feat(balancer): integrate sandbox overlay with CNPG + Gateway API + CORS

[TineoC]

Summary

Updates the balancer hologit projection to use the integrated sandbox overlay from balancer-main, which includes:

1. Gateway API migration — Ingress → HTTPRoute + ListenerSet for Envoy Gateway
2. CORS configuration — Configurable allowed origins via ConfigMap
3. CNPG database — Database CRD for shared PostgreSQL cluster + balancer-db-config ConfigMap

Changes:

• .holo/sources/balancer.toml: Points to integration branch (TineoC/balancer-main#integrate-all-migration)
• .holo/branches/k8s-manifests/balancer/manifests.toml: Root changed from base → overlays/sandbox

Depends on:

• feat: integrate Gateway API, CORS config, and CNPG database for sandbox balancer-main#507 (integrated migration PR) — must merge first

Post-merge:

• After #507 merges, update balancer.toml source to point to the main repo tag instead of the fork
• Run git holo project k8s-manifests-github to verify projection
• Verify balancer-db-credentials SealedSecret exists in cloudnative-pg namespace

Related:

• Closes [Architecture] Migrate ingress-nginx to supported alternative (EOL March 2026) #130 (ingress-nginx migration for balancer)
• Addresses Migrate Postgres RDS from AWS to Philly Cluster balancer-main#464 (CNPG migration)

[themightychris]

@TineoC this path doesn't exist on the develop branch in the balancer repo: https://github.com/CodeForPhilly/balancer-main/tree/develop/deploy/manifests/balancer/overlays

[themightychris]

NVM just saw #507 over in the balancer repo

[themightychris]

Superseded by PR #160 (`feat(balancer): clean design with shared-cluster cnpg + Envoy Gateway`). Closing.

The clean design we landed solves all three concerns in this PR without requiring balancer-main#507 upstream, and without the two-lens / sort-order workarounds:

Concern from this PR	How PR #160 addresses it
Gateway API migration (Ingress → HTTPRoute)	_gateways/balancer.yaml with per-app Gateway + HTTPRoute on balancer.sandbox.k8s.phl.io. Cert auto-issued. HTTP→HTTPS handled globally.
CNPG database (Database CR + role)	balancer/cnpg/database.yaml in cloudnative-pg namespace; targets shared-cluster; owner: balancer (the role already exists on the cluster). Database is applied and ready, empty, waiting for the data migration.
CORS configuration via ConfigMap	Deferred — the original ConfigMap shape was coupled to upstream #507's overlay layout. Easier to add cleanly once the DB cutover happens and the actual values firm up.

Layout in this repo now:

balancer/
├── kustomization.yaml          # wrapper, resources: [app, cnpg], no namespace
├── app/
│   ├── kustomization.yaml      # namespace: balancer
│   └── manifests/              # mapped from balancer-main v1.1.5 base via hologit
└── cnpg/
    ├── kustomization.yaml      # no namespace
    └── database.yaml           # Database CR with metadata.namespace: cloudnative-pg

Single hololens, single source pinned to a real tag (no mutable develop), no dependency on balancer-main#507. The Database CR + balancer role co-locate in cloudnative-pg per cnpg's same-namespace requirement; k8s-normalize routes the workspace-side resources to the right places at deploy time.

What's left to actually run balancer on the new database is tracked in a separate follow-up issue (linked once I file it).