Add headersToClient support in SecurityPolicy for ext_authz session cookie extension

[johnbolsonito]

When using external authorization (ext_authz) with custom auth services that manage sessions via cookies, there's currently no way to forward Set-Cookie headers from the auth service back to the client on successful authorization. This prevents implementing session cookie extension/refresh patterns.

The Pattern is Valid:
Raw Envoy supports it (allowed_client_headers_on_success)
Istio supports it (headersToDownstreamOnAllow)

Proposed Solution:
Add a headersToClient field to SecurityPolicy's extAuth configuration:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: auth-with-sessions
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: my-route
  extAuth:
    http:
      backendRefs:
        - name: auth-service
          port: 8080
      headersToExtAuth:
        - cookie
      headersToBackend:
        - x-user-id
        - x-user-email
      headersToClient:           # ← NEW FIELD
        - set-cookie             # Forward session cookies to client