feat(gateway-api): support TLSRoute

[AlinsRan]

Type of change:

• Bugfix
• New feature provided
• Improve performance
• Backport patches
• Documentation
• Refactor
• Chore
• CI/CD or Tests

What this PR does / why we need it:

Implement TLSRoute.

⚠️ Limitation: TLS Passthrough is not supported in APISIX

According to the Gateway API specification, tls.mode: Passthrough means the gateway does not participate in the TLS handshake or decryption, simply forwarding encrypted traffic to the backend.

However, in APISIX, SNI-based routing depends on ssl objects (which require certificate loading).
Once an SSL object is involved, APISIX must terminate or participate in the TLS handshake.

Therefore, in the current implementation, APISIX rejects configurations with tls.mode: Passthrough.

Pre-submission checklist:

• Did you explain what problem does this PR solve? Or what new features have been added?
• Have you added corresponding test cases?
• Have you modified the corresponding document?
• Is this PR backward compatible? If it is not backward compatible, please discuss on the mailing list first

[Copilot]

Pull Request Overview

This PR implements TLSRoute support for the Gateway API in APISIX Ingress Controller. The implementation adds full TLSRoute resource handling including controller reconciliation, translation to APISIX configuration, and test infrastructure, but does not support TLS passthrough mode due to APISIX limitations.

Key changes:

• Added TLSRouteReconciler controller with complete lifecycle management
• Implemented TLSRoute to APISIX stream route translation logic
• Extended test infrastructure with TLS proxy support and conformance testing

Reviewed Changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
test/e2e/scaffold/scaffold.go	Added TLS tunnel support for E2E testing
test/e2e/gatewayapi/tlsroute.go	Added comprehensive TLSRoute E2E test cases
test/e2e/framework/manifests/ingress.yaml	Updated RBAC permissions for TLSRoute resources
test/e2e/framework/manifests/apisix.yaml	Added TLS port configuration to APISIX deployment
test/e2e/framework/manifests/apisix-standalone.yaml	Added TLS port configuration to standalone APISIX
test/conformance/conformance_test.go	Added TLS conformance testing with passthrough limitation
internal/types/k8s.go	Added TLSRoute type definitions and mappings
internal/provider/apisix/provider.go	Integrated TLSRoute translation into provider
internal/manager/controllers.go	Registered TLSRouteReconciler controller
internal/controller/utils.go	Added TLSRoute hostname and protocol matching logic
internal/controller/tlsroute_controller..go	Implemented complete TLSRoute controller
internal/controller/indexer/tlsroute.go	Added TLSRoute indexing for efficient queries
internal/controller/indexer/indexer.go	Registered TLSRoute indexer setup
internal/adc/translator/tlsroute.go	Implemented TLSRoute to APISIX stream route translation
docs/en/latest/concepts/gateway-api.md	Updated documentation to reflect TLSRoute support
config/rbac/role.yaml	Added TLSRoute RBAC permissions
api/v2/shared_types.go	Added TLS scheme constant
Makefile	Added TLS conformance profile to testing

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[ronething]

others lgtm.