Replace grand-central Ingress with HTTPRoute and Traefik Middlewares

[tomach]

Summary of changes

Extends the existing exposure field support to grand-central. When spec.cluster.exposure: traefik, grand-central is now exposed through the Gateway API (HTTPRoute) and three Traefik Middlewares instead of an nginx Ingress. The default loadbalancer path is unchanged.

• grand-central.py adds builders for HTTPRoute, compress-js, buffering, and ip-allowlist Middlewares; adds create_grand_central_exposure (routing resources only, no deployment/service) and delete helpers for both paths
• exposure.py - ChangeExposureSubHandler now also switches grand-central resources when the exposure field changes
• operations.py - suspend_or_start_grand_central deletes routing resources on suspend and recreates them on resume, respecting the active exposure mode
• handle_update_allowed_cidrs.py patches the ip-allowlist Middleware instead of the Ingress annotation when exposure=traefik
• RBAC - adds permissions for gateway.networking.k8s.io/httproutes and traefik.io/middlewares

Checklist

• Link to issue this PR refers to: https://github.com/crate/cloud/issues/2905
• Relevant changes are reflected in CHANGES.rst
• Added or changed code is covered by tests
• Documentation has been updated if necessary
• Changed code does not contain any breaking changes (or this is a major version change)

[goat-ssh]

Caught some errors on dev on /auth and /health endpoints:

The 'Access-Control-Allow-Origin' header contains multiple values 
'https://console.cratedb-dev.cloud,http://localhost:8000', but only one is allowed.

According to the W3C and MDN web specs, the Access-Control-Allow-Origin header can only contain a single origin, the wildcard *, or null. It cannot accept a comma-separated list of multiple origins. When you pass a list, browsers reject it as an invalid value, causing the CORS block.