Fix #8491: Add AuthenticationMode Any/All for multi-auth OR semantics#8653

Open
stbattula-research wants to merge 1 commit into envoyproxy:main from stbattula-research:feat/authentication-mode-any-or-semantics

@stbattula-research stbattula-research commented Apr 2, 2026

What type of PR is this?

feat(api) — Add AuthenticationMode (Any/All) for multi-auth OR semantics

What this PR does / why we need it

When a SecurityPolicy configures both JWT and BasicAuth, the BasicAuth filter (order 7) rejects all Bearer token requests before JWT (order 9) can evaluate them. Valid JWT requests get 401 when BasicAuth is also configured.

This PR adds an authMode field (All/Any) to SecurityPolicySpec. When set to Any, the gateway sets AllowMissing=true on each auth filter and emits a composite RBAC CEL expression so at least one method must succeed.

| Credentials | Before | After |
|---|---|---|
| Valid Bearer token only | ❌ 401 | ✅ 200 |
| Valid Basic creds only | ❌ 401 | ✅ 200 |
| Both valid | ✅ 200 | ✅ 200 |
| Neither | ❌ 401 | ❌ 401 |

Files changed

  • api/v1alpha1/authentication_types.go — New AuthenticationMode type with kubebuilder markers
  • internal/gatewayapi/securitypolicy_authmode.go — applyAuthMode helper
  • internal/gatewayapi/securitypolicy_authmode_test.go — 10 unit tests

Which issue(s) this PR fixes

Fixes #8491

Release Notes

Yes
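
The before/after behaviour in the PR description above, modelled as an added Go example; it is not code from the PR or from Envoy Gateway. `Cred`, `Request`, `chain` and `Evaluate` are hypothetical names, and rejecting a presented but invalid credential under Any is an assumption of this model.

```go
package main

import "fmt"

// Cred is the state of one credential on a request (constructed model).
type Cred int

const (
	Missing Cred = iota
	Invalid
	Valid
)

// Request records what the client sent for each method.
type Request struct{ Basic, JWT Cred }

// chain: hypothetical filter stand-ins, ordered BasicAuth (7) then JWT (9).
var chain = []func(Request) Cred{
	func(r Request) Cred { return r.Basic },
	func(r Request) Cred { return r.JWT },
}

// Evaluate returns the HTTP status under mode "All" or "Any".
func Evaluate(mode string, r Request) int {
	succeeded := 0
	for _, cred := range chain {
		switch c := cred(r); {
		case c == Valid:
			succeeded++
		case c == Missing && mode == "Any":
			// AllowMissing=true: pass the request on unauthenticated.
		default:
			// All: a missing or invalid credential rejects at this filter.
			// Any: model assumption, a presented but invalid credential
			// is rejected rather than skipped.
			return 401
		}
	}
	// Composite check (the RBAC expression's role): one method must succeed.
	if succeeded == 0 {
		return 401
	}
	return 200
}

func main() {
	bearerOnly := Request{Basic: Missing, JWT: Valid}
	fmt.Println(Evaluate("All", bearerOnly), Evaluate("Any", bearerOnly))
}
```

The final `succeeded == 0` check is what keeps Any from becoming "no authentication required" once every filter tolerates a missing credential.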

@stbattula-research stbattula-research requested a review from a team as a code owner April 2, 2026 03:47

netlify Bot commented Apr 2, 2026

Deploy Preview for cerulean-figolla-1f9435 canceled.

Name Link
🔨 Latest commit 07dbc3f
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/69cde6c8198a11000871c725

@arkodg arkodg requested a review from zhaohuabing April 6, 2026 03:15

Development

Successfully merging this pull request may close these issues.

SecurityPolicy: JWT Bearer requests rejected by BasicAuth filter when both are configured (no OR semantics)