feat: routing.filters pass-through, host-scoped WebOrigins, unified route builders

[viniciusdc]

Summary

PR 2 of the routing/SecurityPolicy consolidation (#139). Unifies the protected and public HTTPRoute builders onto a shared path, then builds the additive changes on top so they land in one place for both routes.

Refactor first

buildHTTPRoute/buildPublicHTTPRoute and their rule construction were ~95% duplicated. Extracted three shared helpers in routing/httproute.go:

• resolveListenerSection — TLS listener/section resolution (was copy-pasted in both builders)
• buildRouteMatches — path-match construction, parameterized by the default pathType so the main route stays PathPrefix and public routes stay Exact
• buildRouteRule — a single rule with backend refs + filters, used by both routes

routing.filters pass-through (closes #137)

• New RoutingConfig.Filters []gatewayv1.HTTPRouteFilter, appended in order to the rule of both the protected and public HTTPRoute via buildRouteRule. The operator does not interpret, reorder, or strip them — same escape-hatch contract as the existing Annotations field.
• Motivation: a deployer can fix gateway-side header issues (e.g. an upstream's invalid Allow-Credentials: true + Allow-Origin: * combo) without forking the operator or rebuilding the backend image. The originating backend bug was fixed upstream in https://redirect.github.com/nebari-dev/nebi/pull/385; this field is the general escape hatch for the next one.
• The curated routing.cors half of the original Routing: expose HTTPRouteFilter pass-through on generated HTTPRoutes #137 was split to Routing: curated CORS block on the generated SecurityPolicy #138 and is not in this PR.

Host-scoped Keycloak WebOrigins (closes #37)

• Replaced the wildcard WebOrigins: ["*"] with the NebariApp hostname (both schemes) on all four client paths — main client create/update and SPA client create/update — via a buildWebOrigins helper mirroring buildRedirectURLs. Keeps the OIDC client to least privilege for CORS to the token endpoint.

publicRoutes vs enforceAtGateway docs (partial #118)

• Cross-referenced the two fields in the CRD field comments and routing.md, calling out that publicRoutes carves out a subset of paths and is not the way to disable auth for the whole app (use enforceAtGateway: false).
• The reconciler/admission overlap guard from NebariApp: publicRoutes + default enforceAtGateway produces two competing HTTPRoutes for the same path #118 is intentionally deferred. Tracing it showed Gateway API precedence (Exact > longer-prefix > shorter-prefix) makes most "overlaps" the intended behavior (the Pattern A use of publicRoutes), so a CEL/webhook guard risks rejecting valid configs. The guard needs a precedence-aware design pass; NebariApp: publicRoutes + default enforceAtGateway produces two competing HTTPRoutes for the same path #118 stays open for it. The docs (the issue's "at minimum") land here.

Generated

• zz_generated.deepcopy.go, the CRD, and docs/api-reference.md regenerated. The CRD grows substantially because the filters field inlines the full upstream HTTPRouteFilter schema — expected for a pass-through.

Test plan

• go build ./..., go vet ./..., gofmt -l clean.
• go test across all unit packages (excl. e2e) passes, including:
  • TestUserFiltersPropagateToRoutes — filters appear, in order, on both the protected and public route
  • TestUserFiltersAbsentWhenUnset — no filters when unconfigured
  • TestKeycloakProvider_BuildWebOrigins — host-scoped, no wildcard
• The internal/controller envtest suite fails locally on a pre-existing scheme-registration gap (also fails on clean main; needs make test's CRD setup) — unrelated to this change.