chore(deps): bump civic-cloud to v1.9.0 (Envoy Gateway foundation)

[themightychris]

Summary

Bumps civic-cloud v1.8.0 → v1.9.0, which transitively pulls cluster-template v1.5.0:

• Gateway API v1.5.1 CRDs from upstream (standard channel — GatewayClass, Gateway, HTTPRoute, GRPCRoute, ListenerSet, etc.)
• Envoy Gateway v1.7.3 — controller, RBAC, Service, ConfigMap, webhook, certgen Job, all installing to `envoy-gateway-system`
• Envoy Gateway proprietary CRDs — Backend, BackendTrafficPolicy, ClientTrafficPolicy, EnvoyExtensionPolicy, EnvoyPatchPolicy, EnvoyProxy, HTTPRouteFilter, SecurityPolicy
• cert-manager Gateway API integration wired up via a ControllerConfiguration ConfigMap mounted into the controller pod: `enableGatewayAPI: true` + `featureGates: { ListenerSet: true }`

Also drops the workspace `cert-manager/helm-values.yaml` workaround introduced in #144. The upstream fix in cluster-template v1.4.1 is now part of v1.5.0, so the override is no longer needed — projected tree is byte-identical with or without it.

What changes in the deployed projection

86 files, ~92.8k insertions / 3k deletions vs. currently deployed:

• 8 new Gateway API CRDs + 2 ValidatingAdmissionPolicy resources guarding against breaking CRD upgrades
• 8 new Envoy Gateway proprietary CRDs
• Envoy Gateway controller stack (Deployment, Service, ConfigMap, RBAC, certgen Job, webhook config) in `envoy-gateway-system` ns
• cert-manager Deployment picks up the new `--config=/var/cert-manager/config/config.yaml` arg + ConfigMap volume mount; new ControllerConfiguration ConfigMap with Gateway API enabled

Server-side apply (already in our deploy workflow) handles the bigger CRDs — HTTPRoute alone is 11.6k lines.

What this DOES NOT do

• No Gateway / HTTPRoute / ListenerSet resources are created. Those are per-project, cluster-specific (hostnames, cert refs, etc.). Existing apps continue using ingress-nginx until they're migrated.
• No ingress-nginx removal. The two coexist until per-project migrations complete.

Unblocks

• PR infra: configure envoy gateway with cert-manager support #131 (Envoy Gateway + cert-manager support for main-gateway)
• PR feat: migrate balancer to envoy gateway #132 (balancer → HTTPRoute)
• PR feat: migrate echo-http to envoy gateway #133 (echo-http → HTTPRoute)
• PR feat(balancer): integrate sandbox overlay with CNPG + Gateway API + CORS #143 (balancer CNPG + Gateway API integration) — or our cleaner rewrite using `balancer/cnpg/database.yaml` co-located in this repo

Test plan

• `Build k8s-manifests` passes
• `K8s: Deploy k8s-manifests` applies cleanly (server-side apply handles the new CRDs)
• envoy-gateway controller pod becomes Ready in `envoy-gateway-system`
• `kubectl get gatewayclass eg` shows the GatewayClass registered
• cert-manager controller pod rolls onto the new image (uses the same v1.20.2, just with new args/volume); pod stays Ready
• All existing Certificates remain Ready (no migration disruption)
• In a test namespace: create a `Gateway` with TLS terminations + a `cert-manager.io/cluster-issuer` annotation and confirm a Certificate gets auto-issued (smoke test of the new Gateway API wiring)

🤖 Generated with Claude Code