feat(balancer): clean design with shared-cluster cnpg + Envoy Gateway#160

Merged
themightychris merged 1 commit into
mainfrom
feat/balancer-clean-design
May 18, 2026

Conversation

@themightychris
Member

Summary

Restructures balancer to the clean design we settled on before going down the Envoy/Gateway rabbit hole. Now that all prereqs are in place (Gateway API CRDs, cert-manager 1.20 with gatewayHTTPRoute solver, hairpin-proxy gone), we can land it.

Supersedes PR #143 (two-lens approach, ASCII sort-order hack, mutable develop source ref).

What changes

Workspace restructure

balancer/
├── kustomization.yaml          NEW — wrapper, resources: [app, cnpg], no namespace
├── app/
│   ├── kustomization.yaml      NEW — namespace: balancer, references mapped base
│   └── manifests/              (mapped from balancer-main base via hologit)
└── cnpg/
    ├── kustomization.yaml      NEW — no namespace
    └── database.yaml           NEW — Database CR in cloudnative-pg namespace

Why this layout

  • Single hololens — no balancer-cnpg.toml, no sort-order tricks
  • Database CR co-located with the rest of balancer config, but its metadata.namespace: cloudnative-pg carries through. The cnpg sub-kustomization sets no namespace; k8s-normalize routes by resource at deploy time.
  • No upstream balancer-main#507 dependency — the sandbox overlay (hostname, image tag, db hookup) lives in this repo where it belongs
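The layout described above, written out as example manifests. These are added here for illustration and are not the PR's own files: the contents of each kustomization, the Cluster CR name shared-cluster and the owner role name balancer are assumptions (the page only names the shared-cluster-rw Service and the managed.roles[balancer] entry).

```yaml
# balancer/kustomization.yaml  (example) -- wrapper; deliberately sets no namespace,
# because kustomize's `namespace:` would rewrite metadata.namespace on every
# namespaced resource it emits, including the Database CR under cnpg/.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - app
  - cnpg
---
# balancer/app/kustomization.yaml  (example) -- everything from the mapped base
# is forced into the balancer namespace; the Namespace object is cluster-scoped
# and is left untouched by the namespace transformer.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: balancer
resources:
  - manifests/namespace.yaml
  - manifests/deployment.yaml
  - manifests/service.yaml
---
# balancer/cnpg/kustomization.yaml  (example) -- no `namespace:` here either,
# so database.yaml keeps the namespace it declares.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - database.yaml
---
# balancer/cnpg/database.yaml  (example) -- a Database CR must live in the same
# namespace as the Cluster it targets; k8s-normalize routes it there at deploy time.
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
  name: balancer
  namespace: cloudnative-pg
spec:
  name: balancer              # database name inside the shared cluster
  owner: balancer             # assumed: the role managed via managed.roles[balancer]
  cluster:
    name: shared-cluster      # assumed Cluster CR name, inferred from shared-cluster-rw
```

A quick check before merging a layout like this is `kustomize build balancer | grep -n 'namespace:'`: every app resource should show `balancer`, and the Database CR should still show `cloudnative-pg`. If an intermediate kustomization ever gains a `namespace:` field, the Database CR silently moves with it and CNPG will never reconcile it.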

Hologit

  • Source bumped v1.1.3 → v1.1.5 (latest balancer-main release)
  • Mapping moved to .holo/branches/k8s-manifests/balancer/app/manifests.toml (was .../balancer/manifests.toml)
  • Mapping files filter explicitly enumerates namespace.yaml, deployment.yaml, service.yaml — drops the upstream ingress.yaml (replaced by _gateways/balancer.yaml) and the upstream kustomization.yaml (we compose our own)

Gateway + HTTPRoute

Adds _gateways/balancer.yaml matching the per-app pattern from PR #152:

  • Per-app Gateway/balancer with HTTPS listener on balancer.sandbox.k8s.phl.io
  • HTTPRoute/balancer with parentRef only to the per-app Gateway (HTTP redirects globally via _infra/envoy-gateway/http-redirect.yaml from PR #154, feat(gateway-tls): force HTTP→HTTPS via global redirect HTTPRoute)
  • cert-manager.io/cluster-issuer: letsencrypt-prod annotation → auto-issues balancer-gw-tls

Hostname matches what balancer-main/deploy/manifests/balancer/base/secret.template.yaml documents (REACT_APP_API_BASE_URL: https://balancer.sandbox.k8s.phl.io/) and aligns with the other sandbox apps.
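An example of what a per-app Gateway plus HTTPRoute of this shape looks like. This is an illustration added here, not the PR's _gateways/balancer.yaml; the gatewayClassName (eg), the backend Service name and port, and the allowedRoutes setting are assumptions not stated on the page.

```yaml
# _gateways/balancer.yaml  (example) -- per-app Gateway with a single HTTPS listener
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: balancer
  namespace: balancer
  annotations:
    # cert-manager's Gateway API support watches this annotation and issues the
    # certificate into the Secret named in the listener's certificateRefs.
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  gatewayClassName: eg        # assumed Envoy Gateway class name; confirm with `kubectl get gatewayclass`
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: balancer.sandbox.k8s.phl.io
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: balancer-gw-tls   # created by cert-manager from the annotation above
      allowedRoutes:
        namespaces:
          from: Same          # only HTTPRoutes in the balancer namespace may attach
---
# HTTPRoute attaches only to the per-app Gateway; plain-HTTP redirects are handled
# by the global redirect HTTPRoute, so no second parentRef is needed here.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: balancer
  namespace: balancer
spec:
  parentRefs:
    - name: balancer
  hostnames:
    - balancer.sandbox.k8s.phl.io
  rules:
    - backendRefs:
        - name: balancer      # assumed: the Service name from the mapped service.yaml
          port: 80            # assumed: the Service port
```

Two things worth verifying after apply: `kubectl get gateway -n balancer balancer` should report the listener as Programmed with the certificate resolved, and the Secret balancer-gw-tls should exist in the balancer namespace. The `allowedRoutes.namespaces.from: Same` setting keeps the listener from accepting routes from other namespaces; the Gateway API default allows routes from the Gateway's own namespace too, so this is explicit rather than stricter, but it documents the intent.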

Diff vs deployed

A balancer/Gateway/balancer.yaml      (NEW)
A balancer/HTTPRoute/balancer.yaml    (NEW)
A cloudnative-pg/Database/balancer.yaml  (NEW)

Existing balancer Deployment, Service, Namespace, SealedSecret stay identical (same upstream content). No drift.

Not in this PR (follow-ups)

  1. balancer-db-credentials SealedSecret — the shared-cluster already has a managed.roles[balancer] entry pointing at this Secret name in cloudnative-pg namespace, but the Secret doesn't exist yet. cnpg has reconciled the role with an empty password. Needs a SealedSecret with a generated password.
  2. Database cutover — balancer's balancer-config SealedSecret currently points SQL_HOST at an external RDS instance (balancer-jj.cab6cwkqwif9.us-east-1.rds.amazonaws.com). Migration to shared-cluster-rw.cloudnative-pg.svc.cluster.local requires data migration + coordinated SealedSecret update. This PR adds the empty target database; the cutover happens later.
  3. CORS / app config ConfigMap — PR #143 (feat(balancer): integrate sandbox overlay with CNPG + Gateway API + CORS) was also adding a balancer-db-config ConfigMap and CORS env vars. Deferred to a follow-up after the DB cutover when the actual settings firm up.
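For follow-up 1, the plaintext Secret that CNPG's managed.roles entry expects, shown beside the Cluster fragment that references it. This is an added example, not content of the PR: the Cluster CR name and file path are assumptions, and the password value is a placeholder to be replaced by a generated one before sealing. CNPG expects the password Secret to be of type kubernetes.io/basic-auth with username and password keys.

```yaml
# plaintext input to kubeseal (example) -- never committed; only the SealedSecret
# produced by `kubeseal --format yaml < secret.yaml > sealedsecret.yaml` is checked in.
apiVersion: v1
kind: Secret
metadata:
  name: balancer-db-credentials
  namespace: cloudnative-pg       # must match the Cluster's namespace and the managed.roles reference
type: kubernetes.io/basic-auth
stringData:
  username: balancer
  password: REPLACE-WITH-GENERATED-PASSWORD   # placeholder; generate, e.g. 32+ random characters
---
# fragment of the shared-cluster Cluster CR (example; name and path assumed)
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: shared-cluster
  namespace: cloudnative-pg
spec:
  managed:
    roles:
      - name: balancer
        ensure: present
        login: true               # managed roles default to login: false
        passwordSecret:
          name: balancer-db-credentials
```

Until the sealed Secret exists, CNPG reconciles the role with no password, which is the state the follow-up describes; once the SealedSecret is unsealed the operator re-reconciles the role and sets the password from it, and the same username/password pair can then be referenced by the balancer app's balancer-config at cutover time.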

🤖 Generated with Claude Code

Restructures balancer to the design we settled on before the
Envoy/Gateway migration:

  balancer/
    kustomization.yaml         — wrapper, resources: [app, cnpg]
    app/
      kustomization.yaml       — namespace: balancer, references mapped base
      manifests/               — mapped from balancer-main base via hologit
    cnpg/
      kustomization.yaml       — no namespace
      database.yaml            — Database CR in cloudnative-pg namespace

Why this layout:
  - Single hololens (no `balancer-cnpg.toml`)
  - `Database` CR lives next to the balancer config in this repo but
    cnpg requires it to live in the cluster's namespace (cloudnative-pg).
    The cnpg sub-kustomization sets no namespace; database.yaml carries
    its own; k8s-normalize routes by resource at deploy time.
  - Replaces and supersedes PR #143 (TineoC's two-lens approach with the
    sort-order hack and mutable `develop` source ref).

Holosource bumped v1.1.3 → v1.1.5 (latest balancer-main release).
Holomapping filters out `ingress.yaml` (replaced by `_gateways/balancer.yaml`)
and the upstream `kustomization.yaml` (we compose our own).

Also adds `_gateways/balancer.yaml`: per-app Gateway + HTTPRoute on
`balancer.sandbox.k8s.phl.io`. Hostname matches what `secret.template.yaml`
documents and aligns with the per-app pattern used by the other sandbox
apps post-PR-#152.

Database resource will be applied but only fully usable after the
`balancer-db-credentials` SealedSecret is created in the cloudnative-pg
namespace and the balancer app's `balancer-config` is updated to point
SQL_HOST at `shared-cluster-rw.cloudnative-pg.svc.cluster.local` with
the new credentials. That cutover (data migration from the current RDS
host) is a separate follow-up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>