fix(monitoring): enable correct netpols for alertmanager SSO

General MR

Summary

This MR fixes a bug with monitoring that was introduced with the conversion to bb-common. A NetworkPolicy permitting alertmanager to access authservice was incorrectly transcribed as an ingress policy. This MR corrects that.

Additionally, prometheus' authservice connectivity was only being enabled previously by an entirely different policy meant to allow prometheus' scraping connectivity. In keeping with intent-oriented configuration, a policy has been added for prometheus that accomplishes the same effect as the one added for alertmanager, even though the functionality was not previously broken.

Relevant logs/screenshots

Before:

❯ kubectl logs -n monitoring sts/alertmanager-monitoring-monitoring-kube-alertmanager istio-proxy | grep 'GET / '
[2025-09-15T19:47:28.447Z] "GET / HTTP/1.1" 403 UAEX ext_authz_error - "-" 0 0 1 - "10.42.3.0" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Edg/140.0.0.0" "e6e02949-0803-9e69-93ad-77b260066dcd" "alertmanager.dev.bigbang.mil" "-" inbound|9093||; - 10.42.1.9:9093 10.42.3.0:0 outbound_.9093_._.monitoring-monitoring-kube-alertmanager.monitoring.svc.cluster.local default traceID=f2a1436b9c03cb30bd2b069a144d6a70

After:

❯ kubectl logs -n monitoring sts/alertmanager-monitoring-monitoring-kube-alertmanager istio-proxy | grep 'GET / '
[2025-09-15T19:30:53.651Z] "GET / HTTP/1.1" 200 - via_upstream - "-" 0 1654 14 4 "10.42.4.0" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Edg/140.0.0.0" "5f70bb8e-b7bc-4aaa-89c6-a6443dcc2d00" "alertmanager.dev.bigbang.mil" "10.42.1.10:9093" inbound|9093||; 127.0.0.6:60547 10.42.1.10:9093 10.42.4.0:0 outbound_.9093_._.monitoring-monitoring-kube-alertmanager.monitoring.svc.cluster.local default traceID=fd1ed137e505318cc9409c9a5ca9d6fb

Linked Issue

#2876 (closed)

Upgrade Notices

N/A
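
Added example (not part of the merge request or the Big Bang code base): a small classifier for the istio-proxy access log lines shown under Before and After. It separates a failed ext_authz call, which is what the Before line records, from a deliberate denial by the authorization service. The field order assumes Istio's default text access log format, and the third sample line is constructed for contrast.

```python
import re
from collections import Counter

# Leading fields of Istio's default text access log:
# [start_time] "METHOD PATH PROTOCOL" response_code response_flags response_code_details
LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<code>\d{3}) (?P<flags>\S+) (?P<details>\S+)'
)

# First two lines are shortened from the Before/After logs above;
# the third is constructed to show a policy denial for contrast.
SAMPLE = [
    '[2025-09-15T19:47:28.447Z] "GET / HTTP/1.1" 403 UAEX ext_authz_error - "-" 0 0 1 -',
    '[2025-09-15T19:30:53.651Z] "GET / HTTP/1.1" 200 - via_upstream - "-" 0 1654 14 4',
    '[2025-09-15T19:48:02.000Z] "GET / HTTP/1.1" 403 UAEX ext_authz_denied - "-" 0 0 3 -',
]


def classify(line):
    """Return (timestamp, verdict) for one access log line, or None if unparsable."""
    m = LINE.match(line)
    if m is None:
        return None
    flags = m["flags"].split(",")
    if "UAEX" in flags and m["details"] == "ext_authz_error":
        # The authorization check itself failed; the sidecar failed closed.
        verdict = "authz_call_failed"
    elif "UAEX" in flags:
        # The authorization service answered and rejected the request.
        verdict = "authz_denied"
    elif m["code"].startswith(("4", "5")):
        verdict = "other_error"
    else:
        verdict = "ok"
    return m["ts"], verdict


def summarize(lines):
    """Count verdicts across lines, skipping anything that does not parse."""
    return Counter(v for _, v in filter(None, map(classify, lines)))


if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
    print(dict(summarize(SAMPLE)))
```

A spike in `authz_call_failed` with no matching `authz_denied` points at connectivity between the sidecar and the authorization service rather than at the SSO policy itself.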
