diff --git a/internal/controller/styra/system_controller.go b/internal/controller/styra/system_controller.go
index 4950f1e2..4af6c963 100644
--- a/internal/controller/styra/system_controller.go
+++ b/internal/controller/styra/system_controller.go
@@ -524,10 +524,17 @@ func (r *SystemReconciler) reconcileOPAConfigMapForOCP(
 		}
 	}
 
+	bundleURL, err := url.JoinPath(r.Config.OPA.BundleServer.URL, r.Config.OPA.BundleServer.Path)
+	if err != nil {
+		return ctrl.Result{}, false, ctrlerr.Wrap(err, "Invalid OPA BundleServer URL or path").
+			WithEvent(v1beta1.EventErrorConvertOPAConf).
+			WithSystemCondition(v1beta1.ConditionTypeOPAConfigMapUpdated)
+	}
+
 	opaconf := ocp.OPAConfig{
 		BundleService: &ocp.OPAServiceConfig{
 			Name: "s3",
-			URL:  path.Join(r.Config.OPA.BundleServer.URL, r.Config.OPA.BundleServer.Path),
+			URL:  bundleURL,
 			Credentials: &ocp.ServiceCredentials{
 				S3: &ocp.S3Signing{
 					S3EnvironmentCredentials: map[string]ocp.EmptyStruct{},
diff --git a/test/integration/controller/controller_suite_test.go b/test/integration/controller/controller_suite_test.go
index 65c37c6d..7ed9900f 100644
--- a/test/integration/controller/controller_suite_test.go
+++ b/test/integration/controller/controller_suite_test.go
@@ -175,7 +175,7 @@ var _ = ginkgo.BeforeSuite(func() {
 			},
 			OPA: configv2alpha2.OPAConfig{
 				BundleServer: &configv2alpha2.OPABundleServer{
-					URL:  "s3-url2",
+					URL:  "https://s3-url2",
 					Path: "/test-bucket",
 				},
 			},
diff --git a/test/integration/controller/system_controller_test.go b/test/integration/controller/system_controller_test.go
index 6876e2e4..fc8bf798 100644
--- a/test/integration/controller/system_controller_test.go
+++ b/test/integration/controller/system_controller_test.go
@@ -2823,7 +2823,7 @@ services:
     s3_signing:
       environment_credentials: {}
   name: s3
-  url: s3-url2/test-bucket
+  url: https://s3-url2/test-bucket
 - credentials:
     bearer:
       token_path: /run/secrets/kubernetes.io/serviceaccount/token