[flux] Close Flux Operator ports to external access (#1581)

This patch updates the Flux Operator Deployment to remove hostPort and
hostNetwork, ensuring that ports 8080 and 8081 are only accessible
within the cluster. This prevents external exposure and improves
security.

```release-note
[flux] Close Flux Operator ports (8080/8081) to external access for improved security.
```

<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->

## What this PR does


### Release note

<!--  Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Security**
* Added a cluster-wide network policy for the Flux Operator to block
external access to internal service ports (notably TCP 8080 and 8081)
while preserving intra-cluster communication.
* **Chores**
* Update process now applies the new network policy as part of Flux
Operator deployments.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

packages/system/fluxcd-operator/Makefile

@@ -10,3 +10,4 @@ update:
 	rm -rf charts
 	helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --untar --untardir charts
 	patch --no-backup-if-mismatch -p1 < patches/kubernetesEnvs.diff
+	patch --no-backup-if-mismatch -p1 < patches/networkPolicy.diff

packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml

@@ -0,0 +1,21 @@
+{{- if .Capabilities.APIVersions.Has "cilium.io/v2/CiliumClusterwideNetworkPolicy" }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: {{ include "flux-operator.fullname" . }}-restrict
+spec:
+  nodeSelector: {}
+  ingressDeny:
+    - fromEntities:
+        - world
+      toPorts:
+        - ports:
+            - port: "8080"
+              protocol: TCP
+            - port: "8081"
+              protocol: TCP
+  ingress:
+    - fromEntities:
+        - cluster
+{{- end }}

packages/system/fluxcd-operator/patches/networkPolicy.diff

@@ -0,0 +1,25 @@
+diff --git a/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml b/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml
+new file mode 100644
+--- /dev/null	(revision 52a23eacfc32430d8b008b765c64a81526521bae)
++++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml	(revision 52a23eacfc32430d8b008b765c64a81526521bae)
+@@ -0,0 +1,18 @@
++{{- if .Capabilities.APIVersions.Has "cilium.io/v2/CiliumClusterwideNetworkPolicy" }}
++apiVersion: cilium.io/v2
++kind: CiliumClusterwideNetworkPolicy
++metadata:
++  name: {{ include "flux-operator.fullname" . }}-restrict
++spec:
++  nodeSelector: {}
++  ingressDeny:
++    - fromEntities:
++        - world
++      toPorts:
++        - ports:
++            - port: "8080"
++              protocol: TCP
++            - port: "8081"
++              protocol: TCP
++  ingress:
++    - fromEntities:
++        - cluster
++{{- end }}