fix(security): harden default NetworkPolicy for client and admin ports

[miledxz]

Fixes the issue #509 where the default NetworkPolicy was effectively granting
unrestricted access to port 6379 and allowing any pod with the
control-plane: controller-manager label to reach the admin port from
any namespace.

• Restrict port 6379 (client) and memcached port to same-namespace pods only,
  instead of being open to the entire cluster
• Pin admin port (9999) operator access to the operator's actual namespace using
  the kubernetes.io/metadata.name well-known label, preventing cross-namespace
  access via spoofed pod labels
• Secure fallback: when the operator namespace cannot be determined, the admin
  port defaults to same-namespace-only access
• Add POD_NAMESPACE env var to both Helm chart and kustomize deployment
  manifests via the Downward API for reliable namespace detection

[Copilot]

Pull request overview

This PR hardens the operator-generated default NetworkPolicy for Dragonfly instances to prevent unintended cluster-wide access to the client/memcached ports and to prevent cross-namespace access to the admin port via spoofed pod labels.

Changes:

• Restrict client port (6379) and memcached port ingress to same-namespace pods only.
• Pin admin port (9999) operator access to the operator’s namespace using kubernetes.io/metadata.name, with a secure same-namespace fallback when the operator namespace is unknown.
• Add POD_NAMESPACE (Downward API) to kustomize and Helm deployment manifests and plumb the resolved operator namespace through controllers into resource generation.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
internal/resources/resources.go	Extends resource generation API to accept operatorNamespace and tightens NetworkPolicy ingress peers accordingly.
internal/resources/resources_test.go	Updates/extends tests to validate same-namespace restrictions and operator-namespace pinning + fallback behavior.
internal/resources/image_test.go	Updates tests for the new GenerateDragonflyResources signature.
internal/resources/const.go	Adds the well-known namespace label key constant used for namespace pinning.
internal/controller/dragonfly_instance.go	Passes operatorNamespace into resource generation during reconciliation.
internal/controller/base_controller.go	Wires OperatorNamespace from reconciler into per-instance controller state.
config/manager/manager.yaml	Adds POD_NAMESPACE env var via Downward API for kustomize deployment.
cmd/main.go	Resolves operator namespace (env/file) and injects it into reconcilers; logs resolution outcome.
charts/dragonfly-operator/templates/deployment.yaml	Adds POD_NAMESPACE env var via Downward API for Helm deployment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Abhra303]

LGTM

[Abhra303]

did you test this? (if POD_NAMESPACE is not available)