fix(gateway-api): prevent silent Gateway API disable on CRD discovery timeout

[aslafy-z]

Summary

Fixes a race condition in Gateway API CRD discovery where the operator silently disables Gateway API instead of restarting when the API server is unreachable for longer than 30 seconds.

When the retry context expires during a checkCRDs call (as opposed to during bo.Wait), the returned error is a context deadline error that isTransientError does not recognize. The code falls through to the "permanent error" branch, returning {Enabled: false} with no error, silently disabling Gateway API and TLS secret synchronization while the operator continues running. HTTPS traffic through Gateway API fails permanently with no self-healing until manual restart.

Changes

• Add ctx.Err() check before isTransientError in the retry loop to catch context expiry regardless of where it occurs
• Improve bo.Wait timeout path with explicit logging and Health.Stopped() instead of a bare error return
• Extract discoverCRDsWithRetry for testability (accepts a context parameter instead of hardcoding a 30s timeout)
• Add 6 tests covering: success, CRDs not installed, transient retry then success, transient timeout, and the two race condition variants (context cancelled / deadline exceeded)

How it was validated

The new tests for the race condition (_ContextAlreadyCancelled, _ContextDeadlineExceeded) simulate calling discoverCRDsWithRetry with an already-expired context, which is the exact scenario that triggers the bug. Without the ctx.Err() guard, these tests fail because the function returns {Enabled: false} with a nil error instead of a fatal error. The _TransientErrorUntilTimeout test validates that the bo.Wait path also reports the correct health status and wraps the error message. Full go test ./operator/pkg/gateway-api/ suite passes.

Test plan

• TestDiscoverCRDsWithRetry_Success - CRDs found on first try
• TestDiscoverCRDsWithRetry_CRDsNotInstalled - permanent error, graceful disable
• TestDiscoverCRDsWithRetry_TransientErrorThenSuccess - retry recovers
• TestDiscoverCRDsWithRetry_TransientErrorUntilTimeout - timeout via bo.Wait returns fatal error with proper health status
• TestDiscoverCRDsWithRetry_ContextAlreadyCancelled - race condition: pre-cancelled context returns fatal error, not silent disable
• TestDiscoverCRDsWithRetry_ContextDeadlineExceeded - race condition: expired deadline returns fatal error, not silent disable

Fixes: #43130
Relates: #43452

[maintainer-s-little-helper]

Commit 8977bd5 does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[youngnick]

Thanks for this PR @aslafy-z. Could you please clarify if you've used AI assistance with this PR? I find that https://danielmiessler.com/blog/ai-influence-level-ail is a good way to be specific.