only when a valid path is provided
3. Updated TLS configuration to only set ClientCAs and ClientAuth when client CA is available
4. Added certPoolGetter interface for type-safe handling of the cert pool store

Testing remarks:

Reviewer Checklist

• Implementation matches the proposed design, or proposal is updated to match implementation
• Sufficient unit test coverage
• Sufficient end-to-end test coverage
• Bug fixes are accompanied by regression test(s)
• e2e tests and flake fixes are accompanied evidence of flake testing, e.g. executing the test 100(0) times
• tech debt/todo is accompanied by issue link(s) in comments in the surrounding code
• Tests are comprehensible, e.g. Ginkgo DSL is being used appropriately
• Docs updated or added to /doc
• Commit messages sensible and descriptive
• Tests marked as [FLAKE] are truly flaky and have an issue
• Code is properly formatted

Assisted-By: Claude-Code