feat(network): implement optional cryostat egress network policy

[andrewazores]

Welcome to Cryostat! 👋

Before contributing, make sure you have:

• Read the contributing guidelines
• Linked a relevant issue which this PR resolves
• Linked any other relevant issues, PR's, or documentation, if any
• Resolved all conflicts, if any
• Rebased your branch PR on top of the latest upstream main branch
• Attached at least one of the following labels to the PR: [chore, ci, docs, feat, fix, test]
• Signed all commits: git commit -S -m "YOUR_COMMIT_MESSAGE"

---

Replaces #1024
See #1017
Related to #1008
See cryostatio/cryostat-helm#209

How to manually test:

1. Check out, build, and deploy Operator with PR in namespace cryostat-operator
2. Create namespaces cryostat, apps1, and apps2
3. for ns in apps1 apps2 ; oc project $ns ; make sample_app ; done
4. oc project cryostat ; TARGET_NAMESPACES="$(oc project -q) apps1" make create_cryostat_cr
5. Wait for everything to come up, then open the web UI and ensure that Cryostat has discovered the sample application in apps1 target namespace
6. Go to Topology view and attempt to create a Custom Target. Copy the JMX URL from the discovered sample application, and edit the IP address to match the sample application in apps2 non-target namespace. Click the connection test button. This should succeed and unlock the Create button. Cancel out of the form.
7. oc edit cryostat and set:

spec:
  networkPolicies:
    coreConfig:
      egressEnabled: true

8. Wait a few moments for the Operator to create the new NetworkPolicy, then repeat step 6. The connection attempt should now fail and time out, indicating that the egress policy is working as intended. All other Cryostat functionality should be unaffected and the sample app in apps1 target namespace should still be discovered and interactable.

[andrewazores]

/build_test

[andrewazores]

https://github.com/cryostatio/cryostat-operator/actions/runs/17130038169

[github-actions]

/build_test : At least one test failed ❌.
View Actions Run.

[andrewazores]

/build_test

[andrewazores]

https://github.com/cryostatio/cryostat-operator/actions/runs/17130195495

[github-actions]

/build_test completed successfully ✅.
View Actions Run.

[andrewazores]

/build_test

[github-actions]

/build_test completed successfully ✅.
View Actions Run.

[andrewazores]

/build_test

[andrewazores]

There seems to be a bug now where the egress policy prevents Cryostat from connecting to its storage container. Looking into it.

EDIT: actually, this might just be the same crc networking issue that I documented in cryostatio/cryostat-helm#209 (comment) .

[github-actions]

/build_test completed successfully ✅.
View Actions Run.

[andrewazores]

There seems to be a bug now where the egress policy prevents Cryostat from connecting to its storage container. Looking into it.

EDIT: actually, this might just be the same crc networking issue that I documented in cryostatio/cryostat-helm#209 (comment) .

Confirmed that a modified testing setup using the Operator on kind works as expected, same as the Helm Chart. It does not work on OpenShift due to the default network setup (OpenShift SDN) not supporting egress network policies.

[andrewazores]

/build_test

[github-actions]

/build_test completed successfully ✅.
View Actions Run.

[ebaron]

Looks good other than the minor nit, and question below

[andrewazores]

/build_test

[github-actions]

/build_test completed successfully ✅.
View Actions Run.