feat: add HTTPS support via Gateway sectionName #68

Closed
bdchatham wants to merge 1 commit into main from feat/https-gateway-section-name

@bdchatham
Collaborator

Summary

Add SEI_GATEWAY_SECTION_NAME platform env var so HTTPRoute parentRefs can target a specific Gateway listener (e.g., the HTTPS listener).

How It Works

In the Gateway API model, TLS termination is configured on the Gateway resource's listeners, not on HTTPRoutes. An HTTPRoute attaches to a listener via parentRef.sectionName. When SEI_GATEWAY_SECTION_NAME is set (e.g., "https"), all generated HTTPRoutes include this in their parentRef, directing traffic through the HTTPS listener.

Gateway (platform-managed)
  listener "http"  → port 80
  listener "https" → port 443, TLS cert

HTTPRoute (controller-managed)
  parentRef: {name: sei-gateway, namespace: istio-system, sectionName: "https"}
  → attaches only to the HTTPS listener

Changes

  • internal/platform/platform.go — add GatewaySectionName field (optional, not in Validate())
  • cmd/main.go — read SEI_GATEWAY_SECTION_NAME env var
  • internal/controller/nodedeployment/controller.go — add field to reconciler struct
  • internal/controller/nodedeployment/networking.go — pass sectionName through to generateHTTPRoute, conditionally include in parentRef
  • Tests: sectionName included when set, omitted when empty

No CRD changes. TLS is the Gateway's responsibility.

Test plan

  • make test passes
  • make lint passes (0 issues)
  • Verify HTTPRoute includes sectionName when SEI_GATEWAY_SECTION_NAME=https
  • Verify HTTPRoute omits sectionName when env var is empty

🤖 Generated with Claude Code

Add SEI_GATEWAY_SECTION_NAME platform env var that targets a specific
Gateway listener (e.g. "https") in HTTPRoute parentRefs. When set,
all generated HTTPRoutes include sectionName in their parentRef,
directing traffic through the HTTPS listener on the shared Gateway.

When empty (default), no sectionName is set and routes attach to all
compatible listeners — preserving backward compatibility.

No CRD changes — TLS is the Gateway's responsibility, not the
per-deployment configuration.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
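
The attachment behaviour described above, as an added example that is not code from this pull request or the project: it models which listeners a route binds to for an empty, a matching, and a mistyped sectionName. The types, `buildParentRef` and `attach` are hypothetical stand-ins for the Gateway API types and the controller's code, the listener data is constructed from the sketch in the description, and hostname and allowedRoutes matching are left out.

```go
package main

import "fmt"

// Listener and ParentRef are simplified stand-ins for the Gateway API types
// (assumption: only the fields this example needs).
type Listener struct{ Name, Protocol string }

type ParentRef struct {
	Name, Namespace string
	SectionName     *string // nil: attach to every compatible listener
}

// buildParentRef (hypothetical helper) sets sectionName only when configured.
func buildParentRef(name, namespace, section string) ParentRef {
	ref := ParentRef{Name: name, Namespace: namespace}
	if section != "" {
		ref.SectionName = &section
	}
	return ref
}

// attach returns the listener names a route with this parentRef binds to and
// whether any of them serves plaintext HTTP.
func attach(ref ParentRef, listeners []Listener) (names []string, plaintext bool) {
	for _, l := range listeners {
		if ref.SectionName == nil || *ref.SectionName == l.Name {
			names = append(names, l.Name)
			plaintext = plaintext || l.Protocol == "HTTP"
		}
	}
	return names, plaintext
}

// sampleGateway is constructed to match the two listeners sketched in the PR.
var sampleGateway = []Listener{{"http", "HTTP"}, {"https", "HTTPS"}}

func main() {
	for _, s := range []string{"", "https", "htps"} {
		names, plain := attach(buildParentRef("sei-gateway", "istio-system", s), sampleGateway)
		fmt.Printf("sectionName=%q attached=%v plaintext=%v\n", s, names, plain)
	}
}
```

With the variable unset the route stays reachable over the plaintext listener, and a value that matches no listener name attaches the route to nothing, so both cases are worth checking at startup or in the test plan.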