feat(helm): add configurable network policies for gpu-operator components

[apsega]

Summary

• Add global networkPolicy configuration in deployments/gpu-operator/values.yaml (enabled, labels/annotations, global ingress from and ports).
• Add per-component networkPolicy settings under each component key (operator, dcgmExporter, nodeStatusExporter, and NFD master/worker/gc/topologyUpdater) with default metrics port whitelists.
• Add deployments/gpu-operator/templates/networkpolicy.yaml to render:
  • component-specific ingress whitelist policies
  • one cluster-wide deny-all-ingress policy (podSelector: {}) whenever any component policy is enabled

Why

This adds a least-privilege network baseline for GPU Operator workloads while preserving flexibility to enable policy gradually and tune per-component ingress without changing templates.

Test Plan

• helm lint deployments/gpu-operator
• helm template gpu-operator deployments/gpu-operator --set networkPolicy.enabled=true
• helm template gpu-operator deployments/gpu-operator --set networkPolicy.enabled=false --set operator.networkPolicy.enabled=true
• Confirm rendered output includes component whitelist policies and a single gpu-operator-deny-all-ingress policy when policy is enabled

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[tariq1890]

Thank you for your contribution @apsega! For changes to the dcgm-exporter manifests, they would first need to be made in the dcgm-exporter standalone helm chart. The dcgm-exporter manifests that we maintain in gpu-operator need to align with the standalone dcgm-exporter chart.