🌱 Migrate E2e NetworkPolicy tests to static analysis with `kube-score` and `conftest` by pedjak · Pull Request #2393 · operator-framework/operator-controller
Copilot AI review requested due to automatic review settings
December 18, 2025 17:15
pedjak changed the title from "Migrate E2e NetworkPolicy tests to static analysis with kube-score and conftest" to "🌱 Migrate E2e NetworkPolicy tests to static analysis with kube-score and conftest"
Copilot AI review requested due to automatic review settings
December 18, 2025 20:49
Copilot AI review requested due to automatic review settings
December 18, 2025 21:50
pedjak marked this pull request as ready for review
Copilot AI review requested due to automatic review settings
December 18, 2025 22:26
Copilot AI review requested due to automatic review settings
December 19, 2025 14:27

…d conftest

Replace the e2e NetworkPolicy tests with static analysis tools that validate NetworkPolicy configurations at build time rather than runtime.

Tools:
- kube-score: https://github.com/zegl/kube-score
- conftest: https://www.conftest.dev/
- OPA (Open Policy Agent): https://www.openpolicyagent.org/docs/latest/policy-language/

Changes:
- Add kube-score via bingo for validating deployed NetworkPolicy resources
- Add conftest via bingo for OPA-based policy validation of Helm charts
- Add OPA policies to enforce NetworkPolicy requirements:
  - Deny-all default policy must exist
  - catalogd-controller-manager must allow ingress on ports 7443, 8443, 9443
  - operator-controller-controller-manager must allow ingress on port 8443
  - Both controllers must have general egress enabled
  - Prometheus NetworkPolicy must allow ingress/egress (when deployed)
- Add lint-helm target integration with conftest policy checks
- Add lint-deployed-resources target for runtime validation with kube-score
- Add conftest validation to manifest generation
- Add CI workflow to detect NetworkPolicy changes in PRs and post a comment
- Remove network_policy_test.go as tests are now covered by static analysis

This approach provides faster feedback by catching NetworkPolicy issues during helm linting and manifest generation rather than requiring a full e2e test run.

Co-Authored-By: Claude <noreply@anthropic.com>
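The commit message above lists the NetworkPolicy requirements the OPA policies enforce but does not show the policies themselves. The following Rego file is an added illustration of how such checks look in conftest; it is not the PR's own policy file. It assumes the Helm chart is rendered to a multi-document YAML and checked with `conftest test --combine -p policy/ rendered.yaml` (combine mode is what lets one rule look across all documents for the deny-all policy), that the NetworkPolicy objects are named after the controllers they guard (`catalogd-controller-manager`, `operator-controller-controller-manager`), and that the conftest build supports Rego v1 syntax (`import rego.v1`). The Prometheus check from the list is left out.

```rego
# Added example conftest policy (not the operator-controller project's own file).
# Run with combine mode so `input` is a list of {path, contents} entries:
#   conftest test --combine -p policy/ rendered.yaml
# Assumption: conftest may hand a multi-document YAML file over either as one
# object per document or as an array under `contents`; both shapes are handled.
package main

import rego.v1

# Assumption: NetworkPolicy objects carry the controller names used in the PR.
required_ingress_ports := {
	"catalogd-controller-manager": {7443, 8443, 9443},
	"operator-controller-controller-manager": {8443},
}

# Flatten every rendered manifest into one set of documents.
documents contains doc if {
	some file in input
	is_array(file.contents)
	some doc in file.contents
}

documents contains doc if {
	some file in input
	is_object(file.contents)
	doc := file.contents
}

network_policies contains np if {
	some np in documents
	np.kind == "NetworkPolicy"
}

policy_named(name) if {
	some np in network_policies
	np.metadata.name == name
}

# A default deny-all policy selects every pod (empty podSelector), declares
# both policy types, and carries no ingress or egress rules at all.
is_deny_all(np) if {
	count(object.get(np.spec, "podSelector", {})) == 0
	"Ingress" in np.spec.policyTypes
	"Egress" in np.spec.policyTypes
	count(object.get(np.spec, "ingress", [])) == 0
	count(object.get(np.spec, "egress", [])) == 0
}

any_deny_all if {
	some np in network_policies
	is_deny_all(np)
}

# Numeric ports a policy admits on ingress (named ports are not resolved here).
allowed_ingress_ports(np) := {p |
	some rule in object.get(np.spec, "ingress", [])
	some port in object.get(rule, "ports", [])
	p := port.port
}

# Egress is enforced when policyTypes lists it, or when policyTypes is omitted
# and egress rules are present (the Kubernetes default).
egress_enabled(np) if not np.spec.policyTypes

egress_enabled(np) if "Egress" in np.spec.policyTypes

# An egress rule with neither `to` nor `ports` ({}) matches every destination.
allows_general_egress(np) if {
	egress_enabled(np)
	some rule in object.get(np.spec, "egress", [])
	count(rule) == 0
}

deny contains msg if {
	not any_deny_all
	msg := "a default deny-all NetworkPolicy (empty podSelector, policyTypes Ingress+Egress, no rules) must exist"
}

deny contains msg if {
	some name in object.keys(required_ingress_ports)
	not policy_named(name)
	msg := sprintf("NetworkPolicy %q not found in rendered manifests", [name])
}

deny contains msg if {
	some name, ports in required_ingress_ports
	some np in network_policies
	np.metadata.name == name
	missing := ports - allowed_ingress_ports(np)
	count(missing) > 0
	msg := sprintf("NetworkPolicy %q must allow ingress on ports %v; missing %v", [name, ports, missing])
}

deny contains msg if {
	some name in object.keys(required_ingress_ports)
	some np in network_policies
	np.metadata.name == name
	not allows_general_egress(np)
	msg := sprintf("NetworkPolicy %q must allow general egress (an empty egress rule {})", [name])
}
```

Each `deny` rule fails the conftest run with a message naming the object and the missing requirement, which is what makes the check useful at lint and manifest-generation time: a PR that drops a port or removes the deny-all policy is rejected before any cluster is involved. The deny-all test is intentionally strict (it only accepts a policy with no rules), and the egress test requires the catch-all `{}` rule rather than any egress rule, so a policy that only opens a single destination would still be reported.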
openshift-ci bot added the approved label
Dec 19, 2025