docs(networking): Cilium Gateway API — architecture, security, migration (#509)

## What this PR does

Adds a new `networking/gateway-api.md` page to the `next/` docs trunk
describing the Cilium-backed Gateway API feature that landed in
cozystack/cozystack#2470. Also extends the platform-package reference
with the `gateway.*` and `publishing.certificates.dns01.*` value rows
the same upstream PR introduces.

The page covers, as the feature shipped:

- a new platform-level toggle (`gateway.enabled`) and a per-tenant
toggle (`tenant.spec.gateway`) that opts a tenant into its own dedicated
Gateway (own LB IP, own per-tenant Issuer, own Certificate);
- inheritance through the `namespace.cozystack.io/gateway` label:
tenants without `spec.gateway: true` attach their routes to the nearest
ancestor's Gateway via a label-keyed `allowedRoutes.namespaces.selector`
(same shape as `_namespace.ingress` inheritance);
- mechanism-agnostic LoadBalancer IP allocation: the auto-created
Service draws its IP from whatever LB allocator the cluster admin has
wired up (MetalLB / Cilium LB-IPAM / robotlb /
`Service.spec.externalIPs`). Cozystack ships MetalLB installed but does
not auto-render any `IPAddressPool` / `L2Advertisement` /
`BGPAdvertisement` / `CiliumLoadBalancerIPPool`. There is no `gatewayIP`
field on the Tenant CR — to pin an address, the operator pre-creates the
Service with `loadBalancerIP` set or hands the tenant a reference to a
named admin-managed pool;
- a migration away from `Ingress` for every cozystack-native exposed
service (dashboard, keycloak, grafana, alerta via HTTPRoute;
kubernetes-api, vm-exportproxy, cdi-uploadproxy via TLSRoute
passthrough; harbor and bucket attached to the owning tenant's Gateway);
- a per-tenant cert-manager `Issuer` (own ACME account) plus
per-listener Certificates (HTTP-01) or a single wildcard Certificate
extended with per-child-apex SANs and a `*.<child-apex>` listener per
inheriting tenant (DNS-01). Four DNS providers supported (cloudflare,
route53, digitalocean, rfc2136);
- a five-layer security model grouped by who it defends against: Layer 3
gates tenant-user input on `Tenant.spec.host` via `cozystack-api`'s
admission chain; Layers 1, 2, 4, 5 are defense-in-depth via VAPs and the
listener label selector (tenants do not hold
`gateway.networking.k8s.io/*` RBAC by design);
- foreign-takeover guards on six reconcile paths (Gateway, redirect
HTTPRoute, per-tenant Issuer, wildcard Certificate, per-listener
Certificate, plus the namespace-label patching path which only writes /
strips `namespace.cozystack.io/gateway` on namespaces it annotates with
`cozystack.io/gateway-attached-by`).

### Sections

- **Overview** — opt-in defaults, inheritance, coexistence with
ingress-nginx.
- **Architecture** — reconciliation flow, traffic path, listener layout
(HTTP-80 / HTTPS / TLS-passthrough), `allowedRoutes` selector mechanics
per listener role.
- **Enabling Gateway API** — platform-level Package example with full
`attachedNamespaces` list, per-tenant Tenant example for owning and
inheriting tenants, custom-apex case.
- **Inheritance** — how the namespace label is set, how cross-namespace
ParentRef is gated, how DNS-01 mode extends the parent's wildcard cert.
- **Cert mode** — HTTP-01 (default, per-listener) vs DNS-01 (opt-in,
wildcard + per-child SANs), provider matrix, listener-cap
considerations.
- **Per-service routing** — HTTPRoute / TLSRoute tables: service →
namespace → route name → backend → listener.
- **Security** — mermaid diagram and one section per layer, plus
HostnameConflict resolution and the foreign-takeover guards.
- **Certificates** — per-tenant Issuer, supported ACME servers, Let's
Encrypt rate limits and mitigations.
- **Migration from ingress-nginx** — step-by-step for new and existing
clusters.
- **Known limitations** — multi-tenant shared LB IP (deferred until
Cilium ListenerSet, cilium#42756), TLSRoute `v1alpha2`, DNS-01
multi-apex DNS-provider requirement, supported ACME issuers, upstream
application gaps.
- **Troubleshooting** — concrete `kubectl` recipes for the most likely
stuck states (TenantGateway ReconcileError, Gateway not Programmed,
Certificate not Ready, HostnameConflict, admission denials, inheriting
child route not accepted, `<pending>` LB IP).

### Target branch

`next/` — the version-agnostic trunk. When the page ships with the
upstream release that contains cozystack/cozystack#2470, it materialises
automatically under the corresponding `vX.Y/` via `make release-next`.

### Not included

The legacy `v1/networking/gateway-api.md` page on the abandoned
`docs/gateway-api` branch (from the Envoy Gateway proposal in
cozystack/cozystack#2213) is unrelated to this PR. That proposal
targeted a different architecture that has since been superseded.

### Release note

```release-note
NONE
```

Author: lexfrei