Add NetworkPolicy for the ZTWIM namespace #145

Open

p-rog wants to merge 25 commits into validatedpatterns:main from p-rog:network-policy

Conversation

@p-rog (Collaborator) commented Jun 12, 2026

Summary

Adds network isolation for the zero-trust-workload-identity-manager namespace using the default-deny + per-pod allow pattern.

Depends on ztwim-chart PR #5 which adds the NetworkPolicy templates to the wrapper chart. Until that PR merges, the values in this PR are silently ignored by Helm (no NetworkPolicies created).

Changes

  • Add overrides/values-ztwim-network-policy.yaml with per-pod rules for spire-server, OIDC discovery provider, SPIFFE CSI driver, and ZTWIM operator
  • Enable via extraValueFiles in values-hub.yaml for the ZTWIM application

Per-pod rules

| Component | Ingress | Egress |
|---|---|---|
| spire-server | 8081 gRPC (port-only — agents use hostNetwork), 8443 federation (router), 9443 webhook (port-only), 9402 metrics | DNS (5353), K8s API (6443) |
| OIDC discovery provider | 8443 HTTPS (router — serves JWKS for Vault and Keycloak) | DNS (5353) |
| SPIFFE CSI driver | (none) | DNS (5353) |
| ZTWIM operator | 8443 metrics | DNS (5353), K8s API (6443) |

Not covered (by design): spire-agent uses hostNetwork: true + hostPID: true — Kubernetes NetworkPolicies do not apply to hostNetwork pods.

Test plan

  • Dry-run on OCP 4.21 — all policies applied directly via oc apply
  • Agent attestation (6/6 agents re-attested after restart)
  • OIDC discovery route (HTTP 200, JWKS keys returned)
  • Vault JWT auth (depends on SPIRE OIDC)
  • Keycloak SPIFFE IdP (depends on SPIRE OIDC)
  • qtodo full SPIFFE auth chain
  • Operator reconciliation (allReady=true)
  • Full end-to-end after ztwim-chart PR merges

🤖 Generated with Claude Code
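
The default-deny + per-pod allow pattern described in this PR, written out as plain NetworkPolicy manifests for the spire-server row of the table. This is an added example for this page, not the ztwim-chart templates or the values file the PR adds. The pod label `app.kubernetes.io/name: spire-server`, the `kubernetes.io/metadata.name: openshift-dns` namespace label and the router namespace label `policy-group.network.openshift.io/ingress` are assumptions about the cluster, not values taken from the PR.

```yaml
# Added example (not the PR's code). Pod and namespace labels are assumptions.
# 1) Namespace-wide default deny: selects every pod, lists both policy types,
#    and carries no rules, so nothing is allowed until a per-pod policy adds it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: zero-trust-workload-identity-manager
spec:
  podSelector: {}          # empty selector matches all pods in the namespace
  policyTypes:
    - Ingress
    - Egress               # Egress with no egress rules also blocks DNS; see below
---
# 2) Per-pod allow for spire-server. Policies are additive: any rule here
#    opens a hole in the default deny for pods matching the selector.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: spire-server
  namespace: zero-trust-workload-identity-manager
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: spire-server   # ASSUMED pod label
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # 8081 gRPC, port-only: no `from` block, so any source may reach the port.
    # This is deliberate: spire-agent runs with hostNetwork, has no pod IP and
    # therefore cannot be matched by a podSelector or namespaceSelector.
    - ports:
        - protocol: TCP
          port: 8081
    # 8443 federation: only from the OpenShift router namespace.
    - from:
        - namespaceSelector:
            matchLabels:
              policy-group.network.openshift.io/ingress: ""   # ASSUMED router ns label
      ports:
        - protocol: TCP
          port: 8443
    # 9443 webhook, port-only: the caller is the API server, which is not a pod.
    - ports:
        - protocol: TCP
          port: 9443
    # 9402 metrics, port-only (matches the PR table, which names no scraper).
    - ports:
        - protocol: TCP
          port: 9402
  egress:
    # DNS: OpenShift's CoreDNS pods listen on 5353 in openshift-dns.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-dns   # ASSUMED ns label
      ports:
        - protocol: UDP
          port: 5353
        - protocol: TCP
          port: 5353
    # Kubernetes API: the apiserver runs on the host network, so it cannot be
    # selected as a pod; allow the port without a `to` block.
    - ports:
        - protocol: TCP
          port: 6443
```

Two things worth checking when applying this pattern: first, the default-deny policy on its own blocks DNS egress, so every per-pod policy must carry the 5353 rule or name resolution fails silently; second, the port-only ingress rules (8081, 9443, 9402) are the price of hostNetwork agents and should be paired with spire-server's own node attestation, since the NetworkPolicy layer can no longer limit who talks to 8081. Applying the manifests with `oc apply -f` and re-running the agent attestation and OIDC route checks from the test plan confirms that the allow rules cover the real traffic.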

Przemyslaw Roguski and others added 25 commits April 9, 2026 19:04
…ft.io/ingress: triggers OVN-K's special ACL handling for host-network traffic
…answers on both an internal hostname (for back-channel) and an external hostname (for browser redirects)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@p-rog p-rog requested review from minmzzhang, mlorenzofr and sabre1041 and removed request for minmzzhang June 12, 2026 15:48