Conversation

@skkra0 skkra0 commented Jan 18, 2026

If .Values.anvilops.apps.netpol.createIngressNetworkPolicy is true and an allowlist of namespace labels is provided in .Values.anvilops.apps.netpol.allowedIngressMatchLabels, create network policies in tenant namespaces restricting ingress to namespaces with allowed labels and apps of the same app group.

  • Add documentation on setting allowedIngressMatchLabels
    • The network policy will block ingress from all namespaces that don't have an allowlisted label and aren't part of the app group. This could include many system services, such as ingress controllers, telemetry collectors, health checkers.

Rancher Project Isolation

  • When project isolation is enabled, Rancher creates network policies in each namespace that allow ingress from certain ipBlocks, the project that namespace belongs to, and the System project. In this case, it's sufficient to set allowedIngressMatchLabels to [].
  • Setting createIngressNetworkPolicy: true can still be useful in case an app group is split across projects.
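The following manifest is an added illustration of the policy shape this description implies; it is not the chart's template or its rendered output. The namespace name, the `ingress-allowed` allowlist label and the `anvilops.example/app-group` label key are constructed for the example.

```yaml
# Illustrative ingress NetworkPolicy for one tenant namespace (constructed
# example, not the AnvilOps chart output). Assumed labels:
#   ingress-allowed: "true"       -- one entry from allowedIngressMatchLabels
#   anvilops.example/app-group    -- label on tenant namespaces naming the group
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-ingress
  namespace: tenant-app-1              # constructed tenant namespace
spec:
  # Empty podSelector: the policy applies to every pod in this namespace.
  podSelector: {}
  policyTypes:
    - Ingress                          # egress is left unrestricted
  ingress:
    - from:
        # Rule 1: any namespace carrying an allowlisted label. The chart
        # would emit one such namespaceSelector per entry in
        # allowedIngressMatchLabels; with the list set to [] this block
        # is absent and only rule 2 remains.
        - namespaceSelector:
            matchLabels:
              ingress-allowed: "true"
        # Rule 2: namespaces of the same app group. If tenant-app-1 itself
        # carries this label, pod-to-pod traffic inside the namespace is
        # also admitted by this selector.
        - namespaceSelector:
            matchLabels:
              anvilops.example/app-group: group-a   # constructed group name
# Everything else (ingress controllers, telemetry collectors, health checkers
# in unlabelled namespaces) is denied, unless a separate policy such as
# Rancher's project-isolation rules already allows it.
```

Entries under a single `from` list are OR'd, so a peer needs to match only one of the two selectors; a separate NetworkPolicy in the same namespace (for example one created by Rancher project isolation) is likewise additive.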

@FluxCapacitor2 FluxCapacitor2 force-pushed the main branch 2 times, most recently from be4651d to b466543 Compare January 18, 2026 21:28
@skkra0 skkra0 marked this pull request as ready for review January 21, 2026 19:53
@skkra0 skkra0 requested a review from FluxCapacitor2 January 21, 2026 19:53
@FluxCapacitor2 FluxCapacitor2 left a comment

Looks great! Tested creating an app & migrating an app on staging and they both work as intended.

When I was testing, I did find two things about migrating that may be unintended:

  1. The image repository is deleted, so for apps that AnvilOps has built, the container will never start up again. We should either tell the user about this or keep images for migrated apps.
  2. AnvilOps-generated environment variables are kept (e.g. PORT, ANVILOPS_CLUSTER_HOSTNAME, ANVILOPS_APP_ID, etc.). This is probably good for stability, since someone might start relying on these, but it does mean we leave a trace when we stop managing the project.

This PR is good to merge and we can address these later.

@skkra0 skkra0 merged commit 5e52d1f into main Jan 22, 2026
1 check passed
@FluxCapacitor2 FluxCapacitor2 deleted the network-isolation branch January 22, 2026 18:02