Override label selectors for networkPolicies generate invalid resources
Network Policy Templates Generate Invalid Kubernetes Annotations
Description
The network policy templates generate invalid Kubernetes YAML when using custom podSelector overrides. The templates attempt to set complex objects/maps as annotation values, but Kubernetes annotations must be strings.
This causes helm template to fail with:
Error: YAML parse error on bb-common/templates/network-policies/render.yaml: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal object into Go struct field .metadata.annotations of type string
Notably, helm unittest passes because it only validates specific paths without parsing the full YAML structure, masking this issue during testing.
Reproduction
File: chart/tests/istio/values/bug.yaml
networkPolicies:
  enabled: true
  ingress:
    defaults:
      enabled: false
    to:
      backend-service:
        podSelector:
          matchLabels:
            component: api
            tier: backend
        from:
          k8s:
            frontend/webapp: true
  egress:
    defaults:
      enabled: false
Command:
helm template chart -f chart/tests/istio/values/bug.yaml
Result: Fails with YAML parse error
Note: The test "must support custom pod selectors" in chart/tests/network-policies-ingress_test.yaml:245-264 uses the same configuration and passes with helm unittest but would fail with helm template.
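The gap described above, as an added Go example that is not part of the original issue or of the bb-common chart: a single-path assertion over untyped data passes on a document whose annotation value is a map, while decoding the same document into a string-typed annotations field fails. The annotation key, the struct, the function names and the JSON document are constructed for illustration; `PathAssert` is a stand-in for a path-based check, not helm unittest's own code.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// manifest models only the typed field at issue: annotations are map[string]string.
type manifest struct {
	Metadata struct {
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
}

// Constructed sample (hypothetical annotation key): a selector map used
// directly as an annotation value, next to a correct spec.podSelector.
const badDoc = `{"metadata":{"annotations":{"example.test/selector":
 {"matchLabels":{"component":"api","tier":"backend"}}}},
 "spec":{"podSelector":{"matchLabels":{"component":"api","tier":"backend"}}}}`

// PathAssert walks generic maps to one leaf and compares it, so it never
// inspects the type of metadata.annotations.
func PathAssert(doc string, want string, path ...string) bool {
	var cur any
	if json.Unmarshal([]byte(doc), &cur) != nil {
		return false
	}
	for _, key := range path {
		m, ok := cur.(map[string]any)
		if !ok {
			return false
		}
		cur = m[key]
	}
	return cur == want
}

// TypedDecode reports whether decoding failed because a non-string value
// reached a string-typed field, and returns the decoder's error.
func TypedDecode(doc string) (bool, error) {
	var m manifest
	err := json.Unmarshal([]byte(doc), &m)
	var te *json.UnmarshalTypeError
	return errors.As(err, &te), err
}

func main() {
	fmt.Println("path assertion passes:", PathAssert(badDoc, "api", "spec", "podSelector", "matchLabels", "component"))
	mismatch, err := TypedDecode(badDoc)
	fmt.Println("typed decode mismatch:", mismatch, err)
}
```

Running a full typed decode (or helm template itself) over the test values in CI catches this class of error that path-only assertions miss.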