feat(kubernetes): support HA gateway rebalancing

[TaylorMutch]

Summary

Adds HA gateway rebalancing support for Kubernetes deployments so client and supervisor traffic can survive gateway replica scale-up, scale-down, and pod rotation.

This PR targets main directly and currently includes the reconciler lease commit from #1577. Review focus should be ad9f04d7 unless #1577 lands first.

Related Issue

Closes #1021

Related: #1012, #1429, #1577, #1731, #1488

Changes

• Adds gateway peer authentication and peer routing for HA supervisor relay handoff.
• Adds Kubernetes compute lease/reconciler ownership behavior for multi-replica gateways.
• Adds Helm peer Service/RBAC rendering and Skaffold HA/Envoy dev profile support.
• Adds Kubernetes HA rebalancing e2e coverage and removes the noisy readyz e2e smoke.
• Updates architecture and local cluster/debug skills for HA gateway development.

Testing

• mise run pre-commit passes
• Local Kubernetes HA validation with Envoy Gateway, external PostgreSQL, and gateway scale/rotation was exercised during development
• GitHub test:e2e-kubernetes label should run the Kubernetes HA E2E job

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)

[github-actions]

Label test:e2e-kubernetes applied for ad9f04d. Open the existing run and click Re-run all jobs to execute with the label set. The run will execute Kubernetes HA E2E after building the required gateway and supervisor images once. This is an optional proof-of-life suite; failures are visible in the workflow run but do not publish a required CI gate status.

[elezar]

When reading the docs initially, it was not clear that ha-envoy included the high-availability profile? Could we call this out explicitly (perhaps renaming the profile), or make it so that these are composable?