Add API gateway + SSO authentication layer in front of public endpoints #3

@nbrieussel

Description

Goal

Put an authenticating API gateway in front of publicly-exposed services (Grafana, demo apps, future apps) so that:

  • Public endpoints are protected by auth before the app is reached
  • Apps inherit the login automatically (single sign-on, no per-app login)
  • SSO is backed by GitHub and Google identity providers (single user for now, but built for multi-user)

Public exposure of endpoints is desired; the supporting infra cost (LoadBalancer, DNS, certs) is accepted.

Scope / things to figure out

  • Gateway / ingress: API Gateway (Gateway API) vs ingress-nginx + external-auth. Likely adopt the Gateway API on the scaleway cluster with a Scaleway LoadBalancer.
  • Auth layer: an identity-aware proxy / forward-auth (e.g. oauth2-proxy, Authelia, or Pomerium) wired to the gateway, handling GitHub + Google OIDC.
  • SSO propagation: forward identity headers to upstreams so apps trust the gateway-provided identity (Grafana auth.proxy / generic OAuth, etc.).
  • DNS + TLS: a domain pointing at the LB IP, cert-manager + Let's Encrypt.
  • GitOps wiring: add the gateway + auth proxy as platform tools under platform/scaleway/, secrets via the existing secret-management approach.

Out of scope (already done / separate)

  • The scaleway (staging) environment scaffolding and a working Grafana (validated via port-forward, no public exposure yet). This issue is specifically the public-exposure + auth layer that comes on top.

Acceptance criteria

  • Hitting a public service URL redirects to GitHub/Google login when unauthenticated.
  • After login, the user reaches the app and is recognised (e.g. logged into Grafana as the SSO identity) without a second login.
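As an added example (not code from this issue or the repository), the following Python models the SSO-propagation step described above: the gateway strips any client-supplied identity headers before setting them from the validated session, and the upstream, in the manner of Grafana's auth.proxy whitelist, trusts those headers only when the request arrives from the gateway's address. The header names, the gateway address and the session shape are assumptions.

```python
"""
Added example (not from the issue): the two checks that keep gateway-provided
identity headers from being spoofed. Header names, gateway IP and session
fields are assumptions, not values from the project.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Identity headers the gateway sets for upstreams (oauth2-proxy-style names, assumed).
IDENTITY_HEADERS = ("X-Forwarded-User", "X-Forwarded-Email", "X-Forwarded-Groups")


@dataclass
class Session:
    """Identity established by the auth proxy after GitHub/Google OIDC login."""
    user: str
    email: str
    groups: List[str] = field(default_factory=list)


def gateway_forward(client_headers: Dict[str, str],
                    session: Optional[Session]) -> Optional[Dict[str, str]]:
    """Gateway side. Returns None when the request is unauthenticated (caller
    redirects to the IdP login). Otherwise drops every identity header the
    client supplied, case-insensitively, then sets them from the session."""
    if session is None:
        return None
    reserved = {h.lower() for h in IDENTITY_HEADERS}
    forwarded = {k: v for k, v in client_headers.items() if k.lower() not in reserved}
    forwarded["X-Forwarded-User"] = session.user
    forwarded["X-Forwarded-Email"] = session.email
    forwarded["X-Forwarded-Groups"] = ",".join(session.groups)
    return forwarded


# Upstream side: like Grafana's auth.proxy whitelist, identity headers are only
# honoured when the peer is the gateway (assumed in-cluster address).
GATEWAY_ALLOWLIST = {"10.0.1.10"}


def upstream_identity(peer_ip: str, headers: Dict[str, str]) -> Optional[str]:
    """Upstream side. Returns the trusted user, or None if the request did not
    come via the gateway or carries no identity header."""
    if peer_ip not in GATEWAY_ALLOWLIST:
        return None
    return headers.get("X-Forwarded-User") or None
```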
