
Add REGISTRY_ONLY Sidecar template

Summary

We want to let users set the REGISTRY_ONLY outbound traffic policy on a per-package basis, in addition to setting it globally in the Istio meshConfig (see #1886). Creating a Sidecar in each package also lets us evaluate packages individually as we define the allowlist of mesh-external destinations (ServiceEntries) each application actually needs.

This issue handles this for Alloy.

Conditions

The Sidecar template is rendered only when all of the following hold:

  • Istio injection is a feature of the package (the template only exists in packages that support injection)
  • && Istio is enabled for the package
  • && REGISTRY_ONLY is enabled for the package (set globally in Big Bang or directly in the package values)

Sample Sidecar resource

The following Sidecar has no workloadSelector, so it applies to every injected workload in the apps namespace (Istio allows exactly one such namespace-wide Sidecar per namespace). REGISTRY_ONLY restricts outbound traffic to hosts in the mesh's service registry: by default all Kubernetes Services in the cluster, plus anything added explicitly with a ServiceEntry. Traffic to any other destination is routed to the sidecar's BlackHoleCluster and dropped.

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: curl
  namespace: apps
spec:
  # no workloadSelector: applies to every injected workload in the namespace
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
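To make the conditions above concrete, here is an added example (not code from Big Bang or the Alloy package) of a Helm-style template for the namespace-wide Sidecar, rendered with Go's text/template, which is the engine Helm builds on, and checked against the acceptance criteria. The value names `istio.enabled`, `istio.hardened.enabled` and `global.istio.registryOnly` are assumptions for this example, not the package's real values schema; the first condition (injection is a feature of the package) is a property of the chart itself, so only the last two appear in the template.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Values mirrors Helm's .Values: nested maps with string keys.
type Values = map[string]any

// sidecarTemplate is a Helm-style template for a namespace-wide Sidecar.
// It has no workloadSelector, so it applies to every injected workload in
// the release namespace. The value names are assumptions for this example:
//   .Values.istio.enabled             - Istio is enabled for the package
//   .Values.istio.hardened.enabled    - REGISTRY_ONLY requested in package values
//   .Values.global.istio.registryOnly - REGISTRY_ONLY requested globally
const sidecarTemplate = `{{- if and .Values.istio.enabled (or .Values.istio.hardened.enabled .Values.global.istio.registryOnly) }}
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: {{ .Release.Name }}-registry-only
  namespace: {{ .Release.Namespace }}
spec:
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
{{- end }}
`

// renderSidecar renders the template the way Helm would for the given release
// and values (no Sprig functions are needed here). It returns "" when the
// conditions are not met, i.e. when no Sidecar should be created.
func renderSidecar(release, namespace string, values Values) (string, error) {
	tmpl, err := template.New("sidecar").Parse(sidecarTemplate)
	if err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	data := map[string]any{
		"Release": map[string]any{"Name": release, "Namespace": namespace},
		"Values":  values,
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", fmt.Errorf("execute: %w", err)
	}
	return strings.TrimSpace(buf.String()), nil
}

// isRegistryOnlySidecar is the acceptance check on a rendered manifest: it must
// be a Sidecar, set REGISTRY_ONLY, and stay namespace-wide (no workloadSelector).
func isRegistryOnlySidecar(manifest string) bool {
	return strings.Contains(manifest, "kind: Sidecar") &&
		strings.Contains(manifest, "mode: REGISTRY_ONLY") &&
		!strings.Contains(manifest, "workloadSelector")
}

// packageValues builds a values tree for the switches the conditions list.
// Constructed for this example; not a real package's values.yaml.
func packageValues(istioEnabled, hardened, globalRegistryOnly bool) Values {
	return Values{
		"istio": Values{
			"enabled":  istioEnabled,
			"hardened": Values{"enabled": hardened},
		},
		"global": Values{"istio": Values{"registryOnly": globalRegistryOnly}},
	}
}

func main() {
	cases := []struct {
		name                    string
		istio, hardened, global bool
	}{
		{"istio off", false, true, true},
		{"istio on, no REGISTRY_ONLY", true, false, false},
		{"istio on, package REGISTRY_ONLY", true, true, false},
		{"istio on, global REGISTRY_ONLY", true, false, true},
	}
	for _, c := range cases {
		out, err := renderSidecar("alloy", "alloy", packageValues(c.istio, c.hardened, c.global))
		if err != nil {
			fmt.Println(c.name, "error:", err)
			continue
		}
		fmt.Printf("%-35s sidecar rendered: %v\n", c.name, isRegistryOnlySidecar(out))
	}
}
```

The same check can be run against real `helm template` output for a package: grep the rendered manifests for a `kind: Sidecar` with `mode: REGISTRY_ONLY` and no `workloadSelector`, and confirm it is absent when Istio is disabled or REGISTRY_ONLY is off.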

Acceptance Criteria

  • Observability package has the Sidecar above added as an optional Big Bang template
  • The Sidecar is created only when the conditions listed above are true
  • We validate that mesh-external endpoints are not reachable from workloads in the namespace while the Sidecar exists (DNS still resolves; the connection itself is blocked: HTTP requests to unknown hosts get a 502 from the sidecar, and raw TCP/TLS connections are reset)

Other notes

For some packages, it may not make sense to have a Sidecar resource. Each application/package should be evaluated to determine if it needs a Sidecar resource or not.

Edited by Steven Donald