
api: add CSRF origin validation to SecurityPolicy #8836

Open
albsga4 wants to merge 1 commit into envoyproxy:main from albsga4:feat/securitypolicy-csrf-filter

@albsga4 albsga4 commented Apr 23, 2026

What type of PR is this?

api: add csrf field to SecurityPolicy

What this PR does / why we need it:

Envoy has a built-in envoy.filters.http.csrf filter that validates the Origin header against allowed origins on mutating requests (POST, PUT, DELETE, PATCH). Currently there's no way to configure this through Envoy Gateway without EnvoyPatchPolicy.

This PR adds native CSRF support following the exact same pattern as CORS:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: my-route
  csrf:
    additionalOrigins:
      - type: Suffix
        value: example.com

Implementation:

Follows the CORS pattern exactly:

  • API: SecurityPolicy.csrf with additionalOrigins []StringMatch (reuses existing StringMatch type)
  • IR: CSRF struct in SecurityFeatures with AdditionalOrigins []*StringMatch
  • Gateway API translation: buildCSRF() using irStringMatch() helper (same as CORS)
  • xDS: New csrf.go implementing httpFilter interface:
    • patchHCM: adds CSRF filter to listener disabled by default (0%)
    • patchRoute: enables CSRF per-route via typed_per_filter_config (100%)
    • patchResources: no-op

Behavior:

  • CSRF only checks mutating methods (POST, PUT, DELETE, PATCH) — GET/HEAD always pass
  • Origin is matched against the request destination AND any additionalOrigins
  • Missing Origin header on mutating requests → 403
  • Non-matching Origin → 403
  • Supports Exact, Prefix, Suffix, and RegularExpression matching

Changes:

  • api/v1alpha1/csrf_types.go (new) — CSRF API type
  • api/v1alpha1/securitypolicy_types.go — add CSRF *CSRF field
  • internal/ir/xds.go — CSRF IR struct in SecurityFeatures
  • internal/gatewayapi/securitypolicy.go — buildCSRF(), translation for route and gateway targets, TCP validation
  • internal/xds/translator/csrf.go (new) — httpFilter implementation
  • CRDs regenerated, deepcopy generated, API reference updated
  • Golden test: securitypolicy-with-csrf
  • Doc: site/content/en/latest/tasks/security/csrf.md
  • Release notes updated

Which issue(s) this PR fixes:

Fixes #8835

Release Notes: Yes

/cc @arkodg

@albsga4 albsga4 requested a review from a team as a code owner April 23, 2026 15:47
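
The behaviour rules listed in the PR description, modelled in Go as an added example (not code from this PR or from Envoy). It assumes matching is done on the host[:port] part of Origin and that RegularExpression is a full match; `Match`, `Decide`, `Loose`, `Strict` and the host names are made up for illustration. It shows that the `Suffix: example.com` value from the YAML also admits a host such as `notexample.com`, while an Exact apex plus a dot-prefixed Suffix does not.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Match mirrors the four StringMatch types listed in the PR description.
type Match struct{ Type, Value string }
var mutating = map[string]bool{"POST": true, "PUT": true, "DELETE": true, "PATCH": true}
var Loose = []Match{{"Suffix", "example.com"}} // value from the PR's YAML
var Strict = []Match{{"Exact", "example.com"}, {"Suffix", ".example.com"}}

func (m Match) ok(host string) bool {
	switch m.Type {
	case "Exact":
		return host == m.Value
	case "Prefix":
		return strings.HasPrefix(host, m.Value)
	case "Suffix":
		return strings.HasSuffix(host, m.Value)
	case "RegularExpression": // assumption: the pattern must match the whole host
		hit, err := regexp.MatchString("^(?:"+m.Value+")$", host)
		return err == nil && hit
	}
	return false
}

// Decide returns the status the described behaviour implies for one request.
func Decide(method, origin, destHost string, extra []Match) int {
	if !mutating[method] {
		return 200 // GET/HEAD and other non-mutating methods are not checked
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return 403 // missing or unparsable Origin
	}
	for _, m := range append([]Match{{"Exact", destHost}}, extra...) {
		if m.ok(u.Host) {
			return 200
		}
	}
	return 403
}

func main() {
	fmt.Println(Decide("POST", "https://notexample.com", "api.internal", Loose), Decide("POST", "https://notexample.com", "api.internal", Strict))
}
```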

netlify Bot commented Apr 23, 2026

Deploy Preview for cerulean-figolla-1f9435 ready!

Name Link
🔨 Latest commit d7ee907
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/69ef755cda0cd700083d821b
😎 Deploy Preview https://deploy-preview-8836--cerulean-figolla-1f9435.netlify.app


codecov Bot commented Apr 26, 2026

Codecov Report

❌ Patch coverage is 73.11828% with 25 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.40%. Comparing base (8570285) to head (d7ee907).

| Files with missing lines | Patch % | Lines |
| internal/xds/translator/csrf.go | 69.73% | 12 Missing and 11 partials ⚠️ |
| internal/gatewayapi/securitypolicy.go | 86.66% | 1 Missing and 1 partial ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8836      +/-   ##
==========================================
+ Coverage   74.36%   74.40%   +0.03%     
==========================================
  Files         246      247       +1     
  Lines       39292    39382      +90     
==========================================
+ Hits        29221    29301      +80     
- Misses       8041     8042       +1     
- Partials     2030     2039       +9     


@albsga4 albsga4 force-pushed the feat/securitypolicy-csrf-filter branch from f6609d8 to eb1feaf Compare April 26, 2026 18:17
Add native CSRF protection to SecurityPolicy following the CORS pattern.
The CSRF filter validates the Origin header on mutating requests (POST,
PUT, DELETE, PATCH) against the destination and additional allowed origins.

API: SecurityPolicy.csrf with additionalOrigins []StringMatch
IR: CSRF struct in SecurityFeatures
xDS: csrf.go implementing httpFilter interface (disabled at HCM 0%,
enabled per-route 100%)

Fixes envoyproxy#8835

Signed-off-by: asalvador <asalvador@newrelic.com>
@albsga4 albsga4 force-pushed the feat/securitypolicy-csrf-filter branch from eb1feaf to d7ee907 Compare April 27, 2026 14:40