mbp-1126: Network segmentation using UDN

[mlorenzofr]

Description

Implements network segmentation using User Defined Networks (UDNs) for the qtodo application

Summary

• Adds NetworkAttachmentDefinition and UserDefinedNetwork resources for isolated network segments
• Configures AdminNetworkPolicy with ingress/egress rules to control traffic between network segments
• Updates qtodo app deployment and PostgreSQL statefulset to use the new UDN
• Adds documentation on UDN usage and configuration
• Introduces feature flag system to enable/disable UDN functionality

Test plan

• Validate feature flag enables/disables UDN resources correctly
• Verify qtodo pods attach to the UDN successfully
• Confirm AdminNetworkPolicy rules allow expected traffic and block unauthorized access
• Test qtodo application
• Review documentation

[minmzzhang]

There seems to be a conflict role of the UDN. In udn-user-defined-netowrk.yaml, the layer2 role was set to Primary, however, in app-deployment.yaml, it uses k8s.v1.cni.cocf.io/networks annotations to attach pods to the UDN:

k8s.v1.cni.cncf.io/networks: {{ .Release.Namespace }}/{{ .Values.app.udn.nadName }}

[minmzzhang]

Shall we use Primary or Secondary role for this UDN work? If we use Primary, then no manual NAD should be needed and no pod annotations of k8s.v1.cni.cncf.io/networks

[minmzzhang]

should this port be 5432?

[minmzzhang]

The flag used here is for egress

[minmzzhang]

ipam is defined but not referenced by templates