feat: migrate ingress from NGINX to Envoy Gateway (#80)

Migrate OLMap backend and frontend from ingress-nginx to Envoy Gateway
(Gateway API).

- Add `gateway.enabled: true` to both `deploy/backend-values.yaml` and
`deploy/frontend-values.yaml`
- Disable explicit ingress resources (chart suppresses them when gateway
is enabled)
- Remove NGINX-specific `configuration-snippet` annotation from frontend

> [!IMPORTANT]
> Before merging, verify the frontend nginx container image handles SPA
routing (`try_files $uri $uri/ /index.html`) internally in its
nginx.conf.

Closes #62

Generated with [Claude Code](https://claude.ai/code)

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Lauri Gates <laurigates@users.noreply.github.com>

Author: laurigates

deploy/backend-values.yaml

@@ -77,9 +77,9 @@ env:
         name: olmap-backend-secrets
         key: DJANGO_SECRET_KEY
   DJANGO_ALLOWED_HOSTS:
-    value: "olmap.dataportal.fi,localhost"
+    value: "olmap-backend.dataportal.fi,localhost"
   DJANGO_CORS_ALLOWED_ORIGINS:
-    value: "https://olmap.dataportal.fi"
+    value: "https://olmap-frontend.dataportal.fi"
   DJANGO_MIGRATE:
     value: "true"
   # Database configuration (Cloud SQL via proxy with IAM auth)
@@ -95,7 +95,7 @@ env:
     value: "olmap-app@fvh-project-containers-etc.iam"
   # Frontend URL for CORS and redirects
   FRONTEND_ROOT:
-    value: "https://olmap.dataportal.fi"
+    value: "https://olmap-frontend.dataportal.fi"
   # Admin email
   ADMIN_EMAIL:
     value: "admin@forumvirium.fi"
@@ -125,29 +125,15 @@ service:
   port: 80
   targetPort: 8000
 
-# Ingress configuration - API endpoint (same domain as frontend, path-based routing)
-ingress:
+# Gateway API configuration (Envoy Gateway)
+# Replaces ingress-nginx; creates HTTPRoute pointing to shared dataportal-gateway
+# Hostname auto-generated as olmap-backend.dataportal.fi from release name
+gateway:
   enabled: true
-  className: nginx
-  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-  hosts:
-  - host: olmap.dataportal.fi
-    paths:
-    - path: /api
-      pathType: Prefix
-    - path: /admin
-      pathType: Prefix
-    - path: /static
-      pathType: Prefix
-    - path: /rest-auth
-      pathType: Prefix
-    - path: /accounts
-      pathType: Prefix
-  tls:
-  - hosts:
-    - olmap.dataportal.fi
-    secretName: olmap-backend-tls  # pragma: allowlist secret
+
+# Ingress configuration - disabled in favour of Gateway API above
+ingress:
+  enabled: false
 
 # Health checks for Django
 livenessProbe:

deploy/frontend-values.yaml

@@ -37,26 +37,17 @@ service:
   port: 80
   targetPort: 80
 
-# Ingress configuration - serves the SPA, proxies /api to backend
-ingress:
+# Gateway API configuration (Envoy Gateway)
+# Replaces ingress-nginx; creates HTTPRoute pointing to shared dataportal-gateway
+# Hostname auto-generated as olmap-frontend.dataportal.fi from release name
+# Note: SPA catch-all routing (try_files $uri $uri/ /index.html) must be handled
+# by the nginx container's own nginx.conf - it cannot be delegated to the gateway.
+gateway:
   enabled: true
-  className: nginx
-  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    # SPA catch-all routing - serve index.html for non-file paths
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-      location ~* ^/(?!api|admin|static|rest-auth|accounts|health).*$ {
-        try_files $uri $uri/ /index.html;
-      }
-  hosts:
-  - host: olmap.dataportal.fi
-    paths:
-    - path: /
-      pathType: Prefix
-  tls:
-  - hosts:
-    - olmap.dataportal.fi
-    secretName: olmap-frontend-tls # pragma: allowlist secret
+
+# Ingress configuration - disabled in favour of Gateway API above
+ingress:
+  enabled: false
 
 # Health check for nginx
 livenessProbe: