Replace LB with Traefik ingress for TLS + basic auth

- Remove m3coordinator LoadBalancer service (was using deprecated AutoSSL)
- Add Traefik ingress controller with Let's Encrypt ACME
- Add basic auth middleware for external access
- Update test scripts with auth support and fixed protobuf encoding
- Add multi-tenancy documentation (label-based isolation)
- Update README with Traefik deployment instructions

09-m3coordinator-ingressroute.yaml

@@ -0,0 +1,59 @@
+##############################################################################
+# M3 Coordinator IngressRoute
+# Traefik handles TLS termination + basic auth
+# External: https://m3db.vultrlabs.dev → Traefik → m3coordinator:7201
+##############################################################################
+
+---
+# HTTP redirect to HTTPS
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: m3coordinator-redirect
+  namespace: m3db
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`m3db.vultrlabs.dev`)
+      kind: Rule
+      middlewares:
+        - name: redirect-https
+          namespace: m3db
+      services:
+        - name: m3coordinator
+          port: 7201
+
+---
+# HTTPS with basic auth
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: m3coordinator
+  namespace: m3db
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`m3db.vultrlabs.dev`)
+      kind: Rule
+      middlewares:
+        - name: basic-auth
+          namespace: m3db
+      services:
+        - name: m3coordinator
+          port: 7201
+  tls:
+    certResolver: letsencrypt
+
+---
+# HTTPS redirect middleware
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-https
+  namespace: m3db
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true